
0.18.0

@fntlnz fntlnz released this 31 Oct 11:39

Released 2019-10-31

Major Changes

  • Falco gRPC API server implementation; it contains a subscribe method so that outputs can be subscribed to from any gRPC-capable language [#822]
  • add support for converting k8s pod security policies (PSPs) into a set of Falco rules that can be used to evaluate the conditions specified in the PSP. [#826]
  • initial redesign of container images to remove build tools and leverage init containers for kernel module delivery. [#776]
  • add flags to disable the syscall event source or the k8s_audit event source [#779]

Minor Changes

  • allow for unique names for psp converted rules/macros/lists/rule names as generated by falcoctl 0.0.3 [#895]
  • make it easier to run regression tests without necessarily using the falco-tester docker image. [#808]
  • fix falco engine compatibility with older k8s audit rules files. [#893]
  • add tests for psp conversions with names containing spaces/dashes. [#899]

Bug Fixes

  • handle multi-document yaml files when reading rules files. [#760]
  • improvements to how the webserver handles incoming invalid inputs [#759]
  • fix: make lua state access thread-safe [#867]
  • fix compilation on gcc 5.4 by working around gcc bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=56480 [#873]
  • add explicit dependency between tests and catch2 header file. [#879]
  • fix: stable dockerfile libgcc-6-dev dependencies [#830]
  • fix: build dependencies for the local dockerfile [#782]
  • fix: a crash bug that could result from reading more than ~6 rules files [#906] [#907]

Rule Changes

  • rules: add calico/node to trusted privileged container list [#902]
  • rules: add macro calico_node_write_envvars to exception list of write below etc [#902]
  • rules: add an exception for rule "write below rpm"; this is a false positive caused by Amazon Linux 2 yum. [#755]
  • rules: ignore sensitive mounts from the ecs-agent [#881]
  • rules: add rules to detect crypto mining activities [#763]
  • rules: add back rule delete bash history for backport compatibility [#864]
  • rules: use syscalls to detect suid and sgid [#765]
  • rules: delete bash history is renamed to delete or rename shell history [#762]
  • rules: add image fluent/fluentd-kubernetes-daemonset to clear log trusted images [#852]
  • rules: include default users created by kops. [#898]
  • rules: delete or rename shell history: when deleting a shell history file now the syscalls are taken into account rather than just the commands deleting the files [#762]
  • rules: delete or rename shell history: history deletion now supports fish and zsh in addition to bash [#762]
  • rules: "create hidden files or directories" and "update package repository" now trigger also if the files are moved and not just if modified or created. [#766]