Skip to content

0.10.0
Compare
Choose a tag to compare
@mstemm mstemm released this 24 Apr 23:21
· 3919 commits to master since this release
0.10.0
2a0911d

Released 2018-04-24

Major Changes

  • Rules Directory Support: Falco will read rules files from /etc/falco/rules.d in addition to /etc/falco/falco_rules.yaml and /etc/falco/falco_rules.local.yaml. Also, when the argument to -r/falco.yaml rules_file is a directory, falco will read rules files from that directory. [#348] [#187]
  • Properly support all syscalls (e.g. those without parameter extraction by the kernel module) in falco conditions, so they can be included in evt.type=<name> conditions. [#352]
  • When packaged as a container, start building kernel module with gcc 5.0 instead of gcc 4.9. [#331]
  • New example puppet module for falco. [#341] [#115]
  • When signaled with USR1, falco will close/reopen log files. Include a logrotate example that shows how to use this feature for log rotation. [#347] [#266]
  • To improve resource usage, further restrict the set of system calls available to falco [#351] [draios/sysdig#1105]

Minor Changes

  • Add gdb to the development Docker image (sysdig/falco:dev) to aid in debugging. [#323]
  • You can now specify -V multiple times on the command line to validate multiple rules files at once. [#329]
  • When run with -v, falco will print dangling macros/lists that are not used by any rules. [#329]
  • Add an example demonstrating cryptomining attack that exploits an open docker daemon using host mounts. [#336]
  • New falco.yaml option json_include_output_property controls whether the formatted string "output" is included in the json object when json output is enabled. [#342]
  • Centralize testing event types for consideration by falco into a single function [draios/sysdig#1105) [#356]
  • If a rule has an attribute warn_evttypes, falco will not complain about evt.type restrictions on that rule [#355]
  • When run with -i, print all ignored events/syscalls and exit. [#359]

Bug Fixes

  • Minor bug fixes to k8s daemonset configuration. [#325] [#296] [#295]
  • Ensure --validate can be used interchangeably with -V. [#334] [#322]
  • Rule conditions like fd.net can now be used with the in operator e.g. evt.type=connect and fd.net in ("127.0.0.1/24"). [draios/sysdig#1091] [#343]
  • Ensure that keep_alive can be used both with file and program output at the same time. [#335]
  • Make it possible to append to a skipped macro/rule without falco complaining [#346] [#305]
  • Ensure rule order is preserved even when rules do not contain any evt.type restriction. [#354] [#355]

Rule Changes

  • Make it easier to extend the Change thread namespace rule via a user_known_change_thread_namespace_binaries list. [#324]
  • Various FP fixes from users. [#321] [#326] [#344] [#350]
  • New rule Disallowed SSH Connection detects ssh connection attempts to hosts outside of an expected set. In order to be effective, you need to override the macro allowed_ssh_hosts in a user rules file. [#321]
  • New rule Unexpected K8s NodePort Connection detects attempts to contact the K8s NodePort range from a program running inside a container. In order to be effective, you need to override the macro nodeport_containers in a user rules file. [#321]
  • Improve Modify binary dirs rule to work with new syscalls [#353]
  • New rule Unexpected UDP Traffic checks for udp traffic not on a list of expected ports. Somewhat FP-prone, so it must be explicitly enabled by overriding the macro do_unexpected_udp_check in a user rules file. [#320] [#357]
Assets 2
Loading