github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2026-03-19 03:06:22 +00:00
Code Issues Projects Releases Wiki Activity
5,058 Commits 122 Branches 184 Tags
0.43.0
Commit Graph

1735 Commits

Author SHA1 Message Date
Leonardo Grasso
6a9531a0f7 fix(userspace)!: show source config path only in debug builds 
Starting from Falco 0.40, the `falco --help` output incorrectly showed
  the source config path (e.g., /home/runner/work/falco/falco/falco.yaml)
  in release packages. This path was intended only for local development.

  The issue was introduced when RelWithDebInfo build type support was
  added (commit 6bf33ffd). The existing code checked for BUILD_TYPE_RELEASE
  to determine release behavior, but RelWithDebInfo builds defined
  BUILD_TYPE_RELWITHDEBINFO instead, causing them to fall into the
  debug code path.

  This fix introduces BUILD_TYPE_DEBUG and changes the conditionals to
  enable dev features only when CMAKE_BUILD_TYPE is explicitly "debug".
  Both Release and RelWithDebInfo builds now correctly show only
  /etc/falco/falco.yaml.

  Fixes the regression introduced in 0.40.0

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
 2026-01-23 16:58:48 +01:00
Leonardo Di Giovanna
f589cd3a6c chore(userspace): deprecate --gvisor-generate-config CLI option 
DEPRECATION NOTICE: deprecate `--gvisor-generate-config` CLI option

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
 2026-01-23 14:23:47 +01:00
Leonardo Grasso
a653a576de fix(userspace/engine): missing closing quote in deprecated field warning 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
 2026-01-22 11:47:39 +01:00
Kevin Vu
3dabda4b7d fix: prevent NULL pointer crash in program_output on popen failure 
Signed-off-by: Kevin Vu <vietcgi@gmail.com>
 2026-01-12 09:31:44 +01:00
Leonardo Di Giovanna
8b01753f6e chore(userspace): deprecate legacy eBPF probe, gVisor engine and gRPC 
DEPRECATION NOTICE: deprecate legacy eBPF, gVisor and gRPC

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
 2026-01-08 15:50:17 +01:00
Leonardo Di Giovanna
e34a6b28eb chore(cmake): bump libs/drivers to 0.23.0/9.1.0+driver 
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
 2025-12-24 09:36:41 +01:00
Adnan Ali
f4df5681fd fix(metrics): Add null check for state.outputs in metrics collection 
This change adds a defensive null check before accessing state.outputs->get_outputs_queue_num_drops() to prevent segfaults if outputs is destroyed while metrics are being collected.

Signed-off-by: Adnan Ali <adduali1310@hotmail.com>
 2025-12-23 15:18:38 +01:00
irozzo-1A
5b53681d2f chore(engine): add deprecation warning for evt.latency when used in conditions 
Emit a deprecation warning when `evt.latency` is detected in a rule
condition.

Signed-off-by: irozzo-1A <iacopo@sysdig.com>
 2025-12-01 12:54:18 +01:00
Leonardo Grasso
933fb7e823 fix(userspace/falco): correct default duration calculation 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2025-10-21 20:53:44 +02:00
Iacopo Rozzo
9eacf5e58f chore(deps): bump libs version to 0.22.0 
Signed-off-by: Iacopo Rozzo <iacopo@sysdig.com>
 2025-10-17 15:09:15 +02:00
Iacopo Rozzo
1717a98749 feat(engine): emit warning when a rule output uses deprecated "evt.dir" 
Emit a warning when a rule uses the deprecated "evt.dir" field in output.

Signed-off-by: Iacopo Rozzo <iacopo@sysdig.com>
 2025-10-14 09:46:43 +02:00
Leonardo Grasso
38be8ba5d2 update(cmake): update libs and driver to 0.22 dev 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2025-10-13 12:32:37 +02:00
Iacopo Rozzo
8c4e5aa854 Use generic DEPRECATED_ITEM warning code 
Signed-off-by: Iacopo Rozzo <iacopo@sysdig.com>
 2025-10-09 14:06:12 +02:00
Iacopo Rozzo
42085c9d7a feat(engine): emit warning when a condition uses deprecated "evt.dir" 
Emit a warning when a rule with a condition using "evt.dir" field is
encountered.
The direction have been deprecated in the scope of enter event
suppression initiative.

Signed-off-by: Iacopo Rozzo <iacopo.rozzo@iacopo.rozzo>
 2025-10-09 14:06:12 +02:00
Leonardo Grasso
573871955c chore(userspace/engine): bump Falco engine version to 0.56.0 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2025-09-30 18:52:12 +02:00
Tero Kauppinen
eee4acc488 fix(userspace/falco): fix actions taken when events are dropped 
User can configure a list of actions that are taken when Falco
detects a threshold exceeding value in drop statistics.

However, the logic that handles the list of configured actions
is designed to process only a single action; it takes only the
first action of the list. This approach has the problem that the
order of the actions comes as the deciding factor in choosing
which action is taken in case there are more than one action.

This fix enables Falco to process all actions on the list.

Signed-off-by: Tero Kauppinen <tero.kauppinen@est.tech>
 2025-09-30 18:36:12 +02:00
Iacopo Rozzo
7fb9986e5a fix(prometheus): deprecate enter events drop stats 
Enter events are no longer tracked by the Falco libs, this change
deprecates the Prometheus metrics related to enter event drops.

Signed-off-by: Iacopo Rozzo <iacopo@sysdig.com>
 2025-09-23 10:37:08 +02:00
Leonardo Di Giovanna
4fa53452c3 fix(userspace/engine): fix logger date format 
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
 2025-09-18 14:54:46 +02:00
Leonardo Di Giovanna
4d3b685c8b feat: make libs internal auto thread purging intervals configurable 
Make Falco's libs internal auto thread purging interval and timeout
configurable and set their default values to 5 minutes. This helps
controlling the memory impact of process exit events dropping and
events re-ordering.

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
 2025-09-16 15:42:34 +02:00
Samuel Gaist
7c7196f1f0 chore: pre-commit cleanup 
Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2025-09-16 09:38:29 +02:00
Samuel Gaist
e34caee3f8 Revert "refactor(userspace/falco): remove duplicate condition test" 
This reverts commit 0ae61528fb.

Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2025-09-16 09:38:29 +02:00
Samuel Gaist
909122a849 refactor(userspace/falco): remove duplicate condition test 
handled is test a second time for the same while it's already
part of the initial entry condition.

Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2025-09-16 09:38:29 +02:00
Samuel Gaist
e8c527f204 refactor(userspace/falco): comment out unused variable names 
Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2025-09-16 09:38:29 +02:00
Samuel Gaist
179234e08e refactor(userspace/falco): add missing override 
Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2025-09-16 09:38:29 +02:00
Samuel Gaist
d6fde4ac16 refactore(userspace/falco): use static_cast rather than c style cast 
Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2025-09-16 09:38:29 +02:00
Samuel Gaist
cdea5ad35f refactor(userspace/falco): correct variable scope 
Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2025-09-16 09:38:29 +02:00
Samuel Gaist
07438534e7 refactor(userspace/falco): add missing initial value 
Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2025-09-16 09:38:29 +02:00
Samuel Gaist
dadf81ed9d fix(userspace/falco): use correct qualifier for size_t in printf 
Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2025-09-16 09:38:29 +02:00
Samuel Gaist
3b91cb685f refactor(userspace/falco): const correctness 
Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2025-09-16 09:38:29 +02:00
Samuel Gaist
e5654849d4 refactor(userspace/engine): port from asctime to strftime 
Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2025-09-16 09:38:29 +02:00
Samuel Gaist
0cc39ac5e7 refactor(userspace/engine): make constructor explicit 
Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2025-09-16 09:38:29 +02:00
Samuel Gaist
d9f561cd7b refactor(userspace/engine): remove unused variable 
Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2025-09-16 09:38:29 +02:00
Samuel Gaist
668bbfc9de refactor(userpsace/engine): add missing override 
Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2025-09-16 09:38:29 +02:00
Samuel Gaist
4d03686999 refactor(userspace/engine): fix variable scope 
Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2025-09-16 09:38:29 +02:00
Samuel Gaist
2da40e798b refactor(userspace/engine): const correctness 
Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
 2025-09-16 09:38:29 +02:00
Leonardo Grasso
fda1430afb fix(userspace/falco): smart pointer for sinsp_dumper 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2025-08-12 11:25:43 +02:00
Leonardo Grasso
97d88d12f1 chore(userspace/engine): initialize bool member for falco_rule 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2025-08-12 11:25:43 +02:00
Leonardo Grasso
3af03998eb fix(userspace/falco): correct typo in type 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2025-08-12 11:25:43 +02:00
Leonardo Grasso
aa501437a4 fix(userspace/engine): adding capture members to to the rule equility operator 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2025-08-12 11:25:43 +02:00
Leonardo Grasso
504d52e694 fix(userspace/falco): address init ordering warning for falco_configuration 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2025-08-12 11:25:43 +02:00
Leonardo Grasso
8dbd04816d fix(userspace/falco): add "capture" in config schema 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2025-08-12 11:25:43 +02:00
Leonardo Grasso
63d27fbe1b chore: fix formatting 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2025-08-12 11:25:43 +02:00
Leonardo Grasso
81f26b7e5d chore(userspace/falco): fix codespell 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2025-08-12 11:25:43 +02:00
Leonardo Grasso
15e8a746cb new(userspace/falco): capture feature impl 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2025-08-12 11:25:43 +02:00
Leonardo Grasso
a818d48806 new(userspace/falco): add file name generator helper for capture 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2025-08-12 11:25:43 +02:00
Leonardo Grasso
1da5514012 new(userspapace/engine): add capture and capture_duration to the engine 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2025-08-12 11:25:43 +02:00
Leonardo Grasso
21350a282c new(userspapace/engine): add capture and capture_duration to rules loader 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2025-08-12 11:25:43 +02:00
Leonardo Grasso
e6cd74995c new(userspace/falco): config parsing 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2025-08-12 11:25:43 +02:00
Leonardo Grasso
5ebfa1b05b new: add config options and docs for capture feature 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
 2025-08-12 11:25:43 +02:00
Federico Di Pierro
539294595e update(userspace/engine): bump engine version and checksum. 
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
 2025-08-04 17:12:50 +02:00