Falco - 0.37.0

| Packages | Download |
| -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| rpm-x86_64 | |
| deb-x86_64 | |
| tgz-x86_64 | |
| rpm-aarch64 | |
| deb-aarch64 | |
| tgz-aarch64 | |

| Images |
| --------------------------------------------------------------------------- |
| docker pull docker.io/falcosecurity/falco:0.37.0 |
| docker pull public.ecr.aws/falcosecurity/falco:0.37.0 |
| docker pull docker.io/falcosecurity/falco-driver-loader:0.37.0 |
| docker pull docker.io/falcosecurity/falco-driver-loader-legacy:0.37.0 |
| docker pull docker.io/falcosecurity/falco-no-driver:0.37.0 |
| docker pull docker.io/falcosecurity/falco-distroless:0.37.0 |

v0.37.0

Released on 2024-01-30

Major Changes

• new!: dropped falco-driver-loader script in favor of new falcoctl driver command [#2905] - @FedeDP
• update!: bump libs to latest and deprecation of k8s metadata options and configs [#2914] - @jasondellaluce
• cleanup(falco)!: remove outputs.rate and outputs.max_burst from Falco config [#2841] - @Andreagit97

• cleanup(falco)!: remove --userspace support [#2839] - @Andreagit97

• new(engine): add selective overrides for Falco rules [#2981] - @LucaGuerra

• feat(userspace/falco): falco administrators can now configure the http output to compress the data sent as well as enable keep alive for the connection. Two new fields (compress_uploads and keep_alive) in the http_output block of the falco.yaml file can be used for that purpose. Both are disabled by default. [#2974] - @sgaist
• new(userspace): support env variable expansion in all yaml, even inside strings. [#2918] - @FedeDP
• new(scripts): add a way to enforce driver kind and falcoctl enablement when installing Falco from packages and dialog is not present. [#2773] - @vjjmiras
• new(falco): print system info when Falco starts [#2927] - @Andreagit97
• new: driver selection in falco.yaml [#2413] - @therealbobo
• new(build): enable compilation on win32 and macOS. [#2889] - @therealbobo
• feat(userspace/falco): falco administrators can now configure the address on which the webserver listen using the new listen_address field in the webserver block of the falco.yaml file. [#2890] - @sgaist

Minor Changes

• update(userspace/falco): add engine_version_semver key in /versions endpoint [#2899] - @loresuso
• update: default ruleset upgrade to version 3.0 [#3034] - @leogr
• update!(config): soft deprecation of drop stats counters in syscall_event_drops [#3015] - @incertum
• update(cmake): bumped falcoctl tool to v0.7.1. [#3030] - @FedeDP
• update(rule_loader): deprecate the append flag in Falco rules [#2992] - @Andreagit97
• cleanup!(cmake): drop bundled plugins in Falco [#2997] - @FedeDP
• update(config): clarify deprecation notices + list all env vars [#2988] - @incertum
• update: now the watch_config_files config option monitors file/directory moving and deletion, too [#2965] - @NitroCao
• update(userspace): enhancements in rule description feature [#2934] - @jasondellaluce
• update(userspace/falco): add libsinsp state metrics option [#2883] - @incertum
• update(doc): Add Thought Machine as adopters [#2919] - @RichardoC
• update(docs): add Wireshark/Logray as adopter [#2867] - @geraldcombs
• update: engine_version in semver representation [#2838] - @loresuso
• update(userspace/engine): modularize rule compiler, fix and enrich rule descriptions [#2817] - @jasondellaluce

Bug Fixes

• fix(userspace/metric): minor fixes in new libsinsp state metrics handling [#3033] - @incertum
• fix(userspace/engine): avoid storing escaped strings in engine defs [#3028] - @jasondellaluce
• fix(userspace/engine): cache latest rules compilation output [#2900] - @jasondellaluce
• fix(userspace/engine): solve description of macro-only rules [#2898] - @jasondellaluce
• fix(userspace/engine): fix memory leak [#2877] - @therealbobo

Non user-facing changes

• new(docs): add changelog for 0.37.0 [#3041] - @Andreagit97
• fix: nlohmann_json lib include path [#3032] - @federico-sysdig
• chore: bump falco rules [#3021] - @Andreagit97
• chore: bump Falco to libs 0.14.1 [#3020] - @Andreagit97
• chore(build): remove outdated development libs [#2946] - @federico-sysdig
• chore(falco): bump Falco to 000d576 libs commit [#2944] - @Andreagit97
• fix(gha): update rpmsign [#2856] - @LucaGuerra
• build(deps): Bump submodules/falcosecurity-rules from 424b258 to 1221b9e [#3000] - @dependabot[bot]
• build(deps): Bump submodules/falcosecurity-rules from 2ac430b to c39d31a [#3019] - @dependabot[bot]
• cleanup(falco.yaml): rename none in nodriver [#3012] - @Andreagit97
• update(config): graduate outputs_queue to stable [#3016] - @incertum
• update(cmake): bump falcoctl to v0.7.0. [#3009] - @FedeDP
• build(deps): Bump submodules/falcosecurity-rules from 1221b9e to 2ac430b [#3007] - @dependabot[bot]
• chore(ci): bumped rn2md to latest master. [#3006] - @FedeDP
• chore: bump Falco to latest libs [#3002] - @Andreagit97
• chore: bump driver version [#2998] - @Andreagit97
• Add addl source related methods [#2939] - @mstemm
• build(deps): Bump submodules/falcosecurity-rules from cd33bc3 to 424b258 [#2993] - @dependabot[bot]
• cleanup(engine): clarify deprecation notice for engines [#2987] - @LucaGuerra
• update(cmake): bumped falcoctl to v0.7.0-rc1. [#2983] - @FedeDP
• chore(ci): revert #2961. [#2984] - @FedeDP
• build(deps): Bump submodules/falcosecurity-testing from 930170b to 9b9630e [#2980] - @dependabot[bot]
• chore: bump Falco to latest libs [#2977] - @Andreagit97
• build(deps): Bump submodules/falcosecurity-rules from 262f569 to cd33bc3 [#2976] - @dependabot[bot]
• Allow enabling rules by ruleset id in addition to name [#2920] - @mstemm
• chore(ci): enable aarch64 falco driver loader tests. [#2961] - @FedeDP
• chore(unit_tests): added more tests for yaml env vars expansion. [#2972] - @FedeDP
• chore(falco.yaml): use HOME env var for ebpf probe path. [#2971] - @FedeDP
• chore: bump falco to latest libs [#2970] - @Andreagit97
• build(deps): Bump submodules/falcosecurity-rules from dd38952 to 262f569 [#2969] - @dependabot[bot]
• update(readme): add actuated.dev badge [#2967] - @LucaGuerra
• chore(cmake,docker): bumped falcoctl to v0.7.0-beta5. [#2968] - @FedeDP
• build(deps): Bump submodules/falcosecurity-rules from 64e2adb to dd38952 [#2959] - @dependabot[bot]
• fix(docker): small fixes in docker entrypoints for new driver loader. [#2966] - @FedeDP
• chore(build): allow usage of non-bundled nlohmann-json [#2947] - @federico-sysdig
• update(ci): enable actuated.dev [#2945] - @LucaGuerra
• cleanup: fix several warnings from a Clang build [#2948] - @federico-sysdig
• chore(docker/falco): add back some deps to falco docker image. [#2932] - @FedeDP
• build(deps): Bump submodules/falcosecurity-testing from 92c313f to 5248e6d [#2937] - @dependabot[bot]
• build(deps): Bump submodules/falcosecurity-rules from e206c1a to 8f0520f [#2904] - @dependabot[bot]
• cleanup(falco): remove decode_uri as it is no longer used [#2933] - @LucaGuerra
• update(engine): port decode_uri in falco engine [#2912] - @LucaGuerra
• chore(falco): update to libs on nov 28th [#2929] - @LucaGuerra
• cleanup(falco): remove init in the configuration constructor [#2917] - @Andreagit97
• build(deps): Bump submodules/falcosecurity-rules from 8f0520f to 64e2adb [#2908] - @dependabot[bot]
• cleanup(userspace/engine): remove legacy k8saudit implementation [#2913] - @jasondellaluce
• fix(gha): disable branch protection rule trigger for scorecard [#2911] - @LucaGuerra
• chore(gha): set cosign-installer to v3.1.2 [#2901] - @LucaGuerra
• new(docs): sync changelog for 0.36.2. [#2894] - @FedeDP
• Run OpenSSF Scorecard in pipeline [#2888] - @maxgio92
• cleanup: replace banned.h with semgrep [#2881] - @LucaGuerra
• chore(gha): upgrade GitHub actions [#2876] - @LucaGuerra
• build(deps): Bump submodules/falcosecurity-rules from a22d0d7 to e206c1a [#2865] - @dependabot[bot]
• build(deps): Bump submodules/falcosecurity-rules from d119706 to a22d0d7 [#2860] - @dependabot[bot]
• fix(gha): use fedora instead of centos 7 for package publishing [#2854] - @LucaGuerra
• chore(gha): pin versions to hashes [#2849] - @LucaGuerra
• build(deps): Bump submodules/falcosecurity-rules from c366d5b to d119706 [#2847] - @dependabot[bot]
• new(ci): properly link libs and driver releases linked to a Falco release [#2846] - @FedeDP
• build(deps): Bump submodules/falcosecurity-rules from 7a7cf24 to c366d5b [#2842] - @dependabot[bot]
• build(deps): Bump submodules/falcosecurity-rules from 77ba57a to 7a7cf24 [#2836] - @dependabot[bot]
• chore(ci): bumped rn2md to latest master. [#2844] - @FedeDP

Statistics

| MERGED PRS | NUMBER |
|-----------------|--------|
| Not user-facing | 61 |
| Release note | 31 |
| Total | 92 |

Release Manager @Andreagit97