Packages | Download |
---|---|
rpm-x86_64 | |
deb-x86_64 | |
tgz-x86_64 | |
rpm-aarch64 | |
deb-aarch64 | |
tgz-aarch64 | |
Images |
---|
`docker pull docker.io/falcosecurity/falco:0.34.0` |
`docker pull public.ecr.aws/falcosecurity/falco:0.34.0` |
`docker pull docker.io/falcosecurity/falco-driver-loader:0.34.0` |
`docker pull docker.io/falcosecurity/falco-no-driver:0.34.0` |
`docker pull docker.io/falcosecurity/falcoctl:0.4.0` |
Major Changes
- BREAKING CHANGE: if you relied upon `application_rules.yaml` you can download it from https://github.com/falcosecurity/rules/tree/main/rules and manually install it. [#2389] - @leogr
- new(rules): New rule to detect attempts to inject code into a process using PTRACE [#2226] - @Brucedh
- new(engine): Also include exact locations for rule condition compile errors (missing macros, etc). [#2216] - @mstemm
- new(scripts): Support older RHEL distros in falco-driver-loader script [#2312] - @gentooise
- new(scripts): add `falcoctl` config into Falco package [#2390] - @Andreagit97
- new(userspace/falco): [EXPERIMENTAL] allow modern bpf probe to assign more than one CPU to a single ring buffer [#2363] - @Andreagit97
- new(userspace/falco): add webserver endpoint for retrieving internal version numbers [#2356] - @jasondellaluce
- new(falco): add --version-json to print version information in json format [#2331] - @LucaGuerra
- new(scripts): support multiple drivers in systemd units [#2242] - @FedeDP
- new(scripts): add bottlerocket support in falco-driver-loader [#2318] - @FedeDP
- new(falco): add more version fields to --support and --version [#2325] - @LucaGuerra
- new(config): explicitly add the `simulate_drops` config [#2260] - @Andreagit97
Minor Changes
- build: upgrade to `falcoctl` v0.4.0 [#2406] - @loresuso
- update(userspace): change `modern_bpf.cpus_for_each_syscall_buffer` default value [#2404] - @Andreagit97
- update(build): update falcoctl to 0.3.0 [#2401] - @LucaGuerra
- update(build): update falcoctl to 0.3.0-rc7 [#2396] - @LucaGuerra
- update(cmake): bump libs to 0.10.3 [#2392] - @FedeDP
- build: `/etc/falco/rules.available` has been deprecated [#2389] - @leogr
- build: `application_rules.yaml` is not shipped anymore with Falco [#2389] - @leogr
- build: upgrade k8saudit plugin to v0.5.0 [#2381] - @leogr
- build: upgrade cloudtrail plugin to v0.6.0 [#2381] - @leogr
- new!: ship falcoctl inside Falco [#2345] - @FedeDP
- refactor: remove rules and add submodule to falcosecurity/rules [#2359] - @jasondellaluce
- update(scripts): add option for regenerating signatures of all dev and release packages [#2364] - @jasondellaluce
- update: print JSON version output when json_output is enabled [#2351] - @jasondellaluce
- update(cmake): updated libs to 0.10.1 tag. [#2362] - @FedeDP
- Install the certificates of authorities in falco:no-driver docker image [#2355] - @Issif
- update: Mesos support is now deprecated and will be removed in the next version. [#2328] - @leogr
- update(scripts/falco-driver-loader): optimize the resiliency of module download script for air-gapped environments [#2336] - @Dentrax
- doc(userspace): provide users with a correct message when some syscalls are not defined [#2329] - @Andreagit97
- update(ci): update ci jobs to generate Falco images with the modern BPF probe [#2320] - @Andreagit97
- rules: add Falco container lists [#2290] - @oscr
- rules(macro: private_key_or_password): now also check for OpenSSH private keys [#2284] - @oscr
- update(cmake): bump libs and driver to latest RC. [#2302] - @FedeDP
- Ensure that a ruleset object is copied properly in falco_engine::add_source(). [#2271] - @mstemm
- update(userspace/falco): enable using zlib with webserver [#2125] - @jasondellaluce
- update(falco): add container-gvisor and kubernetes-gvisor print options [#2288] - @LucaGuerra
- cleanup: always use bundled libz and libelf in BUNDLED_DEPS mode. [#2277] - @FedeDP
- update: updated libs and driver to version dd443b67c6b04464cb8ee2771af8ada8777e7fac [#2277] - @FedeDP
- update(falco.yaml): `open_params` under plugins configuration is now trimmed from surrounding whitespace [#2267] - @yardenshoham
Bug Fixes
- fix(engine): Avoid crash related to caching syscall source when the falco engine uses multiple sources at the same time. [#2272] - @mstemm
- fix(scripts): use falco-driver-loader only into install scripts [#2391] - @Andreagit97
- fix(userspace/falco): fix grpc server shutdown [#2350] - @FedeDP
- fix(docker/falco): trust latest GPG key [#2365] - @jasondellaluce
- fix(userspace/engine): improve rule loading validation results [#2344] - @jasondellaluce
- fix: graceful error handling for macros/lists reference loops [#2311] - @jasondellaluce
Rule Changes
- rules(tagging): enhanced rules tagging for inventory / threat modeling [#2167] - @incertum
- rule(Outbound Connection to C2 Server): Update the "Outbound connection to C2 server" rule to match both FQDN and IP addresses. Prior to this change, the rule only matched IP addresses and not FQDN. [#2241] - @Nicolas-Peiffer
- rule(Execution from /dev/shm): new rule to detect execution from /dev/shm [#2225] - @AlbertoPellitteri
- rule(Find AWS Credentials): new rule to detect executions looking for AWS credentials [#2224] - @AlbertoPellitteri
- rule(Linux Kernel Module Injection Detected): improve insmod detection within container using CAP_SYS_MODULE [#2305] - @loresuso
- rule(Read sensitive file untrusted): let salt-call read sensitive files [#2291] - @vin01
- rule(macro: rpm_procs): let salt-call write to rpm database [#2291] - @vin01
Non user-facing changes
- fix(ci): fix rpm sign job dependencies [#2324] - @cappellinsamuele
- chore(userspace): add `njson` lib as a dependency for `falco_engine` [#2316] - @Andreagit97
- fix(scripts): force rpm postinstall script to always show dialog, even on upgrade [#2405] - @FedeDP
- fix(scripts): fixed falcoctl config install dir. [#2399] - @FedeDP
- fix(scripts): make /usr writable [#2398] - @therealbobo
- fix(scripts): driver loader insmod [#2388] - @FedeDP
- update(systemd): solve some issues with systemd unit [#2385] - @Andreagit97
- build(cmake): upgrade falcoctl to v0.3.0-rc6 [#2383] - @leogr
- docs(.github): rules are no longer in this repo [#2382] - @leogr
- update(CI): mitigate frequent failure in CircleCI jobs [#2375] - @Andreagit97
- fix(userspace): use the right path for the `cpus_for_each_syscall_buffer` config [#2378] - @Andreagit97
- fix(scripts): fixed incorrect bash var expansion [#2367] - @therealbobo
- update(CI): upgrade toolchain in modern falco builder dockerfile [#2337] - @Andreagit97
- cleanup(ci): move static analysis job from circle CI to GHA [#2332] - @Andreagit97
- update(falco): update cpp-httplib to 0.11.3 [#2327] - @LucaGuerra
- update(script): makes user able to pass custom option to driver-loade… [#1901] - @andreabonanno
- cleanup(ci): remove some unused jobs and remove some `falco-builder` reference where possible [#2322] - @Andreagit97
- docs(proposal): new artifacts distribution proposal [#2304] - @leogr
- fix(cmake): properly fetch dev version by appending latest Falco tag, delta between master and tag, and hash [#2292] - @FedeDP
- chore(deps): Bump certifi from 2020.4.5.1 to 2022.12.7 in /test [#2313] - @dependabot[bot]
- chore: remove string view lite [#2307] - @leogr
- new(CHANGELOG): add entry for 0.33.1 (in master branch this time) [#2303] - @LucaGuerra
- update(docs): add overview and versioning sections to falco release.md [#2205] - @incertum
- Add Xenit AB to adopters [#2285] - @NissesSenap
- fix(userspace/falco): verify engine fields only for syscalls [#2281] - @jasondellaluce
- fix(output): do not print syscall_buffer_size when gvisor is enabled [#2283] - @alacuku
- fix(engine): fix warning about redundant std::move [#2286] - @LucaGuerra
- fix(scripts): force falco-driver-loader script to try to compile the driver anyway even on unsupported platforms [#2219] - @FedeDP
- fix(ci): fixed version bucket for release jobs. [#2266] - @FedeDP
- fix(cmake): fixed tag fetching fallback (that is indeed needed) [#2409] - @FedeDP
Statistics
Merged PRs | Number |
---|---|
Not user-facing | 30 |
Release note | 53 |
Total | 83 |