Skip to content

Releases: falcosecurity/falco

0.24.0

16 Jul 14:40
@leodido leodido
0.24.0
c4b7f17
Compare
Choose a tag to compare
0.24.0

Released on 2020-16-07

Major Changes

  • BREAKING CHANGE: --stats_interval is now --stats-interval [#1308]
  • BREAKING CHANGE: server streaming gRPC outputs method is now falco.outputs.service/get [#1241]
  • new: auto threadiness for gRPC server [#1271]
  • new: new bi-directional async streaming gRPC outputs (falco.outputs.service/sub) [#1241]
  • new: unix socket for the gRPC server [#1217]
  • new: Falco now supports userspace instrumentation with the -u flag [#1195]

Minor Changes

  • update: driver version is 85c88952b018fdbce2464222c3303229f5bfcfad now [#1305]
  • update: SKIP_MODULE_LOAD renamed to SKIP_DRIVER_LOADER [#1297]
  • docs: add leogr to OWNERS [#1300]
  • update: default threadiness to 0 ("auto" behavior) [#1271]
  • update: k8s audit endpoint now defaults to /k8s-audit everywhere [#1292]
  • update(falco.yaml): webserver.k8s_audit_endpoint default value changed from /k8s_audit to /k8s-audit [#1261]
  • docs(test): instructions to run regression test suites locally [#1234]

Bug Fixes

  • fix: --stats-interval correctly accepts values >= 999 (ms) [#1308]
  • fix: make the eBPF driver build work on CentOS 8 [#1301]
  • fix(userspace/falco): correct options handling for buffered_output: false which was not honored for the stdout output [#1296]
  • fix(userspace/falco): honor -M also when using a trace file [#1245]
  • fix: high CPU usage when using server streaming gRPC outputs [#1241]
  • fix: missing newline from some log messages (eg., token bucket depleted) [#1257]

Rule Changes

  • rule(Container Drift Detected (chmod)): disabled by default [#1316]
  • rule(Container Drift Detected (open+create)): disabled by default [#1316]
  • rule(Write below etc): allow snapd to write its unit files [#1289]
  • rule(macro remote_file_copy_procs): fix reference to remote_file_copy_binaries [#1224]
  • rule(list allowed_k8s_users): whitelisted kube-apiserver-healthcheck user created by kops >= 1.17.0 for the kube-apiserver-healthcheck sidecar [#1286]
  • rule(Change thread namespace): Allow protokube, dockerd, tini and aws binaries to change thread namespace. [#1222]
  • rule(macro exe_running_docker_save): to filter out cmdlines containing /var/run/docker. [#1222]
  • rule(macro user_known_cron_jobs): new macro to be overridden to list known cron jobs [#1294]
  • rule(Schedule Cron Jobs): exclude known cron jobs [#1294]
  • rule(macro user_known_update_package_registry): new macro to be overridden to list known package registry update [#1294]
  • rule(Update Package Registry): exclude known package registry update [#1294]
  • rule(macro user_known_read_ssh_information_activities): new macro to be overridden to list known activities that read SSH info [#1294]
  • rule(Read ssh information): do not throw for activities known to read SSH info [#1294]
  • rule(macro user_known_read_sensitive_files_activities): new macro to be overridden to list activities known to read sensitive files [#1294]
  • rule(Read sensitive file trusted after startup): do not throw for activities known to read sensitive files [#1294]
  • rule(Read sensitive file untrusted): do not throw for activities known to read sensitive files [#1294]
  • rule(macro user_known_write_rpm_database_activities): new macro to be overridden to list activities known to write RPM database [#1294]
  • rule(Write below rpm database): do not throw for activities known to write RPM database [#1294]
  • rule(macro user_known_db_spawned_processes): new macro to be overridden to list processes known to spawn DB [#1294]
  • rule(DB program spawned process): do not throw for processes known to spawn DB [#1294]
  • rule(macro user_known_modify_bin_dir_activities): new macro to be overridden to list activities known to modify bin directories [#1294]
  • rule(Modify binary dirs): do not throw for activities known to modify bin directories [#1294]
  • rule(macro user_known_mkdir_bin_dir_activities): new macro to be overridden to list activities known to create directories below bin directories [#1294]
  • rule(Mkdir binary dirs): do not throw for activities known to create directories below bin directories [#1294]
  • rule(macro user_known_system_user_login): new macro to exclude known system user logins [#1294]
  • rule(System user interactive): do not throw for known system user logins [#1294]
  • rule(macro user_known_user_management_activities): new macro to be overridden to list activities known to do user managements activities [#1294]
  • rule(User mgmt binaries): do not throw for activities known to do user managements activities [#1294]
  • rule(macro user_known_create_files_below_dev_activities): new macro to be overridden to list activities known to create files below dev [#1294]
  • rule(Create files below dev): do not throw for activities known to create files below dev [#1294]
  • rule(macro user_known_contact_k8s_api_server_activities): new macro to be overridden to list activities known to contact Kubernetes API server [#1294]
  • rule(Contact K8S API Server From Container): do not throw for activities known to contact Kubernetes API server [#1294]
  • rule(macro user_known_network_tool_activities): new macro to be overridden to list activities known to spawn/use network tools [#1294]
  • rule(Launch Suspicious Network Tool in Container): do not throw for activities known to spawn/use network tools [#1294]
  • rule(macro user_known_remove_data_activities): new macro to be overridden to list activities known to perform data remove commands [#1294]
  • rule(Remove Bulk Data from Disk): do not throw for activities known to perform data remove commands [#1294]
  • rule(macro user_known_create_hidden_file_activities): new macro to be overridden to list activities known to create hidden files [#1294]
  • rule(Create Hidden Files or Directories): do not throw for activities known to create hidden files [#1294]
  • rule(macro user_known_stand_streams_redirect_activities): new macro to be overridden to list activities known to redirect stream to network connection (in containers) [#1294]
  • rule(Redirect STDOUT/STDIN to Network Connection in Container): do not throw for activities known to redirect stream to network connection (in containers) [#1294]
  • rule(macro user_known_container_drift_activities): new macro to be overridden to list activities known to create executables in containers [#1294]
  • rule(Container Drift Detected (chmod)): do not throw for activities known to give execution permissions to files in containers [#1294]
  • rule(Container Drift Detected (open+create)): do not throw for activities known to create executables in containers [#1294]
  • rule(macro user_known_node_port_service): do not throw for services known to start with a NopePort service type (k8s) [...
Read more
Assets 2
Loading

0.23.0

18 May 16:44
@leogr leogr
0.23.0
f3f512c
Compare
Choose a tag to compare
0.23.0

Released on 2020-18-05

Major Changes

  • BREAKING CHANGE: the falco-driver-loader script now references falco-probe.o and falco-probe.ko as falco.o and falco.ko [#1158]
  • BREAKING CHANGE: the falco-driver-loader script environment variable to use a custom repository to download drivers now uses the DRIVERS_REPO environment variable instead of DRIVER_LOOKUP_URL. This variable must contain the parent URI containing the following directory structure /$driver_version$/falco_$target$_$kernelrelease$_$kernelversion$.[ko|o]. e.g: [#1160]
  • new(scripts): options and command-line usage for falco-driver-loader [#1200]
  • new: ability to specify exact matches when adding rules to Falco engine (only API) [#1185]
  • new(docker): add an image that wraps the falco-driver-loader with the toolchain [#1192]
  • new(docker): add falcosecurity/falco-no-driver image [#1205]

Minor Changes

  • update(scripts): improve falco-driver-loader output messages [#1200]
  • update: containers look for prebuilt drivers on the Drivers Build Grid [#1158]
  • update: driver version bump to 96bd9bc560f67742738eb7255aeb4d03046b8045 [#1190]
  • update(docker): now falcosecurity/falco:slim-* alias to falcosecurity/falco-no-driver:* [#1205]
  • docs: instructions to run unit tests [#1199]
  • docs(examples): move /examples to contrib repo [#1191]
  • update(docker): remove minimal image [#1196]
  • update(integration): move /integrations to contrib repo [#1157]
  • https://dl.bintray.com/driver/$driver_version$/falco_$target$_$kernelrelease$_$kernelversion$.[ko|o]` [#1160]
  • update(docker/event-generator): remove the event-generator from Falco repository [#1156]
  • docs(examples): set audit level to metadata for object secrets [#1153]

Bug Fixes

  • fix(scripts): upstream files (prebuilt drivers) for the generic Ubuntu kernel contains "ubuntu-generic" [#1212]
  • fix: support Falco driver on Linux kernels 5.6.y [#1174]

Rule Changes

  • rule(Redirect STDOUT/STDIN to Network Connection in Container): correct rule name as per rules naming convention [#1164]
  • rule(Redirect STDOUT/STDIN to Network Connection in Container): new rule to detect Redirect stdout/stdin to network connection in container [#1152]
  • rule(K8s Secret Created): new rule to track the creation of Kubernetes secrets (excluding kube-system and service account secrets) [#1151]
  • rule(K8s Secret Deleted): new rule to track the deletion of Kubernetes secrets (excluding kube-system and service account secrets) [#1151]

Statistics

Merged PRs Number
Not user-facing 17
Release note 18
Total 35
Assets 2
Loading

0.22.1

17 Apr 13:56
@leodido leodido
0.22.1
b0f5e59
Compare
Choose a tag to compare
0.22.1

Released on 2020-17-04

Major Changes

  • Same as v0.22.0

Minor Changes

  • Same as v0.22.0

Bug Fixes

  • fix: correct driver path (/usr/src/falco-%driver_version%) for RPM package [#1148]

Rule Changes

  • Same as v0.22.0
Assets 2
Loading

0.22.0

17 Apr 11:01
@leogr leogr
0.22.0
c241f13
Compare
Choose a tag to compare
0.22.0

Released on 2020-16-04

Major Changes

  • new: falco version and driver version are distinct and not coupled anymore [#1111]
  • new: flag to disable asynchronous container metadata (CRI) fetch --disable-cri-async [#1099]

Minor Changes

  • docs(integrations): update API resource versions to Kubernetes 1.16 [#1044]
  • docs: add new release archive to the README.md [#1098]
  • update: driver version a259b4bf49c3 [#1138]
  • docs(integrations/k8s-using-daemonset): --cri flag correct socket path [#1140]
  • update: bump driver version to cd3d10123e [#1131]
  • update(docker): remove RHEL, kernel/linuxkit, and kernel/probeloader images [#1124]
  • update: falco-probe-loader script is falco-driver-loader now [#1111]
  • update: using only sha256 hashes when pulling build dependencies [#1118]

Bug Fixes

  • fix(integrations/k8s-using-daemonset): added missing privileges for the apps Kubernetes API group in the falco-cluster-role when using RBAC [#1136]
  • fix: connect to docker works also with libcurl >= 7.69.0 [#1138]
  • fix: HOST_ROOT environment variable detection [#1133]
  • fix(driver/bpf): stricter conditionals while dealing with strings [#1131]
  • fix: /usr/bin/falco-${DRIVER_VERSION} driver directory [#1111]
  • fix: FALCO_VERSION env variable inside Falco containers contains the Falco version now (not the docker image tag) [#1111]

Rule Changes

  • rule(macro user_expected_system_procs_network_activity_conditions): allow whitelisting system binaries using the network under specific conditions [#1070]
  • rule(Full K8s Administrative Access): detect any k8s operation by an administrator with full access [#1122]
  • rule(Ingress Object without TLS Certificate Created): detect any attempt to create an ingress without TLS certification (rule enabled by default) [#1122]
  • rule(Untrusted Node Successfully Joined the Cluster): detect a node successfully joined the cluster outside of the list of allowed nodes [#1122]
  • rule(Untrusted Node Unsuccessfully Tried to Join the Cluster): detect an unsuccessful attempt to join the cluster for a node not in the list of allowed nodes [#1122]
  • rule(Network Connection outside Local Subnet): detect traffic to image outside local subnet [#1122]
  • rule(Outbound or Inbound Traffic not to Authorized Server Process and Port): detect traffic that is not to authorized server process and port [#1122]
  • rule(Delete or rename shell history): "mitre_defense_evation" tag corrected to "mitre_defense_evasion" [#1143]
  • rule(Delete Bash History): "mitre_defense_evation" tag corrected to "mitre_defense_evasion" [#1143]
  • rule(Write below root): use pmatch to check against known root directories [#1137]
  • rule(Detect outbound connections to common miner pool ports): whitelist sysdig/agent and falcosecurity/falco for query miner domain dns [#1115]
  • rule(Service Account Created in Kube Namespace): only detect sa created in kube namespace with success [#1117]

Statistics

Merged PRs Number
Not user-facing 4
Release note 17
Total 21
Assets 2
Loading

0.21.0

17 Mar 17:31
@leodido leodido
0.21.0
5909eac
Compare
Choose a tag to compare
0.21.0

Released on 2020-03-17

Major Changes

  • BREAKING CHANGE: the SYSDIG_BPF_PROBE environment variable is now just FALCO_BPF_PROBE (please update your systemd scripts or kubernetes deployments). [#1050]
  • new: automatically publish deb packages (from git master branch) to public dev repository [#1059]
  • new: automatically publish rpm packages (from git master branch) to public dev repository [#1059]
  • new: automatically release deb packages (from git tags) to public repository [#1059]
  • new: automatically release rpm packages (from git tags) to public repository [#1059]
  • new: automatically publish docker images from master (master, master-slim, master-minimal) [#1059]
  • new: automatically publish docker images from git tag (tag, tag-slim, tag-master, latest, latest-slim, latest-minimal) [#1059]
  • new: sign packages with falcosecurity gpg key [#1059]

Minor Changes

  • new: falco_version_prerelease contains the number of commits since last tag on the master [#1086]
  • docs: update branding [#1074]
  • new(docker/event-generator): add example k8s resource files that allow running the event generator in a k8s cluster. [#1088]
  • update: creating *-dev docker images using build arguments at build time [#1059]
  • update: docker images use packages from the new repositories [#1059]
  • update: docker image downloads old deb dependencies (gcc-6, gcc-5, binutils-2.30) from a new open repository [#1059]

Bug Fixes

  • fix(docker): updating stable and local images to run from debian:stable [#1018]
  • fix(event-generator): the image used by the event generator deployment to latest. [#1091]
  • fix: -t (to disable rules by certain tag) or -t (to only run rules with a certain tag) work now [#1081]
  • fix: the falco driver now compiles on >= 5.4 kernels [#1080]
  • fix: download falco packages which url contains character to encode - eg, + [#1059]
  • fix(docker): use base name in docker-entrypoint.sh [#981]

Rule Changes

  • rule(detect outbound connections to common miner pool ports): disabled by default [#1061]
  • rule(macro net_miner_pool): add localhost and rfc1918 addresses as exception in the rule. [#1061]
  • rule(change thread namespace): modify condition to detect suspicious container activity [#974]

Statistics

Merged PRs Number
Not user-facing 7
Release note 12
Total 19
Assets 2
Loading

0.20.0

24 Feb 10:11
@fntlnz fntlnz
0.20.0
d77080a
Compare
Choose a tag to compare
0.20.0

Released on 2020-02-24

Major Changes

  • fix: memory leak introduced in 0.18.0 happening while using json events and the kubernetes audit endpoint [#1041]
  • new: grpc version api [#872]

Bug Fixes

  • fix: the base64 output format (-b) now works with both json and normal output. [#1033]
  • fix: version follows semver 2 bnf [#872]

Rule Changes

  • rule(write below etc): add "dsc_host" as a ms oms program [#1028]
  • rule(write below etc): let mcafee write to /etc/cma.d [#1028]
  • rule(write below etc): let avinetworks supervisor write some ssh cfg [#1028]
  • rule(write below etc): alow writes to /etc/pki from openshift secrets dir [#1028]
  • rule(write below root): let runc write to /exec.fifo [#1028]
  • rule(change thread namespace): let cilium-cni change namespaces [#1028]
  • rule(run shell untrusted): let puma reactor spawn shells [#1028]

Statistics

Merged PRs Number
Not user-facing 5
Release note 4
Total 9
Assets 2
Loading

0.19.0

23 Jan 15:43
@leodido leodido
0.19.0
32b373a
Compare
Choose a tag to compare
0.19.0

Released on 2020-01-23

Major Changes

  • new: security audit [#977]
  • instead of crashing, now falco will report the error when an internal error occurs while handling an event to be inspected. the log line will be of type error and will contain the string error handling inspector event [#746]
  • build: bump grpc to 1.25.0 [#939]
  • build: (most of) dependencies are bundled dynamically (by default) [#968]
  • test: integration tests now can run on different distributions via docker containers, for now CentOS 7 and Ubuntu 18.04 with respective rpm and deb packages [#1012]

Minor Changes

  • proposal: rules naming convention [#980]
  • update: also allow posting json arrays containing k8s audit events to the k8s_audit endpoint. [#967]
  • update: add support for k8s audit events to the falco-event-generator container. [#997]
  • update: falco-tester base image is fedora:31 now [#968]
  • build: switch to circleci [#968]
  • build: bundle openssl into falco-builder docker image [#1004]
  • build: falco-builder docker image revamp (centos:7 base image) [#1004]
  • update: puppet module had been renamed from "sysdig-falco" to "falco" [#922]
  • update: adds a hostname field to grpc output [#927]
  • build: download grpc from their github repo [#933]
  • update: ef_drop_falco is now ef_drop_simple_cons [#922]
  • update(docker): use host_root environment variable rather than sysdig_host_root [#922]
  • update: ef_drop_falco is now ef_drop_simple_cons [#922]

Bug Fixes

  • fix: providing clang into docker-builder [#972]
  • fix: prevent throwing json type error c++ exceptions outside of the falco engine when procesing k8s audit events. [#928]
  • fix(docker/kernel/linuxkit): correct from for falco minimal image [#913]

Rule Changes

  • rules(list network_tool_binaries): add some network tools to detect suspicious network activity. [#973]
  • rules(write below etc): allow automount to write to /etc/mtab [#957]
  • rules(macro user_known_k8s_client_container): when executing the docker client, exclude fluentd-gcp-scaler container running in the kube-system namespace to avoid false positives [#962]
  • rules(the docker client is executed in a container): detect the execution of the docker client in a container and logs it with warning priority. [#915]
  • rules(list k8s_client_binaries): create and add docker, kubectl, crictl [#915]
  • rules(macro container_entrypoint): add docker-runc-cur [#914]
  • rules(list user_known_chmod_applications): add hyperkube [#914]
  • rules(list network_tool_binaries): add some network tools to detect suspicious network activity. [#975]
  • rules(macro user_known_k8s_client_container): macro to match kube-system namespace [#955]
  • rules(contact k8s api server from container): now it can automatically resolve the cluster ip address [#952]
  • rules(macro k8s_api_server): new macro to match the default k8s api server [#952]
  • rules(macro sensitive_vol_mount): add more sensitive host paths [#929]
  • rules(macro sensitive_mount): add more sensitive paths [#929]
  • rules(macro consider_metadata_access): macro to decide whether to consider metadata or not (off by default) [#943]
  • rules(contact cloud metadata service from container): add rules to detect access to gce instance metadata [#943]
  • rules(macro sensitive_vol_mount): align sensitive mounts macro between k8s audit rules and syscall rules [#950]
  • rules(macro consider_packet_socket_communication): macro to consider or not packet socket communication (off by default) [#945]
  • rules(packet socket created in container): rule to detect raw packets creation [#945]
  • rules(macro exe_running_docker_save): fixed false positives in multiple rules that were caused by the use of docker in docker [#951]
  • rules(modify shell configuration file): fixed a false positive by excluding "exe_running_docker_save" [#949]
  • rules(update package repository): fixed a false positive by excluding "exe_running_docker_save". [#948]
  • rules(the docker client is executed in a container): when executing the docker client, exclude containers running in the kube-system namespace to avoid false positives [#955]
  • rules(list user_known_chmod_applications): add kubelet [#944]
  • rules(set setuid or setgid bit): fixed a false positive by excluding "exe_running_docker_save" [#946]
  • rules(macro user_known_package_manager_in_container): allow users to specify conditions that match a legitimate use case for using a package management process in a container. [#941]

Statistics

Merged PRs Number
Not user-facing 12
Release note 32
Total 44
Assets 2
Loading

0.18.0

31 Oct 11:39
@fntlnz fntlnz
0.18.0
6c5554c
Compare
Choose a tag to compare
0.18.0

Released 2019-10-31

Major Changes

  • falco grpc api server implementation, contains a subscribe method to subscribe to outputs from any grpc capable language [#822]
  • add support for converting k8s pod security policies (psps) into set of falco rules that can be used to evaluate the conditions specified in the psp. [#826]
  • initial redesign container images to remove build tools and leverage init containers for kernel module delivery. [#776]
  • add flags to disable syscall event source or k8s_audit event source [#779]

Minor Changes

  • allow for unique names for psp converted rules/macros/lists/rule names as generated by falcoctl 0.0.3 [#895]
  • make it easier to run regression tests without necessarily using the falco-tester docker image. [#808]
  • fix falco engine compatibility with older k8s audit rules files. [#893]
  • add tests for psp conversions with names containing spaces/dashes. [#899]

Bug Fixes

  • handle multi-document yaml files when reading rules files. [#760]
  • improvements to how the webserver handles incoming invalid inputs [#759]
  • fix: make lua state access thread-safe [#867]
  • fix compilation on gcc 5.4 by working around gcc bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=56480 [#873]
  • add explicit dependency between tests and catch2 header file. [#879]
  • fix: stable dockerfile libgcc-6-dev dependencies [#830]
  • fix: build dependencies for the local dockerfile [#782]
  • fix: a crash bug that could result from reading more than ~6 rules files [#906] [#907]

Rule Changes

  • rules: add calico/node to trusted privileged container list [#902]
  • rules: add macro calico_node_write_envvars to exception list of write below etc [#902]
  • rules: add exception for rule write below rpm, this is a fp caused by amazon linux 2 yum. [#755]
  • rules: ignore sensitive mounts from the ecs-agent [#881]
  • rules: add rules to detect crypto mining activities [#763]
  • rules: add back rule delete bash history for backport compatibility [#864]
  • rule: syscalls are used to detect suid and sgid [#765]
  • rules: delete bash history is renamed to delete or rename shell history [#762]
  • rules: add image fluent/fluentd-kubernetes-daemonset to clear log trusted images [#852]
  • rules: include default users created by kops. [#898]
  • rules: delete or rename shell history: when deleting a shell history file now the syscalls are taken into account rather than just the commands deleting the files [#762]
  • rules: delete or rename shell history: history deletion now supports fish and zsh in addition to bash [#762]
  • rules: "create hidden files or directories" and "update package repository" now trigger also if the files are moved and not just if modified or created. [#766]
Assets 2
Loading

0.17.1

26 Sep 14:38
@fntlnz fntlnz
0.17.1
2439873
Compare
Choose a tag to compare
0.17.1

Released 2019-09-26

Major Changes

  • Same as v0.17.0

Minor Changes

  • Same as v0.17.0

Bug Fixes

Rule Changes

  • Same as v0.17.0
Assets 2
Loading

0.17.0

31 Jul 22:52
@mstemm mstemm
0.17.0
2439873
Compare
Choose a tag to compare
0.17.0

Released 2019-07-31

Major Changes

  • The set of supported platforms has changed. Switch to a reorganized builder image that uses Centos 7 as a base. As a result, falco is no longer supported on Centos 6. The other supported platforms should remain the same [#719]

Minor Changes

  • When enabling rules within the falco engine, use rule substrings instead of regexes. [#743]

  • Additional improvements to the handling and display of rules validation errors [#744] [#747]

Bug Fixes

  • Fix a problem that would cause prevent container metadata lookups when falco was daemonized [#731]

  • Allow rule priorites to be expressed as lowercase and a mix of lower/uppercase [#737]

Rule Changes

  • Fix a parentheses bug with the shell_procs macro [#728]

  • Allow additional containers to mount sensitive host paths [#733] [#736]

  • Allow additional containers to truncate log files [#733]

  • Fix false positives with the Write below root rule on GKE [#739]

Assets 2
Loading