Packages | Download |
---|---|
rpm-x86_64 | |
deb-x86_64 | |
tgz-x86_64 | |
rpm-aarch64 | |
deb-aarch64 | |
tgz-aarch64 | |
Images |
---|
docker pull docker.io/falcosecurity/falco:0.36.0 |
docker pull public.ecr.aws/falcosecurity/falco:0.36.0 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.36.0 |
docker pull docker.io/falcosecurity/falco-driver-loader-legacy:0.36.0 |
docker pull docker.io/falcosecurity/falco-no-driver:0.36.0 |
docker pull docker.io/falcosecurity/falco-distroless:0.36.0 |
v0.36.0
Released on 2023-09-26
Breaking Changes ⚠️
- The default rules file that is shipped in the Falco image and/or can be downloaded via falcoctl as `falco-rules` is now a stable rule file. This file contains a much smaller number of rules that are less noisy and have been vetted by the community. This serves as a much requested "starter" Falco rule set that covers many common use cases. The rest of that file has been expanded and split into `falco-incubating-rules` and `falco-sandbox-rules`. For more information, see the rules repository.
- The main `falcosecurity/falco` container image and its `falco-driver-loader` counterpart have been upgraded. They can now compile the kernel module or classic eBPF probe for relatively newer versions of the kernel (5.x and above), while we no longer ship toolchains to compile the kernel module for older versions in the default images. Downloading of prebuilt drivers and the modern eBPF will work exactly like before. The older image, meant for compatibility with older kernels (4.x and below), is currently retained as `falcosecurity/falco-driver-loader-legacy`.
- The Falco HTTP output no longer logs to stdout by default for performance reasons. You can set stdout logging preferences and restore the previous behavior with the configuration option `http_output.echo` in `falco.yaml`.
- The `--list-syscall-events` command line option has been replaced by `--list-events`, which prints all supported system events (syscall, tracepoints, metaevents, internal plugin events) in addition to extra information about flags.
- The semantics of `proc.exepath` have changed. Now that field contains the executable path on disk even if the binary was launched from a symbolic link.
- The `-d` daemonize option has been removed.
- The `stats` command line option (`-s`, `--stats-interval`) has been removed in favor of metrics configs in `falco.yaml`.
- The `-p` option is now changed:
  - when only `-pc` is set Falco will print `container_id=%container.id container_image=%container.image.repository container_image_tag=%container.image.tag container_name=%container.name`
  - when `-pk` is set it will print as above, but with `k8s_ns=%k8s.ns.name k8s_pod_name=%k8s.pod.name` appended
Major Changes
- new(falco-driver-loader): --source-only now prints the values as env vars [#2353] - @steakunderscore
- new(docker): allow passing options to falco-driver-loader from the driver loader container [#2781] - @LucaGuerra
- new(docker): add experimental falco-distroless image based on Wolfi [#2768] - @LucaGuerra
- new: the legacy falco image is available as driver-loader-legacy [#2718] - @LucaGuerra
- new: added option to enable/disable echoing of server answer to stdout (disabled by default) when using HTTP output [#2602] - @FedeDP
- new: support systemctl reload for Falco services [#2588] - @jabdr
- new(falco/config): add new configurations for http_output that allow mTLS [#2633] - @annadorottya
- new: allow falco to match multiple rules on same event [#2705] - @loresuso
Minor Changes
- update(cmake): bumped bundled falcoctl to 0.6.2 [#2829] - @FedeDP
- update(rules)!: major rule update to version 2.0.0 [#2823] - @LucaGuerra
- update(cmake): bumped plugins to latest stable versions [#2820] - @FedeDP
- update(cmake): bumped libs to 0.13.0-rc2 and driver to 6.0.1+driver [#2806] - @FedeDP
- update!: default substitution for `%container.info` is now equal `container_id=%container.id container_name=%container.name` [#2793] - @leogr
- update!: the --list-syscall-events flag is now called --list-events and lists all events [#2771] - @LucaGuerra
- update!: the Falco base image is now based on Debian 12 with gcc 11-12 [#2718] - @LucaGuerra
- update(docker): the Falco no-driver image is now based on Debian 12 [#2782] - @LucaGuerra
- feat(userspace)!: remove `-d` daemonize option [#2677] - @incertum
- build(deps): Bump submodules/falcosecurity-rules from 3f52480 to 0d0e333 [#2693] - @dependabot[bot]
- build(deps): Bump submodules/falcosecurity-rules from 3f52480 to b42893a [#2756] - @dependabot[bot]
- build(deps): Bump submodules/falcosecurity-rules from b42893a to 6ed73fe [#2780] - @dependabot[bot]
- update(cmake): bumped libs to 0.13.0-rc1 and driver to 6.0.0+driver. [#2783] - @FedeDP
- feat: support parsing of system environment variables in yaml [#2562] - @therealdwright
- feat(userspace)!: deprecate stats command args option in favor of metrics configs in falco.yaml [#2739] - @incertum
- update: upgrade `falcoctl` to version 0.6.0 [#2764] - @leogr
- cleanup: deprecate rate limiter mechanism [#2762] - @Andreagit97
- cleanup(config): add more info [#2758] - @incertum
- update(userspace/engine): improve skip-if-unknown-filter YAML field [#2749] - @jasondellaluce
- chore: improved HTTP output performance [#2602] - @FedeDP
- update!: HTTP output will no more echo to stdout by default [#2602] - @FedeDP
- chore: remove b64 from falco dependencies [#2746] - @Andreagit97
- update(cmake): support building libs and driver from forks [#2747] - @jasondellaluce
- update: `-p` presets have been updated to reflect the new rules style guide [#2737] - @leogr
- feat: Allow specifying explicit kernel release and version for falco-driver-loader [#2728] - @johananl
- cleanup(config): assign Stable to `base_syscalls` config [#2740] - @incertum
- update: support build for wasm [#2663] - @Rohith-Raju
- docs(config.yaml): fix wrong severity levels for sinsp logger [#2736] - @Andreagit97
- update(cmake): bump libs and driver to 0.12.0 [#2721] - @jasondellaluce
Bug Fixes
- fix(outputs): expose queue_capacity_outputs config for memory control [#2711] - @incertum
- fix(userspace/falco): cleanup metrics timer upon leaving. [#2759] - @FedeDP
- fix: restore Falco MINIMAL_BUILD and deprecate `userspace` option [#2761] - @Andreagit97
- fix(userspace/engine): support appending to unknown sources [#2753] - @jasondellaluce
Non user-facing changes
- build(deps): Bump submodules/falcosecurity-rules from `69c9be8` to `77ba57a` [#2833] - @dependabot[bot]
- chore: bump submodule testing to 62edc65 [#2831] - @Andreagit97
- update(gha): add version for rn2md [#2830] - @LucaGuerra
- chore: automatically attach release author to release body. [#2828] - @FedeDP
- new(ci): autogenerate release body. [#2812] - @FedeDP
- fix(dockerfile): remove useless CMD [#2824] - @Andreagit97
- chore: bump to the latest libs [#2822] - @Andreagit97
- update: add SPDX license identifier [#2809] - @leogr
- chore: bump to latest libs [#2815] - @Andreagit97
- build(deps): Bump submodules/falcosecurity-rules from `ee5fb38` to `bea364e` [#2814] - @dependabot[bot]
- fix(build): set the right bucket and version for driver legacy [#2800] - @LucaGuerra
- build(deps): Bump submodules/falcosecurity-rules from `43580b4` to `ee5fb38` [#2810] - @dependabot[bot]
- cleanup(userspace): thrown exceptions and avoid multiple logs [#2803] - @Andreagit97
- build(deps): Bump submodules/falcosecurity-rules from `c6e01fa` to `43580b4` [#2801] - @dependabot[bot]
- build(deps): Bump submodules/falcosecurity-testing from `76d1743` to `30c3643` [#2802] - @dependabot[bot]
- fix(userspace/falco): clearing full output queue [#2798] - @jasondellaluce
- update(docs): add driver-loader-legacy to readme and fix bad c&p [#2799] - @LucaGuerra
- build(deps): Bump submodules/falcosecurity-rules from `d31dbc2` to `c6e01fa` [#2797] - @dependabot[bot]
- docs: add LICENSE file [#2796] - @leogr
- build(deps): Bump submodules/falcosecurity-rules from `b6372d2` to `d31dbc2` [#2794] - @dependabot[bot]
- fix(stats): always initialize m_output field [#2789] - @Andreagit97
- build(deps): Bump submodules/falcosecurity-rules from `6ed73fe` to `b6372d2` [#2786] - @dependabot[bot]
- update(cmake/modules): bump rules to falco-rules-2.0.0-rc1 [#2775] - @leogr
- update(OWNERS): add LucaGuerra to owners [#2650] - @LucaGuerra
- build(deps): Bump submodules/falcosecurity-rules from `9126bef` to `0328c59` [#2709] - @dependabot[bot]
- build(deps): Bump submodules/falcosecurity-rules from `0d0e333` to `64ce419` [#2731] - @dependabot[bot]
- build(deps): Bump submodules/falcosecurity-rules from `3ceea88` to `40a9817` [#2745] - @dependabot[bot]
- docs(README.md): correct URL [#2772] - @vjjmiras
- #2393 Document why Falco is written in C++ rather than anything else [#2410] - @RichardoC
- chore: bump Falco to latest libs [#2769] - @Andreagit97
- ci: disable falco-driver-loader tests on ARM64 [#2770] - @Andreagit97
- update(userspace/falco): revised CLI help messages [#2755] - @leogr
- fix(engine): fix reorder warning for m_watch_config_files / m_rule_matching [#2767] - @LucaGuerra
- update: introduce new stats updated to the latest libs version [#2766] - @Andreagit97
- ci: support tests on amazon-linux [#2765] - @Andreagit97
- chore: bump Falco to latest libs master [#2754] - @Andreagit97
- build(deps): Bump submodules/falcosecurity-testing from `b39c807` to `9110022` [#2760] - @dependabot[bot]
- fix: fix "ebpf_enabled" output stat [#2751] - @Andreagit97
- fix(userspace/engine): support both old and new gcc + std::move [#2748] - @jasondellaluce
- cleanup: turn some warnings into errors [#2744] - @Andreagit97
- update(ci): minimize retention days for build-only CI artifacts [#2743] - @jasondellaluce
- cleanup: remove unused `--pidfile` option from systemd units [#2742] - @Andreagit97
- build(deps): Bump submodules/falcosecurity-rules from `bf1639a` to `3ceea88` [#2741] - @dependabot[bot]
- build(deps): Bump submodules/falcosecurity-rules from `64ce419` to `bf1639a` [#2738] - @dependabot[bot]
- Relocate tools on Flatcar in BPF mode [#2729] - @johananl
- build: update versioning with cmake [#2727] - @leogr
- update(userspace/engine): make rule_matching strategy stateless [#2726] - @loresuso
- chore: bump Falco to latest libs version [#2722] - @Andreagit97
Statistics
MERGED PRS | NUMBER |
---|---|
Not user-facing | 48 |
Release note | 38 |
Total | 86 |