Merge remote-tracking branch 'origin/dev'

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

.github/stale.yml

@@ -0,0 +1,19 @@
+# Number of days of inactivity before an issue becomes stale
+daysUntilStale: 60
+# Number of days of inactivity before a stale issue is closed
+daysUntilClose: 7
+# Issues with these labels will never be considered stale
+exemptLabels:
+  - cncf
+  - roadmap
+  - enhancement
+  - "help wanted"
+# Label to use when marking an issue as stale
+staleLabel: wontfix
+# Comment to post when marking an issue as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as stale because it has not had
+  recent activity. It will be closed if no further activity occurs. Thank you
+  for your contributions.
+# Comment to post when closing a stale issue. Set to `false` to disable
+closeComment: false

.gitignore

@@ -18,3 +18,4 @@ docker/event-generator/mysqld
 docker/event-generator/httpd
 docker/event-generator/sha1sum
 docker/event-generator/vipw
+.vscode/*

.travis.yml

@@ -26,31 +26,17 @@ services:
 before_install:
     - sudo apt-get update
 install:
+    - export BRANCH=$(if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then echo $TRAVIS_BRANCH; else echo $TRAVIS_PULL_REQUEST_BRANCH; fi)
     - sudo apt-get install rpm linux-headers-$(uname -r) libelf-dev
     - git clone https://github.com/draios/sysdig.git ../sysdig
-    - sudo apt-get install -y python-pip libvirt-dev jq dkms
-    - cd ..
-    - curl -Lo avocado-36.0-tar.gz https://github.com/avocado-framework/avocado/archive/36.0lts.tar.gz
-    - tar -zxvf avocado-36.0-tar.gz
-    - cd avocado-36.0lts
-    - sed -e 's/libvirt-python>=1.2.9/libvirt-python>=1.2.9,<4.1.0/' < requirements.txt  > /tmp/requirements.txt && mv /tmp/requirements.txt ./requirements.txt
-    - sudo -H pip install -r requirements.txt
-    - sudo python setup.py install
-    - cd ../falco
-before_script:
-    - export KERNELDIR=/lib/modules/$(uname -r)/build
+    # if available, use the branch with the same name in sysdig
+    - pushd ../sysdig && (git checkout "${BRANCH}" || exit 0) && echo "Using sysdig branch:" $(git rev-parse --abbrev-ref HEAD) && popd
 script:
-    - set -e
     - mkdir build
     - cd build
-    - cmake .. -DCMAKE_BUILD_TYPE=$BUILD_TYPE -DDRAIOS_DEBUG_FLAGS="-D_DEBUG -DNDEBUG"
-    - make VERBOSE=1
-    - make package
-    - cp falco*.deb ../docker/local
-    - cd ../docker/local
-    - docker build -t sysdig/falco:test .
-    - cd ../..
-    - sudo test/run_regression_tests.sh $TRAVIS_BRANCH
+    - docker run --user $(id -u):$(id -g) -v /etc/passwd:/etc/passwd:ro -e MAKE_JOBS=4 -v $TRAVIS_BUILD_DIR/..:/source -v $TRAVIS_BUILD_DIR/build:/build falcosecurity/falco-builder cmake
+    - docker run --user $(id -u):$(id -g) -v /etc/passwd:/etc/passwd:ro -e MAKE_JOBS=4 -v $TRAVIS_BUILD_DIR/..:/source -v $TRAVIS_BUILD_DIR/build:/build falcosecurity/falco-builder package
+    - docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v /etc/passwd:/etc/passwd:ro -e MAKE_JOBS=4 -v $TRAVIS_BUILD_DIR/..:/source -v $TRAVIS_BUILD_DIR/build:/build falcosecurity/falco-tester
 notifications:
   webhooks:
     urls:

CHANGELOG.md

@@ -2,6 +2,204 @@
 
 This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).
 
+## v0.15.1
+
+Released 2019-06-07
+
+## Major Changes
+
+* Drop unnecessary events at the kernel level instead of userspace, which should improve performance [[#635](https://github.com/falcosecurity/falco/pull/635)]
+
+## Minor Changes
+
+* Add instructions for k8s audit support in >= 1.13 [[#608](https://github.com/falcosecurity/falco/pull/608)]
+
+* Fix security issues reported by GitHub on Anchore integration [[#592](https://github.com/falcosecurity/falco/pull/592)]
+
+* Several docs/readme improvements [[#620](https://github.com/falcosecurity/falco/pull/620)] [[#616](https://github.com/falcosecurity/falco/pull/616)] [[#631](https://github.com/falcosecurity/falco/pull/631)] [[#639](https://github.com/falcosecurity/falco/pull/639)] [[#642](https://github.com/falcosecurity/falco/pull/642)]
+
+* Better tracking of rule counts per ruleset [[#645](https://github.com/falcosecurity/falco/pull/645)]
+
+## Bug Fixes
+
+* Handle rule patterns that are invalid regexes [[#636](https://github.com/falcosecurity/falco/pull/636)]
+
+* Fix kernel module builds on newer kernels [[#646](https://github.com/falcosecurity/falco/pull/646)] [[#sysdig/1413](https://github.com/draios/sysdig/pull/1413)]
+
+## Rule Changes
+
+* New rule `Launch Remote File Copy Tools in Container` could be used to identify exfiltration attacks [[#600](https://github.com/falcosecurity/falco/pull/600)]
+
+* New rule `Create Symlink Over Sensitive Files` can help detect attacks like [[CVE-2018-15664](https://nvd.nist.gov/vuln/detail/CVE-2018-15664)] [[#613](https://github.com/falcosecurity/falco/pull/613)] [[#637](https://github.com/falcosecurity/falco/pull/637)]
+
+* Let etcd-manager write to /etc/hosts. [[#613](https://github.com/falcosecurity/falco/pull/613)]
+
+* Let additional processes spawned by google-accounts-daemon access sensitive files [[#593](https://github.com/falcosecurity/falco/pull/593)]
+
+* Add Sematext Monitoring & Logging agents to trusted k8s containers [[#594](https://github.com/falcosecurity/falco/pull/594/)]
+
+* Add additional coverage for `Netcat Remote Code Execution in Container` rule. [[#617](https://github.com/falcosecurity/falco/pull/617/)]
+
+* Fix `egrep` typo. [[#617](https://github.com/falcosecurity/falco/pull/617/)]
+
+* Allow Ansible to run using Python 3 [[#625](https://github.com/falcosecurity/falco/pull/625/)]
+
+* Additional `Write below etc` exceptions for nginx, rancher [[#637](https://github.com/falcosecurity/falco/pull/637)] [[#648](https://github.com/falcosecurity/falco/pull/648)] [[#652](https://github.com/falcosecurity/falco/pull/652)]
+
+* Add rules for running with IBM Cloud Kubernetes Service [[#634](https://github.com/falcosecurity/falco/pull/634)]
+
+## v0.15.0
+
+Released 2019-05-13
+
+## Major Changes
+
+* **Actions and alerts for dropped events**: Falco can now take actions, including sending alerts/logging messages, and/or even exiting Falco, when it detects dropped system call events. [[#561](https://github.com/falcosecurity/falco/pull/561)] [[#571](https://github.com/falcosecurity/falco/pull/571)]
+
+* **Support for Containerd/CRI-O**: Falco now supports containerd/cri-o containers. [[#585](https://github.com/falcosecurity/falco/pull/585)] [[#591](https://github.com/falcosecurity/falco/pull/591)] [[#599](https://github.com/falcosecurity/falco/pull/599)] [[#sysdig/1376](https://github.com/draios/sysdig/pull/1376)] [[#sysdig/1310](https://github.com/draios/sysdig/pull/1310)] [[#sysdig/1399](https://github.com/draios/sysdig/pull/1399)]
+
+* **Perform docker metadata fetches asynchronously**: When new containers are discovered, fetch metadata about the container asynchronously, which should significantly reduce the likelihood of dropped system call events. [[#sysdig/1326](https://github.com/draios/sysdig/pull/1326)] [[#550](https://github.com/falcosecurity/falco/pull/550)] [[#570](https://github.com/falcosecurity/falco/pull/570)]
+
+* Better syscall event performance: improve algorithm for reading system call events from kernel module to handle busy event streams [[#sysdig/1372](https://github.com/draios/sysdig/pull/1372)]
+
+* HTTP Output: Falco can now send alerts to http endpoints directly without having to use curl. [[#523](https://github.com/falcosecurity/falco/pull/523)]
+
+* Move Kubernetes Response Engine to own repo: The Kubernetes Response Engine is now in its [own github repository](https://github.com/falcosecurity/kubernetes-response-engine). [[#539](https://github.com/falcosecurity/falco/pull/539)]
+
+* Updated Puppet Module: An all-new puppet module compatible with puppet 4 with a smoother installation process and updated package links. [[#537](https://github.com/falcosecurity/falco/pull/537)] [[#543](https://github.com/falcosecurity/falco/pull/543)] [[#546](https://github.com/falcosecurity/falco/pull/546)]
+
+* RHEL-based falco image: Provide dockerfiles that use RHEL 7 as the base image instead of debian:unstable. [[#544](https://github.com/falcosecurity/falco/pull/544)]
+
+
+## Minor Changes
+
+* ISO-8601 Timestamps: Add the ability to write timestamps in ISO-8601 w/ UTC, and use this format by default when running falco in a container [[#518](https://github.com/falcosecurity/falco/pull/518)]
+
+* Docker-based builder/tester: You can now build Falco using the [falco-builder](https://falco.org/docs/source/#build-using-falco-builder-container) docker image, and run regression tests using the [falco-tester](https://falco.org/docs/source/#test-using-falco-tester-container) docker image. [[#522](https://github.com/falcosecurity/falco/pull/522)] [[#584](https://github.com/falcosecurity/falco/pull/584)]
+
+* Several small docs changes to improve clarity and readibility [[#524](https://github.com/falcosecurity/falco/pull/524)] [[#540](https://github.com/falcosecurity/falco/pull/540)] [[#541](https://github.com/falcosecurity/falco/pull/541)] [[#542](https://github.com/falcosecurity/falco/pull/542)]
+
+* Add instructions on how to enable K8s Audit Logging for kops [[#535](https://github.com/falcosecurity/falco/pull/535)]
+
+* Add a "stale issue" bot that marks and eventually closes old issues with no activity [[#548](https://github.com/falcosecurity/falco/pull/548)]
+
+* Improvements to sample K8s daemonset/service/etc files [[#562](https://github.com/falcosecurity/falco/pull/562)]
+
+## Bug Fixes
+
+* Fix regression that broke json output [[#581](https://github.com/falcosecurity/falco/pull/581)]
+
+* Fix errors when building via docker from MacOS [[#582](https://github.com/falcosecurity/falco/pull/582)]
+
+## Rule Changes
+
+* **Tag rules using Mitre Attack Framework**: Add tags for all relevant rules linking them to the [MITRE Attack Framework](https://attack.mitre.org). We have an associated [blog post](https://sysdig.com/blog/mitre-attck-framework-for-container-runtime-security-with-sysdig-falco/). [[#575](https://github.com/falcosecurity/falco/pull/575)] [[#578](https://github.com/falcosecurity/falco/pull/578)]
+
+* New rules for additional use cases: New rules `Schedule Cron Jobs`, `Update Package Repository`, `Remove Bulk Data from Disk`, `Set Setuid or Setgid bit`, `Detect bash history deletion`, `Create Hidden Files or Directories` look for additional common follow-on activity you might see from an attacker. [[#578](https://github.com/falcosecurity/falco/pull/578)] [[#580](https://github.com/falcosecurity/falco/pull/580)]
+
+* Allow docker's "exe" (usually part of docker save/load) to write to many filesystem locations [[#552](https://github.com/falcosecurity/falco/pull/552)]
+
+* Let puppet write below /etc [[#563](https://github.com/falcosecurity/falco/pull/563)
+
+* Add new `user_known_write_root_conditions`, `user_known_non_sudo_setuid_conditions`, and `user_known_write_monitored_dir_conditions` macros to allow those rules to be easily customized in user rules files [[#563](https://github.com/falcosecurity/falco/pull/563)] [[#566](https://github.com/falcosecurity/falco/pull/566)]
+
+* Better coverage and exceptions for rancher [[#559](https://github.com/falcosecurity/falco/pull/559)]
+
+* Allow prometheus to write to its conf directory under etc [[#564](https://github.com/falcosecurity/falco/pull/564)]
+
+* Better coverage and exceptions for openshift/related tools [[#567](https://github.com/falcosecurity/falco/pull/567)] [[#573](https://github.com/falcosecurity/falco/pull/573)]
+
+* Better coverage for cassandra/kubelet/kops to reduce FPs [[#551](https://github.com/falcosecurity/falco/pull/551)]
+
+* Better coverage for docker, openscap to reduce FPs [[#573](https://github.com/falcosecurity/falco/pull/573)]
+
+* Better coverage for fluentd/jboss to reduce FPs [[#590](https://github.com/falcosecurity/falco/pull/590)]
+
+* Add `ash` (Alpine Linux-related shell) as a shell binary [[#597](https://github.com/falcosecurity/falco/pull/597)]
+
+
+## v0.14.0
+
+Released 2019-02-06
+
+## Major Changes
+
+* Rules versioning support: The falco engine and executable now have an *engine version* that represents the fields they support. Similarly, rules files have an optional *required_engine_version: NNN* object that names the minimum engine version required to read that rules file. Any time the engine adds new fields, event sources, etc, the engine version will be incremented, and any time a rules file starts using new fields, event sources, etc, the required engine version will be incremented. [[#492](https://github.com/falcosecurity/falco/pull/492)]
+
+* Allow SSL for K8s audit endpoint/embedded webserver [[#471](https://github.com/falcosecurity/falco/pull/471)]
+
+* Add stale issues bot that automatically flags old github issues as stale after 60 days of inactivity and closes issues after 67 days of inactivity. [[#500](https://github.com/falcosecurity/falco/pull/500)]
+
+* Support bundle: When run with `--support`, falco will print a json object containing necessary information like falco version, command line, operating system information, and falco rules files contents. This could be useful when reporting issues. [[#517](https://github.com/falcosecurity/falco/pull/517)]
+
+## Minor Changes
+
+* Support new third-party library dependencies from open source sysdig. [[#498](https://github.com/falcosecurity/falco/pull/498)]
+
+* Add CII best practices badge. [[#499](https://github.com/falcosecurity/falco/pull/499)]
+
+* Fix kernel module builds when running on centos as a container by installing gcc 5 by hand instead of directly from debian/unstable. [[#501](https://github.com/falcosecurity/falco/pull/501)]
+
+* Mount `/etc` when running as a container, which allows container to build kernel module/ebpf program on COS/Minikube. [[#475](https://github.com/falcosecurity/falco/pull/475)]
+
+* Improved way to specify the source of generic event objects [[#480](https://github.com/falcosecurity/falco/pull/480)]
+
+* Readability/clarity improvements to K8s Audit/K8s Daemonset READMEs. [[#503](https://github.com/falcosecurity/falco/pull/503)]
+
+* Add additional RBAC permissions to track deployments/daemonsets/replicasets. [[#514](https://github.com/falcosecurity/falco/pull/514)]
+
+## Bug Fixes
+
+* Fix formatting of nodejs examples README [[#502](https://github.com/falcosecurity/falco/pull/502)]
+
+## Rule Changes
+
+* Remove FPs for `Launch Sensitive Mount Container` rule [[#509](https://github.com/falcosecurity/falco/pull/509/files)]
+
+* Update Container rules/macros to use the more reliable `container.image.{repository,tag}` that always return the repository/tag of an image instead of `container.image`, which may not for some docker daemon versions. [[#513](https://github.com/falcosecurity/falco/pull/513)]
+
+## v0.13.1
+
+Released 2019-01-16
+
+## Major Changes
+
+
+## Minor Changes
+
+* Unbuffer outputs by default. This helps make output readable when used in environments like K8s. [[#494](https://github.com/falcosecurity/falco/pull/494)]
+
+* Improved documentation for running Falco within K8s and getting K8s Audit Logging to work with Minikube and Falco as a Daemonset within K8s. [[#496](https://github.com/falcosecurity/falco/pull/496)]
+
+* Fix AWS Permissions for Kubernetes Response Engine [[#465](https://github.com/falcosecurity/falco/pull/465)]
+
+* Tighten compilation flags to include `-Wextra` and `-Werror` [[#479](https://github.com/falcosecurity/falco/pull/479)]
+
+* Add `k8s.ns.name` to outputs when `-pk` argument is used [[#472](https://github.com/falcosecurity/falco/pull/472)]
+
+* Remove kubernetes-response-engine from system:masters [[#488](https://github.com/falcosecurity/falco/pull/488)]
+
+## Bug Fixes
+
+* Ensure `-pc`/`-pk` only apply to syscall rules and not k8s_audit rules [[#495](https://github.com/falcosecurity/falco/pull/495)]
+
+* Fix a potential crash that could occur when using the falco engine and rulesets [[#468](https://github.com/falcosecurity/falco/pull/468)]
+
+* Fix a regression where format output options were mistakenly removed [[#485](https://github.com/falcosecurity/falco/pull/485)]
+
+## Rule Changes
+
+* Fix FPs related to calico and writing files below etc [[#481](https://github.com/falcosecurity/falco/pull/481)]
+
+* Fix FPs related to `apt-config`/`apt-cache`, `apk` [[#490](https://github.com/falcosecurity/falco/pull/490)]
+
+* New rules `Launch Package Management Process in Container`, `Netcat Remote Code Execution in Container`, `Lauch Suspicious Network Tool in Container` look for host-level network tools like `netcat`, package management tools like `apt-get`, or network tool binaries being run in a container. [[#490](https://github.com/falcosecurity/falco/pull/490)]
+
+* Fix the `inbound` and `outbound` macros so they work with sendto/recvfrom/sendmsg/recvmsg. [[#470](https://github.com/falcosecurity/falco/pull/470)]
+
+* Fix FPs related to prometheus/openshift writing config below /etc. [[#470](https://github.com/falcosecurity/falco/pull/470)]
+
+
 ## v0.13.0
 
 Released 2018-11-09

CMakeLists.txt

@@ -19,6 +19,8 @@ cmake_minimum_required(VERSION 2.8.2)
 
 project(falco)
 
+option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags")
+
 if(NOT DEFINED FALCO_VERSION)
 	set(FALCO_VERSION "0.1.1dev")
 endif()
@@ -35,8 +37,15 @@ if(NOT DRAIOS_DEBUG_FLAGS)
 	set(DRAIOS_DEBUG_FLAGS "-D_DEBUG")
 endif()
 
-set(CMAKE_C_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS}")
-set(CMAKE_CXX_FLAGS "-Wall -ggdb --std=c++0x ${DRAIOS_FEATURE_FLAGS}")
+set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS}")
+
+if(BUILD_WARNINGS_AS_ERRORS)
+	set(CMAKE_SUPPRESSED_WARNINGS "-Wno-unused-parameter -Wno-missing-field-initializers -Wno-sign-compare -Wno-type-limits -Wno-implicit-fallthrough -Wno-format-truncation")
+	set(CMAKE_COMMON_FLAGS "${CMAKE_COMMON_FLAGS} -Wextra -Werror ${CMAKE_SUPPRESSED_WARNINGS}")
+endif()
+
+set(CMAKE_C_FLAGS "${CMAKE_COMMON_FLAGS}")
+set(CMAKE_CXX_FLAGS "--std=c++0x ${CMAKE_COMMON_FLAGS}")
 
 set(CMAKE_C_FLAGS_DEBUG "${DRAIOS_DEBUG_FLAGS}")
 set(CMAKE_CXX_FLAGS_DEBUG "${DRAIOS_DEBUG_FLAGS}")
@@ -232,11 +241,9 @@ else()
 	message(STATUS "Using bundled yaml-cpp in '${YAMLCPP_SRC}'")
 	set(YAMLCPP_LIB "${YAMLCPP_SRC}/libyaml-cpp.a")
 	set(YAMLCPP_INCLUDE_DIR "${YAMLCPP_SRC}/include")
-	# Once the next version of yaml-cpp is released (first version not requiring
-	# boost), we can switch to that and no longer pull from github.
 	ExternalProject_Add(yamlcpp
-		GIT_REPOSITORY "https://github.com/jbeder/yaml-cpp.git"
-		GIT_TAG "7d2873ce9f2202ea21b6a8c5ecbc9fe38032c229"
+		URL "https://s3.amazonaws.com/download.draios.com/dependencies/yaml-cpp-yaml-cpp-0.6.2.tar.gz"
+		URL_MD5 "5b943e9af0060d0811148b037449ef82"
 		BUILD_IN_SOURCE 1
 		INSTALL_COMMAND "")
 endif()
@@ -440,10 +447,10 @@ endif()
 
 option(USE_BUNDLED_TBB "Enable building of the bundled tbb" ${USE_BUNDLED_DEPS})
 if(NOT USE_BUNDLED_TBB)
-	find_path(TBB_INCLUDE tbb.h PATH_SUFFIXES tbb)
+	find_path(TBB_INCLUDE_DIR tbb.h PATH_SUFFIXES tbb)
 	find_library(TBB_LIB NAMES tbb)
-	if(TBB_INCLUDE AND TBB_LIB)
-		message(STATUS "Found tbb: include: ${TBB_INCLUDE}, lib: ${TBB_LIB}")
+	if(TBB_INCLUDE_DIR AND TBB_LIB)
+		message(STATUS "Found tbb: include: ${TBB_INCLUDE_DIR}, lib: ${TBB_LIB}")
 	else()
 		message(FATAL_ERROR "Couldn't find system tbb")
 	endif()
@@ -452,7 +459,7 @@ else()
 
 	message(STATUS "Using bundled tbb in '${TBB_SRC}'")
 
-	set(TBB_INCLUDE "${TBB_SRC}/include/")
+	set(TBB_INCLUDE_DIR "${TBB_SRC}/include/")
 	set(TBB_LIB "${TBB_SRC}/build/lib_release/libtbb.a")
 	ExternalProject_Add(tbb
 		URL "http://s3.amazonaws.com/download.draios.com/dependencies/tbb-2018_U5.tar.gz"
@@ -496,12 +503,105 @@ else()
 		INSTALL_COMMAND ${CMD_MAKE} install-lib install-headers PREFIX=${CIVETWEB_SRC}/install WITH_CPP=1)
 endif()
 
+option(USE_BUNDLED_CARES "Enable building of the bundled c-ares" ${USE_BUNDLED_DEPS})
+if(NOT USE_BUNDLED_CARES)
+	find_path(CARES_INCLUDE NAMES cares/ares.h)
+	find_library(CARES_LIB NAMES libcares.a)
+	if(CARES_INCLUDE AND CARES_LIB)
+		message(STATUS "Found c-ares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}")
+	else()
+		message(FATAL_ERROR "Couldn't find system c-ares")
+	endif()
+else()
+	set(CARES_SRC "${PROJECT_BINARY_DIR}/c-ares-prefix/src/c-ares")
+	message(STATUS "Using bundled c-ares in '${CARES_SRC}'")
+	set(CARES_INCLUDE "${CARES_SRC}/target/include")
+	set(CARES_LIB "${CARES_SRC}/target/lib/libcares.a")
+	ExternalProject_Add(c-ares
+		URL "https://download.sysdig.com/dependencies/c-ares-1.13.0.tar.gz"
+		URL_MD5 "d2e010b43537794d8bedfb562ae6bba2"
+		CONFIGURE_COMMAND ./configure --prefix=${CARES_SRC}/target
+		BUILD_COMMAND ${CMD_MAKE}
+		BUILD_IN_SOURCE 1
+		BUILD_BYPRODUCTS ${CARES_INCLUDE} ${CARES_LIB}
+		INSTALL_COMMAND ${CMD_MAKE} install)
+endif()
+
+option(USE_BUNDLED_PROTOBUF "Enable building of the bundled protobuf" ${USE_BUNDLED_DEPS})
+if(NOT USE_BUNDLED_PROTOBUF)
+	find_program(PROTOC NAMES protoc)
+	find_path(PROTOBUF_INCLUDE NAMES google/protobuf/message.h)
+	find_library(PROTOBUF_LIB NAMES libprotobuf.a)
+	if(PROTOC AND PROTOBUF_INCLUDE AND PROTOBUF_LIB)
+		message(STATUS "Found protobuf: compiler: ${PROTOC}, include: ${PROTOBUF_INCLUDE}, lib: ${PROTOBUF_LIB}")
+	else()
+		message(FATAL_ERROR "Couldn't find system protobuf")
+	endif()
+else()
+	set(PROTOBUF_SRC "${PROJECT_BINARY_DIR}/protobuf-prefix/src/protobuf")
+	message(STATUS "Using bundled protobuf in '${PROTOBUF_SRC}'")
+	set(PROTOC "${PROTOBUF_SRC}/target/bin/protoc")
+	set(PROTOBUF_INCLUDE "${PROTOBUF_SRC}/target/include")
+	set(PROTOBUF_LIB "${PROTOBUF_SRC}/target/lib/libprotobuf.a")
+	ExternalProject_Add(protobuf
+		DEPENDS openssl zlib
+		URL "https://github.com/google/protobuf/releases/download/v3.5.0/protobuf-cpp-3.5.0.tar.gz"
+		URL_MD5 "e4ba8284a407712168593e79e6555eb2"
+		# TODO what if using system zlib?
+		CONFIGURE_COMMAND /usr/bin/env CPPFLAGS=-I${ZLIB_INCLUDE} LDFLAGS=-L${ZLIB_SRC} ./configure --with-zlib --prefix=${PROTOBUF_SRC}/target
+		BUILD_COMMAND ${CMD_MAKE}
+		BUILD_IN_SOURCE 1
+		BUILD_BYPRODUCTS ${PROTOC} ${PROTOBUF_INCLUDE} ${PROTOBUF_LIB}
+		# TODO s390x support
+		INSTALL_COMMAND make install)
+endif()
+
+option(USE_BUNDLED_GRPC "Enable building of the bundled grpc" ${USE_BUNDLED_DEPS})
+if(NOT USE_BUNDLED_GRPC)
+	find_path(GRPC_INCLUDE grpc++/impl/codegen/rpc_method.h)
+	find_library(GRPC_LIB NAMES libgrpc_unsecure.a)
+	find_library(GRPCPP_LIB NAMES libgrpc++_unsecure.a)
+	if(GRPC_INCLUDE AND GRPC_LIB AND GRPCPP_LIB)
+		message(STATUS "Found grpc: include: ${GRPC_INCLUDE}, C lib: ${GRPC_LIB}, C++ lib: ${GRPC_PP_LIB}")
+	else()
+		message(FATAL_ERROR "Couldn't find system grpc")
+	endif()
+	find_program(GRPC_CPP_PLUGIN grpc_cpp_plugin)
+	if(NOT GRPC_CPP_PLUGIN)
+		message(FATAL_ERROR "System grpc_cpp_plugin not found")
+	endif()
+else()
+	set(GRPC_SRC "${PROJECT_BINARY_DIR}/grpc-prefix/src/grpc")
+	message(STATUS "Using bundled grpc in '${GRPC_SRC}'")
+	set(GRPC_INCLUDE "${GRPC_SRC}/include")
+	set(GRPC_LIB "${GRPC_SRC}/libs/opt/libgrpc_unsecure.a")
+	set(GRPCPP_LIB "${GRPC_SRC}/libs/opt/libgrpc++_unsecure.a")
+	set(GRPC_CPP_PLUGIN "${GRPC_SRC}/bins/opt/grpc_cpp_plugin")
+
+	get_filename_component(PROTOC_DIR ${PROTOC} DIRECTORY)
+
+	ExternalProject_Add(grpc
+		DEPENDS protobuf zlib c-ares
+		URL "http://download.draios.com/dependencies/grpc-1.8.1.tar.gz"
+		URL_MD5 "2fc42c182a0ed1b48ad77397f76bb3bc"
+		CONFIGURE_COMMAND ""
+		# TODO what if using system openssl, protobuf or cares?
+		BUILD_COMMAND HAS_SYSTEM_ZLIB=false LDFLAGS=-static PATH=${PROTOC_DIR}:$ENV{PATH} PKG_CONFIG_PATH=${OPENSSL_BUNDLE_DIR}:${PROTOBUF_SRC}:${CARES_SRC} make grpc_cpp_plugin static_cxx static_c
+		BUILD_IN_SOURCE 1
+		BUILD_BYPRODUCTS ${GRPC_LIB} ${GRPCPP_LIB}
+		# TODO s390x support
+		# TODO what if using system zlib
+		PATCH_COMMAND rm -rf third_party/zlib && ln -s ${ZLIB_SRC} third_party/zlib && wget https://download.sysdig.com/dependencies/grpc-1.1.4-Makefile.patch && patch < grpc-1.1.4-Makefile.patch
+		INSTALL_COMMAND "")
+endif()
 
 
 install(FILES falco.yaml
 	DESTINATION "${FALCO_ETC_DIR}")
 
+add_subdirectory(test)
 add_subdirectory(rules)
+add_subdirectory(docker)
 
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 	add_subdirectory("${SYSDIG_DIR}/driver" "${PROJECT_BINARY_DIR}/driver")

GOVERNANCE

@@ -22,11 +22,11 @@
 * Triage GitHub issues and perform pull request reviews for other maintainers and the community.
 * During GitHub issue triage, apply all applicable [labels](https://github.com/falcosecurity/falco/labels)
   to each new issue. Labels are extremely useful for future issue follow up. Which labels to apply
-  is somewhat subjective so just use your best judgment. 
+  is somewhat subjective so just use your best judgment.
 * Make sure that ongoing PRs are moving forward at the right pace or closing them.
-* Participate when called upon in the security releases. Note that although this should be a rare 
+* Participate when called upon in the security releases. Note that although this should be a rare
   occurrence, if a serious vulnerability is found, the process may take up to several full days of
-  work to implement. This reality should be taken into account when discussing time commitment 
+  work to implement. This reality should be taken into account when discussing time commitment
   obligations with employers.
 * In general continue to be willing to spend at least 25% of ones time working on Falco (~1.25
   business days per week).

MAINTAINERS

@@ -1,9 +1,11 @@
 Current maintainers:
 @mstemm - Mark Stemm <mark.stemm@sysdig.com>
 @ldegio - Loris Degioanni <loris@sysdig.com>
+@fntlnz - Lorenzo Fontana <lo@sysdig.com>
+@leodido - Leonardo Di Donato <leo@sysdig.com>
 
 Community Mangement:
 @mfdii - Michael Ducy <michael@sysdig.com>
 
 Emeritus maintainers:
-@henridf - Henri Dubois-Ferriere <henri.dubois-ferriere@sysdig.com>
+@henridf - Henri Dubois-Ferriere <henri.dubois-ferriere@sysdig.com>

README.md

@@ -2,42 +2,44 @@
 
 #### Latest release
 
-**v0.13.0**
+**v0.15.1**
 Read the [change log](https://github.com/falcosecurity/falco/blob/dev/CHANGELOG.md)
 
-Dev Branch: [![Build Status](https://travis-ci.org/falcosecurity/falco.svg?branch=dev)](https://travis-ci.org/falcosecurity/falco)<br />
-Master Branch: [![Build Status](https://travis-ci.org/falcosecurity/falco.svg?branch=master)](https://travis-ci.org/falcosecurity/falco)
+Dev Branch: [![Build Status](https://travis-ci.com/falcosecurity/falco.svg?branch=dev)](https://travis-ci.com/falcosecurity/falco)<br />
+Master Branch: [![Build Status](https://travis-ci.com/falcosecurity/falco.svg?branch=master)](https://travis-ci.com/falcosecurity/falco)<br />
+CII Best Practices: [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/2317/badge)](https://bestpractices.coreinfrastructure.org/projects/2317)
+
 
 ## Overview
-Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Powered by [sysdig’s](https://github.com/draios/sysdig) system call capture infrastructure, Falco lets you continuously monitor and detect container, application, host, and network activity... all in one place, from one source of data, with one set of rules.
+Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Powered by [sysdig’s](https://github.com/draios/sysdig) system call capture infrastructure, Falco lets you continuously monitor and detect container, application, host, and network activity—all in one place—from one source of data, with one set of rules.
 
 Falco is hosted by the Cloud Native Computing Foundation (CNCF) as a sandbox level project. If you are an organization that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF. For details read the [Falco CNCF project proposal](https://github.com/cncf/toc/tree/master/proposals/falco.adoc).
 
 #### What kind of behaviors can Falco detect?
 
-Falco can detect and alert on any behavior that involves making Linux system calls. Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process. For example, you can easily detect things like:
+Falco can detect and alert on any behavior that involves making Linux system calls. Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process. For example, Falco can easily detect incidents including but not limited to:
 
-- A shell is run inside a container
-- A container is running in privileged mode, or is mounting a sensitive path like `/proc` from the host.
-- A server process spawns a child process of an unexpected type
-- Unexpected read of a sensitive file (like `/etc/shadow`)
-- A non-device file is written to `/dev`
-- A standard system binary (like `ls`) makes an outbound network connection
+- A shell is running inside a container.
+- A container is running in privileged mode, or is mounting a sensitive path, such as `/proc`, from the host.
+- A server process is spawning a child process of an unexpected type.
+- Unexpected read of a sensitive file, such as `/etc/shadow`.
+- A non-device file is written to `/dev`.
+- A standard system binary, such as `ls`, is making an outbound network connection.
 
-#### How Falco Compares to Other Security Tools like SELinux, Auditd, etc.
+#### How do you compare Falco with other security tools?
 
-One of the questions we often get when we talk about Falco is “How does it compare to other tools like SELinux, AppArmor, Auditd, etc. that also have security policies?”. We wrote a [blog post](https://sysdig.com/blog/selinux-seccomp-falco-technical-discussion/) comparing Falco to other tools.
+One of the questions we often get when we talk about Falco is “How does Falco differ from other Linux security tools such as SELinux, AppArmor, Auditd, etc.?”. We wrote a [blog post](https://sysdig.com/blog/selinux-seccomp-falco-technical-discussion/) comparing Falco with other tools.
 
 
 Documentation
 ---
-[Visit the wiki](https://github.com/falcosecurity/falco/wiki) for full documentation on falco.
+See [Falco Documentation](https://falco.org/docs/) to quickly get started using Falco.
 
 Join the Community
 ---
 * [Website](https://falco.org) for Falco.
 * We are working on a blog for the Falco project. In the meantime you can find [Falco](https://sysdig.com/blog/tag/falco/) posts over on the Sysdig blog.
-* Join our [Public Slack](https://slack.sysdig.com) channel for open source sysdig and Falco announcements and discussions.
+* Join our [Public Slack](https://slack.sysdig.com) channel for open source Sysdig and Falco announcements and discussions.
 
 License Terms
 ---
@@ -46,11 +48,11 @@ Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
 Contributor License Agreements
 ---
 ### Background
- We are formalizing the way that we accept contributions of code from the contributing community. We must now ask that contributions to falco be provided subject to the terms and conditions of a [Contributor License Agreement (CLA)](./cla). The CLA comes in two forms, applicable to contributions by individuals, or by legal entities such as corporations and their employees. We recognize that entering into a CLA with us involves real consideration on your part, and we’ve tried to make this process as clear and simple as possible.
+We are formalizing the way that we accept contributions of code from the contributing community. We must now ask that contributions to falco be provided subject to the terms and conditions of a [Contributor License Agreement (CLA)](./cla). The CLA comes in two forms, applicable to contributions by individuals, or by legal entities such as corporations and their employees. We recognize that entering into a CLA with us involves real consideration on your part, and we’ve tried to make this process as clear and simple as possible.
 
- We’ve modeled our CLA off of industry standards, such as [the CLA used by Kubernetes](https://github.com/kubernetes/kubernetes/blob/master/CONTRIBUTING.md). Note that this agreement is not a transfer of copyright ownership, this simply is a license agreement for contributions, intended to clarify the intellectual property license granted with contributions from any person or entity. It is for your protection as a contributor as well as the protection of falco; it does not change your rights to use your own contributions for any other purpose.
+We’ve modeled our CLA off of industry standards, such as [the CLA used by Kubernetes](https://github.com/kubernetes/kubernetes/blob/master/CONTRIBUTING.md). Note that this agreement is not a transfer of copyright ownership, this simply is a license agreement for contributions, intended to clarify the intellectual property license granted with contributions from any person or entity. It is for your protection as a contributor as well as the protection of falco; it does not change your rights to use your own contributions for any other purpose.
 
- For some background on why contributor license agreements are necessary, you can read FAQs from many other open source projects:
+For some background on why contributor license agreements are necessary, you can read FAQs from many other open source projects:
 
 - [Django’s excellent CLA FAQ](https://www.djangoproject.com/foundation/cla/faq/)
 - [A well-written chapter from Karl Fogel’s Producing Open Source Software on CLAs](http://producingoss.com/en/copyright-assignment.html)
@@ -60,6 +62,8 @@ As always, we are grateful for your past and present contributions to falco.
 
 ### What do I need to do in order to contribute code?
 
+At first, you need to make the changes based on the dev branch not the master branch.
+
 **Individual contributions**: Individuals who wish to make contributions must review the [Individual Contributor License Agreement](./cla/falco_contributor_agreement.txt) and indicate agreement by adding the following line to every GIT commit message:
 
 ```

docker/CMakeLists.txt

@@ -0,0 +1 @@
+add_subdirectory(local)

docker/builder/Dockerfile

@@ -0,0 +1,52 @@
+FROM centos:6
+
+ENV FALCO_VERSION 0.1.1dev
+ENV BUILD_TYPE Release
+ENV BUILD_DRIVER OFF
+ENV BUILD_BPF OFF
+ENV BUILD_WARNINGS_AS_ERRORS ON
+ENV MAKE_JOBS 4
+
+# copied from builder script
+RUN curl -o /etc/yum.repos.d/devtools-2.repo https://people.centos.org/tru/devtools-2/devtools-2.repo && \
+    rpm -i http://mirror.pnl.gov/epel/6/i386/epel-release-6-8.noarch.rpm && \
+    sed -e 's,$basearch,i386,' -e 's,$releasever\],$releasever-i686\],' /etc/yum.repos.d/devtools-2.repo > /etc/yum.repos.d/devtools-2-i686.repo && \
+    yum -y install \
+        createrepo \
+        devtoolset-2-toolchain \
+        dpkg \
+        dpkg-devel \
+        expect \
+        gcc \
+        gcc-c++ \
+        git \
+        glibc-static \
+	libcurl-devel \
+        make \
+	curl \
+	libcurl-devel \
+	zlib-devel \
+        pkg-config \
+        rpm-build \
+        unzip \
+        wget \
+        tar \
+        autoconf \
+        automake \
+        libtool && \
+    yum -y install \
+        glibc-devel.i686 \
+        devtoolset-2-libstdc++-devel.i686 \
+        devtoolset-2-elfutils-libelf-devel && \
+    yum clean all
+RUN curl -o docker.tgz https://get.docker.com/builds/Linux/x86_64/docker-1.11.0.tgz && \
+    tar xfz docker.tgz docker/docker && \
+    mv docker/docker /usr/local/bin/docker && \
+    chmod +x /usr/local/bin/docker && \
+    rm -fr docker.tgz docker/
+
+# TEMPORARY until dependencies in CMakeLists.txt are fixed
+RUN yum -y install libyaml-devel
+COPY entrypoint.sh /
+
+ENTRYPOINT ["/entrypoint.sh"]

docker/builder/entrypoint.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+SOURCE_DIR=/source
+BUILD_DIR=/build
+TASK=${1:-all}
+
+MANPATH=
+
+. /opt/rh/devtoolset-2/enable
+
+# Download and install cmake if not downloaded
+CMAKE_DIR=$BUILD_DIR/cmake
+if [ ! -e $CMAKE_DIR ]; then
+    cd $BUILD_DIR
+    mkdir -p $BUILD_DIR/cmake
+    wget -nv https://s3.amazonaws.com/download.draios.com/dependencies/cmake-3.3.2.tar.gz
+    tar -C $CMAKE_DIR --strip-components 1 -xzf cmake-3.3.2.tar.gz
+    cd $CMAKE_DIR
+    ./bootstrap --system-curl
+    make -j$MAKE_JOBS
+fi
+
+if [ $TASK == "cmake" ]; then
+    mkdir -p $BUILD_DIR/$BUILD_TYPE
+    cd $BUILD_DIR/$BUILD_TYPE
+    $CMAKE_DIR/bin/cmake -DCMAKE_BUILD_TYPE=$BUILD_TYPE -DFALCO_VERSION=$FALCO_VERSION -DCMAKE_INSTALL_PREFIX=/usr -DBUILD_DRIVER=${BUILD_DRIVER} -DBUILD_BPF=${BUILD_BPF} -DBUILD_WARNINGS_AS_ERRORS=${BUILD_WARNINGS_AS_ERRORS} $SOURCE_DIR/falco
+    exit 0
+fi
+
+if [ $TASK == "bash" ]; then
+    exec /bin/bash
+fi
+
+cd $BUILD_DIR/$BUILD_TYPE
+make -j$MAKE_JOBS $TASK
+
+
+

docker/dev/Dockerfile

@@ -24,8 +24,6 @@ RUN apt-get update \
 	dkms \
 	gnupg2 \
 	gcc \
-	gcc-5 \
-	gcc-6 \
 	gdb \
 	jq \
 	libc6-dev \
@@ -35,6 +33,39 @@ RUN apt-get update \
 	xz-utils \
  && rm -rf /var/lib/apt/lists/*
 
+# gcc 6 is no longer included in debian unstable, but we need it to
+# build kernel modules on the default debian-based ami used by
+# kops. So grab copies we've saved from debian snapshots with the
+# prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
+# or so.
+
+RUN curl -o cpp-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/cpp-6_6.3.0-18_amd64.deb \
+    && curl -o gcc-6-base_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6-base_6.3.0-18_amd64.deb \
+    && curl -o gcc-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6_6.3.0-18_amd64.deb \
+    && curl -o libasan3_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libasan3_6.3.0-18_amd64.deb \
+    && curl -o libcilkrts5_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libcilkrts5_6.3.0-18_amd64.deb \
+    && curl -o libgcc-6-dev_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libgcc-6-dev_6.3.0-18_amd64.deb \
+    && curl -o libubsan0_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libubsan0_6.3.0-18_amd64.deb \
+    && curl -o libmpfr4_3.1.3-2_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libmpfr4_3.1.3-2_amd64.deb \
+    && curl -o libisl15_0.18-1_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libisl15_0.18-1_amd64.deb \
+    && dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
+    && rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
+
+# gcc 5 is no longer included in debian unstable, but we need it to
+# build centos kernels, which are 3.x based and explicitly want a gcc
+# version 3, 4, or 5 compiler. So grab copies we've saved from debian
+# snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
+
+RUN curl -o cpp-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/cpp-5_5.5.0-12_amd64.deb \
+ && curl -o gcc-5-base_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
+ && curl -o gcc-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5_5.5.0-12_amd64.deb \
+ && curl -o libasan2_5.5.0-12_amd64.deb	https://s3.amazonaws.com/download.draios.com/dependencies/libasan2_5.5.0-12_amd64.deb \
+ && curl -o libgcc-5-dev_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
+ && curl -o libisl15_0.18-4_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libisl15_0.18-4_amd64.deb \
+ && curl -o libmpx0_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libmpx0_5.5.0-12_amd64.deb \
+ && dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
+ && rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
+
 # Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
 # default to gcc-5.
 RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc
@@ -51,6 +82,11 @@ RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public |
  && apt-get clean \
  && rm -rf /var/lib/apt/lists/*
 
+# Change the falco config within the container to enable ISO 8601
+# output.
+RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
+ && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
+
 # Some base images have an empty /lib/modules by default
 # If it's not empty, docker build will fail instead of
 # silently overwriting the existing directory
@@ -60,14 +96,15 @@ RUN rm -df /lib/modules \
 # debian:unstable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -s -o binutils_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils_2.30-22_amd64.deb \
- && curl -s -o libbinutils_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/libbinutils_2.30-22_amd64.deb \
- && curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
- && curl -s -o binutils-common_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils-common_2.30-22_amd64.deb \
- && dpkg -i *binutils*.deb
+RUN curl -s -o binutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils_2.30-22_amd64.deb \
+ && curl -s -o libbinutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libbinutils_2.30-22_amd64.deb \
+ && curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+ && curl -s -o binutils-common_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-common_2.30-22_amd64.deb \
+ && dpkg -i *binutils*.deb \
+ && rm -f *binutils*.deb
 
 COPY ./docker-entrypoint.sh /
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
 
-CMD ["/usr/bin/falco"]
+CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/local/CMakeLists.txt

@@ -0,0 +1,17 @@
+add_subdirectory(traces)
+add_subdirectory(rules)
+
+add_custom_target(local-Dockerfile ALL
+	DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/Dockerfile)
+
+add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/Dockerfile
+	COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_SOURCE_DIR}/Dockerfile ${CMAKE_CURRENT_BINARY_DIR}/Dockerfile
+	DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/Dockerfile)
+
+add_custom_target(local-docker-entrypoint ALL
+	DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/docker-entrypoint)
+
+add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/docker-entrypoint
+	COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_SOURCE_DIR}/docker-entrypoint.sh ${CMAKE_CURRENT_BINARY_DIR}/docker-entrypoint.sh
+	DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/docker-entrypoint.sh)
+

docker/local/Dockerfile

@@ -2,7 +2,8 @@ FROM debian:unstable
 
 LABEL maintainer="Sysdig <support@sysdig.com>"
 
-ENV FALCO_VERSION 0.1.1dev
+ARG FALCO_VERSION=0.1.1dev
+ENV FALCO_VERSION ${FALCO_VERSION}
 
 LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
 
@@ -24,8 +25,6 @@ RUN apt-get update \
 	dkms \
 	gnupg2 \
 	gcc \
-	gcc-5 \
-	gcc-6 \
 	jq \
 	libc6-dev \
 	libelf-dev \
@@ -34,6 +33,39 @@ RUN apt-get update \
 	xz-utils \
  && rm -rf /var/lib/apt/lists/*
 
+# gcc 6 is no longer included in debian unstable, but we need it to
+# build kernel modules on the default debian-based ami used by
+# kops. So grab copies we've saved from debian snapshots with the
+# prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
+# or so.
+
+RUN curl -o cpp-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/cpp-6_6.3.0-18_amd64.deb \
+    && curl -o gcc-6-base_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6-base_6.3.0-18_amd64.deb \
+    && curl -o gcc-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6_6.3.0-18_amd64.deb \
+    && curl -o libasan3_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libasan3_6.3.0-18_amd64.deb \
+    && curl -o libcilkrts5_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libcilkrts5_6.3.0-18_amd64.deb \
+    && curl -o libgcc-6-dev_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libgcc-6-dev_6.3.0-18_amd64.deb \
+    && curl -o libubsan0_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libubsan0_6.3.0-18_amd64.deb \
+    && curl -o libmpfr4_3.1.3-2_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libmpfr4_3.1.3-2_amd64.deb \
+    && curl -o libisl15_0.18-1_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libisl15_0.18-1_amd64.deb \
+    && dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
+    && rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
+
+# gcc 5 is no longer included in debian unstable, but we need it to
+# build centos kernels, which are 3.x based and explicitly want a gcc
+# version 3, 4, or 5 compiler. So grab copies we've saved from debian
+# snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
+
+RUN curl -o cpp-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/cpp-5_5.5.0-12_amd64.deb \
+ && curl -o gcc-5-base_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
+ && curl -o gcc-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5_5.5.0-12_amd64.deb \
+ && curl -o libasan2_5.5.0-12_amd64.deb	https://s3.amazonaws.com/download.draios.com/dependencies/libasan2_5.5.0-12_amd64.deb \
+ && curl -o libgcc-5-dev_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
+ && curl -o libisl15_0.18-4_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libisl15_0.18-4_amd64.deb \
+ && curl -o libmpx0_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libmpx0_5.5.0-12_amd64.deb \
+ && dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
+ && rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
+
 # Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
 # default to gcc-5.
 RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc
@@ -52,14 +84,25 @@ RUN rm -df /lib/modules \
 ADD falco-${FALCO_VERSION}-x86_64.deb /
 RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
 
+# Change the falco config within the container to enable ISO 8601
+# output.
+RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
+ && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
+
 # debian:unstable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -s -o binutils_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils_2.30-22_amd64.deb \
- && curl -s -o libbinutils_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/libbinutils_2.30-22_amd64.deb \
- && curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
- && curl -s -o binutils-common_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils-common_2.30-22_amd64.deb \
- && dpkg -i *binutils*.deb
+RUN curl -s -o binutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils_2.30-22_amd64.deb \
+ && curl -s -o libbinutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libbinutils_2.30-22_amd64.deb \
+ && curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+ && curl -s -o binutils-common_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-common_2.30-22_amd64.deb \
+ && dpkg -i *binutils*.deb \
+ && rm -f *binutils*.deb
+
+# The local container also copies some test trace files and
+# corresponding rules that are used when running regression tests.
+COPY rules/*.yaml /rules/
+COPY traces/*.scap /traces/
 
 COPY ./docker-entrypoint.sh /
 

docker/local/rules/CMakeLists.txt

@@ -0,0 +1,13 @@
+# Note: list of rules is created at cmake time, not build time
+file(GLOB test_rule_files
+	"${CMAKE_CURRENT_SOURCE_DIR}/../../../test/rules/*.yaml")
+
+foreach(rule_file_path ${test_rule_files})
+	get_filename_component(rule_file ${rule_file_path} NAME)
+	add_custom_target(docker-local-rule-${rule_file} ALL
+		DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${rule_file})
+	add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${rule_file}
+		COMMAND ${CMAKE_COMMAND} -E copy ${rule_file_path} ${CMAKE_CURRENT_BINARY_DIR}/${rule_file}
+		DEPENDS ${rule_file_path})
+endforeach()
+

docker/local/traces/CMakeLists.txt

@@ -0,0 +1,13 @@
+# Note: list of traces is created at cmake time, not build time
+file(GLOB test_trace_files
+	"${CMAKE_CURRENT_SOURCE_DIR}/../../../test/trace_files/*.scap")
+
+foreach(trace_file_path ${test_trace_files})
+	get_filename_component(trace_file ${trace_file_path} NAME)
+	add_custom_target(docker-local-trace-${trace_file} ALL
+		DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${trace_file})
+	add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
+		COMMAND ${CMAKE_COMMAND} -E copy ${trace_file_path} ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
+		DEPENDS ${trace_file_path})
+endforeach()
+

docker/rhel/Dockerfile

@@ -0,0 +1,38 @@
+FROM registry.access.redhat.com/rhel7
+
+MAINTAINER Sysdig Support Team <support@sysdig.com>
+
+### Atomic/OpenShift Labels - https://github.com/projectatomic/ContainerApplicationGenericLabels
+LABEL name="falco" \
+      vendor="Sysdig" \
+      url="http://falco.org/" \
+      summary="Container Native runtime security" \
+      description="Falco is an open source project for intrusion and abnormality detection for Cloud Native platforms." \
+      run='docker run -d --name falco --restart always --privileged --net host --pid host -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --shm-size=350m registry.connect.redhat.com/sysdig/falco'
+
+COPY help.md /tmp/
+
+ENV SYSDIG_HOST_ROOT /host
+ENV HOME /root
+
+ADD http://download.draios.com/stable/rpm/draios.repo /etc/yum.repos.d/draios.repo
+RUN rpm --import https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public && \
+    rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && \
+    yum clean all && \
+    REPOLIST=rhel-7-server-rpms,rhel-7-server-optional-rpms,epel,draios \
+    INSTALL_PKGS="gcc dkms kernel-devel kernel-headers python golang-github-cpuguy83-go-md2man falco" && \
+    yum -y update-minimal --disablerepo "*" --enablerepo ${REPOLIST} --setopt=tsflags=nodocs \
+      --security --sec-severity=Important --sec-severity=Critical && \
+    yum -y install --disablerepo "*" --enablerepo ${REPOLIST} --setopt=tsflags=nodocs ${INSTALL_PKGS} && \
+### help file markdown to man conversion
+    go-md2man -in /tmp/help.md -out /help.1 && \
+### we delete everything on /usr/src/kernels otherwise it messes up docker-entrypoint.sh
+    rm -fr /usr/src/kernels && \
+    rm -df /lib/modules && ln -s $SYSDIG_HOST_ROOT/lib/modules /lib/modules && \
+    yum clean all
+
+COPY ./docker-entrypoint.sh /
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+
+CMD ["/usr/bin/falco"]

docker/rhel/docker-entrypoint.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+#
+# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+#
+# This file is part of falco.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+#set -e
+
+# Set the SYSDIG_SKIP_LOAD variable to skip loading the sysdig kernel module
+
+if [[ -z "${SYSDIG_SKIP_LOAD}" ]]; then
+    echo "* Setting up /usr/src links from host"
+
+    for i in $(ls $SYSDIG_HOST_ROOT/usr/src)
+    do
+        ln -s $SYSDIG_HOST_ROOT/usr/src/$i /usr/src/$i
+    done
+
+    /usr/bin/falco-probe-loader
+fi
+
+exec "$@"

docker/rhel/help.md

@@ -0,0 +1,15 @@
+% falco (1) Container Image Pages
+% Falco Team
+% June, 2017
+
+# NAME
+falco \- Container Native runtime security
+
+# DESCRIPTION
+Falco is an open source project for intrusion and abnormality detection for Cloud Native platforms. See Falco website for more information: http://falco.org/
+
+# EXAMPLE
+    docker run -d --name falco --restart always --privileged --net host --pid host -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --shm-size=350m registry.connect.redhat.com/sysdig/falco
+
+# AUTHORS
+Falco Team

docker/stable/Dockerfile

@@ -24,8 +24,6 @@ RUN apt-get update \
 	dkms \
 	gnupg2 \
 	gcc \
-	gcc-5 \
-	gcc-6 \
 	jq \
 	libc6-dev \
 	libelf-dev \
@@ -34,6 +32,39 @@ RUN apt-get update \
 	xz-utils \
  && rm -rf /var/lib/apt/lists/*
 
+# gcc 6 is no longer included in debian unstable, but we need it to
+# build kernel modules on the default debian-based ami used by
+# kops. So grab copies we've saved from debian snapshots with the
+# prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
+# or so.
+
+RUN curl -o cpp-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/cpp-6_6.3.0-18_amd64.deb \
+    && curl -o gcc-6-base_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6-base_6.3.0-18_amd64.deb \
+    && curl -o gcc-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6_6.3.0-18_amd64.deb \
+    && curl -o libasan3_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libasan3_6.3.0-18_amd64.deb \
+    && curl -o libcilkrts5_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libcilkrts5_6.3.0-18_amd64.deb \
+    && curl -o libgcc-6-dev_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libgcc-6-dev_6.3.0-18_amd64.deb \
+    && curl -o libubsan0_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libubsan0_6.3.0-18_amd64.deb \
+    && curl -o libmpfr4_3.1.3-2_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libmpfr4_3.1.3-2_amd64.deb \
+    && curl -o libisl15_0.18-1_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libisl15_0.18-1_amd64.deb \
+    && dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
+    && rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
+
+# gcc 5 is no longer included in debian unstable, but we need it to
+# build centos kernels, which are 3.x based and explicitly want a gcc
+# version 3, 4, or 5 compiler. So grab copies we've saved from debian
+# snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
+
+RUN curl -o cpp-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/cpp-5_5.5.0-12_amd64.deb \
+ && curl -o gcc-5-base_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
+ && curl -o gcc-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5_5.5.0-12_amd64.deb \
+ && curl -o libasan2_5.5.0-12_amd64.deb	https://s3.amazonaws.com/download.draios.com/dependencies/libasan2_5.5.0-12_amd64.deb \
+ && curl -o libgcc-5-dev_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
+ && curl -o libisl15_0.18-4_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libisl15_0.18-4_amd64.deb \
+ && curl -o libmpx0_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libmpx0_5.5.0-12_amd64.deb \
+ && dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
+ && rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
+
 # Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
 # default to gcc-5.
 RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc
@@ -50,6 +81,11 @@ RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public |
  && apt-get clean \
  && rm -rf /var/lib/apt/lists/*
 
+# Change the falco config within the container to enable ISO 8601
+# output.
+RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
+ && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
+
 # Some base images have an empty /lib/modules by default
 # If it's not empty, docker build will fail instead of
 # silently overwriting the existing directory
@@ -59,11 +95,12 @@ RUN rm -df /lib/modules \
 # debian:unstable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -s -o binutils_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils_2.30-22_amd64.deb \
- && curl -s -o libbinutils_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/libbinutils_2.30-22_amd64.deb \
- && curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
- && curl -s -o binutils-common_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils-common_2.30-22_amd64.deb \
- && dpkg -i *binutils*.deb
+RUN curl -s -o binutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils_2.30-22_amd64.deb \
+ && curl -s -o libbinutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libbinutils_2.30-22_amd64.deb \
+ && curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+ && curl -s -o binutils-common_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-common_2.30-22_amd64.deb \
+ && dpkg -i *binutils*.deb \
+ && rm -f *binutils*.deb
 
 COPY ./docker-entrypoint.sh /
 

docker/tester/Dockerfile

@@ -0,0 +1,17 @@
+FROM centos:7
+
+ENV FALCO_VERSION 0.1.1dev
+ENV BUILD_TYPE Release
+
+RUN yum -y install epel-release && \
+    yum -y install \
+      python-pip \
+      docker \
+      jq \
+      unzip
+
+RUN pip install avocado-framework avocado-framework-plugin-varianter-yaml-to-mux
+
+COPY entrypoint.sh /
+
+ENTRYPOINT ["/entrypoint.sh"]

docker/tester/entrypoint.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+SOURCE_DIR=/source
+BUILD_DIR=/build
+TASK=${1:-test}
+
+if [ $TASK == "test" ]; then
+    echo "Building local docker image falcosecurity/falco:test from latest debian package..."
+    cp $BUILD_DIR/$BUILD_TYPE/falco*.deb $BUILD_DIR/$BUILD_TYPE/docker/local
+    cd $BUILD_DIR/$BUILD_TYPE/docker/local && docker build --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:test .
+
+    echo "Running regression tests"
+    cd $SOURCE_DIR/falco/test
+    bash run_regression_tests.sh $BUILD_DIR/$BUILD_TYPE
+
+    docker rmi falcosecurity/falco:test || true
+    exit 0
+fi
+
+if [ $TASK == "bash" ]; then
+    exec /bin/bash
+fi

examples/bad-mount-cryptomining/attacker_files/minerd

@@ -5,4 +5,3 @@ while true; do
       sleep 60
 done
 
-      

examples/bad-mount-cryptomining/demo.yml

@@ -26,8 +26,8 @@ services:
       - ${PWD}/attacker_files:/usr/share/nginx/html
       - ${PWD}/attacker-nginx.conf:/etc/nginx/conf.d/default.conf
     depends_on:
-      - "falco"      
-  
+      - "falco"
+
   falco:
     image: sysdig/falco:latest
     privileged: true

examples/k8s_audit_config/README.md

@@ -1,23 +1,136 @@
-# Introduction
+This page describes how to get [Kubernetes Auditing](https://kubernetes.io/docs/tasks/debug-application-cluster/audit) working with Falco.
+Either using static audit backends in Kubernetes 1.11, or in Kubernetes 1.13 with dynamic sink which configures webhook backends through an AuditSink API object.
 
-The files in this directory can be used to configure k8s audit logging. The relevant files are:
+<!-- toc -->
 
-* [audit-policy.yaml](./audit-policy.yaml): The k8s audit log configuration we used to create the rules in [k8s_audit_rules.yaml](../../rules/k8s_audit_rules.yaml). You may find it useful as a reference when creating your own K8s Audit Log configuration.
-* [webhook-config.yaml](./webhook-config.yaml): A webhook configuration that sends audit events to localhost, port 8765. You may find it useful as a starting point when deciding how to route audit events to the embedded webserver within falco.
+- [Instructions for Kubernetes 1.11](#instructions-for-kubernetes-111)
+  * [Deploy Falco to your Kubernetes cluster](#deploy-falco-to-your-kubernetes-cluster)
+  * [Define your audit policy and webhook configuration](#define-your-audit-policy-and-webhook-configuration)
+  * [Restart the API Server to enable Audit Logging](#restart-the-api-server-to-enable-audit-logging)
+  * [Observe Kubernetes audit events at falco](#observe-kubernetes-audit-events-at-falco)
+- [Instructions for Kubernetes 1.13](#instructions-for-kubernetes-113)
+  * [Deploy Falco to your Kubernetes cluster](#deploy-falco-to-your-kubernetes-cluster-1)
+  * [Restart the API Server to enable Audit Logging](#restart-the-api-server-to-enable-audit-logging-1)
+  * [Deploy AuditSink objects](#deploy-auditsink-objects)
+  * [Observe Kubernetes audit events at falco](#observe-kubernetes-audit-events-at-falco-1)
+- [Instructions for Kubernetes 1.13 with dynamic webhook and local log file](#instructions-for-kubernetes-113-with-dynamic-webhook-and-local-log-file)
 
-This file is only needed when using Minikube, which doesn't currently
-have the ability to provide an audit config/webhook config directly
-from the minikube commandline. See [this issue](https://github.com/kubernetes/minikube/issues/2741) for more details.
+<!-- tocstop -->
 
-* [apiserver-config.patch.sh](./apiserver-config.patch.sh): A script that changes the configuration file `/etc/kubernetes/manifests/kube-apiserver.yaml` to add necessary config options and mounts for the kube-apiserver container that runs within the minikube vm.
+## Instructions for Kubernetes 1.11
 
-A way to use these files with minikube to enable audit logging would be to run the following commands, from this directory:
+The main steps are:
+
+1. Deploy Falco to your Kubernetes cluster
+1. Define your audit policy and webhook configuration
+1. Restart the API Server to enable Audit Logging
+1. Observe Kubernetes audit events at falco
+
+### Deploy Falco to your Kubernetes cluster
+
+Follow the [Kubernetes Using Daemonset](../../integrations/k8s-using-daemonset/README.md) instructions to create a falco service account, service, configmap, and daemonset.
+
+### Define your audit policy and webhook configuration
+
+The files in this directory can be used to configure Kubernetes audit logging. The relevant files are:
+
+* [audit-policy.yaml](./audit-policy.yaml): The Kubernetes audit log configuration we used to create the rules in [k8s_audit_rules.yaml](../../rules/k8s_audit_rules.yaml).
+* [webhook-config.yaml.in](./webhook-config.yaml.in): A (templated) webhook configuration that sends audit events to an ip associated with the falco service, port 8765. It is templated in that the *actual* IP is defined in an environment variable `FALCO_SERVICE_CLUSTERIP`, which can be plugged in using a program like `envsubst`.
+
+Run the following to fill in the template file with the `ClusterIP` IP address you created with the `falco-service` service above. Although services like `falco-service.default.svc.cluster.local` can not be resolved from the kube-apiserver container within the minikube vm (they're run as pods but not *really* a part of the cluster), the `ClusterIP`s associated with those services are routable.
 
 ```
-minikube start --kubernetes-version v1.11.0 --mount --mount-string $PWD:/tmp/k8s_audit_config --feature-gates AdvancedAuditing=true
-ssh -i $(minikube ssh-key) docker@$(minikube ip) sudo bash /tmp/k8s_audit_config/apiserver-config.patch.sh
-ssh -i $(minikube ssh-key) -R 8765:localhost:8765 docker@$(minikube ip)
+FALCO_SERVICE_CLUSTERIP=$(kubectl get service falco-service -o=jsonpath={.spec.clusterIP}) envsubst < webhook-config.yaml.in > webhook-config.yaml
 ```
 
-K8s audit events will then be sent to localhost on the host (not minikube vm) machine, port 8765.
+### Restart the API Server to enable Audit Logging
 
+A script [enable-k8s-audit.sh](./enable-k8s-audit.sh) performs the necessary steps of enabling audit log support for the apiserver, including copying the audit policy/webhook files to the apiserver machine, modifying the apiserver command line to add `--audit-log-path`, `--audit-policy-file`, etc. arguments, etc. (For minikube, ideally you'd be able to pass all these options directly on the `minikube start` command line, but manual patching is necessary. See [this issue](https://github.com/kubernetes/minikube/issues/2741) for more details.)
+
+It is run as `bash ./enable-k8s-audit.sh <variant> static`. `<variant>` can be one of the following:
+
+* `minikube`
+* `kops`
+
+When running with `variant` equal to `kops`, you must either modify the script to specify the kops apiserver hostname or set it via the environment: `APISERVER_HOST=api.my-kops-cluster.com bash ./enable-k8s-audit.sh kops`
+
+Its output looks like this:
+
+```
+$ bash enable-k8s-audit.sh minikube static
+***Copying apiserver config patch script to apiserver...
+apiserver-config.patch.sh                                                                   100% 1190     1.2MB/s   00:00
+***Copying audit policy/webhook files to apiserver...
+audit-policy.yaml                                                                           100% 2519     1.2MB/s   00:00
+webhook-config.yaml                                                                         100%  248   362.0KB/s   00:00
+***Modifying k8s apiserver config (will result in apiserver restarting)...
+***Done!
+$
+```
+### Observe Kubernetes audit events at falco
+
+Kubernetes audit events will then be routed to the falco daemonset within the cluster, which you can observe via `kubectl logs -f $(kubectl get pods -l app=falco-example -o jsonpath={.items[0].metadata.name})`.
+
+## Instructions for Kubernetes 1.13
+
+The main steps are:
+
+1. Deploy Falco to your Kubernetes cluster
+2. Restart the API Server to enable Audit Logging
+3. Deploy the AuditSink object for your audit policy and webhook configuration
+4. Observe Kubernetes audit events at falco
+
+### Deploy Falco to your Kubernetes cluster
+
+Follow the [Kubernetes Using Daemonset](../../integrations/k8s-using-daemonset/README.md) instructions to create a Falco service account, service, configmap, and daemonset.
+
+### Restart the API Server to enable Audit Logging
+
+A script [enable-k8s-audit.sh](./enable-k8s-audit.sh) performs the necessary steps of enabling dynamic audit support for the apiserver by modifying the apiserver command line to add `--audit-dynamic-configuration`, `--feature-gates=DynamicAuditing=true`, etc. arguments, etc. (For minikube, ideally you'd be able to pass all these options directly on the `minikube start` command line, but manual patching is necessary. See [this issue](https://github.com/kubernetes/minikube/issues/2741) for more details.)
+
+It is run as `bash ./enable-k8s-audit.sh <variant> dynamic`. `<variant>` can be one of the following:
+
+* `minikube`
+* `kops`
+
+When running with `variant` equal to `kops`, you must either modify the script to specify the kops apiserver hostname or set it via the environment: `APISERVER_HOST=api.my-kops-cluster.com bash ./enable-k8s-audit.sh kops`
+
+Its output looks like this:
+
+```
+$ bash enable-k8s-audit.sh minikube dynamic
+***Copying apiserver config patch script to apiserver...
+apiserver-config.patch.sh                                                                   100% 1190     1.2MB/s   00:00
+***Modifying k8s apiserver config (will result in apiserver restarting)...
+***Done!
+$
+```
+
+### Deploy AuditSink objects
+
+[audit-sink.yaml.in](./audit-sink.yaml.in), in this directory, is a template audit sink configuration that defines the dynamic audit policy and webhook to route Kubernetes audit events to Falco.
+
+Run the following to fill in the template file with the `ClusterIP` IP address you created with the `falco-service` service above. Although services like `falco-service.default.svc.cluster.local` can not be resolved from the kube-apiserver container within the minikube vm (they're run as pods but not *really* a part of the cluster), the ClusterIPs associated with those services are routable.
+
+```
+FALCO_SERVICE_CLUSTERIP=$(kubectl get service falco-service -o=jsonpath={.spec.clusterIP}) envsubst < audit-sink.yaml.in > audit-sink.yaml
+```
+
+### Observe Kubernetes audit events at falco
+
+Kubernetes audit events will then be routed to the falco daemonset within the cluster, which you can observe via `kubectl logs -f $(kubectl get pods -l app=falco-example -o jsonpath={.items[0].metadata.name})`.
+
+## Instructions for Kubernetes 1.13 with dynamic webhook and local log file
+
+If you want to use a mix of `AuditSink` for remote audit events as well as a local audit log file, you can run `enable-k8s-audit.sh` with the `"dynamic+log"` argument e.g. `bash ./enable-k8s-audit.sh <variant> dynamic+log`. This will enable dynamic audit logs as well as a static audit log to a local file. Its output looks like this:
+
+```
+***Copying apiserver config patch script to apiserver...
+apiserver-config.patch.sh                                                                          100% 2211   662.9KB/s   00:00
+***Copying audit policy file to apiserver...
+audit-policy.yaml                                                                                  100% 2519   847.7KB/s   00:00
+***Modifying k8s apiserver config (will result in apiserver restarting)...
+***Done!
+```
+
+The audit log will be available on the apiserver host at `/var/lib/k8s_audit/audit.log`.

examples/k8s_audit_config/apiserver-config.patch.sh

@@ -1,35 +1,67 @@
-#!/bin/sh
+#!/usr/bin/env bash
+
+set -euo pipefail
 
 IFS=''
 
-FILENAME="/etc/kubernetes/manifests/kube-apiserver.yaml"
+FILENAME=${1:-/etc/kubernetes/manifests/kube-apiserver.yaml}
+VARIANT=${2:-minikube}
+AUDIT_TYPE=${3:-static}
 
-if grep audit-webhook-config-file $FILENAME ; then
-    echo audit-webhook patch already applied
-    exit 0
+if [ "$AUDIT_TYPE" == "static" ]; then
+    if grep audit-webhook-config-file "$FILENAME" ; then
+	echo audit-webhook patch already applied
+	exit 0
+    fi
+else
+    if grep audit-dynamic-configuration "$FILENAME" ; then
+	echo audit-dynamic-configuration patch already applied
+	exit 0
+    fi
 fi
 
 TMPFILE="/tmp/kube-apiserver.yaml.patched"
 rm -f "$TMPFILE"
 
-while read LINE
+APISERVER_PREFIX="    -"
+APISERVER_LINE="- kube-apiserver"
+
+if [ "$VARIANT" == "kops" ]; then
+    APISERVER_PREFIX="     "
+    APISERVER_LINE="/usr/local/bin/kube-apiserver"
+fi
+
+while read -r LINE
 do
     echo "$LINE" >> "$TMPFILE"
     case "$LINE" in
-        *"- kube-apiserver"*)
-            echo "    - --audit-log-path=/tmp/k8s_audit_config/audit.log" >> "$TMPFILE"
-            echo "    - --audit-policy-file=/tmp/k8s_audit_config/audit-policy.yaml" >> "$TMPFILE"
-            echo "    - --audit-webhook-config-file=/tmp/k8s_audit_config/webhook-config.yaml" >> "$TMPFILE"
-            echo "    - --audit-webhook-batch-max-wait=5s" >> "$TMPFILE"
+        *$APISERVER_LINE*)
+	    if [[ ($AUDIT_TYPE == "static" || $AUDIT_TYPE == "dynamic+log") ]]; then
+		echo "$APISERVER_PREFIX --audit-log-path=/var/lib/k8s_audit/audit.log" >> "$TMPFILE"
+		echo "$APISERVER_PREFIX --audit-policy-file=/var/lib/k8s_audit/audit-policy.yaml" >> "$TMPFILE"
+		if [[ $AUDIT_TYPE == "static" ]]; then
+		    echo "$APISERVER_PREFIX --audit-webhook-config-file=/var/lib/k8s_audit/webhook-config.yaml" >> "$TMPFILE"
+		    echo "$APISERVER_PREFIX --audit-webhook-batch-max-wait=5s" >> "$TMPFILE"
+		fi
+	    fi
+	    if [[ ($AUDIT_TYPE == "dynamic" || $AUDIT_TYPE == "dynamic+log") ]]; then
+		echo "$APISERVER_PREFIX --audit-dynamic-configuration" >> "$TMPFILE"
+		echo "$APISERVER_PREFIX --feature-gates=DynamicAuditing=true" >> "$TMPFILE"
+		echo "$APISERVER_PREFIX --runtime-config=auditregistration.k8s.io/v1alpha1=true" >> "$TMPFILE"
+	    fi
             ;;
         *"volumeMounts:"*)
-            echo "    - mountPath: /tmp/k8s_audit_config/" >> "$TMPFILE"
-            echo "      name: data" >> "$TMPFILE"
+	    if [[ ($AUDIT_TYPE == "static" || $AUDIT_TYPE == "dynamic+log") ]]; then
+		echo "    - mountPath: /var/lib/k8s_audit/" >> "$TMPFILE"
+		echo "      name: data" >> "$TMPFILE"
+	    fi
             ;;
         *"volumes:"*)
-            echo "  - hostPath:" >> "$TMPFILE"
-            echo "      path: /tmp/k8s_audit_config" >> "$TMPFILE"
-            echo "    name: data" >> "$TMPFILE"
+	    if [[ ($AUDIT_TYPE == "static" || $AUDIT_TYPE == "dynamic+log") ]]; then
+		echo "  - hostPath:" >> "$TMPFILE"
+		echo "      path: /var/lib/k8s_audit" >> "$TMPFILE"
+		echo "    name: data" >> "$TMPFILE"
+	    fi
             ;;
 
     esac

examples/k8s_audit_config/audit-sink.yaml.in

@@ -0,0 +1,16 @@
+apiVersion: auditregistration.k8s.io/v1alpha1
+kind: AuditSink
+metadata:
+  name: falco-audit-sink
+spec:
+  policy:
+    level: RequestResponse
+    stages:
+      - ResponseComplete
+      - ResponseStarted
+  webhook:
+    throttle:
+      qps: 10
+      burst: 15
+    clientConfig:
+      url: "http://$FALCO_SERVICE_CLUSTERIP:8765/k8s_audit"

examples/k8s_audit_config/enable-k8s-audit.sh

@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+VARIANT=${1:-minikube}
+AUDIT_TYPE=${2:-static}
+
+if [ "$VARIANT" == "minikube" ]; then
+    APISERVER_HOST=$(minikube ip)
+    SSH_KEY=$(minikube ssh-key)
+    SSH_USER="docker"
+    MANIFEST="/etc/kubernetes/manifests/kube-apiserver.yaml"
+fi
+
+if [ "$VARIANT" == "kops" ]; then
+    # APISERVER_HOST=api.your-kops-cluster-name.com
+    SSH_KEY=~/.ssh/id_rsa
+    SSH_USER="admin"
+    MANIFEST=/etc/kubernetes/manifests/kube-apiserver.manifest
+
+    if [ -z "${APISERVER_HOST+xxx}" ]; then
+	echo "***You must specify APISERVER_HOST with the name of your kops api server"
+	exit 1
+    fi
+fi
+
+echo "***Copying apiserver config patch script to apiserver..."
+ssh -i $SSH_KEY "$SSH_USER@$APISERVER_HOST" "sudo mkdir -p /var/lib/k8s_audit && sudo chown $SSH_USER /var/lib/k8s_audit"
+scp -i $SSH_KEY apiserver-config.patch.sh "$SSH_USER@$APISERVER_HOST:/var/lib/k8s_audit"
+
+if [ "$AUDIT_TYPE" == "static" ]; then
+    echo "***Copying audit policy/webhook files to apiserver..."
+    scp -i $SSH_KEY audit-policy.yaml "$SSH_USER@$APISERVER_HOST:/var/lib/k8s_audit"
+    scp -i $SSH_KEY webhook-config.yaml "$SSH_USER@$APISERVER_HOST:/var/lib/k8s_audit"
+fi
+
+if [ "$AUDIT_TYPE" == "dynamic+log" ]; then
+    echo "***Copying audit policy file to apiserver..."
+    scp -i $SSH_KEY audit-policy.yaml "$SSH_USER@$APISERVER_HOST:/var/lib/k8s_audit"
+fi
+
+echo "***Modifying k8s apiserver config (will result in apiserver restarting)..."
+
+ssh -i $SSH_KEY "$SSH_USER@$APISERVER_HOST" "sudo bash /var/lib/k8s_audit/apiserver-config.patch.sh $MANIFEST $VARIANT $AUDIT_TYPE"
+
+echo "***Done!"

examples/k8s_audit_config/webhook-config.yaml.in

@@ -3,7 +3,7 @@ kind: Config
 clusters:
 - name: falco
   cluster:
-    server: http://127.0.0.1:8765/k8s_audit
+    server: http://$FALCO_SERVICE_CLUSTERIP:8765/k8s_audit
 contexts:
 - context:
     cluster: falco

examples/mitm-sh-installer/README.md

@@ -1,4 +1,4 @@
-#Demo of falco with man-in-the-middle attacks on installation scripts
+# Demo of falco with man-in-the-middle attacks on installation scripts
 
 For context, see the corresponding [blog post](http://sysdig.com/blog/making-curl-to-bash-safer) for this demo.
 

examples/nodejs-bad-rest-api/README.md

@@ -1,4 +1,4 @@
-#Demo of falco with bash exec via poorly designed REST API.
+# Demo of falco with bash exec via poorly designed REST API.
 
 ## Introduction
 

falco.yaml

@@ -34,6 +34,11 @@ rules_file:
  - /etc/falco/k8s_audit_rules.yaml
  - /etc/falco/rules.d
 
+# If true, the times displayed in log messages and output messages
+# will be in ISO 8601. By default, times are displayed in the local
+# time zone, as governed by /etc/localtime.
+time_format_iso_8601: false
+
 # Whether to output events in json or text
 json_output: false
 
@@ -60,8 +65,28 @@ log_level: info
 priority: debug
 
 # Whether or not output to any of the output channels below is
-# buffered. Defaults to true
-buffered_outputs: true
+# buffered. Defaults to false
+buffered_outputs: false
+
+# Falco uses a shared buffer between the kernel and userspace to pass
+# system call information. When falco detects that this buffer is
+# full and system calls have been dropped, it can take one or more of
+# the following actions:
+#   - "ignore": do nothing. If an empty list is provided, ignore is assumed.
+#   - "log": log a CRITICAL message noting that the buffer was full.
+#   - "alert": emit a falco alert noting that the buffer was full.
+#   - "exit": exit falco with a non-zero rc.
+#
+# The rate at which log/alert messages are emitted is governed by a
+# token bucket. The rate corresponds to one message every 30 seconds
+# with a burst of 10 messages.
+
+syscall_event_drops:
+  actions:
+    - log
+    - alert
+  rate: .03333
+  max_burst: 10
 
 # A throttling mechanism implemented as a token bucket limits the
 # rate of falco notifications. This throttling is controlled by the following configuration
@@ -104,11 +129,20 @@ stdout_output:
 # Falco contains an embedded webserver that can be used to accept K8s
 # Audit Events. These config options control the behavior of that
 # webserver. (By default, the webserver is disabled).
-#  enabled: false
+#
+# The ssl_certificate is a combination SSL Certificate and corresponding
+# key contained in a single file. You can generate a key/cert as follows:
+#
+# $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
+# $ cat certificate.pem key.pem > falco.pem
+# $ sudo cp falco.pem /etc/falco/falco.pem
+
 webserver:
   enabled: true
   listen_port: 8765
   k8s_audit_endpoint: /k8s_audit
+  ssl_enabled: false
+  ssl_certificate: /etc/falco/falco.pem
 
 # Possible additional things you might want to do with program output:
 #   - send to a slack webhook:
@@ -128,4 +162,9 @@ webserver:
 program_output:
   enabled: false
   keep_alive: false
-  program: mail -s "Falco Notification" someone@example.com
+  program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
+
+http_output:
+  enabled: false
+  url: http://some.url
+

integrations/anchore-falco/Pipfile

@@ -13,4 +13,4 @@ expects = "*"
 requests = "*"
 
 [requires]
-python_version = "3.6"
+python_version = "3.7"

integrations/anchore-falco/Pipfile.lock

@@ -1,11 +1,11 @@
 {
     "_meta": {
         "hash": {
-            "sha256": "f2737a14e8f562cf355e13ae09f1eed0f80415effd2aa01b86125e94523da345"
+            "sha256": "3bdeb3ebfc2760431a59b0a27dc9e747b5d21f9156591ebb7994d94c21f33648"
         },
         "pipfile-spec": 6,
         "requires": {
-            "python_version": "3.6"
+            "python_version": "3.7"
         },
         "sources": [
             {
@@ -18,10 +18,10 @@
     "default": {
         "certifi": {
             "hashes": [
-                "sha256:13e698f54293db9f89122b0581843a782ad0934a4fe0172d2a980ba77fc61bb7",
-                "sha256:9fa520c1bacfb634fa7af20a76bcbd3d5fb390481724c597da32c719a7dca4b0"
+                "sha256:59b7658e26ca9c7339e00f8f4636cdfe59d34fa37b9b04f6f9e9926b3cece1a5",
+                "sha256:b26104d6835d1f5e49452a26eb2ff87fe7090b89dfcaee5ea2212697e1e1d7ae"
             ],
-            "version": "==2018.4.16"
+            "version": "==2019.3.9"
         },
         "chardet": {
             "hashes": [
@@ -32,25 +32,25 @@
         },
         "idna": {
             "hashes": [
-                "sha256:156a6814fb5ac1fc6850fb002e0852d56c0c8d2531923a51032d1b70760e186e",
-                "sha256:684a38a6f903c1d71d6d5fac066b58d7768af4de2b832e426ec79c30daa94a16"
+                "sha256:c357b3f628cf53ae2c4c05627ecc484553142ca23264e593d327bcde5e9c3407",
+                "sha256:ea8b7f6188e6fa117537c3df7da9fc686d485087abf6ac197f9c46432f7e4a3c"
             ],
-            "version": "==2.7"
+            "version": "==2.8"
         },
         "requests": {
             "hashes": [
-                "sha256:63b52e3c866428a224f97cab011de738c36aec0185aa91cfacd418b5d58911d1",
-                "sha256:ec22d826a36ed72a7358ff3fe56cbd4ba69dd7a6718ffd450ff0e9df7a47ce6a"
+                "sha256:502a824f31acdacb3a35b6690b5fbf0bc41d63a24a45c4004352b0242707598e",
+                "sha256:7bf2a778576d825600030a110f3c0e3e8edc51dfaafe1c146e39a2027784957b"
             ],
             "index": "pypi",
-            "version": "==2.19.1"
+            "version": "==2.21.0"
         },
         "urllib3": {
             "hashes": [
-                "sha256:a68ac5e15e76e7e5dd2b8f94007233e01effe3e50e8daddf69acfd81cb686baf",
-                "sha256:b5725a0bd4ba422ab0e66e89e030c806576753ea3ee08554382c14e685d117b5"
+                "sha256:2393a695cd12afedd0dcb26fe5d50d0cf248e5a66f75dbd89a3d4eb333a61af4",
+                "sha256:a637e5fae88995b256e3409dc4d52c2e2e0ba32c42a6365fee8bbd2238de3cfb"
             ],
-            "version": "==1.23"
+            "version": "==1.24.3"
         }
     },
     "develop": {
@@ -68,51 +68,56 @@
         },
         "coverage": {
             "hashes": [
-                "sha256:03481e81d558d30d230bc12999e3edffe392d244349a90f4ef9b88425fac74ba",
-                "sha256:0b136648de27201056c1869a6c0d4e23f464750fd9a9ba9750b8336a244429ed",
-                "sha256:104ab3934abaf5be871a583541e8829d6c19ce7bde2923b2751e0d3ca44db60a",
-                "sha256:15b111b6a0f46ee1a485414a52a7ad1d703bdf984e9ed3c288a4414d3871dcbd",
-                "sha256:198626739a79b09fa0a2f06e083ffd12eb55449b5f8bfdbeed1df4910b2ca640",
-                "sha256:1c383d2ef13ade2acc636556fd544dba6e14fa30755f26812f54300e401f98f2",
-                "sha256:28b2191e7283f4f3568962e373b47ef7f0392993bb6660d079c62bd50fe9d162",
-                "sha256:2eb564bbf7816a9d68dd3369a510be3327f1c618d2357fa6b1216994c2e3d508",
-                "sha256:337ded681dd2ef9ca04ef5d93cfc87e52e09db2594c296b4a0a3662cb1b41249",
-                "sha256:3a2184c6d797a125dca8367878d3b9a178b6fdd05fdc2d35d758c3006a1cd694",
-                "sha256:3c79a6f7b95751cdebcd9037e4d06f8d5a9b60e4ed0cd231342aa8ad7124882a",
-                "sha256:3d72c20bd105022d29b14a7d628462ebdc61de2f303322c0212a054352f3b287",
-                "sha256:3eb42bf89a6be7deb64116dd1cc4b08171734d721e7a7e57ad64cc4ef29ed2f1",
-                "sha256:4635a184d0bbe537aa185a34193898eee409332a8ccb27eea36f262566585000",
-                "sha256:56e448f051a201c5ebbaa86a5efd0ca90d327204d8b059ab25ad0f35fbfd79f1",
-                "sha256:5a13ea7911ff5e1796b6d5e4fbbf6952381a611209b736d48e675c2756f3f74e",
-                "sha256:69bf008a06b76619d3c3f3b1983f5145c75a305a0fea513aca094cae5c40a8f5",
-                "sha256:6bc583dc18d5979dc0f6cec26a8603129de0304d5ae1f17e57a12834e7235062",
-                "sha256:701cd6093d63e6b8ad7009d8a92425428bc4d6e7ab8d75efbb665c806c1d79ba",
-                "sha256:7608a3dd5d73cb06c531b8925e0ef8d3de31fed2544a7de6c63960a1e73ea4bc",
-                "sha256:76ecd006d1d8f739430ec50cc872889af1f9c1b6b8f48e29941814b09b0fd3cc",
-                "sha256:7aa36d2b844a3e4a4b356708d79fd2c260281a7390d678a10b91ca595ddc9e99",
-                "sha256:7d3f553904b0c5c016d1dad058a7554c7ac4c91a789fca496e7d8347ad040653",
-                "sha256:7e1fe19bd6dce69d9fd159d8e4a80a8f52101380d5d3a4d374b6d3eae0e5de9c",
-                "sha256:8c3cb8c35ec4d9506979b4cf90ee9918bc2e49f84189d9bf5c36c0c1119c6558",
-                "sha256:9d6dd10d49e01571bf6e147d3b505141ffc093a06756c60b053a859cb2128b1f",
-                "sha256:9e112fcbe0148a6fa4f0a02e8d58e94470fc6cb82a5481618fea901699bf34c4",
-                "sha256:ac4fef68da01116a5c117eba4dd46f2e06847a497de5ed1d64bb99a5fda1ef91",
-                "sha256:b8815995e050764c8610dbc82641807d196927c3dbed207f0a079833ffcf588d",
-                "sha256:be6cfcd8053d13f5f5eeb284aa8a814220c3da1b0078fa859011c7fffd86dab9",
-                "sha256:c1bb572fab8208c400adaf06a8133ac0712179a334c09224fb11393e920abcdd",
-                "sha256:de4418dadaa1c01d497e539210cb6baa015965526ff5afc078c57ca69160108d",
-                "sha256:e05cb4d9aad6233d67e0541caa7e511fa4047ed7750ec2510d466e806e0255d6",
-                "sha256:e4d96c07229f58cb686120f168276e434660e4358cc9cf3b0464210b04913e77",
-                "sha256:f3f501f345f24383c0000395b26b726e46758b71393267aeae0bd36f8b3ade80",
-                "sha256:f8a923a85cb099422ad5a2e345fe877bbc89a8a8b23235824a93488150e45f6e"
+                "sha256:0c5fe441b9cfdab64719f24e9684502a59432df7570521563d7b1aff27ac755f",
+                "sha256:2b412abc4c7d6e019ce7c27cbc229783035eef6d5401695dccba80f481be4eb3",
+                "sha256:3684fabf6b87a369017756b551cef29e505cb155ddb892a7a29277b978da88b9",
+                "sha256:39e088da9b284f1bd17c750ac672103779f7954ce6125fd4382134ac8d152d74",
+                "sha256:3c205bc11cc4fcc57b761c2da73b9b72a59f8d5ca89979afb0c1c6f9e53c7390",
+                "sha256:42692db854d13c6c5e9541b6ffe0fe921fe16c9c446358d642ccae1462582d3b",
+                "sha256:465ce53a8c0f3a7950dfb836438442f833cf6663d407f37d8c52fe7b6e56d7e8",
+                "sha256:48020e343fc40f72a442c8a1334284620f81295256a6b6ca6d8aa1350c763bbe",
+                "sha256:4ec30ade438d1711562f3786bea33a9da6107414aed60a5daa974d50a8c2c351",
+                "sha256:5296fc86ab612ec12394565c500b412a43b328b3907c0d14358950d06fd83baf",
+                "sha256:5f61bed2f7d9b6a9ab935150a6b23d7f84b8055524e7be7715b6513f3328138e",
+                "sha256:6899797ac384b239ce1926f3cb86ffc19996f6fa3a1efbb23cb49e0c12d8c18c",
+                "sha256:68a43a9f9f83693ce0414d17e019daee7ab3f7113a70c79a3dd4c2f704e4d741",
+                "sha256:6b8033d47fe22506856fe450470ccb1d8ba1ffb8463494a15cfc96392a288c09",
+                "sha256:7ad7536066b28863e5835e8cfeaa794b7fe352d99a8cded9f43d1161be8e9fbd",
+                "sha256:7bacb89ccf4bedb30b277e96e4cc68cd1369ca6841bde7b005191b54d3dd1034",
+                "sha256:839dc7c36501254e14331bcb98b27002aa415e4af7ea039d9009409b9d2d5420",
+                "sha256:8e679d1bde5e2de4a909efb071f14b472a678b788904440779d2c449c0355b27",
+                "sha256:8f9a95b66969cdea53ec992ecea5406c5bd99c9221f539bca1e8406b200ae98c",
+                "sha256:932c03d2d565f75961ba1d3cec41ddde00e162c5b46d03f7423edcb807734eab",
+                "sha256:93f965415cc51604f571e491f280cff0f5be35895b4eb5e55b47ae90c02a497b",
+                "sha256:988529edadc49039d205e0aa6ce049c5ccda4acb2d6c3c5c550c17e8c02c05ba",
+                "sha256:998d7e73548fe395eeb294495a04d38942edb66d1fa61eb70418871bc621227e",
+                "sha256:9de60893fb447d1e797f6bf08fdf0dbcda0c1e34c1b06c92bd3a363c0ea8c609",
+                "sha256:9e80d45d0c7fcee54e22771db7f1b0b126fb4a6c0a2e5afa72f66827207ff2f2",
+                "sha256:a545a3dfe5082dc8e8c3eb7f8a2cf4f2870902ff1860bd99b6198cfd1f9d1f49",
+                "sha256:a5d8f29e5ec661143621a8f4de51adfb300d7a476224156a39a392254f70687b",
+                "sha256:a9abc8c480e103dc05d9b332c6cc9fb1586330356fc14f1aa9c0ca5745097d19",
+                "sha256:aca06bfba4759bbdb09bf52ebb15ae20268ee1f6747417837926fae990ebc41d",
+                "sha256:bb23b7a6fd666e551a3094ab896a57809e010059540ad20acbeec03a154224ce",
+                "sha256:bfd1d0ae7e292105f29d7deaa9d8f2916ed8553ab9d5f39ec65bcf5deadff3f9",
+                "sha256:c22ab9f96cbaff05c6a84e20ec856383d27eae09e511d3e6ac4479489195861d",
+                "sha256:c62ca0a38958f541a73cf86acdab020c2091631c137bd359c4f5bddde7b75fd4",
+                "sha256:c709d8bda72cf4cd348ccec2a4881f2c5848fd72903c185f363d361b2737f773",
+                "sha256:c968a6aa7e0b56ecbd28531ddf439c2ec103610d3e2bf3b75b813304f8cb7723",
+                "sha256:ca58eba39c68010d7e87a823f22a081b5290e3e3c64714aac3c91481d8b34d22",
+                "sha256:df785d8cb80539d0b55fd47183264b7002077859028dfe3070cf6359bf8b2d9c",
+                "sha256:f406628ca51e0ae90ae76ea8398677a921b36f0bd71aab2099dfed08abd0322f",
+                "sha256:f46087bbd95ebae244a0eda01a618aff11ec7a069b15a3ef8f6b520db523dcf1",
+                "sha256:f8019c5279eb32360ca03e9fac40a12667715546eed5c5eb59eb381f2f501260",
+                "sha256:fc5f4d209733750afd2714e9109816a29500718b32dd9a5db01c0cb3a019b96a"
             ],
-            "version": "==4.5.1"
+            "version": "==4.5.3"
         },
         "doublex": {
             "hashes": [
-                "sha256:062af49d9e4148bc47b7512d3fdc8e145dea4671d074ffd54b2464a19d3757ab"
+                "sha256:4e9f17f346276db7faa461dfa105f17de7f837e5ceccca34f4c70d4ff9d2f20c"
             ],
             "index": "pypi",
-            "version": "==1.8.4"
+            "version": "==1.9.2"
         },
         "doublex-expects": {
             "hashes": [
@@ -123,17 +128,17 @@
         },
         "expects": {
             "hashes": [
-                "sha256:37538d7b0fa9c0d53e37d07b0e8c07d89754d3deec1f0f8ed1be27f4f10363dd"
+                "sha256:419902ccafe81b7e9559eeb6b7a07ef9d5c5604eddb93000f0642b3b2d594f4c"
             ],
             "index": "pypi",
-            "version": "==0.8.0"
+            "version": "==0.9.0"
         },
         "mamba": {
             "hashes": [
-                "sha256:63e70a8666039cf143a255000e23f29be4ea4b5b8169f2b053f94eb73a2ea9e2"
+                "sha256:25328151ea94d97a0b461d7256dc7350c99b5f8d2de22d355978378edfeac545"
             ],
             "index": "pypi",
-            "version": "==0.9.3"
+            "version": "==0.10"
         },
         "pyhamcrest": {
             "hashes": [
@@ -147,10 +152,10 @@
         },
         "six": {
             "hashes": [
-                "sha256:70e8a77beed4562e7f14fe23a786b54f6296e34344c23bc42f07b15018ff98e9",
-                "sha256:832dc0e10feb1aa2c68dcc57dbb658f1c7e65b9b61af69048abc87a2db00a0eb"
+                "sha256:3350809f0555b11f552448330d0b52d5f24c91a322ea4a15ef22629740f3761c",
+                "sha256:d16a0141ec1a18405cd4ce8b4613101da75da0e9a7aec5bdd4fa804d0e0eba73"
             ],
-            "version": "==1.11.0"
+            "version": "==1.12.0"
         }
     }
 }

integrations/k8s-using-daemonset/README.md

@@ -1,10 +1,10 @@
 # Example Kubernetes Daemon Sets for Sysdig Falco
 
-This directory gives you the required YAML files to stand up Sysdig Falco on Kubernetes as a Daemon Set. This will result in a Falco Pod being deployed to each node, and thus the ability to monitor any running containers for abnormal behavior. 
+This directory gives you the required YAML files to stand up Sysdig Falco on Kubernetes as a Daemon Set. This will result in a Falco Pod being deployed to each node, and thus the ability to monitor any running containers for abnormal behavior.
 
 The two options are provided to deploy a Daemon Set:
 - `k8s-with-rbac` - This directory provides a definition to deploy a Daemon Set on Kubernetes with RBAC enabled.
-- `k8s-without-rbac` - This directory provides a definition to deploy a Daemon Set on Kubernetes without RBAC enabled. 
+- `k8s-without-rbac` - This directory provides a definition to deploy a Daemon Set on Kubernetes without RBAC enabled. **This method is deprecated in favor of RBAC-based installs, and won't be updated going forward.**
 
 Also provided:
 - `falco-event-generator-deployment.yaml` - A Kubernetes Deployment to generate sample events. This is useful for testing, but note it will generate a large number of events.
@@ -21,11 +21,21 @@ clusterrolebinding "falco-cluster-role-binding" created
 k8s-using-daemonset$
 ```
 
-The Daemon Set also relies on a Kubernetes ConfigMap to store the Falco configuration and make the configuration available to the Falco Pods. This allows you to manage custom configuration without rebuilding and redeploying the underlying Pods. In order to create the ConfigMap you'll need to first need to copy the required configuration from their location in this GitHub repo to the `k8s-with-rbac/falco-config/` directory. Any modification of the configuration should be performed on these copies rather than the original files.
+We also create a service that allows other services to reach the embedded webserver in falco, which listens on https port 8765:
 
 ```
+k8s-using-daemonset$ kubectl create -f k8s-with-rbac/falco-service.yaml
+service/falco-service created
+k8s-using-daemonset$
+```
+
+The Daemon Set also relies on a Kubernetes ConfigMap to store the Falco configuration and make the configuration available to the Falco Pods. This allows you to manage custom configuration without rebuilding and redeploying the underlying Pods. In order to create the ConfigMap you'll need to first need to copy the required configuration from their location in this GitHub repo to the `k8s-with-rbac/falco-config/` directory (please note that you will need to create the /falco-config directory). Any modification of the configuration should be performed on these copies rather than the original files.
+
+```
+k8s-using-daemonset$ mkdir -p k8s-with-rbac/falco-config
 k8s-using-daemonset$ cp ../../falco.yaml k8s-with-rbac/falco-config/
 k8s-using-daemonset$ cp ../../rules/falco_rules.* k8s-with-rbac/falco-config/
+k8s-using-daemonset$ cp ../../rules/k8s_audit_rules.yaml k8s-with-rbac/falco-config/
 ```
 
 If you want to send Falco alerts to a Slack channel, you'll want to modify the `falco.yaml` file to point to your Slack webhook. For more information on getting a webhook URL for your Slack team, refer to the [Slack documentation](https://api.slack.com/incoming-webhooks). Add the below to the bottom of the `falco.yaml` config file you just copied to enable Slack messages.
@@ -37,7 +47,7 @@ program_output:
   program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/see_your_slack_team/apps_settings_for/a_webhook_url"
 ```
 
-You will also need to enable JSON output. Find the `json_output: false` setting in the `falco.yaml` file and change it to read `json_output: true`. Any custom rules for your environment can be added to into the `falco_rules.local.yaml` file and they will be picked up by Falco at start time. You can now create the ConfigMap in Kubernetes. 
+You will also need to enable JSON output. Find the `json_output: false` setting in the `falco.yaml` file and change it to read `json_output: true`. Any custom rules for your environment can be added to into the `falco_rules.local.yaml` file and they will be picked up by Falco at start time. You can now create the ConfigMap in Kubernetes.
 
 ```
 k8s-using-daemonset$ kubectl create configmap falco-config --from-file=k8s-with-rbac/falco-config
@@ -48,13 +58,14 @@ k8s-using-daemonset$
 Now that we have the requirements for our Daemon Set in place, we can create our Daemon Set.
 
 ```
-k8s-using-daemonset$ kubectl create -f k8s-with-rbac/falco-daemonset-configmap.yaml 
-daemonset "falco" created
+k8s-using-daemonset$ kubectl create -f k8s-with-rbac/falco-daemonset-configmap.yaml
+daemonset.extensions "falco-daemonset" created
+
 k8s-using-daemonset$
 ```
 
 
-## Deploying to Kubernetes without RBAC enabled
+## Deploying to Kubernetes without RBAC enabled (**Deprecated**)
 
 If you are running Kubernetes with Legacy Authorization enabled, you can use `kubectl` to deploy the Daemon Set provided in the `k8s-without-rbac` directory. The example provides the ability to post messages to a Slack channel via a webhook. For more information on getting a webhook URL for your Slack team, refer to the [Slack documentation](https://api.slack.com/incoming-webhooks). Modify the [`args`](https://github.com/draios/falco/blob/dev/examples/k8s-using-daemonset/falco-daemonset.yaml#L21) passed to the Falco container to point to the appropriate URL for your webhook.
 
@@ -62,6 +73,24 @@ If you are running Kubernetes with Legacy Authorization enabled, you can use `ku
 k8s-using-daemonset$ kubectl create -f k8s-without-rbac/falco-daemonset.yaml
 ```
 
+When running falco via a container, you might see error messages like the following:
+```
+mkdir: cannot create directory '/lib/modules/3.10.0-693.el7.centos.test.x86_64/kernel/extra': Read-only file system
+cp: cannot create regular file '/lib/modules/3.10.0-693.el7.centos.test.x86_64/kernel/extra/falco-probe.ko.xz': No such file or directory
+```
+
+These error messages are innocuous, but if you would like to remove them you can change the /host/lib/modules mount to read-write, by doing below change in `k8s-with-rbac/falco
+daemonset-configmap.yaml`:
+
+```
+             - mountPath: /host/lib/modules
+               name: lib-modules
+-              readOnly: true
++              #readOnly: true
+```
+
+However, note that this will result in the `falco-probe.ko.xz` file being saved to `/lib/modules` on the host, even after the falco container is removed.
+
 
 ## Verifying the installation
 
@@ -69,18 +98,17 @@ In order to test that Falco is working correctly, you can launch a shell in a Po
 
 ```
 k8s-using-daemonset$ kubectl get pods
-NAME          READY     STATUS    RESTARTS   AGE
-falco-74htl   1/1       Running   0          13h
-falco-fqz2m   1/1       Running   0          13h
-falco-sgjfx   1/1       Running   0          13h
-k8s-using-daemonset$ kubectl exec -it falco-74htl bash
-root@falco-74htl:/# exit
-k8s-using-daemonset$ kubectl logs falco-74htl
-{"output":"17:48:58.590038385: Notice A shell was spawned in a container with an attached terminal (user=root k8s.pod=falco-74htl container=a98c2aa8e670 shell=bash parent=<NA> cmdline=bash  terminal=34816)","priority":"Notice","rule":"Terminal shell in container","time":"2017-12-20T17:48:58.590038385Z", "output_fields": {"container.id":"a98c2aa8e670","evt.time":1513792138590038385,"k8s.pod.name":"falco-74htl","proc.cmdline":"bash ","proc.name":"bash","proc.pname":null,"proc.tty":34816,"user.name":"root"}}
+NAME                    READY     STATUS    RESTARTS   AGE
+falco-daemonset-b695d   1/1       Running   0          2d
+falco-daemonset-n8q2v   1/1       Running   0          2d
+k8s-using-daemonset$ kubectl exec -it falco-daemonset-b695d bash
+root@falco-daemonset-b695d:/# exit
+k8s-using-daemonset$ kubectl logs falco-daemonset-b695d
+07:16:09.217866519: Error File below known binary directory renamed/removed (user=root command=event_generator pcmdline=<NA> operation=rename file=<NA> res=0 oldpath=/bin/true newpath=/bin/true.event-generator-sh ) k8s.ns=default k8s.pod=falco-event-generator-deployment-645444689b-j6mth container=0e67aad65846 k8s.ns=default k8s.pod=falco-event-generator-deployment-645444689b-j6mth container=0e67aad65846
 k8s-using-daemonset$
-``` 
+```
 
-Alternatively, you can deploy the [Falco Event Generator](https://github.com/draios/falco/wiki/Generating-Sample-Events) deployement to have events automatically generated. Please note that this Deployment will generate a large number of events. 
+Alternatively, you can deploy the [Falco Event Generator](https://github.com/draios/falco/wiki/Generating-Sample-Events) deployement to have events automatically generated. Please note that this Deployment will generate a large number of events.
 
 ```
 k8s-using-daemonset$ kubectl create -f falco-event-generator-deployment.yaml \
@@ -88,5 +116,5 @@ k8s-using-daemonset$ kubectl create -f falco-event-generator-deployment.yaml \
 && kubectl delete -f falco-event-generator-deployment.yaml
 deployment "falco-event-generator-deployment" created
 deployment "falco-event-generator-deployment" deleted
-k8s-using-daemonset$ 
+k8s-using-daemonset$
 ```

integrations/k8s-using-daemonset/k8s-with-rbac/falco-account.yaml

@@ -2,14 +2,20 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: falco-account
+  labels:
+    app: falco-example
+    role: security
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
   name: falco-cluster-role
+  labels:
+    app: falco-example
+    role: security
 rules:
   - apiGroups: ["extensions",""]
-    resources: ["nodes","namespaces","pods","replicationcontrollers","services","events","configmaps"]
+    resources: ["nodes","namespaces","pods","replicationcontrollers","replicasets","services","daemonsets","deployments","events","configmaps"]
     verbs: ["get","list","watch"]
   - nonResourceURLs: ["/healthz", "/healthz/*"]
     verbs: ["get"]
@@ -19,6 +25,9 @@ apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
   name: falco-cluster-role-binding
   namespace: default
+  labels:
+    app: falco-example
+    role: security
 subjects:
   - kind: ServiceAccount
     name: falco-account

integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml

@@ -1,16 +1,15 @@
 apiVersion: extensions/v1beta1
 kind: DaemonSet
 metadata:
-  name: falco
+  name: falco-daemonset
   labels:
-    name: falco-daemonset
-    app: demo
+    app: falco-example
+    role: security
 spec:
   template:
     metadata:
       labels:
-        name: falco
-        app: demo
+        app: falco-example
         role: security
     spec:
       serviceAccount: falco-account
@@ -19,10 +18,19 @@ spec:
           image: falcosecurity/falco:latest
           securityContext:
             privileged: true
-          args: [ "/usr/bin/falco", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://kubernetes.default", "-pk"]
+# Uncomment the 3 lines below to enable eBPF support for Falco.
+# This allows Falco to run on Google COS.
+# Leave blank for the default probe location, or set to the path
+# of a precompiled probe.
+#          env:
+#          - name: SYSDIG_BPF_PROBE
+#            value: ""
+          args: [ "/usr/bin/falco", "--cri", "/host/run/containerd/containerd.sock", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://$(KUBERNETES_SERVICE_HOST)", "-pk"]
           volumeMounts:
             - mountPath: /host/var/run/docker.sock
               name: docker-socket
+            - mountPath: /host/run/containerd/containerd.sock
+              name: containerd-socket
             - mountPath: /host/dev
               name: dev-fs
             - mountPath: /host/proc
@@ -37,12 +45,18 @@ spec:
             - mountPath: /host/usr
               name: usr-fs
               readOnly: true
+            - mountPath: /host/etc/
+              name: etc-fs
+              readOnly: true
             - mountPath: /etc/falco
               name: falco-config
       volumes:
         - name: docker-socket
           hostPath:
             path: /var/run/docker.sock
+        - name: containerd-socket
+          hostPath:
+            path: /run/containerd/containerd.sock
         - name: dev-fs
           hostPath:
             path: /dev
@@ -58,6 +72,9 @@ spec:
         - name: usr-fs
           hostPath:
             path: /usr
+        - name: etc-fs
+          hostPath:
+            path: /etc
         - name: falco-config
           configMap:
             name: falco-config

integrations/k8s-using-daemonset/k8s-with-rbac/falco-service.yaml

@@ -0,0 +1,13 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: falco-service
+  labels:
+    app: falco-example
+    role: security
+spec:
+  selector:
+    app: falco-example
+  ports:
+  - protocol: TCP
+    port: 8765

integrations/k8s-using-daemonset/k8s-without-rbac/falco-daemonset.yaml

@@ -18,10 +18,12 @@ spec:
           image: falcosecurity/falco:latest
           securityContext:
             privileged: true
-          args: [ "/usr/bin/falco", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://kubernetes.default", "-pk", "-o", "json_output=true", "-o", "program_output.enabled=true", "-o",  "program_output.program=jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/see_your_slack_team/apps_settings_for/a_webhook_url"]
+          args: [ "/usr/bin/falco", "--cri", "/host/run/containerd/containerd.sock", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://kubernetes.default", "-pk", "-o", "json_output=true", "-o", "program_output.enabled=true", "-o",  "program_output.program=jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/see_your_slack_team/apps_settings_for/a_webhook_url"]
           volumeMounts:
             - mountPath: /host/var/run/docker.sock
               name: docker-socket
+            - mountPath: /host/run/containerd/containerd.sock
+              name: containerd-socket
             - mountPath: /host/dev
               name: dev-fs
             - mountPath: /host/proc
@@ -40,6 +42,9 @@ spec:
         - name: docker-socket
           hostPath:
             path: /var/run/docker.sock
+        - name: containerd-socket
+          hostPath:
+            path: /run/containerd/containerd.sock
         - name: dev-fs
           hostPath:
             path: /dev

integrations/kubernetes-response-engine/README.md

@@ -1,18 +1,6 @@
-# Kubernetes Response Engine for Sysdig Falco
+# Kubernetes Response Engine directory moved
 
-A response engine for Falco that allows to process security events executing playbooks to respond to security threats.
+As long as Kubernetes Response Engine and Falco has different release cycles,
+the Kubernetes Response Engine has been moved to its own repository.
 
-## Architecture
-
-* *[Falco](https://sysdig.com/opensource/falco/)* monitors containers and processes to alert on unexpected behavior. This is defined through the runtime policy built from multiple rules that define what the system should and shouldn't do.
-* *falco-nats* forwards the alert to a message broker service into a topic compound by `falco.<severity>.<rule_name_slugified>`.
-* *[NATS](https://nats.io/)*, our message broker, delivers the alert to any subscribers to the different topics.
-* *[Kubeless](https://kubeless.io/)*, a FaaS framework that runs in Kubernetes, receives the security events and executes the configured playbooks.
-
-## Glossary
-
-* *Security event*: Alert sent by Falco when a configured rule matches the behaviour on that host.
-* *Playbook*: Each piece code executed when an alert is received to respond to that threat in an automated way, some examples include:
-  - sending an alert to Slack
-  - stop the pod killing the container
-  - taint the specific node where the pod is running
+You can find it in https://github.com/falcosecurity/kubernetes-response-engine

integrations/kubernetes-response-engine/deployment/aws/.gitignore

@@ -1,4 +0,0 @@
-.terraform/*
-.terraform.*
-terraform.*
-*.yaml

integrations/kubernetes-response-engine/deployment/aws/Makefile

@@ -1,11 +0,0 @@
-all: create configure
-
-create:
-	terraform apply
-
-configure:
-	kubectl get -n kube-system configmap/aws-auth -o yaml | awk "/mapRoles: \|/{print;print \"$(shell terraform output patch_for_aws_auth)\";next}1" > aws-auth-patch.yml
-	kubectl -n kube-system replace -f aws-auth-patch.yml
-
-clean:
-	terraform destroy

integrations/kubernetes-response-engine/deployment/aws/README.md

@@ -1,23 +0,0 @@
-# Terraform manifests for Kubernetes Response Engine running on AWS
-
-In this directory are the Terraform manifests for creating required infrasturcture
-for the Kubernetes Response Engine running with AWS technology: SNS for messaging
-and Lambda for executing the playbooks.
-
-## Deploy
-
-For creating the resources, just run default Makefile target:
-
-```
-make
-```
-
-This will ask for an IAM user which creates the bridge between EKS rbac and AWS IAM.
-
-## Clean
-
-You can clean IAM roles and SNS topics with:
-
-```
-make clean
-```

integrations/kubernetes-response-engine/deployment/aws/lambda.tf

@@ -1,25 +0,0 @@
-resource "aws_iam_role" "iam-for-lambda" {
-  name = "iam_for_lambda"
-
-  assume_role_policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": "sts:AssumeRole",
-      "Principal": {
-        "Service": "lambda.amazonaws.com",
-        "AWS": "${var.iam-user-arn}"
-      },
-      "Effect": "Allow",
-      "Sid": ""
-    }
-  ]
-}
-EOF
-}
-
-resource "aws_iam_role_policy_attachment" "iam-for-lambda" {
-  policy_arn = "arn:aws:iam::aws:policy/CloudWatchFullAccess"
-  role       = "${aws_iam_role.iam-for-lambda.name}"
-}

integrations/kubernetes-response-engine/deployment/aws/outputs.tf

@@ -1,16 +0,0 @@
-locals {
-  patch_for_aws_auth = <<CONFIGMAPAWSAUTH
-    - rolearn: ${aws_iam_role.iam-for-lambda.arn}\n
-     username: kubernetes-admin\n
-     groups:\n
-       - system:masters
-CONFIGMAPAWSAUTH
-}
-
-output "patch_for_aws_auth" {
-  value = "${local.patch_for_aws_auth}"
-}
-
-output "iam_for_lambda" {
-  value = "${aws_iam_role.iam-for-lambda.arn}"
-}

integrations/kubernetes-response-engine/deployment/aws/sns.tf

@@ -1,3 +0,0 @@
-resource "aws_sns_topic" "falco-alerts" {
-  name = "falco-alerts"
-}

integrations/kubernetes-response-engine/deployment/aws/variables.tf

@@ -1,3 +0,0 @@
-variable "iam-user-arn" {
-  type    = "string"
-}

integrations/kubernetes-response-engine/deployment/cncf/Makefile

@@ -1,10 +0,0 @@
-deploy:
-	kubectl apply -f nats/
-	kubectl apply -f kubeless/
-	kubectl apply -f network-policy.yaml
-	kubectl apply -f .
-
-clean:
-	kubectl delete -f kubeless/
-	kubectl delete -f nats/
-	kubectl delete -f .

integrations/kubernetes-response-engine/deployment/cncf/README.md

@@ -1,20 +0,0 @@
-# Kubernetes Manifests for Kubernetes Response Engine
-
-In this directory are the manifests for creating required infrastructure in the
-Kubernetes cluster
-
-## Deploy
-
-For deploying NATS, Falco + Falco-NATS output and Kubeless just run default Makefile target:
-
-```
-make
-```
-
-## Clean
-
-You can clean your cluster with:
-
-```
-make clean
-```

integrations/kubernetes-response-engine/deployment/cncf/kubeless/kubeless-namespace.yaml

@@ -1,5 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: kubeless

integrations/kubernetes-response-engine/deployment/cncf/kubeless/kubeless-v1.0.0-alpha.6.yaml

@@ -1,366 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: controller-acct
-  namespace: kubeless
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
-metadata:
-  name: kubeless-controller-deployer
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - services
-  - configmaps
-  verbs:
-  - create
-  - get
-  - delete
-  - list
-  - update
-  - patch
-- apiGroups:
-  - apps
-  - extensions
-  resources:
-  - deployments
-  verbs:
-  - create
-  - get
-  - delete
-  - list
-  - update
-  - patch
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  verbs:
-  - list
-  - delete
-- apiGroups:
-  - ""
-  resourceNames:
-  - kubeless-registry-credentials
-  resources:
-  - secrets
-  verbs:
-  - get
-- apiGroups:
-  - kubeless.io
-  resources:
-  - functions
-  - httptriggers
-  - cronjobtriggers
-  verbs:
-  - get
-  - list
-  - watch
-  - update
-  - delete
-- apiGroups:
-  - batch
-  resources:
-  - cronjobs
-  - jobs
-  verbs:
-  - create
-  - get
-  - delete
-  - deletecollection
-  - list
-  - update
-  - patch
-- apiGroups:
-  - autoscaling
-  resources:
-  - horizontalpodautoscalers
-  verbs:
-  - create
-  - get
-  - delete
-  - list
-  - update
-  - patch
-- apiGroups:
-  - apiextensions.k8s.io
-  resources:
-  - customresourcedefinitions
-  verbs:
-  - get
-  - list
-- apiGroups:
-  - monitoring.coreos.com
-  resources:
-  - alertmanagers
-  - prometheuses
-  - servicemonitors
-  verbs:
-  - '*'
-- apiGroups:
-  - extensions
-  resources:
-  - ingresses
-  verbs:
-  - create
-  - get
-  - list
-  - update
-  - delete
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
-  name: kubeless-controller-deployer
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: kubeless-controller-deployer
-subjects:
-- kind: ServiceAccount
-  name: controller-acct
-  namespace: kubeless
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: functions.kubeless.io
-spec:
-  group: kubeless.io
-  names:
-    kind: Function
-    plural: functions
-    singular: function
-  scope: Namespaced
-  version: v1beta1
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: httptriggers.kubeless.io
-spec:
-  group: kubeless.io
-  names:
-    kind: HTTPTrigger
-    plural: httptriggers
-    singular: httptrigger
-  scope: Namespaced
-  version: v1beta1
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: cronjobtriggers.kubeless.io
-spec:
-  group: kubeless.io
-  names:
-    kind: CronJobTrigger
-    plural: cronjobtriggers
-    singular: cronjobtrigger
-  scope: Namespaced
-  version: v1beta1
----
-apiVersion: v1
-data:
-  builder-image: kubeless/function-image-builder:v1.0.0-alpha.6
-  builder-image-secret: ""
-  deployment: '{}'
-  enable-build-step: "false"
-  function-registry-tls-verify: "true"
-  ingress-enabled: "false"
-  provision-image: kubeless/unzip@sha256:f162c062973cca05459834de6ed14c039d45df8cdb76097f50b028a1621b3697
-  provision-image-secret: ""
-  runtime-images: |-
-    [
-      {
-        "ID": "python",
-        "compiled": false,
-        "versions": [
-          {
-            "name": "python27",
-            "version": "2.7",
-            "runtimeImage": "kubeless/python@sha256:07cfb0f3d8b6db045dc317d35d15634d7be5e436944c276bf37b1c630b03add8",
-            "initImage": "python:2.7"
-          },
-          {
-            "name": "python34",
-            "version": "3.4",
-            "runtimeImage": "kubeless/python@sha256:f19640c547a3f91dbbfb18c15b5e624029b4065c1baf2892144e07c36f0a7c8f",
-            "initImage": "python:3.4"
-          },
-          {
-            "name": "python36",
-            "version": "3.6",
-            "runtimeImage": "kubeless/python@sha256:0c9f8f727d42625a4e25230cfe612df7488b65f283e7972f84108d87e7443d72",
-            "initImage": "python:3.6"
-          }
-        ],
-        "depName": "requirements.txt",
-        "fileNameSuffix": ".py"
-      },
-      {
-        "ID": "nodejs",
-        "compiled": false,
-        "versions": [
-          {
-            "name": "node6",
-            "version": "6",
-            "runtimeImage": "kubeless/nodejs@sha256:013facddb0f66c150844192584d823d7dfb2b5b8d79fd2ae98439c86685da657",
-            "initImage": "node:6.10"
-          },
-          {
-            "name": "node8",
-            "version": "8",
-            "runtimeImage": "kubeless/nodejs@sha256:b155d7e20e333044b60009c12a25a97c84eed610f2a3d9d314b47449dbdae0e5",
-            "initImage": "node:8"
-          }
-        ],
-        "depName": "package.json",
-        "fileNameSuffix": ".js"
-      },
-      {
-        "ID": "nodejs_distroless",
-        "compiled": false,
-        "versions": [
-          {
-            "name": "node8",
-            "version": "8",
-            "runtimeImage": "henrike42/kubeless/runtimes/nodejs/distroless:0.0.2",
-            "initImage": "node:8"
-          }
-        ],
-        "depName": "package.json",
-        "fileNameSuffix": ".js"
-      },
-      {
-        "ID": "ruby",
-        "compiled": false,
-        "versions": [
-          {
-            "name": "ruby24",
-            "version": "2.4",
-            "runtimeImage": "kubeless/ruby@sha256:01665f1a32fe4fab4195af048627857aa7b100e392ae7f3e25a44bd296d6f105",
-            "initImage": "bitnami/ruby:2.4"
-          }
-        ],
-        "depName": "Gemfile",
-        "fileNameSuffix": ".rb"
-      },
-      {
-        "ID": "php",
-        "compiled": false,
-        "versions": [
-          {
-            "name": "php72",
-            "version": "7.2",
-            "runtimeImage": "kubeless/php@sha256:9b86066b2640bedcd88acb27f43dfaa2b338f0d74d9d91131ea781402f7ec8ec",
-            "initImage": "composer:1.6"
-          }
-        ],
-        "depName": "composer.json",
-        "fileNameSuffix": ".php"
-      },
-      {
-        "ID": "go",
-        "compiled": true,
-        "versions": [
-          {
-            "name": "go1.10",
-            "version": "1.10",
-            "runtimeImage": "kubeless/go@sha256:e2fd49f09b6ff8c9bac6f1592b3119ea74237c47e2955a003983e08524cb3ae5",
-            "initImage": "kubeless/go-init@sha256:983b3f06452321a2299588966817e724d1a9c24be76cf1b12c14843efcdff502"
-          }
-        ],
-        "depName": "Gopkg.toml",
-        "fileNameSuffix": ".go"
-      },
-      {
-        "ID": "dotnetcore",
-        "compiled": true,
-        "versions": [
-          {
-            "name": "dotnetcore2.0",
-            "version": "2.0",
-            "runtimeImage": "allantargino/kubeless-dotnetcore@sha256:1699b07d9fc0276ddfecc2f823f272d96fd58bbab82d7e67f2fd4982a95aeadc",
-            "initImage": "allantargino/aspnetcore-build@sha256:0d60f845ff6c9c019362a68b87b3920f3eb2d32f847f2d75e4d190cc0ce1d81c"
-          }
-        ],
-        "depName": "project.csproj",
-        "fileNameSuffix": ".cs"
-      },
-      {
-        "ID": "java",
-        "compiled": true,
-        "versions": [
-          {
-            "name": "java1.8",
-            "version": "1.8",
-            "runtimeImage": "kubeless/java@sha256:debf9502545f4c0e955eb60fabb45748c5d98ed9365c4a508c07f38fc7fefaac",
-            "initImage": "kubeless/java-init@sha256:7e5e4376d3ab76c336d4830c9ed1b7f9407415feca49b8c2bf013e279256878f"
-          }
-        ],
-        "depName": "pom.xml",
-        "fileNameSuffix": ".java"
-      },
-      {
-         "ID": "ballerina",
-         "compiled": true,
-         "versions": [
-           {
-              "name": "ballerina0.975.0",
-              "version": "0.975.0",
-              "runtimeImage": "kubeless/ballerina@sha256:83e51423972f4b0d6b419bee0b4afb3bb87d2bf1b604ebc4366c430e7cc28a35",
-              "initImage": "kubeless/ballerina-init@sha256:05857ce439a7e290f9d86f8cb38ea3b574670c0c0e91af93af06686fa21ecf4f"
-           }
-         ],
-         "depName": "",
-         "fileNameSuffix": ".bal"
-      }
-    ]
-  service-type: ClusterIP
-kind: ConfigMap
-metadata:
-  name: kubeless-config
-  namespace: kubeless
----
-apiVersion: apps/v1beta1
-kind: Deployment
-metadata:
-  labels:
-    kubeless: controller
-  name: kubeless-controller-manager
-  namespace: kubeless
-spec:
-  selector:
-    matchLabels:
-      kubeless: controller
-  template:
-    metadata:
-      labels:
-        kubeless: controller
-    spec:
-      containers:
-      - env:
-        - name: KUBELESS_INGRESS_ENABLED
-          valueFrom:
-            configMapKeyRef:
-              key: ingress-enabled
-              name: kubeless-config
-        - name: KUBELESS_SERVICE_TYPE
-          valueFrom:
-            configMapKeyRef:
-              key: service-type
-              name: kubeless-config
-        - name: KUBELESS_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        - name: KUBELESS_CONFIG
-          value: kubeless-config
-        image: bitnami/kubeless-controller-manager:v1.0.0-alpha.6
-        imagePullPolicy: IfNotPresent
-        name: kubeless-controller-manager
-      serviceAccountName: controller-acct

integrations/kubernetes-response-engine/deployment/cncf/kubeless/nats-v1.0.0-alpha.6.yaml

@@ -1,73 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
-metadata:
-  name: nats-controller-deployer
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - services
-  - configmaps
-  verbs:
-  - get
-  - list
-- apiGroups:
-  - kubeless.io
-  resources:
-  - functions
-  - natstriggers
-  verbs:
-  - get
-  - list
-  - watch
-  - update
-  - delete
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
-  name: nats-controller-deployer
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: nats-controller-deployer
-subjects:
-- kind: ServiceAccount
-  name: controller-acct
-  namespace: kubeless
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: natstriggers.kubeless.io
-spec:
-  group: kubeless.io
-  names:
-    kind: NATSTrigger
-    plural: natstriggers
-    singular: natstrigger
-  scope: Namespaced
-  version: v1beta1
----
-apiVersion: apps/v1beta1
-kind: Deployment
-metadata:
-  labels:
-    kubeless: nats-trigger-controller
-  name: nats-trigger-controller
-  namespace: kubeless
-spec:
-  selector:
-    matchLabels:
-      kubeless: nats-trigger-controller
-  template:
-    metadata:
-      labels:
-        kubeless: nats-trigger-controller
-    spec:
-      containers:
-      - image: bitnami/nats-trigger-controller:v1.0.0-alpha.6
-        imagePullPolicy: IfNotPresent
-        name: nats-trigger-controller
-      serviceAccountName: controller-acct

integrations/kubernetes-response-engine/deployment/cncf/nats/deployment-rbac.yaml

@@ -1,82 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: nats-io
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: nats-operator
-  namespace: nats-io
----
-apiVersion: apps/v1beta2
-kind: Deployment
-metadata:
-  name: nats-operator
-  namespace: nats-io
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      name: nats-operator
-  template:
-    metadata:
-      labels:
-        name: nats-operator
-    spec:
-      serviceAccountName: nats-operator
-      containers:
-      - name: nats-operator
-        image: connecteverything/nats-operator:0.2.2-v1alpha2
-        imagePullPolicy: Always
-        env:
-        - name: MY_POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        - name: MY_POD_NAME
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.name
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: nats-io:nats-operator-binding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: nats-io:nats-operator
-subjects:
-- kind: ServiceAccount
-  name: nats-operator
-  namespace: nats-io
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: nats-io:nats-operator
-rules:
-# Allow creating CRDs
-- apiGroups:
-  - apiextensions.k8s.io
-  resources:
-  - customresourcedefinitions
-  verbs: ["*"]
-# Allow all actions on NatsClusters
-- apiGroups:
-  - nats.io
-  resources:
-  - natsclusters
-  verbs: ["*"]
-# Allow actions on basic Kubernetes objects
-- apiGroups: [""]
-  resources:
-  - configmaps
-  - secrets
-  - pods
-  - services
-  - endpoints
-  - events
-  verbs: ["*"]

integrations/kubernetes-response-engine/deployment/cncf/nats/nats-cluster.yaml

@@ -1,8 +0,0 @@
-apiVersion: "nats.io/v1alpha2"
-kind: "NatsCluster"
-metadata:
-  name: "nats"
-  namespace: "nats-io"
-spec:
-  size: 3
-  version: "1.1.0"

integrations/kubernetes-response-engine/deployment/cncf/network-policy.yaml

@@ -1,11 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: isolate
-spec:
-  podSelector:
-    matchLabels:
-      isolated: 'true'
-  policyTypes:
-  - Ingress
-  - Egress

integrations/kubernetes-response-engine/deployment/cncf/rbac.yaml

@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
-  name: sysdig-kubeless
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-- kind: ServiceAccount
-  name: default
-  namespace: default

integrations/kubernetes-response-engine/falco-nats/.gitignore

@@ -1 +0,0 @@
-falco-nats

integrations/kubernetes-response-engine/falco-nats/Dockerfile

@@ -1,5 +0,0 @@
-FROM alpine:latest
-
-COPY ./falco-nats /bin/
-
-CMD ["/bin/falco-nats"]

integrations/kubernetes-response-engine/falco-nats/Makefile

@@ -1,12 +0,0 @@
-build:
-	GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="-s" -o falco-nats main.go
-
-deps:
-	go get -u github.com/nats-io/go-nats
-
-clean:
-	rm falco-nats
-
-docker: build
-	docker build -t sysdig/falco-nats .
-	docker push sysdig/falco-nats

integrations/kubernetes-response-engine/falco-nats/README.md

@@ -1,27 +0,0 @@
-# NATS output for Sysdig Falco
-
-As Falco does not support a NATS output natively, we have created this small
-golang utility wich reads Falco alerts from a named pipe and sends them to a
-NATS server.
-
-This utility is designed to being run in a sidecar container in the same
-Pod as Falco.
-
-## Configuration
-
-You have a [complete Kubernetes manifest available](https://github.com/draios/falco/tree/kubernetes-response-engine/deployment/falco/falco-daemonset.yaml) for future reading.
-
-Take a look at sidecar container and to the initContainers directive which
-craetes the shared pipe between containers.
-
-### Container image
-
-You have this adapter available as a container image. Its name is *sysdig/falco-nats*.
-
-### Parameters Reference
-
-* -s: Specifies the NATS server URL where message will be published.  By default
-    is: *nats://nats.nats-io.svc.cluster.local:4222*
-
-* -f: Specifies the named pipe path where Falco publishes its alerts. By default
-    is: */var/run/falco/nats*

integrations/kubernetes-response-engine/falco-nats/main.go

@@ -1,100 +0,0 @@
-// Copyright 2012-2018 The NATS Authors
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// +build ignore
-
-package main
-
-import (
-	"bufio"
-	"encoding/json"
-	"flag"
-	"github.com/nats-io/go-nats"
-	"log"
-	"os"
-	"regexp"
-	"strings"
-)
-
-var slugRegularExpression = regexp.MustCompile("[^a-z0-9]+")
-
-func main() {
-	var urls = flag.String("s", "nats://nats.nats-io.svc.cluster.local:4222", "The nats server URLs (separated by comma)")
-	var pipePath = flag.String("f", "/var/run/falco/nats", "The named pipe path")
-
-	log.SetFlags(0)
-	flag.Usage = usage
-	flag.Parse()
-
-	nc, err := nats.Connect(*urls)
-	if err != nil {
-		log.Fatal(err)
-	}
-	defer nc.Close()
-
-	pipe, err := os.OpenFile(*pipePath, os.O_RDONLY, 0600)
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	log.Printf("Opened pipe %s", *pipePath)
-
-	reader := bufio.NewReader(pipe)
-	scanner := bufio.NewScanner(reader)
-
-	log.Printf("Scanning %s", *pipePath)
-
-	for scanner.Scan() {
-		msg := []byte(scanner.Text())
-
-		subj, err := subjectAndRuleSlug(msg)
-		if err != nil {
-			log.Fatal(err)
-		}
-		nc.Publish(subj, msg)
-		nc.Flush()
-
-		if err := nc.LastError(); err != nil {
-			log.Fatal(err)
-		} else {
-			log.Printf("Published [%s] : '%s'\n", subj, msg)
-		}
-	}
-}
-
-func usage() {
-	log.Fatalf("Usage: nats-pub [-s server (%s)] <subject> <msg> \n", nats.DefaultURL)
-}
-
-type parsedAlert struct {
-	Priority string `json:"priority"`
-	Rule     string `json:"rule"`
-}
-
-func subjectAndRuleSlug(alert []byte) (string, error) {
-	var result parsedAlert
-	err := json.Unmarshal(alert, &result)
-
-	if err != nil {
-		return "", err
-	}
-
-	subject := "falco." + result.Priority + "." + slugify(result.Rule)
-	subject = strings.ToLower(subject)
-
-	return subject, nil
-}
-
-func slugify(input string) string {
-	return strings.Trim(slugRegularExpression.ReplaceAllString(strings.ToLower(input), "_"), "_")
-}

integrations/kubernetes-response-engine/falco-sns/.gitignore

@@ -1 +0,0 @@
-falco-sns

integrations/kubernetes-response-engine/falco-sns/Dockerfile

@@ -1,8 +0,0 @@
-FROM alpine:latest
-MAINTAINER Néstor Salceda<nestor.salceda@sysdig.com>
-
-RUN apk add --no-cache ca-certificates
-
-COPY ./falco-sns /bin/
-
-CMD ["/bin/falco-sns"]

integrations/kubernetes-response-engine/falco-sns/Makefile

@@ -1,12 +0,0 @@
-build:
-	GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="-s" -o falco-sns main.go
-
-deps:
-	go get -u github.com/aws/aws-sdk-go/
-
-clean:
-	rm falco-sns
-
-docker: build
-	docker build -t sysdig/falco-sns .
-	docker push sysdig/falco-sns

integrations/kubernetes-response-engine/falco-sns/README.md

@@ -1,26 +0,0 @@
-# SNS output for Sysdig Falco
-
-As Falco does not support AWS SNS output natively, we have created this small
-golang utility wich reads Falco alerts from a named pipe and sends them to a
-SNS topic.
-
-This utility is designed to being run in a sidecar container in the same
-Pod as Falco.
-
-## Configuration
-
-You have a [complete Kubernetes manifest available](https://github.com/draios/falco/tree/kubernetes-response-engine/deployment/falco/falco-daemonset.yaml) for future reading.
-
-Take a look at sidecar container and to the initContainers directive which
-craetes the shared pipe between containers.
-
-### Container image
-
-You have this adapter available as a container image. Its name is *sysdig/falco-sns*.
-
-### Parameters Reference
-
-* -t: Specifies the ARN SNS topic where message will be published.
-
-* -f: Specifies the named pipe path where Falco publishes its alerts. By default
-    is: */var/run/falco/nats*

integrations/kubernetes-response-engine/falco-sns/main.go

@@ -1,101 +0,0 @@
-// Copyright 2012-2018 The Sysdig Tech Marketing Team
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// +build ignore
-
-package main
-
-import (
-	"bufio"
-	"encoding/json"
-	"flag"
-	"log"
-	"os"
-
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/session"
-	"github.com/aws/aws-sdk-go/service/sns"
-)
-
-func main() {
-	var topic = flag.String("t", "", "The AWS SNS topic ARN")
-	var pipePath = flag.String("f", "/var/run/falco/nats", "The named pipe path")
-
-	log.SetFlags(0)
-	flag.Usage = usage
-	flag.Parse()
-
-	session, err := session.NewSession(&aws.Config{Region: aws.String(os.Getenv("AWS_DEFAULT_REGION"))})
-	if err != nil {
-		log.Fatal(err)
-	}
-	svc := sns.New(session)
-
-	pipe, err := os.OpenFile(*pipePath, os.O_RDONLY, 0600)
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	log.Printf("Opened pipe %s", *pipePath)
-
-	reader := bufio.NewReader(pipe)
-	scanner := bufio.NewScanner(reader)
-
-	log.Printf("Scanning %s", *pipePath)
-
-	for scanner.Scan() {
-		msg := []byte(scanner.Text())
-		alert := parseAlert(msg)
-
-		params := &sns.PublishInput{
-			Message: aws.String(string(msg)),
-			MessageAttributes: map[string]*sns.MessageAttributeValue{
-				"priority": &sns.MessageAttributeValue{
-					DataType:    aws.String("String"),
-					StringValue: aws.String(alert.Priority),
-				},
-				"rule": &sns.MessageAttributeValue{
-					DataType:    aws.String("String"),
-					StringValue: aws.String(alert.Rule),
-				},
-			},
-			TopicArn: aws.String(*topic),
-		}
-
-		_, err := svc.Publish(params)
-		if err != nil {
-			log.Fatal(err)
-		} else {
-			log.Printf("Published [%s] : '%s'\n", *topic, msg)
-		}
-	}
-}
-
-func usage() {
-	log.Fatalf("Usage: falco-sns -t topic <subject> <msg> \n")
-}
-
-type parsedAlert struct {
-	Priority string `json:"priority"`
-	Rule     string `json:"rule"`
-}
-
-func parseAlert(alert []byte) *parsedAlert {
-	var result parsedAlert
-	err := json.Unmarshal(alert, &result)
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	return &result
-}

integrations/kubernetes-response-engine/playbooks/.gitignore

@@ -1,104 +0,0 @@
-# Byte-compiled / optimized / DLL files
-__pycache__/
-*.py[cod]
-*$py.class
-
-# C extensions
-*.so
-
-# Distribution / packaging
-.Python
-build/
-develop-eggs/
-dist/
-downloads/
-eggs/
-.eggs/
-lib/
-lib64/
-parts/
-sdist/
-var/
-wheels/
-*.egg-info/
-.installed.cfg
-*.egg
-MANIFEST
-
-# PyInstaller
-#  Usually these files are written by a python script from a template
-#  before PyInstaller builds the exe, so as to inject date/other infos into it.
-*.manifest
-*.spec
-
-# Installer logs
-pip-log.txt
-pip-delete-this-directory.txt
-
-# Unit test / coverage reports
-htmlcov/
-.tox/
-.coverage
-.coverage.*
-.cache
-nosetests.xml
-coverage.xml
-*.cover
-.hypothesis/
-.pytest_cache/
-
-# Translations
-*.mo
-*.pot
-
-# Django stuff:
-*.log
-local_settings.py
-db.sqlite3
-
-# Flask stuff:
-instance/
-.webassets-cache
-
-# Scrapy stuff:
-.scrapy
-
-# Sphinx documentation
-docs/_build/
-
-# PyBuilder
-target/
-
-# Jupyter Notebook
-.ipynb_checkpoints
-
-# pyenv
-.python-version
-
-# celery beat schedule file
-celerybeat-schedule
-
-# SageMath parsed files
-*.sage.py
-
-# Environments
-.env
-.venv
-env/
-venv/
-ENV/
-env.bak/
-venv.bak/
-
-# Spyder project settings
-.spyderproject
-.spyproject
-
-# Rope project settings
-.ropeproject
-
-# mkdocs documentation
-/site
-
-# mypy
-.mypy_cache/

integrations/kubernetes-response-engine/playbooks/Pipfile

@@ -1,21 +0,0 @@
-[[source]]
-url = "https://pypi.python.org/simple"
-verify_ssl = true
-name = "pypi"
-
-[dev-packages]
-mamba = "*"
-expects = "*"
-doublex = "*"
-doublex-expects = "==0.7.0rc2"
-six = "*"
-playbooks = {path = "."}
-
-[packages]
-kubernetes = "*"
-requests = "*"
-"e1839a8" = {path = ".", editable = true}
-maya = "*"
-
-[requires]
-python_version = "*"

integrations/kubernetes-response-engine/playbooks/Pipfile.lock

@@ -1,415 +0,0 @@
-{
-    "_meta": {
-        "hash": {
-            "sha256": "ee8fff436e311a11069488c3d0955fef8cc3b4dd0d42ef8515e2e5858448623b"
-        },
-        "pipfile-spec": 6,
-        "requires": {
-            "python_version": "*"
-        },
-        "sources": [
-            {
-                "name": "pypi",
-                "url": "https://pypi.python.org/simple",
-                "verify_ssl": true
-            }
-        ]
-    },
-    "default": {
-        "adal": {
-            "hashes": [
-                "sha256:ba52913c38d76b4a4d88eaab41a5763d056ab6d073f106e0605b051ab930f5c1",
-                "sha256:bf79392b8e9e5e82aa6acac3835ba58bbac0ccf7e15befa215863f83d5f6a007"
-            ],
-            "version": "==1.2.0"
-        },
-        "asn1crypto": {
-            "hashes": [
-                "sha256:2f1adbb7546ed199e3c90ef23ec95c5cf3585bac7d11fb7eb562a3fe89c64e87",
-                "sha256:9d5c20441baf0cb60a4ac34cc447c6c189024b6b4c6cd7877034f4965c464e49"
-            ],
-            "version": "==0.24.0"
-        },
-        "cachetools": {
-            "hashes": [
-                "sha256:0a258d82933a1dd18cb540aca4ac5d5690731e24d1239a08577b814998f49785",
-                "sha256:4621965b0d9d4c82a79a29edbad19946f5e7702df4afae7d1ed2df951559a8cc"
-            ],
-            "version": "==3.0.0"
-        },
-        "certifi": {
-            "hashes": [
-                "sha256:339dc09518b07e2fa7eda5450740925974815557727d6bd35d319c1524a04a4c",
-                "sha256:6d58c986d22b038c8c0df30d639f23a3e6d172a05c3583e766f4c0b785c0986a"
-            ],
-            "version": "==2018.10.15"
-        },
-        "cffi": {
-            "hashes": [
-                "sha256:151b7eefd035c56b2b2e1eb9963c90c6302dc15fbd8c1c0a83a163ff2c7d7743",
-                "sha256:1553d1e99f035ace1c0544050622b7bc963374a00c467edafac50ad7bd276aef",
-                "sha256:1b0493c091a1898f1136e3f4f991a784437fac3673780ff9de3bcf46c80b6b50",
-                "sha256:2ba8a45822b7aee805ab49abfe7eec16b90587f7f26df20c71dd89e45a97076f",
-                "sha256:3bb6bd7266598f318063e584378b8e27c67de998a43362e8fce664c54ee52d30",
-                "sha256:3c85641778460581c42924384f5e68076d724ceac0f267d66c757f7535069c93",
-                "sha256:3eb6434197633b7748cea30bf0ba9f66727cdce45117a712b29a443943733257",
-                "sha256:495c5c2d43bf6cebe0178eb3e88f9c4aa48d8934aa6e3cddb865c058da76756b",
-                "sha256:4c91af6e967c2015729d3e69c2e51d92f9898c330d6a851bf8f121236f3defd3",
-                "sha256:57b2533356cb2d8fac1555815929f7f5f14d68ac77b085d2326b571310f34f6e",
-                "sha256:770f3782b31f50b68627e22f91cb182c48c47c02eb405fd689472aa7b7aa16dc",
-                "sha256:79f9b6f7c46ae1f8ded75f68cf8ad50e5729ed4d590c74840471fc2823457d04",
-                "sha256:7a33145e04d44ce95bcd71e522b478d282ad0eafaf34fe1ec5bbd73e662f22b6",
-                "sha256:857959354ae3a6fa3da6651b966d13b0a8bed6bbc87a0de7b38a549db1d2a359",
-                "sha256:87f37fe5130574ff76c17cab61e7d2538a16f843bb7bca8ebbc4b12de3078596",
-                "sha256:95d5251e4b5ca00061f9d9f3d6fe537247e145a8524ae9fd30a2f8fbce993b5b",
-                "sha256:9d1d3e63a4afdc29bd76ce6aa9d58c771cd1599fbba8cf5057e7860b203710dd",
-                "sha256:a36c5c154f9d42ec176e6e620cb0dd275744aa1d804786a71ac37dc3661a5e95",
-                "sha256:a6a5cb8809091ec9ac03edde9304b3ad82ad4466333432b16d78ef40e0cce0d5",
-                "sha256:ae5e35a2c189d397b91034642cb0eab0e346f776ec2eb44a49a459e6615d6e2e",
-                "sha256:b0f7d4a3df8f06cf49f9f121bead236e328074de6449866515cea4907bbc63d6",
-                "sha256:b75110fb114fa366b29a027d0c9be3709579602ae111ff61674d28c93606acca",
-                "sha256:ba5e697569f84b13640c9e193170e89c13c6244c24400fc57e88724ef610cd31",
-                "sha256:be2a9b390f77fd7676d80bc3cdc4f8edb940d8c198ed2d8c0be1319018c778e1",
-                "sha256:ca1bd81f40adc59011f58159e4aa6445fc585a32bb8ac9badf7a2c1aa23822f2",
-                "sha256:d5d8555d9bfc3f02385c1c37e9f998e2011f0db4f90e250e5bc0c0a85a813085",
-                "sha256:e55e22ac0a30023426564b1059b035973ec82186ddddbac867078435801c7801",
-                "sha256:e90f17980e6ab0f3c2f3730e56d1fe9bcba1891eeea58966e89d352492cc74f4",
-                "sha256:ecbb7b01409e9b782df5ded849c178a0aa7c906cf8c5a67368047daab282b184",
-                "sha256:ed01918d545a38998bfa5902c7c00e0fee90e957ce036a4000a88e3fe2264917",
-                "sha256:edabd457cd23a02965166026fd9bfd196f4324fe6032e866d0f3bd0301cd486f",
-                "sha256:fdf1c1dc5bafc32bc5d08b054f94d659422b05aba244d6be4ddc1c72d9aa70fb"
-            ],
-            "version": "==1.11.5"
-        },
-        "chardet": {
-            "hashes": [
-                "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae",
-                "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691"
-            ],
-            "version": "==3.0.4"
-        },
-        "cryptography": {
-            "hashes": [
-                "sha256:02602e1672b62e803e08617ec286041cc453e8d43f093a5f4162095506bc0beb",
-                "sha256:10b48e848e1edb93c1d3b797c83c72b4c387ab0eb4330aaa26da8049a6cbede0",
-                "sha256:17db09db9d7c5de130023657be42689d1a5f60502a14f6f745f6f65a6b8195c0",
-                "sha256:227da3a896df1106b1a69b1e319dce218fa04395e8cc78be7e31ca94c21254bc",
-                "sha256:2cbaa03ac677db6c821dac3f4cdfd1461a32d0615847eedbb0df54bb7802e1f7",
-                "sha256:31db8febfc768e4b4bd826750a70c79c99ea423f4697d1dab764eb9f9f849519",
-                "sha256:4a510d268e55e2e067715d728e4ca6cd26a8e9f1f3d174faf88e6f2cb6b6c395",
-                "sha256:6a88d9004310a198c474d8a822ee96a6dd6c01efe66facdf17cb692512ae5bc0",
-                "sha256:76936ec70a9b72eb8c58314c38c55a0336a2b36de0c7ee8fb874a4547cadbd39",
-                "sha256:7e3b4aecc4040928efa8a7cdaf074e868af32c58ffc9bb77e7bf2c1a16783286",
-                "sha256:8168bcb08403ef144ff1fb880d416f49e2728101d02aaadfe9645883222c0aa5",
-                "sha256:8229ceb79a1792823d87779959184a1bf95768e9248c93ae9f97c7a2f60376a1",
-                "sha256:8a19e9f2fe69f6a44a5c156968d9fc8df56d09798d0c6a34ccc373bb186cee86",
-                "sha256:8d10113ca826a4c29d5b85b2c4e045ffa8bad74fb525ee0eceb1d38d4c70dfd6",
-                "sha256:be495b8ec5a939a7605274b6e59fbc35e76f5ad814ae010eb679529671c9e119",
-                "sha256:dc2d3f3b1548f4d11786616cf0f4415e25b0fbecb8a1d2cd8c07568f13fdde38",
-                "sha256:e4aecdd9d5a3d06c337894c9a6e2961898d3f64fe54ca920a72234a3de0f9cb3",
-                "sha256:e79ab4485b99eacb2166f3212218dd858258f374855e1568f728462b0e6ee0d9",
-                "sha256:f995d3667301e1754c57b04e0bae6f0fa9d710697a9f8d6712e8cca02550910f"
-            ],
-            "version": "==2.3.1"
-        },
-        "dateparser": {
-            "hashes": [
-                "sha256:940828183c937bcec530753211b70f673c0a9aab831e43273489b310538dff86",
-                "sha256:b452ef8b36cd78ae86a50721794bc674aa3994e19b570f7ba92810f4e0a2ae03"
-            ],
-            "version": "==0.7.0"
-        },
-        "e1839a8": {
-            "editable": true,
-            "path": "."
-        },
-        "google-auth": {
-            "hashes": [
-                "sha256:9ca363facbf2622d9ba828017536ccca2e0f58bd15e659b52f312172f8815530",
-                "sha256:a4cf9e803f2176b5de442763bd339b313d3f1ed3002e3e1eb6eec1d7c9bbc9b4"
-            ],
-            "version": "==1.5.1"
-        },
-        "humanize": {
-            "hashes": [
-                "sha256:a43f57115831ac7c70de098e6ac46ac13be00d69abbf60bdcac251344785bb19"
-            ],
-            "version": "==0.5.1"
-        },
-        "idna": {
-            "hashes": [
-                "sha256:156a6814fb5ac1fc6850fb002e0852d56c0c8d2531923a51032d1b70760e186e",
-                "sha256:684a38a6f903c1d71d6d5fac066b58d7768af4de2b832e426ec79c30daa94a16"
-            ],
-            "version": "==2.7"
-        },
-        "kubernetes": {
-            "hashes": [
-                "sha256:0cc9ce02d838da660efa0a67270b4b7d47e6beb8889673cd45c86f897e2d6821",
-                "sha256:54f8e7bb1dd9a55cf416dff76a63c4ae441764280942d9913f2243676f29d02c"
-            ],
-            "index": "pypi",
-            "version": "==8.0.0"
-        },
-        "maya": {
-            "hashes": [
-                "sha256:6f63bc69aa77309fc220bc02618da8701a21da87c2e7a747ee5ccd56a907c3a5",
-                "sha256:f526bc8596d993f4bd9755668f66aaf61d635bb4149e084d4a2bc0ebe42aa0b6"
-            ],
-            "index": "pypi",
-            "version": "==0.5.0"
-        },
-        "oauthlib": {
-            "hashes": [
-                "sha256:ac35665a61c1685c56336bda97d5eefa246f1202618a1d6f34fccb1bdd404162",
-                "sha256:d883b36b21a6ad813953803edfa563b1b579d79ca758fe950d1bc9e8b326025b"
-            ],
-            "version": "==2.1.0"
-        },
-        "pendulum": {
-            "hashes": [
-                "sha256:4173ce3e81ad0d9d61dbce86f4286c43a26a398270df6a0a89f501f0c28ad27d",
-                "sha256:56a347d0457859c84b8cdba161fc37c7df5db9b3becec7881cd770e9d2058b3c",
-                "sha256:738878168eb26e5446da5d1f7b3312ae993a542061be8882099c00ef4866b1a2",
-                "sha256:95536b33ae152e3c831eb236c1bf9ac9dcfb3b5b98fdbe8e9e601eab6c373897",
-                "sha256:c04fcf955e622e97e405e5f6d1b1f4a7adc69d79d82f3609643de69283170d6d",
-                "sha256:dd6500d27bb7ccc029d497da4f9bd09549bd3c0ea276dad894ea2fdf309e83f3",
-                "sha256:ddaf97a061eb5e2ae37857a8cb548e074125017855690d20e443ad8d9f31e164",
-                "sha256:e7df37447824f9af0b58c7915a4caf349926036afd86ad38e7529a6b2f8fc34b",
-                "sha256:e9732b8bb214fad2c72ddcbfec07542effa8a8b704e174347ede1ff8dc679cce",
-                "sha256:f4eee1e1735487d9d25cc435c519fd4380cb1f82cde3ebad1efbc2fc30deca5b"
-            ],
-            "version": "==1.5.1"
-        },
-        "pyasn1": {
-            "hashes": [
-                "sha256:b9d3abc5031e61927c82d4d96c1cec1e55676c1a991623cfed28faea73cdd7ca",
-                "sha256:f58f2a3d12fd754aa123e9fa74fb7345333000a035f3921dbdaa08597aa53137"
-            ],
-            "version": "==0.4.4"
-        },
-        "pyasn1-modules": {
-            "hashes": [
-                "sha256:a0cf3e1842e7c60fde97cb22d275eb6f9524f5c5250489e292529de841417547",
-                "sha256:a38a8811ea784c0136abfdba73963876328f66172db21a05a82f9515909bfb4e"
-            ],
-            "version": "==0.2.2"
-        },
-        "pycparser": {
-            "hashes": [
-                "sha256:a988718abfad80b6b157acce7bf130a30876d27603738ac39f140993246b25b3"
-            ],
-            "version": "==2.19"
-        },
-        "pyjwt": {
-            "hashes": [
-                "sha256:30b1380ff43b55441283cc2b2676b755cca45693ae3097325dea01f3d110628c",
-                "sha256:4ee413b357d53fd3fb44704577afac88e72e878716116270d722723d65b42176"
-            ],
-            "version": "==1.6.4"
-        },
-        "python-dateutil": {
-            "hashes": [
-                "sha256:063df5763652e21de43de7d9e00ccf239f953a832941e37be541614732cdfc93",
-                "sha256:88f9287c0174266bb0d8cedd395cfba9c58e87e5ad86b2ce58859bc11be3cf02"
-            ],
-            "version": "==2.7.5"
-        },
-        "pytz": {
-            "hashes": [
-                "sha256:31cb35c89bd7d333cd32c5f278fca91b523b0834369e757f4c5641ea252236ca",
-                "sha256:8e0f8568c118d3077b46be7d654cc8167fa916092e28320cde048e54bfc9f1e6"
-            ],
-            "version": "==2018.7"
-        },
-        "pytzdata": {
-            "hashes": [
-                "sha256:10c74b0cfc51a9269031f86ecd11096c9c6a141f5bb15a3b8a88f9979f6361e2",
-                "sha256:279cbd9900d5da9a8f9053e60db0db7f42d9a799673744b76aaeb6b4f14abe77"
-            ],
-            "version": "==2018.7"
-        },
-        "pyyaml": {
-            "hashes": [
-                "sha256:3d7da3009c0f3e783b2c873687652d83b1bbfd5c88e9813fb7e5b03c0dd3108b",
-                "sha256:3ef3092145e9b70e3ddd2c7ad59bdd0252a94dfe3949721633e41344de00a6bf",
-                "sha256:40c71b8e076d0550b2e6380bada1f1cd1017b882f7e16f09a65be98e017f211a",
-                "sha256:558dd60b890ba8fd982e05941927a3911dc409a63dcb8b634feaa0cda69330d3",
-                "sha256:a7c28b45d9f99102fa092bb213aa12e0aaf9a6a1f5e395d36166639c1f96c3a1",
-                "sha256:aa7dd4a6a427aed7df6fb7f08a580d68d9b118d90310374716ae90b710280af1",
-                "sha256:bc558586e6045763782014934bfaf39d48b8ae85a2713117d16c39864085c613",
-                "sha256:d46d7982b62e0729ad0175a9bc7e10a566fc07b224d2c79fafb5e032727eaa04",
-                "sha256:d5eef459e30b09f5a098b9cea68bebfeb268697f78d647bd255a085371ac7f3f",
-                "sha256:e01d3203230e1786cd91ccfdc8f8454c8069c91bee3962ad93b87a4b2860f537",
-                "sha256:e170a9e6fcfd19021dd29845af83bb79236068bf5fd4df3327c1be18182b2531"
-            ],
-            "version": "==3.13"
-        },
-        "regex": {
-            "hashes": [
-                "sha256:384c78351ceb08b9f04e28552edea9af837d05ad4fda9a187a7bbd82759f29b6",
-                "sha256:41b70db2608726396de185e7571a70391507ab47a64b564f59861ff13f2c50a5",
-                "sha256:50f4b57696883fdbb0494cf1ff1cf6e04790d5e1848dff0b2cf28a2b97614351",
-                "sha256:81515123132f9ab0cc8128d035ba7db7783206e4616bdabd3faba335b9add185",
-                "sha256:91e965833a9f93b3e6abfef815026ccb8a9abe12c0958c723fc6c0d396384602",
-                "sha256:9cb058e53c2488b6cba85a7e6ce6d659b3f33ebe00f613dc9fda46de788a1298",
-                "sha256:b41a81228c3994789d4785d9fef96770f9a6b564a30c10af671bd5a4078da6f4",
-                "sha256:cf20d6539e00021793df23c2a98d57aff84f9402f81ac5896fffb4f8c8a08897",
-                "sha256:f937fdbcdb1e455c23709f5cf6df91a0ecfe8c23268f601606173232958daa8d"
-            ],
-            "version": "==2018.11.6"
-        },
-        "requests": {
-            "hashes": [
-                "sha256:99dcfdaaeb17caf6e526f32b6a7b780461512ab3f1d992187801694cba42770c",
-                "sha256:a84b8c9ab6239b578f22d1c21d51b696dcfe004032bb80ea832398d6909d7279"
-            ],
-            "index": "pypi",
-            "version": "==2.20.0"
-        },
-        "requests-oauthlib": {
-            "hashes": [
-                "sha256:8886bfec5ad7afb391ed5443b1f697c6f4ae98d0e5620839d8b4499c032ada3f",
-                "sha256:e21232e2465808c0e892e0e4dbb8c2faafec16ac6dc067dd546e9b466f3deac8"
-            ],
-            "version": "==1.0.0"
-        },
-        "rsa": {
-            "hashes": [
-                "sha256:14ba45700ff1ec9eeb206a2ce76b32814958a98e372006c8fb76ba820211be66",
-                "sha256:1a836406405730121ae9823e19c6e806c62bbad73f890574fff50efa4122c487"
-            ],
-            "version": "==4.0"
-        },
-        "six": {
-            "hashes": [
-                "sha256:70e8a77beed4562e7f14fe23a786b54f6296e34344c23bc42f07b15018ff98e9",
-                "sha256:832dc0e10feb1aa2c68dcc57dbb658f1c7e65b9b61af69048abc87a2db00a0eb"
-            ],
-            "version": "==1.11.0"
-        },
-        "snaptime": {
-            "hashes": [
-                "sha256:e3f1eb89043d58d30721ab98cb65023f1a4c2740e3b197704298b163c92d508b"
-            ],
-            "version": "==0.2.4"
-        },
-        "tzlocal": {
-            "hashes": [
-                "sha256:4ebeb848845ac898da6519b9b31879cf13b6626f7184c496037b818e238f2c4e"
-            ],
-            "version": "==1.5.1"
-        },
-        "urllib3": {
-            "hashes": [
-                "sha256:61bf29cada3fc2fbefad4fdf059ea4bd1b4a86d2b6d15e1c7c0b582b9752fe39",
-                "sha256:de9529817c93f27c8ccbfead6985011db27bd0ddfcdb2d86f3f663385c6a9c22"
-            ],
-            "version": "==1.24.1"
-        },
-        "websocket-client": {
-            "hashes": [
-                "sha256:8c8bf2d4f800c3ed952df206b18c28f7070d9e3dcbd6ca6291127574f57ee786",
-                "sha256:e51562c91ddb8148e791f0155fdb01325d99bb52c4cdbb291aee7a3563fd0849"
-            ],
-            "version": "==0.54.0"
-        }
-    },
-    "develop": {
-        "args": {
-            "hashes": [
-                "sha256:a785b8d837625e9b61c39108532d95b85274acd679693b71ebb5156848fcf814"
-            ],
-            "version": "==0.1.0"
-        },
-        "clint": {
-            "hashes": [
-                "sha256:05224c32b1075563d0b16d0015faaf9da43aa214e4a2140e51f08789e7a4c5aa"
-            ],
-            "version": "==0.5.1"
-        },
-        "coverage": {
-            "hashes": [
-                "sha256:03481e81d558d30d230bc12999e3edffe392d244349a90f4ef9b88425fac74ba",
-                "sha256:0b136648de27201056c1869a6c0d4e23f464750fd9a9ba9750b8336a244429ed",
-                "sha256:0bf8cbbd71adfff0ef1f3a1531e6402d13b7b01ac50a79c97ca15f030dba6306",
-                "sha256:10a46017fef60e16694a30627319f38a2b9b52e90182dddb6e37dcdab0f4bf95",
-                "sha256:198626739a79b09fa0a2f06e083ffd12eb55449b5f8bfdbeed1df4910b2ca640",
-                "sha256:23d341cdd4a0371820eb2b0bd6b88f5003a7438bbedb33688cd33b8eae59affd",
-                "sha256:28b2191e7283f4f3568962e373b47ef7f0392993bb6660d079c62bd50fe9d162",
-                "sha256:2a5b73210bad5279ddb558d9a2bfedc7f4bf6ad7f3c988641d83c40293deaec1",
-                "sha256:2eb564bbf7816a9d68dd3369a510be3327f1c618d2357fa6b1216994c2e3d508",
-                "sha256:337ded681dd2ef9ca04ef5d93cfc87e52e09db2594c296b4a0a3662cb1b41249",
-                "sha256:3a2184c6d797a125dca8367878d3b9a178b6fdd05fdc2d35d758c3006a1cd694",
-                "sha256:3c79a6f7b95751cdebcd9037e4d06f8d5a9b60e4ed0cd231342aa8ad7124882a",
-                "sha256:3d72c20bd105022d29b14a7d628462ebdc61de2f303322c0212a054352f3b287",
-                "sha256:3eb42bf89a6be7deb64116dd1cc4b08171734d721e7a7e57ad64cc4ef29ed2f1",
-                "sha256:4635a184d0bbe537aa185a34193898eee409332a8ccb27eea36f262566585000",
-                "sha256:56e448f051a201c5ebbaa86a5efd0ca90d327204d8b059ab25ad0f35fbfd79f1",
-                "sha256:5a13ea7911ff5e1796b6d5e4fbbf6952381a611209b736d48e675c2756f3f74e",
-                "sha256:69bf008a06b76619d3c3f3b1983f5145c75a305a0fea513aca094cae5c40a8f5",
-                "sha256:6bc583dc18d5979dc0f6cec26a8603129de0304d5ae1f17e57a12834e7235062",
-                "sha256:701cd6093d63e6b8ad7009d8a92425428bc4d6e7ab8d75efbb665c806c1d79ba",
-                "sha256:7608a3dd5d73cb06c531b8925e0ef8d3de31fed2544a7de6c63960a1e73ea4bc",
-                "sha256:76ecd006d1d8f739430ec50cc872889af1f9c1b6b8f48e29941814b09b0fd3cc",
-                "sha256:7aa36d2b844a3e4a4b356708d79fd2c260281a7390d678a10b91ca595ddc9e99",
-                "sha256:7d3f553904b0c5c016d1dad058a7554c7ac4c91a789fca496e7d8347ad040653",
-                "sha256:7e1fe19bd6dce69d9fd159d8e4a80a8f52101380d5d3a4d374b6d3eae0e5de9c",
-                "sha256:8c3cb8c35ec4d9506979b4cf90ee9918bc2e49f84189d9bf5c36c0c1119c6558",
-                "sha256:9d6dd10d49e01571bf6e147d3b505141ffc093a06756c60b053a859cb2128b1f",
-                "sha256:be6cfcd8053d13f5f5eeb284aa8a814220c3da1b0078fa859011c7fffd86dab9",
-                "sha256:c1bb572fab8208c400adaf06a8133ac0712179a334c09224fb11393e920abcdd",
-                "sha256:de4418dadaa1c01d497e539210cb6baa015965526ff5afc078c57ca69160108d",
-                "sha256:e05cb4d9aad6233d67e0541caa7e511fa4047ed7750ec2510d466e806e0255d6",
-                "sha256:f05a636b4564104120111800021a92e43397bc12a5c72fed7036be8556e0029e",
-                "sha256:f3f501f345f24383c0000395b26b726e46758b71393267aeae0bd36f8b3ade80"
-            ],
-            "version": "==4.5.1"
-        },
-        "doublex": {
-            "hashes": [
-                "sha256:bdfa5007ec6f93fcdb05683ef559dd7919b7fe217df41fd240f8d4b2f681ba21"
-            ],
-            "index": "pypi",
-            "version": "==1.9.1"
-        },
-        "doublex-expects": {
-            "hashes": [
-                "sha256:5421bd92319c77ccc5a81d595d06e9c9f7f670de342b33e8007a81e70f9fade8"
-            ],
-            "index": "pypi",
-            "version": "==0.7.0rc2"
-        },
-        "expects": {
-            "hashes": [
-                "sha256:419902ccafe81b7e9559eeb6b7a07ef9d5c5604eddb93000f0642b3b2d594f4c"
-            ],
-            "index": "pypi",
-            "version": "==0.9.0"
-        },
-        "mamba": {
-            "hashes": [
-                "sha256:25328151ea94d97a0b461d7256dc7350c99b5f8d2de22d355978378edfeac545"
-            ],
-            "index": "pypi",
-            "version": "==0.10"
-        },
-        "playbooks": {
-            "path": "."
-        },
-        "pyhamcrest": {
-            "hashes": [
-                "sha256:6b672c02fdf7470df9674ab82263841ce8333fb143f32f021f6cb26f0e512420",
-                "sha256:8ffaa0a53da57e89de14ced7185ac746227a8894dbd5a3c718bf05ddbd1d56cd"
-            ],
-            "version": "==1.9.0"
-        },
-        "six": {
-            "hashes": [
-                "sha256:70e8a77beed4562e7f14fe23a786b54f6296e34344c23bc42f07b15018ff98e9",
-                "sha256:832dc0e10feb1aa2c68dcc57dbb658f1c7e65b9b61af69048abc87a2db00a0eb"
-            ],
-            "version": "==1.11.0"
-        }
-    }
-}

integrations/kubernetes-response-engine/playbooks/README.md

@@ -1,228 +0,0 @@
-# Playbooks
-
-Following [owasp ideas](https://owaspsummit.org/Working-Sessions/Security-Playbooks/index.html),
-playbooks are workflows and prescriptive instructions on how to handle specific
-Security activities or incidents.
-
-Being more specific, playbooks are actions that are going to be executed when
-Falco finds a weird behavior in our Kubernetes cluster. We have implemented
-them with Python and we have found that several Serverless concepts fits well
-with playbooks, so we use [Kubeless](https://kubeless.io/) for its deployment.
-
-## Requirements
-
-* A working Kubernetes cluster
-* [kubeless cli executable](https://kubeless.io/docs/quick-start/)
-* Python 3.6
-* pipenv
-
-## Deploying a playbook
-
-Deploying a playbook involves a couple of components, the function that is going
-to be with Kubeless and a trigger for that function.
-
-We have automated those steps in a generic script *deploy_playbook* who packages
-the reaction and its dependencies, uploads to Kubernetes and creates the kubeless
-trigger.
-
-```
-./deploy_playbook -p slack -e SLACK_WEBHOOK_URL="https://..." -t "falco.error.*" -t "falco.info.*"
-```
-
-### Parameters
-
-* -p: The playbook to deploy, it must match with the top-level script. In this
-    example *slack.py* that contains the wiring between playbooks and Kubeless
-    functions.
-
-* -e: Sets configuration settings for Playbook. In this case the URL where we
-    have to post messages. You can specify multiple *-e* flags.
-
-* -t: Topic to susbcribe. You can specify multiple *-t* flags and a trigger
-    will be created for each topic, so when we receive a message in that topic,
-    our function will be ran. In this case, playbook will be run when a
-    falco.error or falco.info alert is raised.
-
-### Kubeless 101
-
-Under the hood, there are several useful commands for checking function state with kubeless.
-
-
-We can retrieve all functions deployed in our cluster:
-```
-kubeless function list
-```
-
-And we can see several interesting stats about a function usage:
-```
-kubeless function top
-```
-
-And we can see bindings between functions and NATS topics:
-```
-kubeless trigger nats list
-```
-
-### Undeploying a function
-
-You have to delete every component using kubeless cli tool.
-
-Generally, it takes 2 steps: Remove the triggers and remove the function.
-
-Remove the triggers:
-```
-kubeless trigger nats delete trigger-name
-```
-
-If you have deployed with the script, trigger-name look like:
-*falco-<playbook>-trigger-<index>* where index is the index of the topic created.
-Anyway, you can list all triggers and select the name.
-
-
-Remove the function:
-```
-kubeless function delete function-name
-```
-
-If you have deployed with the script, the function name will start with *falco-<playbook>*,
-but you can list all functions and select its name.
-
-## Testing
-
-One of the goals of the project was that playbooks were tested.
-
-You can execute the tests with:
-
-```
-pipenv --three install -d
-export KUBERNETES_LOAD_KUBE_CONFIG=1
-pipenv run mamba --format=documentation
-```
-
-The first line install development tools, which includes test runner and assertions.
-The second one tells Kubernetes Client to use the same configuration than kubectl and
-the third one runs the test.
-
-The tests under *specs/infrastructure* runs against a real Kubernetes cluster,
-but the *spec/reactions* can be run without any kind of infrastructure.
-
-## Available Playbooks
-
-### Delete a Pod
-
-This playbook kills a pod using Kubernetes API
-
-```
-./deploy_playbook -p delete -t "falco.notice.terminal_shell_in_container"
-```
-
-In this example, everytime we receive a *Terminal shell in container* alert from
-Falco, that pod will be deleted.
-
-### Send message to Slack
-
-This playbook posts a message to Slack
-
-```
-./deploy_playbook -p slack -t "falco.error.*" -e SLACK_WEBHOOK_URL="https://..."
-```
-
-#### Parameters
-
-* SLACK_WEBHOOK_URL: This is the webhook used for posting messages in Slack
-
-In this example, when Falco raises an error we will be notified in Slack
-
-### Taint a Node
-
-This playbook taints the node which where pod is running.
-
-```
-$ ./deploy_playbook -p taint -t “falco.notice.contact_k8s_api_server_from_container”
-```
-
-#### Parameters:
-* TAINT_KEY: This is the taint key. Default value: ‘falco/alert’
-* TAINT_VALUE: This is the taint value. Default value: ‘true’
-* TAINT_EFFECT: This is the taint effect. Default value: ‘NoSchedule’
-
-In this example, we avoid scheduling in the node which originates the Contact
-K8S API server from container.  But we can use a more aggresive approach and
-use -e TAINT_EFFECT=NoExecute
-
-### Network isolate a Pod
-
-This reaction denies all ingress/egress traffic from a Pod. It's intended to
-be used with Calico or other similar projects for managing networking in
-Kubernetes.
-
-```
-./deploy_playbook -p isolate -t “falco.notice.write_below_binary_dir” -t “falco.error.write_below_etc”
-```
-
-So as soon as we notice someone wrote under /bin (and additional binaries) or
-/etc, we disconnect that pod. It's like a trap for our attackers.
-
-### Create an incident in Demisto
-
-This playbook creates an incident in Demisto
-
-```
-./deploy_playbook -p demisto -t "falco.*.*" -e DEMISTO_API_KEY=XxXxxXxxXXXx -e DEMISTO_BASE_URL=https://..."
-```
-
-#### Parameters
-
-* DEMISTO_API_KEY: This is the API key used for authenticating against Demisto. Create one under settings -> API keys
-* DEMISTO_BASE_URL: This is the base URL where your Demisto server lives on. Ensure there's no trailing slash.
-* VERIFY_SSL: Verify SSL certificates for HTTPS requests. By default is enabled.
-
-In this example, when Falco raises any kind of alert, the alert will be created in Demisto
-
-### Start a capture using Sysdig
-
-This playbook starts to capture information about pod using sysdig and uploads
-to a s3 bucket.
-
-```
-$ ./deploy_playbook -p capture -e CAPTURE_DURATION=300 -e AWS_S3_BUCKET=s3://xxxxxxx -e AWS_ACCESS_KEY_ID=xxxxXXXxxXXxXX -e AWS_SECRET_ACCESS_KEY=xxXxXXxxxxXXX -t "falco.notice.terminal_shell_in_container"
-```
-
-#### Parameters:
-* CAPTURE_DURATION: Captures data for this duration in seconds. By default is
-  120 seconds (2 minutes)
-* AWS_S3_BUCKET: This is the bucket where data is going to be uploaded. Jobs
-  starts with sysdig- prefix and contain pod name and time where event starts.
-* AWS_ACCESS_KEY_ID: This is the Amazon access key id.
-* AWS_SECRET_ACCESS_KEY: This is the Amazon secret access key.
-
-In this example, when we detect a shell in a container, we start to collect data
-for 300 seconds. This playbook requires permissions for creating a new pod from
-a Kubeless function.
-
-### Create a container in Phantom
-This playbook creates a container in Phantom
-
-```
-./deploy_playbook -p phantom -t "falco.*.*" -e PHANTOM_USER=user -e PHANTOM_PASSWORD=xxxXxxxX -e PHANTOM_BASE_URL=https://..."
-```
-
-#### Parameters
-* PHANTOM_USER: This is the user used to connect to Phantom
-* PHANTOM_PASSWORD: This is the password used to connect to Phantom
-* PHANTOM_BASE_URL: This is the base URL where your Phantom server lives on. Ensure there's no trailing slash.
-* VERIFY_SSL: Verify SSL certificates for HTTPS requests. By default is enabled.
-
-In this example, when Falco raises any kind of alert, the alert will be created in Phantom.
-
-## Deploying playbooks to AWS Lambda
-
-You can deploy functions to AWS Lambda using the `./deploy_playbook_aws` script.
-
-### Parameters
-
-* -p: The playbook to deploy, it must match with the top-level script.
-
-* -e: Sets configuration settings for Playbook. You can specify multiple *-e* flags.
-
-* -k: EKS cluster name against playbook is going to connect via K8s API.

integrations/kubernetes-response-engine/playbooks/deploy_playbook

@@ -1,87 +0,0 @@
-#!/bin/bash
-#
-# Deploys a playbook
-
-set -e
-
-function usage() {
-  cat<<EOF
-Usage: $0 [options]
-
--p playbook     Playbook to be deployed. Is the script for Kubeless: slack, taint, isolate.
--e environment  Environment variables for the Kubeless function.  You can pass multiple environment variables passing several -e parameters.
--t topic        NATS topic to subscribe function. You can bind to multiple topics passing several -t parameters.
-
-You must pass the playbook and at least one topic to subscribe.
-
-Example:
-
-deploy_playbook -p slack -t "falco.error.*" -e SLACK_WEBHOOK_URL=http://foobar.com/...
-EOF
-  exit 1
-}
-
-function create_environment_flags {
-  for env in ${environment[*]}; do
-    echo "--env ${env} "
-  done
-}
-
-playbook=""
-environment=()
-topics=()
-
-while getopts "p:e:t:" arg; do
-  case $arg in
-    p)
-      playbook="${OPTARG}"
-      ;;
-    e)
-      environment+=("${OPTARG}")
-      ;;
-    t)
-      topics+=("${OPTARG}")
-      ;;
-    *)
-      usage
-      ;;
-  esac
-done
-
-if [[ "${playbook}" == "" || ${#topics[@]} -eq 0 ]]; then
-  usage
-fi
-
-pipenv lock --requirements | sed '/^-/ d' > requirements.txt
-
-mkdir -p kubeless-function
-
-cp -r playbooks kubeless-function/
-
-cat > kubeless-function/"${playbook}".py <<EOL
-import sys
-import os.path
-sys.path.append(os.path.join(os.path.abspath(os.path.dirname(__file__))))
-
-EOL
-cat functions/"${playbook}".py >> kubeless-function/"${playbook}".py
-
-
-cd kubeless-function
-zip ../"${playbook}".zip -r *
-cd ..
-
-kubeless function deploy  --from-file "${playbook}".zip \
-                          --dependencies requirements.txt \
-                          $(create_environment_flags ${environment[*]}) \
-                          --runtime python3.6 \
-                          --handler "${playbook}".handler \
-                          falco-"${playbook}"
-
-rm -fr requirements.txt ${playbook}.zip kubeless-function
-
-for index in ${!topics[*]}; do
-  kubeless trigger nats create falco-"${playbook}"-trigger-"${index}" \
-      --function-selector created-by=kubeless,function=falco-${playbook} \
-      --trigger-topic "${topics[$index]}"
-done

integrations/kubernetes-response-engine/playbooks/deploy_playbook_aws

@@ -1,76 +0,0 @@
-#!/bin/bash
-#
-# Deploys a playbook
-
-set -e
-
-function usage() {
-  cat<<EOF
-Usage: $0 [options]
-
--p playbook             Playbook to be deployed. Is the script for Kubeless: slack, taint, isolate.
--e environment          Environment variables for the Kubeless function.  You can pass multiple environment variables passing several -e parameters.
--k kubernetes_cluster   Kubernetes cluster from aws eks list-clusters where function will be applied.
-
-You must pass the playbook and at least one topic to subscribe.
-
-Example:
-
-deploy_playbook -p slack -t "falco.error.*" -e SLACK_WEBHOOK_URL=http://foobar.com/... -k sysdig_eks
-EOF
-  exit 1
-}
-
-function join { local IFS="$1"; shift; echo "$*"; }
-
-playbook=""
-environment=("KUBECONFIG=kubeconfig" "KUBERNETES_LOAD_KUBE_CONFIG=1")
-eks_cluster="${EKS_CLUSTER}"
-
-while getopts "r:e:t:" arg; do
-  case $arg in
-    p)
-      playbook="${OPTARG}"
-      ;;
-    e)
-      environment+=("${OPTARG}")
-      ;;
-    k)
-      eks_cluster="${OPTARG}"
-      ;;
-    *)
-      usage
-      ;;
-  esac
-done
-
-if [[ "${playbook}" == "" ]] || [[ "${eks_cluster}" == "" ]]; then
-  usage
-fi
-
-pipenv lock --requirements | sed '/^-/ d' > requirements.txt
-
-mkdir -p lambda
-pip install -t lambda -r requirements.txt
-pip install -t lambda  .
-
-aws eks update-kubeconfig --name "${eks_cluster}" --kubeconfig lambda/kubeconfig
-sed -i "s/command: aws-iam-authenticator/command: .\/aws-iam-authenticator/g" lambda/kubeconfig
-
-cp extra/aws-iam-authenticator lambda/
-
-cp functions/"${playbook}".py lambda/
-
-cd lambda
-zip ../"${playbook}".zip  -r *
-cd ..
-
-aws lambda create-function \
-  --function-name falco-"${playbook}" \
-  --runtime python2.7 \
-  --role $(terraform output --state=../deployment/aws/terraform.tfstate iam_for_lambda) \
-  --environment Variables={"$(join , ${environment[*]})"} \
-  --handler "${playbook}".handler \
-  --zip-file fileb://./"${playbook}".zip
-
-rm -fr "${playbook}".zip lambda requirements.txt

integrations/kubernetes-response-engine/playbooks/functions/capture.py

@@ -1,20 +0,0 @@
-import sys
-import os.path
-sys.path.append(os.path.join(os.path.abspath(os.path.dirname(__file__))))
-
-import os
-import playbooks
-from playbooks import infrastructure
-
-
-playbook = playbooks.StartSysdigCaptureForContainer(
-    infrastructure.KubernetesClient(),
-    int(os.environ.get('CAPTURE_DURATION', 120)),
-    os.environ['AWS_S3_BUCKET'],
-    os.environ['AWS_ACCESS_KEY_ID'],
-    os.environ['AWS_SECRET_ACCESS_KEY']
-)
-
-
-def handler(event, context):
-    playbook.run(event['data'])

integrations/kubernetes-response-engine/playbooks/functions/delete.py

@@ -1,11 +0,0 @@
-import playbooks
-from playbooks import infrastructure
-
-
-playbook = playbooks.DeletePod(
-    infrastructure.KubernetesClient()
-)
-
-
-def handler(event, context):
-    playbook.run(playbooks.falco_alert(event))

integrations/kubernetes-response-engine/playbooks/functions/demisto.py

@@ -1,22 +0,0 @@
-import sys
-import os.path
-sys.path.append(os.path.join(os.path.abspath(os.path.dirname(__file__))))
-
-import os
-import playbooks
-from playbooks import infrastructure
-
-
-def _to_bool(value):
-    return value.lower() in ('yes', 'true', '1')
-
-
-playbook = playbooks.CreateIncidentInDemisto(
-    infrastructure.DemistoClient(os.environ['DEMISTO_API_KEY'],
-                                 os.environ['DEMISTO_BASE_URL']
-                                 verify_ssl=_to_bool(os.environ.get('VERIFY_SSL', 'True')))
-)
-
-
-def handler(event, context):
-    playbook.run(event['data'])

integrations/kubernetes-response-engine/playbooks/functions/isolate.py

@@ -1,11 +0,0 @@
-import playbooks
-from playbooks import infrastructure
-
-
-playbook = playbooks.NetworkIsolatePod(
-    infrastructure.KubernetesClient()
-)
-
-
-def handler(event, context):
-    playbook.run(playbooks.falco_alert(event))

integrations/kubernetes-response-engine/playbooks/functions/phantom.py

@@ -1,25 +0,0 @@
-import sys
-import os.path
-sys.path.append(os.path.join(os.path.abspath(os.path.dirname(__file__))))
-
-import os
-import playbooks
-from playbooks import infrastructure
-
-
-def _to_bool(value):
-    return value.lower() in ('yes', 'true', '1')
-
-
-playbook = playbooks.CreateContainerInPhantom(
-    infrastructure.PhantomClient(
-        os.environ['PHANTOM_USER'],
-        os.environ['PHANTOM_PASSWORD'],
-        os.environ['PHANTOM_BASE_URL'],
-        verify_ssl=_to_bool(os.environ.get('VERIFY_SSL', 'True'))
-    )
-)
-
-
-def handler(event, context):
-    playbook.run(event['data'])

integrations/kubernetes-response-engine/playbooks/functions/slack.py

@@ -1,12 +0,0 @@
-import os
-import playbooks
-from playbooks import infrastructure
-
-
-playbook = playbooks.AddMessageToSlack(
-    infrastructure.SlackClient(os.environ['SLACK_WEBHOOK_URL'])
-)
-
-
-def handler(event, context):
-    playbook.run(playbooks.falco_alert(event))

integrations/kubernetes-response-engine/playbooks/functions/taint.py

@@ -1,15 +0,0 @@
-import os
-import playbooks
-from playbooks import infrastructure
-
-
-playbook = playbooks.TaintNode(
-    infrastructure.KubernetesClient(),
-    os.environ.get('TAINT_KEY', 'falco/alert'),
-    os.environ.get('TAINT_VALUE', 'true'),
-    os.environ.get('TAINT_EFFECT', 'NoSchedule')
-)
-
-
-def handler(event, context):
-    playbook.run(playbooks.falco_alert(event))

integrations/kubernetes-response-engine/playbooks/playbooks/__init__.py

@@ -1,210 +0,0 @@
-import json
-import maya
-
-
-class DeletePod(object):
-    def __init__(self, k8s_client):
-        self._k8s_client = k8s_client
-
-    def run(self, alert):
-        pod_name = alert['output_fields']['k8s.pod.name']
-
-        self._k8s_client.delete_pod(pod_name)
-
-
-class AddMessageToSlack(object):
-    def __init__(self, slack_client):
-        self._slack_client = slack_client
-
-    def run(self, alert):
-        message = self._build_slack_message(alert)
-        self._slack_client.post_message(message)
-
-        return message
-
-    def _build_slack_message(self, alert):
-        return {
-            'text': _output_from_alert(alert),
-            'attachments':  [{
-                'color': self._color_from(alert['priority']),
-                'fields': [
-                    {
-                        'title': 'Rule',
-                        'value': alert['rule'],
-                        'short': False
-                    },
-                    {
-                        'title': 'Priority',
-                        'value': alert['priority'],
-                        'short': True
-                    },
-                    {
-                        'title': 'Time',
-                        'value': str(maya.parse(alert['time'])),
-                        'short': True
-                    },
-                    {
-                        'title': 'Kubernetes Pod Name',
-                        'value': alert['output_fields']['k8s.pod.name'],
-                        'short': True
-                    },
-                    {
-                        'title': 'Container Id',
-                        'value': alert['output_fields']['container.id'],
-                        'short': True
-                    }
-                ]
-            }]
-        }
-
-    _COLORS = {
-        'Emergency': '#b12737',
-        'Alert': '#f24141',
-        'Critical': '#fc7335',
-        'Error': '#f28143',
-        'Warning': '#f9c414',
-        'Notice': '#397ec3',
-        'Informational': '#8fc0e7',
-        'Debug': '#8fc0e7',
-    }
-
-    def _color_from(self, priority):
-        return self._COLORS.get(priority, '#eeeeee')
-
-
-def _output_from_alert(alert):
-    output = alert['output'].split(': ')[1]
-    priority_plus_whitespace_length = len(alert['priority']) + 1
-
-    return output[priority_plus_whitespace_length:]
-
-
-class TaintNode(object):
-    def __init__(self, k8s_client, key, value, effect):
-        self._k8s_client = k8s_client
-        self._key = key
-        self._value = value
-        self._effect = effect
-
-    def run(self, alert):
-        pod = alert['output_fields']['k8s.pod.name']
-        node = self._k8s_client.find_node_running_pod(pod)
-
-        self._k8s_client.taint_node(node, self._key, self._value, self._effect)
-
-
-class NetworkIsolatePod(object):
-    def __init__(self, k8s_client):
-        self._k8s_client = k8s_client
-
-    def run(self, alert):
-        pod = alert['output_fields']['k8s.pod.name']
-
-        self._k8s_client.add_label_to_pod(pod, 'isolated', 'true')
-
-
-class CreateIncidentInDemisto(object):
-    def __init__(self, demisto_client):
-        self._demisto_client = demisto_client
-
-    def run(self, alert):
-        incident = {
-            'type': 'Policy Violation',
-            'name': alert['rule'],
-            'details': _output_from_alert(alert),
-            'severity': self._severity_from(alert['priority']),
-            'occurred': alert['time'],
-            'labels': [
-                {'type': 'Brand', 'value': 'Sysdig'},
-                {'type': 'Application', 'value': 'Falco'},
-                {'type': 'container.id', 'value': alert['output_fields']['container.id']},
-                {'type': 'k8s.pod.name', 'value': alert['output_fields']['k8s.pod.name']}
-            ]
-        }
-        self._demisto_client.create_incident(incident)
-
-        return incident
-
-    def _severity_from(self, priority):
-        return self._SEVERITIES.get(priority, 0)
-
-    _SEVERITIES = {
-        'Emergency': 4,
-        'Alert': 4,
-        'Critical': 4,
-        'Error': 3,
-        'Warning': 2,
-        'Notice': 1,
-        'Informational': 5,
-        'Debug': 5,
-    }
-
-
-class StartSysdigCaptureForContainer(object):
-    def __init__(self, k8s_client, duration_in_seconds, s3_bucket,
-                 aws_access_key_id, aws_secret_access_key):
-        self._k8s_client = k8s_client
-        self._duration_in_seconds = duration_in_seconds
-        self._s3_bucket = s3_bucket
-        self._aws_access_key_id = aws_access_key_id
-        self._aws_secret_access_key = aws_secret_access_key
-
-    def run(self, alert):
-        pod = alert['output_fields']['k8s.pod.name']
-        event_time = alert['output_fields']['evt.time']
-
-        self._k8s_client.start_sysdig_capture_for(pod,
-                                                  event_time,
-                                                  self._duration_in_seconds,
-                                                  self._s3_bucket,
-                                                  self._aws_access_key_id,
-                                                  self._aws_secret_access_key)
-
-
-class CreateContainerInPhantom(object):
-    def __init__(self, phantom_client):
-        self._phantom_client = phantom_client
-
-    def run(self, alert):
-        container = self._build_container_from(alert)
-        self._phantom_client.create_container(container)
-
-        return container
-
-    def _build_container_from(self, alert):
-        return {
-            'description': _output_from_alert(alert),
-            'name': alert['rule'],
-            'start_time': maya.parse(alert['time']).iso8601(),
-            'severity': self._severity_from(alert['priority']),
-            'label': 'events',
-            'status': 'new',
-            'data': {
-                'container.id': alert['output_fields']['container.id'],
-                'k8s.pod.name': alert['output_fields']['k8s.pod.name'],
-            }
-        }
-
-    def _severity_from(self, priority):
-        return self._SEVERITIES.get(priority, 0)
-
-    _SEVERITIES = {
-        'Emergency': 'high',
-        'Alert': 'high',
-        'Critical': 'high',
-        'Error': 'medium',
-        'Warning': 'medium',
-        'Notice': 'low',
-        'Informational': 'low',
-        'Debug': 'low',
-    }
-
-
-def falco_alert(event):
-    if 'data' in event:
-        return event['data']
-
-    if 'Records' in event:
-        return json.loads(event['Records'][0]['Sns']['Message'])
-
-    return event

integrations/kubernetes-response-engine/playbooks/playbooks/infrastructure.py

@@ -1,267 +0,0 @@
-import os
-import json
-from six.moves import http_client
-
-from kubernetes import client, config
-import requests
-
-
-class KubernetesClient(object):
-    def __init__(self):
-        if 'KUBERNETES_LOAD_KUBE_CONFIG' in os.environ:
-            config.load_kube_config()
-        else:
-            config.load_incluster_config()
-
-        self._v1 = client.CoreV1Api()
-        self._batch_v1 = client.BatchV1Api()
-
-    def delete_pod(self, name):
-        namespace = self._find_pod_namespace(name)
-        body = client.V1DeleteOptions()
-        self._v1.delete_namespaced_pod(name=name,
-                                       namespace=namespace,
-                                       body=body)
-
-    def exists_pod(self, name):
-        response = self._v1.list_pod_for_all_namespaces(watch=False)
-        for item in response.items:
-            if item.metadata.name == name:
-                if item.metadata.deletion_timestamp is None:
-                    return True
-
-        return False
-
-    def _find_pod_namespace(self, name):
-        response = self._v1.list_pod_for_all_namespaces(watch=False)
-        for item in response.items:
-            if item.metadata.name == name:
-                return item.metadata.namespace
-
-    def find_node_running_pod(self, name):
-        response = self._v1.list_pod_for_all_namespaces(watch=False)
-        for item in response.items:
-            if item.metadata.name == name:
-                return item.spec.node_name
-
-    def taint_node(self, name, key, value, effect):
-        body = client.V1Node(
-            spec=client.V1NodeSpec(
-                taints=[
-                    client.V1Taint(key=key, value=value, effect=effect)
-                ]
-            )
-        )
-
-        return self._v1.patch_node(name, body)
-
-    def add_label_to_pod(self, name, label, value):
-        namespace = self._find_pod_namespace(name)
-
-        body = client.V1Pod(
-            metadata=client.V1ObjectMeta(
-                labels={label: value}
-            )
-        )
-
-        return self._v1.patch_namespaced_pod(name, namespace, body)
-
-    def start_sysdig_capture_for(self, pod_name, event_time,
-                                 duration_in_seconds, s3_bucket,
-                                 aws_access_key_id, aws_secret_access_key):
-        job_name = 'sysdig-{}-{}'.format(pod_name, event_time)
-
-        node_name = self.find_node_running_pod(pod_name)
-        namespace = self._find_pod_namespace(pod_name)
-        body = self._build_sysdig_capture_job_body(job_name,
-                                                   node_name,
-                                                   duration_in_seconds,
-                                                   s3_bucket,
-                                                   aws_access_key_id,
-                                                   aws_secret_access_key)
-
-        return self._batch_v1.create_namespaced_job(namespace, body)
-
-    def _build_sysdig_capture_job_body(self, job_name, node_name,
-                                       duration_in_seconds, s3_bucket,
-                                       aws_access_key_id, aws_secret_access_key):
-        return client.V1Job(
-            metadata=client.V1ObjectMeta(
-                name=job_name
-            ),
-            spec=client.V1JobSpec(
-                template=client.V1PodTemplateSpec(
-                    metadata=client.V1ObjectMeta(
-                        name=job_name
-                    ),
-                    spec=client.V1PodSpec(
-                        containers=[client.V1Container(
-                            name='capturer',
-                            image='sysdig/capturer',
-                            image_pull_policy='Always',
-                            security_context=client.V1SecurityContext(
-                                privileged=True
-                            ),
-                            env=[
-                                client.V1EnvVar(
-                                    name='AWS_S3_BUCKET',
-                                    value=s3_bucket
-                                ),
-                                client.V1EnvVar(
-                                    name='CAPTURE_DURATION',
-                                    value=str(duration_in_seconds)
-                                ),
-                                client.V1EnvVar(
-                                    name='CAPTURE_FILE_NAME',
-                                    value=job_name
-                                ),
-                                client.V1EnvVar(
-                                    name='AWS_ACCESS_KEY_ID',
-                                    value=aws_access_key_id,
-                                ),
-                                client.V1EnvVar(
-                                    name='AWS_SECRET_ACCESS_KEY',
-                                    value=aws_secret_access_key,
-                                )
-                            ],
-                            volume_mounts=[
-                                client.V1VolumeMount(
-                                    mount_path='/host/var/run/docker.sock',
-                                    name='docker-socket'
-                                ),
-                                client.V1VolumeMount(
-                                    mount_path='/host/dev',
-                                    name='dev-fs'
-                                ),
-                                client.V1VolumeMount(
-                                    mount_path='/host/proc',
-                                    name='proc-fs',
-                                    read_only=True
-                                ),
-                                client.V1VolumeMount(
-                                    mount_path='/host/boot',
-                                    name='boot-fs',
-                                    read_only=True
-                                ),
-                                client.V1VolumeMount(
-                                    mount_path='/host/lib/modules',
-                                    name='lib-modules',
-                                    read_only=True
-                                ),
-                                client.V1VolumeMount(
-                                    mount_path='/host/usr',
-                                    name='usr-fs',
-                                    read_only=True
-                                ),
-                                client.V1VolumeMount(
-                                    mount_path='/dev/shm',
-                                    name='dshm'
-                                )
-                            ]
-                        )],
-                        volumes=[
-                            client.V1Volume(
-                                name='dshm',
-                                empty_dir=client.V1EmptyDirVolumeSource(
-                                    medium='Memory'
-                                )
-                            ),
-                            client.V1Volume(
-                                name='docker-socket',
-                                host_path=client.V1HostPathVolumeSource(
-                                    path='/var/run/docker.sock'
-                                )
-                            ),
-                            client.V1Volume(
-                                name='dev-fs',
-                                host_path=client.V1HostPathVolumeSource(
-
-                                    path='/dev'
-                                )
-                            ),
-                            client.V1Volume(
-                                name='proc-fs',
-                                host_path=client.V1HostPathVolumeSource(
-                                    path='/proc'
-                                )
-                            ),
-
-                            client.V1Volume(
-                                name='boot-fs',
-                                host_path=client.V1HostPathVolumeSource(
-                                    path='/boot'
-                                )
-                            ),
-                            client.V1Volume(
-                                name='lib-modules',
-                                host_path=client.V1HostPathVolumeSource(
-                                    path='/lib/modules'
-                                )
-                            ),
-                            client.V1Volume(
-                                name='usr-fs',
-                                host_path=client.V1HostPathVolumeSource(
-                                    path='/usr'
-                                )
-                            )
-                        ],
-                        node_name=node_name,
-                        restart_policy='Never'
-                    )
-                )
-            )
-        )
-
-
-class SlackClient(object):
-    def __init__(self, slack_webhook_url):
-        self._slack_webhook_url = slack_webhook_url
-
-    def post_message(self, message):
-        requests.post(self._slack_webhook_url,
-                      data=json.dumps(message))
-
-
-class DemistoClient(object):
-    def __init__(self, api_key, base_url, verify_ssl=True):
-        self._api_key = api_key
-        self._base_url = base_url
-        self._verify_ssl = verify_ssl
-
-    def create_incident(self, incident):
-        response = requests.post(self._base_url + '/incident',
-                                 headers=self._headers(),
-                                 data=json.dumps(incident),
-                                 verify=self._verify_ssl)
-
-        if response.status_code != http_client.CREATED:
-            raise RuntimeError(response.text)
-
-    def _headers(self):
-        return {
-            'Content-Type': 'application/json',
-            'Accept': 'application/json',
-            'Authorization': self._api_key,
-        }
-
-
-class PhantomClient(object):
-    def __init__(self, user, password, base_url, verify_ssl=True):
-        self._user = user
-        self._password = password
-        self._base_url = base_url
-        self._verify_ssl = verify_ssl
-
-    def create_container(self, container):
-        response = requests.post(self._base_url + '/rest/container',
-                                 data=json.dumps(container),
-                                 auth=(self._user, self._password),
-                                 verify=self._verify_ssl)
-
-        response_as_json = response.json()
-        if 'success' in response_as_json:
-            result = container.copy()
-            result['id'] = response_as_json['id']
-            return result
-
-        raise RuntimeError(response_as_json['message'])

integrations/kubernetes-response-engine/playbooks/setup.py

@@ -1,11 +0,0 @@
-from setuptools import setup
-
-setup(name='playbooks',
-      version='0.1',
-      description='A set of playbooks for Falco alerts',
-      url='http://github.com/draios/falco-playbooks',
-      author='Néstor Salceda',
-      author_email='nestor.salceda@sysdig.com',
-      license='',
-      packages=['playbooks'],
-      zip_safe=False)

integrations/kubernetes-response-engine/playbooks/specs/infrastructure/demisto_client_spec.py

@@ -1,32 +0,0 @@
-from mamba import description, it, context, before
-from expects import expect, raise_error
-
-import os
-
-from playbooks import infrastructure
-
-
-with description(infrastructure.DemistoClient) as self:
-    with before.each:
-        self.demisto_client = infrastructure.DemistoClient(
-            os.environ['DEMISTO_API_KEY'],
-            os.environ['DEMISTO_BASE_URL'],
-            verify_ssl=False
-        )
-
-    with it('creates an incident'):
-        incident = {
-            "type": "Policy Violation",
-            "name": "Falco incident",
-            "severity": 2,
-            "details": "Some incident details"
-        }
-
-        self.demisto_client.create_incident(incident)
-
-    with context('when an error happens'):
-        with it('raises an exception'):
-            incident = {}
-
-            expect(lambda: self.demisto_client.create_incident(incident)).\
-                to(raise_error(RuntimeError))

integrations/kubernetes-response-engine/playbooks/specs/infrastructure/kubernetes_client_spec.py

@@ -1,78 +0,0 @@
-from mamba import description, context, it, before
-from expects import expect, be_false, be_true, start_with, equal, have_key, be_none
-
-import subprocess
-import os.path
-import time
-
-from playbooks import infrastructure
-
-
-with description(infrastructure.KubernetesClient) as self:
-    with before.each:
-        self.kubernetes_client = infrastructure.KubernetesClient()
-
-    with context('when checking if a pod exists'):
-        with before.each:
-            self._create_nginx_pod()
-
-        with context('and pod exists'):
-            with it('returns true'):
-                expect(self.kubernetes_client.exists_pod('nginx')).to(be_true)
-
-        with context('and pod does not exist'):
-            with it('returns false'):
-                self.kubernetes_client.delete_pod('nginx')
-
-                expect(self.kubernetes_client.exists_pod('nginx')).to(be_false)
-
-    with it('finds node running pod'):
-        self._create_nginx_pod()
-
-        node = self.kubernetes_client.find_node_running_pod('nginx')
-
-        expect(node).to(start_with('gke-sysdig-work-default-pool'))
-
-    with it('taints node'):
-        self._create_nginx_pod()
-
-        node_name = self.kubernetes_client.find_node_running_pod('nginx')
-
-        node = self.kubernetes_client.taint_node(node_name,
-                                                 'playbooks',
-                                                 'true',
-                                                 'NoSchedule')
-
-        expect(node.spec.taints[0].effect).to(equal('NoSchedule'))
-        expect(node.spec.taints[0].key).to(equal('playbooks'))
-        expect(node.spec.taints[0].value).to(equal('true'))
-
-    with it('adds label to a pod'):
-        self._create_nginx_pod()
-
-        pod = self.kubernetes_client.add_label_to_pod('nginx',
-                                                      'testing',
-                                                      'true')
-
-        expect(pod.metadata.labels).to(have_key('testing', 'true'))
-
-    with it('starts sysdig capture for'):
-        self._create_nginx_pod()
-
-        job = self.kubernetes_client.start_sysdig_capture_for('nginx',
-                                                              int(time.time()),
-                                                              10,
-                                                              'any s3 bucket',
-                                                              'any aws key id',
-                                                              'any aws secret key')
-
-        expect(job).not_to(be_none)
-
-    def _create_nginx_pod(self):
-        current_directory = os.path.dirname(os.path.realpath(__file__))
-        pod_manifesto = os.path.join(current_directory,
-                                     '..',
-                                     'support',
-                                     'deployment.yaml')
-
-        subprocess.call(['kubectl', 'create', '-f', pod_manifesto])

integrations/kubernetes-response-engine/playbooks/specs/infrastructure/phantom_client_spec.py

@@ -1,45 +0,0 @@
-from mamba import description, it, before, context
-from expects import expect, be_none, raise_error
-
-import os
-
-from playbooks import infrastructure
-
-
-with description(infrastructure.PhantomClient) as self:
-    with before.each:
-        self.phantom_client = infrastructure.PhantomClient(
-            os.environ['PHANTOM_USER'],
-            os.environ['PHANTOM_PASSWORD'],
-            os.environ['PHANTOM_BASE_URL'],
-            verify_ssl=False
-        )
-
-    with it('creates a container in Phantom Server'):
-        container = {
-            'name': 'My Container',
-            'description': 'Useful description of this container.',
-            'label': 'events',
-            'run_automation': False,
-            'severity': 'high',
-            'status': 'new',
-            'start_time': '2015-03-21T19:28:13.759Z',
-        }
-
-        container = self.phantom_client.create_container(container)
-
-        expect(container['id']).not_to(be_none)
-
-    with context('when an error happens'):
-        with it('raises an error'):
-            container = {
-                'description': 'Useful description of this container.',
-                'label': 'events',
-                'run_automation': False,
-                'severity': 'high',
-                'status': 'new',
-                'start_time': '2015-03-21T19:28:13.759Z',
-            }
-
-            expect(lambda: self.phantom_client.create_container(container))\
-                .to(raise_error(RuntimeError))

integrations/kubernetes-response-engine/playbooks/specs/infrastructure/slack_client_spec.py

@@ -1,16 +0,0 @@
-from mamba import description, it
-
-import os
-
-from playbooks import infrastructure
-
-
-with description(infrastructure.SlackClient) as self:
-    with it('posts a message to #kubeless-demo channel'):
-        slack_client = infrastructure.SlackClient(os.environ['SLACK_WEBHOOK_URL'])
-
-        message = {
-            'text': 'Hello from Python! :metal:'
-        }
-
-        slack_client.post_message(message)

integrations/kubernetes-response-engine/playbooks/specs/playbooks/add_message_to_slack_playbook_spec.py

@@ -1,62 +0,0 @@
-from mamba import description, it, before, context
-from expects import expect, have_key, have_keys, contain
-
-from doublex import Spy
-from doublex_expects import have_been_called_with
-
-from playbooks import infrastructure
-import playbooks
-
-
-
-with description(playbooks.AddMessageToSlack) as self:
-    with before.each:
-        self.slack_client = Spy(infrastructure.SlackClient)
-        self.playbook = playbooks.AddMessageToSlack(self.slack_client)
-
-    with context('when publishing a message to slack'):
-        with before.each:
-            self.alert = {
-                "output": "10:22:15.576767292: Notice Unexpected setuid call by non-sudo, non-root program (user=bin cur_uid=2 parent=event_generator command=event_generator  uid=root) k8s.pod=falco-event-generator-6fd89678f9-cdkvz container=1c76f49f40b4",
-                "output_fields": {
-                    "container.id": "1c76f49f40b4",
-                    "evt.arg.uid": "root",
-                    "evt.time": 1527157335576767292,
-                    "k8s.pod.name": "falco-event-generator-6fd89678f9-cdkvz",
-                    "proc.cmdline": "event_generator ",
-                    "proc.pname": "event_generator",
-                    "user.name": "bin",
-                    "user.uid": 2
-                },
-                "priority": "Notice",
-                "rule": "Non sudo setuid",
-                "time": "2018-05-24T10:22:15.576767292Z"
-            }
-
-            self.message = self.playbook.run(self.alert)
-
-        with it('publishes message to slack'):
-            expect(self.slack_client.post_message).to(have_been_called_with(self.message))
-
-        with it('includes falco output'):
-            falco_output = 'Unexpected setuid call by non-sudo, non-root program (user=bin cur_uid=2 parent=event_generator command=event_generator  uid=root) k8s.pod=falco-event-generator-6fd89678f9-cdkvz container=1c76f49f40b4'
-
-            expect(self.message).to(have_key('text', falco_output))
-
-        with it('includes color based on priority'):
-            expect(self.message['attachments'][0]).to(have_key('color'))
-
-        with it('includes priority'):
-            expect(self.message['attachments'][0]['fields']).to(contain(have_keys(title='Priority', value='Notice')))
-
-        with it('includes rule name'):
-            expect(self.message['attachments'][0]['fields']).to(contain(have_keys(title='Rule', value='Non sudo setuid')))
-
-        with it('includes time when alert happened'):
-            expect(self.message['attachments'][0]['fields']).to(contain(have_keys(title='Time', value='Thu, 24 May 2018 10:22:15 GMT')))
-
-        with it('includes kubernetes pod name'):
-            expect(self.message['attachments'][0]['fields']).to(contain(have_keys(title='Kubernetes Pod Name', value='falco-event-generator-6fd89678f9-cdkvz')))
-
-        with it('includes container id'):
-            expect(self.message['attachments'][0]['fields']).to(contain(have_keys(title='Container Id', value='1c76f49f40b4')))

integrations/kubernetes-response-engine/playbooks/specs/playbooks/create_container_in_phantom_playbook_spec.py

@@ -1,63 +0,0 @@
-from mamba import description, it, before, context
-from expects import expect, have_key
-
-from doublex import Spy
-from doublex_expects import have_been_called_with
-
-from playbooks import infrastructure
-import playbooks
-
-
-with description(playbooks.CreateContainerInPhantom) as self:
-    with before.each:
-        self.phantom_client = Spy(infrastructure.PhantomClient)
-        self.playbook = playbooks.CreateContainerInPhantom(self.phantom_client)
-
-        self.alert = {
-            "output": "10:22:15.576767292: Notice Unexpected setuid call by non-sudo, non-root program (user=bin cur_uid=2 parent=event_generator command=event_generator  uid=root) k8s.pod=falco-event-generator-6fd89678f9-cdkvz container=1c76f49f40b4",
-            "output_fields": {
-                "container.id": "1c76f49f40b4",
-                "evt.arg.uid": "root",
-                "evt.time": 1527157335576767292,
-                "k8s.pod.name": "falco-event-generator-6fd89678f9-cdkvz",
-                "proc.cmdline": "event_generator ",
-                "proc.pname": "event_generator",
-                "user.name": "bin",
-                "user.uid": 2
-            },
-            "priority": "Notice",
-            "rule": "Non sudo setuid",
-            "time": "2018-05-24T10:22:15.576767292Z"
-        }
-
-        self.container = self.playbook.run(self.alert)
-
-    with it('creates the container in phantom'):
-        expect(self.phantom_client.create_container).to(have_been_called_with(self.container))
-
-    with it('includes falco output'):
-        falco_output = 'Unexpected setuid call by non-sudo, non-root program (user=bin cur_uid=2 parent=event_generator command=event_generator  uid=root) k8s.pod=falco-event-generator-6fd89678f9-cdkvz container=1c76f49f40b4'
-
-        expect(self.container).to(have_key('description', falco_output))
-
-    with it('includes severity'):
-        expect(self.container).to(have_key('severity', 'low'))
-
-    with it('includes rule name'):
-        expect(self.container).to(have_key('name', 'Non sudo setuid'))
-
-    with it('includes time when alert happened'):
-        expect(self.container).to(have_key('start_time', '2018-05-24T10:22:15.576767Z'))
-
-    with it('includes label'):
-        expect(self.container).to(have_key('label', 'events'))
-
-    with it('includes status'):
-        expect(self.container).to(have_key('status', 'new'))
-
-    with context('when building additional data'):
-        with it('includes kubernetes pod name'):
-            expect(self.container['data']).to(have_key('k8s.pod.name', 'falco-event-generator-6fd89678f9-cdkvz'))
-
-        with it('includes container id'):
-            expect(self.container['data']).to(have_key('container.id', '1c76f49f40b4'))

integrations/kubernetes-response-engine/playbooks/specs/playbooks/create_incident_in_demisto_playbook_spec.py

@@ -1,70 +0,0 @@
-from mamba import description, it, before, context
-from expects import expect, have_key, have_keys, contain
-
-from doublex import Spy
-from doublex_expects import have_been_called_with
-
-from playbooks import infrastructure
-import playbooks
-
-import os
-
-
-with description(playbooks.CreateIncidentInDemisto) as self:
-    with before.each:
-        self.demisto_client = Spy(infrastructure.DemistoClient)
-        self.playbook = playbooks.CreateIncidentInDemisto(self.demisto_client)
-
-    with context('when publishing a message to slack'):
-        with before.each:
-            self.alert = {
-                "output": "10:22:15.576767292: Notice Unexpected setuid call by non-sudo, non-root program (user=bin cur_uid=2 parent=event_generator command=event_generator  uid=root) k8s.pod=falco-event-generator-6fd89678f9-cdkvz container=1c76f49f40b4",
-                "output_fields": {
-                    "container.id": "1c76f49f40b4",
-                    "evt.arg.uid": "root",
-                    "evt.time": 1527157335576767292,
-                    "k8s.pod.name": "falco-event-generator-6fd89678f9-cdkvz",
-                    "proc.cmdline": "event_generator ",
-                    "proc.pname": "event_generator",
-                    "user.name": "bin",
-                    "user.uid": 2
-                },
-                "priority": "Notice",
-                "rule": "Non sudo setuid",
-                "time": "2018-05-24T10:22:15.576767292Z"
-            }
-
-            self.incident = self.playbook.run(self.alert)
-
-        with it('creates incident in demisto'):
-            expect(self.demisto_client.create_incident).to(have_been_called_with(self.incident))
-
-        with it('sets incident type as Policy Violation'):
-            expect(self.incident).to(have_key('type', 'Policy Violation'))
-
-        with it('includes rule name'):
-            expect(self.incident).to(have_key('name', 'Non sudo setuid'))
-
-        with it('includes falco output'):
-            falco_output = 'Unexpected setuid call by non-sudo, non-root program (user=bin cur_uid=2 parent=event_generator command=event_generator  uid=root) k8s.pod=falco-event-generator-6fd89678f9-cdkvz container=1c76f49f40b4'
-
-            expect(self.incident).to(have_key('details', falco_output))
-
-        with it('includes severity'):
-            expect(self.incident).to(have_key('severity', 1))
-
-        with it('includes time when alert happened'):
-            expect(self.incident).to(have_key('occurred', "2018-05-24T10:22:15.576767292Z"))
-
-        with context('when adding labels'):
-            with it('includes Sysdig as Brand'):
-                expect(self.incident['labels']).to(contain(have_keys(type='Brand', value='Sysdig')))
-
-            with it('includes Falco as Application'):
-                expect(self.incident['labels']).to(contain(have_keys(type='Application', value='Falco')))
-
-            with it('includes container.id'):
-                expect(self.incident['labels']).to(contain(have_keys(type='container.id', value='1c76f49f40b4')))
-
-            with it('includes k8s.pod.name'):
-                expect(self.incident['labels']).to(contain(have_keys(type='k8s.pod.name', value='falco-event-generator-6fd89678f9-cdkvz')))

integrations/kubernetes-response-engine/playbooks/specs/playbooks/delete_pod_playbook_spec.py

@@ -1,22 +0,0 @@
-from mamba import description, it, before
-from expects import expect
-
-from doublex import Spy
-from doublex_expects import have_been_called_with
-
-from playbooks import infrastructure
-import playbooks
-
-
-with description(playbooks.DeletePod) as self:
-    with before.each:
-        self.k8s_client = Spy(infrastructure.KubernetesClient)
-        self.playbook = playbooks.DeletePod(self.k8s_client)
-
-    with it('deletes a pod'):
-        pod_name = 'a pod name'
-        alert = {'output_fields': {'k8s.pod.name': pod_name}}
-
-        self.playbook.run(alert)
-
-        expect(self.k8s_client.delete_pod).to(have_been_called_with(pod_name))

integrations/kubernetes-response-engine/playbooks/specs/playbooks/network_isolate_pod_playbook_spec.py

@@ -1,22 +0,0 @@
-from mamba import description, it, before
-from expects import expect
-
-from doublex import Spy
-from doublex_expects import have_been_called
-
-from playbooks import infrastructure
-import playbooks
-
-
-with description(playbooks.NetworkIsolatePod) as self:
-    with before.each:
-        self.k8s_client = Spy(infrastructure.KubernetesClient)
-        self.playbook = playbooks.NetworkIsolatePod(self.k8s_client)
-
-    with it('adds isolation label to pod'):
-        pod_name = 'any pod name'
-        alert = {'output_fields': {'k8s.pod.name': pod_name}}
-
-        self.playbook.run(alert)
-
-        expect(self.k8s_client.add_label_to_pod).to(have_been_called)

integrations/kubernetes-response-engine/playbooks/specs/playbooks/start_sysdig_capture_for_container_playbook_spec.py

@@ -1,40 +0,0 @@
-from mamba import description, it, before
-from expects import expect
-
-from doublex import Spy
-from doublex_expects import have_been_called_with
-
-from playbooks import infrastructure
-import playbooks
-
-
-with description(playbooks.StartSysdigCaptureForContainer) as self:
-    with before.each:
-        self.k8s_client = Spy(infrastructure.KubernetesClient)
-        self.duration_in_seconds = 'any duration in seconds'
-        self.s3_bucket = 'any s3 bucket url'
-        self.aws_access_key_id = 'any aws access key id'
-        self.aws_secret_access_key = 'any aws secret access key'
-        self.playbook = playbooks.StartSysdigCaptureForContainer(self.k8s_client,
-                                                                 self.duration_in_seconds,
-                                                                 self.s3_bucket,
-                                                                 self.aws_access_key_id,
-                                                                 self.aws_secret_access_key)
-
-    with it('add starts capturing job in same node than Pod alerted'):
-        pod_name = 'any pod name'
-        event_time = 'any event time'
-        alert = {'output_fields': {
-            'k8s.pod.name': pod_name,
-            'evt.time': event_time,
-        }}
-
-        self.playbook.run(alert)
-
-        expect(self.k8s_client.start_sysdig_capture_for)\
-            .to(have_been_called_with(pod_name,
-                                      event_time,
-                                      self.duration_in_seconds,
-                                      self.s3_bucket,
-                                      self.aws_access_key_id,
-                                      self.aws_secret_access_key))

integrations/kubernetes-response-engine/playbooks/specs/playbooks/taint_node_playbook_spec.py

@@ -1,34 +0,0 @@
-from mamba import description, it, before
-from expects import expect
-
-from doublex import Spy, when
-from doublex_expects import have_been_called_with
-
-from playbooks import infrastructure
-import playbooks
-
-
-with description(playbooks.TaintNode) as self:
-    with before.each:
-        self.k8s_client = Spy(infrastructure.KubernetesClient)
-        self.key = 'falco/alert'
-        self.value = 'true'
-        self.effect = 'NoSchedule'
-        self.playbook = playbooks.TaintNode(self.k8s_client,
-                                            self.key,
-                                            self.value,
-                                            self.effect)
-
-    with it('taints the node'):
-        pod_name = 'any pod name'
-        alert = {'output_fields': {'k8s.pod.name': pod_name}}
-
-        node = 'any node'
-        when(self.k8s_client).find_node_running_pod(pod_name).returns(node)
-
-        self.playbook.run(alert)
-
-        expect(self.k8s_client.taint_node).to(have_been_called_with(node,
-                                                                    self.key,
-                                                                    self.value,
-                                                                    self.effect))

integrations/kubernetes-response-engine/playbooks/specs/support/deployment.yaml

@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: nginx
-spec:
-  containers:
-  - name: nginx
-    image: nginx:latest
-    ports:
-    - containerPort: 80

integrations/kubernetes-response-engine/sysdig-capturer/Dockerfile

@@ -1,26 +0,0 @@
-FROM sysdig/sysdig:latest
-
-MAINTAINER Néstor Salceda <nestor.salceda@sysdig.com>
-
-RUN apt-get update \
- && apt-get --fix-broken install -y \
- && apt-get install -y --no-install-recommends \
-        s3cmd \
- && rm -rf /var/lib/apt/lists/*
-
-# debian:unstable head contains binutils 2.31, which generates
-# binaries that are incompatible with kernels < 4.16. So manually
-# forcibly install binutils 2.30-22 instead.
-RUN curl -s -o binutils_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils_2.30-22_amd64.deb \
- && curl -s -o libbinutils_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/libbinutils_2.30-22_amd64.deb \
- && curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
- && curl -s -o binutils-common_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils-common_2.30-22_amd64.deb \
- && dpkg -i *binutils*.deb
-
-ENV CAPTURE_DURATION 120
-
-COPY ./docker-entrypoint.sh /
-
-RUN mkdir -p /captures
-
-ENTRYPOINT ["/docker-entrypoint.sh"]

integrations/kubernetes-response-engine/sysdig-capturer/Makefile

@@ -1,7 +0,0 @@
-all: build push
-
-build:
-	docker build -t sysdig/capturer .
-
-push:
-	docker push sysdig/capturer

integrations/kubernetes-response-engine/sysdig-capturer/docker-entrypoint.sh

@@ -1,20 +0,0 @@
-#!/bin/bash
-
-set -eo
-
-echo "* Setting up /usr/src links from host"
-
-for i in $(ls $SYSDIG_HOST_ROOT/usr/src)
-do
-        ln -s $SYSDIG_HOST_ROOT/usr/src/$i /usr/src/$i
-done
-
-/usr/bin/sysdig-probe-loader
-
-sysdig -S -M $CAPTURE_DURATION -pk -z -w /captures/$CAPTURE_FILE_NAME.scap.gz
-
-if [ -n "$AWS_ACCESS_KEY_ID" ] && [ -n "$AWS_SECRET_ACCESS_KEY" ] && [ -n "$AWS_S3_BUCKET" ]; then
-  s3cmd --access_key=$AWS_ACCESS_KEY_ID \
-        --secret_key=$AWS_SECRET_ACCESS_KEY \
-        put /captures/$CAPTURE_FILE_NAME.scap.gz $AWS_S3_BUCKET
-fi

integrations/puppet-module/sysdig-falco/Gemfile

@@ -1,6 +1,6 @@
 source 'https://rubygems.org'
 
-puppetversion = ENV.key?('PUPPET_VERSION') ? "= #{ENV['PUPPET_VERSION']}" : ['>= 3.3']
+puppetversion = ENV.key?('PUPPET_VERSION') ? "= #{ENV['PUPPET_VERSION']}" : ['>= 4.7']
 gem 'puppet', puppetversion
 gem 'puppetlabs_spec_helper', '>= 0.1.0'
 gem 'puppet-lint', '>= 0.3.2'

integrations/puppet-module/sysdig-falco/README.md

@@ -1,12 +1,12 @@
-# falco
+# Falco
 
 #### Table of Contents
 
 1. [Overview](#overview)
 2. [Module Description - What the module does and why it is useful](#module-description)
-3. [Setup - The basics of getting started with falco](#setup)
-    * [What falco affects](#what-falco-affects)
-    * [Beginning with falco](#beginning-with-falco)
+3. [Setup - The basics of getting started with Falco](#setup)
+    * [What Falco affects](#what-falco-affects)
+    * [Beginning with Falco](#beginning-with-falco)
 4. [Usage - Configuration options and additional functionality](#usage)
 5. [Reference - An under-the-hood peek at what the module is doing and how](#reference)
 5. [Limitations - OS compatibility, etc.](#limitations)
@@ -14,11 +14,11 @@
 
 ## Overview
 
-Sysdig Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Powered by sysdig’s system call capture infrastructure, falco lets you continuously monitor and detect container, application, host, and network activity... all in one place, from one source of data, with one set of rules.
+Sysdig Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Powered by sysdig’s system call capture infrastructure, Falco lets you continuously monitor and detect container, application, host, and network activity... all in one place, from one source of data, with one set of rules.
 
 #### What kind of behaviors can Falco detect?
 
-Falco can detect and alert on any behavior that involves making Linux system calls. Thanks to Sysdig's core decoding and state tracking functionality, falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process. For example, you can easily detect things like:
+Falco can detect and alert on any behavior that involves making Linux system calls. Thanks to Sysdig's core decoding and state tracking functionality, Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process. For example, you can easily detect things like:
 
 - A shell is run inside a container
 - A container is running in privileged mode, or is mounting a sensitive path like `/proc` from the host.
@@ -29,17 +29,17 @@ Falco can detect and alert on any behavior that involves making Linux system cal
 
 ## Module Description
 
-This module configures falco as a systemd service. You configure falco
+This module configures Falco as a systemd service. You configure Falco
 to send its notifications to one or more output channels (syslog,
 files, programs).
 
 ## Setup
 
-### What falco affects
+### What Falco affects
 
 This module affects the following:
 
-* The main falco configuration file `/etc/falco/falco.yaml`, including
+* The main Falco configuration file `/etc/falco/falco.yaml`, including
 ** Output format (JSON vs plain text)
 ** Log level
 ** Rule priority level to run
@@ -47,9 +47,9 @@ This module affects the following:
 ** Output throttling
 ** Output channels (syslog, file, program)
 
-### Beginning with falco
+### Beginning with Falco
 
-To have Puppet install falco with the default parameters, declare the falco class:
+To have Puppet install Falco with the default parameters, declare the Falco class:
 
 ``` puppet
 class { 'falco': }
@@ -57,9 +57,9 @@ class { 'falco': }
 
 When you declare this class with the default options, the module:
 
-* Installs the appropriate falco software package and installs the falco-probe kernel module for your operating system.
+* Installs the appropriate Falco software package and installs the falco-probe kernel module for your operating system.
 * Creates the required configuration file `/etc/falco/falco.yaml`. By default only syslog output is enabled.
-* Starts the falco service.
+* Starts the Falco service.
 
 ## Usage
 
@@ -101,12 +101,12 @@ class { 'falco':
 
 #### Class: `falco`
 
-Guides the basic setup and installation of falco on your system.
+Guides the basic setup and installation of Falco on your system.
 
 When this class is declared with the default options, Puppet:
 
-* Installs the appropriate falco software package and installs the falco-probe kernel module for your operating system.
-* Creates the required configuration file `/etc/falco/falco.yaml`. By default only syslog output is enabled.
+* Installs the appropriate Falco software package and installs the falco-probe kernel module for your operating system.
+* Creates the required configuration file `/etc/Falco/falco.yaml`. By default only syslog output is enabled.
 * Starts the falco service.
 
 You can simply declare the default `falco` class:
@@ -117,7 +117,7 @@ class { 'falco': }
 
 ###### `rules_file`
 
-An array of files for falco to load. Order matters--the first file listed will be loaded first.
+An array of files for Falco to load. Order matters--the first file listed will be loaded first.
 
 Default: `['/etc/falco/falco_rules.yaml', '/etc/falco/falco_rules.local.yaml']`
 
@@ -129,15 +129,15 @@ Default: `false`
 
 ##### `log_stderr`
 
-Send falco's logs to stderr. Note: this is not notifications, this is
-logs from the falco daemon itself.
+Send Falco's logs to stderr. Note: this is not notifications, this is
+logs from the Falco daemon itself.
 
 Default: `false`
 
 ##### `log_syslog`
 
-Send falco's logs to syslog. Note: this is not notifications, this is
-logs from the falco daemon itself.
+Send Falco's logs to syslog. Note: this is not notifications, this is
+logs from the Falco daemon itself.
 
 Default: `true`
 
@@ -145,7 +145,7 @@ Default: `true`
 
 Minimum log level to include in logs. Note: these levels are
 separate from the priority field of rules. This refers only to the
-log level of falco's internal logging. Can be one of "emergency",
+log level of Falco's internal logging. Can be one of "emergency",
 "alert", "critical", "error", "warning", "notice", "info", "debug".
 
 Default: `info`
@@ -169,7 +169,7 @@ Default: `true`
 ##### `outputs_rate`/`outputs_max_burst`
 
 A throttling mechanism implemented as a token bucket limits the
-rate of falco notifications. This throttling is controlled by the following configuration
+rate of Falco notifications. This throttling is controlled by the following configuration
 options:
 
 * `outputs_rate`: the number of tokens (i.e. right to send a notification)
@@ -234,8 +234,8 @@ class { 'falco':
 
 ## Limitations
 
-The module works where falco works as a daemonized service (generally, Linux only).
+The module works where Falco works as a daemonized service (generally, Linux only).
 
 ## Development
 
-For more information on Sysdig Falco, visit our [github](https://github.com/draios/falco) or [web site](https://sysdig.com/opensource/falco/).
+For more information on Sysdig Falco, visit our [github](https://github.com/falcosecurity/falco) or [web site](https://sysdig.com/opensource/falco/).