July 22, 2021 | No rule changes. No default policy changes. Fix a defect related to installing rules for older backend versions (Sysdig 4.0.*). | 0.30.0 |
July 20, 2021 | Default Policy Changes | 0.29.0 |
July 19, 2021 | Rule Changes Add additional exceptions formats to aid in addressing false positive for rules: | 0.28.0 |
July 16, 2021 | Default Policy Changes Disabled Access Cryptomining Network Policy by default | 0.27.0 |
July 15, 2021 | Rule Changes Add additional exceptions formats to aid in addressing false positive for rules: | 0.26.0 |
July 11, 2021 | Default Policy Changes Rule changes have been applied in the following default policies: Suspicious Package Management Changes
Notable Filesystem Changes
Suspicious Filesystem Reads Policy
Suspicious Filesystem Changes
User Management Changes
Disallowed Network Activity
Inadvised Container Activity
Disallowed Container Activity
Suspicious Container Activity
New default policies created: Default policies removed: Suspicious Package Management Changes
Suspicious Filesystem Reads Policy
User Management Changes
Disallowed Network Activity
Disallowed Container Activity
Inadvised Container Activity
Existent policies status changes: Access AcceCryptomining Network enabled by Default | 0.25.0 |
July 01, 2021 | Rule Changes Add additional exceptions formats to aid in addressing false proofs for rules: Netcat Remote Code Execution in Container
Launch Sensitive Mount Container
Redirect STDOUT/STDIN to Network Connection in Container
| 0.24.0 |
June 25, 2021 | Rule Changes Add additional exceptions formats to aid in addressing false proofs for rules: Write below root
Change thread namespace
| 0.23.0 |
June 22, 2021 | Rule Changes Add additional exceptions formats for rules: Change thread namespace
Create Privileged Pod
Modify Shell Configuration File
Write below binary dir
Launch Privileged Container
The docker client is executed in a container
ClusterRole With Wildcard Created
Create HostNetwork Pod
Service Account Created in Kube Namespace
K8s Role/Clusterrole Created
K8s Role/Clusterrole Deleted
K8s Role/Clusterrolebinding Created
Netcat Remote Code Execution in Container
Delete Bash History
ClusterRole With Write Privileges Created
Clear Log Activities
Modify binary dirs
Unexpected outbound connection destination
Unexpected UDP Traffic
| 0.22.0 |
June 19, 2021 | A new policy, Sysdig GCP Best Practices, has been added. Rule Changes New GCP Rules have been added for AuditLog: GCP Create API Keys for a Project
GCP Create Bucket
GCP Delete Bucket
GCP List Buckets
GCP List Bucket Objects
GCP Put Bucket ACL
GCP Set Bucket IAM Policy
GCP Update Bucket
GCP Create Cloud Function Not Using Latest Runtime
GCP Create Cloud Function
GCP Update Cloud Function
CloudRun Create Service
CloudRun Replace Service
GCP Create a Default VPC Network
GCP Disable Subnet Flow Logs
GCP Enable Connecting to Serial Ports for a VM Instance
GCP Creation of a VM Instance with IP Forwarding Enabled
GCP Suspected Disable of OS Login in a VM Instance
GCP Enable Project-wide SSH keys for a VM InstanceGCP Shield Disabled for a VM Instance
GCP Create or Patch DNS Zone without DNSSEC
GCP Describe Instance
GCP Command Executed on Unused Region
GCP Create GCP-managed Service Account Key
GCP Create User-managed Service Account Key
GCP Invitation Sent to Non-corporate Account
GCP Operation by a Non-corporate Account
GCP Super Admin Executing Command
GCP Update, Disable or Delete SinkGCP Monitoring Alert Deleted
GCP Monitoring Alert Updated
GCP Disable Automatic Backups for a Cloud SQL Instance
GCP Disable the Requirement for All Incoming Connections to Use SSL for a Cloud SQL Instance
| 0.21.0 |
June 17, 2021 | Fixed a defect in v0.20.3. The fix is for the detection of older backend versions when looking for accounts scheduled for deletion. | 0.20.4 |
June 17, 2021 | Skip accounts scheduled for deletion when verifying Falco rules compatibility. | 0.20.3 |
June 16, 2021 | Rule Changes Add additional exceptions formats to allow addressing false positives for rules: | 0.20.2 |
June 11, 2021 | Rules Changes Add additional exceptions formats to help address false positives for rules: Run shell untrusted
Set Setuid or Setgid bit
| 0.20.1 |
June 03, 2021 | Rule Changes The Non sudo setuid rule: Add macmnsvc (mcafee service host) to set of programs that are allowed to setuid. The Launch Suspicious Network Tool in Container rule: Add another zookeeper image pattern that's allowed to run network tools. The Clear Log Activities rule: Add another fluentd image as allowed to clear log files. Add additional exceptions formats to aid in addressing false positives for rules: System procs network activity
K8s Serviceaccount Created
K8s Serviceaccount Deleted
K8s Role/Clusterrole Created
K8s Role/Clusterrole Deleted
| 0.20.0 |
June 01, 2021 | Rule Changes The Read Sensitive File Untrusted rule: The Launch Suspicious Network Tool in Container rule: Add another zookeeper image that is allowed to run nc inside a container. Add additional exception patterns for the following rules: Launch Package Management Process in Container
K8s Serviceaccount Created
K8s Serviceaccount Deleted
K8s Role/Clusterrole Created
K8s Role/Clusterrole Deleted
| 0.19.0 |
May 26, 2021 | Rule Changes Add additional Qualys binaries as exceptions for rules: The Write below etc rule: Allow newrelic to write below /root/newrelic instead of specific files Allow nessuscli write state file Allow masvc to write below /etc/ma.d/ Allow grafana to write state
The Write below root rule : Add an additional cmdline writing to exec.fifo. The DB program spawned process rule: Allow sqlplus spawn oracle. Add additional sets of exception fields for rules:
| 0.18.0 |
May 25, 2021 | The Sysdig AWS Best Practices policy no longer includes the Logged in without Using MFA rule. Rule Changes Add five new rules for AWS Cloudtrail events. Disable the AWS Cloudtrail rule, Logged in without Using MFA. The Read Sensitive File Untrusted rule: Let the TaniumEndpoint agent read additional sensitive files. The Write below root rule, docker_writing_state macro: Allow for paths that simply specify a path below an implied / or /root of current working directory. The DB program spawned process rule: Add additional allowed Postgres backup utilities. The Write below root rule: Use a more flexible string match against the /exec.fifo paths. Allow newrelic CLI to write to CLI log file. Allow the docker cleanup image utility to write state files below /.
The Write below rpm database rule: Allow tanium endpoint script to write to the rpm database. The Contact K8S API Server From Container rule: Add another fluent-bit program that is allowed to contact the API Server.
| 0.17.0 |
May 20, 2021 | Rule Changes Added exception to the following to address false positives: The Non sudo setuid rule: Let swiagent read setuid. The Read sensitive file untrusted rule: Let refresh-mcollec (tive-metadata), part of puppet, read sensitive files. Let puppet directly read sensitive files. Let Tanium endpoint read sensitive files. Let ir_agent (rapid7 agent) read sensitive files.
The Write below root rule: Add an additional command line pattern for Cassandra to allow writes to /root/.cassandra. Add additional exec.fifo path below root for runc. Let docker write to certain files below /. It is part of some docker-in-docker setups. Let Tanium joval write to /root/.jOVAL/.
The Change thread namespace rule: The System procs network activity rule : Add an additional exception pattern. The User mgmt binaries: Let refresh-mcollec (tive-metadata), part of puppet, run user management binaries. The Contact K8S API Server From Container rule: Let fluent-bit images run programs to contact the API server. The Launch Suspicious Network Tool in Container rule: Let certain Openshift images run dig to perform DNS lookups. The Clear Log Activities rule: Let certain Workinggrafana-related images clear log files in the container.
| 0.16.0 |
May 19, 2021 | Rule Changes Additional exception fields are added to the following rules to aid in customization: K8s Secret Created K8s Secret Deleted
| 0.15.1 |
May 18, 2021 | Rule Changes The Detect outbound connections to common miner pool ports rule: Add additional known miner domains. Add additional exception fields to the following rules to aid customization: Modify Shell Configuration File
Write below monitored dir
Write below etc
Write below root
Write below rpm database
Launch Privileged Container
Launch Sensitive Mount Container
Terminal shell in container
System procs network activity
Launch Suspicious Network Tool in Container
Set Setuid or Setgid bit
Launch Remote File Copy Tools in Container
The docker client is executed in a container
Disallowed K8s User
Create Privileged Pod
Create Sensitive Mount Pod
Create HostNetwork Pod
Attach/Exec Pod
Pod Created in Kube Namespace
Service Account Created in Kube Namespace
ClusterRole With Wildcard Created
K8s Secret Created
K8s Secret Deleted
The Change thread namespace rule: Add an additional exception for the Sysdig agent. The Pod created in the Kube Namespace rule: Allow users starting with "system:" to create pods in the kube-system/kube-public namespaces. The Read sensitive file untrusted rule: Allow puppet to run scripts that might read sensitive files. The Write below root rule: Add an additional way to detect Cassandra to allow writes to /root/.cassandra. The Change thread namespace rule: Allow Weaveworks Kured (Kubernetes Reboot Daemon) to change thread namespaces.
| 0.15.0 |
May 17, 2021 | Rule Changes Add rpmdb_verify as an RPM Package Management program. This affects the following rules: Update Package Repository
Write below binary dir
Write below monitored dir
Write below etc
Read sensitive file untrusted
Modify binary dirs
Mkdir binary dirs
Run shell untrusted
Package management process ran inside container
Write below etc: Add haproxy-ingress as a program that can write below /etc/haproxy. Change thread namespace: Allow images ending with /ext-cilium-startup-script to change namespaces. Launch Suspicious Network Tool in Container: Allow images ending with sysdig/cassandra and bitnami/zookeeper to run network tools inside containers. Set setuid or setgid bit: Allow the images in the sysdig_commercial_images list to include applications with setuid/setgid binaries.
| 0.14.0 |
May 05, 2021 | Rule Changes Add a macro to allow backward compatibility for using older pre-exceptions rules content. | 0.13.2 |
May 05, 2021 | Rule Changes Remove the aws_cloudtrail rule named Create Internet-facing AWS Public Facing Load Balancer without Required Tags from the previous release that uses features yet to be released. | 0.13.1 |
May 04, 2021 | Added the Launch Root User Container rule to the Notable Container Activity policy. Rule Changes All Rules with the source, aws_cloudtrail: Switch from using jevt.value[/path] to aws.xxx to extract information out of aws_cloudtrail events. A new rule, Launch Root User Container , has been added. It matches when a container is started and is configured to run as root. This works for Docker and CRI-O container runtimes, but not for Openshift 4.x, which does not make the necessary information available. Macro spawned_process: Consider only successful executables. For example, where the return value is 0. This affects the following rules: Schedule Cron Jobs
DB program spawned process
Run shell untrusted
System user interactive
Terminal shell in container
Program run with disallowed http proxy env
User mgmt binaries
Launch Package Management Process in Container
Netcat Remote Code Execution in Container
Launch Suspicious Network Tool in Container
Launch Suspicious Network Tool on Host
Search Private Keys or Passwords
Remove Bulk Data from Disk
Delete Bash History
Launch Remote File Copy Tools in Container
Detect crypto miners using the Stratum protocol
The docker client is executed in a container
Linux Kernel Module Injection Detected
Container Run as Root User
This could affect the following rules if they are triggered based on an exec() process rather than a container-started event. Launch Privileged Container
Launch Sensitive Mount Container
Launch Disallowed Container
Launch Root User Container
| 0.13.0 |
April 09, 2021 | Rule Changes Restore several old macros and lists that are no longer used by any of the default rules, but might be used by some users' local rules. | 0.12.2 |
April 05, 2021 | Fixed a defect that could prevent deploying rules to several older Sysdig backend versions. | 0.12.1 |
March 31, 2021 | Rule Changes Added new versions of falco_rules.yaml/k8s_audit_rules.yaml that uses exceptions instead of collections of macros and long condition strings. The rules coverage should be identical to older versions. | 0.12.0 |
March 19, 2021 | Fixed minor problems with the rules installation script. | 0.11.1 |
March 11, 2021 | Rule Changes Added 164 rules that detect suspicious/anomalous/notable behavior from a stream of AWS CloudTrail events. This requires a Sysdig backend that supports policy types and running the Cloud Connector. For a full list of rules for different AWS services, see CloudTrail Rules for Cloud Connector. Default Policy Changes The new policy, Sysdig AWS Best Practices, includes 41 of the above rules that Sysdig recommends using for the AWS environments. | 0.11.0 |
February 9, 2021 | Rule Changes rule Change thread namespace: Let cilium nsenter rule Change thread namespace: Let dynatrace setns rule Change thread namespace: Let sysdig agent setns (the process name was changed recently) rule Clear Log Activities: Allow fluentd to write/access log files in a container macro exe_running_docker_save: Added support for Crio setting up containers. This affects several rules including: Modify Shell Configuration File Update Package Repository Write below binary dir Write below monitored dir Write below etc Write below root Write below rpm database Modify binary dirs mkdir binary dirs Set Setuid or Setgid bit Create Hidden Files or Directories
rule Launch Package Management Process in Container: Let sysdig node-image-analyzer run rpm
| 0.10.5 |
December 14, 2020 | Rule Changes Add a new rule, Container Run as Root User ,to the Inadvised Container Activity policy. Add crio and multus to the user_known_change_thread_namespace_binaries list
| 0.10.4 |
December 1, 2020 | Rule Changes | 0.10.3 |
November 16, 2020 | Rule Changes Add the new rule, Linux Kernel Module Injection Detected, to the Notable Filesystem Changes policy. Add the multipath_writing_conf macro as an exception in the Write below etc rule. Add the chage_list macro as exception in the User mgmt binaries rule Update compliance tags.
| 0.10.2 |
October 14, 2020 | Add CSRF token protection. Rule Changes Add a new rule, Outbound Connection to C2 Servers, to the Disallowed Network Activity policy. | 0.10.1 |
September 30, 2020 | Rule Changes Write below root: Similar to the rules that rely on a process name for exceptions, events will not be triggered if the process name is missing. For example, "". Delete or rename shell history. Ignore docker programs that would prevent modifying shell history, when the path is expressed within the container filesystem (/.bash_history) and host filesystem (/var/lib/docker/overlay/.../.bash_history). All Rules: Changes to the tags to add NIST 800-53 and SOC2 tags:
| 0.10.0 |
September 23, 2020 | Rule Changes Launch Sensitive Mount Container: Change image matching to correctly identify Sysdig images as compared to names starting with "sysdig..." Detect shell history deletion: Ignore paths below /var/lib/docker. For example, the container filesystem overlay images that are removed when a container is removed. The Packet socket created in container rule is now enabled by default.
| 0.9.1 |
September 10, 2020 | Rule Changes All Rules: Add user.loginuid as an output field. This uid is generally unchanging across sudo/su commands, and can more reliably identify users. Launch Privileged Container: Add additional images that can run with privileged=true. Launch Sensitive Mount Container: Fix a typo that allows docker.io/sysdig/agent-slim to perform sensitive mounts. Read sensitive file untrusted: Allow linux-bench to read sensitive files containing user information. Update Package Repository: Restrict checks to files below known package management directories. Write below etc: Add exceptions related to calico within containers. Write below root: Allow mysqlsh write to /root/.mysqlsh . Read sensitive file untrusted: Allow google_oslogin_{control} read sensitive files. Change thread namespace: Trigger only when the process name is known. Create HostNetwork Pod: Allow several images related to GKE + default metrics/routing services run with hostnetwork=true. Disallowed Kubernetes User: Add several known Kubernetes users to allowed list. Pod Created in Kube Namespace: Allow several images related to GKE + default metrics/routing services run in kube-system/kube-public namespaces. System ClusterRole Modified/Deleted: Allow modifications to the role system:managed-certificate-controller.
| 0.9.0 |
September 08, 2020 | Added support for updating Falco rules across multiple accounts in an on-prem setup. | 0.8.3 |
August 17, 2020 | Rule Changes Created a new rule, EphemeralContainers Created for the Suspicious K8s Activity policy. Replace the endswith operator when checking with an image repository. Whitelisted sysdig/agent and sysdig/agent-slim . They are not available with the open-source Falco Rules. Whitelisted dockerd-current and docker-current in the exe_running_docker_save macro.
| 0.8.2 |
August 03, 2020 | Rule Changes Add the k8s_image_list list to the trusted_pod macro | 0.8.1 |
July 27, 2020 | Rule Changes Move the Write below root rule from the Suspicious Filesystem Changes policy to the Notable Filesystem Changes policy Delete the NIST 800-190 Application Container Security Guide policy Delete the Payment Card Industry Data Security Standard (PCI DSS) policy Add a new macro, user_read_sensitive_file_containers for the Read sensitive file untrusted rule Add docker.io/falcosecurity/falco to the falco_privileged_images list Add kubernetes-admin to the allowed_k8s_users list
| 0.8.0 |
July 20, 2020 | Rule Changes Disable Disallowed K8s Activity policy Add placeholder macros for multiple rules Fix the root_dir macro Add snapd to the package_mgmt_binaries list Add zmap to the network_tool_binaries list Whitelist protokube, dockerd, tini, and aws in the change thread namespace rule Add sysdig/agent-slim and sysdig/node-image-analyzer images to the user_trusted_containers macro Add kube-apiserver-healthcheck to the allowed_k8s_users list
| 0.7.9 |
July 7, 2020 | | 0.7.8 |
July 1, 2020 | Handle an improper error. | 0.7.7 |
June 25, 2020 | Disable rule Container Drift Detected (chmod) by default | 0.7.6 |
June 23, 2020 | Update rule Container Drift Detected (open+create) to avoid warning | 0.7.5 |
June 22, 2020 | Rule Changes Added two new rules: Container Drift Detected (chmod) and Container Drift Detected (open+create) to policy Suspicious Container Activity NoteThe Container Drift Detected (open+create) rule is disabled until an agent is released that supports the new evt.is_open_exec filter. Updated macros bin_dir_mkdir and bin_dir_rename using evt.arg.path instead of evt.arg Added placeholder macro user_known_write_below_binary_dir_activities to rule Write below binary dir Fixed rule Anonymous Request Allowed to update the auth decision with ka.auth.decision=allow instead of ka.auth.decision!=reject | 0.7.4 |
May 28, 2020 | Rule Changes Write below etc: Added lvs as a logical volume writing program that can write below /etc/lvm.
Clear Log Activities: Allowed additional Fluentd images to write to log file directories.
Set Setuid or Setgid bit: Added macro user_known_set_setuid_or_setgid_bit_conditionsthat makes it easier to add locally provided exceptions.
Launch Remote File Copy Tools in Container: Fixed the use of the list remote_file_copy_binaries so the list items are included.
The docker client is executed in a container: Now allow hcp-tunnelfront to run kubectl in containers.
Disallowed K8s User: Added vertical pod autoscaler programs as known Kubernetes users.
| 0.7.3 |
May 5, 2020 | Rule Changes For a brief time, Falco rules/macros had fields with k8s.* in them. These fields do not work in Sysdig Secure, so the relevant macros have been rewritten to omit them: | 0.7.2 |
May 1, 2020 | Rule Changes Add new rule Redirect stdout/stdin to network connection in container to policy Suspicious Container Activity Add new rules Network Connection outside Local Subnet and Outbound or Inbound Traffic not to Authorized Server Process and Port to policy Suspicious Network Activity Add new rules K8s Secret Created and K8s Secret Deleted to policy All K8s Object Modifications Add rules Untrusted Node Successfully Joined the Cluster and Untrusted Node Unsuccessfully Tried to Join the Cluster to policy Suspicious K8s Activit Add rule Full K8s Administrative Access to policy Suspicious K8s User Activity Add rule Ingress Object without TLS Certificate Created to policy Inadvised K8s Activity Check dsc_host in macro ms_oms_writing_conf Add macros mcafee_writing_cma_d and avinetworks_supervisor_writing_ssh as exceptions in rule Write below etc Add macro runc_writing_exec_fifo as exception in rule Write below root Use "pmatch" instead of "in" operator to check known files under root directory Update rule Change thread namespace to check exit event only Add macro known_system_procs_network_activity_binaries for rule System procs network activity
| 0.7.1 |
April 9, 2020 | Rule Changes Default Policy Changes Remove the default Policy Launch Privileged Container. The rule it used is also in the existing default policy Inadvised Container Activity, so there's no change in rule coverage. New default policies Payment Card Industry Data Security Standard (PCI DSS) and NIST 800-190 Application Container Security Guide, which are disabled by default, contain rules specifically related to PCI and NIST standards.
| 0.7.0 |
Dec 9, 2019 | Expand allowed_k8s_users list with default users created by Kops Add macro calico_writing_envvars to whitelist of rule Write below etc Update operators with intersect Add calico/node in the falco_privlieged_image list Add amazon/amazon-ecs-agent in falco_sensitive_mounts_image list Add hyperkube to the whitelist of rule Set Setuid or Setgit bit Add docker-runc-cur to container_entrypoint macro Add a rule to detect Kubernetes client tool in container Add rules Contact cloud metadata service from container and Packet socket created in container to policy Suspicious Container Activity Update macro exe_running_docker_save Add exe_running_docker_save as exception to rules Modify Shell Configuration File, and Update Package Repository Create macro automount_using_mtab and add it as exception to rule Write below etc Update macro k8s_api_server with Kubernetes headless service name Add placeholder macro user_known_package_manager_in_container to rule Launch Package Management Process in Container Add kubelet to list user_known_chmod_applications Create macro user_known_k8s_client_container and add it as exception to rule The docker client is executed in a container Add more directories to Sensitive mounts rules | 0.6.0 |
Oct 9, 2019 | Add rule Delete or rename shell history (a better version of Delete Bash History) to policy Suspicious Filesystem Changes Add rule Detect crypto miners using the Stratum protocol to policy Suspicious Container Activity Add a new policy, Access Cryptomining Network ,with a new rule Detect outbound connections to common miner pool ports associated (disabled by default) Add new macros chmod and modify_repositories Enhance rules Update Package Repository, Set Setuid or Setgid bit, and Create Hidden Files or Directories Add imagefluent/fluentd-kubernetes-daemonset to macro trusted_logging_images | 0.5.0 |
Aug 21, 2019 | Update rule Update Package Repository with modify action Update rule Delete Bash History with more bash history files Update rule Set Setuid or Setgid bit using system calls instead of process name Update rule Create Hidden Files or Directories with modify action | 0.4.9 |
Aug 1, 2019 | Add /exec.fifo to known_root_files macro (GKE) Add macro amazon_linux_running_python_yum as exception in rule Write below rpm database (Amazon Linux 2) Add docker.io/google/cadvisor and docker.io/prom/node-exporter to list falco_sensitive_mount_images | 0.4.8 |
July 23, 2019 | Add image k8s.gcr.io/kube-proxy to list falco_privileged_images Add runc to macro container_entrypoint Add macro trusted_logging_images for rule Clear Log Activities Add image docker.io/netdata/netdata to list falco_sensitive_mount_images | 0.4.7 |
July 1, 2019 | Add placeholder for user macro Add rfc 1918 addresses Add image prometheus-node-exporter to macro openshift_image Add weaveworks_scope macro used by rule Change thread namespace | 0.4.6 |
June 20, 2019 | Add whitelist to rules Change thread namespace and Non sudo setuid | 0.4.5 |
June 17, 2019 | Add trusted_container macro back | 0.4.4 |
June 13, 2019 | Extend macro mkdir with syscall mkdirat Add placeholder for whitelist in rule Clear Log Activities Add docker.io/ to the trusted images list Add container.id and image in the rule output, except those rules with "not container" in condition | 0.4.3 |
June 6, 2019 | Remove image check from rancher_write_conf macro Remove healthcheck from rancher_writing_conf Update nginx_writing_conf macro | 0.3.7 |
June 5, 2019 | Updated macro container_started IBM Cloud Kubernetes Service is a hosted Kubernetes from IBM Allow Ansible to run using Python 3 Fix egrep rule and ncat rule Add Sematext Monitoring & Logging agents to trusted Kubernetes containers | 0.3.6 |
May 30, 2019 | Add rules: remote file copy in container, create symlink over sensitive files In macro prometheus_conf_writing_conf, use startswith instead of = | 0.3.5 |
Apr 18, 2019 | Add MITRE tags to existing rules Add new MITRE rules mainly for persistence category | 0.3.4 |