Falco - 0.32.0

| Packages | Download |
| -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| rpm | |
| deb | |
| tgz | |

| Images |
| --------------------------------------------------------------------------- |
| docker pull docker.io/falcosecurity/falco:0.32.0 |
| docker pull public.ecr.aws/falcosecurity/falco:0.32.0 |
| docker pull docker.io/falcosecurity/falco-driver-loader:0.32.0 |
| docker pull docker.io/falcosecurity/falco-no-driver:0.32.0 |

Major Changes

• new: added new watch_config_files config option, to trigger a Falco restart whenever a change is detected in the rules or config files [#1991] - @FedeDP
• new(rules): add rule to detect excessively capable container [#1963] - @loresuso
• new(rules): add rules to detect pods sharing host pid and IPC namespaces [#1951] - @loresuso
• new(image): add Falco image based on RedHat UBI [#1943] - @araujof
• new(falco): add --markdown and --list-syscall-events [#1939] - @LucaGuerra

Minor Changes

• update(build): updated plugins to latest versions. [#2033] - @FedeDP
• refactor(userspace/falco): split the currently monolithic falco_init into smaller "actions", managed by the falco application's action manager. [#1953] - @mstemm
• rules: out of the box ruleset for OKTA Falco Plugin [#1955] - @darryk10
• update(build): updated libs to 39ae7d40496793cf3d3e7890c9bbdc202263836b [#2031] - @FedeDP
• update!: moving out plugins ruleset files [#1995] - @leogr
• update: added hostname as a field in JSON output [#1989] - @Milkshak3s
• refactor!: remove K8S audit logs from Falco [#1952] - @jasondellaluce
• refactor(userspace/engine): use supported_operators helper from libsinsp filter parser [#1975] - @jasondellaluce
• refactor!: deprecate PSP regression tests and warn for unsafe usage of in k8s audit filters [#1976] - @jasondellaluce
• build(cmake): upgrade catch2 to 2.13.9 [#1977] - @leogr
• refactor(userspace/engine): reduce memory usage for resolving evttypes [#1965] - @jasondellaluce
• refactor(userspace/engine): remove Lua from Falco and re-implement the rule loader [#1966] - @jasondellaluce
• refactor(userspace/engine): decoupling ruleset reading, parsing, and compilation steps [#1970] - @jasondellaluce
• refactor: update definitions of falco_common [#1967] - @jasondellaluce
• update: improved Falco engine event processing performance [#1944] - @deepskyblue86
• refactor(userspace/engine): use libsinsp filter parser and compiler inside rule loader [#1947] - @jasondellaluce

Bug Fixes

• fix(userspace/engine): skip rules with unknown sources that also have exceptions, and skip macros with unknown sources. [#1920] - @mstemm
• fix(userspace/falco): enable k8s and mesos clients only when syscall source is enabled [#2019] - @jasondellaluce

Rule Changes

• rule(Launch Excessively Capable Container): fix typo in description [#1996] - @mmonitz
• rule(macro: known_shell_spawn_cmdlines): add sh -c /usr/share/lighttpd/create-mime.conf.pl to macro [#1996] - @mmonitz
• rule(macro net_miner_pool): additional syscall for detection [#2011] - @beryxz
• rule(macro truncate_shell_history): include .ash_history [#1956] - @bdashrad
• rule(macro modify_shell_history): include .ash_history [#1956] - @bdashrad
• rule(Detect release_agent File Container Escapes): new rule created to detect an attempt to exploit a container escape using release_agent file [#1969] - @darryk10
• rule(k8s: secret): detect get attempts for both successful and unsuccessful attempts [#1949] - @Dentrax
• rule(K8s Serviceaccount Created/Deleted): Fixed output for the rules [#1973] - @darryk10
• rule(Disallowed K8s User): exclude allowed EKS users [#1960] - @darryk10
• rule(Launch Ingress Remote File Copy Tools in Container): Removed use cases not triggering the rule [#1968] - @darryk10
• rule(Mount Launched in Privileged Container): added allowlist macro user_known_mount_in_privileged_containers. [#1930] - @mmoyerfigma
• rule(macro user_known_shell_config_modifiers): allow to allowlist shell config modifiers [#1938] - @claudio-vellage

Non user-facing changes

• new: update plugins [#2023] - @FedeDP
• update(build): updated libs version for Falco 0.32.0 release. [#2022] - @FedeDP
• update(build): updated libs to 1be924900a09cf2e4db4b4ae13d03d838959f350 [#2024] - @FedeDP
• chore(userspace/falco): do not print error code in process_events.cpp [#2030] - @alacuku
• fix(falco-scripts): remove driver versions with dkms-3.0.3 [#2027] - @Andreagit97
• chore(userspace/falco): fix punctuation typo in output message when loading plugins [#2026] - @alacuku
• refactor(userspace): change falco engine design to properly support multiple sources [#2017] - @jasondellaluce
• update(userspace/falco): improve falco termination [#2012] - @Andreagit97
• update(userspace/engine): introduce new check_plugin_requirements API [#2009] - @Andreagit97
• fix(userspace/engine): improve rule loader source checks [#2010] - @Andreagit97
• fix: split filterchecks per source-idx [#1999] - @FedeDP
• new: port CI builds to github actions [#2000] - @FedeDP
• build(userspace/engine): cleanup unused include dir [#1987] - @leogr
• rule(Anonymous Request Allowed): exclude {/livez, /readyz} [#1954] - @sledigabel
• chore(falco_scripts): Update falco-driver-loader cleaning phase [#1950] - @Andreagit97
• new(userspace/falco): use new plugin caps API [#1982] - @FedeDP
• build: correct conffiles for DEB packages [#1980] - @leogr
• Fix exception parsing regressions [#1985] - @mstemm
• Add codespell GitHub Action [#1962] - @invidian
• build: components opt-in mechanism for packages [#1979] - @leogr
• add gVisor to ADOPTERS.md [#1974] - @kevinGC
• rules: whitelist GCP's container threat detection image [#1959] - @clmssz
• Fix some typos [#1961] - @invidian
• chore(rules): remove leftover [#1958] - @leogr
• docs: readme update and plugins [#1940] - @leogr

Statistics

| Merged PRs | Number |
| --------------- | ------ |
| Not user-facing | 27 |
| Release note | 34 |
| Total | 61 |

Release Manager @FedeDP