0.31.1

Packages	Download
rpm
deb
tgz

Images
docker pull docker.io/falcosecurity/falco:0.31.1
docker pull public.ecr.aws/falcosecurity/falco:0.31.1
docker pull docker.io/falcosecurity/falco-driver-loader:0.31.1
docker pull docker.io/falcosecurity/falco-no-driver:0.31.1

Major Changes

• new: add a new drop category n_drops_scratch_map [#1916] - @Andreagit97
• new: allow to specify multiple --cri options [#1893] - @FedeDP

Minor Changes

• refactor(userspace/falco): replace direct getopt_long() cmdline option parsing with third-party cxxopts library. [#1886] - @mstemm
• update: driver version is b7eb0dd [#1923] - @LucaGuerra

Bug Fixes

• fix(userspace/falco): correct plugins init config conversion from YAML to JSON [#1907] - @jasondellaluce
• fix(userspace/engine): for rules at the informational level being loaded at the notice level [#1885] - @mike-stewart
• chore(userspace/falco): fixes truncated -b option description. [#1915] - @andreabonanno
• update(falco): updates usage description for -o, --option [#1903] - @andreabonanno

Rule Changes

• rule(Detect outbound connections to common miner pool ports): fix url in rule output [#1918] - @jsoref
• rule(macro somebody_becoming_themself): renaming macro to somebody_becoming_themselves [#1918] - @jsoref
• rule(list package_mgmt_binaries): npm added [#1866] - @rileydakota
• rule(Launch Package Management Process in Container): support for detecting npm usage [#1866] - @rileydakota
• rule(Polkit Local Privilege Escalation Vulnerability): new rule created to detect CVE-2021-4034 [#1877] - @darryk10
• rule(macro: modify_shell_history): avoid false-positive alerts triggered by modifications to .zsh_history.new and .zsh_history.LOCK files [#1832] - @m4wh6k
• rule(macro: truncate_shell_history): avoid false-positive alerts triggered by modifications to .zsh_history.new and .zsh_history.LOCK files [#1832] - @m4wh6k
• rule(macro sssd_writing_krb): fixed a false-positive alert that was being generated when SSSD updates /etc/krb5.keytab [#1825] - @mac-chaffee
• rule(macro write_etc_common): fixed a false-positive alert that was being generated when SSSD updates /etc/krb5.keytab [#1825] - @mac-chaffee
• upgrade macro(keepalived_writing_conf) [#1742] - @pabloopez
• rule_output(Delete Bucket Public Access Block) typo [#1888] - @pabloopez

Non user-facing changes

• fix(build): fix civetweb linking in cmake module [#1919] - @LucaGuerra
• chore(userspace/engine): remove unused lua functions and state vars [#1908] - @jasondellaluce
• fix(userspace/falco): applies FALCO_INSTALL_CONF_FILE as the default … [#1900] - @andreabonanno
• fix(scripts): correct typo in falco-driver-loader help message [#1899] - @leogr
• update(build)!: replaced various PROBE with DRIVER where necessary. [#1887] - @FedeDP
• Add Fairwinds to the adopters list [#1917] - @sudermanjr
• build(cmake): several cmake changes to speed up/simplify builds for external projects and copying files from source-to-build directories [#1905] - @mstemm

Statistics

Merged PRs	Number
Not user-facing	11
Release note	13
Total	24

Release Manager @LucaGuerra