Released on 2021-01-18

Packages	Download
rpm
deb
tgz

Major Changes

• new: Added falco engine version to grpc version service [#1507] - @nibalizer
• BREAKING CHANGE: Users who run Falco without a config file will be unable to do that any more, Falco now expects a configuration file to be passed all the times. Developers may need to adjust their processes. [#1494] - @nibalizer
• new: asynchronous outputs implementation, outputs channels will not block event processing anymore [#1451] - @leogr
• new: slow outputs detection [#1451] - @leogr
• new: output_timeout config option for slow outputs detection [#1451] - @leogr

Minor Changes

• build: bump b64 to v2.0.0.1 [#1441] - @fntlnz
• rules(macro container_started): re-use spawned_process macro inside container_started macro [#1449] - @leodido
• docs: reach out documentation [#1472] - @fntlnz
• docs: Broken outputs.proto link [#1493] - @deepskyblue86
• docs(README.md): correct broken links [#1506] - @leogr
• docs(proposals): Exceptions handling proposal [#1376] - @mstemm
• docs: fix a broken link of README [#1516] - @oke-py
• docs: adding the kubernetes privileged use case to use cases [#1484] - @fntlnz
• rules(Mkdir binary dirs): Adds exe_running_docker_save as an exception as this rules can be triggerred when a container is created. [#1386] - @jhwbarlow
• rules(Create Hidden Files): Adds exe_running_docker_save as an exception as this rules can be triggerred when a container is created. [#1386] - @jhwbarlow
• docs(.circleci): welcome Jonah (Amazon) as a new Falco CI maintainer [#1518] - @leodido
• build: falcosecurity/falco:master also available on the AWS ECR Public registry [#1512] - @leodido
• build: falcosecurity/falco:latest also available on the AWS ECR Public registry [#1512] - @leodido
• update: gRPC clients can now subscribe to drop alerts via gRCP API [#1451] - @leogr
• macro(allowed_k8s_users): exclude cloud-controller-manage to avoid false positives on k3s [#1444] - @fntlnz

Bug Fixes

• fix(userspace/falco): use given priority in falco_outputs::handle_msg() [#1450] - @leogr
• fix(userspace/engine): free formatters, if any [#1447] - @leogr
• fix(scripts/falco-driver-loader): lsmod usage [#1474] - @dnwe
• fix: a bug that prevents Falco driver to be consumed by many Falco instances in some circumstances [#1485] - @leodido
• fix: set HOST_ROOT=/host environment variable for the falcosecurity/falco-no-driver container image by default [#1492] - @leogr

Rule Changes

• rule(list user_known_change_thread_namespace_binaries): add crio and multus to the list [#1501] - @Kaizhe
• rule(Container Run as Root User): new rule created [#1500] - @Kaizhe
• rule(Linux Kernel Module injection detected): adds a new rule that detects when an LKM module is injected using insmod from a container (typically used by rootkits looking to obfuscate their behavior via kernel hooking). [#1478] - @d1vious
• rule(macro multipath_writing_conf): create and use the macro [#1475] - @nmarier-coveo
• rule(list falco_privileged_images): add calico/node without registry prefix to prevent false positive alerts [#1457] - @czunker
• rule(Full K8s Administrative Access): use the right list of admin users (fix) [#1454] - @mstemm

Non user-facing changes

• chore(cmake): remove unnecessary whitespace patch [#1522] - @leogr
• remove stale bot in favor of the new lifecycle bot [#1490] - @leodido
• chore(cmake): mark some variables as advanced [#1496] - @deepskyblue86
• chore(cmake/modules): avoid useless rebuild [#1495] - @deepskyblue86
• build: BUILD_BYPRODUCTS for civetweb [#1489] - @fntlnz
• build: remove duplicate item from FALCO_SOURCES [#1480] - @leodido
• build: make our integration tests report clear steps for CircleCI UI [#1473] - @fntlnz
• further improvements outputs impl. [#1443] - @leogr
• fix(test): make integration tests properly fail [#1439] - @leogr
• Falco outputs refactoring [#1412] - @leogr

Statistics