Skip to content

Latest commit

 

History

History
1602 lines (1056 loc) · 131 KB

CHANGELOG.md

File metadata and controls

1602 lines (1056 loc) · 131 KB

Change Log

v0.30.0

Released on 2021-10-01

Major Changes

  • new: add --k8s-node command-line options, which allows filtering by a node when requesting metadata of pods to the K8s API server [#1671] - @leogr
  • new(outputs): expose rule tags and event source in gRPC and json outputs [#1714] - @jasondellaluce
  • new(userspace/falco): add customizable metadata fetching params [#1667] - @zuc

Minor Changes

Bug Fixes

  • fix(scripts): correct standard output redirection in systemd config (DEB and RPM packages) [#1697] - @chirabino
  • fix(scripts): correct lookup order when trying multiple gcc versions in the falco-driver-loader script [#1716] - @Spartan-65

Rule Changes

Non user-facing changes

  • add Qonto as adopter [#1717] - @Issif
  • docs(proposals): proposal for a libs plugin system [#1637] - @ldegio
  • build: remove unused ncurses dependency [#1658] - @leogr
  • build(.circleci): use new Debian 11 package names for python-pip [#1712] - @zuc
  • build(docker): adding libssl-dev, upstream image reference pinned to debian:buster [#1719] - @michalschott
  • fix(test): avoid output_strictly_contains failures [#1724] - @jasondellaluce
  • Remove duplicate allowed ecr registry rule [#1725] - @TomKeyte
  • docs(RELEASE.md): switch to 3 releases per year [#1711] - @leogr

v0.29.1

Released on 2021-06-29

Minor Changes

  • update: bump the Falco engine version to version 9 [#1675] - @leodido

Rule Changes

  • rule(list user_known_userfaultfd_processes): list to exclude processes known to use userfaultfd syscall [#1675] - @leodido
  • rule(macro consider_userfaultfd_activities): macro to gate the "Unprivileged Delegation of Page Faults Handling to a Userspace Process" rule [#1675] - @leodido
  • rule(Unprivileged Delegation of Page Faults Handling to a Userspace Process): new rule to detect successful unprivileged userfaultfd syscalls [#1675] - @leodido
  • rule(Linux Kernel Module Injection Detected): adding container info to the output of the rule [#1675] - @leodido

Non user-facing changes

v0.29.0

Released on 2021-06-21

Minor Changes

  • update: driver version is 17f5df52a7d9ed6bb12d3b1768460def8439936d now [#1669] - @leogr

Rule Changes

  • rule(list miner_domains): add rx.unmineable.com for anti-miner detection [#1676] - @fntlnz
  • rule(Change thread namespace and Set Setuid or Setgid bit): disable by default [#1632] - @Kaizhe
  • rule(list known_sa_list): add namespace-controller, statefulset-controller, disruption-controller, job-controller, horizontal-pod-autoscaler and persistent-volume-binder as allowed service accounts in the kube-system namespace [#1659] - @sboschman
  • rule(Non sudo setuid): check user id as well in case user name info is not available [#1665] - @Kaizhe
  • rule(Debugfs Launched in Privileged Container): fix typo in description [#1657] - @Kaizhe

Non user-facing changes

v0.28.1

Released on 2021-05-07

Major Changes

  • new: --support output now includes info about the Falco engine version [#1581] - @mstemm
  • new: Falco outputs an alert in the unlikely situation it's receiving too many consecutive timeouts without an event [#1622] - @leodido
  • new: configuration field syscall_event_timeouts.max_consecutive to configure after how many consecutive timeouts without an event Falco must alert [#1622] - @leodido

Minor Changes

  • build: enforcing hardening flags by default [#1604] - @leogr

Bug Fixes

  • fix: do not stop the webserver for k8s audit logs when invalid data is coming in the event to be processed [#1617] - @fntlnz

Rule Changes

  • rule(macro: allowed_aws_ecr_registry_root_for_eks): new macro for AWS EKS images hosted on ECR to use in rule: Launch Privileged Container [#1640] - @ismailyenigul
  • rule(macro: aws_eks_core_images): new macro for AWS EKS images hosted on ECR to use in rule: Launch Privileged Container [#1640] - @ismailyenigul
  • rule(macro: aws_eks_image_sensitive_mount): new macro for AWS EKS images hosted on ECR to use in rule: Launch Privileged Container [#1640] - @ismailyenigul
  • rule(list falco_privileged_images): remove deprecated Falco's OCI image repositories [#1634] - @maxgio92
  • rule(list falco_sensitive_mount_images): remove deprecated Falco's OCI image repositories [#1634] - @maxgio92
  • rule(macro k8s_containers): remove deprecated Falco's OCI image repositories [#1634] - @maxgio92
  • rule(macro: python_running_sdchecks): macro removed [#1620] - @leogr
  • rule(Change thread namespace): remove python_running_sdchecks exception [#1620] - @leogr

Non user-facing changes

v0.28.0

Released on 2021-04-12

Major Changes

Minor Changes

  • docs(proposals): libraries and drivers donation [#1530] - @leodido
  • docs(docker): update links to the new Falco website URLs [#1545] - @cpanato
  • docs(test): update links to new Falco website URLs [#1563] - @shane-lawrence
  • build: now Falco packages are published at https://download.falco.org [#1577] - @leogr
  • update: lower the syscall_event_drops.max_burst default value to 1 [#1586] - @leodido
  • update: falco-driver-loader tries to download a Falco driver before then compiling it on the fly for the host [#1599] - @leodido
  • docs(test): document the prerequisites for running the integration test suite locally [#1609] - @fntlnz
  • update: Debian/RPM package migrated from init to systemd [#1448] - @jenting

Bug Fixes

  • fix(userspace/engine): properly handle field extraction over lists of containers when not all containers match the specified sub-properties [#1601] - @mstemm
  • fix(docker/falco): add flex and bison dependency to container image [#1562] - @schans
  • fix: ignore action can not be used with log and alert ones (syscall_event_drops config) [#1586] - @leodido
  • fix(userspace/engine): allows fields starting with numbers to be parsed properly [#1598] - @mstemm

Rule Changes

  • rule(Write below monitored dir): improve rule description [#1588] - @stevenshuang
  • rule(macro allowed_aws_eks_registry_root): macro to match the official eks registry [#1555] - @ismailyenigul
  • rule(macro aws_eks_image): match aws image repository for eks [#1555] - @ismailyenigul
  • rule(macro aws_eks_image_sensitive_mount): match aws cni images [#1555] - @ismailyenigul
  • rule(macro k8s_containers): include fluent/fluentd-kubernetes-daemonset and prom/prometheus [#1555] - @ismailyenigul
  • rule(Launch Privileged Container): exclude aws_eks_image [#1555] - @ismailyenigul
  • rule(Launch Sensitive Mount Container): exclude aws_eks_image_sensitive_mount [#1555] - @ismailyenigul
  • rule(Debugfs Launched in Privileged Container): new rule [#1583] - @Kaizhe
  • rule(Mount Launched in Privileged Container): new rule [#1583] - @Kaizhe
  • rule(Set Setuid or Setgid bit): add k3s-agent in the whitelist [#1583] - @Kaizhe
  • rule(macro user_ssh_directory): using glob operator [#1560] - @shane-lawrence
  • rule(list falco_sensitive_mount_containers): added image exceptions for IBM cloud [#1337] - @nibalizer
  • rule(list rpm_binaries): add rhsmcertd [#1385] - @epcim
  • rule(list deb_binaries): add apt.systemd.daily [#1385] - @epcim
  • rule(Sudo Potential Privilege Escalation): new rule created to detect CVE-2021-3156 [#1543] - @darryk10
  • rule(list allowed_k8s_users): add eks:node-manager [#1536] - @ismailyenigul
  • rule(list mysql_mgmt_binaries): removed [#1602] - @fntlnz
  • rule(list db_mgmt_binaries): removed [#1602] - @fntlnz
  • rule(macro parent_ansible_running_python): removed [#1602] - @fntlnz
  • rule(macro parent_bro_running_python): removed [#1602] - @fntlnz
  • rule(macro parent_python_running_denyhosts): removed [#1602] - @fntlnz
  • rule(macro parent_linux_image_upgrade_script): removed [#1602] - @fntlnz
  • rule(macro parent_java_running_echo): removed [#1602] - @fntlnz
  • rule(macro parent_scripting_running_builds): removed [#1602] - @fntlnz
  • rule(macro parent_Xvfb_running_xkbcomp): removed [#1602] - @fntlnz
  • rule(macro parent_nginx_running_serf): removed [#1602] - @fntlnz
  • rule(macro parent_node_running_npm): removed [#1602] - @fntlnz
  • rule(macro parent_java_running_sbt): removed [#1602] - @fntlnz
  • rule(list known_container_shell_spawn_cmdlines): removed [#1602] - @fntlnz
  • rule(list known_shell_spawn_binaries): removed [#1602] - @fntlnz
  • rule(macro run_by_puppet): removed [#1602] - @fntlnz
  • rule(macro user_privileged_containers): removed [#1602] - @fntlnz
  • rule(list rancher_images): removed [#1602] - @fntlnz
  • rule(list images_allow_network_outside_subnet): removed [#1602] - @fntlnz
  • rule(macro parent_python_running_sdchecks): removed [#1602] - @fntlnz
  • rule(macro trusted_containers): removed [#1602] - @fntlnz
  • rule(list authorized_server_binaries): removed [#1602] - @fntlnz

Non user-facing changes

v0.27.0

Released on 2021-01-18

Major Changes

  • new: Added falco engine version to grpc version service [#1507] - @nibalizer
  • BREAKING CHANGE: Users who run Falco without a config file will be unable to do that any more, Falco now expects a configuration file to be passed all the times. Developers may need to adjust their processes. [#1494] - @nibalizer
  • new: asynchronous outputs implementation, outputs channels will not block event processing anymore [#1451] - @leogr
  • new: slow outputs detection [#1451] - @leogr
  • new: output_timeout config option for slow outputs detection [#1451] - @leogr

Minor Changes

  • build: bump b64 to v2.0.0.1 [#1441] - @fntlnz
  • rules(macro container_started): re-use spawned_process macro inside container_started macro [#1449] - @leodido
  • docs: reach out documentation [#1472] - @fntlnz
  • docs: Broken outputs.proto link [#1493] - @deepskyblue86
  • docs(README.md): correct broken links [#1506] - @leogr
  • docs(proposals): Exceptions handling proposal [#1376] - @mstemm
  • docs: fix a broken link of README [#1516] - @oke-py
  • docs: adding the kubernetes privileged use case to use cases [#1484] - @fntlnz
  • rules(Mkdir binary dirs): Adds exe_running_docker_save as an exception as this rules can be triggerred when a container is created. [#1386] - @jhwbarlow
  • rules(Create Hidden Files): Adds exe_running_docker_save as an exception as this rules can be triggerred when a container is created. [#1386] - @jhwbarlow
  • docs(.circleci): welcome Jonah (Amazon) as a new Falco CI maintainer [#1518] - @leodido
  • build: falcosecurity/falco:master also available on the AWS ECR Public registry [#1512] - @leodido
  • build: falcosecurity/falco:latest also available on the AWS ECR Public registry [#1512] - @leodido
  • update: gRPC clients can now subscribe to drop alerts via gRCP API [#1451] - @leogr
  • macro(allowed_k8s_users): exclude cloud-controller-manage to avoid false positives on k3s [#1444] - @fntlnz

Bug Fixes

  • fix(userspace/falco): use given priority in falco_outputs::handle_msg() [#1450] - @leogr
  • fix(userspace/engine): free formatters, if any [#1447] - @leogr
  • fix(scripts/falco-driver-loader): lsmod usage [#1474] - @dnwe
  • fix: a bug that prevents Falco driver to be consumed by many Falco instances in some circumstances [#1485] - @leodido
  • fix: set HOST_ROOT=/host environment variable for the falcosecurity/falco-no-driver container image by default [#1492] - @leogr

Rule Changes

  • rule(list user_known_change_thread_namespace_binaries): add crio and multus to the list [#1501] - @Kaizhe
  • rule(Container Run as Root User): new rule created [#1500] - @Kaizhe
  • rule(Linux Kernel Module injection detected): adds a new rule that detects when an LKM module is injected using insmod from a container (typically used by rootkits looking to obfuscate their behavior via kernel hooking). [#1478] - @d1vious
  • rule(macro multipath_writing_conf): create and use the macro [#1475] - @nmarier-coveo
  • rule(list falco_privileged_images): add calico/node without registry prefix to prevent false positive alerts [#1457] - @czunker
  • rule(Full K8s Administrative Access): use the right list of admin users (fix) [#1454] - @mstemm

Non user-facing changes

v0.26.2

Released on 2020-11-10

Major Changes

v0.26.1

Released on 2020-10-01

Major Changes

  • new: CLI flag --alternate-lua-dir to load Lua files from arbitrary paths [#1419] - @admiral0

Rule Changes

  • rule(Delete or rename shell history): fix warnings/FPs + container teardown [#1423] - @mstemm
  • rule(Write below root): ensure proc_name_exists too [#1423] - @mstemm

v0.26.0

Released on 2020-24-09

Major Changes

  • new: address several sources of FPs, primarily from GKE environments. [#1372] - @mstemm
  • new: driver updated to 2aa88dcf6243982697811df4c1b484bcbe9488a2 [#1410] - @leogr
  • new(scripts/falco-driver-loader): detect and try to build the Falco kernel module driver using different GCC versions available in the current environment. [#1408] - @fntlnz
  • new: tgz (tarball) containing the statically-linked (musl) binary of Falco is now automatically built and published on bintray [#1377] - @leogr

Minor Changes

  • update: bump Falco engine version to 7 [#1381] - @leogr
  • update: the required_engine_version is now on by default [#1381] - @leogr
  • update: falcosecurity/falco-no-driver image now uses the statically-linked Falco [#1377] - @leogr
  • docs(proposals): artifacts storage [#1375] - @leodido
  • docs(proposals): artifacts cleanup [#1375] - @leodido

Rule Changes

  • rule(macro inbound_outbound): add brackets to disambiguate operator precedence [#1373] - @ldegio
  • rule(macro redis_writing_conf): add brackets to disambiguate operator precedence [#1373] - @ldegio
  • rule(macro run_by_foreman): add brackets to disambiguate operator precedence [#1373] - @ldegio
  • rule(macro consider_packet_socket_communication): enable "Packet socket created in container" rule by default. [#1402] - @rung
  • rule(Delete or rename shell history): skip docker overlay filesystems when considering bash history [#1393] - @mstemm
  • rule(Disallowed K8s User): quote colons in user names [#1393] - @mstemm
  • rule(macro falco_sensitive_mount_containers): Adds a trailing slash to avoid repo naming issues [#1394] - @bgeesaman
  • rule: adds user.loginuid to the default Falco rules that also contain user.name [#1369] - @csschwe

v0.25.0

Released on 2020-08-25

Major Changes

  • new(userspace/falco): print the Falco and driver versions at the very beginning of the output. [#1303] - @leogr
  • new: libyaml is now bundled in the release process. Users can now avoid installing libyaml directly when getting Falco from the official release. [#1252] - @fntlnz

Minor Changes

  • docs(test): step-by-step instructions to run integration tests locally [#1313] - @leodido
  • update: renameat2 syscall support [#1355] - @fntlnz
  • update: support for 5.8.x kernels [#1355] - @fntlnz

Bug Fixes

  • fix(userspace/falco): correct the fallback mechanism for loading the kernel module [#1366] - @leogr
  • fix(falco-driver-loader): script crashing when using arguments [#1330] - @antoinedeschenes

Rule Changes

  • rule(macro user_trusted_containers): add sysdig/node-image-analyzer and sysdig/agent-slim [#1321] - @Kaizhe
  • rule(macro falco_privileged_images): add docker.io/falcosecurity/falco [#1326] - @nvanheuverzwijn
  • rule(EphemeralContainers Created): add new rule to detect ephemeral container created [#1339] - @Kaizhe
  • rule(macro user_read_sensitive_file_containers): replace endswiths with exact image repo name [#1349] - @Kaizhe
  • rule(macro user_trusted_containers): replace endswiths with exact image repo name [#1349] - @Kaizhe
  • rule(macro user_privileged_containers): replace endswiths with exact image repo name [#1349] - @Kaizhe
  • rule(macro trusted_images_query_miner_domain_dns): replace endswiths with exact image repo name [#1349] - @Kaizhe
  • rule(macro falco_privileged_containers): append "/" to quay.io/sysdig [#1349] - @Kaizhe
  • rule(list falco_privileged_images): add images docker.io/sysdig/agent-slim and docker.io/sysdig/node-image-analyzer [#1349] - @Kaizhe
  • rule(list falco_sensitive_mount_images): add image docker.io/sysdig/agent-slim [#1349] - @Kaizhe
  • rule(list k8s_containers): prepend docker.io to images [#1349] - @Kaizhe
  • rule(macro exe_running_docker_save): add better support for centos [#1350] - @admiral0
  • rule(macro rename): add renameat2 syscall [#1359] - @leogr
  • rule(Read sensitive file untrusted): add trusted images into whitelist [#1327] - @Kaizhe
  • rule(Pod Created in Kube Namespace): add new list k8s_image_list as white list [#1336] - @Kaizhe
  • rule(list allowed_k8s_users): add "kubernetes-admin" user [#1323] - @leogr

v0.24.0

Released on 2020-07-16

Major Changes

  • new: Falco now supports userspace instrumentation with the -u flag [#1195]
  • BREAKING CHANGE: --stats_interval is now --stats-interval [#1308]
  • new: auto threadiness for gRPC server [#1271]
  • BREAKING CHANGE: server streaming gRPC outputs method is now falco.outputs.service/get [#1241]
  • new: new bi-directional async streaming gRPC outputs (falco.outputs.service/sub) [#1241]
  • new: unix socket for the gRPC server [#1217]

Minor Changes

  • update: driver version is 85c88952b018fdbce2464222c3303229f5bfcfad now [#1305]
  • update: SKIP_MODULE_LOAD renamed to SKIP_DRIVER_LOADER [#1297]
  • docs: add leogr to OWNERS [#1300]
  • update: default threadiness to 0 ("auto" behavior) [#1271]
  • update: k8s audit endpoint now defaults to /k8s-audit everywhere [#1292]
  • update(falco.yaml): webserver.k8s_audit_endpoint default value changed from /k8s_audit to /k8s-audit [#1261]
  • docs(test): instructions to run regression test suites locally [#1234]

Bug Fixes

  • fix: --stats-interval correctly accepts values >= 999 (ms) [#1308]
  • fix: make the eBPF driver build work on CentOS 8 [#1301]
  • fix(userspace/falco): correct options handling for buffered_output: false which was not honored for the stdout output [#1296]
  • fix(userspace/falco): honor -M also when using a trace file [#1245]
  • fix: high CPU usage when using server streaming gRPC outputs [#1241]
  • fix: missing newline from some log messages (eg., token bucket depleted) [#1257]

Rule Changes

  • rule(Container Drift Detected (chmod)): disabled by default [#1316]
  • rule(Container Drift Detected (open+create)): disabled by default [#1316]
  • rule(Write below etc): allow snapd to write its unit files [#1289]
  • rule(macro remote_file_copy_procs): fix reference to remote_file_copy_binaries [#1224]
  • rule(list allowed_k8s_users): whitelisted kube-apiserver-healthcheck user created by kops >= 1.17.0 for the kube-apiserver-healthcheck sidecar [#1286]
  • rule(Change thread namespace): Allow protokube, dockerd, tini and aws binaries to change thread namespace. [#1222]
  • rule(macro exe_running_docker_save): to filter out cmdlines containing /var/run/docker. [#1222]
  • rule(macro user_known_cron_jobs): new macro to be overridden to list known cron jobs [#1294]
  • rule(Schedule Cron Jobs): exclude known cron jobs [#1294]
  • rule(macro user_known_update_package_registry): new macro to be overridden to list known package registry update [#1294]
  • rule(Update Package Registry): exclude known package registry update [#1294]
  • rule(macro user_known_read_ssh_information_activities): new macro to be overridden to list known activities that read SSH info [#1294]
  • rule(Read ssh information): do not throw for activities known to read SSH info [#1294]
  • rule(macro user_known_read_sensitive_files_activities): new macro to be overridden to list activities known to read sensitive files [#1294]
  • rule(Read sensitive file trusted after startup): do not throw for activities known to read sensitive files [#1294]
  • rule(Read sensitive file untrusted): do not throw for activities known to read sensitive files [#1294]
  • rule(macro user_known_write_rpm_database_activities): new macro to be overridden to list activities known to write RPM database [#1294]
  • rule(Write below rpm database): do not throw for activities known to write RPM database [#1294]
  • rule(macro user_known_db_spawned_processes): new macro to be overridden to list processes known to spawn DB [#1294]
  • rule(DB program spawned process): do not throw for processes known to spawn DB [#1294]
  • rule(macro user_known_modify_bin_dir_activities): new macro to be overridden to list activities known to modify bin directories [#1294]
  • rule(Modify binary dirs): do not throw for activities known to modify bin directories [#1294]
  • rule(macro user_known_mkdir_bin_dir_activities): new macro to be overridden to list activities known to create directories below bin directories [#1294]
  • rule(Mkdir binary dirs): do not throw for activities known to create directories below bin directories [#1294]
  • rule(macro user_known_system_user_login): new macro to exclude known system user logins [#1294]
  • rule(System user interactive): do not throw for known system user logins [#1294]
  • rule(macro user_known_user_management_activities): new macro to be overridden to list activities known to do user managements activities [#1294]
  • rule(User mgmt binaries): do not throw for activities known to do user managements activities [#1294]
  • rule(macro user_known_create_files_below_dev_activities): new macro to be overridden to list activities known to create files below dev [#1294]
  • rule(Create files below dev): do not throw for activities known to create files below dev [#1294]
  • rule(macro user_known_contact_k8s_api_server_activities): new macro to be overridden to list activities known to contact Kubernetes API server [#1294]
  • rule(Contact K8S API Server From Container): do not throw for activities known to contact Kubernetes API server [#1294]
  • rule(macro user_known_network_tool_activities): new macro to be overridden to list activities known to spawn/use network tools [#1294]
  • rule(Launch Suspicious Network Tool in Container): do not throw for activities known to spawn/use network tools [#1294]
  • rule(macro user_known_remove_data_activities): new macro to be overridden to list activities known to perform data remove commands [#1294]
  • rule(Remove Bulk Data from Disk): do not throw for activities known to perform data remove commands [#1294]
  • rule(macro user_known_create_hidden_file_activities): new macro to be overridden to list activities known to create hidden files [#1294]
  • rule(Create Hidden Files or Directories): do not throw for activities known to create hidden files [#1294]
  • rule(macro user_known_stand_streams_redirect_activities): new macro to be overridden to list activities known to redirect stream to network connection (in containers) [#1294]
  • rule(Redirect STDOUT/STDIN to Network Connection in Container): do not throw for activities known to redirect stream to network connection (in containers) [#1294]
  • rule(macro user_known_container_drift_activities): new macro to be overridden to list activities known to create executables in containers [#1294]
  • rule(Container Drift Detected (chmod)): do not throw for activities known to give execution permissions to files in containers [#1294]
  • rule(Container Drift Detected (open+create)): do not throw for activities known to create executables in containers [#1294]
  • rule(macro user_known_node_port_service): do not throw for services known to start with a NopePort service type (k8s) [#1294]
  • rule(Create NodePort Service): do not throw for services known to start with a NopePort service type (k8s) [#1294]
  • rule(macro user_known_exec_pod_activities): do not throw for activities known to attach/exec to a pod (k8s) [#1294]
  • rule(Attach/Exec Pod): do not throw for activities known to attach/exec to a pod (k8s) [#1294]
  • rule(macro trusted_pod): defines trusted pods by an image list [#1294]
  • rule(Pod Created in Kube Namespace): do not throw for trusted pods [#1294]
  • rule(macro trusted_sa): define trusted ServiceAccount [#1294]
  • rule(Service Account Created in Kube Namespace): do not throw for trusted ServiceAccount [#1294]
  • rule(list network_tool_binaries): add zmap to the list [#1284]
  • rule(macro root_dir): correct macro to exactly match the /root dir and not other with just /root as a prefix [#1279]
  • rule(macro user_expected_terminal_shell_in_container_conditions): allow whitelisting terminals in containers under specific conditions [#1154]
  • rule(macro user_known_write_below_binary_dir_activities): allow writing to a binary dir in some conditions [#1260]
  • rule(macro trusted_logging_images): Add addl fluentd image [#1230]
  • rule(macro trusted_logging_images): Let azure-npm image write to /var/log [#1230]
  • rule(macro lvprogs_writing_conf): Add lvs as a lvm program [#1230]
  • rule(macro user_known_k8s_client_container): Allow hcp-tunnelfront to run kubectl in containers [#1230]
  • rule(list allowed_k8s_users): Add vertical pod autoscaler as known k8s users [#1230]
  • rule(Anonymous Request Allowed): update to checking auth decision equals to allow [#1267]
  • rule(Container Drift Detected (chmod)): new rule to detect if an existing file get exec permissions in a container [#1254]
  • rule(Container Drift Detected (open+create)): new rule to detect if a new file with execution permission is created in a container [#1254]
  • rule(Mkdir binary dirs): correct condition in macro bin_dir_mkdir to catch mkdirat syscall [#1250]
  • rule(Modify binary dirs): correct condition in macro bin_dir_rename to catch rename, renameat, and unlinkat syscalls [#1250]
  • rule(Create files below dev): correct condition to catch openat syscall [#1250]
  • rule(macro user_known_set_setuid_or_setgid_bit_conditions): create macro [#1213]

v0.23.0

Released on 2020-05-18

Major Changes

  • BREAKING CHANGE: the falco-driver-loader script now references falco-probe.o and falco-probe.ko as falco.o and falco.ko [#1158]
  • BREAKING CHANGE: the falco-driver-loader script environment variable to use a custom repository to download drivers now uses the DRIVERS_REPO environment variable instead of DRIVER_LOOKUP_URL. This variable must contain the parent URI containing the following directory structure /$driver_version$/falco_$target$_$kernelrelease$_$kernelversion$.[ko|o]. e.g: [#1160]
  • new(scripts): options and command-line usage for falco-driver-loader [#1200]
  • new: ability to specify exact matches when adding rules to Falco engine (only API) [#1185]
  • new(docker): add an image that wraps the falco-driver-loader with the toolchain [#1192]
  • new(docker): add falcosecurity/falco-no-driver image [#1205]

Minor Changes

  • update(scripts): improve falco-driver-loader output messages [#1200]
  • update: containers look for prebuilt drivers on the Drivers Build Grid [#1158]
  • update: driver version bump to 96bd9bc560f67742738eb7255aeb4d03046b8045 [#1190]
  • update(docker): now falcosecurity/falco:slim-* alias to falcosecurity/falco-no-driver:* [#1205]
  • docs: instructions to run unit tests [#1199]
  • docs(examples): move /examples to contrib repo [#1191]
  • update(docker): remove minimal image [#1196]
  • update(integration): move /integrations to contrib repo [#1157]
  • https://dl.bintray.com/driver/$driver_version$/falco_$target$_$kernelrelease$_$kernelversion$.[ko|o]` [#1160]
  • update(docker/event-generator): remove the event-generator from Falco repository [#1156]
  • docs(examples): set audit level to metadata for object secrets [#1153]

Bug Fixes

  • fix(scripts): upstream files (prebuilt drivers) for the generic Ubuntu kernel contains "ubuntu-generic" [#1212]
  • fix: support Falco driver on Linux kernels 5.6.y [#1174]

Rule Changes

  • rule(Redirect STDOUT/STDIN to Network Connection in Container): correct rule name as per rules naming convention [#1164]
  • rule(Redirect STDOUT/STDIN to Network Connection in Container): new rule to detect Redirect stdout/stdin to network connection in container [#1152]
  • rule(K8s Secret Created): new rule to track the creation of Kubernetes secrets (excluding kube-system and service account secrets) [#1151]
  • rule(K8s Secret Deleted): new rule to track the deletion of Kubernetes secrets (excluding kube-system and service account secrets) [#1151]

v0.22.1

Released on 2020-04-17

Major Changes

  • Same as v0.22.0

Minor Changes

  • Same as v0.22.0

Bug Fixes

  • fix: correct driver path (/usr/src/falco-%driver_version%) for RPM package [#1148]

Rule Changes

  • Same as v0.22.0

v0.22.0

Released on 2020-04-16

Major Changes

  • new: falco version and driver version are distinct and not coupled anymore [#1111]
  • new: flag to disable asynchronous container metadata (CRI) fetch --disable-cri-async [#1099]

Minor Changes

  • docs(integrations): update API resource versions to Kubernetes 1.16 [#1044]
  • docs: add new release archive to the README.md [#1098]
  • update: driver version a259b4bf49c3 [#1138]
  • docs(integrations/k8s-using-daemonset): --cri flag correct socket path [#1140]
  • update: bump driver version to cd3d10123e [#1131]
  • update(docker): remove RHEL, kernel/linuxkit, and kernel/probeloader images [#1124]
  • update: falco-probe-loader script is falco-driver-loader now [#1111]
  • update: using only sha256 hashes when pulling build dependencies [#1118]

Bug Fixes

  • fix(integrations/k8s-using-daemonset): added missing privileges for the apps Kubernetes API group in the falco-cluster-role when using RBAC [#1136]
  • fix: connect to docker works also with libcurl >= 7.69.0 [#1138]
  • fix: HOST_ROOT environment variable detection [#1133]
  • fix(driver/bpf): stricter conditionals while dealing with strings [#1131]
  • fix: /usr/bin/falco-${DRIVER_VERSION} driver directory [#1111]
  • fix: FALCO_VERSION env variable inside Falco containers contains the Falco version now (not the docker image tag) [#1111]

Rule Changes

  • rule(macro user_expected_system_procs_network_activity_conditions): allow whitelisting system binaries using the network under specific conditions [#1070]
  • rule(Full K8s Administrative Access): detect any k8s operation by an administrator with full access [#1122]
  • rule(Ingress Object without TLS Certificate Created): detect any attempt to create an ingress without TLS certification (rule enabled by default) [#1122]
  • rule(Untrusted Node Successfully Joined the Cluster): detect a node successfully joined the cluster outside of the list of allowed nodes [#1122]
  • rule(Untrusted Node Unsuccessfully Tried to Join the Cluster): detect an unsuccessful attempt to join the cluster for a node not in the list of allowed nodes [#1122]
  • rule(Network Connection outside Local Subnet): detect traffic to image outside local subnet [#1122]
  • rule(Outbound or Inbound Traffic not to Authorized Server Process and Port): detect traffic that is not to authorized server process and port [#1122]
  • rule(Delete or rename shell history): "mitre_defense_evation" tag corrected to "mitre_defense_evasion" [#1143]
  • rule(Delete Bash History): "mitre_defense_evation" tag corrected to "mitre_defense_evasion" [#1143]
  • rule(Write below root): use pmatch to check against known root directories [#1137]
  • rule(Detect outbound connections to common miner pool ports): whitelist sysdig/agent and falcosecurity/falco for query miner domain dns [#1115]
  • rule(Service Account Created in Kube Namespace): only detect sa created in kube namespace with success [#1117]

v0.21.0

Released on 2020-03-17

Major Changes

  • BREAKING CHANGE: the SYSDIG_BPF_PROBE environment variable is now just FALCO_BPF_PROBE (please update your systemd scripts or kubernetes deployments. [#1050]
  • new: automatically publish deb packages (from git master branch) to public dev repository [#1059]
  • new: automatically publish rpm packages (from git master branch) to public dev repository [#1059]
  • new: automatically release deb packages (from git tags) to public repository [#1059]
  • new: automatically release rpm packages (from git tags) to public repository [#1059]
  • new: automatically publish docker images from master (master, master-slim, master-minimal) [#1059]
  • new: automatically publish docker images from git tag (tag, tag-slim, tag-master, latest, latest-slim, latest-minimal) [#1059]
  • new: sign packages with falcosecurity gpg key [#1059]

Minor Changes

  • new: falco_version_prerelease contains the number of commits since last tag on the master [#1086]
  • docs: update branding [#1074]
  • new(docker/event-generator): add example k8s resource files that allow running the event generator in a k8s cluster. [#1088]
  • update: creating *-dev docker images using build arguments at build time [#1059]
  • update: docker images use packages from the new repositories [#1059]
  • update: docker image downloads old deb dependencies (gcc-6, gcc-5, binutils-2.30) from a new open repository [#1059]

Bug Fixes

  • fix(docker): updating stable and local images to run from debian:stable [#1018]
  • fix(event-generator): the image used by the event generator deployment to latest. [#1091]
  • fix: -t (to disable rules by certain tag) or -t (to only run rules with a certain tag) work now [#1081]
  • fix: the falco driver now compiles on >= 5.4 kernels [#1080]
  • fix: download falco packages which url contains character to encode - eg, + [#1059]
  • fix(docker): use base name in docker-entrypoint.sh [#981]

Rule Changes

  • rule(detect outbound connections to common miner pool ports): disabled by default [#1061]
  • rule(macro net_miner_pool): add localhost and rfc1918 addresses as exception in the rule. [#1061]
  • rule(change thread namespace): modify condition to detect suspicious container activity [#974]

v0.20.0

Released on 2020-02-24

Major Changes

  • fix: memory leak introduced in 0.18.0 happening while using json events and the kubernetes audit endpoint [#1041]
  • new: grpc version api [#872]

Bug Fixes

  • fix: the base64 output format (-b) now works with both json and normal output. [#1033]
  • fix: version follows semver 2 bnf [#872]

Rule Changes

  • rule(write below etc): add "dsc_host" as a ms oms program [#1028]
  • rule(write below etc): let mcafee write to /etc/cma.d [#1028]
  • rule(write below etc): let avinetworks supervisor write some ssh cfg [#1028]
  • rule(write below etc): alow writes to /etc/pki from openshift secrets dir [#1028]
  • rule(write below root): let runc write to /exec.fifo [#1028]
  • rule(change thread namespace): let cilium-cni change namespaces [#1028]
  • rule(run shell untrusted): let puma reactor spawn shells [#1028]

v0.19.0

Released on 2020-01-23

Major Changes

  • new: security audit [#977]
  • instead of crashing, now falco will report the error when an internal error occurs while handling an event to be inspected. the log line will be of type error and will contain the string error handling inspector event [#746]
  • build: bump grpc to 1.25.0 [#939]
  • build: (most of) dependencies are bundled dynamically (by default) [#968]
  • test: integration tests now can run on different distributions via docker containers, for now CentOS 7 and Ubuntu 18.04 with respective rpm and deb packages [#1012]

Minor Changes

  • proposal: rules naming convention [#980]
  • update: also allow posting json arrays containing k8s audit events to the k8s_audit endpoint. [#967]
  • update: add support for k8s audit events to the falco-event-generator container. [#997]
  • update: falco-tester base image is fedora:31 now [#968]
  • build: switch to circleci [#968]
  • build: bundle openssl into falco-builder docker image [#1004]
  • build: falco-builder docker image revamp (centos:7 base image) [#1004]
  • update: puppet module had been renamed from "sysdig-falco" to "falco" [#922]
  • update: adds a hostname field to grpc output [#927]
  • build: download grpc from their github repo [#933]
  • update: ef_drop_falco is now ef_drop_simple_cons [#922]
  • update(docker): use host_root environment variable rather than sysdig_host_root [#922]
  • update: ef_drop_falco is now ef_drop_simple_cons [#922]

Bug Fixes

  • fix: providing clang into docker-builder [#972]
  • fix: prevent throwing json type error c++ exceptions outside of the falco engine when procesing k8s audit events. [#928]
  • fix(docker/kernel/linuxkit): correct from for falco minimal image [#913]

Rule Changes

  • rules(list network_tool_binaries): add some network tools to detect suspicious network activity. [#973]
  • rules(write below etc): allow automount to write to /etc/mtab [#957]
  • rules(macro user_known_k8s_client_container): when executing the docker client, exclude fluentd-gcp-scaler container running in the kube-system namespace to avoid false positives [#962]
  • rules(the docker client is executed in a container): detect the execution of the docker client in a container and logs it with warning priority. [#915]
  • rules(list k8s_client_binaries): create and add docker, kubectl, crictl [#915]
  • rules(macro container_entrypoint): add docker-runc-cur [#914]
  • rules(list user_known_chmod_applications): add hyperkube [#914]
  • rules(list network_tool_binaries): add some network tools to detect suspicious network activity. [#975]
  • rules(macro user_known_k8s_client_container): macro to match kube-system namespace [#955]
  • rules(contact k8s api server from container): now it can automatically resolve the cluster ip address [#952]
  • rules(macro k8s_api_server): new macro to match the default k8s api server [#952]
  • rules(macro sensitive_vol_mount): add more sensitive host paths [#929]
  • rules(macro sensitive_mount): add more sensitive paths [#929]
  • rules(macro consider_metadata_access): macro to decide whether to consider metadata or not (off by default) [#943]
  • rules(contact cloud metadata service from container): add rules to detect access to gce instance metadata [#943]
  • rules(macro sensitive_vol_mount): align sensitive mounts macro between k8s audit rules and syscall rules [#950]
  • rules(macro consider_packet_socket_communication): macro to consider or not packet socket communication (off by default) [#945]
  • rules(packet socket created in container): rule to detect raw packets creation [#945]
  • rules(macro exe_running_docker_save): fixed false positives in multiple rules that were caused by the use of docker in docker [#951]
  • rules(modify shell configuration file): fixed a false positive by excluding "exe_running_docker_save" [#949]
  • rules(update package repository): fixed a false positive by excluding "exe_running_docker_save". [#948]
  • rules(the docker client is executed in a container): when executing the docker client, exclude containers running in the kube-system namespace to avoid false positives [#955]
  • rules(list user_known_chmod_applications): add kubelet [#944]
  • rules(set setuid or setgid bit): fixed a false positive by excluding "exe_running_docker_save" [#946]
  • rules(macro user_known_package_manager_in_container): allow users to specify conditions that match a legitimate use case for using a package management process in a container. [#941]

v0.18.0

Released 2019-10-28

Major Changes

  • falco grpc api server implementation, contains a subscribe method to subscribe to outputs from any grpc capable language [#822]
  • add support for converting k8s pod security policies (psps) into set of falco rules that can be used to evaluate the conditions specified in the psp. [#826]
  • initial redesign container images to remove build tools and leverage init containers for kernel module delivery. [#776]
  • add flags to disable syscall event source or k8s_audit event source [#779]

Minor Changes

  • allow for unique names for psp converted rules/macros/lists/rule names as generated by falcoctl 0.0.3 [#895]
  • make it easier to run regression tests without necessarily using the falco-tester docker image. [#808]
  • fix falco engine compatibility with older k8s audit rules files. [#893]
  • add tests for psp conversions with names containing spaces/dashes. [#899]

Bug Fixes

  • handle multi-document yaml files when reading rules files. [#760]
  • improvements to how the webserver handles incoming invalid inputs [#759]
  • fix: make lua state access thread-safe [#867]
  • fix compilation on gcc 5.4 by working around gcc bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=56480 [#873]
  • add explicit dependency between tests and catch2 header file. [#879]
  • fix: stable dockerfile libgcc-6-dev dependencies [#830]
  • fix: build dependencies for the local dockerfile [#782]
  • fix: a crash bug that could result from reading more than ~6 rules files [#906] [#907]

Rule Changes

  • rules: add calico/node to trusted privileged container list [#902]
  • rules: add macro calico_node_write_envvars to exception list of write below etc [#902]
  • rules: add exception for rule write below rpm, this is a fp caused by amazon linux 2 yum. [#755]
  • rules: ignore sensitive mounts from the ecs-agent [#881]
  • rules: add rules to detect crypto mining activities [#763]
  • rules: add back rule delete bash history for backport compatibility [#864]
  • rule: syscalls are used to detect suid and sgid [#765]
  • rules: delete bash history is renamed to delete or rename shell history [#762]
  • rules: add image fluent/fluentd-kubernetes-daemonset to clear log trusted images [#852]
  • rules: include default users created by kops. [#898]
  • rules: delete or rename shell history: when deleting a shell history file now the syscalls are taken into account rather than just the commands deleting the files [#762]
  • rules: delete or rename shell history: history deletion now supports fish and zsh in addition to bash [#762]
  • rules: "create hidden files or directories" and "update package repository" now trigger also if the files are moved and not just if modified or created. [#766]

v0.17.1

Released 2019-09-26

Major Changes

  • Same as v0.17.0

Minor Changes

  • Same as v0.17.0

Bug Fixes

Rule Changes

  • Same as v0.17.0

v0.17.0

Released 2019-07-31

Major Changes

  • The set of supported platforms has changed. Switch to a reorganized builder image that uses Centos 7 as a base. As a result, falco is no longer supported on Centos 6. The other supported platforms should remain the same [#719]

Minor Changes

  • When enabling rules within the falco engine, use rule substrings instead of regexes. [#743]

  • Additional improvements to the handling and display of rules validation errors [#744] [#747]

Bug Fixes

  • Fix a problem that would cause prevent container metadata lookups when falco was daemonized [#731]

  • Allow rule priorites to be expressed as lowercase and a mix of lower/uppercase [#737]

Rule Changes

  • Fix a parentheses bug with the shell_procs macro [#728]

  • Allow additional containers to mount sensitive host paths [#733] [#736]

  • Allow additional containers to truncate log files [#733]

  • Fix false positives with the Write below root rule on GKE [#739]

v0.16.0

Released 2019-07-12

Major Changes

  • Clean up error reporting to provide more meaningful error messages along with context when loading rules files. When run with -V, the results of the validation ("OK" or error message) are sent to standard output. [#708]

  • Improve rule loading performance by optimizing lua parsing paths to avoid expensive pattern matches. [#694]

  • Bump falco engine version to 4 to reflect new fields ka.useragent, others. [#710] [#681]

  • Add Catch2 as a unit testing framework. This will add additional coverage on top of the regression tests using Avocado. [#687]

Minor Changes

  • Add SYSDIG_DIR Cmake option to specify location for sysdig source code when building falco. [#677] [#679] [#702]

  • New field ka.useragent reports the useragent from k8s audit events. [#709]

  • Add clang formatter for C++ syntax formatting. [#701] [#689]

  • Partial changes towards lua syntax formatting. No particular formatting enforced yet, though. [#718]

  • Partial changes towards yaml syntax formatting. No particular formatting enforced yet, though. [#714]

  • Add cmake syntax formatting. [#703]

  • Token bucket unit tests and redesign. [#692]

  • Update github PR template. [#699]

  • Fix PR template for kind/rule-*. [#697]

Bug Fixes

  • Remove an unused cmake file. [#700]

  • Misc Cmake cleanups. [#673]

  • Misc k8s install docs improvements. [#671]

Rule Changes

  • Allow k8s.gcr.io/kube-proxy image to run privileged. [#717]

  • Add runc to the list of possible container entrypoint parents. [#712]

  • Skip Source RFC 1918 addresses when considering outbound connections. [#685]

  • Add additional user_XXX placeholder macros to allow for easy customization of rule exceptions. [#685]

  • Let weaveworks programs change namespaces. [#685]

  • Add additional openshift images. [#685]

  • Add openshift as a k8s binary. [#678]

  • Add dzdo as a binary that can change users. [#678]

  • Allow azure/calico binaries to change namespaces. [#678]

  • Add back trusted_containers list for backport compatibility [#675]

  • Add mkdirat as a syscall for mkdir operations. [#667]

  • Add container id/repository to rules that can work with containers. [#667]

v0.15.3

Released 2019-06-12

Major Changes

  • None.

Minor Changes

  • None.

Bug Fixes

  • Fix kernel module compilation for kernels < 3.11 [#sysdig/1436]

Rule Changes

  • None.

v0.15.2

Released 2019-06-12

Major Changes

  • New documentation and process handling around issues and pull requests. [#644] [#659] [#664] [#665]

Minor Changes

  • None.

Bug Fixes

  • Fix compilation of eBPF programs on COS (used by GKE) [#sysdig/1431]

Rule Changes

  • Rework exceptions lists for Create Privileged Pod, Create Sensitive Mount Pod, Launch Sensitive Mount Container, Launch Privileged Container rules to use separate specific lists rather than a single "Trusted Containers" list. [#651]

v0.15.1

Released 2019-06-07

Major Changes

  • Drop unnecessary events at the kernel level instead of userspace, which should improve performance [#635]

Minor Changes

  • Add instructions for k8s audit support in >= 1.13 [#608]

  • Fix security issues reported by GitHub on Anchore integration [#592]

  • Several docs/readme improvements [#620] [#616] [#631] [#639] [#642]

  • Better tracking of rule counts per ruleset [#645]

Bug Fixes

  • Handle rule patterns that are invalid regexes [#636]

  • Fix kernel module builds on newer kernels [#646] [#sysdig/1413]

Rule Changes

  • New rule Launch Remote File Copy Tools in Container could be used to identify exfiltration attacks [#600]

  • New rule Create Symlink Over Sensitive Files can help detect attacks like [CVE-2018-15664] [#613] [#637]

  • Let etcd-manager write to /etc/hosts. [#613]

  • Let additional processes spawned by google-accounts-daemon access sensitive files [#593]

  • Add Sematext Monitoring & Logging agents to trusted k8s containers [#594]

  • Add additional coverage for Netcat Remote Code Execution in Container rule. [#617]

  • Fix egrep typo. [#617]

  • Allow Ansible to run using Python 3 [#625]

  • Additional Write below etc exceptions for nginx, rancher [#637] [#648] [#652]

  • Add rules for running with IBM Cloud Kubernetes Service [#634]

v0.15.0

Released 2019-05-13

Major Changes

  • Actions and alerts for dropped events: Falco can now take actions, including sending alerts/logging messages, and/or even exiting Falco, when it detects dropped system call events. Fixes CVE 2019-8339. [#561] [#571]

  • Support for Containerd/CRI-O: Falco now supports containerd/cri-o containers. [#585] [#591] [#599] [#sysdig/1376] [#sysdig/1310] [#sysdig/1399]

  • Perform docker metadata fetches asynchronously: When new containers are discovered, fetch metadata about the container asynchronously, which should significantly reduce the likelihood of dropped system call events. [#sysdig/1326] [#550] [#570]

  • Better syscall event performance: improve algorithm for reading system call events from kernel module to handle busy event streams [#sysdig/1372]

  • HTTP Output: Falco can now send alerts to http endpoints directly without having to use curl. [#523]

  • Move Kubernetes Response Engine to own repo: The Kubernetes Response Engine is now in its own github repository. [#539]

  • Updated Puppet Module: An all-new puppet module compatible with puppet 4 with a smoother installation process and updated package links. [#537] [#543] [#546]

  • RHEL-based falco image: Provide dockerfiles that use RHEL 7 as the base image instead of debian:unstable. [#544]

Minor Changes

  • ISO-8601 Timestamps: Add the ability to write timestamps in ISO-8601 w/ UTC, and use this format by default when running falco in a container [#518]

  • Docker-based builder/tester: You can now build Falco using the falco-builder docker image, and run regression tests using the falco-tester docker image. [#522] [#584]

  • Several small docs changes to improve clarity and readibility [#524] [#540] [#541] [#542]

  • Add instructions on how to enable K8s Audit Logging for kops [#535]

  • Add a "stale issue" bot that marks and eventually closes old issues with no activity [#548]

  • Improvements to sample K8s daemonset/service/etc files [#562]

Bug Fixes

  • Fix regression that broke json output [#581]

  • Fix errors when building via docker from MacOS [#582]

Rule Changes

  • Tag rules using Mitre Attack Framework: Add tags for all relevant rules linking them to the MITRE Attack Framework. We have an associated blog post. [#575] [#578]

  • New rules for additional use cases: New rules Schedule Cron Jobs, Update Package Repository, Remove Bulk Data from Disk, Set Setuid or Setgid bit, Detect bash history deletion, Create Hidden Files or Directories look for additional common follow-on activity you might see from an attacker. [#578] [#580]

  • Allow docker's "exe" (usually part of docker save/load) to write to many filesystem locations [#552]

  • Let puppet write below /etc [#563

  • Add new user_known_write_root_conditions, user_known_non_sudo_setuid_conditions, and user_known_write_monitored_dir_conditions macros to allow those rules to be easily customized in user rules files [#563] [#566]

  • Better coverage and exceptions for rancher [#559]

  • Allow prometheus to write to its conf directory under etc [#564]

  • Better coverage and exceptions for openshift/related tools [#567] [#573]

  • Better coverage for cassandra/kubelet/kops to reduce FPs [#551]

  • Better coverage for docker, openscap to reduce FPs [#573]

  • Better coverage for fluentd/jboss to reduce FPs [#590]

  • Add ash (Alpine Linux-related shell) as a shell binary [#597]

v0.14.0

Released 2019-02-06

Major Changes

  • Rules versioning support: The falco engine and executable now have an engine version that represents the fields they support. Similarly, rules files have an optional required_engine_version: NNN object that names the minimum engine version required to read that rules file. Any time the engine adds new fields, event sources, etc, the engine version will be incremented, and any time a rules file starts using new fields, event sources, etc, the required engine version will be incremented. [#492]

  • Allow SSL for K8s audit endpoint/embedded webserver [#471]

  • Add stale issues bot that automatically flags old github issues as stale after 60 days of inactivity and closes issues after 67 days of inactivity. [#500]

  • Support bundle: When run with --support, falco will print a json object containing necessary information like falco version, command line, operating system information, and falco rules files contents. This could be useful when reporting issues. [#517]

Minor Changes

  • Support new third-party library dependencies from open source sysdig. [#498]

  • Add CII best practices badge. [#499]

  • Fix kernel module builds when running on centos as a container by installing gcc 5 by hand instead of directly from debian/unstable. [#501]

  • Mount /etc when running as a container, which allows container to build kernel module/ebpf program on COS/Minikube. [#475]

  • Improved way to specify the source of generic event objects [#480]

  • Readability/clarity improvements to K8s Audit/K8s Daemonset READMEs. [#503]

  • Add additional RBAC permissions to track deployments/daemonsets/replicasets. [#514]

Bug Fixes

  • Fix formatting of nodejs examples README [#502]

Rule Changes

  • Remove FPs for Launch Sensitive Mount Container rule [#509]

  • Update Container rules/macros to use the more reliable container.image.{repository,tag} that always return the repository/tag of an image instead of container.image, which may not for some docker daemon versions. [#513]

v0.13.1

Released 2019-01-16

Major Changes

Minor Changes

  • Unbuffer outputs by default. This helps make output readable when used in environments like K8s. [#494]

  • Improved documentation for running Falco within K8s and getting K8s Audit Logging to work with Minikube and Falco as a Daemonset within K8s. [#496]

  • Fix AWS Permissions for Kubernetes Response Engine [#465]

  • Tighten compilation flags to include -Wextra and -Werror [#479]

  • Add k8s.ns.name to outputs when -pk argument is used [#472]

  • Remove kubernetes-response-engine from system:masters [#488]

Bug Fixes

  • Ensure -pc/-pk only apply to syscall rules and not k8s_audit rules [#495]

  • Fix a potential crash that could occur when using the falco engine and rulesets [#468]

  • Fix a regression where format output options were mistakenly removed [#485]

Rule Changes

  • Fix FPs related to calico and writing files below etc [#481]

  • Fix FPs related to apt-config/apt-cache, apk [#490]

  • New rules Launch Package Management Process in Container, Netcat Remote Code Execution in Container, Lauch Suspicious Network Tool in Container look for host-level network tools like netcat, package management tools like apt-get, or network tool binaries being run in a container. [#490]

  • Fix the inbound and outbound macros so they work with sendto/recvfrom/sendmsg/recvmsg. [#470]

  • Fix FPs related to prometheus/openshift writing config below /etc. [#470]

v0.13.0

Released 2018-11-09

Major Changes

  • Support for K8s Audit Events : Falco now supports K8s Audit Events as a second stream of events in addition to syscalls. For full details on the feature, see the wiki.

  • Transparent Config/Rule Reloading: On SIGHUP, Falco will now reload all config files/rules files and start processing new events. Allows rules changes without having to restart falco [#457] [#432]

Minor Changes

  • The reference integration of falco into a action engine now supports aws actions like lambda, etc. [#460]

  • Add netcat to falco docker images, which allows easier integration of program outputs to external servers [#456] [#433]

Bug Fixes

  • Links cleanup related to the draios/falco -> falcosecurity/falco move [#447]

  • Properly load/unload kernel module when the falco service is started/stopped [#459] [#418]

Rule Changes

  • Better coverage (e.g. reduced FPs) for critical stack, hids systems, ufw, cloud-init, etc. [#445]

  • New rules Launch Package Management Process in Container, Netcat Remote Code Execution in Container, and Lauch Suspicious Network Tool in Container look for running various suspicious programs in a container. [#461]

  • Misc changes to address false positives in GKE, Istio, etc. [#455] [#439]

v0.12.1

Released 2018-09-11

Bug Fixes

  • Fig regression in libcurl configure script [#416]

v0.12.0

Released 2018-09-11

Major Changes

  • Improved IPv6 Support to fully support use of IPv6 addresses in events, connections and filters [#sysdig/1204]

  • Ability to associate connections with dns names: new filterchecks fd.*ip.name allow looking up the DNS name for a connection's IP address. This can be used to identify or restrict connections by dns names e.g. evt.type=connect and fd.sip.name=github.com. [#412] [#sysdig/1213]

  • New filterchecks user.loginuid and user.loginname can be used to match the login uid, which stays consistent across sudo/su. This can be used to find the actual user running a given process [#sysdig/1189]

Minor Changes

  • Upgrade zlib to 1.2.11, openssl to 1.0.2n, and libcurl to 7.60.0 to address software vulnerabilities [#402]
  • New endswith operator can be used for suffix matching on strings [#sysdig/1209]

Bug Fixes

  • Better control of specifying location of lua source code [#406]

Rule Changes

  • None for this release.

v0.11.1

Released 2018-07-31

Bug Fixes

  • Fix a problem that caused the kernel module to not load on certain kernel versions [#397] [#394]

v0.11.0

Released 2018-07-24

Major Changes

  • EBPF Support (Beta): Falco can now read events via an ebpf program loaded into the kernel instead of the falco-probe kernel module. Full docs here. [#365]

Minor Changes

  • Rules may now have an skip-if-unknown-filter property. If set to true, a rule will be skipped if its condition/output property refers to a filtercheck (e.g. fd.some-new-attibute) that is not present in the current falco version. [#364] [#345]
  • Small changes to Falco COPYING file so github automatically recognizes license [#380]
  • New example integration showing how to connect Falco with Anchore to dynamically create falco rules based on negative scan results [#390]
  • New example integration showing how to connect Falco, nats, and K8s to run flexible "playbooks" based on Falco events [#389]

Bug Fixes

  • Ensure all rules are enabled by default [#379]
  • Fix libcurl compilation problems [#374]
  • Add gcc-6 to docker container, which improves compatibility when building kernel module [#382] [#371]
  • Ensure the /lib/modules symlink to /host/lib/modules is set correctly [#392]

Rule Changes

  • Add additional binary writing programs [#366]
  • Add additional package management programs [#388] [#366]
  • Expand write_below_etc handling for additional programs [#388] [#366]
  • Expand set of programs allowed to write to /etc/pki [#388]
  • Expand set of root written directories/files [#388] [#366]
  • Let pam-config read sensitive files [#388]
  • Add additional trusted containers: openshift, datadog, docker ucp agent, gliderlabs logspout [#388]
  • Let coreos update-ssh-keys write to /home/core/.ssh [#388]
  • Expand coverage for MS OMS [#388] [#387]
  • Expand the set of shell spawning programs [#366]
  • Add additional mysql programs/directories [#366]
  • Let program id open network connections [#366]
  • Opt-in rule for protecting tomcat shell spawns [#366]
  • New rule Write below monitored directory [#366]

v0.10.0

Released 2018-04-24

Major Changes

  • Rules Directory Support: Falco will read rules files from /etc/falco/rules.d in addition to /etc/falco/falco_rules.yaml and /etc/falco/falco_rules.local.yaml. Also, when the argument to -r/falco.yaml rules_file is a directory, falco will read rules files from that directory. [#348] [#187]
  • Properly support all syscalls (e.g. those without parameter extraction by the kernel module) in falco conditions, so they can be included in evt.type=<name> conditions. [#352]
  • When packaged as a container, start building kernel module with gcc 5.0 instead of gcc 4.9. [#331]
  • New example puppet module for falco. [#341] [#115]
  • When signaled with USR1, falco will close/reopen log files. Include a logrotate example that shows how to use this feature for log rotation. [#347] [#266]
  • To improve resource usage, further restrict the set of system calls available to falco [#351] [draios/sysdig#1105]

Minor Changes

  • Add gdb to the development Docker image (sysdig/falco:dev) to aid in debugging. [#323]
  • You can now specify -V multiple times on the command line to validate multiple rules files at once. [#329]
  • When run with -v, falco will print dangling macros/lists that are not used by any rules. [#329]
  • Add an example demonstrating cryptomining attack that exploits an open docker daemon using host mounts. [#336]
  • New falco.yaml option json_include_output_property controls whether the formatted string "output" is included in the json object when json output is enabled. [#342]
  • Centralize testing event types for consideration by falco into a single function [draios/sysdig#1105) [#356]
  • If a rule has an attribute warn_evttypes, falco will not complain about evt.type restrictions on that rule [#355]
  • When run with -i, print all ignored events/syscalls and exit. [#359]

Bug Fixes

  • Minor bug fixes to k8s daemonset configuration. [#325] [#296] [#295]
  • Ensure --validate can be used interchangeably with -V. [#334] [#322]
  • Rule conditions like fd.net can now be used with the in operator e.g. evt.type=connect and fd.net in ("127.0.0.1/24"). [draios/sysdig#1091] [#343]
  • Ensure that keep_alive can be used both with file and program output at the same time. [#335]
  • Make it possible to append to a skipped macro/rule without falco complaining [#346] [#305]
  • Ensure rule order is preserved even when rules do not contain any evt.type restriction. [#354] [#355]

Rule Changes

  • Make it easier to extend the Change thread namespace rule via a user_known_change_thread_namespace_binaries list. [#324]
  • Various FP fixes from users. [#321] [#326] [#344] [#350]
  • New rule Disallowed SSH Connection detects attempts ssh connection attempts to hosts outside of an expected set. In order to be effective, you need to override the macro allowed_ssh_hosts in a user rules file. [#321]
  • New rule Unexpected K8s NodePort Connection detects attempts to contact the K8s NodePort range from a program running inside a container. In order to be effective, you need to override the macro nodeport_containers in a user rules file. [#321]
  • Improve Modify binary dirs rule to work with new syscalls [#353]
  • New rule Unexpected UDP Traffic checks for udp traffic not on a list of expected ports. Somewhat FP-prone, so it must be explicitly enabled by overriding the macro do_unexpected_udp_check in a user rules file. [#320] [#357]

v0.9.0

Released 2018-01-18

Bug Fixes

  • Fix driver incompatibility problems with some linux kernel versions that can disable pagefault tracepoints [#sysdig/1034]
  • Fix OSX Build incompatibility with latest version of libcurl [#291]

Minor Changes

  • Updated the Kubernetes example to provide an additional example: Daemon Set using RBAC and a ConfigMap for configuration. Also expanded the documentation for both the RBAC and non-RBAC examples. [#309]

Rule Changes

  • Refactor the shell-related rules to reduce false positives. These changes significantly decrease the scope of the rules so they trigger only for shells spawned below specific processes instead of anywhere. [#301] [#304]
  • Lots of rule changes based on feedback from Sysdig Secure community [#293] [#298] [#300] [#307] [#315]

v0.8.1

Released 2017-10-10

Bug Fixes

  • Fix packaging to specify correct built-in config file [#288]

v0.8.0

Released 2017-10-10

Important: the location for falco's configuration file has moved from /etc/falco.yaml to /etc/falco/falco.yaml. The default rules file has moved from /etc/falco_rules.yaml to /etc/falco/falco_rules.yaml. In addition, 0.8.0 has added a local ruls file to /etc/falco/falco_rules.local.yaml. See the documentation for more details.

Major Changes

  • Add the ability to append one list to another list by setting an append: true attribute. [#264]
  • Add the ability to append one macro/rule to another list by setting an append: true attribute. [#277]
  • Ensure that falco rules/config files are preserved across package upgrades/removes if modified. [#278]
  • Add the notion of a "local" rules file that should contain modifications to the default falco rules file. [#278]
  • When using json output, separately include the individual templated fields in the json object. [#282]
  • Add the ability to keep a file/program pipe handle open across rule notifications. [#283]
  • New argument -V validates rules file and immediately exits. [#286]

Minor Changes

  • Minor updates to falco example programs [#248] [#275]
  • Also validate macros at rule parse time. [#257]
  • Minor README typo fixes [#276]
  • Add a government CLA (contributor license agreement). [#263]
  • Add ability to only run rules with a priority >= some threshold [#281]
  • Add ability to make output channels unbuffered [#285]

Bug Fixes

  • Fix installation of falco on OSX [#252]
  • Fix a bug that caused the trailing whitespace of a quoted string to be accidentally removed [#254]
  • When multiple sets of kernel headers are installed, find the one for the running kernel [#260]
  • Allow pathnames in rule/macro conditions to contain '.' characters [#262]
  • Fix a bug where a list named "foo" would be substituted even if it were a substring of a longer word like "my_foo" [#258]
  • Remove extra trailing newlines from rule output strings [#265]
  • Improve build pathnames to avoid relative paths when possible [#284]

Rule Changes

  • Significant changes to default ruleset to address FPs. These changes resulted from hundreds of hours of use in actual customer environments. [#247] [#259]
  • Add official gitlab EE docker image to list of known shell spawning images. Thanks @dkerwin! [#270]
  • Add keepalived to list of shell spawning binaries. Thanks @dkerwin! [#269]

v0.7.0

Released 2017-05-30

Major Changes

  • Update the priorities of falco rules to use a wider range of priorities rather than just ERROR/WARNING. More info on the use of priorities in the ruleset can be found here. [#244]

Minor Changes

None.

Bug Fixes

  • Fix typos in various markdown files. Thanks @sublimino! [#241]

Rule Changes

  • Add gitlab-mon as a gitlab binary, which allows it to run shells, etc. Thanks @dkerwin! [#237]
  • A new rule Terminal shell in container" that looks for shells spawned in a container with an attached terminal. [#242]
  • Fix some FPs related to the sysdig monitor agent. [#243]
  • Fix some FPs related to stating containers combined with missed events [#243]

v0.6.1

Released 2017-05-15

Major Changes

None

Minor Changes

  • Small changes to token bucket used to throttle falco events [#234] [#235] [#236] [#238]

Bug Fixes

  • Update the falco driver to work with kernel 4.11 [#829]

Rule Changes

  • Don't allow apache2 to spawn shells in containers [#231] [#232]

v0.6.0

Released 2017-03-29

Major Changes

  • Add the notion of tagged falco rules. Full documentation for this feature is available on the wiki. [#58] [#59] [#60] [#206]
  • Falco now has its own dedicated kernel module. Previously, it would depend on sysdig being installed and would use sysdig's sysdig-probe kernel module. This ensures you can upgrade sysdig and falco without kernel driver compatibility problems. More details on the kernel module and its installation are on the wiki. [#215] [#223] [#224]
  • When providing multiple rules files by specifying `-r' multiple times, make sure that you can override rules/lists/macros. Previously, a list/macro/rule specified in an earlier file could not be overridden in a later file. [#176] [#177]
  • Add example k8s yaml files that show how to run falco as a k8s DaemonSet, and how to run falco-event-generator as a deployment running on one node. [#222] [#225] [#226]
  • Update third party libraries to address security vulnerabilities. [#182]
  • Falco can now be built on OSX. Like sysdig, on OSX it is limited to reading existing trace files. [#210]

Minor Changes

  • Several changes to falco-event-generator to improve usability. [#205]
  • Switch to a formatter cache provided by sysdig code instead of using our own. [#212]
  • Add automated tests that use locally-built docker images. [#188]

Bug Fixes

  • Make sure output strings are not truncated when a given %field expression has a NULL value. [#180] [#181]
  • Allow ASSERTs when running travisci tests. [#199]
  • Fix make dependencies for lyaml. [#204] [#130]
  • (This was a change in sysdig, but affected falco). Prevent hangs when traversing malformed parent thread state. [#208]

Rule Changes

  • Add confd as a program that can write files below /etc and fleetctl as a program that can spawn shells. [#175]
  • Add exechealthz, a k8s liveness checking utility, to the list of shell spawners. [#190]
  • Eliminate FPs related to weekly ubuntu cron jobs. [#192]
  • Allow shells spawned by ansible, and eliminate FPs when managing machines via ansible. [#193] [#196] [#202]
  • Eliminate FPs related to use of other security products. Thanks to @juju4 for the useful rule updates. [#200]
  • Add additional possible locations for denyhosts, add PM2 as a shell spawner. [#202]
  • Add flanneld as a privileged container, improve grouping for the "x running y" macros, allow denyhosts to spawn shells. [#207]
  • Handle systemd changing its name to "(systemd)", add sv (part of runit) as a program that can write below /etc, allow writing to all /dev/tty* files. [#209]
  • Add erl_child_setup as a shell spawner. Thanks to @dkerwin for the useful rule updates. [#218] [#221]
  • Add support for gitlab omnibus containers/pods. Thanks to @dkerwin for the useful rule updates. [#220]

v0.5.0

Released 2016-12-22

Starting with this release, we're adding a new section "Rule Changes" devoted to changes to the default ruleset falco_rules.yaml.

Major Changes

  • Cache event formatting objects so they are not re-created for every falco notification. This can result in significant speedups when the ruleset results in lots of notifications. [#158]
  • Falco notifications are now throttled by a token bucket, preventing a flood of notifications when many events match a rule. Controlled by the outputs, rate and outputs, max_burst options. [#161]

Minor Changes

  • When run from a container, you can provide the environment variable SYSDIG_SKIP_LOAD to skip the process of building/loading the kernel module. Thanks @carlsverre for the fix. [#145]
  • Fully implement USE_BUNDLED_DEPS within CMakeFiles so you can build with external third-party libraries. [#147]
  • Improve error messages that result when trying to load a rule with a malformed output: attribute [#150] [#151]
  • Add the ability to write event capture statistics to a file via the -s <statsfile> option. [#155]
  • New configuration option log_level controls the verbosity of falco's logging. [#160]

Bug Fixes

  • Improve compatibility with Sysdig Cloud Agent build [#148]

Rule Changes

  • Add DNF as non-alerting for RPM and package management. Thanks @djcross for the fix. [#153]
  • Make google_containers/kube-proxy a trusted image, affecting the File Open by Privileged Container/Sensitive Mount by Container rules. [#159]
  • Add fail2ban-server as a program that can spawn shells. Thanks @jcoetzee for the fix. [#168]
  • Add systemd as a program that can access sensitive files. Thanks @jcoetzee for the fix. [#169]
  • Add apt/apt-get as programs that can spawn shells. Thanks @jcoetzee for the fix. [#170]

v0.4.0

Released 2016-10-25

As falco depends heavily on sysdig, many changes here were actually made to sysdig and pulled in as a part of the build process. Issues/PRs starting with sysdig/#XXX are sysdig changes.

Major Changes

  • Improved visibility into containers: ** New filter container.privileged to match containers running in privileged mode [sysdig/#655] [sysdig/#658] ** New rules utilizing privileged state [#121] ** New filters container.mount* to match container mount points [sysdig/#655] ** New rules utilizing container mount points [#120] ** New filter container.image.id to match container image id [sysdig/#661]

  • Improved visibility into orchestration environments: ** New k8s.deployment.* and k8s.rs.* filters to support latest kubernetes features [sysdg/#dbf9b5c] ** Rule changes to avoid FPs when monitoring k8s environments [#138] ** Add new options -pc/-pk/-pm/-k/-m analogous to sysdig command line options. These options pull metadata information from k8s/mesos servers and adjust default falco notification outputs to contain container/orchestration information when applicable. [#131] [#134]

  • Improved ability to work with file pathnames: ** Added glob operator for strings, works as classic shell glob path matcher [sysdig/#653] ** Added pmatch operator to efficiently test a subject pathname against a set of target pathnames, to see if the subject is a prefix of any target [sysdig/#660] [#125]

Minor Changes

  • Add an event generator program that simulates suspicious activity that can be detected by falco. This is also available as a docker image [sysdig/falco-event-generator]. [#113] [#132]
  • Changed rule names to be human readable [#116]
  • Add Copyright notice to all source files [#126]
  • Changes to docker images to make it easier to massage JSON output for webhooks [#133]
  • When run with -v, print statistics on the number of events processed and dropped [#139]
  • Add ability to write trace files with -w. This can be useful to write a trace file in parallel with live event monitoring so you can reproduce it later. [#140]
  • All rules can now take an optional enabled flag. With enabled: false, a rule will not be loaded or run against events. By default all rules are enabled [#119]

Bug Fixes

  • Fixed rule FPs related to docker's docker/dockerd split in 1.12 [#112]
  • Fixed rule FPs related to sysdigcloud agent software [#141]
  • Minor changes to node.js example to avoid falco false positives [#111]
  • Fixed regression that broke configurable outputs [#117]. This was not broken in 0.3.0, just between 0.3.0 and 0.4.0.
  • Fixed a lua stack leak that could cause problems when matching millions of events against a large set of rules [#123]
  • Update docker files to reflect changes to debian:unstable docker image [#124]
  • Fixed logic for detecting config files to ensure config files in /etc/falco.yaml are properly detected [#135] [#136]
  • Don't alert on falco spawning a shell for program output notifications [#137]

v0.3.0

Released 2016-08-05

Major Changes

Significantly improved performance, involving changes in the falco and sysdig repositories:

  • Reordering a rule condition's operators to put likely-to-fail operators at the beginning and expensive operators at the end. [#95] [#104]
  • Adding the ability to perform x in (a, b, c, ...) as a single set membership test instead of individual comparisons between x=a, x=b, etc. [#624] [#98]
  • Avoid unnecessary string manipulations. [#625]
  • Using startswith as a string comparison operator when possible. [#623]
  • Use is_open_read/is_open_write when possible instead of searching through open flags. [#610]
  • Group rules by event type, which allows for an initial filter using event type before going through each rule's condition. [#627] [#101]

All of these changes result in dramatically reduced CPU usage. Here are some comparisons between 0.2.0 and 0.3.0 for the following workloads:

  • Phoronix's pts/apache and pts/dbench tests.
  • Sysdig Cloud Kubernetes Demo: Starts a kubernetes environment using docker with apache and wordpress instances + synthetic workloads.
  • Juttle-engine examples : Several elasticsearch, node.js, logstash, mysql, postgres, influxdb instances run under docker-compose.
Workload 0.2.0 CPU Usage 0.3.0 CPU Usage
pts/apache 24% 7%
pts/dbench 70% 5%
Kubernetes-Demo (Running) 6% 2%
Kubernetes-Demo (During Teardown) 15% 3%
Juttle-examples 3% 1%

As a part of these changes, falco now prefers rule conditions that have at least one evt.type= operator, at the beginning of the condition, before any negative operators (i.e. not or !=). If a condition does not have any evt.type= operator, falco will log a warning like:

Rule no_evttype: warning (no-evttype):
proc.name=foo
     did not contain any evt.type restriction, meaning it will run for all event types.
     This has a significant performance penalty. Consider adding an evt.type restriction if possible.

If a rule has a evt.type operator in the later portion of the condition, falco will log a warning like:

Rule evttype_not_equals: warning (trailing-evttype):
evt.type!=execve
     does not have all evt.type restrictions at the beginning of the condition,
     or uses a negative match (i.e. "not"/"!=") for some evt.type restriction.
     This has a performance penalty, as the rule can not be limited to specific event types.
     Consider moving all evt.type restrictions to the beginning of the rule and/or
     replacing negative matches with positive matches if possible.

Minor Changes

  • Several sets of rule cleanups to reduce false positives. [#95]
  • Add example of how falco can detect abuse of a badly designed REST API. [#97]
  • Add a new output type "program" that writes a formatted event to a configurable program. Each notification results in one invocation of the program. A common use of this output type would be to send an email for every falco notification. [#105] [#99]
  • Add the ability to run falco on all events, including events that are flagged with EF_DROP_FALCO. (These events are high-volume, low-value events that are ignored by default to improve performance). [#107] [#102]

Bug Fixes

  • Add third-party jq library now that sysdig requires it. [#96]

v0.2.0

Released 2016-06-09

For full handling of setsid system calls and session id tracking using proc.sname, falco requires a sysdig version >= 0.10.0.

Major Changes

  • Add TravisCI regression tests. Testing involves a variety of positive, negative, and informational trace files with both plain and json output. [#76] [#83]
  • Fairly big rework of ruleset to improve coverage, reduce false positives, and handle installation environments effectively [#83] [#87]
  • Not directly a code change, but mentioning it here--the Wiki has now been populated with an initial set of articles, migrating content from the README and adding detail when necessary. [#90]

Minor Changes

  • Improve JSON output to include the rule name, full output string, time, and severity [#89]

Bug Fixes

  • Improve CMake quote handling [#84]
  • Remove unnecessary NULL check of a delete [#85]

v0.1.0

Released 2016-05-17

Major Changes

  • Initial release. Subsequent releases will have "Major Changes", "Minor Changes", and "Bug Fixes" sections, with links to github issues/pull requests as appropriate.