github falcosecurity/falco 0.32.0

latest releases: 0.39.1, 0.39.1-rc1, 0.39.0...
2 years ago
Packages Download
rpm rpm
deb deb
tgz tgz
Images
docker pull docker.io/falcosecurity/falco:0.32.0
docker pull public.ecr.aws/falcosecurity/falco:0.32.0
docker pull docker.io/falcosecurity/falco-driver-loader:0.32.0
docker pull docker.io/falcosecurity/falco-no-driver:0.32.0

Major Changes

  • new: added new watch_config_files config option, to trigger a Falco restart whenever a change is detected in the rules or config files [#1991] - @FedeDP
  • new(rules): add rule to detect excessively capable container [#1963] - @loresuso
  • new(rules): add rules to detect pods sharing host pid and IPC namespaces [#1951] - @loresuso
  • new(image): add Falco image based on RedHat UBI [#1943] - @araujof
  • new(falco): add --markdown and --list-syscall-events [#1939] - @LucaGuerra

Minor Changes

  • update(build): updated plugins to latest versions. [#2033] - @FedeDP
  • refactor(userspace/falco): split the currently monolithic falco_init into smaller "actions", managed by the falco application's action manager. [#1953] - @mstemm
  • rules: out of the box ruleset for OKTA Falco Plugin [#1955] - @darryk10
  • update(build): updated libs to 39ae7d40496793cf3d3e7890c9bbdc202263836b [#2031] - @FedeDP
  • update!: moving out plugins ruleset files [#1995] - @leogr
  • update: added hostname as a field in JSON output [#1989] - @Milkshak3s
  • refactor!: remove K8S audit logs from Falco [#1952] - @jasondellaluce
  • refactor(userspace/engine): use supported_operators helper from libsinsp filter parser [#1975] - @jasondellaluce
  • refactor!: deprecate PSP regression tests and warn for unsafe usage of in k8s audit filters [#1976] - @jasondellaluce
  • build(cmake): upgrade catch2 to 2.13.9 [#1977] - @leogr
  • refactor(userspace/engine): reduce memory usage for resolving evttypes [#1965] - @jasondellaluce
  • refactor(userspace/engine): remove Lua from Falco and re-implement the rule loader [#1966] - @jasondellaluce
  • refactor(userspace/engine): decoupling ruleset reading, parsing, and compilation steps [#1970] - @jasondellaluce
  • refactor: update definitions of falco_common [#1967] - @jasondellaluce
  • update: improved Falco engine event processing performance [#1944] - @deepskyblue86
  • refactor(userspace/engine): use libsinsp filter parser and compiler inside rule loader [#1947] - @jasondellaluce

Bug Fixes

  • fix(userspace/engine): skip rules with unknown sources that also have exceptions, and skip macros with unknown sources. [#1920] - @mstemm
  • fix(userspace/falco): enable k8s and mesos clients only when syscall source is enabled [#2019] - @jasondellaluce

Rule Changes

  • rule(Launch Excessively Capable Container): fix typo in description [#1996] - @mmonitz
  • rule(macro: known_shell_spawn_cmdlines): add sh -c /usr/share/lighttpd/create-mime.conf.pl to macro [#1996] - @mmonitz
  • rule(macro net_miner_pool): additional syscall for detection [#2011] - @beryxz
  • rule(macro truncate_shell_history): include .ash_history [#1956] - @bdashrad
  • rule(macro modify_shell_history): include .ash_history [#1956] - @bdashrad
  • rule(Detect release_agent File Container Escapes): new rule created to detect an attempt to exploit a container escape using release_agent file [#1969] - @darryk10
  • rule(k8s: secret): detect get attempts for both successful and unsuccessful attempts [#1949] - @Dentrax
  • rule(K8s Serviceaccount Created/Deleted): Fixed output for the rules [#1973] - @darryk10
  • rule(Disallowed K8s User): exclude allowed EKS users [#1960] - @darryk10
  • rule(Launch Ingress Remote File Copy Tools in Container): Removed use cases not triggering the rule [#1968] - @darryk10
  • rule(Mount Launched in Privileged Container): added allowlist macro user_known_mount_in_privileged_containers. [#1930] - @mmoyerfigma
  • rule(macro user_known_shell_config_modifiers): allow to allowlist shell config modifiers [#1938] - @claudio-vellage

Non user-facing changes

  • new: update plugins [#2023] - @FedeDP
  • update(build): updated libs version for Falco 0.32.0 release. [#2022] - @FedeDP
  • update(build): updated libs to 1be924900a09cf2e4db4b4ae13d03d838959f350 [#2024] - @FedeDP
  • chore(userspace/falco): do not print error code in process_events.cpp [#2030] - @alacuku
  • fix(falco-scripts): remove driver versions with dkms-3.0.3 [#2027] - @Andreagit97
  • chore(userspace/falco): fix punctuation typo in output message when loading plugins [#2026] - @alacuku
  • refactor(userspace): change falco engine design to properly support multiple sources [#2017] - @jasondellaluce
  • update(userspace/falco): improve falco termination [#2012] - @Andreagit97
  • update(userspace/engine): introduce new check_plugin_requirements API [#2009] - @Andreagit97
  • fix(userspace/engine): improve rule loader source checks [#2010] - @Andreagit97
  • fix: split filterchecks per source-idx [#1999] - @FedeDP
  • new: port CI builds to github actions [#2000] - @FedeDP
  • build(userspace/engine): cleanup unused include dir [#1987] - @leogr
  • rule(Anonymous Request Allowed): exclude {/livez, /readyz} [#1954] - @sledigabel
  • chore(falco_scripts): Update falco-driver-loader cleaning phase [#1950] - @Andreagit97
  • new(userspace/falco): use new plugin caps API [#1982] - @FedeDP
  • build: correct conffiles for DEB packages [#1980] - @leogr
  • Fix exception parsing regressions [#1985] - @mstemm
  • Add codespell GitHub Action [#1962] - @invidian
  • build: components opt-in mechanism for packages [#1979] - @leogr
  • add gVisor to ADOPTERS.md [#1974] - @kevinGC
  • rules: whitelist GCP's container threat detection image [#1959] - @clmssz
  • Fix some typos [#1961] - @invidian
  • chore(rules): remove leftover [#1958] - @leogr
  • docs: readme update and plugins [#1940] - @leogr

Statistics

Merged PRs Number
Not user-facing 27
Release note 34
Total 61

Release Manager @FedeDP

Don't miss a new falco release

NewReleases is sending notifications on new releases.