Releases: falcosecurity/falco
0.35.0-alpha1
This is a test for the release pipeline.
0.34.0
Packages: rpm-x86_64, deb-x86_64, tgz-x86_64, rpm-aarch64, deb-aarch64, tgz-aarch64
Images:
- docker pull docker.io/falcosecurity/falco:0.34.0
- docker pull public.ecr.aws/falcosecurity/falco:0.34.0
- docker pull docker.io/falcosecurity/falco-driver-loader:0.34.0
- docker pull docker.io/falcosecurity/falco-no-driver:0.34.0
- docker pull docker.io/falcosecurity/falcoctl:0.4.0
Major Changes
- BREAKING CHANGE: if you relied upon `application_rules.yaml`, you can download it from https://github.com/falcosecurity/rules/tree/main/rules and install it manually. [#2389] - @leogr
- new(rules): New rule to detect attempts to inject code into a process using PTRACE [#2226] - @Brucedh
- new(engine): Also include exact locations for rule condition compile errors (missing macros, etc). [#2216] - @mstemm
- new(scripts): Support older RHEL distros in falco-driver-loader script [#2312] - @gentooise
- new(scripts): add `falcoctl` config into Falco package [#2390] - @Andreagit97
- new(userspace/falco): [EXPERIMENTAL] allow modern bpf probe to assign more than one CPU to a single ring buffer [#2363] - @Andreagit97
- new(userspace/falco): add webserver endpoint for retrieving internal version numbers [#2356] - @jasondellaluce
- new(falco): add --version-json to print version information in json format [#2331] - @LucaGuerra
- new(scripts): support multiple drivers in systemd units [#2242] - @FedeDP
- new(scripts): add bottlerocket support in falco-driver-loader [#2318] - @FedeDP
- new(falco): add more version fields to --support and --version [#2325] - @LucaGuerra
- new(config): explicitly add the `simulate_drops` config [#2260] - @Andreagit97
Minor Changes
- build: upgrade to `falcoctl` v0.4.0 [#2406] - @loresuso
- update(userspace): change `modern_bpf.cpus_for_each_syscall_buffer` default value [#2404] - @Andreagit97
- update(build): update falcoctl to 0.3.0 [#2401] - @LucaGuerra
- update(build): update falcoctl to 0.3.0-rc7 [#2396] - @LucaGuerra
- update(cmake): bump libs to 0.10.3 [#2392] - @FedeDP
- build: `/etc/falco/rules.available` has been deprecated [#2389] - @leogr
- build: `application_rules.yaml` is no longer shipped with Falco [#2389] - @leogr
- build: upgrade k8saudit plugin to v0.5.0 [#2381] - @leogr
- build: upgrade cloudtrail plugin to v0.6.0 [#2381] - @leogr
- new!: ship falcoctl inside Falco [#2345] - @FedeDP
- refactor: remove rules and add submodule to falcosecurity/rules [#2359] - @jasondellaluce
- update(scripts): add option for regenerating signatures of all dev and release packages [#2364] - @jasondellaluce
- update: print JSON version output when json_output is enabled [#2351] - @jasondellaluce
- update(cmake): updated libs to 0.10.1 tag. [#2362] - @FedeDP
- Install CA certificates in the falco:no-driver docker image [#2355] - @Issif
- update: Mesos support is now deprecated and will be removed in the next version. [#2328] - @leogr
- update(scripts/falco-driver-loader): optimize the resiliency of module download script for air-gapped environments [#2336] - @Dentrax
- doc(userspace): provide users with a correct message when some syscalls are not defined [#2329] - @Andreagit97
- update(ci): update ci jobs to generate Falco images with the modern BPF probe [#2320] - @Andreagit97
- rules: add Falco container lists [#2290] - @oscr
- rules(macro: private_key_or_password): now also check for OpenSSH private keys [#2284] - @oscr
- update(cmake): bump libs and driver to latest RC. [#2302] - @FedeDP
- Ensure that a ruleset object is copied properly in falco_engine::add_source(). [#2271] - @mstemm
- update(userspace/falco): enable using zlib with webserver [#2125] - @jasondellaluce
- update(falco): add container-gvisor and kubernetes-gvisor print options [#2288] - @LucaGuerra
- cleanup: always use bundled libz and libelf in BUNDLED_DEPS mode. [#2277] - @FedeDP
- update: updated libs and driver to version dd443b67c6b04464cb8ee2771af8ada8777e7fac [#2277] - @FedeDP
- update(falco.yaml): `open_params` under plugins configuration is now trimmed of surrounding whitespace [#2267] - @yardenshoham
Bug Fixes
- fix(engine): Avoid crash related to caching syscall source when the falco engine uses multiple sources at the same time. [#2272] - @mstemm
- fix(scripts): use falco-driver-loader only in install scripts [#2391] - @Andreagit97
- fix(userspace/falco): fix grpc server shutdown [#2350] - @FedeDP
- fix(docker/falco): trust latest GPG key [#2365] - @jasondellaluce
- fix(userspace/engine): improve rule loading validation results [#2344] - @jasondellaluce
- fix: graceful error handling for mac...
0.33.0
Packages: rpm-x86_64, deb-x86_64, tgz-x86_64, rpm-aarch64, deb-aarch64, tgz-aarch64
Images:
- docker pull docker.io/falcosecurity/falco:0.33.0
- docker pull public.ecr.aws/falcosecurity/falco:0.33.0
- docker pull docker.io/falcosecurity/falco-driver-loader:0.33.0
- docker pull docker.io/falcosecurity/falco-no-driver:0.33.0
Major Changes
- new: add a `drop_pct` relative to the global number of events [#2130] - @Andreagit97
- new: print some info about eBPF and enabled sources when Falco starts [#2133] - @Andreagit97
- new(userspace): print architecture information [#2147] - @Andreagit97
- new(CI): add CodeQL security scanning to Falco. [#2171] - @Andreagit97
- new: configure syscall buffer dimension from Falco [#2214] - @Andreagit97
- new(cmdline): add development support for modern BPF probe [#2221] - @Andreagit97
- new(falco-driver-loader): `DRIVERS_REPO` now supports the use of multiple download URLs (comma separated) [#2165] - @IanRobertson-wpe
- new(userspace/engine): support alternative plugin version requirements in checks [#2190] - @jasondellaluce
- new: support running multiple event sources in parallel [#2182] - @jasondellaluce
- new(userspace/falco): automatically create paths for grpc unix socket and gvisor endpoint. [#2189] - @FedeDP
- new(scripts): allow falco-driver-loader to properly distinguish any ubuntu flavor [#2178] - @FedeDP
- new: add option to enable event sources selectively [#2085] - @jasondellaluce
Minor Changes
- docs(falco-driver-loader): add some comments in `falco-driver-loader` [#2153] - @Andreagit97
- update(cmake): use latest libs tag `0.9.0` [#2257] - @Andreagit97
- update(.circleci): re-enabled cppcheck [#2186] - @leogr
- update(userspace/engine): improve falco files loading performance [#2151] - @VadimZy
- update(cmake): use latest driver tag 3.0.1+driver [#2251] - @Andreagit97
- update(userspace/falco)!: adapt stats writer for multiple parallel event sources [#2182] - @jasondellaluce
- refactor(userspace/engine): remove falco engine APIs that returned a required_engine_version [#2096] - @mstemm
- update(userspace/engine): add some small changes to rules matching that reduce cpu usage with high event volumes (> 1M syscalls/sec) [#2210] - @mstemm
- rules: added process IDs to default rules [#2211] - @spyder-kyle
- update(scripts/debian): falco.service systemd unit is now cleaned-up during (re)install and removal via the DEB and RPM packages [#2138] - @Happy-Dude
- update(userspace/falco): move on from deprecated libs API for printing event list [#2253] - @jasondellaluce
- chore(userspace/falco): improve cli helper and log options with debug level [#2252] - @jasondellaluce
- update(userspace): minor pre-release improvements [#2236] - @jasondellaluce
- update: bumped libs to fd46dd139a8e35692a7d40ab2f0ed2016df827cf. [#2201] - @FedeDP
- update!: gVisor sock default path changed from `/tmp/gvisor.sock` to `/run/falco/gvisor.sock` [#2163] - @vjjmiras
- update!: gRPC server sock default path changed from `/run/falco.sock.sock` to `/run/falco/falco.sock` [#2163] - @vjjmiras
- update(scripts/falco-driver-loader): minikube environment is now correctly detected [#2191] - @alacuku
- update(rules/falco_rules.yaml): `required_engine_version` changed to 13 [#2179] - @incertum
- refactor(userspace/falco): re-design stats writer and make it thread-safe [#2109] - @jasondellaluce
- refactor(userspace/falco): make signal handlers thread safe [#2091] - @jasondellaluce
- refactor(userspace/engine): strengthen and document thread-safety guarantees of falco_engine::process_event [#2082] - @jasondellaluce
- update(userspace/falco): make webserver threadiness configurable [#2090] - @jasondellaluce
- refactor(userspace/falco): reduce app actions dependency on app state and inspector [#2097] - @jasondellaluce
- update(userspace/falco): use move semantics in falco logger [#2095] - @jasondellaluce
- update: use the `FALCO_HOSTNAME` env var to override the hostname value [#2174] - @leogr
- update: bump libs and driver versions to 6599e2efebce30a95f27739d655d53f0d5f686e4 [#2177] - @jasondellaluce
- refactor(userspace/falco): make output rate limiter optional and output engine explicitly thread-safe [#2139] - @jasondellaluce
- update(falco.yaml)!: notification rate limiter disabled by default. [#2139] - @jasondellaluce
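The configuration knobs that 0.33.0 introduces or re-defaults above (syscall buffer preset, gRPC socket path, thread counts, rate limiter) together with the 0.34.0 `modern_bpf.cpus_for_each_syscall_buffer` change can be collected in one falco.yaml fragment. The fragment below is an added example written for these notes, not the file shipped with Falco; the key names are the ones these releases document, while the values (buffer preset, CPU count, rate limiter numbers) are illustrative and should be tuned per host.

```yaml
# falco.yaml fragment (added example, not the shipped default file).

# Alerts carry a "hostname" field; set FALCO_HOSTNAME in the environment to
# override the value Falco would otherwise pick up from the kernel (0.33.0).
json_output: true

# Restart Falco when rules or config files change on disk (0.32.0).
watch_config_files: true

# Kernel ring-buffer size preset (0.33.0). A larger preset trades memory for a
# lower drop ratio; the value here is illustrative.
syscall_buf_size_preset: 4

# Modern eBPF probe: how many CPUs share one ring buffer (experimental in
# 0.34.0, whose default was changed in #2404). Illustrative value.
modern_bpf:
  cpus_for_each_syscall_buffer: 2

# Notification rate limiter. 0.33.0 disables it by default; rate: 0 keeps it
# off, a positive rate re-enables token-bucket throttling of outputs.
outputs:
  rate: 0
  max_burst: 1000

grpc:
  enabled: false
  # New default socket path in 0.33.0 (was /run/falco.sock.sock in the notes above).
  bind_address: "unix:///run/falco/falco.sock"
  threadiness: 0

webserver:
  enabled: true
  # Thread count is configurable since 0.33.0; 0 lets Falco pick.
  threadiness: 0
  listen_port: 8765
  k8s_healthz_endpoint: /healthz
```

Two caveats follow from the notes: with the rate limiter off, a noisy rule on a busy host can flood the output sink, so any throttling must now be done downstream or by re-enabling `outputs.rate`; and because 0.33.0 moved both socket paths under `/run/falco/`, any consumer hard-wired to the old gRPC or gVisor socket path has to be updated when upgrading.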
Bug Fixes
- fix: compute the `drop ratio` in the right way [#2128] - @Andreagit97
- fix(falco_service): falco service needs to write under /sys/module/falco [#2238] - @Andreagit97
- fix(userspace): cleanup output of ruleset validation result [#2248] - @jasondellaluce
- fix(userspace): properly print ignored syscalls messages when not in `-A` mode [[#2243](h...
0.32.2
Packages: rpm-x86_64, deb-x86_64, tgz-x86_64, rpm-aarch64, deb-aarch64, tgz-aarch64
Images:
- docker pull docker.io/falcosecurity/falco:0.32.2
- docker pull public.ecr.aws/falcosecurity/falco:0.32.2
- docker pull docker.io/falcosecurity/falco-driver-loader:0.32.2
- docker pull docker.io/falcosecurity/falco-no-driver:0.32.2
Bug Fixes
Statistics: 1 merged PR (0 not user-facing, 1 with release note)
0.32.1
Packages: rpm, deb, tgz, rpm-arm64, deb-arm64, tgz-arm64
Images:
- docker pull docker.io/falcosecurity/falco:0.32.1
- docker pull public.ecr.aws/falcosecurity/falco:0.32.1
- docker pull docker.io/falcosecurity/falco-driver-loader:0.32.1
- docker pull docker.io/falcosecurity/falco-no-driver:0.32.1
Major Changes
Minor Changes
- update(build): Switch from RSA/SHA1 to RSA/SHA256 signature in the RPM package [#2044] - @vjjmiras
- refactor(userspace/engine): drop macro source field in rules and rule loader [#2094] - @jasondellaluce
- build: introduce `DRIVER_VERSION`, which allows setting a driver version (which may differ from the falcosecurity/libs version) [#2086] - @leogr
- update: add more info to `--version` output [#2086] - @leogr
- build(scripts): the published deb repo now has an InRelease file [#2060] - @FedeDP
- update(userspace/falco): make plugin init config optional and add --plugin-info CLI option [#2059] - @jasondellaluce
- update(userspace/falco): support libs logging [#2093] - @jasondellaluce
- update(falco): update libs to 0.7.0 [#2119] - @LucaGuerra
Bug Fixes
- fix(userspace/falco): ensure that only rules files named with `-V` are loaded when validating rules files. [#2088] - @mstemm
- fix(rules): use exit event in reverse shell detection rule [#2076] - @alacuku
- fix(scripts): falco-driver-loader script will now look for drivers in driver/${ARCH}/ for x86_64 too. [#2057] - @FedeDP
- fix(falco-driver-loader): building falco module with DKMS on Flatcar and supporting fetching pre-built module/eBPF probe [#2043] - @jepio
Rule Changes
- rule(Redirect STDOUT/STDIN to Network Connection in Container): changed priority to NOTICE [#2092] - @leogr
- rule(Java Process Class Download): detect potential log4shell exploitation [#2041] - @pirxthepilot
Non user-facing changes
- remove kaizhe from falco rule owner [#2050] - @Kaizhe
- docs(readme): added arm64 mention + packages + badge. [#2101] - @FedeDP
- new(circleci): enable integration tests for arm64. [#2099] - @FedeDP
- chore(cmake): bump plugins versions [#2102] - @Andreagit97
- fix(docker): fixed deb tester sub image. [#2100] - @FedeDP
- fix(ci): fix sign script - avoid interpreting '{*}$argv' too soon [#2075] - @vjjmiras
- fix(tests): make tests run locally (take 2) [#2089] - @LucaGuerra
- fix(ci): creates ~/sign instead of ./sign [#2072] - @vjjmiras
- fix(ci): sign arm64 rpm packages. [#2069] - @FedeDP
- update(falco_scripts): Change Flatcar dynlinker path [#2066] - @jepio
- fix(scripts): fixed path in publish-deb script. [#2062] - @FedeDP
- fix(build): docker-container buildx engine does not support retagging images. Tag all images together. [#2058] - @FedeDP
- fix(build): fixed publish-docker-dev job context. [#2056] - @FedeDP
- Correct linting issue in rules [#2055] - @stephanmiehe
- Fix falco compilation issues with new libs [#2053] - @alacuku
- fix(scripts): forcefully create packages dir for debian packages. [#2054] - @FedeDP
- fix(build): removed leftover line in circleci config. [#2052] - @FedeDP
- fix(build): fixed circleCI artifacts publish for arm64. [#2051] - @FedeDP
- update(docker): updated falco-builder to fix multiarch support. [#2049] - @FedeDP
- fix(build): use apt instead of apk when installing deps for aws ecr publish [#2047] - @FedeDP
- fix(build): try to use root user for cimg/base [#2045] - @FedeDP
- update(build): avoid double build of docker images when pushing to aws ecr [#2046] - @FedeDP
- chore(k8s_audit_plugin): bump k8s audit plugin version [#2042] - @Andreagit97
- fix(tests): make run_regression_tests.sh work locally [#2020] - @LucaGuerra
- Circle CI build job for ARM64 [#1997] - @odidev
Statistics: 41 merged PRs (25 not user-facing, 16 with release note)
0.32.0
Packages: rpm, deb, tgz
Images:
- docker pull docker.io/falcosecurity/falco:0.32.0
- docker pull public.ecr.aws/falcosecurity/falco:0.32.0
- docker pull docker.io/falcosecurity/falco-driver-loader:0.32.0
- docker pull docker.io/falcosecurity/falco-no-driver:0.32.0
Major Changes
- new: added new `watch_config_files` config option, to trigger a Falco restart whenever a change is detected in the rules or config files [#1991] - @FedeDP
- new(rules): add rule to detect excessively capable container [#1963] - @loresuso
- new(rules): add rules to detect pods sharing host pid and IPC namespaces [#1951] - @loresuso
- new(image): add Falco image based on RedHat UBI [#1943] - @araujof
- new(falco): add --markdown and --list-syscall-events [#1939] - @LucaGuerra
Minor Changes
- update(build): updated plugins to latest versions. [#2033] - @FedeDP
- refactor(userspace/falco): split the currently monolithic falco_init into smaller "actions", managed by the falco application's action manager. [#1953] - @mstemm
- rules: out of the box ruleset for OKTA Falco Plugin [#1955] - @darryk10
- update(build): updated libs to 39ae7d40496793cf3d3e7890c9bbdc202263836b [#2031] - @FedeDP
- update!: moving out plugins ruleset files [#1995] - @leogr
- update: added `hostname` as a field in JSON output [#1989] - @Milkshak3s
- refactor!: remove K8S audit logs from Falco [#1952] - @jasondellaluce
- refactor(userspace/engine): use supported_operators helper from libsinsp filter parser [#1975] - @jasondellaluce
- refactor!: deprecate PSP regression tests and warn for unsafe usage of in k8s audit filters [#1976] - @jasondellaluce
- build(cmake): upgrade catch2 to 2.13.9 [#1977] - @leogr
- refactor(userspace/engine): reduce memory usage for resolving evttypes [#1965] - @jasondellaluce
- refactor(userspace/engine): remove Lua from Falco and re-implement the rule loader [#1966] - @jasondellaluce
- refactor(userspace/engine): decoupling ruleset reading, parsing, and compilation steps [#1970] - @jasondellaluce
- refactor: update definitions of falco_common [#1967] - @jasondellaluce
- update: improved Falco engine event processing performance [#1944] - @deepskyblue86
- refactor(userspace/engine): use libsinsp filter parser and compiler inside rule loader [#1947] - @jasondellaluce
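The `hostname` field added to JSON output in 0.32.0 (and overridable with `FALCO_HOSTNAME` from 0.33.0) is what lets a central sink tell apart alerts from many Falco instances. The script below is an added example written for these notes, not code from the Falco project: it consumes a newline-delimited stream in the shape Falco emits with `json_output: true`, drops torn or non-JSON lines, filters by priority and groups rule hits per host, putting alerts from older builds that lack `hostname` into an `unknown` bucket. The rule names and field values in the sample stream are constructed, not captured from a real host.

```python
"""Consumer for Falco JSON alerts: an example added to these release notes, not
code from the Falco project.  Falco writes one JSON object per line when
json_output is enabled; since 0.32.0 each object carries a "hostname" field,
which 0.33.0 lets you override with the FALCO_HOSTNAME env var.  The alerts
below are constructed samples, not captured output."""
import json
from collections import defaultdict

# Falco priority names, most severe first, in the order Falco defines them.
PRIORITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
RANK = {name: i for i, name in enumerate(PRIORITIES)}


def _alert(hostname, priority, rule, **fields):
    """Build one constructed alert line in the shape of Falco's json_output."""
    obj = {
        "priority": priority,
        "rule": rule,
        "source": "syscall",
        "time": "2023-02-01T10:00:00.000000000Z",
        "output": "10:00:00.000000000: %s %s" % (priority, rule),
        "output_fields": fields,
    }
    if hostname is not None:
        obj["hostname"] = hostname
    return json.dumps(obj)


# Constructed sample stream: three well-formed alerts, one from a pre-0.32
# build without "hostname", and one torn line (e.g. a partial write).
SAMPLE_STREAM = "\n".join([
    _alert("node-a", "Warning", "Terminal shell in container",
           **{"container.id": "abc123", "proc.name": "bash"}),
    _alert("node-b", "Notice", "Launch Package Management Process in Container",
           **{"container.id": "def456", "proc.name": "npm"}),
    _alert("node-a", "Critical", "Detect release_agent File Container Escapes",
           **{"container.id": "abc123", "fd.name": "/sys/fs/cgroup/release_agent"}),
    _alert(None, "Error", "Write below etc", **{"fd.name": "/etc/passwd"}),
    '{"priority": "Warning", "rule": "Trunc',  # torn line, must be skipped
])


def parse_alerts(stream):
    """Return the well-formed alert objects in a newline-delimited JSON stream."""
    alerts = []
    for line in stream.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # startup log text or a torn line; not an alert
        if isinstance(obj, dict) and "priority" in obj and "rule" in obj:
            alerts.append(obj)
    return alerts


def at_least(alerts, min_priority):
    """Keep alerts whose priority is at least min_priority (e.g. "Warning")."""
    threshold = RANK[min_priority]
    # Unknown priority names rank below Debug, so they never pass the filter.
    return [a for a in alerts
            if RANK.get(a["priority"], len(PRIORITIES)) <= threshold]


def rules_by_host(alerts):
    """Map hostname -> rule names in stream order; alerts that predate the
    hostname field land under "unknown"."""
    grouped = defaultdict(list)
    for a in alerts:
        grouped[a.get("hostname", "unknown")].append(a["rule"])
    return dict(grouped)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_STREAM)
    for host, rules in rules_by_host(at_least(alerts, "Warning")).items():
        print(host, rules)
```

In production the stream would come from Falco's `file_output`, `stdout_output` or `http_output` rather than a constructed string; the parsing and grouping are unchanged. Note that priority comparison is done on rank, not string order, so "Critical" sorts above "Warning" even though it is alphabetically earlier.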
Bug Fixes
- fix(userspace/engine): skip rules with unknown sources that also have exceptions, and skip macros with unknown sources. [#1920] - @mstemm
- fix(userspace/falco): enable k8s and mesos clients only when syscall source is enabled [#2019] - @jasondellaluce
Rule Changes
- rule(Launch Excessively Capable Container): fix typo in description [#1996] - @mmonitz
- rule(macro: known_shell_spawn_cmdlines): add `sh -c /usr/share/lighttpd/create-mime.conf.pl` to macro [#1996] - @mmonitz
- rule(macro net_miner_pool): additional syscall for detection [#2011] - @beryxz
- rule(macro truncate_shell_history): include .ash_history [#1956] - @bdashrad
- rule(macro modify_shell_history): include .ash_history [#1956] - @bdashrad
- rule(Detect release_agent File Container Escapes): new rule created to detect an attempt to exploit a container escape using release_agent file [#1969] - @darryk10
- rule(k8s: secret): detect `get` attempts, both successful and unsuccessful [#1949] - @Dentrax
- rule(K8s Serviceaccount Created/Deleted): Fixed output for the rules [#1973] - @darryk10
- rule(Disallowed K8s User): exclude allowed EKS users [#1960] - @darryk10
- rule(Launch Ingress Remote File Copy Tools in Container): Removed use cases not triggering the rule [#1968] - @darryk10
- rule(Mount Launched in Privileged Container): added allowlist macro user_known_mount_in_privileged_containers. [#1930] - @mmoyerfigma
- rule(macro user_known_shell_config_modifiers): allow to allowlist shell config modifiers [#1938] - @claudio-vellage
Non user-facing changes
- new: update plugins [#2023] - @FedeDP
- update(build): updated libs version for Falco 0.32.0 release. [#2022] - @FedeDP
- update(build): updated libs to 1be924900a09cf2e4db4b4ae13d03d838959f350 [#2024] - @FedeDP
- chore(userspace/falco): do not print error code in process_events.cpp [#2030] - @alacuku
- fix(falco-scripts): remove driver versions with `dkms-3.0.3` [#2027] - @Andreagit97
- chore(userspace/falco): fix punctuation typo in output message when loading plugins [#2026] - @alacuku
- refactor(userspace): change falco engine design to properly support multiple sources [#2017] - @jasondellaluce
- update(userspace/falco): improve falco termination [#2012] - @Andreagit97
- update(userspace/engine): introduce new `check_plugin_requirements` API [#2009] - @Andreagit97
- fix(userspace/engine): improve rule loader source checks [#2010] - @Andreagit97
- fix: split filterchecks per source-idx [#1999] - @FedeDP
- new: port CI builds to github actions [#2000] - @FedeDP
- build(userspace/engine): cleanup unused...
0.31.1
Packages: rpm, deb, tgz
Images:
- docker pull docker.io/falcosecurity/falco:0.31.1
- docker pull public.ecr.aws/falcosecurity/falco:0.31.1
- docker pull docker.io/falcosecurity/falco-driver-loader:0.31.1
- docker pull docker.io/falcosecurity/falco-no-driver:0.31.1
Major Changes
Minor Changes
- refactor(userspace/falco): replace direct getopt_long() cmdline option parsing with third-party cxxopts library. [#1886] - @mstemm
- update: driver version is b7eb0dd [#1923] - @LucaGuerra
Bug Fixes
- fix(userspace/falco): correct plugins init config conversion from YAML to JSON [#1907] - @jasondellaluce
- fix(userspace/engine): rules at the informational level were being loaded at the notice level [#1885] - @mike-stewart
- chore(userspace/falco): fixes truncated -b option description. [#1915] - @andreabonanno
- update(falco): updates usage description for -o, --option [#1903] - @andreabonanno
Rule Changes
- rule(Detect outbound connections to common miner pool ports): fix url in rule output [#1918] - @jsoref
- rule(macro somebody_becoming_themself): renaming macro to somebody_becoming_themselves [#1918] - @jsoref
- rule(list package_mgmt_binaries): `npm` added [#1866] - @rileydakota
- rule(Launch Package Management Process in Container): support for detecting `npm` usage [#1866] - @rileydakota
- rule(Polkit Local Privilege Escalation Vulnerability): new rule created to detect CVE-2021-4034 [#1877] - @darryk10
- rule(macro: modify_shell_history): avoid false-positive alerts triggered by modifications to .zsh_history.new and .zsh_history.LOCK files [#1832] - @m4wh6k
- rule(macro: truncate_shell_history): avoid false-positive alerts triggered by modifications to .zsh_history.new and .zsh_history.LOCK files [#1832] - @m4wh6k
- rule(macro sssd_writing_krb): fixed a false-positive alert that was being generated when SSSD updates /etc/krb5.keytab [#1825] - @mac-chaffee
- rule(macro write_etc_common): fixed a false-positive alert that was being generated when SSSD updates /etc/krb5.keytab [#1825] - @mac-chaffee
- rule(macro keepalived_writing_conf): upgrade macro [#1742] - @pabloopez
- rule(Delete Bucket Public Access Block): fix typo in rule output [#1888] - @pabloopez
Non user-facing changes
- fix(build): fix civetweb linking in cmake module [#1919] - @LucaGuerra
- chore(userspace/engine): remove unused lua functions and state vars [#1908] - @jasondellaluce
- fix(userspace/falco): applies FALCO_INSTALL_CONF_FILE as the default … [#1900] - @andreabonanno
- fix(scripts): correct typo in `falco-driver-loader` help message [#1899] - @leogr
- update(build)!: replaced various `PROBE` with `DRIVER` where necessary. [#1887] - @FedeDP
- Add Fairwinds to the adopters list [#1917] - @sudermanjr
- build(cmake): several cmake changes to speed up/simplify builds for external projects and copying files from source-to-build directories [#1905] - @mstemm
Statistics: 24 merged PRs (11 not user-facing, 13 with release note)
0.31.0
Packages: rpm, deb, tgz
Images:
- docker pull docker.io/falcosecurity/falco:0.31.0
- docker pull public.ecr.aws/falcosecurity/falco:0.31.0
- docker pull docker.io/falcosecurity/falco-driver-loader:0.31.0
- docker pull docker.io/falcosecurity/falco-no-driver:0.31.0
Major Changes
- new: add support for plugins to extend Falco functionality to new event sources and custom fields [#1753] - @mstemm
- new: add ability to set User-Agent http header when sending http output. Provide default value of 'falcosecurit/falco'. [#1850] - @yoshi314
- new(configuration): support defining plugin init config as a YAML [#1852] - @jasondellaluce
Minor Changes
- rules: add the official Falco ECR repository to rules [#1817] - @calvinbui
- build: update CircleCI machine image for eBPF tests to a newer version of ubuntu [#1764] - @mstemm
- update(engine): refactor Falco engine to be agnostic to specific event sources [#1715] - @mstemm
- build: upgrade civetweb to v1.15 [#1782] - @FedeDP
- update: driver version is 319368f1ad778691164d33d59945e00c5752cd27 now [#1861] - @FedeDP
- build: allow using local libs source dir by setting `FALCOSECURITY_LIBS_SOURCE_DIR` in cmake [#1791] - @jasondellaluce
- build: the statically linked binary package is now published with the `-static` suffix [#1873] - @LucaGuerra
- update!: removed "--alternate-lua-dir" cmdline option as lua scripts are now embedded in Falco executable. [#1872] - @FedeDP
- build: switch to dynamic build for the binary package (`.tar.gz`) [#1853] - @LucaGuerra
- update: simpleconsumer filtering is now being done at kernel level [#1846] - @FedeDP
- update(scripts/falco-driver-loader): first try to load the latest kmod version, then fallback to an already installed if any [#1863] - @leogr
- refactor: clean up --list output with better formatting and no duplicate sections across event sources. [#1816] - @mstemm
- update: embed .lua files used to load/compile rules into the main falco executable, for simplicity and to avoid tampering. [#1843] - @mstemm
- update: support non-enumerable event sources in gRPC outputs service [#1840] - @jasondellaluce
- docs: add jasondellaluce to OWNERS [#1818] - @jasondellaluce
- chore: --list option can be used to selectively list fields related to new sources that are introduced by plugins [#1839] - @loresuso
- update(userspace/falco): support arbitrary-depth nested values in YAML configuration [#1792] - @jasondellaluce
- build: bump FakeIt version to 2.0.9 [#1797] - @jasondellaluce
- update: allow append of new exceptions to rules [#1780] - @sai-arigeli
- update: Linux packages are now signed with SHA256 [#1758] - @twa16
Bug Fixes
- fix(scripts/falco-driver-loader): fix for SELinux insmod denials [#1756] - @dwindsor
- fix(scripts/falco-driver-loader): correctly clean loaded drivers when using `--clean` [#1795] - @jasondellaluce
- fix(userspace/falco): in case output_file cannot be opened, throw a falco exception [#1773] - @FedeDP
- fix(userspace/engine): support jsonpointer escaping in rule parser [#1777] - @jasondellaluce
- fix(scripts/falco-driver-loader): support kernel object files in `.zst` and `.gz` compression formats [#1863] - @leogr
- fix(engine): correctly format json output in json_event [#1847] - @jasondellaluce
- fix: set http output contenttype to text/plain when json output is disabled [#1829] - @FedeDP
- fix(userspace/falco): accept a 'Content-Type' header that contains "application/json" but is not strictly equal to it [#1800] - @FedeDP
- fix(userspace/engine): supporting enabled-only overwritten rules [#1775] - @jasondellaluce
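Three rule-loader behaviours in the 0.31.x notes are easiest to see in one rules file: declaring the engine version a file needs (`required_engine_version`, bumped to 13 in 0.33.0), appending a brand-new exception to an upstream rule (#1780), and overriding only `enabled` on a rule defined elsewhere (#1775). The file below is an added example written for these notes, not a rules file shipped by Falco. It assumes `falco_rules.yaml` is loaded before it, so that the two upstream rule names it touches already exist; the exception name, image names and the example rule at the end are made up for illustration and are not the project's rules.

```yaml
# Example rules file (added example; not shipped by Falco). Load it after
# falco_rules.yaml, e.g. with a second -r argument or via rules_file in falco.yaml.

# Refuse to load on an engine older than the one this file was written for.
- required_engine_version: 13

# Append a new exception to an upstream rule without restating its condition
# (allowed since 0.31.0). Exception name and values are made up here.
- rule: Terminal shell in container
  append: true
  exceptions:
    - name: known_admin_images
      fields: [container.image.repository, proc.name]
      comps: [in, in]
      values:
        - [[docker.io/example/debug-tools, docker.io/example/ops-shell], [bash, sh]]

# Override only the enabled flag of an upstream rule; the rest of the rule
# definition is left untouched (fixed in 0.31.0).
- rule: Launch Package Management Process in Container
  enabled: false

# A complete standalone rule for comparison (example only; it is not the
# upstream PTRACE rule referenced in the 0.34.0 notes).
- rule: Ptrace From Container (example)
  desc: example rule that alerts on any ptrace call issued from inside a container
  condition: evt.type = ptrace and evt.dir = > and container.id != host
  output: "ptrace from container (user=%user.name command=%proc.cmdline container=%container.id)"
  priority: NOTICE
  tags: [example]
```

Two things worth checking when adopting this pattern: run `falco -V` against the combined rules files, since `-V` validates without loading the driver and reports the exact condition location on compile errors (0.34.0); and be aware that an exception with `in` comparators takes one list per field, so every row under `values` must have exactly as many entries as `fields`.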
Rule Changes
- rule(Create Symlink Over Sensitive File): corrected typo in rule output [#1820] - @deepskyblue86
- rule(macro open_write): add support to openat2 [#1796] - @jasondellaluce
- rule(macro open_read): add support to openat2 [#1796] - @jasondellaluce
- rule(macro open_directory): add support to openat2 [#1796] - @jasondellaluce
- rule(Create files below dev): add support to openat2 [#1796] - @jasondellaluce
- rule(Container Drift Detected (open+create)): add support to openat2 [#1796] - @jasondellaluce
- rule(macro sensitive_mount): add containerd socket [#1815] - @loresuso
- rule(macro spawned_process): also monitor processes spawned by `execveat` [#1868] - @Andreagit97
- rule(Create Hardlink Over Sensitive Files): new rule to detect hard links created over sensitive files [#1810] - @sberkovich
- rule(Detect crypto miners using the Stratum protocol): add `stratum2+tcp` and `stratum+ssl` protocols detection [#1810] - @sberkovich
- rule(Sudo Potential Privilege Escalation): correct special case for the CVE-2021-3156 exploit [#1810] - @sberkovich
- rule(list falco_hostnetwork_images): moved to k8s_audit_rules.yaml to avoid a warning when using falco_rules.yaml only [#1681] - @leodido
- rule(list deb_binaries): remove `apt-config` [#1860] - @Andreagit97
- rule(Launch Remote File Copy Tools in Container): add additional binaries: curl and wget. [#1771] - [@ec4n6](https:...