Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog.

Types of changes:

  • Added: for new features.
  • Changed: for changes in existing functionality.
  • Deprecated: for soon-to-be removed features.
  • Removed: for now removed features.
  • Fixed: for any bug fixes.
  • Security: in case of vulnerabilities.

0.5.0 - 2022-10-17

Added

  • Add support for k8s pod and event objects
  • Add jsonpath expression support for policy engine

Changed

  • Bumped UBI version to 8.6-943.1665521450

Fixed

  • Fix bug in exists predicate
  • Fix open_read and open_write macros in ttps.yaml

0.4.4 - 2022-08-01

Added

  • Add rate limiting filter with time decaying

Changed

  • Bump UBI to 8.6-855
  • Update reference to sf-apis

Fixed

  • Fix exists predicate
  • Fix handling of integers and booleans in MatStr function

0.4.3 - 2022-06-21

Changed

  • Update systemd service to include plugindir argument

0.4.2 - 2022-06-10

Changed

  • Add missing host field to ECS encoder

0.4.1 - 2022-05-26

Changed

  • Bumped UBI version to 8.6-754
  • Removed binary package's dkms requirement

0.4.0 - 2022-02-18

Added

  • Support for pluggable actions for policy engine
  • Support for asynchronous policy engine with thread pooling
  • Packaging in deb, rpm, and targz formats
  • Added 14 new MITRE TTP tagging rules
  • Added support for quiet logging mode
  • Added plugin builder image to support plugin development and releases

Changed

  • Added contextual sysflow structure, removed global cache and cache synchronization primitives; refactored handler interface
  • Changed cache keys to OID types
  • BREAKING Changed policy engine modes and action verbs (update policy yaml rule declarations to remove action attribute if used with alert or tag verbs)
    • alert and enrich are now policy engine modes, and action in policy rule declaration is now used for calling action handling plugins
  • Updated the short union strings from gogen-avro
  • Updated CI to automate packaging of release assets with release notes
  • Bump go version to go1.17.7
  • BREAKING Added support for architecture-dependent build (darwin, linux), due to changes in go 1.17 net package
  • Updated findings short description formatting and name convention

Fixed

  • Fixed cache coherence and race condition when updating the cache in the processor plugin; splits the processor plugin into two plugins, reader (which builds the cache) and processor (only reads from cache)
  • Fixed stream socket reader issue introduced with the upgrade to go 1.17

Security

0.3.1 - 2021-09-29

Changed

  • Bumped UBI version to 8.4-211.

0.3.0 - 2021-09-20

Added

  • Support for pluggable export protocols
  • Elastic Common Schema (ECS) export format and Elasticsearch integration
  • Export to IBM Findings API
  • MITRE ATT&CK ttp tagging policy
  • Support for pipeline forking (tee feature)
  • Custom S3 prefix to Findings exporter

Changed

  • Moved away from Dockerhub CI.
  • Optimized JSON export
  • Updated dependencies to latest sf-apis
  • Updated sample policies
  • Refactoring of processor and handling APIs

Fixed

  • Fixes bugs in policy engine related to lists containing quoted strings
  • Fixes several issues in policy engine field mapping

Removed

  • Support for flat JSON schema

0.2.2 - 2020-12-07

Changed

  • Updated dependencies to latest sf-apis.

0.2.1 - 2020-12-02

Fixed

  • Fixes sf.file.oid and sf.file.newoid attribute mapping.

0.2.0 - 2020-12-01

Added

  • Adds lists and macro preprocessing to deal with usage before declarations in input policy language.
  • Adds empty handling for process flow objects.
  • Adds endswith binary operator to policy expression language.
  • Added initial documentation.

Changed

  • Updates the grammar and interpreter to support falco policies.
  • Several refactorings and performance optimizations in policy engine.
  • Tuned filter policy for k8s clusters.

Fixed

  • Fixes module names and package paths.

0.1.0 - 2020-10-30

Added

  • First release of SysFlow Processor.