Packages | Download |
---|---|
rpm | |
deb | |
tgz | |

Images |
---|
`docker pull docker.io/falcosecurity/falco:0.32.0` |
`docker pull public.ecr.aws/falcosecurity/falco:0.32.0` |
`docker pull docker.io/falcosecurity/falco-driver-loader:0.32.0` |
`docker pull docker.io/falcosecurity/falco-no-driver:0.32.0` |

Major Changes
- new: added new `watch_config_files` config option, to trigger a Falco restart whenever a change is detected in the rules or config files [#1991] - @FedeDP
- new(rules): add rule to detect excessively capable container [#1963] - @loresuso
- new(rules): add rules to detect pods sharing host pid and IPC namespaces [#1951] - @loresuso
- new(image): add Falco image based on RedHat UBI [#1943] - @araujof
- new(falco): add --markdown and --list-syscall-events [#1939] - @LucaGuerra
Minor Changes
- update(build): updated plugins to latest versions. [#2033] - @FedeDP
- refactor(userspace/falco): split the currently monolithic falco_init into smaller "actions", managed by the falco application's action manager. [#1953] - @mstemm
- rules: out of the box ruleset for OKTA Falco Plugin [#1955] - @darryk10
- update(build): updated libs to 39ae7d40496793cf3d3e7890c9bbdc202263836b [#2031] - @FedeDP
- update!: moving out plugins ruleset files [#1995] - @leogr
- update: added `hostname` as a field in JSON output [#1989] - @Milkshak3s
- refactor!: remove K8S audit logs from Falco [#1952] - @jasondellaluce
- refactor(userspace/engine): use supported_operators helper from libsinsp filter parser [#1975] - @jasondellaluce
- refactor!: deprecate PSP regression tests and warn for unsafe usage of in k8s audit filters [#1976] - @jasondellaluce
- build(cmake): upgrade catch2 to 2.13.9 [#1977] - @leogr
- refactor(userspace/engine): reduce memory usage for resolving evttypes [#1965] - @jasondellaluce
- refactor(userspace/engine): remove Lua from Falco and re-implement the rule loader [#1966] - @jasondellaluce
- refactor(userspace/engine): decoupling ruleset reading, parsing, and compilation steps [#1970] - @jasondellaluce
- refactor: update definitions of falco_common [#1967] - @jasondellaluce
- update: improved Falco engine event processing performance [#1944] - @deepskyblue86
- refactor(userspace/engine): use libsinsp filter parser and compiler inside rule loader [#1947] - @jasondellaluce
Bug Fixes
- fix(userspace/engine): skip rules with unknown sources that also have exceptions, and skip macros with unknown sources. [#1920] - @mstemm
- fix(userspace/falco): enable k8s and mesos clients only when syscall source is enabled [#2019] - @jasondellaluce
Rule Changes
- rule(Launch Excessively Capable Container): fix typo in description [#1996] - @mmonitz
- rule(macro: known_shell_spawn_cmdlines): add `sh -c /usr/share/lighttpd/create-mime.conf.pl` to macro [#1996] - @mmonitz
- rule(macro net_miner_pool): additional syscall for detection [#2011] - @beryxz
- rule(macro truncate_shell_history): include .ash_history [#1956] - @bdashrad
- rule(macro modify_shell_history): include .ash_history [#1956] - @bdashrad
- rule(Detect release_agent File Container Escapes): new rule created to detect an attempt to exploit a container escape using release_agent file [#1969] - @darryk10
- rule(k8s: secret): detect `get` attempts for both successful and unsuccessful attempts [#1949] - @Dentrax
- rule(K8s Serviceaccount Created/Deleted): Fixed output for the rules [#1973] - @darryk10
- rule(Disallowed K8s User): exclude allowed EKS users [#1960] - @darryk10
- rule(Launch Ingress Remote File Copy Tools in Container): Removed use cases not triggering the rule [#1968] - @darryk10
- rule(Mount Launched in Privileged Container): added allowlist macro user_known_mount_in_privileged_containers. [#1930] - @mmoyerfigma
- rule(macro user_known_shell_config_modifiers): allow to allowlist shell config modifiers [#1938] - @claudio-vellage
Non user-facing changes
- new: update plugins [#2023] - @FedeDP
- update(build): updated libs version for Falco 0.32.0 release. [#2022] - @FedeDP
- update(build): updated libs to 1be924900a09cf2e4db4b4ae13d03d838959f350 [#2024] - @FedeDP
- chore(userspace/falco): do not print error code in process_events.cpp [#2030] - @alacuku
- fix(falco-scripts): remove driver versions with `dkms-3.0.3` [#2027] - @Andreagit97
- chore(userspace/falco): fix punctuation typo in output message when loading plugins [#2026] - @alacuku
- refactor(userspace): change falco engine design to properly support multiple sources [#2017] - @jasondellaluce
- update(userspace/falco): improve falco termination [#2012] - @Andreagit97
- update(userspace/engine): introduce new `check_plugin_requirements` API [#2009] - @Andreagit97
- fix(userspace/engine): improve rule loader source checks [#2010] - @Andreagit97
- fix: split filterchecks per source-idx [#1999] - @FedeDP
- new: port CI builds to github actions [#2000] - @FedeDP
- build(userspace/engine): cleanup unused include dir [#1987] - @leogr
- rule(Anonymous Request Allowed): exclude {/livez, /readyz} [#1954] - @sledigabel
- chore(falco_scripts): Update `falco-driver-loader` cleaning phase [#1950] - @Andreagit97
- new(userspace/falco): use new plugin caps API [#1982] - @FedeDP
- build: correct conffiles for DEB packages [#1980] - @leogr
- Fix exception parsing regressions [#1985] - @mstemm
- Add codespell GitHub Action [#1962] - @invidian
- build: components opt-in mechanism for packages [#1979] - @leogr
- add gVisor to ADOPTERS.md [#1974] - @kevinGC
- rules: whitelist GCP's container threat detection image [#1959] - @clmssz
- Fix some typos [#1961] - @invidian
- chore(rules): remove leftover [#1958] - @leogr
- docs: readme update and plugins [#1940] - @leogr
Statistics
Merged PRs | Number |
---|---|
Not user-facing | 27 |
Release note | 34 |
Total | 61 |