Version 0.30.0

| Packages | Download |
|---|---|
| rpm | |
| deb | |
| tgz | |

| Images |
|---|
| `docker pull docker.io/falcosecurity/falco:0.30.0` |
| `docker pull public.ecr.aws/falcosecurity/falco:0.30.0` |
| `docker pull docker.io/falcosecurity/falco-driver-loader:0.30.0` |
| `docker pull docker.io/falcosecurity/falco-no-driver:0.30.0` |

`--k8s-node` command-line option, which allows filtering by node when requesting pod metadata from the K8s API server [#1671] - @leogr
`gcc` versions in the falco-driver-loader script [#1716] - @Spartan-65
`ncurses` dependency [#1658] - @leogr
`debian:buster` [#1719] - @michalschott

| Merged PRs | Number |
|---|---|
| Not user-facing | 10 |
| Release note | 9 |
| Total | 19 |
Version 0.29.1

| Packages | Download |
|---|---|
| rpm | |
| deb | |
| tgz | |

| Images |
|---|
| `docker pull docker.io/falcosecurity/falco:0.29.1` |
| `docker pull public.ecr.aws/falcosecurity/falco:0.29.1` |
| `docker pull docker.io/falcosecurity/falco-driver-loader:0.29.1` |
| `docker pull docker.io/falcosecurity/falco-no-driver:0.29.1` |

| Merged PRs | Number |
|---|---|
| Not user-facing | 2 |
| Release note | 1 |
| Total | 3 |
Version 0.29.0

| Packages | Download |
|---|---|
| rpm | |
| deb | |
| tgz | |

| Images |
|---|
| `docker pull docker.io/falcosecurity/falco:0.29.0` |
| `docker pull public.ecr.aws/falcosecurity/falco:0.29.0` |
| `docker pull docker.io/falcosecurity/falco-driver-loader:0.29.0` |
| `docker pull docker.io/falcosecurity/falco-no-driver:0.29.0` |

| Merged PRs | Number |
|---|---|
| Not user-facing | 11 |
| Release note | 7 |
| Total | 18 |
Release Manager @maxgio92
Version 0.28.1

| Packages | Download |
|---|---|
| rpm | |
| deb | |
| tgz | |

| Images |
|---|
| `docker pull docker.io/falcosecurity/falco:0.28.1` |
| `docker pull public.ecr.aws/falcosecurity/falco:0.28.1` |
| `docker pull docker.io/falcosecurity/falco-driver-loader:0.28.1` |
| `docker pull docker.io/falcosecurity/falco-no-driver:0.28.1` |

`--support` output now includes info about the Falco engine version [#1581] - @mstemm
`syscall_event_timeouts.max_consecutive` to configure after how many consecutive timeouts without an event Falco must alert [#1622] - @leodido
(`falco_privileged_images`): remove Falco's deprecated OCI image repositories [#1634] - @maxgio92
(`falco_sensitive_mount_images`): remove Falco's deprecated OCI image repositories [#1634] - @maxgio92
(`k8s_containers`): remove Falco's deprecated OCI image repositories [#1634] - @maxgio92

| Merged PRs | Number |
|---|---|
| Not user-facing | 7 |
| Release note | 7 |
| Total | 14 |
Release Manager @cpanato
Version 0.28.0

| Packages | Download |
|---|---|
| rpm | |
| deb | |
| tgz | |

| Images |
|---|
| `docker pull docker.io/falcosecurity/falco:0.28.0` |
| `docker pull public.ecr.aws/falcosecurity/falco:0.28.0` |
| `docker pull docker.io/falcosecurity/falco-driver-loader:0.28.0` |
| `docker pull docker.io/falcosecurity/falco-no-driver:0.28.0` |

`syscall_event_drops.threshold` to tune the drop noisiness [#1586] - @leodido
`syscall_event_drops.max_burst` default value to 1 [#1586] - @leodido
(`syscall_event_drops` config) [#1586] - @leodido
`eks:node-manager` [#1536] - @ismailyenigul

| Merged PRs | Number |
|---|---|
| Not user-facing | 17 |
| Release note | 24 |
| Total | 41 |
Version 0.27.0
Released on 2021-01-18

| Packages | Download |
|---|---|
| rpm | |
| deb | |
| tgz | |

| Images |
|---|
| `docker pull docker.io/falcosecurity/falco:0.27.0` |
| `docker pull public.ecr.aws/falcosecurity/falco:0.27.0` |
| `docker pull docker.io/falcosecurity/falco-driver-loader:0.27.0` |
| `docker pull docker.io/falcosecurity/falco-no-driver:0.27.0` |

`output_timeout` config option for slow outputs detection [#1451] - @leogr
`spawned_process` macro inside `container_started` macro [#1449] - @leodido
`HOST_ROOT=/host` environment variable for the `falcosecurity/falco-no-driver` container image by default [#1492] - @leogr
`insmod` from a container (typically used by rootkits looking to obfuscate their behavior via kernel hooking). [#1478] - @d1vious

| Merged PRs | Number |
|---|---|
| Not user-facing | 10 |
| Release note | 30 |
| Total | 40 |
Version 0.26.2
Released on 2020-10-01

| Packages | Download |
|---|---|
| rpm | |
| deb | |
| tgz | |

| Images |
|---|
| `docker pull docker.io/falcosecurity/falco:0.26.2` |
| `docker pull docker.io/falcosecurity/falco-driver-loader:0.26.2` |
| `docker pull docker.io/falcosecurity/falco-no-driver:0.26.2` |
Version 0.26.1
Released on 2020-10-01

| Packages | Download |
|---|---|
| rpm | |
| deb | |
| tgz | |

| Images |
|---|
| `docker pull docker.io/falcosecurity/falco:0.26.1` |
| `docker pull docker.io/falcosecurity/falco-driver-loader:0.26.1` |
| `docker pull docker.io/falcosecurity/falco-no-driver:0.26.1` |

| Merged PRs | Number |
|---|---|
| Not user-facing | 4 |
| Release note | 2 |
| Total | 6 |
Version 0.26.0
Released on 2020-24-09

| Official Stable Download 0.26.0 | |
|---|---|
| rpm | |
| deb | |
| binary | |
This file documents all notable changes to Falco. The release numbering uses semantic versioning.
| Merged PRs | Number |
|---|---|
| Not user-facing | 5 |
| Release note | 13 |
| Total | 18 |
Version 0.25.0
Released on 2020-08-25

`sysdig/node-image-analyzer` and `sysdig/agent-slim` [#1321] - @Kaizhe
`docker.io/falcosecurity/falco` [#1326] - @nvanheuverzwijn
`renameat2` syscall [#1359] - @leogr

| Merged PRs | Number |
|---|---|
| Not user-facing | 5 |
| Release note | 15 |
| Total | 20 |
Version 0.24.0
Released on 2020-16-07

`falco.outputs.service/get` [#1241]
`falco.outputs.service/sub`) [#1241]
`SKIP_MODULE_LOAD` renamed to `SKIP_DRIVER_LOADER` [#1297]
`webserver.k8s_audit_endpoint` default value changed from `/k8s_audit` to `/k8s-audit` [#1261]
`buffered_output: false`, which was not honored for the `stdout` output [#1296]
`protokube`, `dockerd`, `tini` and `aws` binaries to change thread namespace. [#1222]
`/var/run/docker`. [#1222]
`/root` dir and not other directories that merely have `/root` as a prefix [#1279]
`bin_dir_mkdir` to catch the `mkdirat` syscall [#1250]
`bin_dir_rename` to catch the `rename`, `renameat`, and `unlinkat` syscalls [#1250]
`openat` syscall [#1250]

| Merged PRs | Number |
|---|---|
| Not user-facing | 9 |
| Release note | 29 |
| Total | 38 |
Version 0.23.0
Released on 2020-18-05

`falco-probe.o` and `falco-probe.ko` as `falco.o` and `falco.ko` [#1158]
`falco-driver-loader` script environment variable to use a custom repository to download drivers now uses the `DRIVERS_REPO` environment variable instead of `DRIVER_LOOKUP_URL`. This variable must contain the parent URI containing the following directory structure `/$driver_version$/falco_$target$_$kernelrelease$_$kernelversion$.[ko|o]`. e.g: [#1160]
`falco-driver-loader` [#1200]
`falco-driver-loader` with the toolchain [#1192]
`falcosecurity/falco-no-driver` image [#1205]
`falco-driver-loader` output messages [#1200]
`falcosecurity/falco:slim-*` alias to `falcosecurity/falco-no-driver:*` [#1205]
`/examples` to contrib repo [#1191]
`minimal` image [#1196]
`/integrations` to contrib repo [#1157]

| Merged PRs | Number |
|---|---|
| Not user-facing | 17 |
| Release note | 18 |
| Total | 35 |
Version 0.22.1
Released on 2020-17-04

Version 0.22.0
Released on 2020-16-04

`--disable-cri-async` [#1099]
`README.md` [#1098]
`/usr/bin/falco-${DRIVER_VERSION}` driver directory [#1111]

| Merged PRs | Number |
|---|---|
| Not user-facing | 4 |
| Release note | 17 |
| Total | 21 |
Version 0.21.0
Released on 2020-03-17

`stable` and `local` images to run from `debian:stable` [#1018]
`latest`. [#1091]
`+` [#1059]

| Merged PRs | Number |
|---|---|
| Not user-facing | 7 |
| Release note | 12 |
| Total | 19 |
Version 0.20.0
Released on 2020-02-24

| Merged PRs | Number |
|---|---|
| Not user-facing | 5 |
| Release note | 4 |
| Total | 9 |
Version 0.19.0
Released on 2020-01-23

error handling inspector event [#746]
`kube-system` namespace to avoid false positives [#962]
`kube-system` namespace to avoid false positives [#955]

| Merged PRs | Number |
|---|---|
| Not user-facing | 12 |
| Release note | 32 |
| Total | 44 |
Version 0.18.0
Released 2019-10-31

`syscall` event source or `k8s_audit` event source [#779]
`calico_node_write_envvars` to exception list of write below etc [#902]
`kops`. [#898]

Version 0.17.1
Released 2019-09-26

Version 0.17.0
Released 2019-07-31
When enabling rules within the falco engine, use rule substrings instead of regexes. [#743]
Additional improvements to the handling and display of rules validation errors [#744] [#747]
Fix a problem that would prevent container metadata lookups when falco was daemonized [#731]
Allow rule priorities to be expressed as lowercase and a mix of lower/uppercase [#737]
Version 0.16.0
Released 2019-07-16
Clean up error reporting to provide more meaningful error messages along with context when loading rules files. When run with -V, the results of the validation ("OK" or error message) are sent to standard output. [#708]
Improve rule loading performance by optimizing lua parsing paths to avoid expensive pattern matches. [#694]
Bump falco engine version to 4 to reflect new fields `ka.useragent`, others. [#710] [#681]
Add Catch2 as a unit testing framework. This will add additional coverage on top of the regression tests using Avocado. [#687]
Add SYSDIG_DIR Cmake option to specify location for sysdig source code when building falco. [#677] [#679] [#702]
New field `ka.useragent` reports the useragent from k8s audit events. [#709]
Add clang formatter for C++ syntax formatting. [#701] [#689]
Partial changes towards lua syntax formatting. No particular formatting enforced yet, though. [#718]
Partial changes towards yaml syntax formatting. No particular formatting enforced yet, though. [#714]
Add cmake syntax formatting. [#703]
Token bucket unit tests and redesign. [#692]
Update github PR template. [#699]
Fix PR template for kind/rule-*. [#697]
Remove an unused cmake file. [#700]
Misc Cmake cleanups. [#673]
Misc k8s install docs improvements. [#671]
Allow k8s.gcr.io/kube-proxy image to run privileged. [#717]
Add runc to the list of possible container entrypoint parents. [#712]
Skip Source RFC 1918 addresses when considering outbound connections. [#685]
Add additional `user_XXX` placeholder macros to allow for easy customization of rule exceptions. [#685]
Let weaveworks programs change namespaces. [#685]
Add additional openshift images. [#685]
Add openshift as a k8s binary. [#678]
Add dzdo as a binary that can change users. [#678]
Allow azure/calico binaries to change namespaces. [#678]
Add back trusted_containers list for backport compatibility [#675]
Add mkdirat as a syscall for mkdir operations. [#667]
Add container id/repository to rules that can work with containers. [#667]
Version 0.15.3
Released 2019-06-12
Version 0.15.2
Released 2019-06-12
`Create Privileged Pod`, `Create Sensitive Mount Pod`, `Launch Sensitive Mount Container`, `Launch Privileged Container` rules to use separate specific lists rather than a single "Trusted Containers" list. [#651]

Version 0.15.1
Released 2019-06-07
Add instructions for k8s audit support in >= 1.13 [#608]
Fix security issues reported by GitHub on Anchore integration [#592]
Several docs/readme improvements [#620] [#616] [#631] [#639] [#642]
Better tracking of rule counts per ruleset [#645]
Handle rule patterns that are invalid regexes [#636]
Fix kernel module builds on newer kernels [#646] [#sysdig/1413]
New rule `Launch Remote File Copy Tools in Container` could be used to identify exfiltration attacks [#600]
New rule `Create Symlink Over Sensitive Files` can help detect attacks like [CVE-2018-15664] [#613] [#637]
Let etcd-manager write to /etc/hosts. [#613]
Let additional processes spawned by google-accounts-daemon access sensitive files [#593]
Add Sematext Monitoring & Logging agents to trusted k8s containers [#594]
Add additional coverage for `Netcat Remote Code Execution in Container` rule. [#617]
Fix `egrep` typo. [#617]
Allow Ansible to run using Python 3 [#625]
Additional `Write below etc` exceptions for nginx, rancher [#637] [#648] [#652]
Add rules for running with IBM Cloud Kubernetes Service [#634]
Version 0.15.0
Released 2019-05-13
Actions and alerts for dropped events: Falco can now take actions, including sending alerts/logging messages, and/or even exiting Falco, when it detects dropped system call events. [#561] [#571]
Support for Containerd/CRI-O: Falco now supports containerd/cri-o containers. [#585] [#591] [#599] [#sysdig/1376] [#sysdig/1310]
Perform docker metadata fetches asynchronously: When new containers are discovered, fetch metadata about the container asynchronously, which should significantly reduce the likelihood of dropped system call events. [#sysdig/1326] [#550] [#570]
Better syscall event performance: improve algorithm for reading system call events from kernel module to handle busy event streams [#sysdig/1372]
HTTP Output: Falco can now send alerts to http endpoints directly without having to use curl. [#523]
Move Kubernetes Response Engine to own repo: The Kubernetes Response Engine is now in its own github repository. [#539]
Updated Puppet Module: An all-new puppet module compatible with puppet 4 with a smoother installation process and updated package links. [#537] [#543] [#546]
RHEL-based falco image: Provide dockerfiles that use RHEL 7 as the base image instead of debian:unstable. [#544]
ISO-8601 Timestamps: Add the ability to write timestamps in ISO-8601 w/ UTC, and use this format by default when running falco in a container [#518]
Docker-based builder/tester: You can now build Falco using the falco-builder docker image, and run regression tests using the falco-tester docker image. [#522] [#584]
Several small docs changes to improve clarity and readability [#524] [#540] [#541] [#542]
Add instructions on how to enable K8s Audit Logging for kops [#535]
Add a "stale issue" bot that marks and eventually closes old issues with no activity [#548]
Improvements to sample K8s daemonset/service/etc files [#562]
Tag rules using Mitre Attack Framework: Add tags for all relevant rules linking them to the MITRE Attack Framework. We have an associated blog post. [#575] [#578]
New rules for additional use cases: New rules `Schedule Cron Jobs`, `Update Package Repository`, `Remove Bulk Data from Disk`, `Set Setuid or Setgid bit`, `Detect bash history deletion`, `Create Hidden Files or Directories` look for additional common follow-on activity you might see from an attacker. [#578] [#580]
Allow docker's "exe" (usually part of docker save/load) to write to many filesystem locations [#552]
Let puppet write below /etc [#563]
Add new `user_known_write_root_conditions`, `user_known_non_sudo_setuid_conditions`, and `user_known_write_monitored_dir_conditions` macros to allow those rules to be easily customized in user rules files [#563] [#566]
Better coverage and exceptions for rancher [#559]
Allow prometheus to write to its conf directory under etc [#564]
Better coverage and exceptions for openshift/related tools [#567] [#573]
Better coverage for cassandra/kubelet/kops to reduce FPs [#551]
Better coverage for docker, openscap to reduce FPs [#573]
Better coverage for fluentd/jboss to reduce FPs [#590]
Add `ash` (Alpine Linux-related shell) as a shell binary [#597]
Version 0.14.0
Released 2019-02-06
Rules versioning support: The falco engine and executable now have an engine version that represents the fields they support. Similarly, rules files have an optional required_engine_version: NNN object that names the minimum engine version required to read that rules file. Any time the engine adds new fields, event sources, etc, the engine version will be incremented, and any time a rules file starts using new fields, event sources, etc, the required engine version will be incremented. [#492]
Allow SSL for K8s audit endpoint/embedded webserver [#471]
Add stale issues bot that automatically flags old github issues as stale after 60 days of inactivity and closes issues after 67 days of inactivity. [#500]
Support bundle: When run with `--support`, falco will print a json object containing necessary information like falco version, command line, operating system information, and falco rules files contents. This could be useful when reporting issues. [#517]
Support new third-party library dependencies from open source sysdig. [#498]
Add CII best practices badge. [#499]
Fix kernel module builds when running on centos as a container by installing gcc 5 by hand instead of directly from debian/unstable. [#501]
Mount `/etc` when running as a container, which allows the container to build the kernel module/ebpf program on COS/Minikube. [#475]
Improved way to specify the source of generic event objects [#480]
Readability/clarity improvements to K8s Audit/K8s Daemonset READMEs. [#503]
Add additional RBAC permissions to track deployments/daemonsets/replicasets. [#514]
Version 0.13.1
Released 2019-01-16
Unbuffer outputs by default. This helps make output readable when used in environments like K8s. [#494]
Improved documentation for running Falco within K8s and getting K8s Audit Logging to work with Minikube and Falco as a Daemonset within K8s. [#496]
Fix AWS Permissions for Kubernetes Response Engine [#465]
Tighten compilation flags to include `-Wextra` and `-Werror` [#479]
Add `k8s.ns.name` to outputs when `-pk` argument is used [#472]
Remove kubernetes-response-engine from system:masters [#488]
Ensure `-pc`/`-pk` only apply to syscall rules and not k8s_audit rules [#495]
Fix a potential crash that could occur when using the falco engine and rulesets [#468]
Fix a regression where format output options were mistakenly removed [#485]
Fix FPs related to calico and writing files below etc [#481]
Fix FPs related to `apt-config`/`apt-cache`, `apk` [#490]
New rules `Launch Package Management Process in Container`, `Netcat Remote Code Execution in Container`, `Launch Suspicious Network Tool in Container` look for host-level network tools like `netcat`, package management tools like `apt-get`, or network tool binaries being run in a container. [#490]
Fix the `inbound` and `outbound` macros so they work with sendto/recvfrom/sendmsg/recvmsg. [#470]
Fix FPs related to prometheus/openshift writing config below /etc. [#470]
Version 0.13.0
Released 2018-11-09
Support for K8s Audit Events: Falco now supports K8s Audit Events as a second stream of events in addition to syscalls. For full details on the feature, see the wiki.
Transparent Config/Rule Reloading: On SIGHUP, Falco will now reload all config files/rules files and start processing new events. This allows rules changes without having to restart falco [#457] [#432]
The reference integration of falco into an action engine now supports aws actions like lambda, etc. [#460]
Add netcat to falco docker images, which allows easier integration of program outputs to external servers [#456] [#433]
Links cleanup related to the draios/falco -> falcosecurity/falco move [#447]
Properly load/unload kernel module when the falco service is started/stopped [#459] [#418]
Better coverage (e.g. reduced FPs) for critical stack, hids systems, ufw, cloud-init, etc. [#445]
New rules `Launch Package Management Process in Container`, `Netcat Remote Code Execution in Container`, and `Launch Suspicious Network Tool in Container` look for running various suspicious programs in a container. [#461]
Misc changes to address false positives in GKE, Istio, etc. [#455] [#439]
Version 0.12.0
Released 2018-09-11
Improved IPv6 Support to fully support use of IPv6 addresses in events, connections and filters [#sysdig/1204]
Ability to associate connections with dns names: new filterchecks `fd.*ip.name` allow looking up the DNS name for a connection's IP address. This can be used to identify or restrict connections by dns names e.g. `evt.type=connect and fd.sip.name=github.com`. [#412] [#sysdig/1213]
New filterchecks `user.loginuid` and `user.loginname` can be used to match the login uid, which stays consistent across sudo/su. This can be used to find the actual user running a given process [#sysdig/1189]
`endswith` operator can be used for suffix matching on strings [#sysdig/1209]
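As an added example (not from the Falco project or this changelog), a small rules file that exercises the 0.12.0 additions described above (`fd.sip.name`, `user.loginuid`/`user.loginname`, the `endswith` operator) together with the `required_engine_version` marker introduced in 0.14.0; the rule names, the simplified `outbound_connect` macro, the `.internal.example` suffix and the output format strings are assumptions:

```yaml
# Added example rules file; rule names, macro and suffix are constructed for illustration.
# required_engine_version (0.14.0): a falco whose engine version is below 4
# refuses to load this file instead of silently ignoring the fields used below.
- required_engine_version: 4

# Simplified outbound-connection macro (assumption; the upstream macro is wider).
# evt.dir=< selects the exit event, so the result of connect() is known.
- macro: outbound_connect
  condition: evt.type=connect and evt.dir=< and (fd.typechar=4 or fd.typechar=6)

# fd.sip.name (0.12.0) matches on the DNS name the server IP resolved to,
# so the rule does not need to track the address set behind github.com.
- rule: Outbound Connection to GitHub
  desc: Process opened a connection whose server IP resolves to github.com
  condition: outbound_connect and fd.sip.name=github.com
  output: >
    Outbound connection to github.com
    (user=%user.name loginuid=%user.loginuid loginname=%user.loginname
    command=%proc.cmdline connection=%fd.name container=%container.id)
  priority: NOTICE
  tags: [network]

# endswith (0.12.0) does suffix matching on both the process name and the
# resolved server name; user.loginuid/user.loginname (0.12.0) in the output
# survive sudo/su, so the alert names the user who actually logged in.
- rule: Shell Connected Outside Internal DNS
  desc: A shell binary (name ending in sh) connected to a host outside the internal DNS suffix
  condition: >
    outbound_connect and proc.name endswith sh
    and not fd.sip.name endswith .internal.example
  output: >
    Shell made external connection
    (shell=%proc.name loginuid=%user.loginuid loginname=%user.loginname
    connection=%fd.name container=%container.id)
  priority: WARNING
  tags: [network, shell]
```

Validate the file before deploying it with `falco -V <rules file>` (the validation mode described under 0.16.0), which reports "OK" or the load error on standard output.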