Skip to content

@mstemm mstemm released this May 13, 2019

Released 2019-05-13

Major Changes

  • Actions and alerts for dropped events: Falco can now take actions, including sending alerts/logging messages, and/or even exiting Falco, when it detects dropped system call events. [#561] [#571]

  • Support for Containerd/CRI-O: Falco now supports containerd/cri-o containers. [#585] [#591] [#599] [#sysdig/1376] [#sysdig/1310]

  • Perform docker metadata fetches asynchronously: When new containers are discovered, fetch metadata about the container asynchronously, which should significantly reduce the likelihood of dropped system call events. [#sysdig/1326] [#550] [#570]

  • Better syscall event performance: improve algorithm for reading system call events from kernel module to handle busy event streams [#sysdig/1372]

  • HTTP Output: Falco can now send alerts to http endpoints directly without having to use curl. [#523]

  • Move Kubernetes Response Engine to own repo: The Kubernetes Response Engine is now in its own github repository. [#539]

  • Updated Puppet Module: An all-new puppet module compatible with puppet 4 with a smoother installation process and updated package links. [#537] [#543] [#546]

  • RHEL-based falco image: Provide dockerfiles that use RHEL 7 as the base image instead of debian:unstable. [#544]

Minor Changes

  • ISO-8601 Timestamps: Add the ability to write timestamps in ISO-8601 w/ UTC, and use this format by default when running falco in a container [#518]

  • Docker-based builder/tester: You can now build Falco using the falco-builder docker image, and run regression tests using the falco-tester docker image. [#522] [#584]

  • Several small docs changes to improve clarity and readibility [#524] [#540] [#541] [#542]

  • Add instructions on how to enable K8s Audit Logging for kops [#535]

  • Add a "stale issue" bot that marks and eventually closes old issues with no activity [#548]

  • Improvements to sample K8s daemonset/service/etc files [#562]

Bug Fixes

  • Fix regression that broke json output [#581]

  • Fix errors when building via docker from MacOS [#582]

Rule Changes

  • Tag rules using Mitre Attack Framework: Add tags for all relevant rules linking them to the MITRE Attack Framework. We have an associated blog post. [#575] [#578]

  • New rules for additional use cases: New rules Schedule Cron Jobs, Update Package Repository, Remove Bulk Data from Disk, Set Setuid or Setgid bit, Detect bash history deletion, Create Hidden Files or Directories look for additional common follow-on activity you might see from an attacker. [#578] [#580]

  • Allow docker's "exe" (usually part of docker save/load) to write to many filesystem locations [#552]

  • Let puppet write below /etc [#563

  • Add new user_known_write_root_conditions, user_known_non_sudo_setuid_conditions, and user_known_write_monitored_dir_conditions macros to allow those rules to be easily customized in user rules files [#563] [#566]

  • Better coverage and exceptions for rancher [#559]

  • Allow prometheus to write to its conf directory under etc [#564]

  • Better coverage and exceptions for openshift/related tools [#567] [#573]

  • Better coverage for cassandra/kubelet/kops to reduce FPs [#551]

  • Better coverage for docker, openscap to reduce FPs [#573]

  • Better coverage for fluentd/jboss to reduce FPs [#590]

  • Add ash (Alpine Linux-related shell) as a shell binary [#597]

Assets 2

@mstemm mstemm released this Feb 7, 2019 · 53 commits to master since this release

Released 2019-02-06

Major Changes

  • Rules versioning support: The falco engine and executable now have an engine version that represents the fields they support. Similarly, rules files have an optional required_engine_version: NNN object that names the minimum engine version required to read that rules file. Any time the engine adds new fields, event sources, etc, the engine version will be incremented, and any time a rules file starts using new fields, event sources, etc, the required engine version will be incremented. [#492]

  • Allow SSL for K8s audit endpoint/embedded webserver [#471]

  • Add stale issues bot that automatically flags old github issues as stale after 60 days of inactivity and closes issues after 67 days of inactivity. [#500]

  • Support bundle: When run with --support, falco will print a json object containing necessary information like falco version, command line, operating system information, and falco rules files contents. This could be useful when reporting issues. [#517]

Minor Changes

  • Support new third-party library dependencies from open source sysdig. [#498]

  • Add CII best practices badge. [#499]

  • Fix kernel module builds when running on centos as a container by installing gcc 5 by hand instead of directly from debian/unstable. [#501]

  • Mount /etc when running as a container, which allows container to build kernel module/ebpf program on COS/Minikube. [#475]

  • Improved way to specify the source of generic event objects [#480]

  • Readability/clarity improvements to K8s Audit/K8s Daemonset READMEs. [#503]

  • Add additional RBAC permissions to track deployments/daemonsets/replicasets. [#514]

Bug Fixes

  • Fix formatting of nodejs examples README [#502]

Rule Changes

  • Remove FPs for Launch Sensitive Mount Container rule [#509]

  • Update Container rules/macros to use the more reliable container.image.{repository,tag} that always return the repository/tag of an image instead of container.image, which may not for some docker daemon versions. [#513]

Assets 2

@mstemm mstemm released this Jan 17, 2019 · 71 commits to master since this release

Released 2019-01-16

Major Changes

Minor Changes

  • Unbuffer outputs by default. This helps make output readable when used in environments like K8s. [#494]

  • Improved documentation for running Falco within K8s and getting K8s Audit Logging to work with Minikube and Falco as a Daemonset within K8s. [#496]

  • Fix AWS Permissions for Kubernetes Response Engine [#465]

  • Tighten compilation flags to include -Wextra and -Werror [#479]

  • Add to outputs when -pk argument is used [#472]

  • Remove kubernetes-response-engine from system:masters [#488]

Bug Fixes

  • Ensure -pc/-pk only apply to syscall rules and not k8s_audit rules [#495]

  • Fix a potential crash that could occur when using the falco engine and rulesets [#468]

  • Fix a regression where format output options were mistakenly removed [#485]

Rule Changes

  • Fix FPs related to calico and writing files below etc [#481]

  • Fix FPs related to apt-config/apt-cache, apk [#490]

  • New rules Launch Package Management Process in Container, Netcat Remote Code Execution in Container, Lauch Suspicious Network Tool in Container look for host-level network tools like netcat, package management tools like apt-get, or network tool binaries being run in a container. [#490]

  • Fix the inbound and outbound macros so they work with sendto/recvfrom/sendmsg/recvmsg. [#470]

  • Fix FPs related to prometheus/openshift writing config below /etc. [#470]

Assets 2

@mstemm mstemm released this Nov 9, 2018 · 93 commits to master since this release

Released 2018-11-09

Major Changes

  • Support for K8s Audit Events : Falco now supports K8s Audit Events as a second stream of events in addition to syscalls. For full details on the feature, see the wiki.

  • Transparent Config/Rule Reloading: On SIGHUP, Falco will now reload all config files/rules files and start processing new events. Allows rules changes without having to restart falco [#457] [#432]

Minor Changes

  • The reference integration of falco into a action engine now supports aws actions like lambda, etc. [#460]

  • Add netcat to falco docker images, which allows easier integration of program outputs to external servers [#456] [#433]

Bug Fixes

  • Links cleanup related to the draios/falco -> falcosecurity/falco move [#447]

  • Properly load/unload kernel module when the falco service is started/stopped [#459] [#418]

Rule Changes

  • Better coverage (e.g. reduced FPs) for critical stack, hids systems, ufw, cloud-init, etc. [#445]

  • New rules Launch Package Management Process in Container, Netcat Remote Code Execution in Container, and Lauch Suspicious Network Tool in Container look for running various suspicious programs in a container. [#461]

  • Misc changes to address false positives in GKE, Istio, etc. [#455] [#439]

Assets 2
Oct 1, 2018
Merge remote-tracking branch 'origin/dev' into agent-master

@mstemm mstemm released this Sep 11, 2018 · 123 commits to dev since this release

Released 2018-09-11

Bug Fixes

  • Fig regression in libcurl configure script [#416]
Assets 2

@mstemm mstemm released this Sep 11, 2018 · 133 commits to master since this release


Released 2018-09-11

Major Changes

  • Improved IPv6 Support to fully support use of IPv6 addresses in events, connections and filters [#sysdig/1204]

  • Ability to associate connections with dns names: new filterchecks fd.* allow looking up the DNS name for a connection's IP address. This can be used to identify or restrict connections by dns names e.g. evt.type=connect and [#412] [#sysdig/1213]

  • New filterchecks user.loginuid and user.loginname can be used to match the login uid, which stays consistent across sudo/su. This can be used to find the actual user running a given process [#sysdig/1189]

Minor Changes

  • Upgrade zlib to 1.2.11, openssl to 1.0.2n, and libcurl to 7.60.0 to address software vulnerabilities [#402]
  • New endswith operator can be used for suffix matching on strings [#sysdig/1209]

Bug Fixes

  • Better control of specifying location of lua source code [#406]

Rule Changes

  • None for this release.
Assets 2
Sep 11, 2018
Merge branch 'dev' into agent-master
Aug 17, 2018
Merge branch 'dev' into agent-master
Aug 17, 2018
Merge branch 'dev' into agent-master
You can’t perform that action at this time.