Merge remote-tracking branch 'origin/dev'

Changelog, README.md.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

.github/ISSUE_TEMPLATE/bug-report.md

@@ -0,0 +1,28 @@
+---
+name: Bug Report
+about: Report a bug encountered while operating Falco
+labels: kind/bug
+
+---
+
+<!-- Please use this template while reporting a bug and provide as much info as possible. Not doing so may result in your bug not being addressed in a timely manner. Thanks!
+
+If the matter is security related, please disclose it privately via https://falco.org/security/
+-->
+
+**What happened**:
+
+**What you expected to happen**:
+
+**How to reproduce it (as minimally and precisely as possible)**:
+
+**Anything else we need to know?**:
+
+**Environment**:
+- Falco version (use `falco --version`):
+- System info <!-- Falco has a built-in support command you can use  "falco --support | jq .system_info" -->
+- Cloud provider or hardware configuration:
+- OS (e.g: `cat /etc/os-release`):
+- Kernel (e.g. `uname -a`):
+- Install tools (e.g. in kubernetes, rpm, deb, from source):
+- Others:

.github/ISSUE_TEMPLATE/enhancement.md

@@ -0,0 +1,11 @@
+---
+name: Enhancement Request
+about: Suggest an enhancement to the Falco project
+labels: kind/feature
+
+---
+<!-- Please only use this template for submitting enhancement requests -->
+
+**What would you like to be added**:
+
+**Why is this needed**:

.github/ISSUE_TEMPLATE/failing-tests.md

@@ -0,0 +1,20 @@
+---
+name: Failing Test
+about: Report test failures in Falco CI jobs
+labels: kind/failing-test
+
+---
+
+<!-- Please only use this template for submitting reports about failing tests in Falco CI jobs -->
+
+**Which jobs are failing**:
+
+**Which test(s) are failing**:
+
+**Since when has it been failing**:
+
+**Test link**:
+
+**Reason for failure**:
+
+**Anything else we need to know**:

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,54 @@
+<!--  Thanks for sending a pull request!  Here are some tips for you:
+
+1. If this is your first time, please read our contributor guidelines in the [CONTRIBUTING.md](CONTRIBUTING.md) file and learn how to compile Falco from source [here](https://falco.org/docs/source).
+2. Please label this pull request according to what type of issue you are addressing.
+5. Please add a release note!
+6. If the PR is unfinished while opening it specify a wip in the title before the actual title, for example, "wip: my awesome feature"
+-->
+
+**What type of PR is this?**
+> Uncomment only one ` /kind <>` line, hit enter to put that in a new line, and remove leading whitespaces from that line:
+>
+> /kind bug
+> /kind cleanup
+> /kind design
+> /kind documentation
+> /kind failing-test
+> /kind feature
+> /kind flaky-test
+
+> If contributing rules or changes to rules, please make sure to uncomment the appropriate kind
+
+> /kind rule/update
+> /kind rule/create
+
+**Any specific area of the project related to this PR?**
+
+> /area engine
+> /area rules
+> /area deployment
+> /area integrations
+> /area examples
+
+**What this PR does / why we need it**:
+
+**Which issue(s) this PR fixes**:
+<!--
+Automatically closes linked issue when PR is merged.
+Usage: `Fixes #<issue number>`, or `Fixes (paste link of issue)`.
+If PR is `kind/failing-tests` or `kind/flaky-test`, please post the related issues/tests in a comment and do not use `Fixes`.
+-->
+Fixes #
+
+**Special notes for your reviewer**:
+
+**Does this PR introduce a user-facing change?**:
+<!--
+If no, just write "NONE" in the release-note block below.
+If yes, a release note is required:
+Enter your extended release note in the block below. If the PR requires additional action from users switching to the new release, include the string "action required:".
+For example, `action required: change the API interface of the rule engine`.
+-->
+```release-note
+
+```

CHANGELOG.md

@@ -2,6 +2,72 @@
 
 This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).
 
+## v0.15.2
+
+Released 2019-06-12
+
+## Major Changes
+
+* New documentation and process handling around issues and pull requests. [[#644](https://github.com/falcosecurity/falco/pull/644)] [[#659](https://github.com/falcosecurity/falco/pull/659)] [[#664](https://github.com/falcosecurity/falco/pull/664)] [[#665](https://github.com/falcosecurity/falco/pull/665)]
+
+## Minor Changes
+
+* None.
+
+## Bug Fixes
+
+* Fix compilation of eBPF programs on COS (used by GKE) [[#sysdig/1431](https://github.com/draios/sysdig/pull/1431)]
+
+## Rule Changes
+
+* Rework exceptions lists for `Create Privileged Pod`, `Create Sensitive Mount Pod`, `Launch Sensitive Mount Container`, `Launch Privileged Container` rules to use separate specific lists rather than a single "Trusted Containers" list. [[#651](https://github.com/falcosecurity/falco/pull/651)]
+
+## v0.15.1
+
+Released 2019-06-07
+
+## Major Changes
+
+* Drop unnecessary events at the kernel level instead of userspace, which should improve performance [[#635](https://github.com/falcosecurity/falco/pull/635)]
+
+## Minor Changes
+
+* Add instructions for k8s audit support in >= 1.13 [[#608](https://github.com/falcosecurity/falco/pull/608)]
+
+* Fix security issues reported by GitHub on Anchore integration [[#592](https://github.com/falcosecurity/falco/pull/592)]
+
+* Several docs/readme improvements [[#620](https://github.com/falcosecurity/falco/pull/620)] [[#616](https://github.com/falcosecurity/falco/pull/616)] [[#631](https://github.com/falcosecurity/falco/pull/631)] [[#639](https://github.com/falcosecurity/falco/pull/639)] [[#642](https://github.com/falcosecurity/falco/pull/642)]
+
+* Better tracking of rule counts per ruleset [[#645](https://github.com/falcosecurity/falco/pull/645)]
+
+## Bug Fixes
+
+* Handle rule patterns that are invalid regexes [[#636](https://github.com/falcosecurity/falco/pull/636)]
+
+* Fix kernel module builds on newer kernels [[#646](https://github.com/falcosecurity/falco/pull/646)] [[#sysdig/1413](https://github.com/draios/sysdig/pull/1413)]
+
+## Rule Changes
+
+* New rule `Launch Remote File Copy Tools in Container` could be used to identify exfiltration attacks [[#600](https://github.com/falcosecurity/falco/pull/600)]
+
+* New rule `Create Symlink Over Sensitive Files` can help detect attacks like [[CVE-2018-15664](https://nvd.nist.gov/vuln/detail/CVE-2018-15664)] [[#613](https://github.com/falcosecurity/falco/pull/613)] [[#637](https://github.com/falcosecurity/falco/pull/637)]
+
+* Let etcd-manager write to /etc/hosts. [[#613](https://github.com/falcosecurity/falco/pull/613)]
+
+* Let additional processes spawned by google-accounts-daemon access sensitive files [[#593](https://github.com/falcosecurity/falco/pull/593)]
+
+* Add Sematext Monitoring & Logging agents to trusted k8s containers [[#594](https://github.com/falcosecurity/falco/pull/594/)]
+
+* Add additional coverage for `Netcat Remote Code Execution in Container` rule. [[#617](https://github.com/falcosecurity/falco/pull/617/)]
+
+* Fix `egrep` typo. [[#617](https://github.com/falcosecurity/falco/pull/617/)]
+
+* Allow Ansible to run using Python 3 [[#625](https://github.com/falcosecurity/falco/pull/625/)]
+
+* Additional `Write below etc` exceptions for nginx, rancher [[#637](https://github.com/falcosecurity/falco/pull/637)] [[#648](https://github.com/falcosecurity/falco/pull/648)] [[#652](https://github.com/falcosecurity/falco/pull/652)]
+
+* Add rules for running with IBM Cloud Kubernetes Service [[#634](https://github.com/falcosecurity/falco/pull/634)]
+
 ## v0.15.0
 
 Released 2019-05-13
@@ -10,7 +76,7 @@ Released 2019-05-13
 
 * **Actions and alerts for dropped events**: Falco can now take actions, including sending alerts/logging messages, and/or even exiting Falco, when it detects dropped system call events. [[#561](https://github.com/falcosecurity/falco/pull/561)] [[#571](https://github.com/falcosecurity/falco/pull/571)]
 
-* **Support for Containerd/CRI-O**: Falco now supports containerd/cri-o containers. [[#585](https://github.com/falcosecurity/falco/pull/585)] [[#591](https://github.com/falcosecurity/falco/pull/591)] [[#599](https://github.com/falcosecurity/falco/pull/599)] [[#sysdig/1376](https://github.com/draios/sysdig/pull/1376)] [[#sysdig/1310](https://github.com/draios/sysdig/pull/1310)]
+* **Support for Containerd/CRI-O**: Falco now supports containerd/cri-o containers. [[#585](https://github.com/falcosecurity/falco/pull/585)] [[#591](https://github.com/falcosecurity/falco/pull/591)] [[#599](https://github.com/falcosecurity/falco/pull/599)] [[#sysdig/1376](https://github.com/draios/sysdig/pull/1376)] [[#sysdig/1310](https://github.com/draios/sysdig/pull/1310)] [[#sysdig/1399](https://github.com/draios/sysdig/pull/1399)]
 
 * **Perform docker metadata fetches asynchronously**: When new containers are discovered, fetch metadata about the container asynchronously, which should significantly reduce the likelihood of dropped system call events. [[#sysdig/1326](https://github.com/draios/sysdig/pull/1326)] [[#550](https://github.com/falcosecurity/falco/pull/550)] [[#570](https://github.com/falcosecurity/falco/pull/570)]
 

CONTRIBUTING.md

@@ -0,0 +1,115 @@
+# Contributing to Falco
+
+- [Contributing to Falco](#contributing-to-falco)
+  - [Code of Conduct](#code-of-conduct)
+  - [Issues](#issues)
+    - [Triage issues](#triage-issues)
+      - [More about labels](#more-about-labels)
+    - [Slack](#slack)
+  - [Pull Requests](#pull-requests)
+  - [Developer Certificate Of Origin](#developer-certificate-of-origin)
+
+## Code of Conduct
+
+Falco has a
+[Code of Conduct](CODE_OF_CONDUCT)
+to which all contributors must adhere, please read it before interacting with the repository or the community in any way.
+
+## Issues
+
+Issues are the heartbeat ❤️ of the Falco project, there are mainly three kinds of issues you can open:
+
+- Bug report: you believe you found a problem in Falco and you want to discuss and get it fixed,
+creating an issue with the **bug report template** is the best way to do so.
+- Enhancement: any kind of new feature need to be discussed in this kind of issue, do you want a new rule or a new feature? This is the kind of issue you want to open. Be very good at explaining your intent, it's always important that others can understand what you mean in order to discuss, be open and collaborative in letting others help you getting this done!
+- Failing tests: you noticed a flaky test or a problem with a build? This is the kind of issue to triage that!
+
+The best way to get **involved** in the project is through issues, you can help in many ways:
+
+- Issues triaging: participating in the discussion and adding details to open issues is always a good thing,
+sometimes issues need to be verified, you could be the one writing a test case to fix a bug!
+- Helping to resolve the issue: you can help in getting it fixed in many ways, more often by opening a pull request.
+
+### Triage issues
+
+We need help in categorizing issues. Thus any help is welcome!
+
+When you triage an issue, you:
+
+* assess whether it has merit or not
+
+* quickly close it by correctly answering a question
+
+* point the reporter to a resource or documentation answering the issue
+
+* tag it via labels, projects, or milestones
+
+* take ownership submitting a PR for it, in case you want 😇
+
+#### More about labels
+
+These guidelines are not set in stone and are subject to change.
+
+Anyway a `kind/*` label for any issue is mandatory.
+
+This is the current [label set](https://github.com/falcosecurity/falco/labels) we have.
+
+You can use commands - eg., `/label <some-label>` to add (or remove) labels or manually do it.
+
+The commands available are the following ones:
+
+```
+/[remove-](area|kind|priority|triage|label)
+```
+
+Some examples:
+
+* `/area rules`
+* `/remove-area rules`
+* `/kind kernel-module`
+* `/label good-first-issue`
+* `/triage duplicate`
+* `/triage unresolved`
+* `/triage not-reproducible`
+* `/triage support`
+* ...
+
+### Slack
+
+Other discussion, and **support requests** should go through the `#falco` channel in the Sysdig slack, please join [here](https://slack.sysdig.com).
+
+## Pull Requests
+
+Thanks for taking time to make a [pull request](https://help.github.com/articles/about-pull-requests) (hereafter PR).
+
+In the PR body, feel free to add an area label if appropriate by typing `/area <AREA>`, PRs will also
+need a kind, make sure to specify the appropriate one by typing `/kind <KIND>`.
+
+The list of labels is [here](https://github.com/falcosecurity/falco/labels).
+
+Also feel free to suggest a reviewer with `/assign @theirname`.
+
+Once your reviewer is happy, they will say `/lgtm` which will apply the
+`lgtm` label, and will apply the `approved` label if they are an
+[owner](/OWNERS).
+
+Your PR will be automatically merged once it has the `lgtm` and `approved`
+labels, does not have any `do-not-merge/*` labels, and all status checks (eg., rebase, tests, DCO) are positive.
+
+## Developer Certificate Of Origin
+
+The [Developer Certificate of Origin (DCO)](https://developercertificate.org/) is a lightweight way for contributors to certify that they wrote or otherwise have the right to submit the code they are contributing to the project.
+
+Contributors to the Falco project sign-off that they adhere to these requirements by adding a `Signed-off-by` line to commit messages.
+
+```
+This is my commit message
+
+Signed-off-by: John Poiana <jpoiana@falco.org>
+```
+
+Git even has a `-s` command line option to append this automatically to your commit message:
+
+```
+$ git commit -s -m 'This is my commit message'
+```

MAINTAINERS

@@ -1,9 +1,11 @@
 Current maintainers:
 @mstemm - Mark Stemm <mark.stemm@sysdig.com>
 @ldegio - Loris Degioanni <loris@sysdig.com>
+@fntlnz - Lorenzo Fontana <lo@sysdig.com>
+@leodido - Leonardo Di Donato <leo@sysdig.com>
 
 Community Mangement:
 @mfdii - Michael Ducy <michael@sysdig.com>
 
 Emeritus maintainers:
-@henridf - Henri Dubois-Ferriere <henri.dubois-ferriere@sysdig.com>
+@henridf - Henri Dubois-Ferriere <henri.dubois-ferriere@sysdig.com>

OWNERS

@@ -0,0 +1,11 @@
+approvers:
+  - leodido
+  - fntlnz
+  - mstemm
+reviewers:
+  - leodido
+  - fntlnz
+  - mfdii
+  - kaizhe
+  - mstemm
+

README.md

@@ -1,92 +1,58 @@
+<p><img align="right" src="https://github.com/falcosecurity/falco-website/raw/master/themes/falco-fresh/static/images/favicon.png" width="64px"/></p>
+<p></p>
+
 # Falco
 
 #### Latest release
 
-**v0.15.0**
+**v0.15.2**
 Read the [change log](https://github.com/falcosecurity/falco/blob/dev/CHANGELOG.md)
 
-Dev Branch: [![Build Status](https://travis-ci.org/falcosecurity/falco.svg?branch=dev)](https://travis-ci.org/falcosecurity/falco)<br />
-Master Branch: [![Build Status](https://travis-ci.org/falcosecurity/falco.svg?branch=master)](https://travis-ci.org/falcosecurity/falco)<br />
+Dev Branch: [![Build Status](https://travis-ci.com/falcosecurity/falco.svg?branch=dev)](https://travis-ci.com/falcosecurity/falco)<br />
+Master Branch: [![Build Status](https://travis-ci.com/falcosecurity/falco.svg?branch=master)](https://travis-ci.com/falcosecurity/falco)<br />
 CII Best Practices: [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/2317/badge)](https://bestpractices.coreinfrastructure.org/projects/2317)
 
+---
 
-## Overview
-Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Powered by [sysdig’s](https://github.com/draios/sysdig) system call capture infrastructure, Falco lets you continuously monitor and detect container, application, host, and network activity... all in one place, from one source of data, with one set of rules.
+Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Powered by [sysdig’s](https://github.com/draios/sysdig) system call capture infrastructure, Falco lets you continuously monitor and detect container, application, host, and network activity—all in one place—from one source of data, with one set of rules.
 
 Falco is hosted by the Cloud Native Computing Foundation (CNCF) as a sandbox level project. If you are an organization that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF. For details read the [Falco CNCF project proposal](https://github.com/cncf/toc/tree/master/proposals/falco.adoc).
 
 #### What kind of behaviors can Falco detect?
 
-Falco can detect and alert on any behavior that involves making Linux system calls. Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process. For example, you can easily detect things like:
+Falco can detect and alert on any behavior that involves making Linux system calls. Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process. For example, Falco can easily detect incidents including but not limited to:
 
-- A shell is run inside a container
-- A container is running in privileged mode, or is mounting a sensitive path like `/proc` from the host.
-- A server process spawns a child process of an unexpected type
-- Unexpected read of a sensitive file (like `/etc/shadow`)
-- A non-device file is written to `/dev`
-- A standard system binary (like `ls`) makes an outbound network connection
+- A shell is running inside a container.
+- A container is running in privileged mode, or is mounting a sensitive path, such as `/proc`, from the host.
+- A server process is spawning a child process of an unexpected type.
+- Unexpected read of a sensitive file, such as `/etc/shadow`.
+- A non-device file is written to `/dev`.
+- A standard system binary, such as `ls`, is making an outbound network connection.
 
-#### How Falco Compares to Other Security Tools like SELinux, Auditd, etc.
 
-One of the questions we often get when we talk about Falco is “How does it compare to other tools like SELinux, AppArmor, Auditd, etc. that also have security policies?”. We wrote a [blog post](https://sysdig.com/blog/selinux-seccomp-falco-technical-discussion/) comparing Falco to other tools.
+### Installing Falco
+
+A comprehensive [installation guide](https://falco.org/docs/installation/) for Falco is available in the documentation website.
+
+#### How do you compare Falco with other security tools?
+
+One of the questions we often get when we talk about Falco is “How does Falco differ from other Linux security tools such as SELinux, AppArmor, Auditd, etc.?”. We wrote a [blog post](https://sysdig.com/blog/selinux-seccomp-falco-technical-discussion/) comparing Falco with other tools.
 
 
 Documentation
 ---
-[Visit the wiki](https://github.com/falcosecurity/falco/wiki) for full documentation on falco.
+See [Falco Documentation](https://falco.org/docs/) to quickly get started using Falco.
 
 Join the Community
 ---
 * [Website](https://falco.org) for Falco.
 * We are working on a blog for the Falco project. In the meantime you can find [Falco](https://sysdig.com/blog/tag/falco/) posts over on the Sysdig blog.
-* Join our [Public Slack](https://slack.sysdig.com) channel for open source sysdig and Falco announcements and discussions.
+* Join our [Public Slack](https://slack.sysdig.com) channel for open source Sysdig and Falco announcements and discussions.
 
 License Terms
 ---
 Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
 
-Contributor License Agreements
+Contributing
 ---
-### Background
- We are formalizing the way that we accept contributions of code from the contributing community. We must now ask that contributions to falco be provided subject to the terms and conditions of a [Contributor License Agreement (CLA)](./cla). The CLA comes in two forms, applicable to contributions by individuals, or by legal entities such as corporations and their employees. We recognize that entering into a CLA with us involves real consideration on your part, and we’ve tried to make this process as clear and simple as possible.
-
- We’ve modeled our CLA off of industry standards, such as [the CLA used by Kubernetes](https://github.com/kubernetes/kubernetes/blob/master/CONTRIBUTING.md). Note that this agreement is not a transfer of copyright ownership, this simply is a license agreement for contributions, intended to clarify the intellectual property license granted with contributions from any person or entity. It is for your protection as a contributor as well as the protection of falco; it does not change your rights to use your own contributions for any other purpose.
-
- For some background on why contributor license agreements are necessary, you can read FAQs from many other open source projects:
-
-- [Django’s excellent CLA FAQ](https://www.djangoproject.com/foundation/cla/faq/)
-- [A well-written chapter from Karl Fogel’s Producing Open Source Software on CLAs](http://producingoss.com/en/copyright-assignment.html)
-- [The Wikipedia article on CLAs](http://en.wikipedia.org/wiki/Contributor_license_agreement)
-
-As always, we are grateful for your past and present contributions to falco.
-
-### What do I need to do in order to contribute code?
-
-At first, you need do all changes based on dev branch not master branch.
-
-**Individual contributions**: Individuals who wish to make contributions must review the [Individual Contributor License Agreement](./cla/falco_contributor_agreement.txt) and indicate agreement by adding the following line to every GIT commit message:
-
-```
-falco-CLA-1.0-signed-off-by: Joe Smith <joe.smith@email.com>
-```
-
-Use your real name; pseudonyms or anonymous contributions are not allowed.
-
-**Corporate contributions**: Employees of corporations, members of LLCs or LLPs, or others acting on behalf of a contributing entity, must review the [Corporate Contributor License Agreement](./cla/falco_corp_contributor_agreement.txt), must be an authorized representative of the contributing entity, and indicate agreement to it on behalf of the contributing entity by adding the following lines to every GIT commit message:
-
-```
-falco-CLA-1.0-contributing-entity: Full Legal Name of Entity
-falco-CLA-1.0-signed-off-by: Joe Smith <joe.smith@email.com>
-```
-
-Use a real name of a natural person who is an authorized representative of the contributing entity; pseudonyms or anonymous contributions are not allowed.
-
-**Government contributions**: Employees or officers of the United States Government, must review the [Government Contributor License Agreement](https://github.com/falcosecurity/falco/blob/dev/cla/falco_govt_contributor_agreement.txt), must be an authorized representative of the contributing entity, and indicate agreement to it on behalf of the contributing entity by adding the following lines to every GIT commit message:
-
-```
-falco-CLA-1.0-contributing-govt-entity: Full Legal Name of Entity
-falco-CLA-1.0-signed-off-by: Joe Smith <joe.smith@email.com>
-This file is a work of authorship of an employee or officer of the United States Government and is not subject to copyright in the United States under 17 USC 105.
-```
-
-Use a real name of a natural person who is an authorized representative of the contributing entity; pseudonyms or anonymous contributions are not allowed.
+See the [CONTRIBUTING.md](./CONTRIBUTING.md).

cla/falco_contributor_agreement.txt

@@ -1,30 +0,0 @@
-DRAIOS, INC. – OPEN SOURCE CONTRIBUTION LICENSE AGREEMENT (“Agreement”)
-
-Draios, Inc. dba Sysdig (“Draios” or “Sysdig”) welcomes you to work on our open source software projects. In order to clarify the intellectual property license granted with Contributions from any person or entity, you must agree to the license terms below in order to contribute code back to our repositories. This license is for your protection as a Contributor as well as the protection of Sysdig; it does not change your rights to use your own Contributions for any other purpose. To indicate your Agreement, follow the procedure set forth below under TO AGREE, after reading this Agreement.
-
-You accept and agree to the following terms and conditions for Your present and future Contributions submitted to Draios/Sysdig. Except for the license granted herein to Draios/Sysdig and recipients of software distributed by Draios/Sysdig, You reserve all right, title, and interest in and to Your Contributions.
-
-1. Definitions.  "You" (or "Your") shall mean the individual natural person and copyright owner who is making this Agreement with Draios/Sysdig. “You” excludes legal entities such as corporations, and Draios/Sysdig provides a separate CLA for corporations or other entities. "Contribution" shall mean any original work of authorship, including any modifications or additions to an existing work, that is intentionally submitted by You to Draios/Sysdig for inclusion in, or documentation of, any of the products owned or managed by Draios/Sysdig (the "Work"). For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to Draios/Sysdig or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, Draios/Sysdig for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by You as "Not a Contribution."
-
-2. Grant of Copyright License. Subject to the terms and conditions of this Agreement, You hereby grant to Draios/Sysdig and to recipients of software distributed by Draios/Sysdig a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Your Contributions and such derivative works.
-
-3. Grant of Patent License. Subject to the terms and conditions of this Agreement, You hereby grant to Draios/Sysdig and to recipients of software distributed by Draios/Sysdig a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims that You have the right to license and that are necessarily infringed by Your Contribution(s) alone or by combination of Your Contribution(s) with the Work to which such Contribution(s) was submitted. If any entity other than Draios/Sysdig institutes patent litigation against You or any other entity (including a cross-claim or counterclaim in a lawsuit) alleging that your Contribution, or the Work to which you have contributed, constitutes direct or contributory patent infringement, then any patent licenses granted to that entity under this Agreement for that Contribution or Work shall terminate as of the date such litigation is filed.
-
-4. You represent to Draios/Sysdig that You are legally entitled to grant the licenses set forth above.
-
-5. You represent that each of Your Contributions is Your original creation unless you act according to section 7 below. You represent that Your Contribution submissions include complete details of any third-party license or other restriction (including, but not limited to, related patents and trademarks) of which You are personally aware and which are associated with any part of Your Contributions. You represent that Your sign-off indicating assent to this Agreement includes your real name and not a pseudonym, and that you shall not attempt or make an anonymous Contribution.
-
-6. You are not expected to provide support for Your Contributions, except to the extent You desire to provide support. You may provide support for free, for a fee, or not at all. Unless required by applicable law or agreed to in writing, You provide Your Contributions to Draios/Sysdig on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON- INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.
-
-7. If You wish to submit work that is not Your original creation, You may submit it to Draios/Sysdig separately from any Contribution, identifying the complete details of its source and of any license or other restriction (including, but not limited to, related patents, trademarks, and license agreements) of which you are personally aware, and conspicuously marking the work as "Submitted on behalf of a third-party: [named here]".
-
-8. You agree to notify Draios/Sysdig of any facts or circumstances of which you become aware that would make these representations inaccurate in any respect.
-
-9. You understand and agree that this project and Your Contribution are public and that a record of the contribution, including all personal information that I submit with it, including my sign-off, may be stored by Draios/Sysdig indefinitely and may be redistributed to others. You understand and agree that Draios/Sysdig has no obligation to use any Contribution in any Draios/Sysdig project or product, and Draios/Sysdig may decline to accept Your Contributions or Draios/Sysdig may remove Your Contributions from Draios/Sysdig projects or products at any time without notice. You understand and agree that Draios/Sysdig is not and will not pay you any form of compensation, in currency, equity or otherwise, in exchange for Your Contributions or for Your assent to this Agreement. You understand and agree that you are independent of Draios/Sysdig and you are not, by entering into this Agreement or providing Your Contributions, becoming employed, hired as an independent contractor, or forming any other relationship with Draios/Sysdig relating to employment, compensation or ownership or involving any fiduciary obligation.
-
-TO AGREE:
-Add the following line to every GIT commit message:
-
-falco-CLA-1.0-signed-off-by: Joe Smith <joe.smith@email.com>
-
-Use your real name; pseudonyms or anonymous contributions are not allowed.

cla/falco_corp_contributor_agreement.txt

@@ -1,33 +0,0 @@
-DRAIOS, INC. – OPEN SOURCE CONTRIBUTION LICENSE AGREEMENT FOR CONTRIBUTING ENTITIES (SUCH AS CORPORATIONS) (“Agreement”)
-
-Draios, Inc. dba Sysdig (“Draios” or “Sysdig”) welcomes you to work on our open source software projects. In order to clarify the intellectual property license granted with Contributions from any person or entity, you must agree to the license terms below in order to contribute code back to our repositories. This license is for your protection as a Contributor as well as the protection of Sysdig; it does not change your rights to use your own Contributions for any other purpose. To indicate your Agreement, follow the procedure set forth below under TO AGREE, after reading this Agreement.
-
-A “contributing entity” means a corporation, limited liability company, partnership, or other entity that is organized and recognized under the laws of a state of the United States or another country (a “contributing entity”). We provide a separate CLA for individual contributors.
-
-You accept and agree to the following terms and conditions for Your present and future Contributions that are submitted to Draios/Sysdig. Except for the license granted herein to Draios/Sysdig and recipients of software distributed by Draios/Sysdig, You reserve all right, title, and interest in and to Your Contributions.
-
-1. Definitions.  "You" (or "Your") shall mean the contributing entity that owns for copyright purposes or otherwise has the right to contribute the Contribution, and that is making this Agreement with Draios/Sysdig, and all other entities that control, are controlled by, or are under common control with the contributing entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "Contribution" shall mean any original work of authorship, including any modifications or additions to an existing work, that is intentionally submitted by You to Draios/Sysdig for inclusion in, or documentation of, any of the products owned or managed by Draios/Sysdig (the "Work"). For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to Draios/Sysdig or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, Draios/Sysdig for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by You as "Not a Contribution."
-
-2. Grant of Copyright License. Subject to the terms and conditions of this Agreement, You hereby grant to Draios/Sysdig and to recipients of software distributed by Draios/Sysdig a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Your Contributions and such derivative works.
-
-3. Grant of Patent License. Subject to the terms and conditions of this Agreement, You hereby grant to Draios/Sysdig and to recipients of software distributed by Draios/Sysdig a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims that You have the right to license and that are necessarily infringed by Your Contribution(s) alone or by combination of Your Contribution(s) with the Work to which such Contribution(s) was submitted. If any entity other than Draios/Sysdig institutes patent litigation against You or any other entity (including a cross-claim or counterclaim in a lawsuit) alleging that your Contribution, or the Work to which you have contributed, constitutes direct or contributory patent infringement, then any patent licenses granted to that entity under this Agreement for that Contribution or Work shall terminate as of the date such litigation is filed.
-
-4. You represent to Draios/Sysdig that You own or have the right to contribute Your Contributions to Draios/Sysdig, and that You are legally entitled to grant the licenses set forth above.
-
-5. You represent that each of Your Contributions is Your original creation (see section 7 for submissions on behalf of others). You represent that Your Contribution submissions include complete details of any third-party license or other restriction (including, but not limited to, related patents and trademarks) of which You are personally aware and which are associated with any part of Your Contributions. You represent that Your sign-off indicating assent to this Agreement includes the real name of a natural person who is an authorized representative of You, and not a pseudonym, and that You are not attempting or making an anonymous Contribution.
-
-6. You are not expected to provide support for Your Contributions, except to the extent You desire to provide support. You may provide support for free, for a fee, or not at all. Unless required by applicable law or agreed to in writing, You provide Your Contributions to Draios/Sysdig on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON- INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.
-
-7. If You wish to submit work that is not Your original creation, You may submit it to Draios/Sysdig separately from any Contribution, identifying the complete details of its source and of any license or other restriction (including, but not limited to, related patents, trademarks, and license agreements) of which You are aware, and conspicuously marking the work as "Submitted on behalf of a third-party: [named here]".
-
-8. You agree to notify Draios/Sysdig of any facts or circumstances of which you become aware that would make these representations inaccurate in any respect.
-
-9. You understand and agree that this project and Your Contribution are public and that a record of the contribution, including all personal information that You submit with it, including the sign-off of Your authorized representative, may be stored by Draios/Sysdig indefinitely and may be redistributed to others. You understand and agree that Draios/Sysdig has no obligation to use any Contribution in any Draios/Sysdig project or product, and Draios/Sysdig may decline to accept Your Contributions or Draios/Sysdig may remove Your Contributions from Draios/Sysdig projects or products at any time without notice. You understand and agree that Draios/Sysdig is not and will not pay You any form of compensation, in currency, equity or otherwise, in exchange for Your Contributions or for Your assent to this Agreement. You understand and agree that You are independent of Draios/Sysdig and You are not, by entering into this Agreement or providing Your Contributions, becoming employed, hired as an independent contractor, or forming any other relationship with Draios/Sysdig relating to employment, compensation or ownership or involving any fiduciary obligation.
-
-TO AGREE:
-Add the following lines to every GIT commit message:
-
-falco-CLA-1.0-contributing-entity: Full Legal Name of Entity
-falco-CLA-1.0-signed-off-by: Joe Smith <joe.smith@email.com>
-
-Use a real name of a natural person who is an authorized representative of the contributing entity; pseudonyms or anonymous contributions are not allowed.

cla/falco_govt_contributor_agreement.txt

@@ -1,33 +0,0 @@
-DRAIOS, INC. <20> OPEN SOURCE CONTRIBUTION AGREEMENT FOR UNITED STATES GOVERNMENT CONTRIBUTING ENTITIES (<28>Agreement<6E>)
-
-Draios, Inc. (<28>Draios<6F> or <20>Sysdig<69>) welcomes the work of others on our open source software projects.  To contribute code back to our repositories, we require a contributing entity that is a United States Government agency to complete, and agree to, the Government Contributor Agreement (GCA) set forth here, by and through a designated authorized representative. This agreement clarifies the ability for us to use and incorporate the contributions of a government contributing entity in our projects and products. After agreeing to these terms, a contributing entity may contribute to our projects. To indicate the agreement of the contributing entity, an authorized representative shall follow the procedure set forth below under TO AGREE, after reading this Agreement. A <20>contributing entity<74> means any agency or unit of the United States government. We provide a separate CLA for individual contributors. 
-
-You accept and agree to the following terms and conditions for Your present and future Contributions that are submitted to Draios/Sysdig.
-
-1. Definitions.  "You" (or "Your") shall mean the contributing entity that has authored or otherwise has the right to contribute the Contribution, and that is making this Agreement with Draios/Sysdig. "Contribution" shall mean any original work of authorship, including any modifications or additions to an existing work, that is intentionally submitted by You to Draios/Sysdig for inclusion in, or documentation of, any of the products owned or managed by Draios/Sysdig (the "Work"). For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to Draios/Sysdig or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, Draios/Sysdig for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by You as "Not a Contribution."
-
-2. Contributions Not Subject to Copyright. Each Contribution is a work authored by the United States Government or an employee or officer thereof and is not subject to copyright under 17 U.S.C. 105.
-
-3. Grant of Patent License. Subject to the terms and conditions of this Agreement, You hereby grant to Draios/Sysdig and to recipients of software distributed by Draios/Sysdig a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims that You have the right to license and that are necessarily infringed by Your Contribution(s) alone or by combination of Your Contribution(s) with the Work to which such Contribution(s) was submitted. If any entity other than Draios/Sysdig institutes patent litigation against You or any other entity (including a cross-claim or counterclaim in a lawsuit) alleging that your Contribution, or the Work to which you have contributed, constitutes direct or contributory patent infringement, then any patent licenses granted to that entity under this Agreement for that Contribution or Work shall terminate as of the date such litigation is filed.
-
-4. You represent to Draios/Sysdig that You own or have the right to contribute Your Contributions to Draios/Sysdig, and that You are legally entitled to grant the license set forth above.
-
-5. You represent that each of Your Contributions is Your original creation (see section 7 for submissions on behalf of others). You represent that Your Contribution submissions include complete details of any third-party license or other restriction (including, but not limited to, related patents and trademarks) of which You are personally aware and which are associated with any part of Your Contributions. You represent that Your sign-off indicating assent to this Agreement includes the real name of a natural person who is an authorized representative of You, and not a pseudonym, and that You are not attempting or making an anonymous Contribution.
-
-6. You are not expected to provide support for Your Contributions, except to the extent You desire to provide support. You may provide support for free, for a fee, or not at all. Unless required by applicable law or agreed to in writing, You provide Your Contributions to Draios/Sysdig on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON- INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.
-
-7. If You wish to submit work that is not Your original creation, You may submit it to Draios/Sysdig separately from any Contribution, identifying the complete details of its source and of any license or other restriction (including, but not limited to, related patents, trademarks, and license agreements) of which You are aware, and conspicuously marking the work as "Submitted on behalf of a third-party: [named here]".
-
-8. You agree to notify Draios/Sysdig of any facts or circumstances of which you become aware that would make these representations inaccurate in any respect.
-
-9. You understand and agree that this project and Your Contribution are public and that a record of the contribution, including all personal information that You submit with it, including the sign-off of Your authorized representative, may be stored by Draios/Sysdig indefinitely and may be redistributed to others. You understand and agree that Draios/Sysdig has no obligation to use any Contribution in any Draios/Sysdig project or product, and Draios/Sysdig may decline to accept Your Contributions or Draios/Sysdig may remove Your Contributions from Draios/Sysdig projects or products at any time without notice. You understand and agree that Draios/Sysdig is not and will not pay You any form of compensation, in currency, equity or otherwise, in exchange for Your Contributions or for Your assent to this Agreement. You understand and agree that You are independent of Draios/Sysdig and You are not, by entering into this Agreement or providing Your Contributions, becoming employed, hired as an independent contractor, or forming any other relationship with Draios/Sysdig relating to employment, compensation or ownership or involving any fiduciary obligation.
-
-TO AGREE:
-Add the following lines to every GIT commit message:
-
-falco-CLA-1.0-contributing-govt-entity: Full Legal Name of Entity
-falco-CLA-1.0-signed-off-by: Joe Smith joe.smith@email.com
-This file is a work of authorship of an employee or officer of the United States Government and is not subject to copyright in the United States under 17 USC 105.
-
-Use a real name of a natural person who is an authorized representative of the contributing entity; pseudonyms or anonymous contributions are not allowed.
-

examples/k8s_audit_config/README.md

@@ -1,54 +1,136 @@
-# Introduction
+This page describes how to get [Kubernetes Auditing](https://kubernetes.io/docs/tasks/debug-application-cluster/audit) working with Falco.
+Either using static audit backends in Kubernetes 1.11, or in Kubernetes 1.13 with dynamic sink which configures webhook backends through an AuditSink API object.
 
-This page describes how to get K8s Audit Logging working with Falco. For now, we'll describe how to enable audit logging in k8s 1.11, where the audit configuration needs to be directly provided to the api server. In 1.13 there is a different mechanism that allows audit confguration to be managed like other k8s objects, but these instructions are for 1.11.
+<!-- toc -->
+
+- [Instructions for Kubernetes 1.11](#instructions-for-kubernetes-111)
+  * [Deploy Falco to your Kubernetes cluster](#deploy-falco-to-your-kubernetes-cluster)
+  * [Define your audit policy and webhook configuration](#define-your-audit-policy-and-webhook-configuration)
+  * [Restart the API Server to enable Audit Logging](#restart-the-api-server-to-enable-audit-logging)
+  * [Observe Kubernetes audit events at falco](#observe-kubernetes-audit-events-at-falco)
+- [Instructions for Kubernetes 1.13](#instructions-for-kubernetes-113)
+  * [Deploy Falco to your Kubernetes cluster](#deploy-falco-to-your-kubernetes-cluster-1)
+  * [Restart the API Server to enable Audit Logging](#restart-the-api-server-to-enable-audit-logging-1)
+  * [Deploy AuditSink objects](#deploy-auditsink-objects)
+  * [Observe Kubernetes audit events at falco](#observe-kubernetes-audit-events-at-falco-1)
+- [Instructions for Kubernetes 1.13 with dynamic webhook and local log file](#instructions-for-kubernetes-113-with-dynamic-webhook-and-local-log-file)
+
+<!-- tocstop -->
+
+## Instructions for Kubernetes 1.11
 
 The main steps are:
 
-1. Deploy Falco to your K8s cluster
+1. Deploy Falco to your Kubernetes cluster
 1. Define your audit policy and webhook configuration
 1. Restart the API Server to enable Audit Logging
-1. Observe K8s audit events at falco
+1. Observe Kubernetes audit events at falco
 
-## Deploy Falco to your K8s cluster
+### Deploy Falco to your Kubernetes cluster
 
-Follow the [K8s Using Daemonset](../../integrations/k8s-using-daemonset/README.md) instructions to create a falco service account, service, configmap, and daemonset.
+Follow the [Kubernetes Using Daemonset](../../integrations/k8s-using-daemonset/README.md) instructions to create a falco service account, service, configmap, and daemonset.
 
-## Define your audit policy and webhook configuration
+### Define your audit policy and webhook configuration
 
-The files in this directory can be used to configure k8s audit logging. The relevant files are:
+The files in this directory can be used to configure Kubernetes audit logging. The relevant files are:
 
-* [audit-policy.yaml](./audit-policy.yaml): The k8s audit log configuration we used to create the rules in [k8s_audit_rules.yaml](../../rules/k8s_audit_rules.yaml).
-* [webhook-config.yaml.in](./webhook-config.yaml.in): A (templated) webhook configuration that sends audit events to an ip associated with the falco service, port 8765. It is templated in that the *actual* ip is defined in an environment variable `FALCO_SERVICE_CLUSTERIP`, which can be plugged in using a program like `envsubst`.
+* [audit-policy.yaml](./audit-policy.yaml): The Kubernetes audit log configuration we used to create the rules in [k8s_audit_rules.yaml](../../rules/k8s_audit_rules.yaml).
+* [webhook-config.yaml.in](./webhook-config.yaml.in): A (templated) webhook configuration that sends audit events to an ip associated with the falco service, port 8765. It is templated in that the *actual* IP is defined in an environment variable `FALCO_SERVICE_CLUSTERIP`, which can be plugged in using a program like `envsubst`.
 
-Run the following to fill in the template file with the ClusterIP ip address you created with the `falco-service` service above. Although services like `falco-service.default.svc.cluster.local` can not be resolved from the kube-apiserver container within the minikube vm (they're run as pods but not *really* a part of the cluster), the ClusterIPs associated with those services are routable.
+Run the following to fill in the template file with the `ClusterIP` IP address you created with the `falco-service` service above. Although services like `falco-service.default.svc.cluster.local` can not be resolved from the kube-apiserver container within the minikube vm (they're run as pods but not *really* a part of the cluster), the `ClusterIP`s associated with those services are routable.
 
 ```
 FALCO_SERVICE_CLUSTERIP=$(kubectl get service falco-service -o=jsonpath={.spec.clusterIP}) envsubst < webhook-config.yaml.in > webhook-config.yaml
 ```
 
-## Restart the API Server to enable Audit Logging
+### Restart the API Server to enable Audit Logging
 
 A script [enable-k8s-audit.sh](./enable-k8s-audit.sh) performs the necessary steps of enabling audit log support for the apiserver, including copying the audit policy/webhook files to the apiserver machine, modifying the apiserver command line to add `--audit-log-path`, `--audit-policy-file`, etc. arguments, etc. (For minikube, ideally you'd be able to pass all these options directly on the `minikube start` command line, but manual patching is necessary. See [this issue](https://github.com/kubernetes/minikube/issues/2741) for more details.)
 
-It is run as `bash ./enable-k8s-audit.sh <variant>`. `<variant>` can be one of the following:
+It is run as `bash ./enable-k8s-audit.sh <variant> static`. `<variant>` can be one of the following:
 
-* "minikube"
-* "kops"
+* `minikube`
+* `kops`
 
-When running with variant="kops", you must either modify the script to specify the kops apiserver hostname or set it via the environment: `APISERVER_HOST=api.my-kops-cluster.com bash ./enable-k8s-audit.sh kops`
+When running with `variant` equal to `kops`, you must either modify the script to specify the kops apiserver hostname or set it via the environment: `APISERVER_HOST=api.my-kops-cluster.com bash ./enable-k8s-audit.sh kops`
 
 Its output looks like this:
 
 ```
-$ bash enable-k8s-audit.sh minikube
+$ bash enable-k8s-audit.sh minikube static
+***Copying apiserver config patch script to apiserver...
+apiserver-config.patch.sh                                                                   100% 1190     1.2MB/s   00:00
 ***Copying audit policy/webhook files to apiserver...
 audit-policy.yaml                                                                           100% 2519     1.2MB/s   00:00
 webhook-config.yaml                                                                         100%  248   362.0KB/s   00:00
+***Modifying k8s apiserver config (will result in apiserver restarting)...
+***Done!
+$
+```
+### Observe Kubernetes audit events at falco
+
+Kubernetes audit events will then be routed to the falco daemonset within the cluster, which you can observe via `kubectl logs -f $(kubectl get pods -l app=falco-example -o jsonpath={.items[0].metadata.name})`.
+
+## Instructions for Kubernetes 1.13
+
+The main steps are:
+
+1. Deploy Falco to your Kubernetes cluster
+2. Restart the API Server to enable Audit Logging
+3. Deploy the AuditSink object for your audit policy and webhook configuration
+4. Observe Kubernetes audit events at falco
+
+### Deploy Falco to your Kubernetes cluster
+
+Follow the [Kubernetes Using Daemonset](../../integrations/k8s-using-daemonset/README.md) instructions to create a Falco service account, service, configmap, and daemonset.
+
+### Restart the API Server to enable Audit Logging
+
+A script [enable-k8s-audit.sh](./enable-k8s-audit.sh) performs the necessary steps of enabling dynamic audit support for the apiserver by modifying the apiserver command line to add `--audit-dynamic-configuration`, `--feature-gates=DynamicAuditing=true`, etc. arguments, etc. (For minikube, ideally you'd be able to pass all these options directly on the `minikube start` command line, but manual patching is necessary. See [this issue](https://github.com/kubernetes/minikube/issues/2741) for more details.)
+
+It is run as `bash ./enable-k8s-audit.sh <variant> dynamic`. `<variant>` can be one of the following:
+
+* `minikube`
+* `kops`
+
+When running with `variant` equal to `kops`, you must either modify the script to specify the kops apiserver hostname or set it via the environment: `APISERVER_HOST=api.my-kops-cluster.com bash ./enable-k8s-audit.sh kops`
+
+Its output looks like this:
+
+```
+$ bash enable-k8s-audit.sh minikube dynamic
+***Copying apiserver config patch script to apiserver...
 apiserver-config.patch.sh                                                                   100% 1190     1.2MB/s   00:00
 ***Modifying k8s apiserver config (will result in apiserver restarting)...
 ***Done!
 $
 ```
-## Observe K8s audit events at falco
 
-K8s audit events will then be routed to the falco daemonset within the cluster, which you can observe via `kubectl logs -f $(kubectl get pods -l app=falco-example -o jsonpath={.items[0].metadata.name})`.
+### Deploy AuditSink objects
+
+[audit-sink.yaml.in](./audit-sink.yaml.in), in this directory, is a template audit sink configuration that defines the dynamic audit policy and webhook to route Kubernetes audit events to Falco.
+
+Run the following to fill in the template file with the `ClusterIP` IP address you created with the `falco-service` service above. Although services like `falco-service.default.svc.cluster.local` can not be resolved from the kube-apiserver container within the minikube vm (they're run as pods but not *really* a part of the cluster), the ClusterIPs associated with those services are routable.
+
+```
+FALCO_SERVICE_CLUSTERIP=$(kubectl get service falco-service -o=jsonpath={.spec.clusterIP}) envsubst < audit-sink.yaml.in > audit-sink.yaml
+```
+
+### Observe Kubernetes audit events at falco
+
+Kubernetes audit events will then be routed to the falco daemonset within the cluster, which you can observe via `kubectl logs -f $(kubectl get pods -l app=falco-example -o jsonpath={.items[0].metadata.name})`.
+
+## Instructions for Kubernetes 1.13 with dynamic webhook and local log file
+
+If you want to use a mix of `AuditSink` for remote audit events as well as a local audit log file, you can run `enable-k8s-audit.sh` with the `"dynamic+log"` argument e.g. `bash ./enable-k8s-audit.sh <variant> dynamic+log`. This will enable dynamic audit logs as well as a static audit log to a local file. Its output looks like this:
+
+```
+***Copying apiserver config patch script to apiserver...
+apiserver-config.patch.sh                                                                          100% 2211   662.9KB/s   00:00
+***Copying audit policy file to apiserver...
+audit-policy.yaml                                                                                  100% 2519   847.7KB/s   00:00
+***Modifying k8s apiserver config (will result in apiserver restarting)...
+***Done!
+```
+
+The audit log will be available on the apiserver host at `/var/lib/k8s_audit/audit.log`.

examples/k8s_audit_config/apiserver-config.patch.sh

@@ -1,13 +1,23 @@
-#!/bin/sh
+#!/usr/bin/env bash
+
+set -euo pipefail
 
 IFS=''
 
 FILENAME=${1:-/etc/kubernetes/manifests/kube-apiserver.yaml}
 VARIANT=${2:-minikube}
+AUDIT_TYPE=${3:-static}
 
-if grep audit-webhook-config-file $FILENAME ; then
-    echo audit-webhook patch already applied
-    exit 0
+if [ "$AUDIT_TYPE" == "static" ]; then
+    if grep audit-webhook-config-file "$FILENAME" ; then
+	echo audit-webhook patch already applied
+	exit 0
+    fi
+else
+    if grep audit-dynamic-configuration "$FILENAME" ; then
+	echo audit-dynamic-configuration patch already applied
+	exit 0
+    fi
 fi
 
 TMPFILE="/tmp/kube-apiserver.yaml.patched"
@@ -16,29 +26,42 @@ rm -f "$TMPFILE"
 APISERVER_PREFIX="    -"
 APISERVER_LINE="- kube-apiserver"
 
-if [ $VARIANT == "kops" ]; then
+if [ "$VARIANT" == "kops" ]; then
     APISERVER_PREFIX="     "
     APISERVER_LINE="/usr/local/bin/kube-apiserver"
 fi
 
-while read LINE
+while read -r LINE
 do
     echo "$LINE" >> "$TMPFILE"
     case "$LINE" in
         *$APISERVER_LINE*)
-            echo "$APISERVER_PREFIX --audit-log-path=/var/lib/k8s_audit/audit.log" >> "$TMPFILE"
-            echo "$APISERVER_PREFIX --audit-policy-file=/var/lib/k8s_audit/audit-policy.yaml" >> "$TMPFILE"
-            echo "$APISERVER_PREFIX --audit-webhook-config-file=/var/lib/k8s_audit/webhook-config.yaml" >> "$TMPFILE"
-            echo "$APISERVER_PREFIX --audit-webhook-batch-max-wait=5s" >> "$TMPFILE"
+	    if [[ ($AUDIT_TYPE == "static" || $AUDIT_TYPE == "dynamic+log") ]]; then
+		echo "$APISERVER_PREFIX --audit-log-path=/var/lib/k8s_audit/audit.log" >> "$TMPFILE"
+		echo "$APISERVER_PREFIX --audit-policy-file=/var/lib/k8s_audit/audit-policy.yaml" >> "$TMPFILE"
+		if [[ $AUDIT_TYPE == "static" ]]; then
+		    echo "$APISERVER_PREFIX --audit-webhook-config-file=/var/lib/k8s_audit/webhook-config.yaml" >> "$TMPFILE"
+		    echo "$APISERVER_PREFIX --audit-webhook-batch-max-wait=5s" >> "$TMPFILE"
+		fi
+	    fi
+	    if [[ ($AUDIT_TYPE == "dynamic" || $AUDIT_TYPE == "dynamic+log") ]]; then
+		echo "$APISERVER_PREFIX --audit-dynamic-configuration" >> "$TMPFILE"
+		echo "$APISERVER_PREFIX --feature-gates=DynamicAuditing=true" >> "$TMPFILE"
+		echo "$APISERVER_PREFIX --runtime-config=auditregistration.k8s.io/v1alpha1=true" >> "$TMPFILE"
+	    fi
             ;;
         *"volumeMounts:"*)
-            echo "    - mountPath: /var/lib/k8s_audit/" >> "$TMPFILE"
-            echo "      name: data" >> "$TMPFILE"
+	    if [[ ($AUDIT_TYPE == "static" || $AUDIT_TYPE == "dynamic+log") ]]; then
+		echo "    - mountPath: /var/lib/k8s_audit/" >> "$TMPFILE"
+		echo "      name: data" >> "$TMPFILE"
+	    fi
             ;;
         *"volumes:"*)
-            echo "  - hostPath:" >> "$TMPFILE"
-            echo "      path: /var/lib/k8s_audit" >> "$TMPFILE"
-            echo "    name: data" >> "$TMPFILE"
+	    if [[ ($AUDIT_TYPE == "static" || $AUDIT_TYPE == "dynamic+log") ]]; then
+		echo "  - hostPath:" >> "$TMPFILE"
+		echo "      path: /var/lib/k8s_audit" >> "$TMPFILE"
+		echo "    name: data" >> "$TMPFILE"
+	    fi
             ;;
 
     esac

examples/k8s_audit_config/audit-sink.yaml.in

@@ -0,0 +1,16 @@
+apiVersion: auditregistration.k8s.io/v1alpha1
+kind: AuditSink
+metadata:
+  name: falco-audit-sink
+spec:
+  policy:
+    level: RequestResponse
+    stages:
+      - ResponseComplete
+      - ResponseStarted
+  webhook:
+    throttle:
+      qps: 10
+      burst: 15
+    clientConfig:
+      url: "http://$FALCO_SERVICE_CLUSTERIP:8765/k8s_audit"

examples/k8s_audit_config/enable-k8s-audit.sh

@@ -1,20 +1,21 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 set -euo pipefail
 
 VARIANT=${1:-minikube}
+AUDIT_TYPE=${2:-static}
 
-if [ $VARIANT == "minikube" ]; then
+if [ "$VARIANT" == "minikube" ]; then
     APISERVER_HOST=$(minikube ip)
     SSH_KEY=$(minikube ssh-key)
-    SSH_USER=docker
+    SSH_USER="docker"
     MANIFEST="/etc/kubernetes/manifests/kube-apiserver.yaml"
 fi
 
-if [ $VARIANT == "kops" ]; then
-#    APISERVER_HOST=api.your-kops-cluster-name.com
+if [ "$VARIANT" == "kops" ]; then
+    # APISERVER_HOST=api.your-kops-cluster-name.com
     SSH_KEY=~/.ssh/id_rsa
-    SSH_USER=admin
+    SSH_USER="admin"
     MANIFEST=/etc/kubernetes/manifests/kube-apiserver.manifest
 
     if [ -z "${APISERVER_HOST+xxx}" ]; then
@@ -23,14 +24,23 @@ if [ $VARIANT == "kops" ]; then
     fi
 fi
 
-echo "***Copying audit policy/webhook files to apiserver..."
-ssh -i $SSH_KEY $SSH_USER@$APISERVER_HOST "sudo mkdir -p /var/lib/k8s_audit && sudo chown $SSH_USER /var/lib/k8s_audit"
-scp -i $SSH_KEY audit-policy.yaml $SSH_USER@$APISERVER_HOST:/var/lib/k8s_audit
-scp -i $SSH_KEY webhook-config.yaml $SSH_USER@$APISERVER_HOST:/var/lib/k8s_audit
-scp -i $SSH_KEY apiserver-config.patch.sh $SSH_USER@$APISERVER_HOST:/var/lib/k8s_audit
+echo "***Copying apiserver config patch script to apiserver..."
+ssh -i $SSH_KEY "$SSH_USER@$APISERVER_HOST" "sudo mkdir -p /var/lib/k8s_audit && sudo chown $SSH_USER /var/lib/k8s_audit"
+scp -i $SSH_KEY apiserver-config.patch.sh "$SSH_USER@$APISERVER_HOST:/var/lib/k8s_audit"
+
+if [ "$AUDIT_TYPE" == "static" ]; then
+    echo "***Copying audit policy/webhook files to apiserver..."
+    scp -i $SSH_KEY audit-policy.yaml "$SSH_USER@$APISERVER_HOST:/var/lib/k8s_audit"
+    scp -i $SSH_KEY webhook-config.yaml "$SSH_USER@$APISERVER_HOST:/var/lib/k8s_audit"
+fi
+
+if [ "$AUDIT_TYPE" == "dynamic+log" ]; then
+    echo "***Copying audit policy file to apiserver..."
+    scp -i $SSH_KEY audit-policy.yaml "$SSH_USER@$APISERVER_HOST:/var/lib/k8s_audit"
+fi
 
 echo "***Modifying k8s apiserver config (will result in apiserver restarting)..."
 
-ssh -i $SSH_KEY $SSH_USER@$APISERVER_HOST "sudo bash /var/lib/k8s_audit/apiserver-config.patch.sh $MANIFEST $VARIANT"
+ssh -i $SSH_KEY "$SSH_USER@$APISERVER_HOST" "sudo bash /var/lib/k8s_audit/apiserver-config.patch.sh $MANIFEST $VARIANT $AUDIT_TYPE"
 
 echo "***Done!"

examples/mitm-sh-installer/README.md

@@ -1,4 +1,4 @@
-#Demo of falco with man-in-the-middle attacks on installation scripts
+# Demo of falco with man-in-the-middle attacks on installation scripts
 
 For context, see the corresponding [blog post](http://sysdig.com/blog/making-curl-to-bash-safer) for this demo.
 

rules/OWNERS

@@ -0,0 +1,10 @@
+approvers:
+  - mstemm
+  - kaizhe
+reviewers:
+  - leodido
+  - fntlnz
+  - mfdii
+  - kaizhe
+  - mstemm
+

rules/falco_rules.yaml

@@ -69,6 +69,9 @@
 - macro: spawned_process
   condition: evt.type = execve and evt.dir=<
 
+- macro: create_symlink
+  condition: evt.type in (symlink, symlinkat) and evt.dir=<
+
 # File categories
 - macro: bin_dir
   condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
@@ -284,6 +287,9 @@
 - list: sensitive_file_names
   items: [/etc/shadow, /etc/sudoers, /etc/pam.conf, /etc/security/pwquality.conf]
 
+- list: sensitive_directory_names
+  items: [/, /etc, /etc/, /root, /root/]
+
 - macro: sensitive_files
   condition: >
     fd.name startswith /etc and
@@ -522,7 +528,7 @@
 # compatiblity with some widely used rules files.
 # Begin Deprecated
 - macro: parent_ansible_running_python
-  condition: (proc.pname in (python, pypy) and proc.pcmdline contains ansible)
+  condition: (proc.pname in (python, pypy, python3) and proc.pcmdline contains ansible)
 
 - macro: parent_bro_running_python
   condition: (proc.pname=python and proc.cmdline contains /usr/share/broctl)
@@ -604,7 +610,7 @@
 ## End Deprecated
 
 - macro: ansible_running_python
-  condition: (proc.name in (python, pypy) and proc.cmdline contains ansible)
+  condition: (proc.name in (python, pypy, python3) and proc.cmdline contains ansible)
 
 - macro: python_running_chef
   condition: (proc.name=python and (proc.cmdline contains yum-dump.py or proc.cmdline="python /usr/bin/chef-monitor.py"))
@@ -643,7 +649,8 @@
 - macro: run_by_google_accounts_daemon
   condition: >
     (proc.aname[1] startswith google_accounts or
-     proc.aname[2] startswith google_accounts)
+     proc.aname[2] startswith google_accounts or
+     proc.aname[3] startswith google_accounts)
 
 # Chef is similar.
 - macro: run_by_chef
@@ -774,7 +781,10 @@
   condition: (proc.cmdline startswith "java LiveUpdate" and fd.name in (/etc/liveupdate.conf, /etc/Product.Catalog.JavaLiveUpdate))
 
 - macro: rancher_agent
-  condition: (proc.name = agent and container.image.repository = rancher/agent)
+  condition: (proc.name=agent and container.image.repository contains "rancher/agent")
+
+- macro: rancher_network_manager
+  condition: (proc.name=rancher-bridge and container.image.repository contains "rancher/network-manager")
 
 - macro: sosreport_writing_files
   condition: >
@@ -808,7 +818,7 @@
   condition: (veritas_progs and (fd.name startswith /etc/vx or fd.name startswith /etc/opt/VRTS or fd.name startswith /etc/vom))
 
 - macro: nginx_writing_conf
-  condition: (proc.name in (nginx,nginx-ingress-c) and fd.name startswith /etc/nginx)
+  condition: (proc.name in (nginx,nginx-ingress-c,nginx-ingress) and (fd.name startswith /etc/nginx or fd.name startswith /etc/ingress-controller))
 
 - macro: nginx_writing_certs
   condition: >
@@ -872,6 +882,16 @@
 - macro: cassandra_writing_state
   condition: (java_running_cassandra and fd.directory=/root/.cassandra)
 
+# Istio
+- macro: galley_writing_state
+  condition: (proc.name=galley and fd.name in (known_istio_files))
+
+- list: known_istio_files
+  items: [/healthready, /healthliveness]
+
+- macro: calico_writing_state
+  condition: (proc.name=kube-controller and fd.name startswith /status.json and k8s.pod.name startswith calico)
+
 - list: repository_files
   items: [sources.list]
 
@@ -1023,11 +1043,21 @@
               and fd.name startswith "/etc/dd-agent")
 
 - macro: rancher_writing_conf
-  condition: (container.image.repository in (rancher_images)
-              and proc.name in (lib-controller,rancher-dns,healthcheck,rancher-metadat)
-              and (fd.name startswith "/etc/haproxy" or
-                   fd.name startswith "/etc/rancher-dns")
-             )
+  condition: ((proc.name in (healthcheck, lb-controller, rancher-dns)) and
+              (container.image.repository contains "rancher/healthcheck" or
+               container.image.repository contains "rancher/lb-service-haproxy" or
+               container.image.repository contains "rancher/dns") and
+              (fd.name startswith "/etc/haproxy" or fd.name startswith "/etc/rancher-dns"))
+
+- macro: rancher_writing_root
+  condition: (proc.name=rancher-metadat and
+              (container.image.repository contains "rancher/metadata" or container.image.repository contains "rancher/lb-service-haproxy") and
+              fd.name startswith "/answers.json")
+
+- macro: checkpoint_writing_state
+  condition: (proc.name=checkpoint and
+              container.image.repository contains "coreos/pod-checkpointer" and
+              fd.name startswith "/etc/kubernetes")
 
 - macro: jboss_in_container_writing_passwd
   condition: >
@@ -1099,6 +1129,12 @@
 - macro: openshift_writing_conf
   condition: (proc.name=oc and fd.name startswith /etc/origin/node)
 
+- macro: keepalived_writing_conf
+  condition: (proc.name=keepalived and fd.name=/etc/keepalived/keepalived.conf)
+
+- macro: etcd_manager_updating_dns
+  condition: (container and proc.name=etcd-manager and fd.name=/etc/hosts)
+
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to allow for specific combinations of
 # programs writing below specific directories below
@@ -1204,8 +1240,11 @@
     and not calico_writing_conf
     and not prometheus_conf_writing_conf
     and not openshift_writing_conf
+    and not keepalived_writing_conf
     and not rancher_writing_conf
+    and not checkpoint_writing_state
     and not jboss_in_container_writing_passwd
+    and not etcd_manager_updating_dns
 
 - rule: Write below etc
   desc: an attempt to write to any file below /etc
@@ -1285,6 +1324,9 @@
     and not chef_writing_conf
     and not kubectl_writing_state
     and not cassandra_writing_state
+    and not galley_writing_state
+    and not calico_writing_state
+    and not rancher_writing_root
     and not known_root_conditions
     and not user_known_write_root_conditions
   output: "File below / or /root opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name)"
@@ -1343,6 +1385,7 @@
     and not proc.cmdline contains /usr/bin/mandb
     and not run_by_qualys
     and not run_by_chef
+    and not run_by_google_accounts_daemon
     and not user_read_sensitive_file_conditions
     and not perl_running_plesk
     and not perl_running_updmap
@@ -1436,12 +1479,14 @@
     and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries,
                           sysdig, nsenter, calico, oci-umount)
     and not proc.name in (user_known_change_thread_namespace_binaries)
-    and not proc.name startswith "runc:"
+    and not proc.name startswith "runc"
+    and not proc.cmdline startswith "containerd"
     and not proc.pname in (sysdigcloud_binaries)
     and not python_running_sdchecks
     and not java_running_sdjagent
     and not kubelet_running_loopback
     and not rancher_agent
+    and not rancher_network_manager
   output: >
     Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline
     parent=%proc.pname %container.info)
@@ -1620,40 +1665,95 @@
        container.image.repository contains ose-docker-registry or
        container.image.repository contains image-inspector))
 
+# These images are allowed both to run with --privileged and to mount
+# sensitive paths from the host filesystem.
+#
+# NOTE: This list is only provided for backwards compatibility with
+# older local falco rules files that may have been appending to
+# trusted_images. To make customizations, it's better to add images to
+# either privileged_images or falco_sensitive_mount_images.
 - list: trusted_images
+  items: []
+
+# Add conditions to this macro (probably in a separate file,
+# overwriting this macro) to specify additional containers that are
+# trusted and therefore allowed to run privileged *and* with sensitive
+# mounts.
+#
+# Like trusted_images, this is deprecated in favor of
+# user_privileged_containers and user_sensitive_mount_containers and
+# is only provided for backwards compatibility.
+#
+# In this file, it just takes one of the images in trusted_containers
+# and repeats it.
+- macro: user_trusted_containers
+  condition: (container.image.repository=sysdig/agent)
+
+- list: sematext_images
+  items: [sematext/sematext-agent-docker, sematext/agent, sematext/logagent,
+          registry.access.redhat.com/sematext/sematext-agent-docker,
+          registry.access.redhat.com/sematext/agent,
+          registry.access.redhat.com/sematext/logagent]
+
+# These container images are allowed to run with --privileged
+- list: falco_privileged_images
   items: [
-    sysdig/agent, sysdig/falco, sysdig/sysdig, gcr.io/google_containers/hyperkube,
-    quay.io/coreos/flannel, gcr.io/google_containers/kube-proxy, calico/node,
-    rook/toolbox, cloudnativelabs/kube-router, consul, mesosphere/mesos-slave,
-    datadog/docker-dd-agent, datadog/agent, docker/ucp-agent, gliderlabs/logspout
+    sysdig/agent, sysdig/falco, sysdig/sysdig,
+    gcr.io/google_containers/kube-proxy, calico/node,
+    rook/toolbox, cloudnativelabs/kube-router, mesosphere/mesos-slave,
+    docker/ucp-agent, sematext_images
     ]
 
-- macro: trusted_containers
+- macro: falco_privileged_containers
   condition: (openshift_image or
+              user_trusted_containers or
               container.image.repository in (trusted_images) or
+              container.image.repository in (falco_privileged_images) or
               container.image.repository startswith istio/proxy_ or
               container.image.repository startswith quay.io/sysdig)
 
+# Add conditions to this macro (probably in a separate file,
+# overwriting this macro) to specify additional containers that are
+# allowed to run privileged
+#
+# In this file, it just takes one of the images in falco_privileged_images
+# and repeats it.
+- macro: user_privileged_containers
+  condition: (container.image.repository=sysdig/agent)
+
+
 - list: rancher_images
   items: [
     rancher/network-manager, rancher/dns, rancher/agent,
     rancher/lb-service-haproxy, rancher/metadata, rancher/healthcheck
   ]
 
-# Add conditions to this macro (probably in a separate file,
-# overwriting this macro) to specify additional containers that are
-# trusted and therefore allowed to run privileged.
-#
-# In this file, it just takes one of the images in trusted_containers
-# and repeats it.
-- macro: user_trusted_containers
-  condition: (container.image.repository=sysdig/agent)
+# These container images are allowed to mount sensitive paths from the
+# host filesystem.
+- list: falco_sensitive_mount_images
+  items: [
+    sysdig/agent, sysdig/falco, sysdig/sysdig,
+    gcr.io/google_containers/hyperkube,
+    gcr.io/google_containers/kube-proxy, calico/node,
+    rook/toolbox, cloudnativelabs/kube-router, consul,
+    datadog/docker-dd-agent, datadog/agent, docker/ucp-agent, gliderlabs/logspout
+    ]
+
+- macro: falco_sensitive_mount_containers
+  condition: (user_trusted_containers or
+              container.image.repository in (trusted_images) or
+              container.image.repository in (falco_sensitive_mount_images) or
+              container.image.repository startswith quay.io/sysdig)
+
+# These container images are allowed to run with hostnetwork=true
+- list: falco_hostnetwork_images
+  items: []
 
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to specify additional containers that are
 # allowed to perform sensitive mounts.
 #
-# In this file, it just takes one of the images in trusted_containers
+# In this file, it just takes one of the images in falco_sensitive_mount_images
 # and repeats it.
 - macro: user_sensitive_mount_containers
   condition: (container.image.repository=sysdig/agent)
@@ -1663,8 +1763,8 @@
   condition: >
     container_started and container
     and container.privileged=true
-    and not trusted_containers
-    and not user_trusted_containers
+    and not falco_privileged_containers
+    and not user_privileged_containers
   output: Privileged container started (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
   priority: INFO
   tags: [container, cis, mitre_privilege_escalation, mitre_lateral_movement]
@@ -1703,7 +1803,7 @@
   condition: >
     container_started and container
     and sensitive_mount
-    and not trusted_containers
+    and not falco_sensitive_mount_containers
     and not user_sensitive_mount_containers
   output: Container with sensitive mount started (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag mounts=%container.mounts)
   priority: INFO
@@ -1978,6 +2078,7 @@
     and not somebody_becoming_themself
     and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries,
                           nomachine_binaries)
+    and not proc.name startswith "runc:"
     and not java_running_sdjagent
     and not nrpe_becoming_nagios
     and not user_known_non_sudo_setuid_conditions
@@ -2096,7 +2197,7 @@
   items: [nc, ncat, nmap, dig, tcpdump, tshark, ngrep]
 
 - macro: network_tool_procs
-  condition: proc.name in (network_tool_binaries)
+  condition: (proc.name in (network_tool_binaries))
 
 # Container is supposed to be immutable. Package management should be done in building the image.
 - rule: Launch Package Management Process in Container
@@ -2114,7 +2215,8 @@
   condition: >
     spawned_process and container and
     ((proc.name = "nc" and (proc.args contains "-e" or proc.args contains "-c")) or
-     (proc.name = "ncat" and (proc.args contains "--sh-exec" or proc.args contains "--exec"))
+     (proc.name = "ncat" and (proc.args contains "--sh-exec" or proc.args contains "--exec" or proc.args contains "-e " 
+                              or proc.args contains "-c " or proc.args contains "--lua-exec"))
     )
   output: >
     Netcat runs inside container that allows remote code execution (user=%user.name
@@ -2122,7 +2224,7 @@
   priority: WARNING
   tags: [network, process, mitre_execution]
 
-- rule: Lauch Suspicious Network Tool in Container
+- rule: Launch Suspicious Network Tool in Container
   desc: Detect network tools launched inside container
   condition: >
     spawned_process and container and network_tool_procs
@@ -2151,7 +2253,7 @@
   tags: [network, process, mitre_discovery, mitre_exfiltration]
 
 - list: grep_binaries
-  items: [grep, egre, fgrep]
+  items: [grep, egrep, fgrep]
 
 - macro: grep_commands
   condition: (proc.name in (grep_binaries))
@@ -2269,6 +2371,32 @@
     NOTICE
   tag: [file, mitre_persistence]
 
+- list: remote_file_copy_binaries
+  items: [rsync, scp, sftp, dcp]
+
+- macro: remote_file_copy_procs
+  condition: (proc.name in (remote_File_copy_binaries))
+
+- rule: Launch Remote File Copy Tools in Container
+  desc: Detect remote file copy tools launched in container
+  condition: >
+    spawned_process and container and remote_file_copy_procs
+  output: >
+    Remote file copy tool launched in container (user=%user.name command=%proc.cmdline parent_process=%proc.pname
+    container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
+  priority: NOTICE
+  tags: [network, process, mitre_lateral_movement, mitre_exfiltration]
+
+
+- rule: Create Symlink Over Sensitive Files
+  desc: Detect symlink created over sensitive files
+  condition: >
+    create_symlink and
+    (evt.arg.target in (sensitive_file_names) or evt.arg.target in (sensitive_directory_names))
+  output: >
+    Symlinks created over senstivie files (user=%user.name command=%proc.cmdline target=%evt.arg.target linkpath=%evt.arg.linkpath parent_process=%proc.pname)
+  priority: NOTICE
+  tags: [file, mitre_exfiltration]
 # Application rules have moved to application_rules.yaml. Please look
 # there if you want to enable them by adding to
 # falco_rules.local.yaml.

rules/k8s_audit_rules.yaml

@@ -17,6 +17,13 @@
 #
 - required_engine_version: 2
 
+# Like always_true/always_false, but works with k8s audit events
+- macro: k8s_audit_always_true
+  condition: (jevt.rawtime exists)
+
+- macro: k8s_audit_never_true
+  condition: (jevt.rawtime=0)
+
 # Generally only consider audit events once the response has completed
 - list: k8s_audit_stages
   items: ["ResponseComplete"]
@@ -48,11 +55,10 @@
 # explicitly enumerate the container images that you want to run in
 # your environment. In this main falco rules file, there isn't any way
 # to know all the containers that can run, so any container is
-# alllowed, by using a filter that is guaranteed to evaluate to true
-# (the event time existing). In the overridden macro, the condition
+# allowed, by using the always_true macro. In the overridden macro, the condition
 # would look something like (ka.req.container.image.repository=my-repo/my-image)
 - macro: allowed_k8s_containers
-  condition: (jevt.rawtime exists)
+  condition: (k8s_audit_always_true)
 
 - macro: response_successful
   condition: (ka.response.code startswith 2)
@@ -108,25 +114,10 @@
   source: k8s_audit
   tags: [k8s]
 
-- list: trusted_k8s_containers
-  items: [sysdig/agent, sysdig/falco, quay.io/coreos/flannel, calico/node, rook/toolbox,
-    gcr.io/google_containers/hyperkube, gcr.io/google_containers/kube-proxy,
-    openshift3/ose-sti-builder,
-    registry.access.redhat.com/openshift3/logging-fluentd,
-    registry.access.redhat.com/openshift3/logging-elasticsearch,
-    registry.access.redhat.com/openshift3/metrics-cassandra,
-    registry.access.redhat.com/openshift3/ose-sti-builder,
-    registry.access.redhat.com/openshift3/ose-docker-builder,
-    registry.access.redhat.com/openshift3/image-inspector,
-    cloudnativelabs/kube-router, istio/proxy,
-    datadog/docker-dd-agent, datadog/agent,
-    docker/ucp-agent,
-    gliderlabs/logspout]
-
 - rule: Create Privileged Pod
   desc: >
     Detect an attempt to start a pod with a privileged container
-  condition: kevt and pod and kcreate and ka.req.container.privileged=true and not ka.req.container.image.repository in (trusted_k8s_containers)
+  condition: kevt and pod and kcreate and ka.req.container.privileged=true and not ka.req.container.image.repository in (falco_privileged_images)
   output: Pod started with privileged container (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace image=%ka.req.container.image)
   priority: WARNING
   source: k8s_audit
@@ -144,7 +135,7 @@
   desc: >
     Detect an attempt to start a pod with a volume from a sensitive host directory (i.e. /proc).
     Exceptions are made for known trusted images.
-  condition: kevt and pod and kcreate and sensitive_vol_mount and not ka.req.container.image.repository in (trusted_k8s_containers)
+  condition: kevt and pod and kcreate and sensitive_vol_mount and not ka.req.container.image.repository in (falco_sensitive_mount_images)
   output: Pod started with sensitive mount (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace image=%ka.req.container.image mounts=%jevt.value[/requestObject/spec/volumes])
   priority: WARNING
   source: k8s_audit
@@ -153,7 +144,7 @@
 # Corresponds to K8s CIS Benchmark 1.7.4
 - rule: Create HostNetwork Pod
   desc: Detect an attempt to start a pod using the host network.
-  condition: kevt and pod and kcreate and ka.req.container.host_network=true and not ka.req.container.image.repository in (trusted_k8s_containers)
+  condition: kevt and pod and kcreate and ka.req.container.host_network=true and not ka.req.container.image.repository in (falco_hostnetwork_images)
   output: Pod started using host network (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace image=%ka.req.container.image)
   priority: WARNING
   source: k8s_audit
@@ -301,7 +292,7 @@
 # represent a stream of activity for a cluster. If you wish to disable
 # these events, modify the following macro.
 - macro: consider_activity_events
-  condition: (jevt.rawtime exists)
+  condition: (k8s_audit_always_true)
 
 - macro: kactivity
   condition: (kevt and consider_activity_events)
@@ -423,7 +414,7 @@
 # following macro.
 #  condition: (jevt.rawtime exists)
 - macro: consider_all_events
-  condition: (not jevt.rawtime exists)
+  condition: (k8s_audit_never_true)
 
 - macro: kall
   condition: (kevt and consider_all_events)

test/falco_k8s_audit_tests.yaml

@@ -21,6 +21,7 @@ trace_files: !mux
     detect: True
     detect_level: WARNING
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/allow_namespace_foo.yaml
     detect_counts:
@@ -30,6 +31,7 @@ trace_files: !mux
   user_in_allowed_set:
     detect: False
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/allow_namespace_foo.yaml
       - ./rules/k8s_audit/allow_user_some-user.yaml
@@ -40,6 +42,7 @@ trace_files: !mux
     detect: True
     detect_level: WARNING
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/allow_only_apache_container.yaml
     detect_counts:
@@ -49,6 +52,7 @@ trace_files: !mux
   create_allowed_pod:
     detect: False
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/allow_nginx_container.yaml
     trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
@@ -57,6 +61,7 @@ trace_files: !mux
     detect: True
     detect_level: WARNING
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     detect_counts:
       - Create Privileged Pod: 1
@@ -66,6 +71,7 @@ trace_files: !mux
     detect: True
     detect_level: WARNING
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     detect_counts:
       - Create Privileged Pod: 1
@@ -74,6 +80,7 @@ trace_files: !mux
   create_privileged_trusted_pod:
     detect: False
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/trust_nginx_container.yaml
     trace_file: trace_files/k8s_audit/create_nginx_pod_privileged.json
@@ -81,12 +88,14 @@ trace_files: !mux
   create_unprivileged_pod:
     detect: False
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
 
   create_unprivileged_trusted_pod:
     detect: False
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/trust_nginx_container.yaml
     trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
@@ -95,6 +104,7 @@ trace_files: !mux
     detect: True
     detect_level: WARNING
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     detect_counts:
       - Create Sensitive Mount Pod: 1
@@ -104,6 +114,7 @@ trace_files: !mux
     detect: True
     detect_level: WARNING
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     detect_counts:
       - Create Sensitive Mount Pod: 1
@@ -112,6 +123,7 @@ trace_files: !mux
   create_sensitive_mount_trusted_pod:
     detect: False
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/trust_nginx_container.yaml
     trace_file: trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json
@@ -119,12 +131,14 @@ trace_files: !mux
   create_unsensitive_mount_pod:
     detect: False
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     trace_file: trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json
 
   create_unsensitive_mount_trusted_pod:
     detect: False
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/trust_nginx_container.yaml
     trace_file: trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json
@@ -133,6 +147,7 @@ trace_files: !mux
     detect: True
     detect_level: WARNING
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     detect_counts:
       - Create HostNetwork Pod: 1
@@ -141,6 +156,7 @@ trace_files: !mux
   create_hostnetwork_trusted_pod:
     detect: False
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/trust_nginx_container.yaml
     trace_file: trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
@@ -148,12 +164,14 @@ trace_files: !mux
   create_nohostnetwork_pod:
     detect: False
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     trace_file: trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json
 
   create_nohostnetwork_trusted_pod:
     detect: False
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/trust_nginx_container.yaml
     trace_file: trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json
@@ -162,6 +180,7 @@ trace_files: !mux
     detect: True
     detect_level: WARNING
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/disallow_kactivity.yaml
     detect_counts:
@@ -171,6 +190,7 @@ trace_files: !mux
   create_nonodeport_service:
     detect: False
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/disallow_kactivity.yaml
     trace_file: trace_files/k8s_audit/create_nginx_service_nonodeport.json
@@ -179,6 +199,7 @@ trace_files: !mux
     detect: True
     detect_level: WARNING
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/disallow_kactivity.yaml
     detect_counts:
@@ -188,6 +209,7 @@ trace_files: !mux
   create_configmap_no_private_creds:
     detect: False
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/disallow_kactivity.yaml
     trace_file: trace_files/k8s_audit/create_configmap_no_sensitive_values.json
@@ -196,6 +218,7 @@ trace_files: !mux
     detect: True
     detect_level: WARNING
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     detect_counts:
       - Anonymous Request Allowed: 1
@@ -205,6 +228,7 @@ trace_files: !mux
     detect: True
     detect_level: NOTICE
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     detect_counts:
       - Attach/Exec Pod: 1
@@ -214,6 +238,7 @@ trace_files: !mux
     detect: True
     detect_level: NOTICE
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     detect_counts:
       - Attach/Exec Pod: 1
@@ -223,6 +248,7 @@ trace_files: !mux
     detect: True
     detect_level: WARNING
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/allow_user_some-user.yaml
     detect_counts:
@@ -232,6 +258,7 @@ trace_files: !mux
   namespace_in_allowed_set:
     detect: False
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/allow_namespace_foo.yaml
       - ./rules/k8s_audit/disallow_kactivity.yaml
@@ -241,6 +268,7 @@ trace_files: !mux
     detect: True
     detect_level: WARNING
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     detect_counts:
       - Pod Created in Kube Namespace: 1
@@ -250,6 +278,7 @@ trace_files: !mux
     detect: True
     detect_level: WARNING
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     detect_counts:
       - Pod Created in Kube Namespace: 1
@@ -259,6 +288,7 @@ trace_files: !mux
     detect: True
     detect_level: WARNING
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     detect_counts:
       - Service Account Created in Kube Namespace: 1
@@ -268,6 +298,7 @@ trace_files: !mux
     detect: True
     detect_level: WARNING
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     detect_counts:
       - Service Account Created in Kube Namespace: 1
@@ -277,6 +308,7 @@ trace_files: !mux
     detect: True
     detect_level: WARNING
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     detect_counts:
       - System ClusterRole Modified/Deleted: 1
@@ -286,6 +318,7 @@ trace_files: !mux
     detect: True
     detect_level: WARNING
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     detect_counts:
       - System ClusterRole Modified/Deleted: 1
@@ -295,6 +328,7 @@ trace_files: !mux
     detect: True
     detect_level: WARNING
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     detect_counts:
       - Attach to cluster-admin Role: 1
@@ -304,6 +338,7 @@ trace_files: !mux
     detect: True
     detect_level: WARNING
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     detect_counts:
       - ClusterRole With Wildcard Created: 1
@@ -313,6 +348,7 @@ trace_files: !mux
     detect: True
     detect_level: WARNING
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     detect_counts:
       - ClusterRole With Wildcard Created: 1
@@ -322,6 +358,7 @@ trace_files: !mux
     detect: True
     detect_level: NOTICE
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     detect_counts:
       - ClusterRole With Write Privileges Created: 1
@@ -331,6 +368,7 @@ trace_files: !mux
     detect: True
     detect_level: WARNING
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     detect_counts:
       - ClusterRole With Pod Exec Created: 1
@@ -340,6 +378,7 @@ trace_files: !mux
     detect: True
     detect_level: INFO
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Deployment Created: 1
@@ -349,6 +388,7 @@ trace_files: !mux
     detect: True
     detect_level: INFO
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Deployment Deleted: 1
@@ -358,6 +398,7 @@ trace_files: !mux
     detect: True
     detect_level: INFO
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Service Created: 1
@@ -367,6 +408,7 @@ trace_files: !mux
     detect: True
     detect_level: INFO
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Service Deleted: 1
@@ -376,6 +418,7 @@ trace_files: !mux
     detect: True
     detect_level: INFO
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s ConfigMap Created: 1
@@ -385,6 +428,7 @@ trace_files: !mux
     detect: True
     detect_level: INFO
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s ConfigMap Deleted: 1
@@ -394,6 +438,7 @@ trace_files: !mux
     detect: True
     detect_level: INFO
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/allow_namespace_foo.yaml
       - ./rules/k8s_audit/allow_user_some-user.yaml
@@ -405,6 +450,7 @@ trace_files: !mux
     detect: True
     detect_level: INFO
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Namespace Deleted: 1
@@ -414,6 +460,7 @@ trace_files: !mux
     detect: True
     detect_level: INFO
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Serviceaccount Created: 1
@@ -423,6 +470,7 @@ trace_files: !mux
     detect: True
     detect_level: INFO
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Serviceaccount Deleted: 1
@@ -432,6 +480,7 @@ trace_files: !mux
     detect: True
     detect_level: INFO
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Role/Clusterrole Created: 1
@@ -441,6 +490,7 @@ trace_files: !mux
     detect: True
     detect_level: INFO
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Role/Clusterrole Deleted: 1
@@ -450,6 +500,7 @@ trace_files: !mux
     detect: True
     detect_level: INFO
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Role/Clusterrolebinding Created: 1
@@ -459,6 +510,7 @@ trace_files: !mux
     detect: True
     detect_level: INFO
     rules_file:
+      - ../rules/falco_rules.yaml
       - ../rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Role/Clusterrolebinding Deleted: 1

test/rules/k8s_audit/trust_nginx_container.yaml

@@ -1,3 +1,11 @@
-- list: trusted_k8s_containers
+- list: falco_sensitive_mount_images
+  items: [nginx]
+  append: true
+
+- list: falco_privileged_images
+  items: [nginx]
+  append: true
+
+- list: falco_hostnetwork_images
   items: [nginx]
   append: true

userspace/engine/falco_engine.cpp

@@ -251,6 +251,14 @@ uint16_t falco_engine::find_ruleset_id(const std::string &ruleset)
 	return it->second;
 }
 
+uint64_t falco_engine::num_rules_for_ruleset(const std::string &ruleset)
+{
+	uint16_t ruleset_id = find_ruleset_id(ruleset);
+
+	return m_sinsp_rules->num_rules_for_ruleset(ruleset_id) +
+		m_k8s_audit_rules->num_rules_for_ruleset(ruleset_id);
+}
+
 void falco_engine::evttypes_for_ruleset(std::vector<bool> &evttypes, const std::string &ruleset)
 {
 	uint16_t ruleset_id = find_ruleset_id(ruleset);

userspace/engine/falco_engine.h

@@ -106,6 +106,11 @@ public:
 	//
 	uint16_t find_ruleset_id(const std::string &ruleset);
 
+	//
+	// Return the number of falco rules enabled for the provided ruleset
+	//
+	uint64_t num_rules_for_ruleset(const std::string &ruleset);
+
 	//
 	// Print details on the given rule. If rule is NULL, print
 	// details on all rules.

userspace/engine/ruleset.cpp

@@ -41,6 +41,7 @@ falco_ruleset::~falco_ruleset()
 }
 
 falco_ruleset::ruleset_filters::ruleset_filters()
+	: m_num_filters(0)
 {
 }
 
@@ -58,10 +59,14 @@ falco_ruleset::ruleset_filters::~ruleset_filters()
 
 void falco_ruleset::ruleset_filters::add_filter(filter_wrapper *wrap)
 {
+
+	bool added = false;
+
 	for(uint32_t etag = 0; etag < wrap->event_tags.size(); etag++)
 	{
 		if(wrap->event_tags[etag])
 		{
+			added = true;
 			if(m_filter_by_event_tag.size() <= etag)
 			{
 				m_filter_by_event_tag.resize(etag+1);
@@ -75,10 +80,17 @@ void falco_ruleset::ruleset_filters::add_filter(filter_wrapper *wrap)
 			m_filter_by_event_tag[etag]->push_back(wrap);
 		}
 	}
+
+	if(added)
+	{
+		m_num_filters++;
+	}
 }
 
 void falco_ruleset::ruleset_filters::remove_filter(filter_wrapper *wrap)
 {
+	bool removed = false;
+
 	for(uint32_t etag = 0; etag < wrap->event_tags.size(); etag++)
 	{
 		if(wrap->event_tags[etag])
@@ -88,22 +100,38 @@ void falco_ruleset::ruleset_filters::remove_filter(filter_wrapper *wrap)
 				list<filter_wrapper *> *l = m_filter_by_event_tag[etag];
 				if(l)
 				{
-					l->erase(remove(l->begin(),
-							l->end(),
-							wrap),
-						 l->end());
+					auto it = remove(l->begin(),
+							 l->end(),
+							 wrap);
 
-					if(l->size() == 0)
+					if(it != l->end())
 					{
-						delete l;
-						m_filter_by_event_tag[etag] = NULL;
+						removed = true;
+
+						l->erase(it,
+							l->end());
+
+						if(l->size() == 0)
+						{
+							delete l;
+							m_filter_by_event_tag[etag] = NULL;
+						}
 					}
 				}
 			}
 		}
 	}
+
+	if(removed)
+	{
+		m_num_filters--;
+	}
 }
 
+uint64_t falco_ruleset::ruleset_filters::num_filters()
+{
+	return m_num_filters;
+}
 
 bool falco_ruleset::ruleset_filters::run(gen_event *evt, uint32_t etag)
 {
@@ -176,7 +204,16 @@ void falco_ruleset::add(string &name,
 
 void falco_ruleset::enable(const string &pattern, bool enabled, uint16_t ruleset)
 {
-	regex re(pattern);
+	regex re;
+	bool match_using_regex = true;
+
+	try {
+		re.assign(pattern);
+	}
+	catch (std::regex_error e)
+	{
+		match_using_regex = false;
+	}
 
 	while (m_rulesets.size() < (size_t) ruleset + 1)
 	{
@@ -185,7 +222,16 @@ void falco_ruleset::enable(const string &pattern, bool enabled, uint16_t ruleset
 
 	for(const auto &val : m_filters)
 	{
-		if (regex_match(val.first, re))
+		bool matches;
+		if(match_using_regex)
+		{
+			matches = regex_match(val.first, re);
+		}
+		else
+		{
+			matches = (val.first.find(pattern) != string::npos);
+		}
+		if (matches)
 		{
 			if(enabled)
 			{
@@ -222,6 +268,16 @@ void falco_ruleset::enable_tags(const set<string> &tags, bool enabled, uint16_t
 	}
 }
 
+uint64_t falco_ruleset::num_rules_for_ruleset(uint16_t ruleset)
+{
+	while (m_rulesets.size() < (size_t) ruleset + 1)
+	{
+		m_rulesets.push_back(new ruleset_filters());
+	}
+
+	return m_rulesets[ruleset]->num_filters();
+}
+
 bool falco_ruleset::run(gen_event *evt, uint32_t etag, uint16_t ruleset)
 {
 	if(m_rulesets.size() < (size_t) ruleset + 1)

userspace/engine/ruleset.h

@@ -61,6 +61,10 @@ public:
 	// enable_tags.
 	void enable_tags(const std::set<std::string> &tags, bool enabled, uint16_t ruleset = 0);
 
+
+	// Return the number of falco rules enabled for the provided ruleset
+	uint64_t num_rules_for_ruleset(uint16_t ruleset = 0);
+
 	// Match all filters against the provided event.
 	bool run(gen_event *evt, uint32_t etag, uint16_t ruleset = 0);
 
@@ -89,11 +93,15 @@ private:
 		void add_filter(filter_wrapper *wrap);
 		void remove_filter(filter_wrapper *wrap);
 
+		uint64_t num_filters();
+
 		bool run(gen_event *evt, uint32_t etag);
 
 		void event_tags_for_ruleset(std::vector<bool> &event_tags);
 
 	private:
+		uint64_t m_num_filters;
+
 		// Maps from event tag to a list of filters. There can
 		// be multiple filters for a given event tag.
 		std::vector<std::list<filter_wrapper *> *> m_filter_by_event_tag;

userspace/falco/CMakeLists.txt

@@ -23,6 +23,7 @@ include_directories("${PROJECT_SOURCE_DIR}/../sysdig/userspace/libsinsp")
 include_directories("${PROJECT_SOURCE_DIR}/../sysdig/userspace/sysdig")
 include_directories("${PROJECT_SOURCE_DIR}/userspace/engine")
 include_directories("${PROJECT_BINARY_DIR}/userspace/falco")
+include_directories("${PROJECT_BINARY_DIR}/driver/src")
 include_directories("${CURL_INCLUDE_DIR}")
 include_directories("${TBB_INCLUDE_DIR}")
 include_directories("${NJSON_INCLUDE}")

userspace/falco/falco.cpp

@@ -856,7 +856,6 @@ int falco_init(int argc, char **argv)
 		if(!all_events)
 		{
 			inspector->set_drop_event_flags(EF_DROP_FALCO);
-			inspector->start_dropping_mode(1);
 		}
 
 		if (describe_all_rules)
@@ -964,6 +963,12 @@ int falco_init(int argc, char **argv)
 			}
 		}
 
+		// This must be done after the open
+		if(!all_events)
+		{
+			inspector->start_dropping_mode(1);
+		}
+
 		// If daemonizing, do it here so any init errors will
 		// be returned in the foreground process.
 		if (daemon && !g_daemonized) {