0.5.0
Released 2016-12-22
Starting with this release, we're adding a new section "Rule Changes" devoted to changes to the default ruleset falco_rules.yaml.
Major Changes
- Cache event formatting objects so they are not re-created for every falco notification. This can result in significant speedups when the ruleset results in lots of notifications. [#158]
- Falco notifications are now throttled by a token bucket, preventing a flood of notifications when many events match a rule. Controlled by the `outputs: rate` and `outputs: max_burst` options. [#161]
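The throttling behaviour those two options describe, shown as an added example that is not Falco's own code: a token bucket of capacity `max_burst` refilling at `rate` tokens per second, with each notification consuming one token or being dropped. The continuous refill, the bucket starting full, the rule names and the sample timestamps are assumptions constructed for the example.

```python
"""Token-bucket throttle of the kind applied to Falco notifications.

Added example, not Falco's code. Assumed semantics: the bucket holds at
most `max_burst` tokens, refills at `rate` tokens per second, starts full,
and every notification either takes one token (emitted) or is dropped.
"""
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    rate: float       # tokens added per second (outputs: rate)
    max_burst: float  # bucket capacity (outputs: max_burst)
    tokens: float = field(init=False)
    last_ts: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = self.max_burst  # start full so the first burst passes

    def claim(self, now: float) -> bool:
        """Refill for the elapsed time, then take one token if available."""
        elapsed = max(0.0, now - self.last_ts)
        self.tokens = min(self.max_burst, self.tokens + elapsed * self.rate)
        self.last_ts = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def throttle(events, rate, max_burst):
    """Return (emitted_events, dropped_count) for (timestamp, rule) pairs."""
    bucket = TokenBucket(rate, max_burst)
    emitted, dropped = [], 0
    for ts, rule in events:
        if bucket.claim(ts):
            emitted.append((ts, rule))
        else:
            dropped += 1
    return emitted, dropped


# Constructed sample: one rule fires 200 times within a second (a flood),
# then a different rule fires once nine seconds later.
FLOOD = [(k / 200, "File Open by Privileged Container") for k in range(200)]
SAMPLE_EVENTS = FLOOD + [(10.0, "Sensitive Mount by Container")]

if __name__ == "__main__":
    for burst in (5, 1000):
        kept, dropped = throttle(SAMPLE_EVENTS, rate=1, max_burst=burst)
        print(f"rate=1 max_burst={burst}: emitted {len(kept)}, dropped {dropped}")
```

With a small burst the flood is cut to the first few notifications while the later, unrelated alert still gets through once the bucket has refilled; a large burst lets the whole flood through.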
Minor Changes
- When run from a container, you can provide the environment variable `SYSDIG_SKIP_LOAD` to skip the process of building/loading the kernel module. Thanks @carlsverre for the fix. [#145]
- Fully implement `USE_BUNDLED_DEPS` within CMakeFiles so you can build with external third-party libraries. [#147]
- Improve error messages that result when trying to load a rule with a malformed `output:` attribute. [#150] [#151]
- Add the ability to write event capture statistics to a file via the `-s <statsfile>` option. [#155]
- New configuration option `log_level` controls the verbosity of falco's logging. [#160]
Bug Fixes
- Improve compatibility with Sysdig Cloud Agent build [#148]
Rule Changes
- Add DNF as non-alerting for RPM and package management. Thanks @djcross for the fix. [#153]
- Make `google_containers/kube-proxy` a trusted image, affecting the File Open by Privileged Container/Sensitive Mount by Container rules. [#159]
- Add fail2ban-server as a program that can spawn shells. Thanks @jcoetzee for the fix. [#168]
- Add systemd as a program that can access sensitive files. Thanks @jcoetzee for the fix. [#169]
- Add apt/apt-get as programs that can spawn shells. Thanks @jcoetzee for the fix. [#170]