From 4ab72d039107e19e8d1de4d6e227a79f2e5484b9 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 22 Dec 2016 11:18:24 -0800 Subject: [PATCH] Updating docs for 0.5.0. New changelog and readme updates. --- CHANGELOG.md | 32 ++++++++++++++++++++++++++++++++ README.md | 7 ++++++- 2 files changed, 38 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 27aac681263..caf5cb932f0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,6 +2,38 @@ This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org). +## v0.5.0 + +Released 2016-12-22 + +Starting with this release, we're adding a new section "Rule Changes" devoted to changes to the default ruleset `falco_rules.yaml`. + +### Major Changes + +* Cache event formatting objects so they are not re-created for every falco notification. This can result in significant speedups when the ruleset results in lots of notifications. [[#158](https://github.com/draios/falco/pull/158)] +* Falco notifications are now throttled by a token bucket, preventing a flood of notifications when many events match a rule. Controlled by the `outputs, rate` and `outputs, max_burst` options. [[#161](https://github.com/draios/falco/pull/161)] + +### Minor Changes + +* When run from a container, you can provide the environment variable `SYSDIG_SKIP_LOAD` to skip the process of building/loading the kernel module. Thanks @carlsverre for the fix. [[#145](https://github.com/draios/falco/pull/145)] +* Fully implement `USE_BUNDLED_DEPS` within CMakeFiles so you can build with external third-party libraries. [[#147](https://github.com/draios/falco/pull/147)] +* Improve error messages that result when trying to load a rule with a malformed `output:` attribute [[#150](https://github.com/draios/falco/pull/150)] [[#151](https://github.com/draios/falco/pull/151)] +* Add the ability to write event capture statistics to a file via the `-s ` option. [[#155](https://github.com/draios/falco/pull/155)] +* New configuration option `log_level` controls the verbosity of falco's logging. [[#160](https://github.com/draios/falco/pull/160)] + + +### Bug Fixes + +* Improve compatibility with Sysdig Cloud Agent build [[#148](https://github.com/draios/falco/pull/148)] + +### Rule Changes + +* Add DNF as non-alerting for RPM and package management. Thanks @djcross for the fix. 
[[#153](https://github.com/draios/falco/pull/153)] +* Make `google_containers/kube-proxy` a trusted image, affecting the File Open by Privileged Container/Sensitive Mount by Container rules. [[#159](https://github.com/draios/falco/pull/159)] +* Add fail2ban-server as a program that can spawn shells. Thanks @jcoetzee for the fix. [[#168](https://github.com/draios/falco/pull/168)] +* Add systemd as a program that can access sensitive files. Thanks @jcoetzee for the fix. [[#169](https://github.com/draios/falco/pull/169)] +* Add apt/apt-get as programs that can spawn shells. Thanks @jcoetzee for the fix. [[#170](https://github.com/draios/falco/pull/170)] + ## v0.4.0 Released 2016-10-25 diff --git a/README.md b/README.md index f7641ee1ac6..3f65a08e932 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ ####Latest release -**v0.4.0** +**v0.5.0** Read the [change log](https://github.com/draios/falco/blob/dev/CHANGELOG.md) Dev Branch: [![Build Status](https://travis-ci.org/draios/falco.svg?branch=dev)](https://travis-ci.org/draios/falco)
@@ -22,6 +22,11 @@ Falco can detect and alert on any behavior that involves making Linux system cal - A non-device file is written to `/dev` - A standard system binary (like `ls`) makes an outbound network connection +#### How Falco Compares to Other Security Tools like SELinux, Auditd, etc. + +One of the questions we often get when we talk about Sysdig Falco is “How does it compare to other tools like SELinux, AppArmor, Auditd, etc. that also have security policies?”. We wrote a [blog post](https://sysdig.com/blog/selinux-seccomp-falco-technical-discussion/) comparing Falco to other tools. + + Documentation --- [Visit the wiki] (https://github.com/draios/falco/wiki) for full documentation on falco.
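Review bot: in the CHANGELOG hunk, the Minor Changes entry for event capture statistics reads "via the `-s ` option" with a trailing space and no argument, so the placeholder for the file path appears to have been dropped (most likely an angle-bracket token eaten by markdown); write it as "via the `-s <file>` option" inside backticks so readers can see the flag takes a path. In the same hunk, the throttling entry names the options as `outputs, rate` and `outputs, max_burst`, which does not show how the keys nest in `falco.yaml`; spelling out the key path (for example "the `rate` and `max_burst` keys under `outputs`") would remove the ambiguity. Minor: there is a double blank line before `### Bug Fixes`, and the `#148` entry lacks a terminating period while its neighbours have one.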
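Review bot: in the second README hunk, the added `#### How Falco Compares to Other Security Tools like SELinux, Auditd, etc.` is a level-4 ATX heading dropped between a bullet list and the setext `Documentation` section (underlined with `---`, i.e. level 2), so it will render as a sub-sub-heading of the preceding list rather than a sibling section; either promote it or use the same setext style as the surrounding sections, and drop "etc." from the heading text. The new paragraph also uses curly quotes and ends with `?”.`, a question mark followed by a period; plain quotes and a single terminating mark are the README's existing convention. The two blank lines left before `Documentation` can be collapsed to one.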