0.30.2

This patch release fixes the scap driver loader to use env variables with the SYSDIG_ prefix instead of the FALCO_ one.

0.30.1

• update(cmake): bump libs to 0.9.1

0.30.0

Changes

• Built on most recent falcosecurity/libs tag
• Updated plugin API support to latest 2.0.0 version
• Updated scap-driver-loader script with the most recent changes of Falco's driver loader
• Support for ARM64: multiarch packages, container images, and prebuilt-drivers (to be used with scap-driver-loader)
• Enlarged prebuilt driver matrix (5000+ drivers) and support with Falco's Kernel Crawler output
• Support to some new syscalls, and lots of generic events now have a correct syscall name
• More expressive plugin loading experience: detailed info, suggestions on which plugins to be loaded
• Improved some CLI options, such --list, --list-mardown, and -L

0.29.3

Hi everyone! Here is another bugfix release for Sysdig.
It only spots a single commit, but it has 2 bug fixes!

Bug fixes

• print json root "slices" even in minimal build
• always print the json closing char

0.29.2

Hi everyone!
Welcome to yet another bugfix release for the 0.29 cycle.

Bug Fixes

• Fix -z option that did require an extra argument
• Call init_plugins as soon as possible. It fixes using filters on field extracted by system-installed plugins
• Restored plugins support for non-linux builds
• When using a source plugin, force an exit only if the plugin is actually stuck on a next(), not if its working on the close()

Moreover, helper text and man pages were update accordingly.

0.29.1

This is a small bug fix release!

Bug Fixes

• Fix release-rpm job for release

0.29.0

New features

• Full Plugins support! With colored output formatting, because we know you love it!
• Podman support
• Introduced a versioning between libscap and kernel drivers, that will allow in the future to properly tag libs release and avoid rebuilding kernel drivers when their version is not changed.
• Integrated back ~4months worth of work on libs, on par with Falco 0.31.1 release
• New syscalls: mprotect, execveat, copy_file_range, clone3

Bug Fixes

• eBPF fixes
• Security fixes
• Fixed cgroups v2 support in libscap, a bug that prevented pre-existing containers (prior to running sysdig) to be matched with their processes
• Fixed some container events related issues

Plugins info

• Same plugins that are used for Falco can be used for sysdig
• cmd line options, examples:
• • Register any found plugin from supported system folders and use dummy as input source passing to it open params:

$ sysdig -I dummy:'{"start":1,"maxEvents":10}'

• • Load and register dummy source plugin passing to it init config and open params:

sysdig -H dummy:'{"jitter":50}' -I dummy:'{"start":1,"maxEvents":10}'

• Moreover, you can also load plugins using a Falco plugin configuration file, by passing the --plugin-config-file cmdline option ()
• The --help usage text was updated with new informations.

I hope you will enjoy this new Sysdig release as much as we loved bringing it to you!

0.28.0

New Features

This is the first Sysdig release to make full use of the Falco Libs since its donation to the CNCF in 2021.

• The full changeset includes many improvements and features which have been included in Falco for this year's releases.
• The release system has been modified and is now completely open source, based on GitHub actions
• The default Docker image is now based on UBI 8
• By default the event string formatting natively supports colors, in the same way Bash does via \e escape sequences and ANSI Escape Codes if supported by the terminal.

Bug Fixes

• Fixed compilation on MacOS: #1801
• Use "%s"-style format for printf()-style functions for ncurses #1810
• Fixed GIT_TAG for gtest #1815

Note: due to an issue in the release process, a functionally equivalent release was published earlier today but the repositories were not completely updated. Sorry for the inconvenience.

0.27.1

New features

• Support minimal build (no kubernetes, kernel module, eBPF, or container support): -DMINIMAL_BUILD=On
• Support static linking with musl on Alpine Linux: -DMUSL_OPTIMIZED_BUILD=On

Bug fixes

• Improve startup times on systems with lots of containers [#1676]
• Fix paths reported in *at events [#1680, #1695]
• Build fixes for eBPF with recent kernel [#1690]
• Fix Lua out of memory errors with large captures in Sysdig Inspect [#1694]

0.27.0

New features

• Userspace instrumentation support (#1636); see https://github.com/falcosecurity/pdig for more information
• renameat2 support
• Add new filter for open+create/create with exec permissions (#1637)
• Add parent pid to v_procs chisel (#1640)

Bug fixes

• Assorted build fixes (#1672, #1663 and more)