falco/CHANGELOG.md

Change Log

This file documents all notable changes to Falco. The release numbering uses semantic versioning.

v0.3.0

Released 2016-08-05

Major Changes

Significantly improved performance, involving changes in the falco and sysdig repositories:

• Reordering a rule condition's operators to put likely-to-fail operators at the beginning and expensive operators at the end. [#95] [#104]
• Adding the ability to perform x in (a, b, c, ...) as a single set membership test instead of individual comparisons between x=a, x=b, etc. [#624] [#98]
• Avoid unnecessary string manipulations. [#625]
• Using startswith as a string comparison operator when possible. [#623]
• Use is_open_read/is_open_write when possible instead of searching through open flags. [#610]
• Group rules by event type, which allows for an initial filter using event type before going through each rule's condition. [#627] [#101]

All of these changes result in dramatically reduced CPU usage. Here are some comparisons between 0.2.0 and 0.3.0 for the following workloads:

• Phoronix's pts/apache and pts/dbench tests.
• Sysdig Cloud Kubernetes Demo: Starts a kubernetes environment using docker with apache and wordpress instances + synthetic workloads.
• Juttle-engine examples : Several elasticsearch, node.js, logstash, mysql, postgres, influxdb instances run under docker-compose.

Workload	0.2.0 CPU Usage	0.3.0 CPU Usage
pts/apache	24%	7%
pts/dbench	70%	5%
Kubernetes-Demo (Running)	6%	2%
Kubernetes-Demo (During Teardown)	15%	3%
Juttle-examples	3%	1%

As a part of these changes, falco now prefers rule conditions that have at least one evt.type= operator, at the beginning of the condition, before any negative operators (i.e. not or !=). If a condition does not have any evt.type= operator, falco will log a warning like:

Rule no_evttype: warning (no-evttype):
proc.name=foo
     did not contain any evt.type restriction, meaning it will run for all event types.
     This has a significant performance penalty. Consider adding an evt.type restriction if possible.

If a rule has a evt.type operator in the later portion of the condition, falco will log a warning like:

Rule evttype_not_equals: warning (trailing-evttype):
evt.type!=execve
     does not have all evt.type restrictions at the beginning of the condition,
     or uses a negative match (i.e. "not"/"!=") for some evt.type restriction.
     This has a performance penalty, as the rule can not be limited to specific event types.
     Consider moving all evt.type restrictions to the beginning of the rule and/or
     replacing negative matches with positive matches if possible.

Minor Changes

• Several sets of rule cleanups to reduce false positives. [#95]
• Add example of how falco can detect abuse of a badly designed REST API. [#97]
• Add a new output type "program" that writes a formatted event to a configurable program. Each notification results in one invocation of the program. A common use of this output type would be to send an email for every falco notification. [#105] [#99]
• Add the ability to run falco on all events, including events that are flagged with EF_DROP_FALCO. (These events are high-volume, low-value events that are ignored by default to improve performance). [#107] [#102]

Bug Fixes

• Add third-party jq library now that sysdig requires it. [#96]

v0.2.0

Released 2016-06-09

For full handling of setsid system calls and session id tracking using proc.sname, falco requires a sysdig version >= 0.10.0.

Major Changes

• Add TravisCI regression tests. Testing involves a variety of positive, negative, and informational trace files with both plain and json output. [#76] [#83]
• Fairly big rework of ruleset to improve coverage, reduce false positives, and handle installation environments effectively [#83] [#87]
• Not directly a code change, but mentioning it here--the Wiki has now been populated with an initial set of articles, migrating content from the README and adding detail when necessary. [#90]

Minor Changes

• Improve JSON output to include the rule name, full output string, time, and severity [#89]

Bug Fixes

• Improve CMake quote handling [#84]
• Remove unnecessary NULL check of a delete [#85]

v0.1.0

Released 2016-05-17

Major Changes

• Initial release. Subsequent releases will have "Major Changes", "Minor Changes", and "Bug Fixes" sections, with links to github issues/pull requests as appropriate.