Published by mstemm over 7 years ago
Released 2016-03-29

- `sysdig-probe` kernel module. This ensures you can upgrade sysdig and falco without kernel driver compatibility problems. More details on the kernel module and its installation are on the wiki. [#215] [#223] [#224]
- `/dev/tty*` files. [#209]

Published by mstemm almost 8 years ago
Released 2016-12-22

Starting with this release, we're adding a new section "Rule Changes" devoted to changes to the default ruleset `falco_rules.yaml`.

- `outputs, rate` and `outputs, max_burst` options. [#161]
- `SYSDIG_SKIP_LOAD` to skip the process of building/loading the kernel module. Thanks @carlsverre for the fix. [#145]
- `USE_BUNDLED_DEPS` within CMakeFiles so you can build with external third-party libraries. [#147]
- `output:` attribute [#150] [#151]
- `-s <statsfile>` option. [#155]
- `log_level` controls the verbosity of falco's logging. [#160]
- `google_containers/kube-proxy` a trusted image, affecting the File Open by Privileged Container/Sensitive Mount by Container rules. [#159]

Published by mstemm almost 8 years ago
Released 2016-10-25

As falco depends heavily on sysdig, many changes here were actually made to sysdig and pulled in as a part of the build process. Issues/PRs starting with `sysdig/#XXX` are sysdig changes.

- `container.privileged` to match containers running in privileged mode [sysdig/#655] [sysdig/#658]
- `container.mount*` to match container mount points [sysdig/#655]
- `container.image.id` to match container image id [sysdig/#661]
- `-pc`/`-pk`/`-pm`/`-k`/`-m` analogous to sysdig command line options. These options pull metadata information from k8s/mesos servers and adjust default falco notification outputs to contain container/orchestration information when applicable. [#131] [#134]
- `glob` operator for strings, works as classic shell glob path matcher [sysdig/#653]
- `pmatch` operator to efficiently test a subject pathname against a set of target pathnames, to see if the subject is a prefix of any target [sysdig/#660] [#125]
- `-v`, print statistics on the number of events processed and dropped [#139]
- `-w`. This can be useful to write a trace file in parallel with live event monitoring so you can reproduce it later. [#140]
- `enabled` flag. With `enabled: false`, a rule will not be loaded or run against events. By default all rules are enabled [#119]
- `docker`/`dockerd` split in 1.12 [#112]
- `debian:unstable` docker image [#124]
- `/etc/falco.yaml` are properly detected [#135] [#136]

Published by mstemm about 8 years ago
Released 2016-08-05

Significantly improved performance, involving changes in the falco and sysdig repositories:

- `startswith` as a string comparison operator when possible. [#623]
- `is_open_read`/`is_open_write` when possible instead of searching through open flags. [#610]

All of these changes result in dramatically reduced CPU usage. Here are some comparisons between 0.2.0 and 0.3.0 for the following workloads (among them the `pts/apache` and `pts/dbench` tests):

| Workload | 0.2.0 CPU Usage | 0.3.0 CPU Usage |
|---|---|---|
| pts/apache | 24% | 7% |
| pts/dbench | 70% | 5% |
| Kubernetes-Demo (Running) | 6% | 2% |
| Kubernetes-Demo (During Teardown) | 15% | 3% |
| Juttle-examples | 3% | 1% |
As a part of these changes, falco now prefers rule conditions that have at least one `evt.type=` operator at the beginning of the condition, before any negative operators (i.e. `not` or `!=`). If a condition does not have any `evt.type=` operator, falco will log a warning like:

```
Rule no_evttype: warning (no-evttype):
proc.name=foo
did not contain any evt.type restriction, meaning it will run for all event types.
This has a significant performance penalty. Consider adding an evt.type restriction if possible.
```

If a rule has an `evt.type` operator in the later portion of the condition, falco will log a warning like:

```
Rule evttype_not_equals: warning (trailing-evttype):
evt.type!=execve
does not have all evt.type restrictions at the beginning of the condition,
or uses a negative match (i.e. "not"/"!=") for some evt.type restriction.
This has a performance penalty, as the rule can not be limited to specific event types.
Consider moving all evt.type restrictions to the beginning of the rule and/or
replacing negative matches with positive matches if possible.
```
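As an added illustration, not code from the falco project, the small Python linter below classifies a rule condition the way the two warnings above do: no `evt.type` restriction at all, a negated or trailing one, or a clean condition that can be limited to specific event types. It assumes conditions in the filter syntax shown above and splits clauses only on `and`/`or`, so it is a simplified approximation of falco's own check rather than its parser.

```python
import re

# Positive evt.type restrictions: "evt.type=open" or "evt.type in (open, openat)".
POSITIVE_EVTTYPE = re.compile(r"evt\.type\s*(?:=|in\s*\()")
# Negative evt.type restrictions: "evt.type!=execve" or "not evt.type=execve".
NEGATIVE_EVTTYPE = re.compile(r"evt\.type\s*!=|not\s+evt\.type\b")


def check_evttype(condition: str):
    """Classify a falco rule condition as the warnings above do.

    Returns None when every evt.type restriction is positive and sits at the
    start of the condition, "no-evttype" when there is none at all, and
    "trailing-evttype" when one is negated or appears after other clauses.
    Simplified approximation (assumption), not falco's own parser.
    """
    cond = condition.strip()
    if not re.search(r"evt\.type\b", cond):
        return "no-evttype"
    if NEGATIVE_EVTTYPE.search(cond):
        return "trailing-evttype"
    # Walk the and/or-joined clauses from the left and count how many of the
    # leading ones are evt.type restrictions (a leading "(" is tolerated).
    clauses = [c.strip().lstrip("(") for c in re.split(r"\s+(?:and|or)\s+", cond)]
    leading = 0
    for clause in clauses:
        if not POSITIVE_EVTTYPE.match(clause):
            break
        leading += 1
    total = len(POSITIVE_EVTTYPE.findall(cond))
    return None if leading == total else "trailing-evttype"


def warn(rule_name: str, condition: str):
    """Render the first line of the warning falco would log, or None if clean."""
    tag = check_evttype(condition)
    if tag is None:
        return None
    return f"Rule {rule_name}: warning ({tag}): {condition}"


# Constructed sample rules mirroring the two cases in the release notes,
# plus a clean rule and its slow, reordered twin.
SAMPLE_RULES = {
    "no_evttype": "proc.name=foo",
    "evttype_not_equals": "evt.type!=execve",
    "shadow_read": "evt.type=open and fd.name=/etc/shadow",
    "shadow_read_late": "fd.name=/etc/shadow and evt.type=open",
}

if __name__ == "__main__":
    for name, cond in SAMPLE_RULES.items():
        print(warn(name, cond) or f"Rule {name}: ok")
```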
- `EF_DROP_FALCO`. (These events are high-volume, low-value events that are ignored by default to improve performance). [#107] [#102]

Published by mstemm over 8 years ago
Released 2016-06-09

For full handling of setsid system calls and session id tracking using `proc.sname`, falco requires a sysdig version >= 0.10.0.

Published by mstemm over 8 years ago
Released 2016-05-17