falcosecurity/falco 0.28.0

on GitHub

Packages	Download
rpm
deb
tgz

Major Changes

• BREAKING CHANGE: Bintray is deprecated, no new packages will be published at https://dl.bintray.com/falcosecurity/ [#1577] - @leogr
• BREAKING CHANGE: SKIP_MODULE_LOAD env variable no more disables the driver loading (use SKIP_DRIVER_LOADER env variable introduced in Falco 0.24) [#1599] - @leodido
• BREAKING CHANGE: the init.d service unit is not shipped anymore in deb/rpm packages in favor of a systemd service file [#1448] - @jenting
• new: add support for exceptions as rule attributes to provide a compact way to add exceptions to Falco rules [#1427] - @mstemm
• new: falco-no-driver container images on AWS ECR gallery (https://gallery.ecr.aws/falcosecurity/falco-no-driver) [#1519] - @jonahjon
• new: falco-driver-loader container images on AWS ECR gallery (https://gallery.ecr.aws/falcosecurity/falco-driver-loader) [#1519] - @jonahjon
• new: add healthz endpoint to the webserver [#1546] - @cpanato
• new: introduce a new configuration field syscall_event_drops.threshold to tune the drop noisiness [#1586] - @leodido
• new: falco-driver-loader script can get a custom driver name from DRIVER_NAME env variable [#1488] - @leodido
• new: falco-driver-loader know the Falco version [#1488] - @leodido

Minor Changes

• docs(proposals): libraries and drivers donation [#1530] - @leodido
• docs(docker): update links to the new Falco website URLs [#1545] - @cpanato
• docs(test): update links to new Falco website URLs [#1563] - @shane-lawrence
• build: now Falco packages are published at https://download.falco.org [#1577] - @leogr
• update: lower the syscall_event_drops.max_burst default value to 1 [#1586] - @leodido
• update: falco-driver-loader tries to download a Falco driver before then compiling it on the fly for the host [#1599] - @leodido
• docs(test): document the prerequisites for running the integration test suite locally [#1609] - @fntlnz
• update: Debian/RPM package migrated from init to systemd [#1448] - @jenting

Bug Fixes

• fix(userspace/engine): properly handle field extraction over lists of containers when not all containers match the specified sub-properties [#1601] - @mstemm
• fix(docker/falco): add flex and bison dependency to container image [#1562] - @schans
• fix: ignore action can not be used with log and alert ones (syscall_event_drops config) [#1586] - @leodido
• fix(userspace/engine): allows fields starting with numbers to be parsed properly [#1598] - @mstemm

Rule Changes

• rule(Write below monitored dir): improve rule description [#1588] - @stevenshuang
• rule(macro allowed_aws_eks_registry_root): macro to match the official eks registry [#1555] - @ismailyenigul
• rule(macro aws_eks_image): match aws image repository for eks [#1555] - @ismailyenigul
• rule(macro aws_eks_image_sensitive_mount): match aws cni images [#1555] - @ismailyenigul
• rule(macro k8s_containers): include fluent/fluentd-kubernetes-daemonset and prom/prometheus [#1555] - @ismailyenigul
• rule(Launch Privileged Container): exclude aws_eks_image [#1555] - @ismailyenigul
• rule(Launch Sensitive Mount Container): exclude aws_eks_image_sensitive_mount [#1555] - @ismailyenigul
• rule(Debugfs Launched in Privileged Container): new rule [#1583] - @Kaizhe
• rule(Mount Launched in Privileged Container): new rule [#1583] - @Kaizhe
• rule(Set Setuid or Setgid bit): add k3s-agent in the whitelist [#1583] - @Kaizhe
• rule(macro user_ssh_directory): using glob operator [#1560] - @shane-lawrence
• rule(list falco_sensitive_mount_containers): added image exceptions for IBM cloud [#1337] - @nibalizer
• rule(list rpm_binaries): add rhsmcertd [#1385] - @epcim
• rule(list deb_binaries): add apt.systemd.daily [#1385] - @epcim
• rule(Sudo Potential Privilege Escalation): new rule created to detect CVE-2021-3156 [#1543] - @darryk10
• rule(list allowed_k8s_users): add eks:node-manager [#1536] - @ismailyenigul
• rule(list mysql_mgmt_binaries): removed [#1602] - @fntlnz
• rule(list db_mgmt_binaries): removed [#1602] - @fntlnz
• rule(macro parent_ansible_running_python): removed [#1602] - @fntlnz
• rule(macro parent_bro_running_python): removed [#1602] - @fntlnz
• rule(macro parent_python_running_denyhosts): removed [#1602] - @fntlnz
• rule(macro parent_linux_image_upgrade_script): removed [#1602] - @fntlnz
• rule(macro parent_java_running_echo): removed [#1602] - @fntlnz
• rule(macro parent_scripting_running_builds): removed [#1602] - @fntlnz
• rule(macro parent_Xvfb_running_xkbcomp): removed [#1602] - @fntlnz
• rule(macro parent_nginx_running_serf): removed [#1602] - @fntlnz
• rule(macro parent_node_running_npm): removed [#1602] - @fntlnz
• rule(macro parent_java_running_sbt): removed [#1602] - @fntlnz
• rule(list known_container_shell_spawn_cmdlines): removed [#1602] - @fntlnz
• rule(list known_shell_spawn_binaries): removed [#1602] - @fntlnz
• rule(macro run_by_puppet): removed [#1602] - @fntlnz
• rule(macro user_privileged_containers): removed [#1602] - @fntlnz
• rule(list rancher_images): removed [#1602] - @fntlnz
• rule(list images_allow_network_outside_subnet): removed [#1602] - @fntlnz
• rule(macro parent_python_running_sdchecks): removed [#1602] - @fntlnz
• rule(macro trusted_containers): removed [#1602] - @fntlnz
• rule(list authorized_server_binaries): removed [#1602] - @fntlnz

Non user-facing changes

• chore(test): replace bucket url with official distribution url [#1608] - @fntlnz
• adding asapp as an adopter [#1611] - @Stuxend
• update: fixtures URLs [#1603] - @leogr
• cleanup publishing jobs [#1596] - @leogr
• fix(falco/test): bump pyyaml from 5.3.1 to 5.4 [#1595] - @leodido
• fix(.circleci): tar must be present in the image [#1594] - @leogr
• fix: publishing jobs [#1591] - @leogr
• Pocteo as an adopter [#1574] - @pocteo-labs
• build: fetch build deps from download.falco.org [#1572] - @leogr
• adding shapesecurity to adopters [#1566] - @irivera007
• Use default pip version to get avocado version [#1565] - @shane-lawrence
• Added Swissblock to list of adopters [#1551] - @bygui86
• Fix various typos in markdown files. [#1514] - @didier-durand
• docs: move governance to falcosecurity/.github [#1524] - @leogr
• ci: fix missing infra context to publish stable Falco packages [#1615] - @leodido

Statistics