December 14, 2020 | Rule Changes Add a new rule, Container Run as Root User ,to the Inadvised Container Activity policy. Add crio and multus to the user_known_change_thread_namespace_binaries list
| 0.10.4 |
December 1, 2020 | Rule Changes | 0.10.3 |
November 16, 2020 | Rule Changes Add the new rule, Linux Kernel Module Injection Detected , to the Notable Filesystem Changes policy. Add the multipath_writing_conf macro as an exception in the Write below etc rule. Add the chage_list macro as exception in the User mgmt binaries rule Update compliance tags.
| 0.10.2 |
October 14, 2020 | Add CSRF token protection. Rule Changes Add a new rule, Outbound Connection to C2 Servers, to the Disallowed Network Activity policy. | 0.10.1 |
September 30, 2020 | Rule Changes Write below root : Similar to the rules that rely on a process name for exceptions, events will not be triggered if the process name is missing. For example, "" . Delete or rename shell history. Ignore docker programs that would prevent modifying shell history, when the path is expressed within the container filesystem (/.bash_history ) and host filesystem (/var/lib/docker/overlay/.../.bash_history ). All Rules: Changes to the tags to add NIST 800-53 and SOC2 tags:
| 0.10.0 |
September 23, 2020 | Rule Changes Launch Sensitive Mount Container: Change image matching to correctly identify Sysdig images as compared to names starting with "sysdig..." Detect shell history deletion: Ignore paths below /var/lib/docker . For example, the container filesystem overlay images that are removed when a container is removed. The Packet socket created in container rule is now enabled by default.
| 0.9.1 |
September 10, 2020 | Rule Changes All Rules: Add user.loginuid as an output field. This uid is generally unchanging across sudo /su commands, and can more reliably identify users. Launch Privileged Container: Add additional images that can run with privileged=true . Launch Sensitive Mount Container: Fix a typo that allows docker.io/sysdig/agent-slim to perform sensitive mounts. Read sensitive file untrusted: Allow linux-bench to read sensitive files containing user information. Update Package Repository: Restrict checks to files below known package management directories. Write below etc : Add exceptions related to calico within containers. Write below root : Allow mysqlsh write to /root/.mysqlsh . Read sensitive file untrusted: Allow google_oslogin_{control} read sensitive files. Change thread namespace: Trigger only when the process name is known. Create HostNetwork Pod: Allow several images related to GKE + default metrics/routing services run with hostnetwork=true . Disallowed Kubernetes User: Add several known Kubernetes users to allowed list. Pod Created in Kube Namespace: Allow several images related to GKE + default metrics/routing services run in kube-system/kube-public namespaces. System ClusterRole Modified/Deleted: Allow modifications to the role system:managed-certificate-controller .
| 0.9.0 |
September 08, 2020 | Added support for updating Falco rules across multiple accounts in an on-prem setup. | 0.8.3 |
August 17, 2020 | Rule Changes Created a new rule, EphemeralContainers Created for the Suspicious K8s Activity policy. Replace the endswith operator when checking with an image repository. Whitelisted sysdig/agent and sysdig/agent-slim . They are not available with the open-source Falco Rules. Whitelisted dockerd -current and docker-current in the exe_running_docker_save macro.
| 0.8.2 |
August 03, 2020 | Rule Changes Add the k8s_image_list list to the trusted_pod macro | 0.8.1 |
July 27, 2020 | Rule Changes Move the Write below root rule from the Suspicious Filesystem Changes policy to the Notable Filesystem Changes policy Delete the NIST 800-190 Application Container Security Guide policy Delete the Payment Card Industry Data Security Standard (PCI DSS) policy Add a new macro, user_read_sensitive_file_containers for the Read sensitive file untrusted rule Add docker.io/falcosecurity/falco to the falco_privileged_images list Add kubernetes-admin to the allowed_k8s_users list
| 0.8.0 |
July 20, 2020 | Rule Changes Disable Disallowed K8s Activity policy Add placeholder macros for multiple rules Fix the root_dir macro Add snapd to the package_mgmt_binaries list Add zmap to the network_tool_binaries list Whitelist protokube , dockerd , tini , and aws in the change thread namespace rule Add sysdig/agent-slim and sysdig/node-image-analyzer images to the user_trusted_containers macro Add kube-apiserver-healthcheck to the allowed_k8s_users list
| 0.7.9 |
July 7, 2020 | | 0.7.8 |
July 1, 2020 | Handle an improper error. | 0.7.7 |
June 25, 2020 | Disable rule Container Drift Detected (chmod) by default | 0.7.6 |
June 23, 2020 | Update rule Container Drift Detected (open+create) to avoid warning | 0.7.5 |
June 22, 2020 | Rule Changes Added two new rules: Container Drift Detected (chmod) and Container Drift Detected (open+create) to policy Suspicious Container Activity The Container Drift Detected (open+create) rule is disabled until an agent is released that supports the new evt.is_open_exec filter. Updated macros bin_dir_mkdir and bin_dir_rename using evt.arg.path instead of evt.arg Added placeholder macro user_known_write_below_binary_dir_activities to rule Write below binary dir Fixed rule Anonymous Request Allowed to update the auth decision with ka.auth.decision=allow instead of ka.auth.decision!=reject | 0.7.4 |
May 28, 2020 | Rule Changes Write below etc : Added lvs as a logical volume writing program that can write below /etc/lvm .
Clear Log Activities : Allowed additional Fluentd images to write to log file directories.
Set Setuid or Setgid bit : Added macro user_known_set_setuid_or_setgid_bit_conditions that makes it easier to add locally provided exceptions.
Launch Remote File Copy Tools in Container : Fixed the use of the list remote_file_copy_binaries so the list items are included.
The docker client is executed in a container : Now allow hcp -tunnelfront to run kubectl in containers.
Disallowed K8s User : Added vertical pod autoscaler programs as known Kubernetes users.
| 0.7.3 |
May 5, 2020 | Rule Changes For a brief time, Falco rules/macros had fields with k8s.* in them. These fields do not work in Sysdig Secure, so the relevant macros have been rewritten to omit them: | 0.7.2 |
May 1, 2020 | Rule Changes Add new rule Redirect stdout/stdin to network connection in container to policy Suspicious Container Activity Add new rules Network Connection outside Local Subnet and Outbound or Inbound Traffic not to Authorized Server Process and Port to policy Suspicious Network Activity Add new rules K8s Secret Created and K8s Secret Deleted to policy All K8s Object Modifications Add rules Untrusted Node Successfully Joined the Cluster and Untrusted Node Unsuccessfully Tried to Join the Cluster to policy Suspicious K8s Activit Add rule Full K8s Administrative Access to policy Suspicious K8s User Activity Add rule Ingress Object without TLS Certificate Created to policy Inadvised K8s Activity Check dsc_host in macro ms_oms_writing_conf Add macros mcafee_writing_cma_d and avinetworks_supervisor_writing_ssh as exceptions in rule Write below etc Add macro runc_writing_exec_fifo as exception in rule Write below root Use "pmatch" instead of "in" operator to check known files under root directory Update rule Change thread namespace to check exit event only Add macro known_system_procs_network_activity_binaries for rule System procs network activity
| 0.7.1 |
April 9, 2020 | Rule Changes Default Policy Changes Remove the default Policy Launch Privileged Container . The rule it used is also in the existing default policy Inadvised Container Activity , so there's no change in rule coverage. New default policies Payment Card Industry Data Security Standard (PCI DSS) and NIST 800-190 Application Container Security Guide , which are disabled by default, contain rules specifically related to PCI and NIST standards.
| 0.7.0 |