feat(release): Updating notes according to PR

Signed-off-by: Kris Nóva <kris@nivenly.com>

CHANGELOG.md

@@ -1,5 +1,40 @@
 # Change Log
 
+## v0.26.0
+
+Released on 2020-24-09
+
+### Major Changes
+
+* new: driver updated to 2aa88dcf6243982697811df4c1b484bcbe9488a2 [[#1410](https://github.com/falcosecurity/falco/pull/1410)]
+* new(scripts/falco-driver-loader): detect and try to build the Falco kernel module driver using different GCC versions available in the current environment. [[#1408](https://github.com/falcosecurity/falco/pull/1408)]
+* new: tgz (tarball) containing the statically-linked (musl) binary of Falco is now automatically built and published on bintray [[#1377](https://github.com/falcosecurity/falco/pull/1377)]
+
+
+### Minor Changes
+
+* update: bump Falco engine version to 7 [[#1381](https://github.com/falcosecurity/falco/pull/1381)]
+* update: the required_engine_version is now on by default [[#1381](https://github.com/falcosecurity/falco/pull/1381)]
+* update: falcosecurity/falco-no-driver image now uses the statically-linked Falco [[#1377](https://github.com/falcosecurity/falco/pull/1377)]
+* docs(proposals): artifacts storage [[#1375](https://github.com/falcosecurity/falco/pull/1375)]
+* docs(proposals): artifacts cleanup [[#1375](https://github.com/falcosecurity/falco/pull/1375)]
+
+
+
+### Rule Changes
+
+* rule: Address several sources of FPs, primarily from GKE environments. [[#1372](https://github.com/falcosecurity/falco/pull/1372)]
+* rule(macro inbound_outbound): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)]
+* rule(macro redis_writing_conf): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)]
+* rule(macro run_by_foreman): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)]
+* rule(macro consider_packet_socket_communication): enable "Packet socket created in container" rule by default. [[#1402](https://github.com/falcosecurity/falco/pull/1402)]
+* rule(Delete or rename shell history): skip docker overlay filesystems when considering bash history [[#1393](https://github.com/falcosecurity/falco/pull/1393)]
+* rule(Disallowed K8s User): quote colons in user names [[#1393](https://github.com/falcosecurity/falco/pull/1393)]
+* rule(macro falco_sensitive_mount_containers): Adds a trailing slash to avoid repo naming issues [[#1394](https://github.com/falcosecurity/falco/pull/1394)]
+* rule: adds user.loginuid to the default Falco rules that also contain user.name [[#1369](https://github.com/falcosecurity/falco/pull/1369)]
+
+
+
 This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).
 
 ## v0.25.0

CMakeLists.txt

@@ -57,7 +57,7 @@ if(MINIMAL_BUILD)
 endif()
 
 if(MUSL_OPTIMIZED_BUILD)
-  set(MUSL_FLAGS "-static -Os -D__NEED_struct_timespec -D__NEED_time_t")
+  set(MUSL_FLAGS "-static -Os")
 endif()
 
 set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}")

RELEASE.md

@@ -10,8 +10,10 @@ Finally, on the proposed due date the assignees for the upcoming release proceed
 
 ## Pre-Release Checklist
 
+Before cutting a release we need to do some homework in the Falco repository. This should take 5 minutes using the GitHub UI.
+
 ### 1. Release notes
-- Let `YYYY-MM-DD` the day before of the [latest release](https://github.com/falcosecurity/falco/releases)
+- Find the LAST release (-1) and use `YYYY-MM-DD` as the day before of the [latest release](https://github.com/falcosecurity/falco/releases)
 - Check the release note block of every PR matching the `is:pr is:merged closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+closed%3A%3EYYYY-MM-DD)
     - Ensure the release note block follows the [commit convention](https://github.com/falcosecurity/falco/blob/master/CONTRIBUTING.md#commit-convention), otherwise fix its content
     - If the PR has no milestone, assign it to the milestone currently undergoing release
@@ -28,14 +30,15 @@ Finally, on the proposed due date the assignees for the upcoming release proceed
     - If any, manually correct it then open an issue to automate version number bumping later
     - Versions table in the `README.md` update itself automatically
 - Generate the change log https://github.com/leodido/rn2md, or https://fs.fntlnz.wtf/falco/milestones-changelog.txt for the lazy people (it updates every 5 minutes)
-- Add the lastest changes on top the previous `CHANGELOG.md`
+    - If you review timeout errors with `rn2md` try to generate an GitHub Oauth access token and use `-t`
+- Add the latest changes on top the previous `CHANGELOG.md`
 - Submit a PR with the above modifications
 - Await PR approval
-- Close the completed milestone as soon PR is merged
+- Close the completed milestone as soon as the PR is merged
 
 ## Release
 
-Let `x.y.z` the new version.
+Now assume `x.y.z` is the new version.
 
 ### 1. Create a tag
 

cmake/modules/sysdig.cmake

@@ -29,8 +29,8 @@ file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
 # default below In case you want to test against another sysdig version just pass the variable - ie., `cmake
 # -DSYSDIG_VERSION=dev ..`
 if(NOT SYSDIG_VERSION)
-  set(SYSDIG_VERSION "73554b9c48b06612eb50494ee6fa5b779c57edc0") # todo(leogr): set the correct version and checksum before merging
-  set(SYSDIG_CHECKSUM "SHA256=c1c73498a834533dea61c979786a4ac3866743c17829d81aef209ddaa1b31538")
+  set(SYSDIG_VERSION "2aa88dcf6243982697811df4c1b484bcbe9488a2")
+  set(SYSDIG_CHECKSUM "SHA256=a737077543a6f3473ab306b424bcf7385d788149829ed1538252661b0f20d0f6")
 endif()
 set(PROBE_VERSION "${SYSDIG_VERSION}")
 

rules/falco_rules.yaml

@@ -2619,6 +2619,7 @@
   desc: Detect shell history deletion
   condition: >
     (modify and (
+      not evt.arg.name startswith /var/lib/docker and (
       evt.arg.name contains "bash_history" or
       evt.arg.name contains "zsh_history" or
       evt.arg.name contains "fish_read_history" or
@@ -2630,12 +2631,13 @@
       evt.arg.path contains "bash_history" or
       evt.arg.path contains "zsh_history" or
       evt.arg.path contains "fish_read_history" or
-      evt.arg.path endswith "fish_history")) or
+      evt.arg.path endswith "fish_history"))) or
     (open_write and (
+      not fd.name startswith /var/lib/docker and (
       fd.name contains "bash_history" or
       fd.name contains "zsh_history" or
       fd.name contains "fish_read_history" or
-      fd.name endswith "fish_history") and evt.arg.flags contains "O_TRUNC")
+      fd.name endswith "fish_history")) and evt.arg.flags contains "O_TRUNC")
   output: >
     Shell history had been deleted or renamed (user=%user.name user_loginuid=%user.loginuid type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
   priority:
@@ -2859,17 +2861,16 @@
   tags: [container, mitre_execution]
 
 
-# This rule is not enabled by default, as there are legitimate use
-# cases for raw packet. If you want to enable it, modify the
-# following macro.
+# This rule is enabled by default. 
+# If you want to disable it, modify the following macro.
 - macro: consider_packet_socket_communication
-  condition: (never_true)
+  condition: (always_true)
 
 - list: user_known_packet_socket_binaries
   items: []
 
 - rule: Packet socket created in container
-  desc: Detect new packet socket at the device driver (OSI Layer 2) level in a container. Packet socket could be used to do ARP Spoofing by attacker.
+  desc: Detect new packet socket at the device driver (OSI Layer 2) level in a container. Packet socket could be used for ARP Spoofing and privilege escalation(CVE-2020-14386) by attacker.
   condition: evt.type=socket and evt.arg[0]=AF_PACKET and consider_packet_socket_communication and container and not proc.name in (user_known_packet_socket_binaries)
   output: Packet socket was created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline socket_info=%evt.args container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority: NOTICE

rules/k8s_audit_rules.yaml

@@ -49,7 +49,7 @@
     "kubernetes-admin",
     vertical_pod_autoscaler_users,
     cluster-autoscaler,
-    system:addon-manager
+    "system:addon-manager"
     ]
 
 - rule: Disallowed K8s User