Releases: falcosecurity/falco
Releases · falcosecurity/falco
0.12.1
0.12.0
v0.12.0
Released 2018-09-11
Major Changes
-
Improved IPv6 Support to fully support use of IPv6 addresses in events, connections and filters [#sysdig/1204]
-
Ability to associate connections with dns names: new filterchecks
fd.*ip.nameallow looking up the DNS name for a connection's IP address. This can be used to identify or restrict connections by dns names e.g.evt.type=connect and fd.sip.name=github.com. [#412] [#sysdig/1213] -
New filterchecks
user.loginuidanduser.loginnamecan be used to match the login uid, which stays consistent across sudo/su. This can be used to find the actual user running a given process [#sysdig/1189]
Minor Changes
- Upgrade zlib to 1.2.11, openssl to 1.0.2n, and libcurl to 7.60.0 to address software vulnerabilities [#402]
- New
endswithoperator can be used for suffix matching on strings [#sysdig/1209]
Bug Fixes
- Better control of specifying location of lua source code [#406]
Rule Changes
- None for this release.
0.11.1
0.11.0
Released 2018-07-24
Major Changes
- EBPF Support (Beta): Falco can now read events via an ebpf program loaded into the kernel instead of the
falco-probekernel module. Full docs here. [#365]
Minor Changes
- Rules may now have an
skip-if-unknown-filterproperty. If set to true, a rule will be skipped if its condition/output property refers to a filtercheck (e.g.fd.some-new-attibute) that is not present in the current falco version. [#364] [[#345](https://github.co
m//issues/345)] - Small changes to Falco
COPYINGfile so github automatically recognizes license [#380] - New example integration showing how to connect Falco with Anchore to dynamically create falco rules based on negative scan results [#390]
- New example integration showing how to connect Falco, nats, and K8s to run flexible "playbooks" based on Falco events [#389]
Bug Fixes
- Ensure all rules are enabled by default [#379]
- Fix libcurl compilation problems [#374]
- Add gcc-6 to docker container, which improves compatibility when building kernel module [#382] [#371]
- Ensure the /lib/modules symlink to /host/lib/modules is set correctly [#392]
Rule Changes
- Add additional binary writing programs [#366]
- Add additional package management programs [#388] [#366]
- Expand write_below_etc handling for additional programs [#388] [#366]
- Expand set of programs allowed to write to
/etc/pki[#388] - Expand set of root written directories/files [#388] [#366]
- Let pam-config read sensitive files [#388]
- Add additional trusted containers: openshift, datadog, docker ucp agent, gliderlabs logspout [#388]
- Let coreos update-ssh-keys write to /home/core/.ssh [#388]
- Expand coverage for MS OMS [#388] [#387]
- Expand the set of shell spawning programs [#366]
- Add additional mysql programs/directories [#366]
- Let program
idopen network connections [#366] - Opt-in rule for protecting tomcat shell spawns [#366]
- New rule
Write below monitored directory[#366]
0.10.0
Released 2018-04-24
Major Changes
- Rules Directory Support: Falco will read rules files from
/etc/falco/rules.din addition to/etc/falco/falco_rules.yamland/etc/falco/falco_rules.local.yaml. Also, when the argument to-r/falco.yamlrules_fileis a directory, falco will read rules files from that directory. [#348] [#187] - Properly support all syscalls (e.g. those without parameter extraction by the kernel module) in falco conditions, so they can be included in
evt.type=<name>conditions. [#352] - When packaged as a container, start building kernel module with gcc 5.0 instead of gcc 4.9. [#331]
- New example puppet module for falco. [#341] [#115]
- When signaled with
USR1, falco will close/reopen log files. Include a logrotate example that shows how to use this feature for log rotation. [#347] [#266] - To improve resource usage, further restrict the set of system calls available to falco [#351] [draios/sysdig#1105]
Minor Changes
- Add gdb to the development Docker image (sysdig/falco:dev) to aid in debugging. [#323]
- You can now specify -V multiple times on the command line to validate multiple rules files at once. [#329]
- When run with
-v, falco will print dangling macros/lists that are not used by any rules. [#329] - Add an example demonstrating cryptomining attack that exploits an open docker daemon using host mounts. [#336]
- New falco.yaml option
json_include_output_propertycontrols whether the formatted string "output" is included in the json object when json output is enabled. [#342] - Centralize testing event types for consideration by falco into a single function [draios/sysdig#1105) [#356]
- If a rule has an attribute
warn_evttypes, falco will not complain aboutevt.typerestrictions on that rule [#355] - When run with
-i, print all ignored events/syscalls and exit. [#359]
Bug Fixes
- Minor bug fixes to k8s daemonset configuration. [#325] [#296] [#295]
- Ensure
--validatecan be used interchangeably with-V. [#334] [#322] - Rule conditions like
fd.netcan now be used with theinoperator e.g.evt.type=connect and fd.net in ("127.0.0.1/24"). [draios/sysdig#1091] [#343] - Ensure that
keep_alivecan be used both with file and program output at the same time. [#335] - Make it possible to append to a skipped macro/rule without falco complaining [#346] [#305]
- Ensure rule order is preserved even when rules do not contain any
evt.typerestriction. [#354] [#355]
Rule Changes
- Make it easier to extend the
Change thread namespacerule via auser_known_change_thread_namespace_binarieslist. [#324] - Various FP fixes from users. [#321] [#326] [#344] [#350]
- New rule
Disallowed SSH Connectiondetects ssh connection attempts to hosts outside of an expected set. In order to be effective, you need to override the macroallowed_ssh_hostsin a user rules file. [#321] - New rule
Unexpected K8s NodePort Connectiondetects attempts to contact the K8s NodePort range from a program running inside a container. In order to be effective, you need to override the macronodeport_containersin a user rules file. [#321] - Improve
Modify binary dirsrule to work with new syscalls [#353] - New rule
Unexpected UDP Trafficchecks for udp traffic not on a list of expected ports. Somewhat FP-prone, so it must be explicitly enabled by overriding the macrodo_unexpected_udp_checkin a user rules file. [#320] [#357]
0.9.0
Released 2018-01-18
Bug Fixes
- Fix driver incompatibility problems with some linux kernel versions that can disable pagefault tracepoints [#sysdig/1034]
- Fix OSX Build incompatibility with latest version of libcurl [#291]
Minor Changes
- Updated the Kubernetes example to provide an additional example: Daemon Set using RBAC and a ConfigMap for configuration. Also expanded the documentation for both the RBAC and non-RBAC examples. [#309]
Rule Changes
- Refactor the shell-related rules to reduce false positives. These changes significantly decrease the scope of the rules so they trigger only for shells spawned below specific processes instead of anywhere. [#301] [#304]
- Lots of rule changes based on feedback from Sysdig Secure community [#293] [#298] [#300] [#307] [#315]
0.8.1
0.8.0
Released 2017-10-10
Important: the location for falco's configuration file has moved from /etc/falco.yaml to /etc/falco/falco.yaml. The default rules file has moved from /etc/falco_rules.yaml to /etc/falco/falco_rules.yaml. In addition, 0.8.0 has added a local rules file to /etc/falco/falco_rules.local.yaml. See the documentation for more details.
Major Changes
- Add the ability to append one list to another list by setting an
append: trueattribute. [#264] - Add the ability to append one macro/rule to another list by setting an
append: trueattribute. [#277] - Ensure that falco rules/config files are preserved across package upgrades/removes if modified. [#278]
- Add the notion of a "local" rules file that should contain modifications to the default falco rules file. [#278]
- When using json output, separately include the individual templated fields in the json object. [#282]
- Add the ability to keep a file/program pipe handle open across rule notifications. [#283]
- New argument
-Vvalidates rules file and immediately exits. [#286]
Minor Changes
- Minor updates to falco example programs [#248] [#275]
- Also validate macros at rule parse time. [#257]
- Minor README typo fixes [#276]
- Add a government CLA (contributor license agreement). [#263]
- Add ability to only run rules with a priority >= some threshold [#281]
- Add ability to make output channels unbuffered [#285]
Bug Fixes
- Fix installation of falco on OSX [#252]
- Fix a bug that caused the trailing whitespace of a quoted string to be accidentally removed [#254]
- When multiple sets of kernel headers are installed, find the one for the running kernel [#260]
- Allow pathnames in rule/macro conditions to contain '.' characters [#262]
- Fix a bug where a list named "foo" would be substituted even if it were a substring of a longer word like "my_foo" [#258]
- Remove extra trailing newlines from rule output strings [#265]
- Improve build pathnames to avoid relative paths when possible [#284]
Rule Changes
- Significant changes to default ruleset to address FPs. These changes resulted from hundreds of hours of use in actual customer environments. [#247] [#259]
- Add official gitlab EE docker image to list of known shell spawning images. Thanks @dkerwin! [#270]
- Add keepalived to list of shell spawning binaries. Thanks @dkerwin! [#269]
0.7.0
Released 2016-05-30
Major Changes
- Update the priorities of falco rules to use a wider range of priorities rather than just ERROR/WARNING. More info on the use of priorities in the ruleset can be found here. [#244]
Minor Changes
None.
Bug Fixes
- Fix typos in various markdown files. Thanks @sublimino! [#241]
Rule Changes
- Add gitlab-mon as a gitlab binary, which allows it to run shells, etc. Thanks @dkerwin! [#237]
- A new rule Terminal shell in container" that looks for shells spawned in a container with an attached terminal. [#242]
- Fix some FPs related to the sysdig monitor agent. [#243]
- Fix some FPs related to stating containers combined with missed events [#243]