Falco - 0.31.0

Security

| Packages | Download |
| -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| rpm | rpm |
| deb | deb |
| tgz | tgz |

| Images |
| --------------------------------------------------------------------------- |
| docker pull docker.io/falcosecurity/falco:0.31.0 |
| docker pull public.ecr.aws/falcosecurity/falco:0.31.0 |
| docker pull docker.io/falcosecurity/falco-driver-loader:0.31.0 |
| docker pull docker.io/falcosecurity/falco-no-driver:0.31.0 |

Major Changes

  • new: add support for plugins to extend Falco functionality to new event sources and custom fields [#1753] - @mstemm
  • new: add ability to set the User-Agent HTTP header when sending http output. Provide default value of 'falcosecurity/falco'. [#1850] - @yoshi314
  • new(configuration): support defining plugin init config as a YAML [#1852] - @jasondellaluce

Minor Changes

  • rules: add the official Falco ECR repository to rules [#1817] - @calvinbui
  • build: update CircleCI machine image for eBPF tests to a newer version of ubuntu [#1764] - @mstemm
  • update(engine): refactor Falco engine to be agnostic to specific event sources [#1715] - @mstemm
  • build: upgrade civetweb to v1.15 [#1782] - @FedeDP
  • update: driver version is 319368f1ad778691164d33d59945e00c5752cd27 now [#1861] - @FedeDP
  • build: allow using local libs source dir by setting FALCOSECURITY_LIBS_SOURCE_DIR in cmake [#1791] - @jasondellaluce
  • build: the statically linked binary package is now published with the -static suffix [#1873] - @LucaGuerra
  • update!: removed "--alternate-lua-dir" cmdline option as lua scripts are now embedded in Falco executable. [#1872] - @FedeDP
  • build: switch to dynamic build for the binary package (.tar.gz) [#1853] - @LucaGuerra
  • update: simpleconsumer filtering is now being done at kernel level [#1846] - @FedeDP
  • update(scripts/falco-driver-loader): first try to load the latest kmod version, then fall back to an already installed one, if any [#1863] - @leogr
  • refactor: clean up --list output with better formatting and no duplicate sections across event sources. [#1816] - @mstemm
  • update: embed .lua files used to load/compile rules into the main falco executable, for simplicity and to avoid tampering. [#1843] - @mstemm
  • update: support non-enumerable event sources in gRPC outputs service [#1840] - @jasondellaluce
  • docs: add jasondellaluce to OWNERS [#1818] - @jasondellaluce
  • chore: --list option can be used to selectively list fields related to new sources that are introduced by plugins [#1839] - @loresuso
  • update(userspace/falco): support arbitrary-depth nested values in YAML configuration [#1792] - @jasondellaluce
  • build: bump FakeIt version to 2.0.9 [#1797] - @jasondellaluce
  • update: allow append of new exceptions to rules [#1780] - @sai-arigeli
  • update: Linux packages are now signed with SHA256 [#1758] - @twa16

Bug Fixes

  • fix(scripts/falco-driver-loader): fix for SELinux insmod denials [#1756] - @dwindsor
  • fix(scripts/falco-driver-loader): correctly clean loaded drivers when using --clean [#1795] - @jasondellaluce
  • fix(userspace/falco): in case output_file cannot be opened, throw a falco exception [#1773] - @FedeDP
  • fix(userspace/engine): support jsonpointer escaping in rule parser [#1777] - @jasondellaluce
  • fix(scripts/falco-driver-loader): support kernel object files in .zst and .gz compression formats [#1863] - @leogr
  • fix(engine): correctly format json output in json_event [#1847] - @jasondellaluce
  • fix: set http output contenttype to text/plain when json output is disabled [#1829] - @FedeDP
  • fix(userspace/falco): accept a 'Content-Type' header that contains "application/json" but is not strictly equal to it [#1800] - @FedeDP
  • fix(userspace/engine): supporting enabled-only overwritten rules [#1775] - @jasondellaluce

Rule Changes

  • rule(Create Symlink Over Sensitive File): corrected typo in rule output [#1820] - @deepskyblue86
  • rule(macro open_write): add support to openat2 [#1796] - @jasondellaluce
  • rule(macro open_read): add support to openat2 [#1796] - @jasondellaluce
  • rule(macro open_directory): add support to openat2 [#1796] - @jasondellaluce
  • rule(Create files below dev): add support to openat2 [#1796] - @jasondellaluce
  • rule(Container Drift Detected (open+create)): add support to openat2 [#1796] - @jasondellaluce
  • rule(macro sensitive_mount): add containerd socket [#1815] - @loresuso
  • rule(macro spawned_process): monitor also processes spawned by execveat [#1868] - @Andreagit97
  • rule(Create Hardlink Over Sensitive Files): new rule to detect hard links created over sensitive files [#1810] - @sberkovich
  • rule(Detect crypto miners using the Stratum protocol): add stratum2+tcp and stratum+ssl protocols detection [#1810] - @sberkovich
  • rule(Sudo Potential Privilege Escalation): correct special case for the CVE-2021-3156 exploit [#1810] - @sberkovich
  • rule(list falco_hostnetwork_images): moved to k8s_audit_rules.yaml to avoid a warning when using falco_rules.yaml only [#1681] - @leodido
  • rule(list deb_binaries): remove apt-config [#1860] - @Andreagit97
  • rule(Launch Remote File Copy Tools in Container): add additional binaries: curl and wget. [#1771] - @ec4n6
  • rule(list known_sa_list): add coredns, coredns-autoscaler, endpointslicemirroring-controller, horizontal-pod-autoscaler, job-controller, node-controller (nodelifecycle), persistent-volume-binder, pv-protection-controller, pvc-protection-controller, root-ca-cert-publisher and service-account-controller as allowed service accounts in the kube-system namespace [#1760] - @sboschman

Non user-facing changes

  • fix: force-set evt.type for plugin source events [#1878] - @FedeDP
  • fix: updated some warning strings; properly refresh lua files embedded in falco [#1864] - @FedeDP
  • style(userspace/engine): avoid creating multiple versions of methods only to assume default ruleset. Use a default argument instead. [#1754] - @FedeDP
  • add raft in the adopters list [#1776] - @teshsharma
  • build: always populate partial version variables [#1778] - @dnwe
  • build: updated cloudtrail plugin to latest version [#1865] - @FedeDP
  • replace ".." concatenation with table.concat [#1834] - @VadimZy
  • fix(userspace/engine): actually make m_filter_all_event_types useful by properly using it as the fallback when no filter event types are provided [#1875] - @FedeDP
  • fix(build): do not show plugin options in musl optimized builds [#1871] - @LucaGuerra
  • fix(aws_cloudtrail_rules.yaml): correct required plugin versions [#1867] - @FedeDP
  • docs: fix priority level "info" to "informational" [#1858] - @Andreagit97
  • Field properties changes [#1838] - @mstemm
  • update(build): updated libs to latest master version; updated plugins versions [#1856] - @FedeDP
  • Add Giant Swarm to Adopters list [#1842] - @stone-z
  • update(tests): remove token_bucket unit tests [#1798] - @jasondellaluce
  • fix(build): use consistent 7-character build abbrev sha [#1830] - @LucaGuerra
  • add Phoenix to adopters list [#1806] - @kaldyka
  • remove unused files in test directory [#1801] - @jasondellaluce
  • drop Falco luajit module, use the one provided by libs [#1788] - @FedeDP
  • chore(build): update libs version to 7906f7e [#1790] - @LucaGuerra
  • Add SysFlow to list of libs adopters [#1747] - @araujof
  • build: dropped centos8 circleci build because it is useless [#1882] - @FedeDP

Statistics

| Merged PRs | Number |
| --------------- | ------ |
| Not user-facing | 23 |
| Release note | 40 |
| Total | 63 |

Release Manager @jasondellaluce

Details

  • date: Jan. 31, 2022, 4:06 p.m.
  • name: 0.31.0
  • type: Minor