0.36.0

Packages	Download
rpm-x86_64
deb-x86_64
tgz-x86_64
rpm-aarch64
deb-aarch64
tgz-aarch64

Images
docker pull docker.io/falcosecurity/falco:0.36.0
docker pull public.ecr.aws/falcosecurity/falco:0.36.0
docker pull docker.io/falcosecurity/falco-driver-loader:0.36.0
docker pull docker.io/falcosecurity/falco-driver-loader-legacy:0.36.0
docker pull docker.io/falcosecurity/falco-no-driver:0.36.0
docker pull docker.io/falcosecurity/falco-distroless:0.36.0

v0.36.0

Released on 2023-09-26

Breaking Changes ⚠️

• The default rules file that is shipped in the Falco image and/or can be downloaded via falcoctl as falco-rules is now a stable rule file. This file contains a much smaller number of rules that are less noisy and have been vetted by the community. This serves as a much requested "starter" Falco rule set that covers many common use case. The rest of that file has been expanded and split into falco-incubating-rules and falco-sandbox-rules. For more information, see the rules repository
• The main falcosecurity/falco container image and its falco-driver-loader counterpart have been upgraded. Now they are able to compile the kernel module or classic eBPF probe for relatively newer version of the kernel (5.x and above) while we no longer ship toolchains to compile the kernel module for older versions in the default images. Downloading of prebuilt drivers and the modern eBPF will work exactly like before. The older image, meant for compatibility with older kernels (4.x and below), is currently retained as falcosecurity/falco-driver-loader-legacy.
• The Falco HTTP output no longer logs to stdout by default for performance reasons. You can set stdout logging preferences and restore the previous behavior with the configuration option http_output.echo in falco.yaml.
• The --list-syscall-events command line option has been replaced by --list-events which prints all supported system events (syscall, tracepoints, metaevents, internal plugin events) in addition to extra information about flags.
• The semantics of proc.exepath have changed. Now that field contains the executable path on disk even if the binary was launched from a symbolic link.
• The -d daemonize option has been removed.
• The stats command line option (-s, --stats-interval) has been removed in favor of metrics configs in falco.yaml
• The -p option is now changed:
  • when only -pc is set Falco will print container_id=%container.id container_image=%container.image.repository container_image_tag=%container.image.tag container_name=%container.name
  • when -pk is set it will print as above, but with k8s_ns=%k8s.ns.name k8s_pod_name=%k8s.pod.name appended

Major Changes

• new(falco-driver-loader): --source-only now prints the values as env vars [#2353] - @steakunderscore
• new(docker): allow passing options to falco-driver-loader from the driver loader cointainer [#2781] - @LucaGuerra
• new(docker): add experimental falco-distroless image based on Wolfi [#2768] - @LucaGuerra
• new: the legacy falco image is available as driver-loader-legacy [#2718] - @LucaGuerra
• new: added option to enable/disable echoing of server answer to stdout (disabled by default) when using HTTP output [#2602] - @FedeDP
• new: support systemctl reload for Falco services [#2588] - @jabdr
• new(falco/config): add new configurations for http_output that allow mTLS [#2633] - @annadorottya
• new: allow falco to match multiple rules on same event [#2705] - @loresuso

Minor Changes

• update(cmake): bumped bundled falcoctl to 0.6.2 [#2829] - @FedeDP
• update(rules)!: major rule update to version 2.0.0 [#2823] - @LucaGuerra
• update(cmake): bumped plugins to latest stable versions [#2820] - @FedeDP
• update(cmake): bumped libs to 0.13.0-rc2 and driver to 6.0.1+driver [#2806] - @FedeDP
• update!: default substitution for %container.info is now equal container_id=%container.id container_name=%container.name [#2793] - @leogr
• update!: the --list-syscall-events flag is now called --list-events and lists all events [#2771] - @LucaGuerra
• update!: the Falco base image is now based on Debian 12 with gcc 11-12 [#2718] - @LucaGuerra
• update(docker): the Falco no-driver image is now based on Debian 12 [#2782] - @LucaGuerra
• feat(userspace)!: remove -d daemonize option [#2677] - @incertum
• build(deps): Bump submodules/falcosecurity-rules from 3f52480 to 0d0e333 [#2693] - @dependabot[bot]
• build(deps): Bump submodules/falcosecurity-rules from 3f52480 to b42893a [#2756] - @dependabot[bot]
• build(deps): Bump submodules/falcosecurity-rules from b42893a to 6ed73fe [#2780] - @dependabot[bot]
• update(cmake): bumped libs to 0.13.0-rc1 and driver to 6.0.0+driver. [#2783] - @FedeDP
• feat: support parsing of system environment variables in yaml [#2562] - @therealdwright
• feat(userspace)!: deprecate stats command args option in favor of metrics configs in falco.yaml [#2739] - @incertum
• update: upgrade falcoctl to version 0.6.0 [#2764] - @leogr
• cleanup: deprecate rate limiter mechanism [#2762] - @Andreagit97
• cleanup(config): add more info [#2758] - @incertum
• update(userspace/engine): improve skip-if-unknown-filter YAML field [#2749] - @jasondellaluce
• chore: improved HTTP output performance [#2602] - @FedeDP
• update!: HTTP output will no more echo to stdout by default [#2602] - @FedeDP
• chore: remove b64 from falco dependencies [#2746] - @Andreagit97
• update(cmake): support building libs and driver from forks [#2747] - @jasondellaluce
• update: -p pres...

0.36.0-rc3

Packages	Download
rpm-x86_64
deb-x86_64
tgz-x86_64
rpm-aarch64
deb-aarch64
tgz-aarch64

Images
docker pull docker.io/falcosecurity/falco:0.36.0-rc3
docker pull public.ecr.aws/falcosecurity/falco:0.36.0-rc3
docker pull docker.io/falcosecurity/falco-driver-loader:0.36.0-rc3
docker pull docker.io/falcosecurity/falco-no-driver:0.36.0-rc3
docker pull docker.io/falcosecurity/falco-driver-loader-legacy:0.36.0-rc3
docker pull docker.io/falcosecurity/falco-distroless:0.36.0-rc3

Release Candidate for Falco 0.36.0.
To see what's included, check the corresponding milestone: https://github.com/falcosecurity/falco/milestone/30

0.36.0-rc2

Packages	Download
rpm-x86_64
deb-x86_64
tgz-x86_64
rpm-aarch64
deb-aarch64
tgz-aarch64

Images
docker pull docker.io/falcosecurity/falco:0.36.0-rc2
docker pull public.ecr.aws/falcosecurity/falco:0.36.0-rc2
docker pull docker.io/falcosecurity/falco-driver-loader:0.36.0-rc2
docker pull docker.io/falcosecurity/falco-no-driver:0.36.0-rc2

Second Release Candidate for Falco 0.36.0.
To see what's included, check the corresponding milestone: https://github.com/falcosecurity/falco/milestone/30

0.36.0-rc1

First Release Candidate for Falco 0.36.0.
To see what's included, check the corresponding milestone: https://github.com/falcosecurity/falco/milestone/30

0.35.1

Packages	Download
rpm-x86_64
deb-x86_64
tgz-x86_64
rpm-aarch64
deb-aarch64
tgz-aarch64

Images
docker pull docker.io/falcosecurity/falco:0.35.1
docker pull public.ecr.aws/falcosecurity/falco:0.35.1
docker pull docker.io/falcosecurity/falco-driver-loader:0.35.1
docker pull docker.io/falcosecurity/falco-no-driver:0.35.1

Major Changes

Minor Changes

• update(userspace): change description of snaplen option stating only performance implications [#2634] - @loresuso
• update(cmake): bump libs to 0.11.3 [#2662] - @jasondellaluce
• cleanup(config): minor config clarifications [#2651] - @incertum
• update(cmake): bump falco rules to v1.0.1 [#2648] - @jasondellaluce
• chore(userspace/falco): make source matching error more expressive [#2623] - @jasondellaluce
• update(.github): integrate Go regression tests [#2437] - @jasondellaluce

Bug Fixes

• fix(scripts): fixed falco-driver-loader to manage debian kernel rt and cloud flavors. [#2627] - @FedeDP
• fix(userspace/falco): solve live multi-source issues when loading more than two sources [#2653] - @jasondellaluce
• fix(driver-loader): fix ubuntu kernel version parsing [#2635] - @therealbobo
• fix(userspace): switch to timer_settime API for stats writer. [#2646] - @FedeDP

Non user-facing changes

• CI: bump ubuntu version for tests-driver-loader-integration job [#2661] - @Andreagit97

Release Manager @jasondellaluce

0.35.0

Packages	Download
rpm-x86_64
deb-x86_64
tgz-x86_64
rpm-aarch64
deb-aarch64
tgz-aarch64

Images
docker pull docker.io/falcosecurity/falco:0.35.0
docker pull public.ecr.aws/falcosecurity/falco:0.35.0
docker pull docker.io/falcosecurity/falco-driver-loader:0.35.0
docker pull docker.io/falcosecurity/falco-no-driver:0.35.0

Major Changes

• BREAKING CHANGE: support for metadata enrichment from Mesos has been removed. [#2465] - @leogr
• new(falco): introduce new metrics w/ Falco internal: metrics snapshot option and new metrics config [#2333] - @incertum
• new(scripts): properly manage talos prebuilt drivers [#2537] - @FedeDP
• new(release): released container images are now signed with cosign [#2546] - @LucaGuerra
• new(ci): ported master and release artifacts publishing CI to gha [#2501] - @FedeDP
• new(app_actions): introduce base_syscalls user option [#2428] - @incertum
• new(falco/config): add new configurations for http_output that allow custom CA certificates and stores. [#2458] - @alacuku
• new(cmake): bumped libs to c8b0d6a8fdc1bb3ea9067bc2fdc3ae5858cff48f [#2456] - @FedeDP
• new(userspace): add a new syscall_drop_failed config option to drop failed syscalls exit events [#2456] - @FedeDP

Minor Changes

• update(cmake): bump Falco rules to 1.0.0 [#2618] - @loresuso
• update(cmake): bump libs to 0.11.1 [#2614] - @loresuso
• update(cmake): bump plugins to latest versions [#2610] - @loresuso
• update(cmake): bump falco rules to 1.0.0-rc1 [#2609] - @loresuso
• update(cmake): bump libs to 0.11.0 [#2608] - @loresuso
• cleanup(docs): update release.md [#2599] - @incertum
• update(cmake): bump libs to 0.11.0-rc5 and driver to 5.0.1. [#2600] - @FedeDP
• cleanup(docs): adjust falco readme style and content [#2594] - @incertum
• cleanup(userspace, config): improve metrics UX, add include_empty_values option [#2593] - @incertum
• feat: add the curl and jq packages to the falco-no-driver docker image [#2581] - @therealdwright
• update: add missing exception, required_engine_version, required_plugin_version to -L json output [#2584] - @loresuso
• feat: add image source OCI label to docker images [#2592] - @therealdwright
• cleanup(config): improve falco config [#2571] - @incertum
• update(cmake): bump libs and plugins to latest dev versions [#2586] - @jasondellaluce
• chore(userspace/falco): always print invalid syscalls from custom set [#2578] - @jasondellaluce
• update(build): upgrade falcoctl to 0.5.0 [#2572] - @LucaGuerra
• chore(userspace/falco/app): print all supported plugin caps [#2564] - @jasondellaluce
• update: get rules details with -l or -L flags when json output format is specified [#2544] - @loresuso
• update!: bump libs version, and support latest plugin features, add --nodriver option [#2552] - @jasondellaluce
• cleanup(actions): now modern bpf support -A flag [#2551] - @Andreagit97
• update: falco-driver-loader now uses now uses $TMPDIR if set [#2518] - @jabdr
• update: improve control and UX of ignored events [#2509] - @jasondellaluce
• update: bump libs and adapt Falco to new libsinsp event source management [#2507] - @jasondellaluce
• new(app_actions)!: adjust base_syscalls option, add base_syscalls.repair [#2457] - @incertum
• update(scripts): support al2022 and al2023 in falco-driver-loader. [#2494] - @FedeDP
• update: sync libs with newest event name APIs [#2471] - @jasondellaluce
• update!: remove --mesos-api, -pmesos, and -pm command-line flags [#2465] - @leogr
• cleanup(unit_tests): try making test_configure_interesting_sets more robust [#2464] - @incertum

Bug Fixes

• fix: unquote quoted URL's to avoid libcurl errors [#2596] - @therealdwright
• fix(userspace/engine): store alternatives as array in -L json output [#2597] - @loresuso
• fix(userspace/engine): store required engine version as string in -L json output [#2595] - @loresuso
• fix(userspace/falco): report plugin deps rules issues in any case [#2589] - @jasondellaluce
• fix(userspace): hotreload on wrong metrics [#2582] - @therealbobo
• fix(userspace): check the supported number of online CPUs with modern bpf [#2575] - @Andreagit97
• fix(userspace/falco): don't hang on terminating error when multi sourcing [#2576] - @jasondellaluce
• fix(userspace/falco): properly format numeric values in metrics [#2569] - @jasondellaluce
• fix(scripts): properly support debian kernel releases embedded in kernel version [#2377] - @FedeDP

Non user-facing changes

• docs(README.md): add scope/status badge ...

0.35.0-rc2

Release Candidate for Falco 0.35.0

0.35.0-rc1

Release Candidate for Falco 0.35.0

0.35.0-alpha5

This is a test for the release pipeline.

0.35.0-alpha4

This is a test for the release pipeline.