0.35.0-alpha3

This is a test for the release pipeline.

0.35.0-alpha2

This is a test for the release pipeline

0.35.0-alpha1

This is a test for the release pipeline.

0.34.1

Packages	Download
rpm-x86_64
deb-x86_64
tgz-x86_64
rpm-aarch64
deb-aarch64
tgz-aarch64

Images
docker pull docker.io/falcosecurity/falco:0.34.1
docker pull public.ecr.aws/falcosecurity/falco:0.34.1
docker pull docker.io/falcosecurity/falco-driver-loader:0.34.1
docker pull docker.io/falcosecurity/falco-no-driver:0.34.1
docker pull docker.io/falcosecurity/falcoctl:0.4.0

Minor Changes

• fix(userspace/engine): correctly bump FALCO_ENGINE_VERSION after introduction of new fields [#2418] - @loresuso

Statistics

Merged PRs	Number
Not user-facing	1
Release note	1
Total	2

Release Manager

@alacuku

0.34.0

Packages	Download
rpm-x86_64
deb-x86_64
tgz-x86_64
rpm-aarch64
deb-aarch64
tgz-aarch64

Images
docker pull docker.io/falcosecurity/falco:0.34.0
docker pull public.ecr.aws/falcosecurity/falco:0.34.0
docker pull docker.io/falcosecurity/falco-driver-loader:0.34.0
docker pull docker.io/falcosecurity/falco-no-driver:0.34.0
docker pull docker.io/falcosecurity/falcoctl:0.4.0

Major Changes

• BREAKING CHANGE: if you relied upon application_rules.yaml you can download it from https://github.com/falcosecurity/rules/tree/main/rules and manually install it. [#2389] - @leogr
• new(rules): New rule to detect attempts to inject code into a process using PTRACE [#2226] - @Brucedh
• new(engine): Also include exact locations for rule condition compile errors (missing macros, etc). [#2216] - @mstemm
• new(scripts): Support older RHEL distros in falco-driver-loader script [#2312] - @gentooise
• new(scripts): add falcoctl config into Falco package [#2390] - @Andreagit97
• new(userspace/falco): [EXPERIMENTAL] allow modern bpf probe to assign more than one CPU to a single ring buffer [#2363] - @Andreagit97
• new(userspace/falco): add webserver endpoint for retrieving internal version numbers [#2356] - @jasondellaluce
• new(falco): add --version-json to print version information in json format [#2331] - @LucaGuerra
• new(scripts): support multiple drivers in systemd units [#2242] - @FedeDP
• new(scripts): add bottlerocket support in falco-driver-loader [#2318] - @FedeDP
• new(falco): add more version fields to --support and --version [#2325] - @LucaGuerra
• new(config): explicitly add the simulate_drops config [#2260] - @Andreagit97

Minor Changes

• build: upgrade to falcoctl v0.4.0 [#2406] - @loresuso
• update(userspace): change modern_bpf.cpus_for_each_syscall_buffer default value [#2404] - @Andreagit97
• update(build): update falcoctl to 0.3.0 [#2401] - @LucaGuerra
• update(build): update falcoctl to 0.3.0-rc7 [#2396] - @LucaGuerra
• update(cmake): bump libs to 0.10.3 [#2392] - @FedeDP
• build: /etc/falco/rules.available has been deprecated [#2389] - @leogr
• build: application_rules.yaml is not shipped anymore with Falco [#2389] - @leogr
• build: upgrade k8saudit plugin to v0.5.0 [#2381] - @leogr
• build: upgrade cloudtrail plugin to v0.6.0 [#2381] - @leogr
• new!: ship falcoctl inside Falco [#2345] - @FedeDP
• refactor: remove rules and add submodule to falcosecurity/rules [#2359] - @jasondellaluce
• update(scripts): add option for regenerating signatures of all dev and release packages [#2364] - @jasondellaluce
• update: print JSON version output when json_output is enabled [#2351] - @jasondellaluce
• update(cmake): updated libs to 0.10.1 tag. [#2362] - @FedeDP
• Install the certificates of authorities in falco:no-driver docker image [#2355] - @Issif
• update: Mesos support is now deprecated and will be removed in the next version. [#2328] - @leogr
• update(scripts/falco-driver-loader): optimize the resiliency of module download script for air-gapped environments [#2336] - @Dentrax
• doc(userspace): provide users with a correct message when some syscalls are not defined [#2329] - @Andreagit97
• update(ci): update ci jobs to generate Falco images with the modern BPF probe [#2320] - @Andreagit97
• rules: add Falco container lists [#2290] - @oscr
• rules(macro: private_key_or_password): now also check for OpenSSH private keys [#2284] - @oscr
• update(cmake): bump libs and driver to latest RC. [#2302] - @FedeDP
• Ensure that a ruleset object is copied properly in falco_engine::add_source(). [#2271] - @mstemm
• update(userspace/falco): enable using zlib with webserver [#2125] - @jasondellaluce
• update(falco): add container-gvisor and kubernetes-gvisor print options [#2288] - @LucaGuerra
• cleanup: always use bundled libz and libelf in BUNDLED_DEPS mode. [#2277] - @FedeDP
• update: updated libs and driver to version dd443b67c6b04464cb8ee2771af8ada8777e7fac [#2277] - @FedeDP
• update(falco.yaml): open_params under plugins configuration is now trimmed from surrounding whitespace [#2267] - @yardenshoham

Bug Fixes

• fix(engine): Avoid crash related to caching syscall source when the falco engine uses multiple sources at the same time. [#2272] - @mstemm
• fix(scripts): use falco-driver-loader only into install scripts [#2391] - @Andreagit97
• fix(userspace/falco): fix grpc server shutdown [#2350] - @FedeDP
• fix(docker/falco): trust latest GPG key [#2365] - @jasondellaluce
• fix(userspace/engine): improve rule loading validation results [#2344] - @jasondellaluce
• fix: graceful error handling for mac...

0.33.1

Packages	Download
rpm-x86_64
deb-x86_64
tgz-x86_64
rpm-aarch64
deb-aarch64
tgz-aarch64

Images
docker pull docker.io/falcosecurity/falco:0.33.1
docker pull public.ecr.aws/falcosecurity/falco:0.33.1
docker pull docker.io/falcosecurity/falco-driver-loader:0.33.1
docker pull docker.io/falcosecurity/falco-no-driver:0.33.1

Minor Changes

• update(falco): fix container-gvisor and kubernetes-gvisor print options [#2288]
• Update libs to 0.9.2, fixing potential CLBO on gVisor+Kubernetes and crash with eBPF when some CPUs are offline [#2299] - @LucaGuerra

Statistics

Merged PRs	Number
Not user-facing	1
Release note	2
Total	3

Release Manager

@LucaGuerra

0.33.0

Packages	Download
rpm-x86_64
deb-x86_64
tgz-x86_64
rpm-aarch64
deb-aarch64
tgz-aarch64

Images
docker pull docker.io/falcosecurity/falco:0.33.0
docker pull public.ecr.aws/falcosecurity/falco:0.33.0
docker pull docker.io/falcosecurity/falco-driver-loader:0.33.0
docker pull docker.io/falcosecurity/falco-no-driver:0.33.0

Major Changes

• new: add a drop_pct referred to the global number of events [#2130] - @Andreagit97
• new: print some info about eBPF and enabled sources when Falco starts [#2133] - @Andreagit97
• new(userspace): print architecture information [#2147] - @Andreagit97
• new(CI): add CodeQL security scanning to Falco. [#2171] - @Andreagit97
• new: configure syscall buffer dimension from Falco [#2214] - @Andreagit97
• new(cmdline): add development support for modern BPF probe [#2221] - @Andreagit97
• new(falco-driver-loader): DRIVERS_REPO now supports the use of multiple download URLs (comma separated) [#2165] - @IanRobertson-wpe
• new(userspace/engine): support alternative plugin version requirements in checks [#2190] - @jasondellaluce
• new: support running multiple event sources in parallel [#2182] - @jasondellaluce
• new(userspace/falco): automatically create paths for grpc unix socket and gvisor endpoint. [#2189] - @FedeDP
• new(scripts): allow falco-driver-loader to properly distinguish any ubuntu flavor [#2178] - @FedeDP
• new: add option to enable event sources selectively [#2085] - @jasondellaluce

Minor Changes

• docs(falco-driver-loader): add some comments in falco-driver-loader [#2153] - @Andreagit97
• update(cmake): use latest libs tag 0.9.0 [#2257] - @Andreagit97
• update(.circleci): re-enabled cppcheck [#2186] - @leogr
• update(userspace/engine): improve falco files loading performance [#2151] - @VadimZy
• update(cmake): use latest driver tag 3.0.1+driver [#2251] - @Andreagit97
• update(userspace/falco)!: adapt stats writer for multiple parallel event sources [#2182] - @jasondellaluce
• refactor(userspace/engine): remove falco engine APIs that returned a required_engine_version [#2096] - @mstemm
• update(userspace/engine): add some small changes to rules matching that reduce cpu usage with high event volumes (> 1M syscalls/sec) [#2210] - @mstemm
• rules: added process IDs to default rules [#2211] - @spyder-kyle
• update(scripts/debian): falco.service systemd unit is now cleaned-up during (re)install and removal via the DEB and RPM packages [#2138] - @Happy-Dude
• update(userspace/falco): move on from deprecated libs API for printing event list [#2253] - @jasondellaluce
• chore(userspace/falco): improve cli helper and log options with debug level [#2252] - @jasondellaluce
• update(userspace): minor pre-release improvements [#2236] - @jasondellaluce
• update: bumped libs to fd46dd139a8e35692a7d40ab2f0ed2016df827cf. [#2201] - @FedeDP
• update!: gVisor sock default path changed from /tmp/gvisor.sock to /run/falco/gvisor.sock [#2163] - @vjjmiras
• update!: gRPC server sock default path changed from /run/falco.sock.sock to /run/falco/falco.sock [#2163] - @vjjmiras
• update(scripts/falco-driver-loader): minikube environment is now correctly detected [#2191] - @alacuku
• update(rules/falco_rules.yaml): required_engine_version changed to 13 [#2179] - @incertum
• refactor(userspace/falco): re-design stats writer and make it thread-safe [#2109] - @jasondellaluce
• refactor(userspace/falco): make signal handlers thread safe [#2091] - @jasondellaluce
• refactor(userspace/engine): strengthen and document thread-safety guarantees of falco_engine::process_event [#2082] - @jasondellaluce
• update(userspace/falco): make webserver threadiness configurable [#2090] - @jasondellaluce
• refactor(userspace/falco): reduce app actions dependency on app state and inspector [#2097] - @jasondellaluce
• update(userspace/falco): use move semantics in falco logger [#2095] - @jasondellaluce
• update: use FALCO_HOSTNAME env var to override the hostname value [#2174] - @leogr
• update: bump libs and driver versions to 6599e2efebce30a95f27739d655d53f0d5f686e4 [#2177] - @jasondellaluce
• refactor(userspace/falco): make output rate limiter optional and output engine explicitly thread-safe [#2139] - @jasondellaluce
• update(falco.yaml)!: notification rate limiter disabled by default. [#2139] - @jasondellaluce

Bug Fixes

• fix: compute the drop ratio in the right way [#2128] - @Andreagit97
• fix(falco_service): falco service needs to write under /sys/module/falco [#2238] - @Andreagit97
• fix(userspace): cleanup output of ruleset validation result [#2248] - @jasondellaluce
• fix(userspace): properly print ignored syscalls messages when not in -A mode [[#2243](h...

0.32.2

Packages	Download
rpm-x86_64
deb-x86_64
tgz-x86_64
rpm-aarch64
deb-aarch64
tgz-aarch64

Images
docker pull docker.io/falcosecurity/falco:0.32.2
docker pull public.ecr.aws/falcosecurity/falco:0.32.2
docker pull docker.io/falcosecurity/falco-driver-loader:0.32.2
docker pull docker.io/falcosecurity/falco-no-driver:0.32.2

Bug Fixes

• fix: Added ARCH to bpf download URL [#2142] - @eric-engberg

Statistics

Merged PRs	Number
Not user-facing	0
Release note	1
Total	1

Release Manager @Andreagit97

0.32.1

Packages	Download
rpm
deb
tgz
rpm-arm64
deb-arm64
tgz-arm64

Images
docker pull docker.io/falcosecurity/falco:0.32.1
docker pull public.ecr.aws/falcosecurity/falco:0.32.1
docker pull docker.io/falcosecurity/falco-driver-loader:0.32.1
docker pull docker.io/falcosecurity/falco-no-driver:0.32.1

Major Changes

• new(falco): add gVisor support [#2078] - @LucaGuerra
• new(docker,scripts): add multiarch images and ARM64 packages [#1990] - @FedeDP

Minor Changes

• update(build): Switch from RSA/SHA1 to RSA/SHA256 signature in the RPM package [#2044] - @vjjmiras
• refactor(userspace/engine): drop macro source field in rules and rule loader [#2094] - @jasondellaluce
• build: introduce DRIVER_VERSION that allows setting a driver version (which may differ from the falcosecurity/libs version) [#2086] - @leogr
• update: add more info to --version output [#2086] - @leogr
• build(scripts): publish deb repo has now a InRelease file [#2060] - @FedeDP
• update(userspace/falco): make plugin init config optional and add --plugin-info CLI option [#2059] - @jasondellaluce
• update(userspace/falco): support libs logging [#2093] - @jasondellaluce
• update(falco): update libs to 0.7.0 [#2119] - @LucaGuerra

Bug Fixes

• fix(userspace/falco): ensure that only rules files named with -V are loaded when validating rules files. [#2088] - @mstemm
• fix(rules): use exit event in reverse shell detection rule [#2076] - @alacuku
• fix(scripts): falco-driver-loader script will now seek for drivers in driver/${ARCH}/ for x86_64 too. [#2057] - @FedeDP
• fix(falco-driver-loader): building falco module with DKMS on Flatcar and supporting fetching pre-built module/eBPF probe [#2043] - @jepio

Rule Changes

• rule(Redirect STDOUT/STDIN to Network Connection in Container): changed priority to NOTICE [#2092] - @leogr
• rule(Java Process Class Download): detect potential log4shell exploitation [#2041] - @pirxthepilot

Non user-facing changes

• remove kaizhe from falco rule owner [#2050] - @Kaizhe
• docs(readme): added arm64 mention + packages + badge. [#2101] - @FedeDP
• new(circleci): enable integration tests for arm64. [#2099] - @FedeDP
• chore(cmake): bump plugins versions [#2102] - @Andreagit97
• fix(docker): fixed deb tester sub image. [#2100] - @FedeDP
• fix(ci): fix sign script - avoid interpreting '{*}$argv' too soon [#2075] - @vjjmiras
• fix(tests): make tests run locally (take 2) [#2089] - @LucaGuerra
• fix(ci): creates ~/sign instead of ./sign [#2072] - @vjjmiras
• fix(ci): sign arm64 rpm packages. [#2069] - @FedeDP
• update(falco_scripts): Change Flatcar dynlinker path [#2066] - @jepio
• fix(scripts): fixed path in publish-deb script. [#2062] - @FedeDP
• fix(build): docker-container buildx engine does not support retagging images. Tag all images together. [#2058] - @FedeDP
• fix(build): fixed publish-docker-dev job context. [#2056] - @FedeDP
• Correct linting issue in rules [#2055] - @stephanmiehe
• Fix falco compilation issues with new libs [#2053] - @alacuku
• fix(scripts): forcefully create packages dir for debian packages. [#2054] - @FedeDP
• fix(build): removed leftover line in circleci config. [#2052] - @FedeDP
• fix(build): fixed circleCI artifacts publish for arm64. [#2051] - @FedeDP
• update(docker): updated falco-builder to fix multiarch support. [#2049] - @FedeDP
• fix(build): use apt instead of apk when installing deps for aws ecr publish [#2047] - @FedeDP
• fix(build): try to use root user for cimg/base [#2045] - @FedeDP
• update(build): avoid double build of docker images when pushing to aws ecr [#2046] - @FedeDP
• chore(k8s_audit_plugin): bump k8s audit plugin version [#2042] - @Andreagit97
• fix(tests): make run_regression_tests.sh work locally [#2020] - @LucaGuerra
• Circle CI build job for ARM64 [#1997] - @odidev

Statistics

Merged PRs	Number
Not user-facing	25
Release note	16
Total	41

Release Manager @LucaGuerra

0.32.0

Packages	Download
rpm
deb
tgz

Images
docker pull docker.io/falcosecurity/falco:0.32.0
docker pull public.ecr.aws/falcosecurity/falco:0.32.0
docker pull docker.io/falcosecurity/falco-driver-loader:0.32.0
docker pull docker.io/falcosecurity/falco-no-driver:0.32.0

Major Changes

• new: added new watch_config_files config option, to trigger a Falco restart whenever a change is detected in the rules or config files [#1991] - @FedeDP
• new(rules): add rule to detect excessively capable container [#1963] - @loresuso
• new(rules): add rules to detect pods sharing host pid and IPC namespaces [#1951] - @loresuso
• new(image): add Falco image based on RedHat UBI [#1943] - @araujof
• new(falco): add --markdown and --list-syscall-events [#1939] - @LucaGuerra

Minor Changes

• update(build): updated plugins to latest versions. [#2033] - @FedeDP
• refactor(userspace/falco): split the currently monolithic falco_init into smaller "actions", managed by the falco application's action manager. [#1953] - @mstemm
• rules: out of the box ruleset for OKTA Falco Plugin [#1955] - @darryk10
• update(build): updated libs to 39ae7d40496793cf3d3e7890c9bbdc202263836b [#2031] - @FedeDP
• update!: moving out plugins ruleset files [#1995] - @leogr
• update: added hostname as a field in JSON output [#1989] - @Milkshak3s
• refactor!: remove K8S audit logs from Falco [#1952] - @jasondellaluce
• refactor(userspace/engine): use supported_operators helper from libsinsp filter parser [#1975] - @jasondellaluce
• refactor!: deprecate PSP regression tests and warn for unsafe usage of in k8s audit filters [#1976] - @jasondellaluce
• build(cmake): upgrade catch2 to 2.13.9 [#1977] - @leogr
• refactor(userspace/engine): reduce memory usage for resolving evttypes [#1965] - @jasondellaluce
• refactor(userspace/engine): remove Lua from Falco and re-implement the rule loader [#1966] - @jasondellaluce
• refactor(userspace/engine): decoupling ruleset reading, parsing, and compilation steps [#1970] - @jasondellaluce
• refactor: update definitions of falco_common [#1967] - @jasondellaluce
• update: improved Falco engine event processing performance [#1944] - @deepskyblue86
• refactor(userspace/engine): use libsinsp filter parser and compiler inside rule loader [#1947] - @jasondellaluce

Bug Fixes

• fix(userspace/engine): skip rules with unknown sources that also have exceptions, and skip macros with unknown sources. [#1920] - @mstemm
• fix(userspace/falco): enable k8s and mesos clients only when syscall source is enabled [#2019] - @jasondellaluce

Rule Changes

• rule(Launch Excessively Capable Container): fix typo in description [#1996] - @mmonitz
• rule(macro: known_shell_spawn_cmdlines): add sh -c /usr/share/lighttpd/create-mime.conf.pl to macro [#1996] - @mmonitz
• rule(macro net_miner_pool): additional syscall for detection [#2011] - @beryxz
• rule(macro truncate_shell_history): include .ash_history [#1956] - @bdashrad
• rule(macro modify_shell_history): include .ash_history [#1956] - @bdashrad
• rule(Detect release_agent File Container Escapes): new rule created to detect an attempt to exploit a container escape using release_agent file [#1969] - @darryk10
• rule(k8s: secret): detect get attempts for both successful and unsuccessful attempts [#1949] - @Dentrax
• rule(K8s Serviceaccount Created/Deleted): Fixed output for the rules [#1973] - @darryk10
• rule(Disallowed K8s User): exclude allowed EKS users [#1960] - @darryk10
• rule(Launch Ingress Remote File Copy Tools in Container): Removed use cases not triggering the rule [#1968] - @darryk10
• rule(Mount Launched in Privileged Container): added allowlist macro user_known_mount_in_privileged_containers. [#1930] - @mmoyerfigma
• rule(macro user_known_shell_config_modifiers): allow to allowlist shell config modifiers [#1938] - @claudio-vellage

Non user-facing changes

• new: update plugins [#2023] - @FedeDP
• update(build): updated libs version for Falco 0.32.0 release. [#2022] - @FedeDP
• update(build): updated libs to 1be924900a09cf2e4db4b4ae13d03d838959f350 [#2024] - @FedeDP
• chore(userspace/falco): do not print error code in process_events.cpp [#2030] - @alacuku
• fix(falco-scripts): remove driver versions with dkms-3.0.3 [#2027] - @Andreagit97
• chore(userspace/falco): fix punctuation typo in output message when loading plugins [#2026] - @alacuku
• refactor(userspace): change falco engine design to properly support multiple sources [#2017] - @jasondellaluce
• update(userspace/falco): improve falco termination [#2012] - @Andreagit97
• update(userspace/engine): introduce new check_plugin_requirements API [#2009] - @Andreagit97
• fix(userspace/engine): improve rule loader source checks [#2010] - @Andreagit97
• fix: split filterchecks per source-idx [#1999] - @FedeDP
• new: port CI builds to github actions [#2000] - @FedeDP
• build(userspace/engine): cleanup unused...