You are viewing documentation for Falco version: v0.41.3

Falco v0.41.3 documentation is no longer actively maintained. The version you are currently viewing is a static snapshot. For up-to-date documentation, see the latest version.

Changelog

List of changes throughout Falco versions

Version 0.42.0

Download


Version 0.42.0-rc4

Download


Version 0.42.0-rc3

Download


Version 0.42.0-rc2

Download


Version 0.42.0-rc1

Download


Version 0.41.3

Download

LIBS DRIVER

PackagesDownload
rpm-x86_64rpm
deb-x86_64deb
tgz-x86_64tgz
tgz-static-x86_64tgz-static
rpm-aarch64rpm
deb-aarch64deb
tgz-aarch64tgz
Images
docker pull docker.io/falcosecurity/falco:0.41.3
docker pull public.ecr.aws/falcosecurity/falco:0.41.3
docker pull docker.io/falcosecurity/falco-driver-loader:0.41.3
docker pull docker.io/falcosecurity/falco-driver-loader:0.41.3-buster
docker pull docker.io/falcosecurity/falco:0.41.3-debian

v0.41.3

Minor Changes

Statistics

MERGED PRSNUMBER
Not user-facing0
Release note1
Total1

Release Manager @leogr @ekoops


Version 0.41.2

Download

LIBS DRIVER

PackagesDownload
rpm-x86_64rpm
deb-x86_64deb
tgz-x86_64tgz
tgz-static-x86_64tgz-static
rpm-aarch64rpm
deb-aarch64deb
tgz-aarch64tgz
Images
docker pull docker.io/falcosecurity/falco:0.41.2
docker pull public.ecr.aws/falcosecurity/falco:0.41.2
docker pull docker.io/falcosecurity/falco-driver-loader:0.41.2
docker pull docker.io/falcosecurity/falco-driver-loader:0.41.2-buster
docker pull docker.io/falcosecurity/falco:0.41.2-debian

v0.41.2

Released on 2025-06-17

Statistics

MERGED PRSNUMBER
Not user-facing0
Release note0
Total0

Release Manager @leogr @ekoops


Version 0.41.1

Download

LIBS DRIVER

PackagesDownload
rpm-x86_64rpm
deb-x86_64deb
tgz-x86_64tgz
tgz-static-x86_64tgz-static
rpm-aarch64rpm
deb-aarch64deb
tgz-aarch64tgz
Images
docker pull docker.io/falcosecurity/falco:0.41.1
docker pull public.ecr.aws/falcosecurity/falco:0.41.1
docker pull docker.io/falcosecurity/falco-driver-loader:0.41.1
docker pull docker.io/falcosecurity/falco-driver-loader:0.41.1-buster
docker pull docker.io/falcosecurity/falco:0.41.1-debian

v0.41.1

Released on 2025-06-05

Bug Fixes

  • fix(userspace/falco): when collecting metrics for stats_writer, create a libs_metrics_collector for each source [#3585] - @FedeDP
  • fix(userspace/falco): only enable prometheus metrics once all inspectors have been opened [#3588] - @FedeDP

Statistics

MERGED PRSNUMBER
Not user-facing0
Release note2
Total2

Release Manager @FedeDP


Version 0.41.1-rc1

Download


Version 0.41.0

Download

LIBS DRIVER

PackagesDownload
rpm-x86_64rpm
deb-x86_64deb
tgz-x86_64tgz
tgz-static-x86_64tgz-static
rpm-aarch64rpm
deb-aarch64deb
tgz-aarch64tgz
Images
docker pull docker.io/falcosecurity/falco:0.41.0
docker pull public.ecr.aws/falcosecurity/falco:0.41.0
docker pull docker.io/falcosecurity/falco-driver-loader:0.41.0
docker pull docker.io/falcosecurity/falco-driver-loader:0.41.0-buster
docker pull docker.io/falcosecurity/falco:0.41.0-debian

v0.41.0

Released on 2025-05-29

Breaking Changes :warning:

  • cleanup(engine)!: only consider .yaml/.yml rule files [#3551] - @LucaGuerra
  • cleanup(userspace)!: deprecate print of container.info [#3543] - @FedeDP
  • cleanup(userspace/falco)!: drop deprecated in 0.40.0 CLI flags. [#3496] - @FedeDP

Major Changes

  • new(falco): add json_include_output_fields option [#3527] - @LucaGuerra
  • new(build,userspace): switch to use container plugin [#3482] - @FedeDP
  • new(docker,scripts,ci): use an override config file to enable ISO 8601 output timeformat on docker images [#3488] - @FedeDP

Minor Changes

  • chore(build): update falcoctl to v0.11.2, rules for artifact follow to v4 [#3580] - @LucaGuerra
  • update(cmake): bumped falcoctl to 0.11.1 and rules to 4.0.0. [#3577] - @FedeDP
  • update(containers): update opencontainers labels [#3575] - @LucaGuerra
  • update(metrics): improve restart/hot_reload conditions inspection [#3562] - @incertum
  • update: empty values in exceptions won't emit a warning anymore [#3529] - @leogr
  • chore(falco.yaml): enable libs_logger by default with info level [#3507] - @FedeDP

Bug Fixes

  • fix(metrics/prometheus): gracefully handle multiple event sources, avoid erroneous duplicate metrics [#3563] - @incertum
  • fix(ci): properly install rpm systemd-rpm-macro package on building packages pipeline [#3521] - @FedeDP
  • fix(userspace/falco): init cmdline options after loading all config files [#3493] - @FedeDP
  • fix(cmake): add support for 16K kernel page to jemalloc [#3490] - @Darkness4
  • fix(userspace/falco): fix jemalloc enabled in minimal build. [#3478] - @FedeDP

Non user-facing changes

Statistics

MERGED PRSNUMBER
Not user-facing36
Release note17
Total53

Release Manager @FedeDP


Version 0.41.0-rc2

Download


Version 0.41.0-rc1

Download


Version 0.40.0

Download

LIBS DRIVER

PackagesDownload
rpm-x86_64rpm
deb-x86_64deb
tgz-x86_64tgz
tgz-static-x86_64tgz-static
rpm-aarch64rpm
deb-aarch64deb
tgz-aarch64tgz
Images
docker pull docker.io/falcosecurity/falco:0.40.0
docker pull public.ecr.aws/falcosecurity/falco:0.40.0
docker pull docker.io/falcosecurity/falco-driver-loader:0.40.0
docker pull docker.io/falcosecurity/falco-driver-loader:0.40.0-buster
docker pull docker.io/falcosecurity/falco:0.40.0-debian

v0.40.0

Released on 2025-01-28

Breaking Changes :warning:

  • cleanup(userspac/falco)!: drop deprecated options. [#3361] - @FedeDP

Major Changes

  • new(docker): streamline docker images [#3273] - @FedeDP
  • new(build): reintroduce static build [#3428] - @LucaGuerra
  • new(cmake,ci): added support for using jemalloc allocator instead of glibc one and use it by default for release artifacts [#3406] - @FedeDP
  • new(userspace,cmake): honor new plugins exposed suggested output formats [#3388] - @FedeDP
  • new(userspace/falco): allow entirely disabling plugin hostinfo support. [#3412] - @FedeDP
  • new(ci): use zig compiler instead of relying on centos7. [#3307] - @FedeDP
  • new(falco): add buffer_format_base64 option, deprecate -b [#3358] - @LucaGuerra
  • new(falco): add base_syscalls.all option to falco.yaml, deprecate -A [#3352] - @LucaGuerra
  • new(falco): add falco_libs.snaplen option, deprecate -S / --snaplen [#3362] - @LucaGuerra

Minor Changes

  • update(cmake): bump falcoctl to v0.11.0 [#3467] - @alacuku
  • chore(ci): add attestation for falco [#3216] - @cpanato
  • chore(ci): build Falco in RelWithDebInfo, and upload Falco debug symbols as github artifacts [#3452] - @FedeDP
  • update(build): DEB and RPM package requirements for dkms and kernel-devel are now suggestions [#3450] - @jthiltges

Bug Fixes

  • fix(userspace/falco): fix container_engines.cri.sockets not loading from config file [#3453] - @zayaanmoez
  • fix(docker): /usr/src/'*' no longer created if $HOST_PATH/usr/src didn't exist at startup [#3434] - @shane-lawrence
  • fix(docker): add brotli to the Falco image [#3399] - @LucaGuerra
  • fix(userspace/engine): explicitly disallow appending/modifying a rule with different sources [#3383] - @mstemm

Non user-facing changes

Statistics

MERGED PRSNUMBER
Not user-facing31
Release note18
Total49

Release Manager @FedeDP


Version 0.40.0-rc1

Download


Version 0.39.2

Download

LIBS DRIVER

PackagesDownload
rpm-x86_64rpm
deb-x86_64deb
tgz-x86_64tgz
rpm-aarch64rpm
deb-aarch64deb
tgz-aarch64tgz
Images
docker pull docker.io/falcosecurity/falco:0.39.2
docker pull public.ecr.aws/falcosecurity/falco:0.39.2
docker pull docker.io/falcosecurity/falco-driver-loader:0.39.2
docker pull docker.io/falcosecurity/falco-driver-loader-legacy:0.39.2
docker pull docker.io/falcosecurity/falco-no-driver:0.39.2
docker pull docker.io/falcosecurity/falco-distroless:0.39.2

v0.39.2

Released on 2024-11-21

Minor Changes

  • update(cmake): bumped falcoctl to v0.10.1. [#3408] - @FedeDP
  • update(cmake): bump yaml-cpp to latest master. [#3394] - @FedeDP

Non user-facing changes

Statistics

MERGED PRSNUMBER
Not user-facing1
Release note2
Total3

Release Manager @FedeDP


Version 0.39.1

Download

LIBS DRIVER

PackagesDownload
rpm-x86_64rpm
deb-x86_64deb
tgz-x86_64tgz
rpm-aarch64rpm
deb-aarch64deb
tgz-aarch64tgz
Images
docker pull docker.io/falcosecurity/falco:0.39.1
docker pull public.ecr.aws/falcosecurity/falco:0.39.1
docker pull docker.io/falcosecurity/falco-driver-loader:0.39.1
docker pull docker.io/falcosecurity/falco-driver-loader-legacy:0.39.1
docker pull docker.io/falcosecurity/falco-no-driver:0.39.1
docker pull docker.io/falcosecurity/falco-distroless:0.39.1

v0.39.1

Released on 2024-10-09

Bug Fixes

  • fix(engine): allow null init_config for plugin info [#3372] - @LucaGuerra
  • fix(engine): fix parsing issues in -o key={object} when the object definition contains a comma [#3363] - @LucaGuerra
  • fix(userspace/falco): fix event set selection for plugin with parsing capability [#3368] - @FedeDP

Non user-facing changes

  • update(changelog): updated changelog for 0.39.1. [#3373] - @FedeDP

Statistics

MERGED PRSNUMBER
Not user-facing1
Release note3
Total4

Release Manager @FedeDP


Version 0.39.1-rc1

Download


Version 0.39.0

Download

LIBS DRIVER

PackagesDownload
rpm-x86_64rpm
deb-x86_64deb
tgz-x86_64tgz
rpm-aarch64rpm
deb-aarch64deb
tgz-aarch64tgz
Images
docker pull docker.io/falcosecurity/falco:0.39.0
docker pull public.ecr.aws/falcosecurity/falco:0.39.0
docker pull docker.io/falcosecurity/falco-driver-loader:0.39.0
docker pull docker.io/falcosecurity/falco-driver-loader-legacy:0.39.0
docker pull docker.io/falcosecurity/falco-no-driver:0.39.0
docker pull docker.io/falcosecurity/falco-distroless:0.39.0

v0.39.0

Released on 2024-10-01

Breaking Changes :warning:

  • fix(falco_metrics)!: split tags label into multiple tag_-prefixed labels [#3337] - @ekoops
  • fix(falco_metrics)!: use full name for configs and rules files [#3337] - @ekoops
  • update(falco_metrics)!: rearrange n_evts_cpu and n_drops_cpu Prometheus metrics to follow best practices [#3319] - @incertum
  • cleanup(userspace/falco)!: drop deprecated -t,-T,-D options. [#3311] - @FedeDP

Major Changes

  • feat(stats): add host_netinfo networking information stats family [#3344] - @ekoops
  • new(falco): add json_include_message_property to have a message field without date and priority [#3314] - @LucaGuerra
  • new(userspace/falco,userspace/engine): rule json schema validation [#3313] - @FedeDP
  • new(falco): introduce append_output configuration [#3308] - @LucaGuerra
  • new(userspace/falco): added --config-schema action to print config schema [#3312] - @FedeDP
  • new(falco): enable CLI options with -o key={object} [#3310] - @LucaGuerra
  • new(config): add container_engines config to falco.yaml [#3266] - @incertum
  • new(metrics): add host_ifinfo metric [#3253] - @incertum
  • new(userspace,unit_tests): validate configs against schema [#3302] - @FedeDP

Minor Changes

  • update(falco): upgrade libs to 0.18.1 [#3349] - @LucaGuerra
  • update(systemd): users can refer to systemd falco services with a constistent unique alias falco.service [#3332] - @ekoops
  • update(cmake): bump libs to 0.18.0 and driver to 7.3.0+driver. [#3330] - @FedeDP
  • chore(userspace/falco): deprecate cri related CLI options. [#3329] - @FedeDP
  • update(cmake): bumped falcoctl to v0.10.0 and rules to 3.2.0 [#3327] - @FedeDP
  • update(falco_metrics): change prometheus rules metric naming [#3324] - @incertum

Bug Fixes

  • fix(falco): allow disable_cri_async from both CLI and config [#3353] - @LucaGuerra
  • fix(engine): sync outputs before printing stats at shutdown [#3338] - @LucaGuerra
  • fix(falco): allow plugin init_config map in json schema [#3335] - @LucaGuerra
  • fix(userspace/falco): properly account for plugin with CAP_PARSING when computing interesting sc set [#3334] - @FedeDP

Non user-facing changes

Statistics

MERGED PRSNUMBER
Not user-facing35
Release note22
Total57

Release Manager @FedeDP


Version 0.39.0-rc3

Download


Version 0.39.0-rc2

Download


Version 0.39.0-rc1

Download


Version 0.38.2

Download

LIBS DRIVER

PackagesDownload
rpm-x86_64rpm
deb-x86_64deb
tgz-x86_64tgz
rpm-aarch64rpm
deb-aarch64deb
tgz-aarch64tgz
Images
docker pull docker.io/falcosecurity/falco:0.38.2
docker pull public.ecr.aws/falcosecurity/falco:0.38.2
docker pull docker.io/falcosecurity/falco-driver-loader:0.38.2
docker pull docker.io/falcosecurity/falco-driver-loader-legacy:0.38.2
docker pull docker.io/falcosecurity/falco-no-driver:0.38.2
docker pull docker.io/falcosecurity/falco-distroless:0.38.2

v0.38.2

Released on 2024-08-19

Bug Fixes

  • fix(engine): fix metrics names to better adhere to best practices [#3272] - @incertum
  • fix(ci): use vault.centos.org for centos:7 CI build. [#3274] - @FedeDP

Statistics

MERGED PRSNUMBER
Not user-facing0
Release note2
Total2

Release Manager @LucaGuerra


Version 0.38.2-rc2

Download


Version 0.38.2-rc1

Download


Version 0.38.1

Download

LIBS DRIVER

PackagesDownload
rpm-x86_64rpm
deb-x86_64deb
tgz-x86_64tgz
rpm-aarch64rpm
deb-aarch64deb
tgz-aarch64tgz
Images
docker pull docker.io/falcosecurity/falco:0.38.1
docker pull public.ecr.aws/falcosecurity/falco:0.38.1
docker pull docker.io/falcosecurity/falco-driver-loader:0.38.1
docker pull docker.io/falcosecurity/falco-driver-loader-legacy:0.38.1
docker pull docker.io/falcosecurity/falco-no-driver:0.38.1
docker pull docker.io/falcosecurity/falco-distroless:0.38.1

v0.38.1

Released on 2024-06-19

Major Changes

Minor Changes

  • cleanup(falco): clarify that --print variants only affect syscalls [#3238] - @LucaGuerra
  • update(engine): enable -p option for all sources, -pk, -pc etc only for syscall sources [#3239] - @LucaGuerra

Bug Fixes

  • fix(engine): enable output substitution only for syscall rules, prevent engine from exiting with validation errors when a plugin is loaded and -pc/pk is specified [#3236] - @mrgian
  • fix(metrics): allow each metric output channel to be selected independently [#3232] - @incertum
  • fix(userspace/falco): fixed falco_metrics::to_text implementation when running with plugins [#3230] - @FedeDP

Statistics

MERGED PRSNUMBER
Not user-facing0
Release note6
Total6

Release Manager @FedeDP


Version 0.38.1-rc1

Download


Version 0.38.0

Download

LIBS DRIVER

PackagesDownload
rpm-x86_64rpm
deb-x86_64deb
tgz-x86_64tgz
rpm-aarch64rpm
deb-aarch64deb
tgz-aarch64tgz
Images
docker pull docker.io/falcosecurity/falco:0.38.0
docker pull public.ecr.aws/falcosecurity/falco:0.38.0
docker pull docker.io/falcosecurity/falco-driver-loader:0.38.0
docker pull docker.io/falcosecurity/falco-driver-loader-legacy:0.38.0
docker pull docker.io/falcosecurity/falco-no-driver:0.38.0
docker pull docker.io/falcosecurity/falco-distroless:0.38.0

v0.38.0

Released on 2024-05-30

Breaking Changes :warning:

  • new(scripts,docker)!: enable automatic driver selection logic in packages and docker images. Modern eBPF is now also the default driver and the highest priority one in the new driver selection logic. [#3154] - @FedeDP
  • cleanup(falco.yaml)!: remove some deprecated configs [#3087] - @Andreagit97
  • cleanup(docker)!: remove unused builder dockerfile [#3088] - @Andreagit97

Major Changes

  • new(webserver): a metrics endpoint has been added providing prometheus metrics. It can be optionally enabled using the new metrics.prometheus_enabled configuration option. It will only be activated if the metrics.enabled is true as well. [#3140] - @sgaist
  • new(metrics): add rules_counters_enabled option [#3192] - @incertum
  • new(build): provide signatures for .tar.gz packages [#3201] - @LucaGuerra
  • new(engine): add print_enabled_rules_falco_logger when log_level debug [#3189] - @incertum
  • new(falco): allow selecting which rules to load from the configuration file or command line [#3178] - @LucaGuerra
  • new(metrics): add file sha256sum metrics for loaded config and rules files [#3187] - @incertum
  • new(engine): throw an error when an invalid macro/list name is used [#3116] - @mrgian
  • new(engine): raise warning instead of error on invalid macro/list name [#3167] - @mrgian
  • new(userspace): support split config files [#3024] - @FedeDP
  • new(engine): enforce unique exceptions names [#3134] - @mrgian
  • new(engine): add warning when appending an exception with no values [#3133] - @mrgian
  • feat(metrics): coherent metrics stats model including few metrics naming changes [#3129] - @incertum
  • new(config): add falco_libs.thread_table_size [#3071] - @incertum
  • new(proposals): introduce on host anomaly detection framework [#2655] - @incertum

Minor Changes

Bug Fixes

  • fix(userspace/falco): fix state initialization avoid a crash during hot reload [#3190] - @FedeDP
  • fix(userspace/engine): make sure exception fields are not optional in replace mode [#3108] - @jasondellaluce
  • fix(docker): added zstd to driver loader images [#3203] - @FedeDP
  • fix(engine): raise warning instead of error on not-unique exceptions names [#3159] - @mrgian
  • fix(engine): apply output substitutions for all sources [#3135] - @mrgian
  • fix(userspace/configuration): make sure that folders that would trigger permission denied are not traversed [#3127] - @sgaist
  • fix(engine): logical issue in exceptions condition [#3115] - @mrgian
  • fix(cmake): properly let falcoctl cmake module create /usr/share/falco/plugins/ folder. [#3105] - @FedeDP

Non user-facing changes

Statistics

MERGED PRSNUMBER
Not user-facing72
Release note38
Total110

Release Manager @LucaGuerra


Version 0.38.0-rc5

Download


Version 0.38.0-rc4

Download


Version 0.38.0-rc3

Download