Packages | Download |
---|---|
rpm | |
deb | |
tgz | |

Images |
---|
`docker pull docker.io/falcosecurity/falco:0.28.0` |
`docker pull public.ecr.aws/falcosecurity/falco:0.28.0` |
`docker pull docker.io/falcosecurity/falco-driver-loader:0.28.0` |
`docker pull docker.io/falcosecurity/falco-no-driver:0.28.0` |

Major Changes
- BREAKING CHANGE: Bintray is deprecated, no new packages will be published at https://dl.bintray.com/falcosecurity/ [#1577] - @leogr
- BREAKING CHANGE: SKIP_MODULE_LOAD env variable no longer disables the driver loading (use SKIP_DRIVER_LOADER env variable introduced in Falco 0.24) [#1599] - @leodido
- BREAKING CHANGE: the init.d service unit is not shipped anymore in deb/rpm packages in favor of a systemd service file [#1448] - @jenting
- new: add support for exceptions as rule attributes to provide a compact way to add exceptions to Falco rules [#1427] - @mstemm
- new: falco-no-driver container images on AWS ECR gallery (https://gallery.ecr.aws/falcosecurity/falco-no-driver) [#1519] - @jonahjon
- new: falco-driver-loader container images on AWS ECR gallery (https://gallery.ecr.aws/falcosecurity/falco-driver-loader) [#1519] - @jonahjon
- new: add healthz endpoint to the webserver [#1546] - @cpanato
- new: introduce a new configuration field `syscall_event_drops.threshold` to tune the drop noisiness [#1586] - @leodido
- new: falco-driver-loader script can get a custom driver name from DRIVER_NAME env variable [#1488] - @leodido
- new: falco-driver-loader knows the Falco version [#1488] - @leodido
Minor Changes
- docs(proposals): libraries and drivers donation [#1530] - @leodido
- docs(docker): update links to the new Falco website URLs [#1545] - @cpanato
- docs(test): update links to new Falco website URLs [#1563] - @shane-lawrence
- build: now Falco packages are published at https://download.falco.org [#1577] - @leogr
- update: lower the `syscall_event_drops.max_burst` default value to 1 [#1586] - @leodido
- update: falco-driver-loader tries to download a Falco driver before compiling it on the fly for the host [#1599] - @leodido
- docs(test): document the prerequisites for running the integration test suite locally [#1609] - @fntlnz
- update: Debian/RPM package migrated from init to systemd [#1448] - @jenting
Bug Fixes
- fix(userspace/engine): properly handle field extraction over lists of containers when not all containers match the specified sub-properties [#1601] - @mstemm
- fix(docker/falco): add flex and bison dependency to container image [#1562] - @schans
- fix: ignore action can not be used with log and alert ones (`syscall_event_drops` config) [#1586] - @leodido
- fix(userspace/engine): allows fields starting with numbers to be parsed properly [#1598] - @mstemm
Rule Changes
- rule(Write below monitored dir): improve rule description [#1588] - @stevenshuang
- rule(macro allowed_aws_eks_registry_root): macro to match the official eks registry [#1555] - @ismailyenigul
- rule(macro aws_eks_image): match aws image repository for eks [#1555] - @ismailyenigul
- rule(macro aws_eks_image_sensitive_mount): match aws cni images [#1555] - @ismailyenigul
- rule(macro k8s_containers): include fluent/fluentd-kubernetes-daemonset and prom/prometheus [#1555] - @ismailyenigul
- rule(Launch Privileged Container): exclude aws_eks_image [#1555] - @ismailyenigul
- rule(Launch Sensitive Mount Container): exclude aws_eks_image_sensitive_mount [#1555] - @ismailyenigul
- rule(Debugfs Launched in Privileged Container): new rule [#1583] - @Kaizhe
- rule(Mount Launched in Privileged Container): new rule [#1583] - @Kaizhe
- rule(Set Setuid or Setgid bit): add k3s-agent in the whitelist [#1583] - @Kaizhe
- rule(macro user_ssh_directory): using glob operator [#1560] - @shane-lawrence
- rule(list falco_sensitive_mount_containers): added image exceptions for IBM cloud [#1337] - @nibalizer
- rule(list rpm_binaries): add rhsmcertd [#1385] - @epcim
- rule(list deb_binaries): add apt.systemd.daily [#1385] - @epcim
- rule(Sudo Potential Privilege Escalation): new rule created to detect CVE-2021-3156 [#1543] - @darryk10
- rule(list allowed_k8s_users): add `eks:node-manager` [#1536] - @ismailyenigul
- rule(list mysql_mgmt_binaries): removed [#1602] - @fntlnz
- rule(list db_mgmt_binaries): removed [#1602] - @fntlnz
- rule(macro parent_ansible_running_python): removed [#1602] - @fntlnz
- rule(macro parent_bro_running_python): removed [#1602] - @fntlnz
- rule(macro parent_python_running_denyhosts): removed [#1602] - @fntlnz
- rule(macro parent_linux_image_upgrade_script): removed [#1602] - @fntlnz
- rule(macro parent_java_running_echo): removed [#1602] - @fntlnz
- rule(macro parent_scripting_running_builds): removed [#1602] - @fntlnz
- rule(macro parent_Xvfb_running_xkbcomp): removed [#1602] - @fntlnz
- rule(macro parent_nginx_running_serf): removed [#1602] - @fntlnz
- rule(macro parent_node_running_npm): removed [#1602] - @fntlnz
- rule(macro parent_java_running_sbt): removed [#1602] - @fntlnz
- rule(list known_container_shell_spawn_cmdlines): removed [#1602] - @fntlnz
- rule(list known_shell_spawn_binaries): removed [#1602] - @fntlnz
- rule(macro run_by_puppet): removed [#1602] - @fntlnz
- rule(macro user_privileged_containers): removed [#1602] - @fntlnz
- rule(list rancher_images): removed [#1602] - @fntlnz
- rule(list images_allow_network_outside_subnet): removed [#1602] - @fntlnz
- rule(macro parent_python_running_sdchecks): removed [#1602] - @fntlnz
- rule(macro trusted_containers): removed [#1602] - @fntlnz
- rule(list authorized_server_binaries): removed [#1602] - @fntlnz
Non user-facing changes
- chore(test): replace bucket url with official distribution url [#1608] - @fntlnz
- adding asapp as an adopter [#1611] - @Stuxend
- update: fixtures URLs [#1603] - @leogr
- cleanup publishing jobs [#1596] - @leogr
- fix(falco/test): bump pyyaml from 5.3.1 to 5.4 [#1595] - @leodido
- fix(.circleci): tar must be present in the image [#1594] - @leogr
- fix: publishing jobs [#1591] - @leogr
- Pocteo as an adopter [#1574] - @pocteo-labs
- build: fetch build deps from download.falco.org [#1572] - @leogr
- adding shapesecurity to adopters [#1566] - @irivera007
- Use default pip version to get avocado version [#1565] - @shane-lawrence
- Added Swissblock to list of adopters [#1551] - @bygui86
- Fix various typos in markdown files. [#1514] - @didier-durand
- docs: move governance to falcosecurity/.github [#1524] - @leogr
- ci: fix missing infra context to publish stable Falco packages [#1615] - @leodido
Statistics
Merged PRs | Number |
---|---|
Not user-facing | 17 |
Release note | 24 |
Total | 41 |