0.8.0

@mstemm mstemm released this 10 Oct 00:24
· 4071 commits to master since this release

Released 2017-10-10

Important: the location of falco's configuration file has moved from /etc/falco.yaml to /etc/falco/falco.yaml. The default rules file has moved from /etc/falco_rules.yaml to /etc/falco/falco_rules.yaml. In addition, 0.8.0 adds a local rules file at /etc/falco/falco_rules.local.yaml. See the documentation for more details.

Major Changes

  • Add the ability to append one list to another list by setting an append: true attribute. [#264]
  • Add the ability to append to an existing macro or rule by setting an append: true attribute. [#277]
  • Ensure that falco rules/config files are preserved across package upgrades/removes if modified. [#278]
  • Add the notion of a "local" rules file that should contain modifications to the default falco rules file. [#278]
  • When using json output, separately include the individual templated fields in the json object. [#282]
  • Add the ability to keep a file/program pipe handle open across rule notifications. [#283]
  • New argument -V validates rules file and immediately exits. [#286]
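
The following is an added illustration, not taken from the falco project's own rules files, of how the append: true attribute and the local rules file fit together. Every list, macro and rule name and the rule body are constructed for the example; it assumes the local file is loaded after the default rules file.

```yaml
# --- /etc/falco/falco_rules.yaml ---------------------------------------
# Stand-in for the packaged defaults. All names below are constructed.
- list: example_shell_spawners
  items: [sshd, cron]

- macro: example_trusted_parent
  condition: proc.pname in (example_shell_spawners)

- rule: Example unexpected shell
  desc: A shell was started by a parent process that is not on the allow list
  condition: evt.type = execve and evt.dir = < and proc.name = bash and not example_trusted_parent
  output: "Shell spawned (user=%user.name parent=%proc.pname cmdline=%proc.cmdline)"
  priority: WARNING

# --- /etc/falco/falco_rules.local.yaml ---------------------------------
# Site-specific changes live here, so the packaged file stays unmodified.

# Adds one item to the list defined above instead of redefining it.
- list: example_shell_spawners
  items: [keepalived]
  append: true

# The condition text is added to the end of the existing macro condition,
# so it has to start with a logical operator.
- macro: example_trusted_parent
  condition: or proc.pname = example_deploy_agent
  append: true

# Same for a rule: this narrows the rule by one more exception.
- rule: Example unexpected shell
  condition: and not user.name = example_ci_user
  append: true
```

Each appended entry widens what the rule ignores, so keep exceptions as narrow as the false positive they address, and check the edited file with the -V argument listed above before loading it.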

Minor Changes

  • Minor updates to falco example programs [#248] [#275]
  • Also validate macros at rule parse time. [#257]
  • Minor README typo fixes [#276]
  • Add a government CLA (contributor license agreement). [#263]
  • Add ability to only run rules with a priority >= some threshold [#281]
  • Add ability to make output channels unbuffered [#285]

Bug Fixes

  • Fix installation of falco on OSX [#252]
  • Fix a bug that caused the trailing whitespace of a quoted string to be accidentally removed [#254]
  • When multiple sets of kernel headers are installed, find the one for the running kernel [#260]
  • Allow pathnames in rule/macro conditions to contain '.' characters [#262]
  • Fix a bug where a list named "foo" would be substituted even if it were a substring of a longer word like "my_foo" [#258]
  • Remove extra trailing newlines from rule output strings [#265]
  • Improve build pathnames to avoid relative paths when possible [#284]

Rule Changes

  • Significant changes to the default ruleset to address false positives (FPs). These changes resulted from hundreds of hours of use in actual customer environments. [#247] [#259]
  • Add official gitlab EE docker image to list of known shell spawning images. Thanks @dkerwin! [#270]
  • Add keepalived to list of shell spawning binaries. Thanks @dkerwin! [#269]