Releases: falcosecurity/falco
0.31.1
Packages | Download |
---|---|
rpm | |
deb | |
tgz |
Images |
---|
docker pull docker.io/falcosecurity/falco:0.31.1 |
docker pull public.ecr.aws/falcosecurity/falco:0.31.1 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.31.1 |
docker pull docker.io/falcosecurity/falco-no-driver:0.31.1 |
Major Changes
- new: add a new drop category `n_drops_scratch_map` [#1916] - @Andreagit97
- new: allow to specify multiple --cri options [#1893] - @FedeDP
Minor Changes
- refactor(userspace/falco): replace direct getopt_long() cmdline option parsing with third-party cxxopts library. [#1886] - @mstemm
- update: driver version is b7eb0dd [#1923] - @LucaGuerra
Bug Fixes
- fix(userspace/falco): correct plugins init config conversion from YAML to JSON [#1907] - @jasondellaluce
- fix(userspace/engine): for rules at the informational level being loaded at the notice level [#1885] - @mike-stewart
- chore(userspace/falco): fixes truncated -b option description. [#1915] - @andreabonanno
- update(falco): updates usage description for -o, --option [#1903] - @andreabonanno
Rule Changes
- rule(Detect outbound connections to common miner pool ports): fix url in rule output [#1918] - @jsoref
- rule(macro somebody_becoming_themself): renaming macro to somebody_becoming_themselves [#1918] - @jsoref
- rule(list package_mgmt_binaries): `npm` added [#1866] - @rileydakota
- rule(Launch Package Management Process in Container): support for detecting `npm` usage [#1866] - @rileydakota
- rule(Polkit Local Privilege Escalation Vulnerability): new rule created to detect CVE-2021-4034 [#1877] - @darryk10
- rule(macro: modify_shell_history): avoid false-positive alerts triggered by modifications to .zsh_history.new and .zsh_history.LOCK files [#1832] - @m4wh6k
- rule(macro: truncate_shell_history): avoid false-positive alerts triggered by modifications to .zsh_history.new and .zsh_history.LOCK files [#1832] - @m4wh6k
- rule(macro sssd_writing_krb): fixed a false-positive alert that was being generated when SSSD updates /etc/krb5.keytab [#1825] - @mac-chaffee
- rule(macro write_etc_common): fixed a false-positive alert that was being generated when SSSD updates /etc/krb5.keytab [#1825] - @mac-chaffee
- upgrade macro(keepalived_writing_conf) [#1742] - @pabloopez
- rule_output(Delete Bucket Public Access Block) typo [#1888] - @pabloopez
Non user-facing changes
- fix(build): fix civetweb linking in cmake module [#1919] - @LucaGuerra
- chore(userspace/engine): remove unused lua functions and state vars [#1908] - @jasondellaluce
- fix(userspace/falco): applies FALCO_INSTALL_CONF_FILE as the default … [#1900] - @andreabonanno
- fix(scripts): correct typo in `falco-driver-loader` help message [#1899] - @leogr
- update(build)!: replaced various `PROBE` with `DRIVER` where necessary. [#1887] - @FedeDP
- Add Fairwinds to the adopters list [#1917] - @sudermanjr
- build(cmake): several cmake changes to speed up/simplify builds for external projects and copying files from source-to-build directories [#1905] - @mstemm
Statistics
Merged PRs | Number |
---|---|
Not user-facing | 11 |
Release note | 13 |
Total | 24 |
Release Manager @LucaGuerra
0.31.0
Packages | Download |
---|---|
rpm | |
deb | |
tgz |
Images |
---|
docker pull docker.io/falcosecurity/falco:0.31.0 |
docker pull public.ecr.aws/falcosecurity/falco:0.31.0 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.31.0 |
docker pull docker.io/falcosecurity/falco-no-driver:0.31.0 |
Major Changes
- new: add support for plugins to extend Falco functionality to new event sources and custom fields [#1753] - @mstemm
- new: add ability to set User-Agent http header when sending http output. Provide default value of 'falcosecurit/falco'. [#1850] - @yoshi314
- new(configuration): support defining plugin init config as a YAML [#1852] - @jasondellaluce
Minor Changes
- rules: add the official Falco ECR repository to rules [#1817] - @calvinbui
- build: update CircleCI machine image for eBPF tests to a newer version of ubuntu [#1764] - @mstemm
- update(engine): refactor Falco engine to be agnostic to specific event sources [#1715] - @mstemm
- build: upgrade civetweb to v1.15 [#1782] - @FedeDP
- update: driver version is 319368f1ad778691164d33d59945e00c5752cd27 now [#1861] - @FedeDP
- build: allow using local libs source dir by setting `FALCOSECURITY_LIBS_SOURCE_DIR` in cmake [#1791] - @jasondellaluce
- build: the statically linked binary package is now published with the `-static` suffix [#1873] - @LucaGuerra
- update!: removed "--alternate-lua-dir" cmdline option as lua scripts are now embedded in Falco executable. [#1872] - @FedeDP
- build: switch to dynamic build for the binary package (`.tar.gz`) [#1853] - @LucaGuerra
- update: simpleconsumer filtering is now being done at kernel level [#1846] - @FedeDP
- update(scripts/falco-driver-loader): first try to load the latest kmod version, then fallback to an already installed if any [#1863] - @leogr
- refactor: clean up --list output with better formatting and no duplicate sections across event sources. [#1816] - @mstemm
- update: embed .lua files used to load/compile rules into the main falco executable, for simplicity and to avoid tampering. [#1843] - @mstemm
- update: support non-enumerable event sources in gRPC outputs service [#1840] - @jasondellaluce
- docs: add jasondellaluce to OWNERS [#1818] - @jasondellaluce
- chore: --list option can be used to selectively list fields related to new sources that are introduced by plugins [#1839] - @loresuso
- update(userspace/falco): support arbitrary-depth nested values in YAML configuration [#1792] - @jasondellaluce
- build: bump FakeIt version to 2.0.9 [#1797] - @jasondellaluce
- update: allow append of new exceptions to rules [#1780] - @sai-arigeli
- update: Linux packages are now signed with SHA256 [#1758] - @twa16
Bug Fixes
- fix(scripts/falco-driver-loader): fix for SELinux insmod denials [#1756] - @dwindsor
- fix(scripts/falco-driver-loader): correctly clean loaded drivers when using `--clean` [#1795] - @jasondellaluce
- fix(userspace/falco): in case output_file cannot be opened, throw a falco exception [#1773] - @FedeDP
- fix(userspace/engine): support jsonpointer escaping in rule parser [#1777] - @jasondellaluce
- fix(scripts/falco-driver-loader): support kernel object files in `.zst` and `.gz` compression formats [#1863] - @leogr
- fix(engine): correctly format json output in json_event [#1847] - @jasondellaluce
- fix: set http output contenttype to text/plain when json output is disabled [#1829] - @FedeDP
- fix(userspace/falco): accept 'Content-Type' header that contains "application/json", but it is not strictly equal to it [#1800] - @FedeDP
- fix(userspace/engine): supporting enabled-only overwritten rules [#1775] - @jasondellaluce
Rule Changes
- rule(Create Symlink Over Sensitive File): corrected typo in rule output [#1820] - @deepskyblue86
- rule(macro open_write): add support to openat2 [#1796] - @jasondellaluce
- rule(macro open_read): add support to openat2 [#1796] - @jasondellaluce
- rule(macro open_directory): add support to openat2 [#1796] - @jasondellaluce
- rule(Create files below dev): add support to openat2 [#1796] - @jasondellaluce
- rule(Container Drift Detected (open+create)): add support to openat2 [#1796] - @jasondellaluce
- rule(macro sensitive_mount): add containerd socket [#1815] - @loresuso
- rule(macro spawned_process): monitor also processes spawned by `execveat` [#1868] - @Andreagit97
- rule(Create Hardlink Over Sensitive Files): new rule to detect hard links created over sensitive files [#1810] - @sberkovich
- rule(Detect crypto miners using the Stratum protocol): add `stratum2+tcp` and `stratum+ssl` protocols detection [#1810] - @sberkovich
- rule(Sudo Potential Privilege Escalation): correct special case for the CVE-2021-3156 exploit [#1810] - @sberkovich
- rule(list falco_hostnetwork_images): moved to k8s_audit_rules.yaml to avoid a warning when using falco_rules.yaml only [#1681] - @leodido
- rule(list deb_binaries): remove `apt-config` [#1860] - @Andreagit97
- rule(Launch Remote File Copy Tools in Container): add additional binaries: curl and wget. [#1771] - [@ec4n6](https:...
0.30.0
Packages | Download |
---|---|
rpm | |
deb | |
tgz |
Images |
---|
docker pull docker.io/falcosecurity/falco:0.30.0 |
docker pull public.ecr.aws/falcosecurity/falco:0.30.0 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.30.0 |
docker pull docker.io/falcosecurity/falco-no-driver:0.30.0 |
Major Changes
- new: add `--k8s-node` command-line options, which allows filtering by a node when requesting metadata of pods to the K8s API server [#1671] - @leogr
- new(outputs): expose rule tags and event source in gRPC and json outputs [#1714] - @jasondellaluce
- new(userspace/falco): add customizable metadata fetching params [#1667] - @zuc
Minor Changes
- update: bump driver version to 3aa7a83bf7b9e6229a3824e3fd1f4452d1e95cb4 [#1744] - @zuc
- docs: clarify that previous Falco drivers will remain available at https://download.falco.org and no automated cleanup is run anymore [#1738] - @leodido
- update(outputs): add configuration option for tags in json outputs [#1733] - @jasondellaluce
Bug Fixes
- fix(scripts): correct standard output redirection in systemd config (DEB and RPM packages) [#1697] - @chirabino
- fix(scripts): correct lookup order when trying multiple `gcc` versions in the `falco-driver-loader` script [#1716] - @Spartan-65
Rule Changes
- rule(list miner_domains): add new miner domains [#1729] - @AlbertoPellitteri
- rule(list https_miner_domains): add new miner domains [#1729] - @AlbertoPellitteri
Non user-facing changes
- add Qonto as adopter [#1717] - @Issif
- docs(proposals): proposal for a libs plugin system [#1637] - @ldegio
- build: remove unused `ncurses` dependency [#1658] - @leogr
- build(.circleci): use new Debian 11 package names for python-pip [#1712] - @zuc
- build(docker): adding libssl-dev, upstream image reference pinned to `debian:buster` [#1719] - @michalschott
- fix(test): avoid output_strictly_contains failures [#1724] - @jasondellaluce
- Remove duplicate allowed ecr registry rule [#1725] - @TomKeyte
- docs(RELEASE.md): switch to 3 releases per year [#1711] - @leogr
Statistics
Merged PRs | Number |
---|---|
Not user-facing | 10 |
Release note | 9 |
Total | 19 |
Release Manager @araujof
0.29.1
Packages | Download |
---|---|
rpm | |
deb | |
tgz |
Images |
---|
docker pull docker.io/falcosecurity/falco:0.29.1 |
docker pull public.ecr.aws/falcosecurity/falco:0.29.1 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.29.1 |
docker pull docker.io/falcosecurity/falco-no-driver:0.29.1 |
Minor Changes
Rule Changes
- rule(list user_known_userfaultfd_processes): list to exclude processes known to use userfaultfd syscall [#1675] - @leodido
- rule(macro consider_userfaultfd_activities): macro to gate the "Unprivileged Delegation of Page Faults Handling to a Userspace Process" rule [#1675] - @leodido
- rule(Unprivileged Delegation of Page Faults Handling to a Userspace Process): new rule to detect successful unprivileged userfaultfd syscalls [#1675] - @leodido
- rule(Linux Kernel Module Injection Detected): adding container info to the output of the rule [#1675] - @leodido
Non user-facing changes
Statistics
Merged PRs | Number |
---|---|
Not user-facing | 2 |
Release note | 1 |
Total | 3 |
Release Manager @leodido
0.29.0
Packages | Download |
---|---|
rpm | |
deb | |
tgz |
Images |
---|
docker pull docker.io/falcosecurity/falco:0.29.0 |
docker pull public.ecr.aws/falcosecurity/falco:0.29.0 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.29.0 |
docker pull docker.io/falcosecurity/falco-no-driver:0.29.0 |
Minor Changes
Rule Changes
- rule(list miner_domains): add rx.unmineable.com for anti-miner detection [#1676] - @fntlnz
- rule(Change thread namespace and Set Setuid or Setgid bit): disable by default [#1632] - @Kaizhe
- rule(list known_sa_list): add namespace-controller, statefulset-controller, disruption-controller, job-controller, horizontal-pod-autoscaler and persistent-volume-binder as allowed service accounts in the kube-system namespace [#1659] - @sboschman
- rule(Non sudo setuid): check user id as well in case user name info is not available [#1665] - @Kaizhe
- rule(Debugfs Launched in Privileged Container): fix typo in description [#1657] - @Kaizhe
Non user-facing changes
- Fix link to CONTRIBUTING.md in the Pull Request Template [#1679] - @tspearconquest
- fetch libs and drivers from the new repo [#1552] - @leogr
- build(test): upgrade urllib3 to 1.26.5 [#1666] - @leogr
- revert: add notes for 0.28.2 release [#1663] - @maxgio92
- changelog: add notes for 0.28.2 release [#1661] - @maxgio92
- docs(release.md): add blog announcement to post-release tasks [#1652] - @maxgio92
- add Yahoo!Japan as an adopter [#1651] - @ukitazume
- Add Replicated to adopters [#1649] - @diamonwiggins
- docs(proposals): fix libs contribution name [#1641] - @leodido
Statistics
Merged PRs | Number |
---|---|
Not user-facing | 11 |
Release note | 7 |
Total | 18 |
Release Manager @maxgio92
0.28.1
Packages | Download |
---|---|
rpm | |
deb | |
tgz |
Images |
---|
docker pull docker.io/falcosecurity/falco:0.28.1 |
docker pull public.ecr.aws/falcosecurity/falco:0.28.1 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.28.1 |
docker pull docker.io/falcosecurity/falco-no-driver:0.28.1 |
Major Changes
- new: `--support` output now includes info about the Falco engine version [#1581] - @mstemm
- new: Falco outputs an alert in the unlikely situation it's receiving too many consecutive timeouts without an event [#1622] - @leodido
- new: configuration field `syscall_event_timeouts.max_consecutive` to configure after how many consecutive timeouts without an event Falco must alert [#1622] - @leodido
Minor Changes
Bug Fixes
- fix: do not stop the webserver for k8s audit logs when invalid data is coming in the event to be processed [#1617] - @fntlnz
Rule Changes
- rule(macro: allowed_aws_ecr_registry_root_for_eks): new macro for AWS EKS images hosted on ECR to use in rule: Launch Privileged Container [#1640] - @ismailyenigul
- rule(macro: aws_eks_core_images): new macro for AWS EKS images hosted on ECR to use in rule: Launch Privileged Container [#1640] - @ismailyenigul
- rule(macro: aws_eks_image_sensitive_mount): new macro for AWS EKS images hosted on ECR to use in rule: Launch Privileged Container [#1640] - @ismailyenigul
- rule(list `falco_privileged_images`): remove deprecated Falco's OCI image repositories [#1634] - @maxgio92
- rule(list `falco_sensitive_mount_images`): remove deprecated Falco's OCI image repositories [#1634] - @maxgio92
- rule(macro `k8s_containers`): remove deprecated Falco's OCI image repositories [#1634] - @maxgio92
- rule(macro: python_running_sdchecks): macro removed [#1620] - @leogr
- rule(Change thread namespace): remove python_running_sdchecks exception [#1620] - @leogr
Non user-facing changes
- urelease/docs: fix link and small refactor in the text [#1636] - @cpanato
- Add Secureworks to adopters [#1629] - @dwindsor-scwx
- regression test for malformed k8s audit input (FAL-01-003) [#1624] - @leodido
- Add mathworks to adopterlist [#1621] - @natchaphon-r
- adding known users [#1623] - @danpopSD
- docs: update link for HackMD community call notes [#1614] - @leodido
Statistics
Merged PRs | Number |
---|---|
Not user-facing | 7 |
Release note | 7 |
Total | 14 |
Release Manager @cpanato
0.28.0
Packages | Download |
---|---|
rpm | |
deb | |
tgz |
Images |
---|
docker pull docker.io/falcosecurity/falco:0.28.0 |
docker pull public.ecr.aws/falcosecurity/falco:0.28.0 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.28.0 |
docker pull docker.io/falcosecurity/falco-no-driver:0.28.0 |
Major Changes
- BREAKING CHANGE: Bintray is deprecated, no new packages will be published at https://dl.bintray.com/falcosecurity/ [#1577] - @leogr
- BREAKING CHANGE: SKIP_MODULE_LOAD env variable no more disables the driver loading (use SKIP_DRIVER_LOADER env variable introduced in Falco 0.24) [#1599] - @leodido
- BREAKING CHANGE: the init.d service unit is not shipped anymore in deb/rpm packages in favor of a systemd service file [#1448] - @jenting
- new: add support for exceptions as rule attributes to provide a compact way to add exceptions to Falco rules [#1427] - @mstemm
- new: falco-no-driver container images on AWS ECR gallery (https://gallery.ecr.aws/falcosecurity/falco-no-driver) [#1519] - @jonahjon
- new: falco-driver-loader container images on AWS ECR gallery (https://gallery.ecr.aws/falcosecurity/falco-driver-loader) [#1519] - @jonahjon
- new: add healthz endpoint to the webserver [#1546] - @cpanato
- new: introduce a new configuration field `syscall_event_drops.threshold` to tune the drop noisiness [#1586] - @leodido
- new: falco-driver-loader script can get a custom driver name from DRIVER_NAME env variable [#1488] - @leodido
- new: falco-driver-loader know the Falco version [#1488] - @leodido
Minor Changes
- docs(proposals): libraries and drivers donation [#1530] - @leodido
- docs(docker): update links to the new Falco website URLs [#1545] - @cpanato
- docs(test): update links to new Falco website URLs [#1563] - @shane-lawrence
- build: now Falco packages are published at https://download.falco.org [#1577] - @leogr
- update: lower the `syscall_event_drops.max_burst` default value to 1 [#1586] - @leodido
- update: falco-driver-loader tries to download a Falco driver before then compiling it on the fly for the host [#1599] - @leodido
- docs(test): document the prerequisites for running the integration test suite locally [#1609] - @fntlnz
- update: Debian/RPM package migrated from init to systemd [#1448] - @jenting
Bug Fixes
- fix(userspace/engine): properly handle field extraction over lists of containers when not all containers match the specified sub-properties [#1601] - @mstemm
- fix(docker/falco): add flex and bison dependency to container image [#1562] - @schans
- fix: ignore action can not be used with log and alert ones (`syscall_event_drops` config) [#1586] - @leodido
- fix(userspace/engine): allows fields starting with numbers to be parsed properly [#1598] - @mstemm
Rule Changes
- rule(Write below monitored dir): improve rule description [#1588] - @stevenshuang
- rule(macro allowed_aws_eks_registry_root): macro to match the official eks registry [#1555] - @ismailyenigul
- rule(macro aws_eks_image): match aws image repository for eks [#1555] - @ismailyenigul
- rule(macro aws_eks_image_sensitive_mount): match aws cni images [#1555] - @ismailyenigul
- rule(macro k8s_containers): include fluent/fluentd-kubernetes-daemonset and prom/prometheus [#1555] - @ismailyenigul
- rule(Launch Privileged Container): exclude aws_eks_image [#1555] - @ismailyenigul
- rule(Launch Sensitive Mount Container): exclude aws_eks_image_sensitive_mount [#1555] - @ismailyenigul
- rule(Debugfs Launched in Privileged Container): new rule [#1583] - @Kaizhe
- rule(Mount Launched in Privileged Container): new rule [#1583] - @Kaizhe
- rule(Set Setuid or Setgid bit): add k3s-agent in the whitelist [#1583] - @Kaizhe
- rule(macro user_ssh_directory): using glob operator [#1560] - @shane-lawrence
- rule(list falco_sensitive_mount_containers): added image exceptions for IBM cloud [#1337] - @nibalizer
- rule(list rpm_binaries): add rhsmcertd [#1385] - @epcim
- rule(list deb_binaries): add apt.systemd.daily [#1385] - @epcim
- rule(Sudo Potential Privilege Escalation): new rule created to detect CVE-2021-3156 [#1543] - @darryk10
- rule(list allowed_k8s_users): add `eks:node-manager` [#1536] - @ismailyenigul
- rule(list mysql_mgmt_binaries): removed [#1602] - @fntlnz
- rule(list db_mgmt_binaries): removed [#1602] - @fntlnz
- rule(macro parent_ansible_running_python): removed [#1602] - @fntlnz
- rule(macro parent_bro_running_python): removed [#1602] - @fntlnz
- rule(macro parent_python_running_denyhosts): removed [#1602] - @fntlnz
- rule(macro parent_linux_image_upgrade_script): removed [#1602] - @fntlnz
- rule(macro parent_java_running_echo): removed [#1602] - @fntlnz
- rule(macro parent_scripting_running_builds): removed [#1602] - @fntlnz
- rule(macro parent_Xvfb_running_xkbcomp): removed [#1602] - @fntlnz
- rule(macro parent_nginx_running_serf): removed [#1602] - @fntlnz
- rule(macro parent_node_running_npm): removed [[#1602](https:...
0.27.0
Released on 2021-01-18
Packages | Download |
---|---|
rpm | |
deb | |
tgz |
Images |
---|
docker pull docker.io/falcosecurity/falco:0.27.0 |
docker pull public.ecr.aws/falcosecurity/falco:0.27.0 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.27.0 |
docker pull docker.io/falcosecurity/falco-no-driver:0.27.0 |
Major Changes
- new: Added falco engine version to grpc version service [#1507] - @nibalizer
- BREAKING CHANGE: Users who run Falco without a config file will be unable to do that any more, Falco now expects a configuration file to be passed all the times. Developers may need to adjust their processes. [#1494] - @nibalizer
- new: asynchronous outputs implementation, outputs channels will not block event processing anymore [#1451] - @leogr
- new: slow outputs detection [#1451] - @leogr
- new: `output_timeout` config option for slow outputs detection [#1451] - @leogr
Minor Changes
- build: bump b64 to v2.0.0.1 [#1441] - @fntlnz
- rules(macro container_started): re-use `spawned_process` macro inside `container_started` macro [#1449] - @leodido
- docs: reach out documentation [#1472] - @fntlnz
- docs: Broken outputs.proto link [#1493] - @deepskyblue86
- docs(README.md): correct broken links [#1506] - @leogr
- docs(proposals): Exceptions handling proposal [#1376] - @mstemm
- docs: fix a broken link of README [#1516] - @oke-py
- docs: adding the kubernetes privileged use case to use cases [#1484] - @fntlnz
- rules(Mkdir binary dirs): Adds exe_running_docker_save as an exception as this rule can be triggered when a container is created. [#1386] - @jhwbarlow
- rules(Create Hidden Files): Adds exe_running_docker_save as an exception as this rule can be triggered when a container is created. [#1386] - @jhwbarlow
- docs(.circleci): welcome Jonah (Amazon) as a new Falco CI maintainer [#1518] - @leodido
- build: falcosecurity/falco:master also available on the AWS ECR Public registry [#1512] - @leodido
- build: falcosecurity/falco:latest also available on the AWS ECR Public registry [#1512] - @leodido
- update: gRPC clients can now subscribe to drop alerts via gRPC API [#1451] - @leogr
- macro(allowed_k8s_users): exclude cloud-controller-manage to avoid false positives on k3s [#1444] - @fntlnz
Bug Fixes
- fix(userspace/falco): use given priority in falco_outputs::handle_msg() [#1450] - @leogr
- fix(userspace/engine): free formatters, if any [#1447] - @leogr
- fix(scripts/falco-driver-loader): lsmod usage [#1474] - @dnwe
- fix: a bug that prevents Falco driver to be consumed by many Falco instances in some circumstances [#1485] - @leodido
- fix: set `HOST_ROOT=/host` environment variable for the `falcosecurity/falco-no-driver` container image by default [#1492] - @leogr
Rule Changes
- rule(list user_known_change_thread_namespace_binaries): add crio and multus to the list [#1501] - @Kaizhe
- rule(Container Run as Root User): new rule created [#1500] - @Kaizhe
- rule(Linux Kernel Module injection detected): adds a new rule that detects when an LKM module is injected using `insmod` from a container (typically used by rootkits looking to obfuscate their behavior via kernel hooking). [#1478] - @d1vious
- rule(macro multipath_writing_conf): create and use the macro [#1475] - @nmarier-coveo
- rule(list falco_privileged_images): add calico/node without registry prefix to prevent false positive alerts [#1457] - @czunker
- rule(Full K8s Administrative Access): use the right list of admin users (fix) [#1454] - @mstemm
Non user-facing changes
- chore(cmake): remove unnecessary whitespace patch [#1522] - @leogr
- remove stale bot in favor of the new lifecycle bot [#1490] - @leodido
- chore(cmake): mark some variables as advanced [#1496] - @deepskyblue86
- chore(cmake/modules): avoid useless rebuild [#1495] - @deepskyblue86
- build: BUILD_BYPRODUCTS for civetweb [#1489] - @fntlnz
- build: remove duplicate item from FALCO_SOURCES [#1480] - @leodido
- build: make our integration tests report clear steps for CircleCI UI [#1473] - @fntlnz
- further improvements outputs impl. [#1443] - @leogr
- fix(test): make integration tests properly fail [#1439] - @leogr
- Falco outputs refactoring [#1412] - @leogr
Statistics
Merged PRs | Number |
---|---|
Not user-facing | 10 |
Release note | 30 |
Total | 40 |
0.26.2
Released on 2020-10-01
Packages | Download |
---|---|
rpm | |
deb | |
tgz |
Images |
---|
docker pull docker.io/falcosecurity/falco:0.26.2 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.26.2 |
docker pull docker.io/falcosecurity/falco-no-driver:0.26.2 |
Major Changes
- update: DRIVERS_REPO now defaults to https://download.falco.org/driver [#1460] - @leodido
0.26.1
Released on 2020-10-01
Packages | Download |
---|---|
rpm | |
deb | |
tgz |
Images |
---|
docker pull docker.io/falcosecurity/falco:0.26.1 |
docker pull docker.io/falcosecurity/falco-driver-loader:0.26.1 |
docker pull docker.io/falcosecurity/falco-no-driver:0.26.1 |
Major Changes
Rule Changes
- rule(Delete or rename shell history): fix warnings/FPs + container teardown [#1423] - @mstemm
- rule(Write below root): ensure proc_name_exists too [#1423] - @mstemm
Statistics
Merged PRs | Number |
---|---|
Not user-facing | 4 |
Release note | 2 |
Total | 6 |