Falco 0.21.0 is out!
Even though there's the lockdown, Falco 0.21.0 decided to go out! Such a bad guy!
Notably, this is the first release that happens with the new build & release process. 🚀
In case you just want Falco 0.21.0, you can find its packages at the following repositories:
- https://bintray.com/falcosecurity/rpm/falco/0.21.0
- https://bintray.com/falcosecurity/deb/falco/0.21.0
- https://bintray.com/falcosecurity/bin/falco/0.21.0
Instructions to install using them are already updated on the Falco website:
Instead, for people preferring docker images... 🐳
docker pull falcosecurity/falco:0.21.0
docker pull falcosecurity/falco:0.21.0-minimal
docker pull falcosecurity/falco:0.21.0-slim
Notable Changes
Release #100 of Falco comes with some notable changes.
New release process in place
During past weeks, I worked together with Lorenzo to put in place a completely new and automated release process for Falco.
We did most of the work into PR 1059.
This process takes place in two cases:
- A pull request is merged into master, which leads to the release of a development version of Falco
- A commit on master receives a git tag, which leads to the release of a stable version of Falco
When one of these two conditions happen:
- it packages Falco into signed (GPG public key) packages: DEB, a RPM, and a TAR.GZ
- it pushes these packages to their new open repositories
- it builds the docker images from these packages
- it pushes the docker images to the docker hub
falcosecurity/falco:master
,falcosecurity/falco:master-slim
,falcosecurity/falco:master-minimal
for development versionsfalcosecurity/falco:latest
,falcosecurity/falco:latest-slim
,falcosecurity/falco:latest-minimal
for stable versions
March 2021 update: All packages are now published to download.falco.org.
FALCO_BPF_PROBE
Thanks to Lorenzo contribution (PR 1050),
to make Falco use the eBPF probe as a driver you need to specify an environment variable named FALCO_BPF_PROBE
, not SYSDIG_BPF_PROBE
anymore.
FALCO_BPF_PROBE="" ./build/release/userspace/falco/falco -r ...
Please update your systemd scripts or Kubernetes deployments.
Falco versions are now SemVer 2.0 compliant
In PR 1086, I completed the process of creating the Falco version as SemVer 2.0 compliant version strings, from the git index.
This PR introduces the pre-release part into Falco versions.
Now Falco versions are something like 0.21.0-3+c5674c9
, where 3 is the number of commits since the latest stable version (0.21.0
) of Falco, while c5674c9
is the commit hash of the current development version.
Please notice that the Falco gRPC version API already contains this version part, too.
Detect outbound connections to common miner pool ports rule disabled by default
Thanks to Khaize work in PR 1061 users will not be hit from a tedious amount of alerts about hypothetical mining tools.
From now on, this rule is disabled by default.
Also, if it is enabled by you, it will ignore localhost and RFC1918 addresses.
Other changes
You can read the full changelog here!
Some statistics
19 PRs merged in, 12 of which containing changes targeting end-users.
64 commits since past release, in 17 days.
Upcoming things
Stay tuned for the upcoming drivers build grid which, using driverkit - a quarantine project by me and Lorenzo - will pre-build and release (in the open too!) the Falco kernel modules and the Falco eBPF probes for a set of predefined target systems and kernel releases.