docs: CHANGELOG for 0.22.0

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
fix(falco-cluster-role): Add missing privileges for the apps Kubernetes API group
2026-03-22 20:52:27 +00:00 · 2020-04-17 10:56:48 +02:00 · 2020-04-16 13:18:56 +02:00 · 2020-04-16 12:50:35 +02:00 · 2020-04-16 12:50:35 +02:00 · 2020-04-16 12:50:35 +02:00
108 changed files with 1892 additions and 966 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -32,6 +32,38 @@ jobs:
            pushd build
            make tests
            popd
+  # Debug build using ubuntu LTS
+  # This build is dynamic, most dependencies are taken from the OS
+  "build/ubuntu-bionic-debug":
+    docker:
+      - image: ubuntu:bionic
+    steps:
+      - checkout
+      - run:
+          name: Update base image
+          command: apt update -y
+      - run:
+          name: Install dependencies
+          command: apt install libssl-dev libyaml-dev libncurses-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm linux-headers-$(uname -r) libelf-dev cmake build-essential libcurl4-openssl-dev -y
+      - run:
+          name: Prepare project
+          command: |
+            mkdir build
+            pushd build
+            cmake -DCMAKE_BUILD_TYPE=debug ..
+            popd
+      - run:
+          name: Build
+          command: |
+            pushd build
+            make -j4 all
+            popd
+      - run:
+          name: Run unit tests
+          command: |
+            pushd build
+            make tests
+            popd
  # Build using our own builder base image using centos 7
  # This build is static, dependencies are bundled in the falco binary
  "build/centos7":
@@ -69,6 +101,28 @@ jobs:
      - store_artifacts:
          path: /tmp/packages
          destination: /packages
+  # Debug build using our own builder base image using centos 7
+  # This build is static, dependencies are bundled in the falco binary
+  "build/centos7-debug":
+    docker:
+      - image: falcosecurity/falco-builder:latest
+        environment:
+          BUILD_TYPE: "debug"
+    steps:
+      - checkout:
+          path: /source/falco
+      - run:
+          name: Prepare project
+          command: /usr/bin/entrypoint cmake
+      - run:
+          name: Build
+          command: /usr/bin/entrypoint all
+      - run:
+          name: Run unit tests
+          command: /usr/bin/entrypoint tests
+      - run:
+          name: Build packages
+          command: /usr/bin/entrypoint package
  # Execute integration tests based on the build results coming from the "build/centos7" job
  "tests/integration":
    docker:
@@ -84,12 +138,229 @@ jobs:
      - run:
          name: Execute integration tests
          command: /usr/bin/entrypoint test
+  # Sign rpm packages
+  "rpm/sign":
+    docker:
+      - image: falcosecurity/falco-builder:latest
+    steps:
+      - attach_workspace:
+          at: /
+      - run:
+          name: Install rpmsign
+          command: |
+            yum update -y
+            yum install rpm-sign -y
+      - run:
+          name: Sign rpm
+          command: |
+            echo "%_signature gpg" > ~/.rpmmacros
+            echo "%_gpg_name  Falcosecurity Package Signing" >> ~/.rpmmacros
+            cd /build/release/
+            echo '#!/usr/bin/expect -f' > sign
+            echo 'spawn rpmsign --addsign {*}$argv' >> sign
+            echo 'expect -exact "Enter pass phrase: "' >> sign
+            echo 'send -- "\n"' >> sign
+            echo 'expect eof' >> sign
+            chmod +x sign
+            echo $GPG_KEY | base64 -d | gpg --import
+            ./sign *.rpm
+            test "$(rpm -qpi *.rpm | awk '/Signature/' | grep -i none | wc -l)" -eq 0
+      - persist_to_workspace:
+          root: /
+          paths:
+            - build/release/*.rpm
+  # Publish the packages
+  "publish/packages-dev":
+    docker:
+      - image: docker.bintray.io/jfrog/jfrog-cli-go:latest
+    steps:
+      - attach_workspace:
+          at: /
+      - run:
+          name: Create versions
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt vs falcosecurity/deb-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/deb-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
+            jfrog bt vs falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/rpm-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
+            jfrog bt vs falcosecurity/bin-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/bin-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
+      - run:
+          name: Publish deb-dev
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb-dev/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish --override
+      - run:
+          name: Publish rpm-dev
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
+      - run:
+          name: Publish tgz-dev
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin-dev/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
+  # Publish docker packages
+  "publish/docker-dev":
+    docker:
+      - image: docker:stable
+    steps:
+      - attach_workspace:
+          at: /
+      - checkout
+      - setup_remote_docker
+      - run:
+          name: Build and publish slim-dev
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            docker build --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:master-slim docker/slim
+            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
+            docker push falcosecurity/falco:master-slim
+      - run:
+          name: Build and publish minimal-dev
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            docker build --build-arg VERSION_BUCKET=bin-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:master-minimal docker/minimal
+            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
+            docker push falcosecurity/falco:master-minimal
+      - run:
+          name: Build and publish dev
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            docker build --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:master docker/stable
+            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
+            docker push falcosecurity/falco:master
+  # Publish the packages
+  "publish/packages":
+    docker:
+      - image: docker.bintray.io/jfrog/jfrog-cli-go:latest
+    steps:
+      - attach_workspace:
+          at: /
+      - run:
+          name: Create versions
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt vs falcosecurity/deb/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/deb/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
+            jfrog bt vs falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/rpm/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
+            jfrog bt vs falcosecurity/bin/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/bin/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
+      - run:
+          name: Publish deb
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish --override
+      - run:
+          name: Publish rpm
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
+      - run:
+          name: Publish tgz
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
+  # Publish docker packages
+  "publish/docker":
+    docker:
+      - image: docker:stable
+    steps:
+      - attach_workspace:
+          at: /
+      - checkout
+      - setup_remote_docker
+      - run:
+          name: Build and publish slim
+          command: |
+            docker build --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "falcosecurity/falco:${CIRCLE_TAG}-slim" docker/slim
+            docker tag "falcosecurity/falco:${CIRCLE_TAG}-slim" falcosecurity/falco:latest-slim
+            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
+            docker push "falcosecurity/falco:${CIRCLE_TAG}-slim"
+            docker push "falcosecurity/falco:latest-slim"
+      - run:
+          name: Build and publish minimal
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            docker build --build-arg VERSION_BUCKET=bin --build-arg FALCO_VERSION=${FALCO_VERSION} -t "falcosecurity/falco:${CIRCLE_TAG}-minimal" docker/minimal
+            docker tag "falcosecurity/falco:${CIRCLE_TAG}-minimal" falcosecurity/falco:latest-minimal
+            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
+            docker push "falcosecurity/falco:${CIRCLE_TAG}-minimal"
+            docker push "falcosecurity/falco:latest-minimal"
+      - run:
+          name: Build and publish stable
+          command: |
+            docker build --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "falcosecurity/falco:${CIRCLE_TAG}" docker/stable
+            docker tag "falcosecurity/falco:${CIRCLE_TAG}" falcosecurity/falco:latest
+            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
+            docker push "falcosecurity/falco:${CIRCLE_TAG}"
+            docker push "falcosecurity/falco:latest"
 workflows:
  version: 2
  build_and_test:
    jobs:
      - "build/ubuntu-bionic"
+      - "build/ubuntu-bionic-debug"
      - "build/centos7"
+      - "build/centos7-debug"
      - "tests/integration":
          requires:
            - "build/centos7"
+      - "rpm/sign":
+          context: falco
+          filters:
+            tags:
+              ignore: /.*/
+            branches:
+              only: master
+          requires:
+            - "tests/integration"
+      - "publish/packages-dev":
+          context: falco
+          filters:
+            tags:
+              ignore: /.*/
+            branches:
+              only: master
+          requires:
+            - "rpm/sign"
+      - "publish/docker-dev":
+          context: falco
+          filters:
+            tags:
+              ignore: /.*/
+            branches:
+              only: master
+          requires:
+            - "publish/packages-dev"
+  release:
+    jobs:
+      - "build/centos7":
+          filters:
+            tags:
+              only: /.*/
+            branches:
+              ignore: /.*/
+      - "rpm/sign":
+          context: falco
+          requires:
+            - "build/centos7"
+          filters:
+            tags:
+              only: /.*/
+            branches:
+              ignore: /.*/
+      - "publish/packages":
+          context: falco
+          requires:
+            - "rpm/sign"
+          filters:
+            tags:
+              only: /.*/
+            branches:
+              ignore: /.*/
+      - "publish/docker":
+          context: falco
+          requires:
+            - "publish/packages"
+          filters:
+            tags:
+              only: /.*/
+            branches:
+              ignore: /.*/
--- a/ADOPTERS.md
+++ b/ADOPTERS.md
@@ -4,6 +4,8 @@ This is a list of production adopters of Falco (in alphabetical order):

 * [Booz Allen Hamilton](https://www.boozallen.com/) - BAH leverages Falco as part of their Kubernetes environment to verify that work loads behave as they did in their CD DevSecOps pipelines. BAH offers a solution to internal developers to easily build DevSecOps pipelines for projects. This makes it easy for developers to incorporate Security principles early on in the development cycle. In production, Falco is used to verify that the code the developer ships does not violate any of the production security requirements. BAH [are speaking at Kubecon NA 2019](https://kccncna19.sched.com/event/UaWr/building-reusable-devsecops-pipelines-on-a-secure-kubernetes-platform-steven-terrana-booz-allen-hamilton-michael-ducy-sysdig) on their use of Falco.

+* [Coveo](https://www.coveo.com/) - Coveo stitches together content and data, learning from every interaction, to tailor every experience using AI to drive growth, satisfy customers and develop employee proficiency. All Falco events are centralized in our SIEM for analysis. Understanding what is running on production servers, and the context around why things are running is even more tricky now that we have further abstractions with containers and orchestration systems. Falco is giving us a good visibility inside containers and complement other Host and Network Intrusion Detection Systems. In a near future, we expect to deploy serverless functions to take action when Falco identifies patterns worth taking action for.
+
 * [Frame.io](https://frame.io/) - Frame.io is a cloud-based (SaaS) video review and collaboration platform that enables users to securely upload source media, work-in-progress edits, dailies, and more into private workspaces where they can invite their team and clients to collaborate on projects. Understanding what is running on production servers, and the context around why things are running is even more tricky now that we have further abstractions like Docker and Kubernetes. To get this needed visibility into our system, we rely on Falco. Falco's ability to collect raw system calls such as open, connect, exec, along with their arguments offer key insights on what is happening on the production system and became the foundation of our intrusion detection and alerting system.

 * [League](https://league.com/ca/) - League provides health benefits management services to help employees understand and get the most from their benefits, and employers to provide effective, efficient plans. Falco is used to monitor our deployed services on Kubernetes, protecting against malicious access to containerswhich could lead to leaks of PHI or other sensitive data. The Falco alerts are logged in Stackdriver for grouping and further analysis. In the future, we're hoping for integrations with Prometheus and AlertManager as well.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,118 @@

 This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).

+## v0.22.0
+
+Released on 2020-16-04
+
+### Major Changes
+
+* new: falco version and driver version are distinct and not coupled anymore [[#1111](https://github.com/falcosecurity/falco/pull/1111)]
+* new: flag to disable asynchronous container metadata (CRI) fetch `--disable-cri-async` [[#1099](https://github.com/falcosecurity/falco/pull/1099)]
+
+
+### Minor Changes
+
+* docs(integrations): update API resource versions to Kubernetes 1.16 [[#1044](https://github.com/falcosecurity/falco/pull/1044)]
+* docs: add new release archive to the `README.md` [[#1098](https://github.com/falcosecurity/falco/pull/1098)]
+* update: driver version a259b4bf49c3 [[#1138](https://github.com/falcosecurity/falco/pull/1138)]
+* docs(integrations/k8s-using-daemonset): --cri flag correct socket path [[#1140](https://github.com/falcosecurity/falco/pull/1140)]
+* update: bump driver version to cd3d10123e [[#1131](https://github.com/falcosecurity/falco/pull/1131)]
+* update(docker): remove RHEL, kernel/linuxkit, and kernel/probeloader images [[#1124](https://github.com/falcosecurity/falco/pull/1124)]
+* update: falco-probe-loader script is falco-driver-loader now [[#1111](https://github.com/falcosecurity/falco/pull/1111)]
+* update: using only sha256 hashes when pulling build dependencies [[#1118](https://github.com/falcosecurity/falco/pull/1118)]
+
+
+### Bug Fixes
+
+* fix(integrations/k8s-using-daemonset): added missing privileges for the apps Kubernetes API group in the falco-cluster-role when using RBAC [[#1136](https://github.com/falcosecurity/falco/pull/1136)]
+* fix: connect to docker works also with libcurl >= 7.69.0 [[#1138](https://github.com/falcosecurity/falco/pull/1138)]
+* fix: HOST_ROOT environment variable detection [[#1133](https://github.com/falcosecurity/falco/pull/1133)]
+* fix(driver/bpf): stricter conditionals while dealing with strings [[#1131](https://github.com/falcosecurity/falco/pull/1131)]
+* fix: `/usr/bin/falco-${DRIVER_VERSION}` driver directory [[#1111](https://github.com/falcosecurity/falco/pull/1111)]
+* fix: FALCO_VERSION env variable inside Falco containers contains the Falco version now (not the docker image tag) [[#1111](https://github.com/falcosecurity/falco/pull/1111)]
+
+
+### Rule Changes
+
+* rule(macro user_expected_system_procs_network_activity_conditions): allow whitelisting system binaries using the network under specific conditions [[#1070](https://github.com/falcosecurity/falco/pull/1070)]
+* rule(Full K8s Administrative Access): detect any k8s operation by an administrator with full access [[#1122](https://github.com/falcosecurity/falco/pull/1122)]
+* rule(Ingress Object without TLS Certificate Created): detect any attempt to create an ingress without TLS certification (rule enabled by default) [[#1122](https://github.com/falcosecurity/falco/pull/1122)]
+* rule(Untrusted Node Successfully Joined the Cluster): detect a node successfully joined the cluster outside of the list of allowed nodes [[#1122](https://github.com/falcosecurity/falco/pull/1122)]
+* rule(Untrusted Node Unsuccessfully Tried to Join the Cluster): detect an unsuccessful attempt to join the cluster for a node not in the list of allowed nodes [[#1122](https://github.com/falcosecurity/falco/pull/1122)]
+* rule(Network Connection outside Local Subnet): detect traffic to image outside local subnet [[#1122](https://github.com/falcosecurity/falco/pull/1122)]
+* rule(Outbound or Inbound Traffic not to Authorized Server Process and Port): detect traffic that is not to authorized server process and port [[#1122](https://github.com/falcosecurity/falco/pull/1122)]
+* rule(Delete or rename shell history): "mitre_defense_evation" tag corrected to "mitre_defense_evasion" [[#1143](https://github.com/falcosecurity/falco/pull/1143)]
+* rule(Delete Bash History): "mitre_defense_evation" tag corrected to "mitre_defense_evasion" [[#1143](https://github.com/falcosecurity/falco/pull/1143)]
+* rule(Write below root): use pmatch to check against known root directories [[#1137](https://github.com/falcosecurity/falco/pull/1137)]
+* rule(Detect outbound connections to common miner pool ports): whitelist sysdig/agent and falcosecurity/falco for query miner domain dns [[#1115](https://github.com/falcosecurity/falco/pull/1115)]
+* rule(Service Account Created in Kube Namespace): only detect sa created in kube namespace with success [[#1117](https://github.com/falcosecurity/falco/pull/1117)]
+
+## v0.21.0
+
+Released on 2020-03-17
+
+### Major Changes
+
+* BREAKING CHANGE: the SYSDIG_BPF_PROBE environment variable is now just FALCO_BPF_PROBE (please update your systemd scripts or kubernetes deployments. [[#1050](https://github.com/falcosecurity/falco/pull/1050)]
+* new: automatically publish deb packages (from git master branch) to public dev repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
+* new: automatically publish rpm packages (from git master branch) to public dev repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
+* new: automatically release deb packages (from git tags) to public repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
+* new: automatically release rpm packages (from git tags) to public repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
+* new: automatically publish docker images from master (master, master-slim, master-minimal) [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
+* new: automatically publish docker images from git tag (tag, tag-slim, tag-master, latest, latest-slim, latest-minimal) [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
+* new: sign packages with falcosecurity gpg key [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
+
+### Minor Changes
+
+* new: falco_version_prerelease contains the number of commits since last tag on the master [[#1086](https://github.com/falcosecurity/falco/pull/1086)]
+* docs: update branding [[#1074](https://github.com/falcosecurity/falco/pull/1074)]
+* new(docker/event-generator): add example k8s resource files that allow running the event generator in a k8s cluster. [[#1088](https://github.com/falcosecurity/falco/pull/1088)]
+* update: creating *-dev docker images using build arguments at build time [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
+* update: docker images use packages from the new repositories [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
+* update: docker image downloads old deb dependencies (gcc-6, gcc-5, binutils-2.30) from a new open repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
+
+### Bug Fixes
+
+* fix(docker): updating `stable` and `local` images to run from `debian:stable` [[#1018](https://github.com/falcosecurity/falco/pull/1018)]
+* fix(event-generator): the image used by the event generator deployment to `latest`. [[#1091](https://github.com/falcosecurity/falco/pull/1091)]
+* fix: -t (to disable rules by certain tag) or -t (to only run rules with a certain tag) work now [[#1081](https://github.com/falcosecurity/falco/pull/1081)]
+* fix: the falco driver now compiles on >= 5.4 kernels [[#1080](https://github.com/falcosecurity/falco/pull/1080)]
+* fix: download falco packages which url contains character to encode - eg, `+` [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
+* fix(docker): use base name in docker-entrypoint.sh [[#981](https://github.com/falcosecurity/falco/pull/981)]
+
+### Rule Changes
+
+* rule(detect outbound connections to common miner pool ports): disabled by default [[#1061](https://github.com/falcosecurity/falco/pull/1061)]
+* rule(macro net_miner_pool): add localhost and rfc1918 addresses as exception in the rule. [[#1061](https://github.com/falcosecurity/falco/pull/1061)]
+* rule(change thread namespace): modify condition to detect suspicious container activity [[#974](https://github.com/falcosecurity/falco/pull/974)]
+
+## v0.20.0
+
+Released on 2020-02-24
+
+### Major Changes
+
+* fix: memory leak introduced in 0.18.0 happening while using json events and the kubernetes audit endpoint [[#1041](https://github.com/falcosecurity/falco/pull/1041)]
+* new: grpc version api [[#872](https://github.com/falcosecurity/falco/pull/872)]
+
+
+### Bug Fixes
+
+* fix: the base64 output format (-b) now works with both json and normal output. [[#1033](https://github.com/falcosecurity/falco/pull/1033)]
+* fix: version follows semver 2 bnf [[#872](https://github.com/falcosecurity/falco/pull/872)]
+
+### Rule Changes
+
+* rule(write below etc): add "dsc_host" as a ms oms program [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
+* rule(write below etc): let mcafee write to /etc/cma.d  [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
+* rule(write below etc): let avinetworks supervisor write some ssh cfg [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
+* rule(write below etc): alow writes to /etc/pki from openshift secrets dir [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
+* rule(write below root): let runc write to /exec.fifo [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
+* rule(change thread namespace): let cilium-cni change namespaces [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
+* rule(run shell untrusted): let puma reactor spawn shells [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
+
+
 ## v0.19.0

 Released on 2020-01-23
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -48,6 +48,7 @@ else()
  set(CMAKE_BUILD_TYPE "release")
  set(KBUILD_FLAGS "${DRAIOS_FEATURE_FLAGS}")
 endif()
+message(STATUS "Build type: ${CMAKE_BUILD_TYPE}")

 set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS}")

@@ -67,29 +68,12 @@ set(CMAKE_CXX_FLAGS_DEBUG "${DRAIOS_DEBUG_FLAGS}")
 set(CMAKE_C_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
 set(CMAKE_CXX_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")

-# Create the falco version variable according to git index
-if(NOT FALCO_VERSION)
-  include(GetGitRevisionDescription)
-  git_get_exact_tag(FALCO_TAG)
-  if(NOT FALCO_TAG)
-    git_describe(FALCO_VERSION "--always")
-    git_local_changes(FALCO_CHANGES)
-    if(FALCO_CHANGES STREQUAL "DIRTY")
-      string(TOLOWER "${FALCO_CHANGES}" FALCO_CHANGES)
-      set(FALCO_VERSION "${FALCO_VERSION}.${FALCO_CHANGES}")
-    endif()
-    set(FALCO_VERSION "0.${FALCO_VERSION}")
-  else()
-    set(FALCO_VERSION "${FALCO_TAG}")
-    string(REGEX REPLACE "^v([0-9]+)(\\.[0-9]+)(\\.[0-9]+)?" "\\1\\2\\3" FALCO_VERSION ${FALCO_VERSION})
-  endif()
-endif()
-message(STATUS "Falco version: ${FALCO_VERSION}")
+include(GetFalcoVersion)

 set(PACKAGE_NAME "falco")
-set(PROBE_VERSION "${FALCO_VERSION}")
 set(PROBE_NAME "falco-probe")
 set(PROBE_DEVICE_NAME "falco")
+set(DRIVER_LOOKUP_URL "https://s3.amazonaws.com/download.draios.com")
 if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
  set(CMAKE_INSTALL_PREFIX
      /usr
@@ -110,7 +94,7 @@ set(NJSON_INCLUDE "${NJSON_SRC}/single_include")
 ExternalProject_Add(
  njson
  URL "https://s3.amazonaws.com/download.draios.com/dependencies/njson-3.3.0.tar.gz"
-  URL_MD5 "e26760e848656a5da400662e6c5d999a"
+  URL_HASH "SHA256=2fd1d207b4669a7843296c41d3b6ac5b23d00dec48dba507ba051d14564aa801"
  CONFIGURE_COMMAND ""
  BUILD_COMMAND ""
  INSTALL_COMMAND "")
@@ -129,7 +113,7 @@ set(B64_LIB "${B64_SRC}/src/libb64.a")
 ExternalProject_Add(
  b64
  URL "https://s3.amazonaws.com/download.draios.com/dependencies/libb64-1.2.src.zip"
-  URL_MD5 "a609809408327117e2c643bed91b76c5"
+  URL_HASH "SHA256=343d8d61c5cbe3d3407394f16a5390c06f8ff907bd8d614c16546310b689bfd3"
  CONFIGURE_COMMAND ""
  BUILD_COMMAND ${CMD_MAKE}
  BUILD_IN_SOURCE 1
@@ -152,7 +136,7 @@ set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
 ExternalProject_Add(
  luajit
  URL "https://s3.amazonaws.com/download.draios.com/dependencies/LuaJIT-2.0.3.tar.gz"
-  URL_MD5 "f14e9104be513913810cd59c8c658dc0"
+  URL_HASH "SHA256=55be6cb2d101ed38acca32c5b1f99ae345904b365b642203194c585d27bebd79"
  CONFIGURE_COMMAND ""
  BUILD_COMMAND ${CMD_MAKE}
  BUILD_IN_SOURCE 1
@@ -168,7 +152,7 @@ ExternalProject_Add(
  lpeg
  DEPENDS ${LPEG_DEPENDENCIES}
  URL "https://s3.amazonaws.com/download.draios.com/dependencies/lpeg-1.0.0.tar.gz"
-  URL_MD5 "0aec64ccd13996202ad0c099e2877ece"
+  URL_HASH "SHA256=10190ae758a22a16415429a9eb70344cf29cbda738a6962a9f94a732340abf8e"
  BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
  BUILD_IN_SOURCE 1
  CONFIGURE_COMMAND ""
@@ -192,14 +176,14 @@ ExternalProject_Add(
  lyaml
  DEPENDS ${LYAML_DEPENDENCIES}
  URL "https://s3.amazonaws.com/download.draios.com/dependencies/lyaml-release-v6.0.tar.gz"
-  URL_MD5 "dc3494689a0dce7cf44e7a99c72b1f30"
+  URL_HASH "SHA256=9d7cf74d776999ff6f758c569d5202ff5da1f303c6f4229d3b41f71cd3a3e7a7"
  BUILD_COMMAND ${CMD_MAKE}
  BUILD_IN_SOURCE 1
  CONFIGURE_COMMAND ./configure --enable-static LIBS=-lyaml LUA_INCLUDE=-I${LUAJIT_INCLUDE} LUA=${LUAJIT_SRC}/luajit
  INSTALL_COMMAND sh -c
                  "cp -R ${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/lib/* ${PROJECT_SOURCE_DIR}/userspace/engine/lua")

-# Intel TBB
+# One TBB
 set(TBB_SRC "${PROJECT_BINARY_DIR}/tbb-prefix/src/tbb")

 message(STATUS "Using bundled tbb in '${TBB_SRC}'")
@@ -208,8 +192,8 @@ set(TBB_INCLUDE_DIR "${TBB_SRC}/include/")
 set(TBB_LIB "${TBB_SRC}/build/lib_release/libtbb.a")
 ExternalProject_Add(
  tbb
-  URL "https://github.com/intel/tbb/archive/2018_U5.tar.gz"
-  URL_MD5 "ff3ae09f8c23892fbc3008c39f78288f"
+  URL "https://github.com/oneapi-src/oneTBB/archive/2018_U5.tar.gz"
+  URL_HASH "SHA256=b8dbab5aea2b70cf07844f86fa413e549e099aa3205b6a04059ca92ead93a372"
  CONFIGURE_COMMAND ""
  BUILD_COMMAND ${CMD_MAKE} tbb_build_dir=${TBB_SRC}/build tbb_build_prefix=lib extra_inc=big_iron.inc
  BUILD_IN_SOURCE 1
@@ -224,7 +208,7 @@ message(STATUS "Using bundled civetweb in '${CIVETWEB_SRC}'")
 ExternalProject_Add(
  civetweb
  URL "https://github.com/civetweb/civetweb/archive/v1.11.tar.gz"
-  URL_MD5 "b6d2175650a27924bccb747cbe084cd4"
+  URL_HASH "SHA256=de7d5e7a2d9551d325898c71e41d437d5f7b51e754b242af897f7be96e713a42"
  CONFIGURE_COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/lib
  COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/include
  BUILD_IN_SOURCE 1
@@ -240,6 +224,7 @@ include(sysdig)
 # Installation
 install(FILES falco.yaml DESTINATION "${FALCO_ETC_DIR}")

+# Coverage
 include(Coverage)

 # Tests
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -9,6 +9,8 @@
  - [Pull Requests](#pull-requests)
    - [Commit convention](#commit-convention)
      - [Rule type](#rule-type)
+  - [Coding Guidelines](#coding-guidelines)
+    - [C++](#c)
  - [Developer Certificate Of Origin](#developer-certificate-of-origin)

 ## Code of Conduct
@@ -120,6 +122,13 @@ If you are changing only a macro, the commit will look like this:
 rule(macro user_known_write_monitored_dir_conditions): make sure conditions are great
 ```

+## Coding Guidelines
+
+### C++
+
+* File `userspace/engine/banned.h` defines some functions as invalid tokens. These functions are not allowed to be used in the codebase. Whenever creating a new cpp file, include the `"banned.h"` headers. This ensures that the banned functions are not compiled.
+
+  A complete list of banned functions can be found [here](./userspace/engine/banned.h).

 ## Developer Certificate Of Origin

--- a/README.md
+++ b/README.md
@@ -1,16 +1,21 @@
-<p><img align="right" src="https://github.com/falcosecurity/falco-website/raw/master/themes/falco-fresh/static/images/favicon.png" width="64px"/></p>
-<p></p>
+<p align="center"><img src="https://raw.githubusercontent.com/falcosecurity/community/master/logo/primary-logo.png" width="360"></p>
+<p align="center"><b>Cloud Native Runtime Security.</b></p>

-# Falco
+<hr>

-#### Latest release
+# The Falco Project

-**v0.19.0**
-Read the [change log](https://github.com/falcosecurity/falco/blob/dev/CHANGELOG.md)
+[![Build Status](https://img.shields.io/circleci/build/github/falcosecurity/falco/master?style=for-the-badge)](https://circleci.com/gh/falcosecurity/falco) [![CII Best Practices Summary](https://img.shields.io/cii/summary/2317?label=CCI%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) [![GitHub](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING)

-Dev Branch: [![Build Status](https://travis-ci.com/falcosecurity/falco.svg?branch=dev)](https://travis-ci.com/falcosecurity/falco)<br />
-Master Branch: [![Build Status](https://travis-ci.com/falcosecurity/falco.svg?branch=master)](https://travis-ci.com/falcosecurity/falco)<br />
-CII Best Practices: [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/2317/badge)](https://bestpractices.coreinfrastructure.org/projects/2317)
+#### Latest releases
+
+Read the [change log](CHANGELOG.md).
+
+|        | development                                                                                                                 | stable                                                                                                              |
+|--------|-----------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------|
+| rpm    | [![rpm-dev](https://img.shields.io/bintray/v/falcosecurity/rpm-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][1] | [![rpm](https://img.shields.io/bintray/v/falcosecurity/rpm/falco?label=Falco&color=%23005763&style=flat-square)][2] |
+| deb    | [![deb-dev](https://img.shields.io/bintray/v/falcosecurity/deb-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][3] | [![deb](https://img.shields.io/bintray/v/falcosecurity/deb/falco?label=Falco&color=%23005763&style=flat-square)][4] |
+| binary | [![bin-dev](https://img.shields.io/bintray/v/falcosecurity/bin-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][5] | [![bin](https://img.shields.io/bintray/v/falcosecurity/bin/falco?label=Falco&color=%23005763&style=flat-square)][6] |

 ---

@@ -32,7 +37,9 @@ Falco can detect and alert on any behavior that involves making Linux system cal

 ### Installing Falco

-A comprehensive [installation guide](https://falco.org/docs/installation/) for Falco is available in the documentation website.
+You can find the latest release downloads on the official [release archive](https://bintray.com/falcosecurity)
+
+Furthermore the comprehensive [installation guide](https://falco.org/docs/installation/) for Falco is available in the documentation website.

 #### How do you compare Falco with other security tools?

@@ -47,27 +54,7 @@ See [Falco Documentation](https://falco.org/docs/) to quickly get started using
 Join the Community
 ---

-* [Join the mailing list](https://lists.cncf.io/g/cncf-falco-dev/) for news and a Google calendar invite for our Falco open source meetings. Note: this is the only way to get a calendar invite for our open meetings.
-* [Website](https://falco.org) for Falco.
-* Join our [Public Slack](https://slack.sysdig.com) channel for Falco announcements and discussions.
-
-Community call
---
-
-> Are you using Falco? Do you have have ideas for things to do with Falco? How can Falco be better?
-
-Falco has bi-weekly [community](https://github.com/falcosecurity/community) call which is an open call to discuss Falco from a user perspective. These happen on opposite weeks of Repo planning calls.
-
-[Wednesdays at 8am Pacific](https://lists.cncf.io/g/cncf-falco-dev/calendar) on [Zoom](https://sysdig.zoom.us/j/213235330).
-
-Repo planning
---
-
-> Do you want to contribute to Falco? Are you interested in working on Falco? Do you want to fix something or make something better?
-
-Falco has bi-weekly planning meetings which is an open call to discuss upcoming Falco releases, and assign open GitHub issues to engineers. These happen on opposite weeks of office hours calls.
-
-[Wednesdays at 8am Pacific](https://lists.cncf.io/g/cncf-falco-dev/calendar) on [Zoom](https://sysdig.zoom.us/j/213235330).
+To get involved with The Falco Project please visit [the community repository](https://github.com/falcosecurity/community) to find more.

 License Terms
 ---
@@ -88,3 +75,10 @@ A third party security audit was performed by Cure53, you can see the full repor

 ### Reporting security vulnerabilities
 Please report security vulnerabilities following the community process documented [here](https://github.com/falcosecurity/.github/blob/master/SECURITY.md).
+
+[1]: https://dl.bintray.com/falcosecurity/rpm-dev
+[2]: https://dl.bintray.com/falcosecurity/rpm
+[3]: https://dl.bintray.com/falcosecurity/deb-dev/stable
+[4]: https://dl.bintray.com/falcosecurity/deb/stable
+[5]: https://dl.bintray.com/falcosecurity/bin-dev/x86_64
+[6]: https://dl.bintray.com/falcosecurity/bin/x86_64
--- a/brand/README.md
+++ b/brand/README.md
@@ -0,0 +1,142 @@
+<p align="center"><img src="primary-logo.png" width="360"></p>
+<p align="center"><b>Cloud Native Runtime Security.</b></p>
+
+# Falco Branding Guidelines
+
+This document describes The Falco Project's branding guidelines, language, and message.
+
+Content in this document can be used to publically share about Falco.
+
+
+
+### Logo
+
+There are 3 logos available for use in this directory. Use the primary logo unless required otherwise due to background issues, or printing.
+
+The Falco logo is Apache 2 licensed and free to use in media and publication for the CNCF Falco project.
+
+### Slogan
+
+> Cloud Native Runtime Security
+
+### What is Falco?
+
+Falco is a runtime security project originally created by Sysdig, Inc.
+Falco was contributed to the CNCF in October 2018.
+The CNCF now owns The Falco Project.
+
+### What is Runtime Security?
+
+Runtime security refers to an approach to preventing unwanted activity on a computer system. 
+With runtime security, an operator deploys **both** prevention tooling (access control, policy enforcement, etc) along side detection tooling (systems observability, anomaly detection, etc).
+Runtime security is the practice of using detection tooling to detect unwanted behavior, such that it can then be prevented using prevention techniques.
+Runtime security is a holistic approach to defense, and useful in scenarios where prevention tooling either was unaware of an exploit or attack vector, or when defective applications are ran in even the most secure environment.
+
+### What does Falco do?
+
+Falco consumes signals from the Linux kernel, and container management tools such as Docker and Kubernetes.
+Falco parses the signals and asserts them against security rules.
+If a rule has been violated, Falco triggers an alert. 
+
+### How does Falco work?
+
+Falco traces kernel events and reports information about the system calls being executed at runtime.
+Falco leverages the extended berkley packet filter (eBPF) which is a kernel feature implemented for dynamic crash-resilient and secure code execution in the kernel. 
+Falco enriches these kernel events with information about containers running on the system.
+Falco also can consume signals from other input streams such as the containerd socket, the Kubernetes API server and the Kubernetes audit log.
+At runtime, Falco will reason about these events and assert them against configured security rules.
+Based on the severity of a violation an alert is triggered.
+These alerts are configurable and extensible, for instance sending a notification or [plumbing through to other projects like Prometheus](https://github.com/falcosecurity/falco-exporter). 
+
+### Benefits of using Falco
+
+ - **Strengthen Security** Create security rules driven by a context-rich and flexible engine to define unexpected application behavior.
+ - **Reduce Risk** Immediately respond to policy violation alerts by plugging Falco into your current security response workflows and processes.
+ - **Leverage up-to-date Rules** Alert using community-sourced detections of malicious activity and CVE exploits.
+    
+### Falco and securing Kubernetes
+
+Securing Kubernetes requires putting controls in place to detect unexpected behavior that could be malicious or harmful to a cluster or application(s). 
+
+Examples of malicious behavior include: 
+
+ - Exploits of unpatched and new vulnerabilities in applications or Kubernetes itself. 
+ - Insecure configurations in applications or Kubernetes itself. 
+ - Leaked or weak credentials or secret material.
+ - Insider threats from adjacent applications running at the same layer. 
+
+Falco is capable of [consuming the Kubernetes audit logs](https://kubernetes.io/docs/tasks/debug-application-cluster/falco/#use-falco-to-collect-audit-events).
+By adding Kubernetes application context, and Kubernetes audit logs teams can understand who did what.
+                                 
+### Writing about Falco
+
+##### Yes
+
+Notice the capitalization of the following terms.
+
+ - The Falco Project
+ - Falco
+
+##### No
+
+ - falco
+ - the falco project
+ - the Falco project
+
+### Encouraged Phrasing
+
+Below are phrases that the project has reviewed, and found to be effective ways of messaging Falco's value add.
+Even when processes are in place for vulnerability scanning and implementing pod security and network policies, not every risk will be addressed. You still need mechanisms to confirm these security barriers are effective, help configure them, and provide with a last line of defense when they fail.
+
+##### Falco as a factory
+
+This term refers to the concept that Falco is a stateless processing engine. A large amount of data comes into the engine, but meticulously crafted security alerts come out.
+
+##### The engine that powers...
+
+Falco ultimately is a security engine. It reasons about signals coming from a system at runtime, and can alert if an anomaly is detected.
+
+##### Anomaly detection
+
+This refers to an event that occurs with something unsual, concerning, or odd occurs.
+We can associate anomalies with unwanted behavior, and alert in their presence.
+
+##### Detection tooling
+
+Falco does not prevent unwanted behavior.
+Falco however alerts when unusual behavior occurs.
+This is commonly referred to as **detection** or **forensics**.
+
+
+---
+
+# Glossary 
+
+#### Probe
+
+Used to describe the `.o` object that would be dynamically loaded into the kernel as a secure and stable (e)BPF probe. 
+This is one option used to pass kernel events up to userspace for Falco to consume.
+Sometimes this word is incorrectly used to refer to a `module`.
+
+#### Module
+
+Used to describe the `.ko` object that would be loaded into the kernel as a potentially risky kernel module.
+This is one option used to pass kernel events up to userspace for Falco to consume.
+Sometimes this word is incorrectly used to refer to a `probe`.
+
+#### Driver 
+
+The global term for the software that sends events from the kernel. Such as the eBPF `probe` or the `kernel module`.
+
+#### Falco
+
+The name of the project, and also the name of [the main engine](https://github.com/falcosecurity/falco) that the rest of the project is built on.
+
+#### Sysdig, Inc
+
+The name of the company that originally created The Falco Project, and later donated to the CNCF.
+
+#### sysdig 
+
+A [CLI tool](https://github.com/draios/sysdig) used to evaluate kernel system events at runtime. 
+
--- a/brand/primary-logo.png
+++ b/brand/primary-logo.png
--- a/brand/teal-logo.png
+++ b/brand/teal-logo.png
@@ -0,0 +1 @@
+<svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 708.41 374.92"><defs><style>.cls-1{fill:#00b4c8;}</style></defs><title>Falco horizontal logo_teal2</title><g id="fqqZXT"><path class="cls-1" d="M204.69,154.4Q151.5,208,98,261.25a48.42,48.42,0,0,1-5.27,4.87c-2.55,1.89-5.34,2-7.65-.45s-1.51-5,.41-7.06c4.6-4.94,9.35-9.74,14.13-14.5q52.56-52.31,105.14-104.59c3.35-3.34,18.05,7.52,21.58,11.1"/><path class="cls-1" d="M215.06,171.36c-.15,2.14-1.54,3.55-2.93,4.94l-87.82,87.79c-2.75,2.74-6,5.42-9.46,1.68-3.15-3.39-.5-6.44,2.06-9q43.44-43.44,86.89-86.87c2.21-2.22,4.58-4.23,8-3A4.61,4.61,0,0,1,215.06,171.36Z"/><path class="cls-1" d="M70.93,71c2.42-.09,4.09,1.31,5.64,2.87q41.82,41.79,83.61,83.59c2.6,2.61,5,5.74,1.69,9s-6.41,1-9-1.66Q111,123,69.25,81.2c-2.09-2.1-3.72-4.39-2.45-7.53A4.34,4.34,0,0,1,70.93,71Z"/><path class="cls-1" d="M203.42,268c-5,1-8.9-1.34-12.45-5-6.35-6.61-12.87-13-19.41-19.46-3.85-3.8-4-7.41-.14-11.28,11.14-11.07,22.21-22.21,33.35-33.29,2.45-2.44,5.43-4.49,8.55-1.55,3.48,3.29,1.19,6.41-1.39,9-8.74,8.84-17.44,17.73-26.4,26.35-3.4,3.27-3.93,5.72-.19,9.06,4.22,3.78,8.13,7.91,12,12,2.54,2.68,5.35,4.25,9.18,4.11s8.28-.12,8.16,5.09c-.12,5-4.74,4.8-8.4,5.14A21,21,0,0,1,203.42,268Z"/><path class="cls-1" d="M148.7,178.36c-.75,3.49-2.68,5.6-6.43,4.36a13,13,0,0,1-4.74-3.31q-30.11-30-60.1-60a23.14,23.14,0,0,1-2.56-3c-1.72-2.42-1.88-5,.3-7.11s4.84-1.76,7,.26c3.65,3.42,7.17,7,10.71,10.53q25.65,25.64,51.28,51.3C146.12,173.37,148.49,175.13,148.7,178.36Z"/><path class="cls-1" d="M133.74,192.93a4.9,4.9,0,0,1-2.53,4.29,5.37,5.37,0,0,1-6.63-.95c-3.35-3.1-6.57-6.34-9.8-9.57q-14.34-14.3-28.61-28.63a34.27,34.27,0,0,1-4.17-5,4.57,4.57,0,0,1,.36-6,5,5,0,0,1,6-1.12,11.65,11.65,0,0,1,3.7,2.58q19.44,19.33,38.79,38.76C132.4,188.85,133.77,190.54,133.74,192.93Z"/></g><path class="cls-1" d="M413.15,190.86a25.57,25.57,0,0,0-10.35-6.63,46.78,46.78,0,0,0-16-2.37A83.35,83.35,0,0,0,372,183.12a75.16,75.16,0,0,0-10.58,2.53l2.37,15.48a53.47,53.47,0,0,1,9-2.21A72.44,72.44,0,0,1,385,198a22.61,22.61,0,0,1,8.13,1.26,13,13,0,0,1,5.22,3.56,13.23,13.23,0,0,1,2.76,5.29,24.6,24.6,0,0,1,.79,6.32v3.16a61.65,61.65,0,0,0-7.42-1.34,57.43,57.43,0,0,0-6.64-.4,61.45,61.45,0,0,0-13,1.35,32.26,32.26,0,0,0-11,4.42,22.7,22.7,0,0,0-7.51,8,24.09,24.09,0,0,0-2.76,12A28.39,28.39,0,0,0,356,254.05a21.6,21.6,0,0,0,6.79,8.22,28.56,28.56,0,0,0,10.51,4.58,60.24,60.24,0,0,0,13.58,1.42A137.25,137.25,0,0,0,407,266.93c5.94-.9,10.4-1.66,13.35-2.29V214.56a50.84,50.84,0,0,0-1.66-13.35A24.93,24.93,0,0,0,413.15,190.86Zm-11.3,61.3a71.4,71.4,0,0,1-13.43.94q-7.26,0-11.53-2.6t-4.26-9.4a10,10,0,0,1,1.57-5.77,10.67,10.67,0,0,1,4.19-3.55,20.18,20.18,0,0,1,5.85-1.74,43.43,43.43,0,0,1,6.39-.47,42.23,42.23,0,0,1,6.64.47,37,37,0,0,1,4.58,1Z"/><path class="cls-1" d="M461.38,248.44a9.27,9.27,0,0,1-2-4,26.17,26.17,0,0,1-.55-5.85V143.94l-19.12,3.16v95.1a40.74,40.74,0,0,0,1.35,11,17.57,17.57,0,0,0,4.66,8.06,21.71,21.71,0,0,0,8.92,5,52,52,0,0,0,14.14,1.89l2.69-15.8a29.78,29.78,0,0,1-6.24-1.34A8.76,8.76,0,0,1,461.38,248.44Z"/><path class="cls-1" d="M532.2,251.05a49.24,49.24,0,0,1-9.64.95q-13.11,0-18.64-7.19t-5.53-19.51q0-12.8,5.85-19.83t17.06-7a40.4,40.4,0,0,1,8.92.95,43.38,43.38,0,0,1,7.51,2.37l4.1-15.64a57.88,57.88,0,0,0-22.11-4.26,42.15,42.15,0,0,0-17.06,3.31,37.35,37.35,0,0,0-12.88,9.17,40.64,40.64,0,0,0-8.14,13.82,50.82,50.82,0,0,0-2.84,17.14,56.83,56.83,0,0,0,2.53,17.3A37.22,37.22,0,0,0,489,256.34a34.82,34.82,0,0,0,13,9,47.83,47.83,0,0,0,18.4,3.24,68.05,68.05,0,0,0,13.19-1.27,39.84,39.84,0,0,0,9.56-2.84l-2.69-15.8A45,45,0,0,1,532.2,251.05Z"/><path class="cls-1" d="M625.77,207.37a40.7,40.7,0,0,0-8.14-13.67,35.23,35.23,0,0,0-12.56-8.76,40.93,40.93,0,0,0-16-3.08,40.34,40.34,0,0,0-16,3.08,36.32,36.32,0,0,0-12.56,8.76,39.88,39.88,0,0,0-8.21,13.67,51.31,51.31,0,0,0-2.93,17.77A52,52,0,0,0,552.31,243a40.47,40.47,0,0,0,8.13,13.75,36.57,36.57,0,0,0,12.48,8.85A40.14,40.14,0,0,0,589,268.74a40.69,40.69,0,0,0,16.19-3.15,36.32,36.32,0,0,0,12.56-8.85A39.7,39.7,0,0,0,625.85,243a53.47,53.47,0,0,0,2.84-17.85A51.55,51.55,0,0,0,625.77,207.37Zm-22,37.52q-5.29,7.28-14.77,7.27t-14.77-7.27q-5.29-7.26-5.3-19.75,0-12.31,5.3-19.51T589,198.44q9.48,0,14.77,7.19t5.29,19.51Q609.1,237.62,603.81,244.89Z"/><path class="cls-1" d="M347.24,218h-47.8v50.57H279.65V150h75.89v15.88h-56.1v36.23h47.8Z"/></svg>
--- a/brand/white-logo.png
+++ b/brand/white-logo.png
--- a/cmake/modules/CPackConfig.cmake
+++ b/cmake/modules/CPackConfig.cmake
@@ -1,9 +1,12 @@
 set(CPACK_PACKAGE_NAME "${PACKAGE_NAME}")
 set(CPACK_PACKAGE_VENDOR "Cloud Native Computing Foundation (CNCF) cncf.io.")
-set(CPACK_PACKAGE_CONTACT "opensource@sysdig.com") # todo: change this once we've got @falco.org addresses
+set(CPACK_PACKAGE_CONTACT "cncf-falco-dev@lists.cncf.io") # todo: change this once we've got @falco.org addresses
 set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "Falco - Container Native Runtime Security")
 set(CPACK_PACKAGE_DESCRIPTION_FILE "${PROJECT_SOURCE_DIR}/scripts/description.txt")
 set(CPACK_PACKAGE_VERSION "${FALCO_VERSION}")
+set(CPACK_PACKAGE_VERSION_MAJOR "${FALCO_VERSION_MAJOR}")
+set(CPACK_PACKAGE_VERSION_MINOR "${FALCO_VERSION_MINOR}")
+set(CPACK_PACKAGE_VERSION_PATCH "${FALCO_VERSION_PATCH}")
 set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CMAKE_SYSTEM_PROCESSOR}")
 set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/cmake/cpack/CMakeCPackOptions.cmake")
 set(CPACK_STRIP_FILES "ON")
--- a/cmake/modules/DownloadCatch.cmake
+++ b/cmake/modules/DownloadCatch.cmake
@@ -15,7 +15,7 @@ include(ExternalProject)
 set(CATCH2_INCLUDE ${CMAKE_BINARY_DIR}/catch2-prefix/include)

 set(CATCH_EXTERNAL_URL URL https://github.com/catchorg/catch2/archive/v2.9.1.tar.gz URL_HASH
-                       MD5=4980778888fed635bf191d8a86f9f89c)
+                       SHA256=0b36488aca6265e7be14da2c2d0c748b4ddb9c70a1ea4da75736699c629f14ac)

 ExternalProject_Add(
  catch2
--- a/cmake/modules/DownloadFakeIt.cmake
+++ b/cmake/modules/DownloadFakeIt.cmake
@@ -15,7 +15,7 @@ include(ExternalProject)
 set(FAKEIT_INCLUDE ${CMAKE_BINARY_DIR}/fakeit-prefix/include)

 set(FAKEIT_EXTERNAL_URL URL https://github.com/eranpeer/fakeit/archive/2.0.5.tar.gz URL_HASH
-                        MD5=d3d21b909cebaea5b780af5500bf384e)
+                        SHA256=298539c773baca6ecbc28914306bba19d1008e098f8adc3ad3bb00e993ecdf15)

 ExternalProject_Add(
  fakeit-external
--- a/cmake/modules/GetFalcoVersion.cmake
+++ b/cmake/modules/GetFalcoVersion.cmake
@@ -0,0 +1,46 @@
+# Retrieve git ref and commit hash
+include(GetGitRevisionDescription)
+
+# Create the falco version variable according to git index
+if(NOT FALCO_VERSION)
+  string(STRIP "${FALCO_HASH}" FALCO_HASH)
+  # Try to obtain the exact git tag
+  git_get_exact_tag(FALCO_TAG)
+  if(NOT FALCO_TAG)
+    # Obtain the closest tag
+    git_describe(FALCO_VERSION "--always" "--tags")
+    # Fallback version
+    if(FALCO_VERSION MATCHES "NOTFOUND$")
+      set(FALCO_VERSION "0.0.0")
+    endif()
+    # Format FALCO_VERSION to be semver with prerelease and build part
+    string(REPLACE "-g" "+" FALCO_VERSION "${FALCO_VERSION}")
+  else()
+    # A tag has been found: use it as the Falco version
+    set(FALCO_VERSION "${FALCO_TAG}")
+    # Remove the starting "v" in case there is one
+    string(REGEX REPLACE "^v(.*)" "\\1" FALCO_VERSION "${FALCO_TAG}")
+  endif()
+  # TODO(leodido) > ensure Falco version is semver before extracting parts Populate partial version variables
+  string(REGEX MATCH "^(0|[1-9][0-9]*)" FALCO_VERSION_MAJOR "${FALCO_VERSION}")
+  string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\..*" "\\2" FALCO_VERSION_MINOR "${FALCO_VERSION}")
+  string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*).*" "\\3" FALCO_VERSION_PATCH
+                       "${FALCO_VERSION}")
+  string(
+    REGEX
+    REPLACE
+      "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)-((0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(\\.(0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*).*"
+      "\\5"
+      FALCO_VERSION_PRERELEASE
+      "${FALCO_VERSION}")
+  if(FALCO_VERSION_PRERELEASE STREQUAL "${FALCO_VERSION}")
+    set(FALCO_VERSION_PRERELEASE "")
+  endif()
+  if(NOT FALCO_VERSION_BUILD)
+    string(REGEX REPLACE ".*\\+([0-9a-zA-Z-]+(\\.[0-9a-zA-Z-]+)*)" "\\1" FALCO_VERSION_BUILD "${FALCO_VERSION}")
+  endif()
+  if(FALCO_VERSION_BUILD STREQUAL "${FALCO_VERSION}")
+    set(FALCO_VERSION_BUILD "")
+  endif()
+endif()
+message(STATUS "Falco version: ${FALCO_VERSION}")
--- a/cmake/modules/GetGitRevisionDescription.cmake
+++ b/cmake/modules/GetGitRevisionDescription.cmake
@@ -104,18 +104,19 @@ function(git_describe _var)
    return()
  endif()

-  # TODO sanitize if((${ARGN}" MATCHES "&&") OR (ARGN MATCHES "||") OR (ARGN MATCHES "\\;")) message("Please report the
-  # following error to the project!") message(FATAL_ERROR "Looks like someone's doing something nefarious with
-  # git_describe! Passed arguments ${ARGN}") endif()
-
-  # message(STATUS "Arguments to execute_process: ${ARGN}")
-
-  execute_process(
-    COMMAND "${GIT_EXECUTABLE}" describe ${hash} ${ARGN}
-    WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}"
-    RESULT_VARIABLE res
-    OUTPUT_VARIABLE out
-    ERROR_QUIET OUTPUT_STRIP_TRAILING_WHITESPACE)
+  execute_process(COMMAND
+    "${GIT_EXECUTABLE}"
+    describe
+    ${hash}
+    ${ARGN}
+    WORKING_DIRECTORY
+    "${CMAKE_CURRENT_SOURCE_DIR}"
+    RESULT_VARIABLE
+    res
+    OUTPUT_VARIABLE
+    out
+    ERROR_QUIET
+    OUTPUT_STRIP_TRAILING_WHITESPACE)
  if(NOT res EQUAL 0)
    set(out "${out}-${res}-NOTFOUND")
  endif()
--- a/cmake/modules/OpenSSL.cmake
+++ b/cmake/modules/OpenSSL.cmake
@@ -21,7 +21,7 @@ else()
    openssl
    # START CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
    URL "https://s3.amazonaws.com/download.draios.com/dependencies/openssl-1.0.2n.tar.gz"
-    URL_MD5 "13bdc1b1d1ff39b6fd42a255e74676a4"
+    URL_HASH "SHA256=370babb75f278c39e0c50e8c4e7493bc0f18db6867478341a832a982fd15a8fe"
    # END CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
    CONFIGURE_COMMAND ./config shared --prefix=${OPENSSL_INSTALL_DIR}
    BUILD_COMMAND ${CMD_MAKE}
--- a/cmake/modules/cURL.cmake
+++ b/cmake/modules/cURL.cmake
@@ -32,7 +32,7 @@ else()
    DEPENDS openssl
    # START CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
    URL "https://s3.amazonaws.com/download.draios.com/dependencies/curl-7.61.0.tar.bz2"
-    URL_MD5 "31d0a9f48dc796a7db351898a1e5058a"
+    URL_HASH "SHA256=5f6f336921cf5b84de56afbd08dfb70adeef2303751ffb3e570c936c6d656c9c"
    # END CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
    CONFIGURE_COMMAND
      ./configure
--- a/cmake/modules/jq.cmake
+++ b/cmake/modules/jq.cmake
@@ -26,7 +26,7 @@ else()
  ExternalProject_Add(
    jq
    URL "https://github.com/stedolan/jq/releases/download/jq-1.5/jq-1.5.tar.gz"
-    URL_MD5 "0933532b086bd8b6a41c1b162b1731f9"
+    URL_HASH "SHA256=c4d2bfec6436341113419debf479d833692cc5cdab7eb0326b5a4d4fbe9f493c"
    CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking
    BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
    BUILD_IN_SOURCE 1
--- a/cmake/modules/sysdig-repo/CMakeLists.txt
+++ b/cmake/modules/sysdig-repo/CMakeLists.txt
@@ -15,20 +15,14 @@ cmake_minimum_required(VERSION 3.5.1)
 project(sysdig-repo NONE)

 include(ExternalProject)
-
-# The sysdig git reference (branch name, commit hash, or tag)
-
-# To update sysdig version for the next release, change the default below
-# In case you want to test against another sysdig version just pass the variable - ie., `cmake -DSYSDIG_VERSION=dev ..`
-if(NOT SYSDIG_VERSION)
-  set(SYSDIG_VERSION "146a431edf95829ac11bfd9c85ba3ef08789bffe")
-endif()
+message(STATUS "Driver version: ${SYSDIG_VERSION}")

 ExternalProject_Add(
  sysdig
  URL "https://github.com/draios/sysdig/archive/${SYSDIG_VERSION}.tar.gz"
-  # URL_HASH SHA256=bd09607aa8beb863db07e695863f7dc543e2d39e7153005759d26a340ff66fa5
+  URL_HASH "${SYSDIG_CHECKSUM}"
  CONFIGURE_COMMAND ""
  BUILD_COMMAND ""
  INSTALL_COMMAND ""
-  TEST_COMMAND "")
+  TEST_COMMAND ""
+  PATCH_COMMAND patch -p1 -i ${CMAKE_CURRENT_SOURCE_DIR}/patch/libscap.patch)
--- a/cmake/modules/sysdig-repo/patch/libscap.patch
+++ b/cmake/modules/sysdig-repo/patch/libscap.patch
@@ -0,0 +1,31 @@
+diff --git a/userspace/libscap/scap.c b/userspace/libscap/scap.c
+index e9faea51..a1b3b501 100644
+--- a/userspace/libscap/scap.c
+++ b/userspace/libscap/scap.c
+@@ -52,7 +52,7 @@ limitations under the License.
+ //#define NDEBUG
+ #include <assert.h>
+ 
+-static const char *SYSDIG_BPF_PROBE_ENV = "SYSDIG_BPF_PROBE";
+static const char *SYSDIG_BPF_PROBE_ENV = "FALCO_BPF_PROBE";
+ 
+ //
+ // Probe version string size
+@@ -171,7 +171,7 @@ scap_t* scap_open_live_int(char *error, int32_t *rc,
+ 				return NULL;
+ 			}
+ 
+-			snprintf(buf, sizeof(buf), "%s/.sysdig/%s-bpf.o", home, PROBE_NAME);
+			snprintf(buf, sizeof(buf), "%s/.falco/%s-bpf.o", home, PROBE_NAME);
+ 			bpf_probe = buf;
+ 		}
+ 	}
+@@ -1808,7 +1808,7 @@ int32_t scap_disable_dynamic_snaplen(scap_t* handle)
+ 
+ const char* scap_get_host_root()
+ {
+-	char* p = getenv("SYSDIG_HOST_ROOT");
+	char* p = getenv("HOST_ROOT");
+ 	static char env_str[SCAP_MAX_PATH_SIZE + 1];
+ 	static bool inited = false;
+ 	if (! inited) {
--- a/cmake/modules/sysdig.cmake
+++ b/cmake/modules/sysdig.cmake
@@ -21,8 +21,19 @@ if(USE_BUNDLED_DEPS)
 endif()

 file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
+
+# The sysdig git reference (branch name, commit hash, or tag)
+# To update sysdig version for the next release, change the default below
+# In case you want to test against another sysdig version just pass the variable - ie., `cmake -DSYSDIG_VERSION=dev ..`
+if(NOT SYSDIG_VERSION)
+  set(SYSDIG_VERSION "a259b4bf49c3330d9ad6c3eed9eb1a31954259a6")
+  set(SYSDIG_CHECKSUM "SHA256=fdbeb8d182e6383fe89428e0934d521636068f62109c1b3ca11689d886458284")
+endif()
+set(PROBE_VERSION "${SYSDIG_VERSION}")
+
 # cd /path/to/build && cmake /path/to/source
-execute_process(COMMAND "${CMAKE_COMMAND}" ${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
+execute_process(COMMAND "${CMAKE_COMMAND}" -DSYSDIG_VERSION=${SYSDIG_VERSION} -DSYSDIG_CHECKSUM=${SYSDIG_CHECKSUM} ${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
+

 # todo(leodido, fntlnz) > use the following one when CMake version will be >= 3.13

--- a/cmake/modules/yaml-cpp.cmake
+++ b/cmake/modules/yaml-cpp.cmake
@@ -26,7 +26,7 @@ else()
  ExternalProject_Add(
    yamlcpp
    URL "https://github.com/jbeder/yaml-cpp/archive/yaml-cpp-0.6.2.tar.gz"
-    URL_MD5 "5b943e9af0060d0811148b037449ef82"
+    URL_HASH "SHA256=e4d8560e163c3d875fd5d9e5542b5fd5bec810febdcba61481fe5fc4e6b1fd05"
    BUILD_IN_SOURCE 1
    INSTALL_COMMAND "")
 endif()
--- a/docker/README.md
+++ b/docker/README.md
@@ -2,29 +2,17 @@

 This directory contains the various ways to package Falco as a container. 

-## Currently Supported Containers
+## Currently Supported Images

-### `falcosecurity/falco` Dockerfiles
- - `./dev`: Builds a container image from the `dev` apt repo.
- - `./stable`: Builds a container image from the `stable` apt repo.
- - `./local`: Builds a container image from a locally provided Falco `dpkg` package.
+| Name | Directory | Description |
+|---|---|---|
+| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/stable | Falco (DEB built from git tag or from the master) with all the building toolchain. | 
+| [falcosecurity/falco:latest-slim](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master-slim](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/slim | Falco (DEB build from git tag or from the master) without the building toolchain. | 
+| [falcosecurity/falco:latest-minimal](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master-minimal](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/minimal | Falco (TGZ built from git tag or from the master) without the building toolchain. | 
+| [falcosecurity/falco-event-generator:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-event-generator) | docker/event-generator | Event generator tool to simulate events Falco catches. | 
+| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source. Used to build Falco (CI). | 
+| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). | 
+| _to not be published_ | docker/local | Built on-the-fly and used by falco-tester. |

-### Build & Testing Dockerfiles
- - `./builder`: `falcosecurity/falco-builder` - The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source.
- - `./tester`: `falcosecurity/falco-tester` - Container image for running the Falco test suite.
-
-## Alpha Release Containers
-
-These Dockerfiles (and resulting container images) are currently in `alpha`. We'd love for you to test these images and [report any feedback](https://github.com/falcosecurity/falco/issues/new/choose).
-
-### Slim and Minimal Dockerfiles
-The goal of these container images is to reduce the size of the underlying Falco container. 
- - `./slim-dev`: Like `./dev` above but removes build tools for older kernels.
- - `./slim-stable`: Like `./stable` above but removes build tools for older kernels.
- - `./minimal`: A minimal container image (~20mb), containing only the files required to run Falco.
-
-### Init Containers
-These container images allow for the delivery of the kernel module or eBPF probe either via HTTP or via a container image.
- - `kernel/linuxkit`: Multistage Dockerfile to build a Falco kernel module for Linuxkit (Docker Desktop). Generates an alpine based container image with the kernel module, and `insmod` as the container `CMD`.  
- - `kernel/probeloader`: Multistage Dockerfile to build a Go based application to download (via HTTPS) and load a Falco kernel module. The resulting container image can be ran as an `initContainer` to load the Falco module before Falco starts.
+> Note: `falco-builder`, `falco-tester` (and the `docker/local` image that it's built on the fly) are not integrated into the release process because they are development and CI tools that need to be manually pushed only when updated.

--- a/docker/builder/Dockerfile
+++ b/docker/builder/Dockerfile
@@ -2,7 +2,7 @@ FROM centos:7

 LABEL name="falcosecurity/falco-builder"
 LABEL usage="docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder cmake"
-LABEL maintainer="opensource@sysdig.com"
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"

 ARG BUILD_TYPE=release
 ARG BUILD_DRIVER=OFF
--- a/docker/dev/Dockerfile
+++ b/docker/dev/Dockerfile
@@ -1,110 +0,0 @@
-FROM debian:unstable
-
-LABEL maintainer="opensource@sysdig.com"
-
-ENV FALCO_REPOSITORY dev
-
-LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
-
-ENV HOST_ROOT /host
-
-ENV HOME /root
-
-RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
-
-ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
-
-RUN apt-get update \
-	&& apt-get install -y --no-install-recommends \
-	bash-completion \
-	bc \
-	clang-7 \
-	ca-certificates \
-	curl \
-	dkms \
-	gnupg2 \
-	gcc \
-	gdb \
-	jq \
-	libc6-dev \
-	libelf-dev \
-	llvm-7 \
-	netcat \
-	xz-utils \
-	&& rm -rf /var/lib/apt/lists/*
-
-# gcc 6 is no longer included in debian unstable, but we need it to
-# build kernel modules on the default debian-based ami used by
-# kops. So grab copies we've saved from debian snapshots with the
-# prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
-# or so.
-
-RUN curl -o cpp-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/cpp-6_6.3.0-18_amd64.deb \
-	&& curl -o gcc-6-base_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6-base_6.3.0-18_amd64.deb \
-	&& curl -o gcc-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6_6.3.0-18_amd64.deb \
-	&& curl -o libasan3_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libasan3_6.3.0-18_amd64.deb \
-	&& curl -o libcilkrts5_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libcilkrts5_6.3.0-18_amd64.deb \
-	&& curl -o libgcc-6-dev_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libgcc-6-dev_6.3.0-18_amd64.deb \
-	&& curl -o libubsan0_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libubsan0_6.3.0-18_amd64.deb \
-	&& curl -o libmpfr4_3.1.3-2_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libmpfr4_3.1.3-2_amd64.deb \
-	&& curl -o libisl15_0.18-1_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libisl15_0.18-1_amd64.deb \
-	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
-	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
-
-# gcc 5 is no longer included in debian unstable, but we need it to
-# build centos kernels, which are 3.x based and explicitly want a gcc
-# version 3, 4, or 5 compiler. So grab copies we've saved from debian
-# snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
-
-RUN curl -o cpp-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/cpp-5_5.5.0-12_amd64.deb \
-	&& curl -o gcc-5-base_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
-	&& curl -o gcc-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5_5.5.0-12_amd64.deb \
-	&& curl -o libasan2_5.5.0-12_amd64.deb	https://s3.amazonaws.com/download.draios.com/dependencies/libasan2_5.5.0-12_amd64.deb \
-	&& curl -o libgcc-5-dev_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
-	&& curl -o libisl15_0.18-4_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libisl15_0.18-4_amd64.deb \
-	&& curl -o libmpx0_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libmpx0_5.5.0-12_amd64.deb \
-	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
-	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
-
-# Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
-# default to gcc-5.
-RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc
-
-RUN rm -rf /usr/bin/clang \
-	&& rm -rf /usr/bin/llc \
-	&& ln -s /usr/bin/clang-7 /usr/bin/clang \
-	&& ln -s /usr/bin/llc-7 /usr/bin/llc
-
-RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
-	&& curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
-	&& apt-get update \
-	&& apt-get install -y --no-install-recommends falco \
-	&& apt-get clean \
-	&& rm -rf /var/lib/apt/lists/*
-
-# Change the falco config within the container to enable ISO 8601
-# output.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-	&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
-
-# Some base images have an empty /lib/modules by default
-# If it's not empty, docker build will fail instead of
-# silently overwriting the existing directory
-RUN rm -df /lib/modules \
-	&& ln -s $HOST_ROOT/lib/modules /lib/modules
-
-# debian:unstable head contains binutils 2.31, which generates
-# binaries that are incompatible with kernels < 4.16. So manually
-# forcibly install binutils 2.30-22 instead.
-RUN curl -s -o binutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils_2.30-22_amd64.deb \
-	&& curl -s -o libbinutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libbinutils_2.30-22_amd64.deb \
-	&& curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
-	&& curl -s -o binutils-common_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-common_2.30-22_amd64.deb \
-	&& dpkg -i *binutils*.deb \
-	&& rm -f *binutils*.deb
-
-COPY ./docker-entrypoint.sh /
-
-ENTRYPOINT ["/docker-entrypoint.sh"]
-
-CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]
--- a/docker/dev/docker-entrypoint.sh
+++ b/docker/dev/docker-entrypoint.sh
@@ -1,34 +0,0 @@
-#!/usr/bin/env bash
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# set -e
-
-# Set the SKIP_MODULE_LOAD variable to skip loading the kernel module
-
-if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
-    echo "* Setting up /usr/src links from host"
-
-    for i in "$HOST_ROOT/usr/src"/*
-    do
-        ln -s "$i" "/usr/src/$i"
-    done
-
-    /usr/bin/falco-probe-loader
-fi
-
-exec "$@"
--- a/docker/event-generator/Dockerfile
+++ b/docker/event-generator/Dockerfile
@@ -1,5 +1,5 @@
 FROM alpine:latest
-LABEL maintainer="opensource@sysdig.com"
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 RUN apk add --no-cache bash g++ curl
 COPY ./event_generator.cpp /usr/local/bin
 COPY ./docker-entrypoint.sh ./k8s_event_generator.sh /
--- a/docker/event-generator/event-generator-k8saudit-deployment.yaml
+++ b/docker/event-generator/event-generator-k8saudit-deployment.yaml
@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: falco-event-generator-k8saudit
+  labels:
+    app: falco-event-generator-k8saudit
+  namespace: falco-event-generator
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: falco-event-generator-k8saudit
+  template:
+    metadata:
+      labels:
+        app: falco-event-generator-k8saudit
+    spec:
+      serviceAccount: falco-event-generator
+      containers:
+      - name: falco-event-generator
+        image: falcosecurity/falco-event-generator
+        imagePullPolicy: Always
+        args: ["k8s_audit"]
--- a/docker/event-generator/event-generator-role-rolebinding-serviceaccount.yaml
+++ b/docker/event-generator/event-generator-role-rolebinding-serviceaccount.yaml
@@ -0,0 +1,71 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: falco-event-generator
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - services
+  - serviceaccounts
+  - pods
+  verbs:
+  - list
+  - get
+  - create
+  - delete
+- apiGroups:
+  - apps
+  - extensions
+  resources:
+  - deployments
+  verbs:
+  - list
+  - get
+  - create
+  - delete
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - roles
+  - rolebindings
+  verbs:
+  - get
+  - list
+  - create
+  - delete
+# These are only so the event generator can create roles that have these properties.
+# It will result in a falco alert for the rules "ClusterRole With Wildcard Created", "ClusterRole With Pod Exec Created"
+- apiGroups:
+  - ""
+  resources:
+  - pods/exec
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - '*'
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: falco-event-generator
+  namespace: falco-eg-sandbox
+subjects:
+  - kind: ServiceAccount
+    name: falco-event-generator
+    namespace: falco-event-generator
+roleRef:
+  kind: ClusterRole
+  name: falco-event-generator
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: falco-event-generator
+  namespace: falco-event-generator
--- a/docker/event-generator/event-generator-syscall-daemonset.yaml
+++ b/docker/event-generator/event-generator-syscall-daemonset.yaml
@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: falco-event-generator-syscall
+  labels:
+    app: falco-event-generator-syscall
+  namespace: falco-event-generator
+spec:
+  selector:
+    matchLabels:
+      name: falco-event-generator-syscall
+  template:
+    metadata:
+      labels:
+        name: falco-event-generator-syscall
+    spec:
+      containers:
+      - name: falco-event-generator
+        image: falcosecurity/falco-event-generator
+        args: ["syscall"]
--- a/docker/event-generator/k8s_event_generator.sh
+++ b/docker/event-generator/k8s_event_generator.sh
@@ -17,15 +17,18 @@ kubectl version --short

 while true; do

-    RET=$(kubectl get namespaces --output=name | grep falco-event-generator || true)
+    # Delete all resources in the falco-eg-sandbox namespace
+    echo "***Deleting all resources in falco-eg-sandbox namespace..."
+    kubectl delete --all configmaps -n falco-eg-sandbox
+    kubectl delete --all deployments -n falco-eg-sandbox
+    kubectl delete --all services -n falco-eg-sandbox
+    kubectl delete --all roles -n falco-eg-sandbox
+    kubectl delete --all serviceaccounts -n falco-eg-sandbox

-    if [[ "$RET" == *falco-event-generator* ]]; then
-	echo "***Deleting existing falco-event-generator namespace..."
-	kubectl delete namespace falco-event-generator
-    fi
-
-    echo "***Creating falco-event-generator namespace..."
-    kubectl create namespace falco-event-generator
+    # We don't delete all rolebindings in the falco-eg-sandbox
+    # namespace, as that would also delete the rolebinding for the
+    # event generator itself.
+    kubectl delete rolebinding vanilla-role-binding -n falco-eg-sandbox || true

    for file in yaml/*.yaml; do

@@ -48,7 +51,7 @@ while true; do
 	    RULES=$(echo "$RULES" | tr '-' ' '| tr '.' '/' | sed -e 's/ *//' | sed  -e 's/,$//')

 	    echo "***$MESSAGES (Rule(s) $RULES)..."
-	    kubectl apply -f $file
+	    kubectl apply -f $file -n falco-eg-sandbox
 	    sleep 2
 	fi
    done
--- a/docker/event-generator/yaml/configmap-private-creds.yaml
+++ b/docker/event-generator/yaml/configmap-private-creds.yaml
@@ -2,7 +2,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
  name: private-creds-configmap
-  namespace: falco-event-generator
  labels:
    app.kubernetes.io/name: private-creds-configmap
    app.kubernetes.io/part-of: falco-event-generator
--- a/docker/event-generator/yaml/disallowed-pod-deployment.yaml
+++ b/docker/event-generator/yaml/disallowed-pod-deployment.yaml
@@ -2,7 +2,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: disallowed-pod-deployment
-  namespace: falco-event-generator
  labels:
    app.kubernetes.io/name: disallowed-pod-deployment
    app.kubernetes.io/part-of: falco-event-generator
--- a/docker/event-generator/yaml/hostnetwork-deployment.yaml
+++ b/docker/event-generator/yaml/hostnetwork-deployment.yaml
@@ -2,7 +2,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: hostnetwork-deployment
-  namespace: falco-event-generator
  labels:
    app.kubernetes.io/name: hostnetwork-deployment
    app.kubernetes.io/part-of: falco-event-generator
--- a/docker/event-generator/yaml/nodeport-service.yaml
+++ b/docker/event-generator/yaml/nodeport-service.yaml
@@ -2,7 +2,6 @@ apiVersion: v1
 kind: Service
 metadata:
  name: nodeport-service
-  namespace: falco-event-generator
  labels:
    app.kubernetes.io/name: nodeport-service
    app.kubernetes.io/part-of: falco-event-generator
--- a/docker/event-generator/yaml/privileged-deployment.yaml
+++ b/docker/event-generator/yaml/privileged-deployment.yaml
@@ -2,7 +2,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: privileged-deployment
-  namespace: falco-event-generator
  labels:
    app.kubernetes.io/name: privileged-deployment
    app.kubernetes.io/part-of: falco-event-generator
--- a/docker/event-generator/yaml/role-pod-exec.yaml
+++ b/docker/event-generator/yaml/role-pod-exec.yaml
@@ -2,7 +2,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: pod-exec-role
-  namespace: falco-event-generator
  labels:
    app.kubernetes.io/name: pod-exec-role
    app.kubernetes.io/part-of: falco-event-generator
--- a/docker/event-generator/yaml/role-wildcard-resources.yaml
+++ b/docker/event-generator/yaml/role-wildcard-resources.yaml
@@ -2,7 +2,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: wildcard-resources-role
-  namespace: falco-event-generator
  labels:
    app.kubernetes.io/name: wildcard-resources-role
    app.kubernetes.io/part-of: falco-event-generator
--- a/docker/event-generator/yaml/role-write-privileges.yaml
+++ b/docker/event-generator/yaml/role-write-privileges.yaml
@@ -2,7 +2,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: write-privileges-role
-  namespace: falco-event-generator
  labels:
    app.kubernetes.io/name: write-privileges-role
    app.kubernetes.io/part-of: falco-event-generator
--- a/docker/event-generator/yaml/sensitive-mount-deployment.yaml
+++ b/docker/event-generator/yaml/sensitive-mount-deployment.yaml
@@ -2,7 +2,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: sensitive-mount-deployment
-  namespace: falco-event-generator
  labels:
    app.kubernetes.io/name: sensitive-mount-deployment
    app.kubernetes.io/part-of: falco-event-generator
--- a/docker/event-generator/yaml/vanilla-configmap.yaml
+++ b/docker/event-generator/yaml/vanilla-configmap.yaml
@@ -2,7 +2,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
  name: vanilla-configmap
-  namespace: falco-event-generator
  labels:
    app.kubernetes.io/name: vanilla-configmap
    app.kubernetes.io/part-of: falco-event-generator
--- a/docker/event-generator/yaml/vanilla-deployment.yaml
+++ b/docker/event-generator/yaml/vanilla-deployment.yaml
@@ -2,7 +2,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: vanilla-deployment
-  namespace: falco-event-generator
  labels:
    app.kubernetes.io/name: vanilla-deployment
    app.kubernetes.io/part-of: falco-event-generator
--- a/docker/event-generator/yaml/vanilla-role-rolebinding-serviceaccount.yaml
+++ b/docker/event-generator/yaml/vanilla-role-rolebinding-serviceaccount.yaml
@@ -2,7 +2,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: vanilla-role
-  namespace: falco-event-generator
  labels:
    app.kubernetes.io/name: vanilla-role
    app.kubernetes.io/part-of: falco-event-generator
@@ -20,7 +19,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: vanilla-role-binding
-  namespace: falco-event-generator
  labels:
    app.kubernetes.io/name: vanilla-role-binding
    app.kubernetes.io/part-of: falco-event-generator
@@ -38,7 +36,6 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: vanilla-serviceaccount
-  namespace: falco-event-generator
  labels:
    app.kubernetes.io/name: vanilla-serviceaccount
    app.kubernetes.io/part-of: falco-event-generator
--- a/docker/event-generator/yaml/vanilla-service.yaml
+++ b/docker/event-generator/yaml/vanilla-service.yaml
@@ -2,7 +2,6 @@ apiVersion: v1
 kind: Service
 metadata:
  name: vanilla-service
-  namespace: falco-event-generator
  labels:
    app.kubernetes.io/name: vanilla-service
    app.kubernetes.io/part-of: falco-event-generator
--- a/docker/kernel/linuxkit/Dockerfile
+++ b/docker/kernel/linuxkit/Dockerfile
@@ -1,38 +0,0 @@
-ARG ALPINE_VERSION=3.10
-ARG KERNEL_VERSION=4.9.184
-ARG FALCO_VERSION=0.19.0
-
-FROM linuxkit/kernel:${KERNEL_VERSION} AS ksrc
-FROM falcosecurity/falco:${FALCO_VERSION}-minimal as falco
-FROM alpine:${ALPINE_VERSION} AS probe-build
-LABEL maintainer="opensource@sysdig.com"
-ARG KERNEL_VERSION=4.9.184
-ARG FALCO_VERSION=0.19.0
-ENV FALCO_VERSION=${FALCO_VERSION}
-ENV KERNEL_VERSION=${KERNEL_VERSION}
-
-COPY --from=ksrc /kernel-dev.tar /
-COPY --from=falco /usr/src/falco-${FALCO_VERSION} /usr/src/falco-${FALCO_VERSION}
-
-RUN apk add --no-cache --update \
-  build-base gcc abuild binutils \
-  bc \
-  autoconf && \
-  export KERNELVER=`uname -r  | cut -d '-' -f 1`  && \
-  export KERNELDIR=/usr/src/linux-headers-${KERNEL_VERSION}-linuxkit/ && \
-  tar xf /kernel-dev.tar && \
-  cd $KERNELDIR && \
-  zcat /proc/1/root/proc/config.gz > .config && \
-  make olddefconfig && \
-  cd /usr/src/falco-${FALCO_VERSION} && \
-  make && \
-  apk del \
-  build-base gcc abuild binutils \
-  bc \
-  autoconf
-
-FROM alpine:${ALPINE_VERSION}
-ARG FALCO_VERSION=0.19.0
-ENV FALCO_VERSION=${FALCO_VERSION}
-COPY --from=probe-build /usr/src/falco-${FALCO_VERSION}/falco-probe.ko /
-CMD ["insmod","/falco-probe.ko"]
--- a/docker/kernel/probeloader/Dockerfile
+++ b/docker/kernel/probeloader/Dockerfile
@@ -1,18 +0,0 @@
-FROM golang:1.13-alpine AS build
-ARG FALCOCTL_REF=2be3df92edbac668284fe5c165ccb5bd6bf4e869
-
-RUN apk --no-cache add build-base git gcc ca-certificates
-
-RUN git clone https://github.com/falcosecurity/falcoctl.git /falcoctl
-
-WORKDIR /falcoctl
-
-RUN git checkout ${FALCOCTL_REF}
-RUN go mod vendor
-RUN CGO_ENABLED=0 GOOS=linux go build -a -o falcoctl -ldflags '-extldflags "-static"' .
-
-FROM scratch
-LABEL maintainer="opensource@sysdig.com"
-COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
-COPY --from=build /falcoctl/falcoctl /falcoctl
-CMD ["/falcoctl", "install", "probe"]
--- a/docker/local/Dockerfile
+++ b/docker/local/Dockerfile
@@ -1,7 +1,7 @@
-FROM debian:unstable
+FROM debian:stable

 LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
-LABEL maintainer="opensource@sysdig.com"
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"

 ARG FALCO_VERSION=
 RUN test -n FALCO_VERSION
@@ -13,84 +13,82 @@ ENV HOME /root

 RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root

-ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
-
 RUN apt-get update \
-    && apt-get install -y --no-install-recommends \
-    bash-completion \
-    bc \
-    clang-7 \
-    ca-certificates \
-    curl \
-    dkms \
-    gnupg2 \
-    gcc \
-    jq \
-    libc6-dev \
-    libelf-dev \
-    libyaml-0-2 \
-    llvm-7 \
-    netcat \
-    xz-utils \
-    libmpc3 \
-    binutils \
-    libgomp1 \
-    libitm1 \
-    libatomic1 \
-    liblsan0 \
-    libtsan0 \
-    libmpx2 \
-    libquadmath0 \
-    libcc1-0 \
-    && rm -rf /var/lib/apt/lists/*
+	&& apt-get install -y --no-install-recommends \
+	bash-completion \
+	bc \
+	clang-7 \
+	ca-certificates \
+	curl \
+	dkms \
+	gnupg2 \
+	gcc \
+	jq \
+	libc6-dev \
+	libelf-dev \
+	libyaml-0-2 \
+	llvm-7 \
+	netcat \
+	xz-utils \
+	libmpc3 \
+	binutils \
+	libgomp1 \
+	libitm1 \
+	libatomic1 \
+	liblsan0 \
+	libtsan0 \
+	libmpx2 \
+	libquadmath0 \
+	libcc1-0 \
+	&& rm -rf /var/lib/apt/lists/*

-# gcc 6 is no longer included in debian unstable, but we need it to
+# gcc 6 is no longer included in debian stable, but we need it to
 # build kernel modules on the default debian-based ami used by
 # kops. So grab copies we've saved from debian snapshots with the
 # prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
 # or so.

-RUN curl -o cpp-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/cpp-6_6.3.0-18_amd64.deb \
-    && curl -o gcc-6-base_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6-base_6.3.0-18_amd64.deb \
-    && curl -o gcc-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6_6.3.0-18_amd64.deb \
-    && curl -o libasan3_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libasan3_6.3.0-18_amd64.deb \
-    && curl -o libcilkrts5_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libcilkrts5_6.3.0-18_amd64.deb \
-    && curl -o libgcc-6-dev_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libgcc-6-dev_6.3.0-18_amd64.deb \
-    && curl -o libubsan0_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libubsan0_6.3.0-18_amd64.deb \
-    && curl -o libmpfr4_3.1.3-2_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libmpfr4_3.1.3-2_amd64.deb \
-    && curl -o libisl15_0.18-1_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libisl15_0.18-1_amd64.deb \
-    && dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
-    && rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
+RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \
+	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
+	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \
+	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \
+	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
+	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
+	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \
+	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \
+	&& curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \
+	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
+	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb

-# gcc 5 is no longer included in debian unstable, but we need it to
+# gcc 5 is no longer included in debian stable, but we need it to
 # build centos kernels, which are 3.x based and explicitly want a gcc
 # version 3, 4, or 5 compiler. So grab copies we've saved from debian
 # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.

-RUN curl -o cpp-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/cpp-5_5.5.0-12_amd64.deb \
-    && curl -o gcc-5-base_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
-    && curl -o gcc-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5_5.5.0-12_amd64.deb \
-    && curl -o libasan2_5.5.0-12_amd64.deb	https://s3.amazonaws.com/download.draios.com/dependencies/libasan2_5.5.0-12_amd64.deb \
-    && curl -o libgcc-5-dev_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
-    && curl -o libisl15_0.18-4_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libisl15_0.18-4_amd64.deb \
-    && curl -o libmpx0_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libmpx0_5.5.0-12_amd64.deb \
-    && dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
-    && rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
+RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \
+	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
+	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \
+	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \
+	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
+	&& curl -L -o libisl15_0.18-4_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \
+	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \
+	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
+	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb

 # Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
 # default to gcc-5.
 RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc

 RUN rm -rf /usr/bin/clang \
-    && rm -rf /usr/bin/llc \
-    && ln -s /usr/bin/clang-7 /usr/bin/clang \
-    && ln -s /usr/bin/llc-7 /usr/bin/llc
+	&& rm -rf /usr/bin/llc \
+	&& ln -s /usr/bin/clang-7 /usr/bin/clang \
+	&& ln -s /usr/bin/llc-7 /usr/bin/llc

 # Some base images have an empty /lib/modules by default
 # If it's not empty, docker build will fail instead of
 # silently overwriting the existing directory
 RUN rm -df /lib/modules \
-    && ln -s $HOST_ROOT/lib/modules /lib/modules
+	&& ln -s $HOST_ROOT/lib/modules /lib/modules

 ADD falco-${FALCO_VERSION}-x86_64.deb /
 RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
@@ -100,15 +98,15 @@ RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
    && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml

-# debian:unstable head contains binutils 2.31, which generates
+# debian:stable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -s -o binutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils_2.30-22_amd64.deb \
-    && curl -s -o libbinutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libbinutils_2.30-22_amd64.deb \
-    && curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
-    && curl -s -o binutils-common_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-common_2.30-22_amd64.deb \
-    && dpkg -i *binutils*.deb \
-    && rm -f *binutils*.deb
+RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \
+	&& curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \
+	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+	&& curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \
+	&& dpkg -i *binutils*.deb \
+	&& rm -f *binutils*.deb

 # The local container also copies some test trace files and
 # corresponding rules that are used when running regression tests.
--- a/docker/local/docker-entrypoint.sh
+++ b/docker/local/docker-entrypoint.sh
@@ -25,10 +25,11 @@ if [[ -z "${SKIP_MODULE_LOAD}" ]]; then

    for i in "$HOST_ROOT/usr/src"/*
    do
-        ln -s "$i" "/usr/src/$i"
+        base=$(basename "$i")
+        ln -s "$i" "/usr/src/$base"
    done

-    /usr/bin/falco-probe-loader
+    /usr/bin/falco-driver-loader
 fi

-exec "$@"
+exec "$@"
--- a/docker/minimal/Dockerfile
+++ b/docker/minimal/Dockerfile
@@ -1,20 +1,20 @@
 FROM ubuntu:18.04 as ubuntu

-LABEL maintainer="opensource@sysdig.com"
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"

-ARG FALCO_VERSION=0.19.0
+ARG FALCO_VERSION
+ARG VERSION_BUCKET=bin

 ENV FALCO_VERSION=${FALCO_VERSION}
+ENV VERSION_BUCKET=${VERSION_BUCKET}

 WORKDIR /

-ADD https://s3.amazonaws.com/download.draios.com/stable/tgz/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz /
+ADD https://bintray.com/api/ui/download/falcosecurity/${VERSION_BUCKET}/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz /

-# ADD will download from URL and unntar
-RUN apt-get update && \
-    apt-get install -y  binutils && \
-    # curl -O https://s3.amazonaws.com/download.draios.com/stable/tgz/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz && \
-    tar xfzv falco-${FALCO_VERSION}-x86_64.tar.gz && \
+RUN apt-get update -y && \
+    apt-get install -y libyaml-0-2 binutils && \
+    tar -xvf falco-${FALCO_VERSION}-x86_64.tar.gz && \
    rm -f falco-${FALCO_VERSION}-x86_64.tar.gz && \
    mv falco-${FALCO_VERSION}-x86_64 falco && \
    strip falco/usr/bin/falco && \
@@ -24,17 +24,25 @@ RUN apt-get update && \
 FROM scratch

 COPY --from=ubuntu /lib/x86_64-linux-gnu/libanl.so.1 \
-    /lib/x86_64-linux-gnu/libc.so.6 /lib/x86_64-linux-gnu/libdl.so.2 \
-    /lib/x86_64-linux-gnu/libgcc_s.so.1 /lib/x86_64-linux-gnu/libm.so.6 \
-    /lib/x86_64-linux-gnu/libnsl.so.1 /lib/x86_64-linux-gnu/libnss_compat.so.2 \
-    /lib/x86_64-linux-gnu/libnss_files.so.2 /lib/x86_64-linux-gnu/libnss_nis.so.2 \
-    /lib/x86_64-linux-gnu/libpthread.so.0 /lib/x86_64-linux-gnu/librt.so.1 \
+    /lib/x86_64-linux-gnu/libc.so.6 \
+    /lib/x86_64-linux-gnu/libdl.so.2 \
+    /lib/x86_64-linux-gnu/libgcc_s.so.1 \
+    /lib/x86_64-linux-gnu/libm.so.6 \
+    /lib/x86_64-linux-gnu/libnsl.so.1 \
+    /lib/x86_64-linux-gnu/libnss_compat.so.2 \
+    /lib/x86_64-linux-gnu/libnss_files.so.2 \
+    /lib/x86_64-linux-gnu/libnss_nis.so.2 \
+    /lib/x86_64-linux-gnu/libpthread.so.0 \
+    /lib/x86_64-linux-gnu/librt.so.1 \
    /lib/x86_64-linux-gnu/libz.so.1 \
    /lib/x86_64-linux-gnu/

 COPY --from=ubuntu /usr/lib/x86_64-linux-gnu/libstdc++.so.6 \
    /usr/lib/x86_64-linux-gnu/libstdc++.so.6

+COPY --from=ubuntu /usr/lib/x86_64-linux-gnu/libyaml-0.so.2.0.5 \
+    /usr/lib/x86_64-linux-gnu/libyaml-0.so.2
+
 COPY --from=ubuntu /etc/ld.so.cache \
    /etc/nsswitch.conf \
    /etc/ld.so.cache \
--- a/docker/rhel/Dockerfile
+++ b/docker/rhel/Dockerfile
@@ -1,38 +0,0 @@
-FROM registry.access.redhat.com/rhel7
-
-LABEL maintainer="opensource@sysdig.com"
-
-### Atomic/OpenShift Labels - https://github.com/projectatomic/ContainerApplicationGenericLabels
-LABEL name="falco" \
-    vendor="falcosecurity" \
-    url="http://falco.org/" \
-    summary="Container native runtime security" \
-    description="Falco is an open source project for intrusion and abnormality detection for Cloud Native platforms." \
-    run='docker run -d --name falco --restart always --privileged --net host --pid host -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --shm-size=350m registry.connect.redhat.com/sysdig/falco'
-
-COPY help.md /tmp/
-
-ENV HOST_ROOT /host
-ENV HOME /root
-
-ADD http://download.draios.com/stable/rpm/draios.repo /etc/yum.repos.d/draios.repo
-RUN rpm --import https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public && \
-    rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && \
-    yum clean all && \
-    REPOLIST=rhel-7-server-rpms,rhel-7-server-optional-rpms,epel,draios \
-    INSTALL_PKGS="gcc dkms kernel-devel kernel-headers python golang-github-cpuguy83-go-md2man falco" && \
-    yum -y update-minimal --disablerepo "*" --enablerepo ${REPOLIST} --setopt=tsflags=nodocs \
-    --security --sec-severity=Important --sec-severity=Critical && \
-    yum -y install --disablerepo "*" --enablerepo ${REPOLIST} --setopt=tsflags=nodocs ${INSTALL_PKGS} && \
-    ### help file markdown to man conversion
-    go-md2man -in /tmp/help.md -out /help.1 && \
-    ### we delete everything on /usr/src/kernels otherwise it messes up docker-entrypoint.sh
-    rm -fr /usr/src/kernels && \
-    rm -df /lib/modules && ln -s $HOST_ROOT/lib/modules /lib/modules && \
-    yum clean all
-
-COPY ./docker-entrypoint.sh /
-
-ENTRYPOINT ["/docker-entrypoint.sh"]
-
-CMD ["/usr/bin/falco"]
--- a/docker/rhel/docker-entrypoint.sh
+++ b/docker/rhel/docker-entrypoint.sh
@@ -1,34 +0,0 @@
-#!/usr/bin/env bash
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# set -e
-
-# Set the SKIP_MODULE_LOAD variable to skip loading the kernel module
-
-if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
-    echo "* Setting up /usr/src links from host"
-
-    for i in "$HOST_ROOT/usr/src"/*
-    do
-        ln -s "$i" "/usr/src/$i"
-    done
-
-    /usr/bin/falco-probe-loader
-fi
-
-exec "$@"
--- a/docker/rhel/help.md
+++ b/docker/rhel/help.md
@@ -1,15 +0,0 @@
-% falco (1) Container Image Pages
-% Falco Team
-% June, 2017
-
-# NAME
-falco \- Container Native runtime security
-
-# DESCRIPTION
-Falco is an open source project for intrusion and abnormality detection for Cloud Native platforms. See Falco website for more information: http://falco.org/
-
-# EXAMPLE
-    docker run -d --name falco --restart always --privileged --net host --pid host -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --shm-size=350m registry.connect.redhat.com/sysdig/falco
-
-# AUTHORS
-Falco Team
--- a/docker/slim-stable/Dockerfile
+++ b/docker/slim-stable/Dockerfile
@@ -1,50 +0,0 @@
-FROM ubuntu:18.04
-
-LABEL maintainer="opensource@sysdig.com"
-
-ENV FALCO_REPOSITORY stable
-
-LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
-
-ENV HOST_ROOT /host
-
-ENV HOME /root
-
-RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
-
-ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
-
-RUN apt-get update \
-  && apt-get install -y --no-install-recommends \
-  # 	bash-completion \
-  # 	bc \
-  ca-certificates \
-  curl \
-  gnupg2 \
-  jq \
-  # 	netcat \
-  # 	xz-utils \
-  && rm -rf /var/lib/apt/lists/*
-
-RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
-  && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
-  && apt-get update \
-  && apt-get install -y --no-install-recommends falco \
-  && apt-get clean \
-  && rm -rf /var/lib/apt/lists/*
-
-# Change the falco config within the container to enable ISO 8601
-# output.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-  && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
-
-# Some base images have an empty /lib/modules by default
-# If it's not empty, docker build will fail instead of
-# silently overwriting the existing directory
-RUN rm -df /lib/modules \
-  && ln -s $HOST_ROOT/lib/modules /lib/modules
-
-#COPY ./entrypoint.sh /
-# ENTRYPOINT ["/entrypoint.sh"]
-
-CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]
--- a/docker/slim-dev/Dockerfile
+++ b/docker/slim-dev/Dockerfile
@@ -1,35 +1,36 @@
 FROM ubuntu:18.04

-LABEL maintainer="opensource@sysdig.com"
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"

-ENV FALCO_REPOSITORY dev
+LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name <name> <image>"

-LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+ARG FALCO_VERSION=latest
+ARG VERSION_BUCKET=deb
+
+ENV FALCO_VERSION=${FALCO_VERSION}
+ENV VERSION_BUCKET=${VERSION_BUCKET}

 ENV HOST_ROOT /host
-
 ENV HOME /root

 RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root

-ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
-
 RUN apt-get update \
  && apt-get install -y --no-install-recommends \
-  # 	bash-completion \
-  # 	bc \
+  # bash-completion \
+  # bc \
  ca-certificates \
  curl \
  gnupg2 \
  jq \
-  # 	netcat \
-  # 	xz-utils \
+  # netcat \
+  # xz-utils \
  && rm -rf /var/lib/apt/lists/*

-RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
-  && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
-  && apt-get update \
-  && apt-get install -y --no-install-recommends falco \
+RUN curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add - \
+  && echo "deb https://dl.bintray.com/falcosecurity/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
+  && apt-get update -y \
+  && if [ "$FALCO_VERSION" = "latest" ]; then apt-get install -y --no-install-recommends falco; else apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
  && apt-get clean \
  && rm -rf /var/lib/apt/lists/*

@@ -44,7 +45,4 @@ RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/fa
 RUN rm -df /lib/modules \
  && ln -s $HOST_ROOT/lib/modules /lib/modules

-#COPY ./entrypoint.sh /
-# ENTRYPOINT ["/entrypoint.sh"]
-
 CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]
--- a/docker/stable/Dockerfile
+++ b/docker/stable/Dockerfile
@@ -1,19 +1,19 @@
-FROM debian:unstable
+FROM debian:stable

-LABEL maintainer="opensource@sysdig.com"
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"

-ENV FALCO_REPOSITORY stable
+LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"

-LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+ARG FALCO_VERSION=latest
+ARG VERSION_BUCKET=deb
+ENV VERSION_BUCKET=${VERSION_BUCKET}

+ENV FALCO_VERSION=${FALCO_VERSION}
 ENV HOST_ROOT /host
-
 ENV HOME /root

 RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root

-ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
-
 RUN apt-get update \
 	&& apt-get install -y --no-install-recommends \
 	bash-completion \
@@ -33,36 +33,36 @@ RUN apt-get update \
 	xz-utils \
 	&& rm -rf /var/lib/apt/lists/*

-# gcc 6 is no longer included in debian unstable, but we need it to
+# gcc 6 is no longer included in debian stable, but we need it to
 # build kernel modules on the default debian-based ami used by
 # kops. So grab copies we've saved from debian snapshots with the
 # prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
 # or so.

-RUN curl -o cpp-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/cpp-6_6.3.0-18_amd64.deb \
-	&& curl -o gcc-6-base_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6-base_6.3.0-18_amd64.deb \
-	&& curl -o gcc-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6_6.3.0-18_amd64.deb \
-	&& curl -o libasan3_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libasan3_6.3.0-18_amd64.deb \
-	&& curl -o libcilkrts5_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libcilkrts5_6.3.0-18_amd64.deb \
-	&& curl -o libgcc-6-dev_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libgcc-6-dev_6.3.0-18_amd64.deb \
-	&& curl -o libubsan0_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libubsan0_6.3.0-18_amd64.deb \
-	&& curl -o libmpfr4_3.1.3-2_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libmpfr4_3.1.3-2_amd64.deb \
-	&& curl -o libisl15_0.18-1_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libisl15_0.18-1_amd64.deb \
+RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \
+	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
+	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \
+	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \
+	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
+	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
+	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \
+	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \
+	&& curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \
 	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
 	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb

-# gcc 5 is no longer included in debian unstable, but we need it to
+# gcc 5 is no longer included in debian stable, but we need it to
 # build centos kernels, which are 3.x based and explicitly want a gcc
 # version 3, 4, or 5 compiler. So grab copies we've saved from debian
 # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.

-RUN curl -o cpp-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/cpp-5_5.5.0-12_amd64.deb \
-	&& curl -o gcc-5-base_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
-	&& curl -o gcc-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5_5.5.0-12_amd64.deb \
-	&& curl -o libasan2_5.5.0-12_amd64.deb	https://s3.amazonaws.com/download.draios.com/dependencies/libasan2_5.5.0-12_amd64.deb \
-	&& curl -o libgcc-5-dev_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
-	&& curl -o libisl15_0.18-4_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libisl15_0.18-4_amd64.deb \
-	&& curl -o libmpx0_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libmpx0_5.5.0-12_amd64.deb \
+RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \
+	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
+	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \
+	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \
+	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
+	&& curl -L -o libisl15_0.18-4_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \
+	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \
 	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
 	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb

@@ -75,10 +75,10 @@ RUN rm -rf /usr/bin/clang \
 	&& ln -s /usr/bin/clang-7 /usr/bin/clang \
 	&& ln -s /usr/bin/llc-7 /usr/bin/llc

-RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
-	&& curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
-	&& apt-get update \
-	&& apt-get install -y --no-install-recommends falco \
+RUN curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add - \
+	&& echo "deb https://dl.bintray.com/falcosecurity/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
+	&& apt-get update -y \
+	&& if [ "$FALCO_VERSION" = "latest" ]; then apt-get install -y --no-install-recommends falco; else apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
 	&& apt-get clean \
 	&& rm -rf /var/lib/apt/lists/*

@@ -93,13 +93,13 @@ RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/fa
 RUN rm -df /lib/modules \
 	&& ln -s $HOST_ROOT/lib/modules /lib/modules

-# debian:unstable head contains binutils 2.31, which generates
+# debian:stable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -s -o binutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils_2.30-22_amd64.deb \
-	&& curl -s -o libbinutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libbinutils_2.30-22_amd64.deb \
-	&& curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
-	&& curl -s -o binutils-common_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-common_2.30-22_amd64.deb \
+RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \
+	&& curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \
+	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+	&& curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \
 	&& dpkg -i *binutils*.deb \
 	&& rm -f *binutils*.deb

--- a/docker/stable/docker-entrypoint.sh
+++ b/docker/stable/docker-entrypoint.sh
@@ -25,10 +25,11 @@ if [[ -z "${SKIP_MODULE_LOAD}" ]]; then

    for i in "$HOST_ROOT/usr/src"/*
    do
-        ln -s "$i" "/usr/src/$i"
+        base=$(basename "$i")
+        ln -s "$i" "/usr/src/$base"
    done

-    /usr/bin/falco-probe-loader
+    /usr/bin/falco-driver-loader
 fi

 exec "$@"
--- a/docker/tester/Dockerfile
+++ b/docker/tester/Dockerfile
@@ -2,15 +2,15 @@ FROM fedora:31

 LABEL name="falcosecurity/falco-tester"
 LABEL usage="docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build -e FALCO_VERSION=<current_falco_version> --name <name> falcosecurity/falco-tester test"
-LABEL maintainer="opensource@sysdig.com"
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"

 ENV FALCO_VERSION=
 ENV BUILD_TYPE=release

-RUN dnf install -y python2-pip python2 docker findutils jq unzip && dnf clean all
+RUN dnf install -y python-pip python docker findutils jq unzip && dnf clean all
 ENV PATH="/root/.local/bin/:${PATH}"
-RUN pip2 install --user avocado-framework==69.0
-RUN pip2 install --user avocado-framework-plugin-varianter-yaml-to-mux==69.0
+RUN pip install --user avocado-framework==69.0
+RUN pip install --user avocado-framework-plugin-varianter-yaml-to-mux==69.0

 COPY ./root /

--- a/docker/tester/root/runners/deb.Dockerfile
+++ b/docker/tester/root/runners/deb.Dockerfile
@@ -1,5 +1,5 @@
 FROM ubuntu:18.04
-LABEL maintainer="opensource@sysdig.com"
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"

 ARG FALCO_VERSION=
 RUN test -n FALCO_VERSION
--- a/docker/tester/root/runners/rpm.Dockerfile
+++ b/docker/tester/root/runners/rpm.Dockerfile
@@ -1,6 +1,6 @@
 FROM centos:7

-LABEL maintainer="opensource@sysdig.com"
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"

 ARG FALCO_VERSION=
 RUN test -n FALCO_VERSION
--- a/docker/tester/root/usr/bin/entrypoint
+++ b/docker/tester/root/usr/bin/entrypoint
@@ -47,7 +47,7 @@ case "$CMD" in
 "test")
    if [ -z "$FALCO_VERSION" ]; then
        echo "Automatically figuring out Falco version."
-        FALCO_VERSION=$("$BUILD_DIR/$BUILD_TYPE/userspace/falco/falco" --version | cut -d' ' -f3 | tr -d '\r')
+        FALCO_VERSION=$("$BUILD_DIR/$BUILD_TYPE/userspace/falco/falco" --version | head -n 1 | cut -d' ' -f3 | tr -d '\r')
        echo "Falco version: $FALCO_VERSION"
    fi
    if [ -z "$FALCO_VERSION" ]; then
--- a/docker/tester/root/usr/bin/usage
+++ b/docker/tester/root/usr/bin/usage
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash

-pythonversion=$(python2 -c 'import sys; version=sys.version_info[:3]; print("{0}.{1}.{2}".format(*version))')
-pipversion=$(pip2 --version | cut -d' ' -f 1,2,5,6)
+pythonversion=$(python -c 'import sys; version=sys.version_info[:3]; print("{0}.{1}.{2}".format(*version))')
+pipversion=$(pip --version | cut -d' ' -f 1,2,5,6)
 dockerversion=$(docker --version)
 avocadoversion=$(pip2 show avocado-framework | grep Version)
 avocadoversion=${avocadoversion#"Version: "}
--- a/integrations/k8s-using-daemonset/falco-event-generator-deployment.yaml
+++ b/integrations/k8s-using-daemonset/falco-event-generator-deployment.yaml
@@ -1,4 +1,4 @@
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: falco-event-generator-deployment
--- a/integrations/k8s-using-daemonset/k8s-with-rbac/falco-account.yaml
+++ b/integrations/k8s-using-daemonset/k8s-with-rbac/falco-account.yaml
@@ -7,7 +7,7 @@ metadata:
    role: security
 ---
 kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: falco-cluster-role
  labels:
@@ -17,11 +17,14 @@ rules:
  - apiGroups: ["extensions",""]
    resources: ["nodes","namespaces","pods","replicationcontrollers","replicasets","services","daemonsets","deployments","events","configmaps"]
    verbs: ["get","list","watch"]
+  - apiGroups: ["apps"]
+    resources: ["daemonsets","deployments","replicasets","statefulsets"]
+    verbs: ["get","list","watch"]
  - nonResourceURLs: ["/healthz", "/healthz/*"]
    verbs: ["get"]
 ---
 kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: falco-cluster-role-binding
  namespace: default
--- a/integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap-slim.yaml
+++ b/integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap-slim.yaml
@@ -1,4 +1,4 @@
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  name: falco-daemonset
@@ -6,6 +6,10 @@ metadata:
    app: falco-example
    role: security
 spec:
+  selector:
+    matchLabels:
+      app: falco-example
+      role: security
  template:
    metadata:
      labels:
@@ -20,7 +24,7 @@ spec:
            privileged: true
          #env:
          #  - name: FALCOCTL_FALCO_VERSION
-          #    value: 0.19.0
+          #    value: 0.21.0
          #  - name: FALCOCTL_FALCO_PROBE_URL
          #    value:
          #  - name: FALCOCTL_FALCO_PROBE_REPO
@@ -31,7 +35,7 @@ spec:
              readOnly: true
      containers:
        - name: falco
-          image: falcosecurity/falco:0.19.0-slim
+          image: falcosecurity/falco:0.21.0-slim
          securityContext:
            privileged: true
 # Uncomment the 3 lines below to enable eBPF support for Falco.
@@ -39,9 +43,9 @@ spec:
 # Leave blank for the default probe location, or set to the path
 # of a precompiled probe.
 #          env:
-#          - name: BPF_PROBE
+#          - name: FALCO_BPF_PROBE
 #            value: ""
-          args: [ "/usr/bin/falco", "--cri", "/host/run/containerd/containerd.sock", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://$(KUBERNETES_SERVICE_HOST)", "-pk"]
+          args: [ "/usr/bin/falco", "--cri", "/run/containerd/containerd.sock", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://$(KUBERNETES_SERVICE_HOST)", "-pk"]
          volumeMounts:
            - mountPath: /host/var/run/docker.sock
              name: docker-socket
--- a/integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml
+++ b/integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml
@@ -1,4 +1,4 @@
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  name: falco-daemonset
@@ -6,6 +6,10 @@ metadata:
    app: falco-example
    role: security
 spec:
+  selector:
+    matchLabels:
+      app: falco-example
+      role: security
  template:
    metadata:
      labels:
@@ -23,9 +27,9 @@ spec:
 # Leave blank for the default probe location, or set to the path
 # of a precompiled probe.
 #          env:
-#          - name: BPF_PROBE
+#          - name: FALCO_BPF_PROBE
 #            value: ""
-          args: [ "/usr/bin/falco", "--cri", "/host/run/containerd/containerd.sock", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://$(KUBERNETES_SERVICE_HOST)", "-pk"]
+          args: [ "/usr/bin/falco", "--cri", "/run/containerd/containerd.sock", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://$(KUBERNETES_SERVICE_HOST)", "-pk"]
          volumeMounts:
            - mountPath: /host/var/run/docker.sock
              name: docker-socket
--- a/integrations/k8s-using-daemonset/k8s-without-rbac/falco-daemonset.yaml
+++ b/integrations/k8s-using-daemonset/k8s-without-rbac/falco-daemonset.yaml
@@ -1,4 +1,4 @@
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  name: falco
@@ -6,6 +6,11 @@ metadata:
    name: falco-daemonset
    app: demo
 spec:
+  selector:
+    matchLabels:
+      name: falco
+      app: demo
+      role: security
  template:
    metadata:
      labels:
@@ -18,7 +23,7 @@ spec:
          image: falcosecurity/falco:latest
          securityContext:
            privileged: true
-          args: [ "/usr/bin/falco", "--cri", "/host/run/containerd/containerd.sock", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://kubernetes.default", "-pk", "-o", "json_output=true", "-o", "program_output.enabled=true", "-o",  "program_output.program=jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/see_your_slack_team/apps_settings_for/a_webhook_url"]
+          args: [ "/usr/bin/falco", "--cri", "/run/containerd/containerd.sock", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://kubernetes.default", "-pk", "-o", "json_output=true", "-o", "program_output.enabled=true", "-o",  "program_output.program=jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/see_your_slack_team/apps_settings_for/a_webhook_url"]
          volumeMounts:
            - mountPath: /host/var/run/docker.sock
              name: docker-socket
--- a/integrations/k8s-using-deployment/falco-event-generator-deployment.yaml
+++ b/integrations/k8s-using-deployment/falco-event-generator-deployment.yaml
@@ -1,4 +1,4 @@
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: falco-event-generator-deployment
--- a/integrations/k8s-using-deployment/k8s-with-rbac/falco-k8s-audit-account.yaml
+++ b/integrations/k8s-using-deployment/k8s-with-rbac/falco-k8s-audit-account.yaml
@@ -7,7 +7,7 @@ metadata:
    role: security
 ---
 kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: falco-cluster-role
  labels:
@@ -17,11 +17,14 @@ rules:
  - apiGroups: ["extensions",""]
    resources: ["nodes","namespaces","pods","replicationcontrollers","replicasets","services","daemonsets","deployments","events","configmaps"]
    verbs: ["get","list","watch"]
+  - apiGroups: ["apps"]
+    resources: ["daemonsets","deployments","replicasets","statefulsets"]
+    verbs: ["get","list","watch"]
  - nonResourceURLs: ["/healthz", "/healthz/*"]
    verbs: ["get"]
 ---
 kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: falco-cluster-role-binding
  namespace: default
--- a/integrations/k8s-using-deployment/k8s-with-rbac/falco-k8s-audit-deployment.yaml
+++ b/integrations/k8s-using-deployment/k8s-with-rbac/falco-k8s-audit-deployment.yaml
@@ -1,4 +1,4 @@
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: falco-k8s-audit
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -450,7 +450,7 @@
    a shell configuration file has been modified (user=%user.name command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name container_id=%container.id image=%container.image.repository)
  priority:
    WARNING
-  tag: [file, mitre_persistence]
+  tags: [file, mitre_persistence]

 # This rule is not enabled by default, as there are many legitimate
 # readers of shell config files. If you want to enable it, modify the
@@ -472,7 +472,7 @@
    a shell configuration file was read by a non-shell program (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
  priority:
    WARNING
-  tag: [file, mitre_discovery]
+  tags: [file, mitre_discovery]

 - macro: consider_all_cron_jobs
  condition: (never_true)
@@ -488,7 +488,7 @@
    file=%fd.name container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
  priority:
    NOTICE
-  tag: [file, mitre_persistence]
+  tags: [file, mitre_persistence]

 # Use this to test whether the event occurred within a container.

@@ -744,7 +744,7 @@

 - macro: ms_oms_writing_conf
  condition: >
-    ((proc.name in (omiagent,omsagent,in_heartbeat_r*,omsadmin.sh,PerformInventor)
+    ((proc.name in (omiagent,omsagent,in_heartbeat_r*,omsadmin.sh,PerformInventor,dsc_host)
       or proc.pname in (ms_oms_binaries)
       or proc.aname[2] in (ms_oms_binaries))
     and (fd.name startswith /etc/opt/omi or fd.name startswith /etc/opt/microsoft/omsagent))
@@ -1156,6 +1156,16 @@
 - macro: automount_using_mtab
  condition: (proc.pname = automount and fd.name startswith /etc/mtab)

+- macro: mcafee_writing_cma_d
+  condition: (proc.name=macompatsvc and fd.directory=/etc/cma.d)
+
+- macro: avinetworks_supervisor_writing_ssh
+  condition: >
+    (proc.cmdline="se_supervisor.p /opt/avi/scripts/se_supervisor.py -d" and
+      (fd.name startswith /etc/ssh/known_host_ or
+       fd.name startswith /etc/ssh/ssh_monitor_config_ or
+       fd.name startswith /etc/ssh/ssh_config_))
+
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to allow for specific combinations of
 # programs writing below specific directories below
@@ -1190,6 +1200,7 @@
                          qualys-cloud-ag, locales.postins, nomachine_binaries,
                          adclient, certutil, crlutil, pam-auth-update, parallels_insta,
                          openshift-launc, update-rc.d, puppet)
+    and not (container and proc.cmdline in ("cp /run/secrets/kubernetes.io/serviceaccount/ca.crt /etc/pki/ca-trust/source/anchors/openshift-ca.crt"))
    and not proc.pname in (sysdigcloud_binaries, mail_config_binaries, hddtemp.postins, sshkit_script_binaries, locales.postins, deb_binaries, dhcp_binaries)
    and not fd.name pmatch (safe_etc_dirs)
    and not fd.name in (/etc/container_environment.sh, /etc/container_environment.json, /etc/motd, /etc/motd.svc)
@@ -1273,6 +1284,8 @@
    and not etcd_manager_updating_dns
    and not user_known_write_below_etc_activities
    and not automount_using_mtab
+    and not mcafee_writing_cma_d
+    and not avinetworks_supervisor_writing_ssh

 - rule: Write below etc
  desc: an attempt to write to any file below /etc
@@ -1340,12 +1353,15 @@
 - macro: user_known_write_below_root_activities
  condition: (never_true)

+- macro: runc_writing_exec_fifo
+  condition: (proc.cmdline="runc:[1:CHILD] init" and fd.name=/exec.fifo)
+
 - rule: Write below root
  desc: an attempt to write to any file directly below / or /root
  condition: >
    root_dir and evt.dir = < and open_write
    and not fd.name in (known_root_files)
-    and not fd.directory in (known_root_directories)
+    and not fd.directory pmatch (known_root_directories)
    and not exe_running_docker_save
    and not gugent_writing_guestagent_log
    and not dse_writing_tmp
@@ -1359,6 +1375,7 @@
    and not galley_writing_state
    and not calico_writing_state
    and not rancher_writing_root
+    and not runc_writing_exec_fifo
    and not known_root_conditions
    and not user_known_write_root_conditions
    and not user_known_write_below_root_activities
@@ -1527,13 +1544,13 @@
    an attempt to change a program/thread\'s namespace (commonly done
    as a part of creating a container) by calling setns.
  condition: >
-    evt.type = setns
-    and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries,
-                          sysdig, nsenter, calico, oci-umount, network_plugin_binaries)
+    evt.type=setns and evt.dir=<
+    and not (container.id=host and proc.name in (docker_binaries, k8s_binaries, lxd_binaries, nsenter))
+    and not proc.name in (sysdigcloud_binaries, sysdig, calico, oci-umount, cilium-cni, network_plugin_binaries)
    and not proc.name in (user_known_change_thread_namespace_binaries)
    and not proc.name startswith "runc"
    and not proc.cmdline startswith "containerd"
-    and not proc.pname in (sysdigcloud_binaries)
+    and not proc.pname in (sysdigcloud_binaries, hyperkube, kubelet)
    and not python_running_sdchecks
    and not java_running_sdjagent
    and not kubelet_running_loopback
@@ -1544,9 +1561,9 @@
    and not user_known_change_thread_namespace_activities
  output: >
    Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline
-    parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository)
+    parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository:%container.image.tag)
  priority: NOTICE
-  tags: [process]
+  tags: [process, mitre_privilege_escalation, mitre_lateral_movement]

 # The binaries in this list and their descendents are *not* allowed
 # spawn shells. This includes the binaries spawning shells directly as
@@ -1668,7 +1685,8 @@
                           mesos_shell_binaries,
                           erl_child_setup, exechealthz,
                           PM2, PassengerWatchd, c_rehash, svlogd, logrotate, hhvm, serf,
-                           lb-controller, nvidia-installe, runsv, statsite, erlexec)
+                           lb-controller, nvidia-installe, runsv, statsite, erlexec, calico-node,
+                           "puma reactor")
    and not proc.cmdline in (known_shell_spawn_cmdlines)
    and not proc.aname in (unicorn_launche)
    and not consul_running_net_scripts
@@ -1989,14 +2007,27 @@
  condition: >
    (fd.sockfamily = ip and (system_procs or proc.name in (shell_binaries)))
    and (inbound_outbound)
-    and not proc.name in (systemd, hostid, id)
+    and not proc.name in (known_system_procs_network_activity_binaries)
    and not login_doing_dns_lookup
+    and not user_expected_system_procs_network_activity_conditions
  output: >
    Known system binary sent/received network traffic
    (user=%user.name command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository)
  priority: NOTICE
  tags: [network, mitre_exfiltration]

+# This list allows easily whitelisting system proc names that are
+# expected to communicate on the network.
+- list: known_system_procs_network_activity_binaries
+  items: [systemd, hostid, id]
+
+# This macro allows specifying conditions under which a system binary
+# is allowed to communicate on the network. For instance, only specific
+# proc.cmdline values could be allowed to be more granular in what is
+# allowed.
+- macro: user_expected_system_procs_network_activity_conditions
+  condition: (never_true)
+
 # When filled in, this should look something like:
 # (proc.env contains "HTTP_PROXY=http://my.http.proxy.com ")
 # The trailing space is intentional so avoid matching on prefixes of
@@ -2462,7 +2493,7 @@
    Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
  priority:
    WARNING
-  tag: [process, mitre_defense_evation]
+  tags: [process, mitre_defense_evasion]

 # This rule is deprecated and will/should never be triggered. Keep it here for backport compatibility.
 # Rule Delete or rename shell history is the preferred rule to use now.
@@ -2475,7 +2506,7 @@
    Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
  priority:
    WARNING
-  tag: [process, mitre_defense_evation]
+  tags: [process, mitre_defense_evasion]

 - macro: consider_all_chmods
  condition: (always_true)
@@ -2497,7 +2528,7 @@
    command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
  priority:
    NOTICE
-  tag: [process, mitre_persistence]
+  tags: [process, mitre_persistence]

 - list: exclude_hidden_directories
  items: [/root/.cassandra]
@@ -2519,7 +2550,7 @@
    file=%fd.name newpath=%evt.arg.newpath container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
  priority:
    NOTICE
-  tag: [file, mitre_persistence]
+  tags: [file, mitre_persistence]

 - list: remote_file_copy_binaries
  items: [rsync, scp, sftp, dcp]
@@ -2627,11 +2658,18 @@
  condition: (fd.sport in (miner_ports) and fd.sip.name in (miner_domains))

 - macro: net_miner_pool
-  condition: (evt.type in (sendto, sendmsg) and evt.dir=< and ((minerpool_http) or (minerpool_https) or (minerpool_other)))
+  condition: (evt.type in (sendto, sendmsg) and evt.dir=< and (fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and ((minerpool_http) or (minerpool_https) or (minerpool_other)))

+- macro: trusted_images_query_miner_domain_dns
+  condition: (container.image.repository endswith "sysdig/agent" or container.image.repository endswith "falcosecurity/falco")
+  append: false
+
+# The rule is disabled by default. 
+# Note: falco will send DNS request to resolve miner pool domain which may trigger alerts in your environment.
 - rule: Detect outbound connections to common miner pool ports
  desc: Miners typically connect to miner pools on common ports.
-  condition: net_miner_pool
+  condition: net_miner_pool and not trusted_images_query_miner_domain_dns
+  enabled: false
  output: Outbound connection to IP/Port flagged by cryptoioc.ch (command=%proc.cmdline port=%fd.rport ip=%fd.rip container=%container.info image=%container.image.repository)
  priority: CRITICAL
  tags: [network, mitre_execution]
@@ -2675,6 +2713,89 @@
  priority: NOTICE
  tags: [network, mitre_discovery]
  
+# Change to (always_true) to enable rule 'Network connection outside local subnet'
+- macro: enabled_rule_network_only_subnet
+  condition: (never_true)
+
+# Images that are allowed to have outbound traffic
+- list: images_allow_network_outside_subnet
+  items: []
+
+# Namespaces where the rule is enforce
+- list: namespace_scope_network_only_subnet
+  items: [] 
+
+- macro: network_local_subnet
+  condition: >
+    fd.rnet in (rfc_1918_addresses) or
+    fd.ip = "0.0.0.0" or 
+    fd.net = "127.0.0.0/8"
+
+# # How to test:
+# # Change macro enabled_rule_network_only_subnet to condition: always_true
+# # Add 'default' to namespace_scope_network_only_subnet
+# # Run:
+# kubectl run --generator=run-pod/v1 -n default -i --tty busybox --image=busybox --rm -- wget google.com -O /var/google.html
+# # Check logs running  
+
+- rule: Network Connection outside Local Subnet
+  desc: Detect traffic to image outside local subnet.
+  condition: >
+    enabled_rule_network_only_subnet and
+    inbound_outbound and 
+    container and
+    not network_local_subnet and
+    k8s.ns.name in (namespace_scope_network_only_subnet)
+  output: >
+    Network connection outside local subnet
+    (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id 
+    image=%container.image.repository namespace=%k8s.ns.name
+    fd.rip.name=%fd.rip.name fd.lip.name=%fd.lip.name fd.cip.name=%fd.cip.name fd.sip.name=%fd.sip.name)
+  priority: WARNING
+  tags: [network]
+  
+
+
+- macro: allowed_port
+  condition: (never_true)
+
+- list: allowed_image
+  items: [] # add image to monitor, i.e.: bitnami/nginx
+
+- list: authorized_server_binaries
+  items: []  # add binary to allow, i.e.: nginx
+
+- list: authorized_server_port
+  items: [] # add port to allow, i.e.: 80
+
+# # How to test:
+# kubectl run --image=nginx nginx-app --port=80 --env="DOMAIN=cluster"
+# kubectl expose deployment nginx-app --port=80 --name=nginx-http --type=LoadBalancer
+# # On minikube:
+# minikube service nginx-http
+# # On general K8s:
+# kubectl get services
+# kubectl cluster-info
+# # Visit the Nginx service and port, should not fire.
+# # Change rule to different port, then different process name, and test again that it fires.
+
+- rule: Outbound or Inbound Traffic not to Authorized Server Process and Port
+  desc: Detect traffic that is not to authorized server process and port.
+  condition: >
+    allowed_port and
+    inbound_outbound and
+    container and
+    container.image.repository in (allowed_image) and
+    not proc.name in (authorized_server_binary) and
+    not fd.sport in (authorized_server_port)
+  output: >
+    Network connection outside authorized port and binary
+    (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id 
+    image=%container.image.repository)
+  priority: WARNING
+  tags: [network]
+
+

 # Application rules have moved to application_rules.yaml. Please look
 # there if you want to enable them by adding to
--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@@ -225,7 +225,7 @@
 # Detect creating a service account in the kube-system/kube-public namespace
 - rule: Service Account Created in Kube Namespace
  desc: Detect any attempt to create a serviceaccount in the kube-system or kube-public namespaces
-  condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public)
+  condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public) and response_successful
  output: Service account created in kube namespace (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace)
  priority: WARNING
  source: k8s_audit
@@ -418,3 +418,118 @@
  priority: DEBUG
  source: k8s_audit
  tags: [k8s]
+
+
+# This macro disables following rule, change to k8s_audit_never_true to enable it
+- macro: allowed_full_admin_users
+  condition: (k8s_audit_always_true)
+
+# This list includes some of the default user names for an administrator in several K8s installations
+- list: full_admin_k8s_users
+  items: ["admin", "kubernetes-admin",  "kubernetes-admin@kubernetes", "kubernetes-admin@cluster.local", "minikube-user"]
+
+# This rules detect an operation triggered by an user name that is 
+# included in the list of those that are default administrators upon 
+# cluster creation. This may signify a permission setting too broader. 
+# As we can't check for role of the user on a general ka.* event, this 
+# may or may not be an administrator. Customize the full_admin_k8s_users 
+# list to your needs, and activate at your discrection.
+
+# # How to test:
+# # Execute any kubectl command connected using default cluster user, as:
+# kubectl create namespace rule-test
+
+- rule: Full K8s Administrative Access
+  desc: Detect any k8s operation by a user name that may be an administrator with full access.
+  condition: >
+    kevt 
+    and non_system_user 
+    and ka.user.name in (admin_k8s_users) 
+    and not allowed_full_admin_users
+  output: K8s Operation performed by full admin user (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
+  priority: WARNING
+  source: k8s_audit
+  tags: [k8s]
+
+
+
+- macro: ingress
+  condition: ka.target.resource=ingresses
+
+- macro: ingress_tls
+  condition: (jevt.value[/requestObject/spec/tls] exists)
+
+# # How to test:
+# # Create an ingress.yaml file with content:
+# apiVersion: networking.k8s.io/v1beta1
+# kind: Ingress
+# metadata:
+#   name: test-ingress
+#   annotations:
+#     nginx.ingress.kubernetes.io/rewrite-target: /
+# spec:
+#   rules:
+#   - http:
+#       paths:
+#       - path: /testpath
+#         backend:
+#           serviceName: test
+#           servicePort: 80
+# # Execute: kubectl apply -f ingress.yaml
+
+- rule: Ingress Object without TLS Certificate Created
+  desc: Detect any attempt to create an ingress without TLS certification.
+  condition: >
+    (kactivity and kcreate and ingress and response_successful and not ingress_tls)
+  output: >
+    K8s Ingress Without TLS Cert Created (user=%ka.user.name ingress=%ka.target.name
+    namespace=%ka.target.namespace)
+  source: k8s_audit    
+  priority: WARNING
+  tags: [k8s, network]
+
+
+
+- macro: node
+  condition: ka.target.resource=nodes
+
+- macro: allow_all_k8s_nodes
+  condition: (k8s_audit_always_true)
+
+- list: allowed_k8s_nodes
+  items: []
+
+# # How to test:
+# # Create a Falco monitored cluster with Kops
+# # Increase the number of minimum nodes with:
+# kops edit ig nodes
+# kops apply --yes
+
+- rule: Untrusted Node Successfully Joined the Cluster
+  desc: >
+    Detect a node successfully joined the cluster outside of the list of allowed nodes.
+  condition: >
+    kevt and node 
+    and kcreate 
+    and response_successful 
+    and not allow_all_k8s_nodes 
+    and not ka.target.name in (allowed_k8s_nodes)
+  output: Node not in allowed list successfully joined the cluster (user=%ka.user.name node=%ka.target.name)
+  priority: ERROR
+  source: k8s_audit
+  tags: [k8s]
+
+- rule: Untrusted Node Unsuccessfully Tried to Join the Cluster
+  desc: >
+    Detect an unsuccessful attempt to join the cluster for a node not in the list of allowed nodes.
+  condition: >
+    kevt and node 
+    and kcreate 
+    and not response_successful 
+    and not allow_all_k8s_nodes 
+    and not ka.target.name in (allowed_k8s_nodes)
+  output: Node not in allowed list tried unsuccessfully to join the cluster  (user=%ka.user.name node=%ka.target.name reason=%ka.response.reason)
+  priority: WARNING
+  source: k8s_audit
+  tags: [k8s]
+
--- a/scripts/CMakeLists.txt
+++ b/scripts/CMakeLists.txt
@@ -23,7 +23,9 @@ file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco"
 file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco"
 	DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")

+configure_file(falco-driver-loader falco-driver-loader @ONLY)
+
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
-	install(PROGRAMS ${PROJECT_SOURCE_DIR}/scripts/falco-probe-loader
+	install(PROGRAMS ${PROJECT_BINARY_DIR}/scripts/falco-driver-loader
 		DESTINATION ${FALCO_BIN_DIR})
 endif()
--- a/scripts/debian/falco
+++ b/scripts/debian/falco
@@ -26,7 +26,7 @@
 #                    driven by system calls with support for containers.
 ### END INIT INFO

-# Author: The Falco Authors <opensource@sysdig.com>
+# Author: The Falco Authors <cncf-falco-dev@lists.cncf.io>

 # Do NOT "set -e"

--- a/scripts/falco-driver-loader
+++ b/scripts/falco-driver-loader
@@ -25,20 +25,20 @@
 #
 cos_version_greater()
 {
-	if [[ $cos_ver == $base_ver ]]; then
+	if [[ $cos_ver == "${base_ver}" ]]; then
 		return 0
 	fi

 	#
 	# COS build numbers are in the format x.y.z
 	#
-	a=`echo $cos_ver | cut -d. -f1`
-	b=`echo $cos_ver | cut -d. -f2`
-	c=`echo $cos_ver | cut -d. -f3`
+	a=$(echo "${cos_ver}" | cut -d. -f1)
+	b=$(echo "${cos_ver}" | cut -d. -f2)
+	c=$(echo "${cos_ver}" | cut -d. -f3)

-	d=`echo $base_ver | cut -d. -f1`
-	e=`echo $base_ver | cut -d. -f2`
-	f=`echo $base_ver | cut -d. -f3`
+	d=$(echo "${base_ver}" | cut -d. -f1)
+	e=$(echo "${base_ver}" | cut -d. -f2)
+	f=$(echo "${base_ver}" | cut -d. -f3)

 	# Test the first component
 	if [[ $a -gt $d ]]; then
@@ -74,16 +74,16 @@ get_kernel_config() {
 	elif [ -f "/boot/config-${KERNEL_RELEASE}" ]; then
 		echo "Found kernel config at /boot/config-${KERNEL_RELEASE}"
 		KERNEL_CONFIG_PATH=/boot/config-${KERNEL_RELEASE}
-	elif [ ! -z "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/boot/config-${KERNEL_RELEASE}" ]; then
+	elif [ -n "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/boot/config-${KERNEL_RELEASE}" ]; then
 		echo "Found kernel config at ${HOST_ROOT}/boot/config-${KERNEL_RELEASE}"
 		KERNEL_CONFIG_PATH="${HOST_ROOT}/boot/config-${KERNEL_RELEASE}"
 	elif [ -f "/usr/lib/ostree-boot/config-${KERNEL_RELEASE}" ]; then
 		echo "Found kernel config at /usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
 		KERNEL_CONFIG_PATH="/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
-	elif [ ! -z "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}" ]; then
+	elif [ -n "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}" ]; then
 		echo "Found kernel config at ${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
 		KERNEL_CONFIG_PATH="${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
-	elif [ -f /lib/modules/${KERNEL_RELEASE}/config ]; then
+	elif [ -f "/lib/modules/${KERNEL_RELEASE}/config" ]; then
 		# this code works both for native host and agent container assuming that
 		# Dockerfile sets up the desired symlink /lib/modules -> $HOST_ROOT/lib/modules
 		echo "Found kernel config at /lib/modules/${KERNEL_RELEASE}/config"
@@ -96,13 +96,13 @@ get_kernel_config() {
 	fi

 	if [[ "${KERNEL_CONFIG_PATH}" == *.gz ]]; then
-	    HASH=$(zcat "${KERNEL_CONFIG_PATH}" | md5sum - | cut -d' ' -f1)
+		HASH=$(zcat "${KERNEL_CONFIG_PATH}" | md5sum - | cut -d' ' -f1)
 	else
-	    HASH=$(md5sum "${KERNEL_CONFIG_PATH}" | cut -d' ' -f1)
+		HASH=$(md5sum "${KERNEL_CONFIG_PATH}" | cut -d' ' -f1)
 	fi
 }

-load_kernel_probe() {
+load_kernel_module() {
 	if ! hash lsmod > /dev/null 2>&1; then
 		echo "This program requires lsmod"
 		exit 1
@@ -122,13 +122,13 @@ load_kernel_probe() {
 	rmmod "${PROBE_NAME}" 2>/dev/null
 	WAIT_TIME=0
 	KMOD_NAME=$(echo "${PROBE_NAME}" | tr "-" "_")
-	while lsmod | grep "${KMOD_NAME}" > /dev/null 2>&1 && [ $WAIT_TIME -lt $MAX_RMMOD_WAIT ]; do
+	while lsmod | grep "${KMOD_NAME}" > /dev/null 2>&1 && [ $WAIT_TIME -lt "${MAX_RMMOD_WAIT}" ]; do
 		if rmmod "${PROBE_NAME}" 2>/dev/null; then
 			echo "* Unloading ${PROBE_NAME} succeeded after ${WAIT_TIME}s"
 			break
 		fi
 		((++WAIT_TIME))
-		if (( $WAIT_TIME % 5 == 0 )); then
+		if (( WAIT_TIME % 5 == 0 )); then
 			echo "* ${PROBE_NAME} still loaded, waited ${WAIT_TIME}s (max wait ${MAX_RMMOD_WAIT}s)"
 		fi
 		sleep 1
@@ -144,20 +144,20 @@ load_kernel_probe() {
 		echo "* Skipping dkms install for UEK host"
 	else
 		echo "* Running dkms install for ${PACKAGE_NAME}"
-		if dkms install -m "${PACKAGE_NAME}" -v "${FALCO_VERSION}" -k "${KERNEL_RELEASE}"; then
+		if dkms install -m "${PACKAGE_NAME}" -v "${DRIVER_VERSION}" -k "${KERNEL_RELEASE}"; then
 			echo "* Trying to load a dkms ${PROBE_NAME}, if present"

-			if insmod "/var/lib/dkms/${PACKAGE_NAME}/${FALCO_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${PROBE_NAME}.ko" > /dev/null 2>&1; then
+			if insmod "/var/lib/dkms/${PACKAGE_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${PROBE_NAME}.ko" > /dev/null 2>&1; then
 				echo "${PROBE_NAME} found and loaded in dkms"
 				exit 0
-			elif insmod "/var/lib/dkms/${PACKAGE_NAME}/${FALCO_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${PROBE_NAME}.ko.xz" > /dev/null 2>&1; then
+			elif insmod "/var/lib/dkms/${PACKAGE_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${PROBE_NAME}.ko.xz" > /dev/null 2>&1; then
 				echo "${PROBE_NAME} found and loaded in dkms (xz)"
 				exit 0
 			else
 				echo "* Unable to insmod"
 			fi
 		else
-			DKMS_LOG="/var/lib/dkms/${PACKAGE_NAME}/${FALCO_VERSION}/build/make.log"
+			DKMS_LOG="/var/lib/dkms/${PACKAGE_NAME}/${DRIVER_VERSION}/build/make.log"
 			if [ -f "${DKMS_LOG}" ]; then
 				echo "* Running dkms build failed, dumping ${DKMS_LOG}"
 				cat "${DKMS_LOG}"
@@ -178,7 +178,7 @@ load_kernel_probe() {

 	get_kernel_config

-	local FALCO_PROBE_FILENAME="${PROBE_NAME}-${FALCO_VERSION}-${ARCH}-${KERNEL_RELEASE}-${HASH}.ko"
+	local FALCO_PROBE_FILENAME="${PROBE_NAME}-${DRIVER_VERSION}-${ARCH}-${KERNEL_RELEASE}-${HASH}.ko"

 	if [ -f "${HOME}/.falco/${FALCO_PROBE_FILENAME}" ]; then
 		echo "Found precompiled module at ~/.falco/${FALCO_PROBE_FILENAME}, loading module"
@@ -209,7 +209,8 @@ load_bpf_probe() {

 	get_kernel_config

-	if [ ! -z "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/etc/os-release" ]; then
+	if [ -n "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/etc/os-release" ]; then
+		# shellcheck source=/dev/null
 		. "${HOST_ROOT}/etc/os-release"

 		if [ "${ID}" == "cos" ]; then
@@ -217,24 +218,24 @@ load_bpf_probe() {
 		fi
 	fi

-	if [ ! -z "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/etc/VERSION" ]; then
+	if [ -n "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/etc/VERSION" ]; then
 		MINIKUBE=1
-		MINIKUBE_VERSION="$(cat ${HOST_ROOT}/etc/VERSION)"
+		MINIKUBE_VERSION="$(cat "${HOST_ROOT}/etc/VERSION")"
 	fi

-	local BPF_PROBE_FILENAME="${BPF_PROBE_NAME}-${FALCO_VERSION}-${ARCH}-${KERNEL_RELEASE}-${HASH}.o"
+	local BPF_PROBE_FILENAME="${BPF_PROBE_NAME}-${DRIVER_VERSION}-${ARCH}-${KERNEL_RELEASE}-${HASH}.o"

 	if [ ! -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then

-	        local BPF_KERNEL_SOURCES_URL=""
+		local BPF_KERNEL_SOURCES_URL=""
 		local STRIP_COMPONENTS=1

-	        customize_kernel_build() {
-		    if [ -n "${KERNEL_EXTRA_VERSION}" ]; then
+		customize_kernel_build() {
+			if [ -n "${KERNEL_EXTRA_VERSION}" ]; then
 			sed -i "s/LOCALVERSION=\"\"/LOCALVERSION=\"${KERNEL_EXTRA_VERSION}\"/" .config
-		    fi
-		    make olddefconfig > /dev/null
-		    make modules_prepare > /dev/null
+			fi
+			make olddefconfig > /dev/null
+			make modules_prepare > /dev/null
 		}

 		if [ -n "${COS}" ]; then
@@ -245,35 +246,37 @@ load_bpf_probe() {
 			STRIP_COMPONENTS=0

 			customize_kernel_build() {
-			    pushd usr/src/* > /dev/null
+				pushd usr/src/* > /dev/null || exit

-			    # Note: this overrides the KERNELDIR set while untarring the tarball
-			    export KERNELDIR=`pwd`
+				# Note: this overrides the KERNELDIR set while untarring the tarball
+				KERNELDIR=$(pwd)
+				export KERNELDIR

-			    sed -i '/^#define randomized_struct_fields_start	struct {$/d' include/linux/compiler-clang.h
-			    sed -i '/^#define randomized_struct_fields_end	};$/d' include/linux/compiler-clang.h
+				sed -i '/^#define randomized_struct_fields_start	struct {$/d' include/linux/compiler-clang.h
+				sed -i '/^#define randomized_struct_fields_end	};$/d' include/linux/compiler-clang.h

-			    popd > /dev/null
+				popd > /dev/null || exit

-			    # Might need to configure our own sources depending on COS version
-			    cos_ver=${BUILD_ID}
-			    base_ver=11553.0.0
+				# Might need to configure our own sources depending on COS version
+				cos_ver=${BUILD_ID}
+				base_ver=11553.0.0

-			    cos_version_greater
-			    greater_ret=$?
+				cos_version_greater
+				greater_ret=$?

-			    if [[ greater_ret -eq 1 ]]; then
+				if [[ greater_ret -eq 1 ]]; then
 				export KBUILD_EXTRA_CPPFLAGS=-DCOS_73_WORKAROUND
-			    fi
-                        }
+				fi
+						}
 		fi

 		if [ -n "${MINIKUBE}" ]; then
 			echo "* Minikube detected (${MINIKUBE_VERSION}), using linux kernel sources for minikube kernel"
-			local kernel_version=$(uname -r)
-			local -r kernel_version_major=$(echo ${kernel_version} | cut -d. -f1)
-			local -r kernel_version_minor=$(echo ${kernel_version} | cut -d. -f2)
-			local -r kernel_version_patch=$(echo ${kernel_version} | cut -d. -f3)
+			local kernel_version
+			kernel_version=$(uname -r)
+			local -r kernel_version_major=$(echo "${kernel_version}" | cut -d. -f1)
+			local -r kernel_version_minor=$(echo "${kernel_version}" | cut -d. -f2)
+			local -r kernel_version_patch=$(echo "${kernel_version}" | cut -d. -f3)

 			if [ "${kernel_version_patch}" == "0" ]; then
 				kernel_version="${kernel_version_major}.${kernel_version_minor}"
@@ -283,7 +286,7 @@ load_bpf_probe() {
 		fi

 		if [ -n "${BPF_USE_LOCAL_KERNEL_SOURCES}" ]; then
-		        local -r kernel_version_major=$(uname -r | cut -d. -f1)
+			local -r kernel_version_major=$(uname -r | cut -d. -f1)
 			local -r kernel_version=$(uname -r | cut -d- -f1)
 			KERNEL_EXTRA_VERSION="-$(uname -r | cut -d- -f2)"

@@ -296,8 +299,8 @@ load_bpf_probe() {
 			echo "* Downloading ${BPF_KERNEL_SOURCES_URL}"

 			mkdir -p /tmp/kernel
-			cd /tmp/kernel
-			cd `mktemp -d -p /tmp/kernel`
+			cd /tmp/kernel || exit
+			cd "$(mktemp -d -p /tmp/kernel)" || exit
 			if ! curl -o kernel-sources.tgz --create-dirs "${FALCO_PROBE_CURL_OPTIONS}" "${BPF_KERNEL_SOURCES_URL}"; then
 				exit 1;
 			fi
@@ -306,13 +309,14 @@ load_bpf_probe() {

 			mkdir kernel-sources && tar xf kernel-sources.tgz -C kernel-sources --strip-components "${STRIP_COMPONENTS}"

-			cd kernel-sources
-			export KERNELDIR=`pwd`
+			cd kernel-sources || exit
+			KERNELDIR=$(pwd)
+			export KERNELDIR

 			if [[ "${KERNEL_CONFIG_PATH}" == *.gz ]]; then
-			    zcat "${KERNEL_CONFIG_PATH}" > .config
+				zcat "${KERNEL_CONFIG_PATH}" > .config
 			else
-			    cat "${KERNEL_CONFIG_PATH}" > .config
+				cat "${KERNEL_CONFIG_PATH}" > .config
 			fi

 			echo "* Configuring kernel"
@@ -321,10 +325,10 @@ load_bpf_probe() {

 		echo "* Trying to compile BPF probe ${BPF_PROBE_NAME} (${BPF_PROBE_FILENAME})"

-		make -C "/usr/src/${PACKAGE_NAME}-${FALCO_VERSION}/bpf" > /dev/null
+		make -C "/usr/src/${PACKAGE_NAME}-${DRIVER_VERSION}/bpf" > /dev/null

 		mkdir -p ~/.falco
-		mv "/usr/src/${PACKAGE_NAME}-${FALCO_VERSION}/bpf/probe.o" "${HOME}/.falco/${BPF_PROBE_FILENAME}"
+		mv "/usr/src/${PACKAGE_NAME}-${DRIVER_VERSION}/bpf/probe.o" "${HOME}/.falco/${BPF_PROBE_FILENAME}"

 		if [ -n "${BPF_KERNEL_SOURCES_URL}" ]; then
 			rm -r /tmp/kernel
@@ -350,7 +354,7 @@ load_bpf_probe() {
 			echo "**********************************************************"
 		fi

-		echo "* BPF probe located, it's now possible to start sysdig"
+		echo "* BPF probe located, it's now possible to start falco"

 		ln -sf "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${HOME}/.falco/${BPF_PROBE_NAME}.o"
 		exit $?
@@ -363,7 +367,7 @@ load_bpf_probe() {
 ARCH=$(uname -m)
 KERNEL_RELEASE=$(uname -r)
 SCRIPT_NAME=$(basename "${0}")
-PROBE_URL=${PROBE_URL:-https://s3.amazonaws.com/download.draios.com}
+PROBE_URL=${PROBE_URL:-"@DRIVER_LOOKUP_URL@"}
 if [ -n "$PROBE_INSECURE_DOWNLOAD" ]
 then
 	FALCO_PROBE_CURL_OPTIONS=-fsSk
@@ -380,15 +384,13 @@ if [ -z "${PACKAGES_REPOSITORY}" ]; then
 	PACKAGES_REPOSITORY="stable"
 fi

-if [ "${SCRIPT_NAME}" = "falco-probe-loader" ]; then
-        if [ -z "$FALCO_VERSION" ]; then
-	    FALCO_VERSION=$(falco --version | cut -d' ' -f3)
-	fi
-	PROBE_NAME="falco-probe"
-	BPF_PROBE_NAME="falco-probe-bpf"
-	PACKAGE_NAME="falco"
+if [ "${SCRIPT_NAME}" = "falco-driver-loader" ]; then
+	DRIVER_VERSION="@PROBE_VERSION@"
+	PROBE_NAME="@PROBE_NAME@"
+	BPF_PROBE_NAME="@PROBE_NAME@-bpf"
+	PACKAGE_NAME="@PACKAGE_NAME@"
 else
-	echo "This script must be called as falco-probe-loader"
+	echo "This script must be called as falco-driver-loader"
 	exit 1
 fi

@@ -402,8 +404,8 @@ if ! hash curl > /dev/null 2>&1; then
 	exit 1
 fi

-if [ -v BPF_PROBE ] || [ "${1}" = "bpf" ]; then
+if [ -v FALCO_BPF_PROBE ] || [ "${1}" = "bpf" ]; then
 	load_bpf_probe
 else
-	load_kernel_probe
+	load_kernel_module
 fi
--- a/test/README.md
+++ b/test/README.md
@@ -0,0 +1,6 @@
+# Falco Regression tests
+
+This folder contains the Regression tests suite for Falco.
+
+You can find instructions on how to run this test suite on the Falco website [here](https://falco.org/docs/source/#run-regression-tests).
+
--- a/test/falco_test.py
+++ b/test/falco_test.py
@@ -18,17 +18,16 @@
 import os
 import re
 import json
-import sets
 import glob
 import shutil
 import stat
 import subprocess
 import sys
-import urllib
+import urllib.request

 from avocado import Test
+from avocado import main
 from avocado.utils import process
-from avocado.utils import linux_modules

 class FalcoTest(Test):

@@ -142,15 +141,15 @@ class FalcoTest(Test):
        else:
            detect_counts = {}
            for item in self.detect_counts:
-                for key, value in item.items():
+                for key, value in list(item.items()):
                    detect_counts[key] = value
            self.detect_counts = detect_counts

        self.rules_warning = self.params.get('rules_warning', '*', default=False)
        if self.rules_warning == False:
-            self.rules_warning = sets.Set()
+            self.rules_warning = set()
        else:
-            self.rules_warning = sets.Set(self.rules_warning)
+            self.rules_warning = set(self.rules_warning)

        # Maps from rule name to set of evttypes
        self.rules_events = self.params.get('rules_events', '*', default=False)
@@ -160,7 +159,7 @@ class FalcoTest(Test):
            events = {}
            for item in self.rules_events:
                for item2 in item:
-                    events[item2[0]] = sets.Set(item2[1])
+                    events[item2[0]] = set(item2[1])
            self.rules_events = events

        if self.should_detect:
@@ -176,7 +175,7 @@ class FalcoTest(Test):
        self.copy_local_driver = self.params.get('copy_local_driver', '*', default=False)

        # Used by possibly_copy_local_driver as well as docker run
-        self.module_dir = os.path.expanduser("~/.sysdig")
+        self.module_dir = os.path.expanduser("~/.falco")

        self.outputs = self.params.get('outputs', '*', default='')

@@ -185,7 +184,7 @@ class FalcoTest(Test):
        else:
            outputs = []
            for item in self.outputs:
-                for key, value in item.items():
+                for key, value in list(item.items()):
                    output = {}
                    output['file'] = key
                    output['line'] = value
@@ -214,9 +213,9 @@ class FalcoTest(Test):

    def check_rules_warnings(self, res):

-        found_warning = sets.Set()
+        found_warning = set()

-        for match in re.finditer('Rule ([^:]+): warning \(([^)]+)\):', res.stderr):
+        for match in re.finditer('Rule ([^:]+): warning \(([^)]+)\):', res.stderr.decode("utf-8")):
            rule = match.group(1)
            warning = match.group(2)
            found_warning.add(rule)
@@ -231,21 +230,21 @@ class FalcoTest(Test):

        found_events = {}

-        for match in re.finditer('Event types for rule ([^:]+): (\S+)', res.stderr):
+        for match in re.finditer('Event types for rule ([^:]+): (\S+)', res.stderr.decode("utf-8")):
            rule = match.group(1)
-            events = sets.Set(match.group(2).split(","))
+            events = set(match.group(2).split(","))
            found_events[rule] = events

        self.log.debug("Expected events for rules: {}".format(self.rules_events))
        self.log.debug("Actual events for rules: {}".format(found_events))

-        for rule in found_events.keys():
+        for rule in list(found_events.keys()):
            if found_events.get(rule) != self.rules_events.get(rule):
                self.fail("rule {}: expected events {} differs from actual events {}".format(rule, self.rules_events.get(rule), found_events.get(rule)))

    def check_detections(self, res):
        # Get the number of events detected.
-        match = re.search('Events detected: (\d+)', res.stdout)
+        match = re.search('Events detected: (\d+)', res.stdout.decode("utf-8"))
        if match is None:
            self.fail("Could not find a line 'Events detected: <count>' in falco output")

@@ -260,7 +259,7 @@ class FalcoTest(Test):

            for level in self.detect_level:
                level_line = '(?i){}: (\d+)'.format(level)
-                match = re.search(level_line, res.stdout)
+                match = re.search(level_line, res.stdout.decode("utf-8"))

                if match is None:
                    self.fail("Could not find a line '{}: <count>' in falco output".format(level))
@@ -272,13 +271,13 @@ class FalcoTest(Test):

    def check_detections_by_rule(self, res):
        # Get the number of events detected for each rule. Must match the expected counts.
-        match = re.search('Triggered rules by rule name:(.*)', res.stdout, re.DOTALL)
+        match = re.search('Triggered rules by rule name:(.*)', res.stdout.decode("utf-8"), re.DOTALL)
        if match is None:
            self.fail("Could not find a block 'Triggered rules by rule name: ...' in falco output")

        triggered_rules = match.group(1)

-        for rule, count in self.detect_counts.iteritems():
+        for rule, count in list(self.detect_counts.items()):
            expected = '\s{}: (\d+)'.format(re.sub(r'([$\.*+?()[\]{}|^])', r'\\\1', rule))
            match = re.search(expected, triggered_rules)

@@ -313,7 +312,7 @@ class FalcoTest(Test):
        if self.json_output:
            # Just verify that any lines starting with '{' are valid json objects.
            # Doesn't do any deep inspection of the contents.
-            for line in res.stdout.splitlines():
+            for line in res.stdout.decode("utf-8").splitlines():
                if line.startswith('{'):
                    obj = json.loads(line)
                    if self.json_include_output_property:
@@ -336,7 +335,7 @@ class FalcoTest(Test):
            self.falco_binary_path = "docker run --rm --name falco-test --privileged " \
                                     "-v /var/run/docker.sock:/host/var/run/docker.sock " \
                                     "-v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro " \
-                                     "-v /lib/modules:/host/lib/modules:ro -v {}:/root/.sysdig:ro " \
+                                     "-v /lib/modules:/host/lib/modules:ro -v {}:/root/.falco:ro " \
                                     "-v /usr:/host/usr:ro {} {} falco".format(
                                         self.module_dir, self.addl_docker_run_args, image)

@@ -388,8 +387,7 @@ class FalcoTest(Test):
            res = process.run(cmdline, timeout=120, sudo=True)

    def possibly_copy_driver(self):
-        # Remove the contents of ~/.sysdig regardless of
-        # copy_local_driver.
+        # Remove the contents of ~/.falco regardless of copy_local_driver.
        self.log.debug("Checking for module dir {}".format(self.module_dir))
        if os.path.isdir(self.module_dir):
            self.log.info("Removing files below directory {}".format(self.module_dir))
@@ -398,7 +396,8 @@ class FalcoTest(Test):
                os.remove(rmfile)

        if self.copy_local_driver:
-            verstr = subprocess.check_output([self.falco_binary_path, "--version"]).rstrip()
+            verlines = [str.strip() for str in subprocess.check_output([self.falco_binary_path, "--version"]).splitlines()]
+            verstr = verlines[0].decode("utf-8")
            self.log.info("verstr {}".format(verstr))
            falco_version = verstr.split(" ")[2]
            self.log.info("falco_version {}".format(falco_version))
@@ -407,7 +406,7 @@ class FalcoTest(Test):
            kernel_release = subprocess.check_output(["uname", "-r"]).rstrip()
            self.log.info("kernel release {}".format(kernel_release))

-            # falco-probe-loader has a more comprehensive set of ways to
+            # falco-driver-loader has a more comprehensive set of ways to
            # find the config hash. We only look at /boot/config-<kernel release>
            md5_output = subprocess.check_output(["md5sum", "/boot/config-{}".format(kernel_release)]).rstrip()
            config_hash = md5_output.split(" ")[0]
@@ -440,7 +439,7 @@ class FalcoTest(Test):
            if not os.path.isfile(self.psp_conv_path):
                self.log.info("Downloading {} to {}".format(self.psp_conv_url, self.psp_conv_path))

-                urllib.urlretrieve(self.psp_conv_url, self.psp_conv_path)
+                urllib.request.urlretrieve(self.psp_conv_url, self.psp_conv_path)
                os.chmod(self.psp_conv_path, stat.S_IEXEC)

            conv_cmd = '{} convert psp --psp-path {} --rules-path {}'.format(
@@ -484,32 +483,32 @@ class FalcoTest(Test):

        if self.stdout_is != '':
            print(self.stdout_is)
-            if self.stdout_is != res.stdout:
+            if self.stdout_is != res.stdout.decode("utf-8"):
                self.fail("Stdout was not exactly {}".format(self.stdout_is))

        if self.stderr_is != '':
-            if self.stderr_is != res.stdout:
+            if self.stderr_is != res.stdout.decode("utf-8"):
                self.fail("Stdout was not exactly {}".format(self.stderr_is))

        for pattern in self.stderr_contains:
-            match = re.search(pattern, res.stderr)
+            match = re.search(pattern, res.stderr.decode("utf-8"))
            if match is None:
                self.fail("Stderr of falco process did not contain content matching {}".format(pattern))

        for pattern in self.stdout_contains:
-            match = re.search(pattern, res.stdout)
+            match = re.search(pattern, res.stdout.decode("utf-8"))
            if match is None:
-                self.fail("Stdout of falco process '{}' did not contain content matching {}".format(res.stdout, pattern))
+                self.fail("Stdout of falco process '{}' did not contain content matching {}".format(res.stdout.decode("utf-8"), pattern))

        for pattern in self.stderr_not_contains:
-            match = re.search(pattern, res.stderr)
+            match = re.search(pattern, res.stderr.decode("utf-8"))
            if match is not None:
                self.fail("Stderr of falco process contained content matching {} when it should have not".format(pattern))

        for pattern in self.stdout_not_contains:
-            match = re.search(pattern, res.stdout)
+            match = re.search(pattern, res.stdout.decode("utf-8"))
            if match is not None:
-                self.fail("Stdout of falco process '{}' did contain content matching {} when it should have not".format(res.stdout, pattern))
+                self.fail("Stdout of falco process '{}' did contain content matching {} when it should have not".format(res.stdout.decode("utf-8"), pattern))

        if res.exit_status != self.exit_status:
            self.error("Falco command \"{}\" exited with unexpected return value {} (!= {})".format(
--- a/test/falco_tests.yaml
+++ b/test/falco_tests.yaml
@@ -689,7 +689,7 @@ trace_files: !mux
      - "Non sudo setuid": 1
      - "Create files below dev": 1
      - "Modify binary dirs": 2
-      - "Change thread namespace": 2
+      - "Change thread namespace": 1

  disabled_tags_a:
    detect: True
--- a/test/falco_traces.yaml.in
+++ b/test/falco_traces.yaml.in
@@ -26,7 +26,7 @@ traces: !mux
    detect: True
    detect_level: NOTICE
    detect_counts:
-      - "Change thread namespace": 2
+      - "Change thread namespace": 1

  container-privileged:
    trace_file: traces-positive/container-privileged.scap
@@ -73,7 +73,7 @@ traces: !mux
      - "Non sudo setuid": 1
      - "Create files below dev": 1
      - "Modify binary dirs": 2
-      - "Change thread namespace": 2
+      - "Change thread namespace": 1

  mkdir-binary-dirs:
    trace_file: traces-positive/mkdir-binary-dirs.scap
--- a/tests/falco/test_webserver.cpp
+++ b/tests/falco/test_webserver.cpp
@@ -13,7 +13,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-
 #include "webserver.h"
 #include <catch.hpp>

@@ -22,7 +21,7 @@ TEST_CASE("webserver must accept invalid data", "[!hide][webserver][k8s_audit_ha
 	// falco_engine* engine = new falco_engine();
 	// falco_outputs* outputs = new falco_outputs(engine);
 	// std::string errstr;
-    // std::string input("{\"kind\": 0}");
+	// std::string input("{\"kind\": 0}");
 	//k8s_audit_handler::accept_data(engine, outputs, input, errstr);

 	REQUIRE(1 == 1);
--- a/userspace/engine/banned.h
+++ b/userspace/engine/banned.h
@@ -0,0 +1,50 @@
+/*
+Copyright (C) 2019 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#pragma once
+
+// BAN macro defines `function` as an invalid token that says using
+// the function is banned. This throws a compile time error when the
+// function is used.
+#define BAN(function) using_##function##_is_banned
+
+// BAN_ALTERNATIVE is same as BAN but the message also provides an alternative
+// function that the user could use instead of the banned function.
+#define BAN_ALTERNATIVE(function, alternative) using_##function##_is_banned__use_##alternative##_instead
+
+#undef strcpy
+#define strcpy(a, b) BAN(strcpy)
+
+#undef vsprintf
+#define vsprintf(a, b, c) BAN_ALTERNATIVE(vsprintf, vsnprintf)
+
+#undef sprintf
+#define sprintf(a, b, ...) BAN_ALTERNATIVE(sprintf, snprintf)
+
+#undef strcat
+#define strcat(a, b) BAN(strcat)
+
+#undef strncat
+#define strncat(a, b, c) BAN(strncat)
+
+#undef strncpy
+#define strncpy(a, b, c) BAN(strncpy)
+
+#undef swprintf
+#define swprintf(a, b, c, ...) BAN_ALTERNATIVE(swprintf, snprintf)
+
+#undef vswprintf
+#define vswprintf(a, b, c, d) BAN_ALTERNATIVE(vswprintf, vsnprintf)
--- a/userspace/engine/falco_common.cpp
+++ b/userspace/engine/falco_common.cpp
@@ -18,6 +18,7 @@ limitations under the License.

 #include "config_falco_engine.h"
 #include "falco_common.h"
+#include "banned.h" // This raises a compilation error when certain functions are used

 std::vector<std::string> falco_common::priority_names = {
 	"Emergency",
@@ -117,4 +118,3 @@ void falco_common::add_lua_path(string &path)

 	lua_pop(m_ls, 1);
 }
-
--- a/userspace/engine/falco_engine.cpp
+++ b/userspace/engine/falco_engine.cpp
@@ -32,6 +32,7 @@ extern "C" {
 }

 #include "utils.h"
+#include "banned.h" // This raises a compilation error when certain functions are used


 string lua_on_event = "on_event";
--- a/userspace/engine/falco_utils.cpp
+++ b/userspace/engine/falco_utils.cpp
@@ -18,6 +18,7 @@ limitations under the License.
 */

 #include "falco_utils.h"
+#include "banned.h" // This raises a compilation error when certain functions are used

 namespace falco
 {
--- a/userspace/engine/formats.cpp
+++ b/userspace/engine/formats.cpp
@@ -18,6 +18,7 @@ limitations under the License.

 #include "formats.h"
 #include "falco_engine.h"
+#include "banned.h" // This raises a compilation error when certain functions are used


 sinsp* falco_formats::s_inspector = NULL;
@@ -145,11 +146,13 @@ int falco_formats::format_event (lua_State *ls)
 	if(strcmp(source, "syscall") == 0)
 	{
 		try {
+			// This is "output"
 			s_formatters->tostring((sinsp_evt *) evt, sformat, &line);

 			if(s_json_output)
 			{
-				switch(s_inspector->get_buffer_format())
+				sinsp_evt::param_fmt cur_fmt = s_inspector->get_buffer_format();
+				switch(cur_fmt)
 				{
 					case sinsp_evt::PF_NORMAL:
 						s_inspector->set_buffer_format(sinsp_evt::PF_JSON);
@@ -170,6 +173,7 @@ int falco_formats::format_event (lua_State *ls)
 						// do nothing
 						break;
 				}
+				// This is output fields
 				s_formatters->tostring((sinsp_evt *) evt, sformat, &json_line);

 				// The formatted string might have a leading newline. If it does, remove it.
@@ -177,8 +181,7 @@ int falco_formats::format_event (lua_State *ls)
 				{
 					json_line.erase(0, 1);
 				}
-
-				s_inspector->set_buffer_format(sinsp_evt::PF_NORMAL);
+				s_inspector->set_buffer_format(cur_fmt);
 			}
 		}
 		catch (sinsp_exception& e)
--- a/userspace/engine/json_evt.cpp
+++ b/userspace/engine/json_evt.cpp
@@ -21,6 +21,7 @@ limitations under the License.

 #include "falco_common.h"
 #include "json_evt.h"
+#include "banned.h" // This raises a compilation error when certain functions are used

 using json = nlohmann::json;
 using namespace std;
@@ -511,31 +512,27 @@ const json_event_filter_check::values_t &json_event_filter_check::extracted_valu

 bool json_event_filter_check::compare(gen_event *evt)
 {
-	json_event *jevt = (json_event *)evt;
+	auto jevt = (json_event *)evt;

 	uint32_t len;

-	const extracted_values_t *evalues = (const extracted_values_t *) extract(jevt, &len);
+	auto evalues = (const extracted_values_t *) extract(jevt, &len);
 	values_set_t setvals;

 	switch(m_cmpop)
 	{
 	case CO_EQ:
 		return evalues->second == m_values;
-		break;
 	case CO_NE:
 		return evalues->second != m_values;
-		break;
 	case CO_STARTSWITH:
 		return (evalues->first.size() == 1 &&
 			m_values.size() == 1 &&
 			evalues->first.at(0).startswith(*(m_values.begin())));
-		break;
 	case CO_CONTAINS:
 		return (evalues->first.size() == 1 &&
 			m_values.size() == 1 &&
 			evalues->first.at(0).contains(*(m_values.begin())));
-		break;
 	case CO_IN:
 		for(auto &item : evalues->second)
 		{
@@ -545,7 +542,6 @@ bool json_event_filter_check::compare(gen_event *evt)
 			}
 		}
 		return true;
-		break;
 	case CO_PMATCH:
 		for(auto &item : evalues->second)
 		{
@@ -558,19 +554,16 @@ bool json_event_filter_check::compare(gen_event *evt)
 			}
 		}
 		return true;
-		break;
 	case CO_INTERSECTS:
 		std::set_intersection(evalues->second.begin(), evalues->second.end(),
 				      m_values.begin(), m_values.end(),
 				      std::inserter(setvals, setvals.begin()));
-		return (setvals.size() > 0);
-		break;
+		return (!setvals.empty());
 	case CO_LT:
 		return (evalues->first.size() == 1 &&
 			m_values.size() == 1 &&
 			evalues->first.at(0).ptype() == m_values.begin()->ptype() &&
 			evalues->first.at(0) < *(m_values.begin()));
-		break;
 	case CO_LE:
 		return (evalues->first.size() == 1 &&
 			m_values.size() == 1 &&
@@ -588,11 +581,9 @@ bool json_event_filter_check::compare(gen_event *evt)
 			evalues->first.at(0).ptype() == m_values.begin()->ptype() &&
 			(evalues->first.at(0) > *(m_values.begin()) ||
 			 evalues->first.at(0) == *(m_values.begin())));
-		break;
 	case CO_EXISTS:
 		return (evalues->first.size() == 1 &&
 			(evalues->first.at(0) != json_event_filter_check::no_value));
-		break;
 	default:
 		throw falco_exception("filter error: unsupported comparison operator");
 	}
--- a/userspace/engine/json_evt.h
+++ b/userspace/engine/json_evt.h
@@ -193,7 +193,6 @@ public:
 	const values_t &extracted_values();

 protected:
-
 	// Subclasses can override this method, calling
 	// add_extracted_value to add extracted values.
 	virtual bool extract_values(json_event *jevt);
@@ -282,7 +281,8 @@ private:

 	// If true, this filtercheck works on paths, which enables
 	// some extra bookkeeping to allow for path prefix searches.
-	bool m_uses_paths;
+	bool m_uses_paths = false;
+
 	path_prefix_search m_prefix_search;
 };

@@ -292,7 +292,7 @@ public:
 	jevt_filter_check();
 	virtual ~jevt_filter_check();

-        int32_t parse_field_name(const char* str, bool alloc_state, bool needed_for_filtering) final;
+	int32_t parse_field_name(const char* str, bool alloc_state, bool needed_for_filtering) final;

 	json_event_filter_check *allocate_new();

--- a/userspace/engine/rules.cpp
+++ b/userspace/engine/rules.cpp
@@ -24,6 +24,8 @@ extern "C" {
 }

 #include "falco_engine.h"
+#include "banned.h" // This raises a compilation error when certain functions are used
+
 const static struct luaL_reg ll_falco_rules [] =
 {
 	{"clear_filters", &falco_rules::clear_filters},
@@ -480,4 +482,3 @@ falco_rules::~falco_rules()
 	delete m_sinsp_lua_parser;
 	delete m_json_lua_parser;
 }
-
--- a/userspace/engine/ruleset.cpp
+++ b/userspace/engine/ruleset.cpp
@@ -15,6 +15,7 @@ limitations under the License.
 */

 #include "ruleset.h"
+#include "banned.h" // This raises a compilation error when certain functions are used

 using namespace std;

--- a/userspace/engine/token_bucket.cpp
+++ b/userspace/engine/token_bucket.cpp
@@ -20,6 +20,7 @@ limitations under the License.

 #include "token_bucket.h"
 #include "utils.h"
+#include "banned.h" // This raises a compilation error when certain functions are used

 token_bucket::token_bucket():
 	token_bucket(sinsp_utils::get_current_time_ns)
--- a/userspace/falco/CMakeLists.txt
+++ b/userspace/falco/CMakeLists.txt
@@ -15,10 +15,22 @@ configure_file("${SYSDIG_SOURCE_DIR}/userspace/sysdig/config_sysdig.h.in" config

 add_custom_command(
  OUTPUT
-    ${CMAKE_CURRENT_BINARY_DIR}/output.grpc.pb.cc ${CMAKE_CURRENT_BINARY_DIR}/output.grpc.pb.h
-    ${CMAKE_CURRENT_BINARY_DIR}/output.pb.cc ${CMAKE_CURRENT_BINARY_DIR}/output.pb.h
-    ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.h
-  COMMENT "Generate gRPC code"
+    ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.h
+    ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/version.pb.h
+    ${CMAKE_CURRENT_BINARY_DIR}/output.grpc.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/output.grpc.pb.h
+    ${CMAKE_CURRENT_BINARY_DIR}/output.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/output.pb.h
+    ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.h
+  COMMENT "Generate gRPC version API"
+  DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
+  COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
+  COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
+          ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
+  COMMENT "Generate gRPC outputs API"
  DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/output.proto
  COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/output.proto
          ${CMAKE_CURRENT_SOURCE_DIR}/schema.proto
@@ -38,8 +50,11 @@ add_executable(
  webserver.cpp
  grpc_context.cpp
  grpc_server_impl.cpp
+  grpc_request_context.cpp
  grpc_server.cpp
  utils.cpp
+  ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc
+  ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
  ${CMAKE_CURRENT_BINARY_DIR}/output.grpc.pb.cc
  ${CMAKE_CURRENT_BINARY_DIR}/output.pb.cc
  ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc)
@@ -47,7 +62,7 @@ add_executable(
 add_dependencies(falco civetweb)

 if(USE_BUNDLED_DEPS)
-add_dependencies(falco yamlcpp)
+  add_dependencies(falco yamlcpp)
 endif()

 target_include_directories(
--- a/userspace/falco/config_falco.h.in
+++ b/userspace/falco/config_falco.h.in
@@ -16,7 +16,14 @@ limitations under the License.

 #pragma once

+#define FALCO_BRANCH "@FALCO_REF@"
+#define FALCO_HASH "@FALCO_HASH@"
 #define FALCO_VERSION "@FALCO_VERSION@"
+#define FALCO_VERSION_MAJOR @FALCO_VERSION_MAJOR@
+#define FALCO_VERSION_MINOR @FALCO_VERSION_MINOR@
+#define FALCO_VERSION_PATCH @FALCO_VERSION_PATCH@
+#define FALCO_VERSION_PRERELEASE "@FALCO_VERSION_PRERELEASE@"
+#define FALCO_VERSION_BUILD "@FALCO_VERSION_BUILD@"

 #define FALCO_LUA_DIR "${CMAKE_INSTALL_PREFIX}/${FALCO_SHARE_DIR}/lua/"
 #define FALCO_SOURCE_DIR "${PROJECT_SOURCE_DIR}"
@@ -24,4 +31,5 @@ limitations under the License.
 #define FALCO_INSTALL_CONF_FILE "/etc/falco/falco.yaml"
 #define FALCO_SOURCE_LUA_DIR "${PROJECT_SOURCE_DIR}/userspace/falco/lua/"

-#define PROBE_NAME "${PROBE_NAME}"
+#define PROBE_NAME "@PROBE_NAME@"
+#define DRIVER_VERSION "@PROBE_VERSION@"
--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
@@ -23,6 +23,7 @@ limitations under the License.

 #include "configuration.h"
 #include "logger.h"
+#include "banned.h" // This raises a compilation error when certain functions are used

 using namespace std;

@@ -87,7 +88,7 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
 		filename = m_config->get_scalar<string>("file_output", "filename", "");
 		if(filename == string(""))
 		{
-			throw invalid_argument("Error reading config file (" + m_config_file + "): file output enabled but no filename in configuration block");
+			throw logic_error("Error reading config file (" + m_config_file + "): file output enabled but no filename in configuration block");
 		}
 		file_output.options["filename"] = filename;

@@ -119,7 +120,7 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
 		program = m_config->get_scalar<string>("program_output", "program", "");
 		if(program == string(""))
 		{
-			throw sinsp_exception("Error reading config file (" + m_config_file + "): program output enabled but no program in configuration block");
+			throw logic_error("Error reading config file (" + m_config_file + "): program output enabled but no program in configuration block");
 		}
 		program_output.options["program"] = program;

@@ -138,7 +139,7 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio

 		if(url == string(""))
 		{
-			throw sinsp_exception("Error reading config file (" + m_config_file + "): http output enabled but no url in configuration block");
+			throw logic_error("Error reading config file (" + m_config_file + "): http output enabled but no url in configuration block");
 		}
 		http_output.options["url"] = url;

@@ -148,6 +149,10 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
 	m_grpc_enabled = m_config->get_scalar<bool>("grpc", "enabled", false);
 	m_grpc_bind_address = m_config->get_scalar<string>("grpc", "bind_address", "0.0.0.0:5060");
 	m_grpc_threadiness = m_config->get_scalar<uint32_t>("grpc", "threadiness", 8); // todo > limit it to avoid overshubscription? std::thread::hardware_concurrency()
+	if(m_grpc_threadiness == 0)
+	{
+		throw logic_error("error reading config file (" + m_config_file +"): gRPC threadiness must be greater than 0");
+	}
 	m_grpc_private_key = m_config->get_scalar<string>("grpc", "private_key", "/etc/falco/certs/server.key");
 	m_grpc_cert_chain = m_config->get_scalar<string>("grpc", "cert_chain", "/etc/falco/certs/server.crt");
 	m_grpc_root_certs = m_config->get_scalar<string>("grpc", "root_certs", "/etc/falco/certs/ca.crt");
@@ -162,7 +167,7 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio

 	if(m_outputs.size() == 0)
 	{
-		throw invalid_argument("Error reading config file (" + m_config_file + "): No outputs configured. Please configure at least one output file output enabled but no filename in configuration block");
+		throw logic_error("Error reading config file (" + m_config_file + "): No outputs configured. Please configure at least one output file output enabled but no filename in configuration block");
 	}

 	string log_level = m_config->get_scalar<string>("log_level", "info");
@@ -181,7 +186,7 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio

 	if((it = std::find_if(falco_common::priority_names.begin(), falco_common::priority_names.end(), comp)) == falco_common::priority_names.end())
 	{
-		throw invalid_argument("Unknown priority \"" + priority + "\"--must be one of emergency, alert, critical, error, warning, notice, informational, debug");
+		throw logic_error("Unknown priority \"" + priority + "\"--must be one of emergency, alert, critical, error, warning, notice, informational, debug");
 	}
 	m_min_priority = (falco_common::priority_type)(it - falco_common::priority_names.begin());

@@ -220,7 +225,7 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
 		}
 		else
 		{
-			throw invalid_argument("Error reading config file (" + m_config_file + "): syscall event drop action " + act + " must be one of \"ignore\", \"log\", \"alert\", or \"exit\"");
+			throw logic_error("Error reading config file (" + m_config_file + "): syscall event drop action " + act + " must be one of \"ignore\", \"log\", \"alert\", or \"exit\"");
 		}
 	}

@@ -328,7 +333,7 @@ void falco_configuration::set_cmdline_option(const string &opt)

 	if(!split(opt, '=', keyval))
 	{
-		throw invalid_argument("Error parsing config option \"" + opt + "\". Must be of the form key=val or key.subkey=val");
+		throw logic_error("Error parsing config option \"" + opt + "\". Must be of the form key=val or key.subkey=val");
 	}

 	if(split(keyval.first, '.', subkey))
--- a/userspace/falco/event_drops.cpp
+++ b/userspace/falco/event_drops.cpp
@@ -15,6 +15,7 @@ limitations under the License.
 */

 #include "event_drops.h"
+#include "banned.h" // This raises a compilation error when certain functions are used

 syscall_evt_drop_mgr::syscall_evt_drop_mgr():
 	m_num_syscall_evt_drops(0),
--- a/userspace/falco/falco.cpp
+++ b/userspace/falco/falco.cpp
@@ -45,6 +45,7 @@ limitations under the License.
 #include "statsfilewriter.h"
 #include "webserver.h"
 #include "grpc_server.h"
+#include "banned.h" // This raises a compilation error when certain functions are used

 typedef function<void(sinsp* inspector)> open_t;

@@ -88,6 +89,12 @@ static void usage()
 	   " --cri <path>                  Path to CRI socket for container metadata.\n"
 	   "                               Use the specified socket to fetch data from a CRI-compatible runtime.\n"
 	   " -d, --daemon                  Run as a daemon.\n"
+	   " --disable-cri-async           Disable asynchronous CRI metadata fetching.\n"
+	   "                               This is useful to let the input event wait for the container metadata fetch\n"
+	   "                               to finish before moving forward. Async fetching, in some environments leads\n"
+	   "                               to empty fields for container metadata when the fetch is not fast enough to be\n"
+	   "                               completed asynchronously. This can have a performance penalty on your environment\n"
+	   "                               depending on the number of containers and the frequency at which they are created/started/stopped\n"
 	   " --disable-source <event_source>\n"
 	   "                               Disable a specific event source.\n"
 	   "                               Available event sources are: syscall, k8s_audit.\n"
@@ -432,6 +439,7 @@ int falco_init(int argc, char **argv)
 	string list_flds_source = "";
 	bool print_support = false;
 	string cri_socket_path;
+	bool cri_async = true;
 	set<string> disable_sources;
 	bool disable_syscall = false;
 	bool disable_k8s_audit = false;
@@ -458,6 +466,7 @@ int falco_init(int argc, char **argv)
 	{
 		{"cri", required_argument, 0},
        {"daemon", no_argument, 0, 'd'},
+        {"disable-cri-async", no_argument, 0, 0},
        {"disable-source", required_argument, 0},
        {"help", no_argument, 0, 'h'},
        {"ignored-events", no_argument, 0, 'i'},
@@ -615,6 +624,7 @@ int falco_init(int argc, char **argv)
 				if(string(long_options[long_index].name) == "version")
 				{
 					printf("Falco version: %s\n", FALCO_VERSION);
+					printf("Driver version: %s\n", DRIVER_VERSION);
 					return EXIT_SUCCESS;
 				}
 				else if (string(long_options[long_index].name) == "cri")
@@ -624,6 +634,10 @@ int falco_init(int argc, char **argv)
 						cri_socket_path = optarg;
 					}
 				}
+				else if (string(long_options[long_index].name) == "disable-cri-async")
+				{
+				  cri_async = false;
+				}
 				else if (string(long_options[long_index].name) == "list")
 				{
 					list_flds = true;
@@ -664,6 +678,9 @@ int falco_init(int argc, char **argv)
 			inspector->set_cri_socket_path(cri_socket_path);
 		}

+		// Decide wether to do sync or async for CRI metadata fetch
+		inspector->set_cri_async(cri_async);
+
 		//
 		// If required, set the snaplen
 		//
@@ -895,7 +912,7 @@ int falco_init(int argc, char **argv)
 			printf("%s\n", support.dump().c_str());
 			goto exit;
 		}
-		
+
 		// read hostname
 		string hostname;
 		if(char* env_hostname = getenv("FALCO_GRPC_HOSTNAME"))
--- a/userspace/falco/falco_outputs.cpp
+++ b/userspace/falco/falco_outputs.cpp
@@ -23,6 +23,7 @@ limitations under the License.
 #include "formats.h"
 #include "logger.h"
 #include "falco_output_queue.h"
+#include "banned.h" // This raises a compilation error when certain functions are used

 using namespace std;
 using namespace falco::output;
@@ -31,18 +32,17 @@ const static struct luaL_reg ll_falco_outputs [] =
 {
 	{"handle_http", &falco_outputs::handle_http},
 	{"handle_grpc", &falco_outputs::handle_grpc},
-	{NULL,NULL}
+	{NULL, NULL}
 };

-falco_outputs::falco_outputs(falco_engine *engine)
-	: m_falco_engine(engine),
-	  m_initialized(false),
-	  m_buffered(true),
-	  m_json_output(false),
-	  m_time_format_iso_8601(false),
-	  m_hostname("")
+falco_outputs::falco_outputs(falco_engine *engine):
+	m_falco_engine(engine),
+	m_initialized(false),
+	m_buffered(true),
+	m_json_output(false),
+	m_time_format_iso_8601(false),
+	m_hostname("")
 {
-
 }

 falco_outputs::~falco_outputs()
@@ -63,7 +63,7 @@ falco_outputs::~falco_outputs()

 		if(lua_pcall(m_ls, 0, 0, 0) != 0)
 		{
-			const char* lerr = lua_tostring(m_ls, -1);
+			const char *lerr = lua_tostring(m_ls, -1);
 			falco_logger::log(LOG_ERR, std::string("lua_pcall failed, err: ") + lerr);
 			assert(nullptr == "lua_pcall failed in ~falco_outputs");
 		}
@@ -76,7 +76,7 @@ void falco_outputs::init(bool json_output,
 			 bool time_format_iso_8601, string hostname)
 {
 	// The engine must have been given an inspector by now.
-	if(! m_inspector)
+	if(!m_inspector)
 	{
 		throw falco_exception("No inspector provided");
 	}
@@ -117,12 +117,12 @@ void falco_outputs::add_output(output_config oc)
 	lua_pushnumber(m_ls, (m_time_format_iso_8601 ? 1 : 0));

 	// If we have options, build up a lua table containing them
-	if (oc.options.size())
+	if(oc.options.size())
 	{
 		nargs = 4;
 		lua_createtable(m_ls, 0, oc.options.size());

-		for (auto it = oc.options.cbegin(); it != oc.options.cend(); ++it)
+		for(auto it = oc.options.cbegin(); it != oc.options.cend(); ++it)
 		{
 			lua_pushstring(m_ls, (*it).second.c_str());
 			lua_setfield(m_ls, -2, (*it).first.c_str());
@@ -131,10 +131,9 @@ void falco_outputs::add_output(output_config oc)

 	if(lua_pcall(m_ls, nargs, 0, 0) != 0)
 	{
-		const char* lerr = lua_tostring(m_ls, -1);
+		const char *lerr = lua_tostring(m_ls, -1);
 		throw falco_exception(string(lerr));
 	}
-
 }

 void falco_outputs::handle_event(gen_event *ev, string &rule, string &source,
@@ -161,7 +160,7 @@ void falco_outputs::handle_event(gen_event *ev, string &rule, string &source,

 		if(lua_pcall(m_ls, 7, 0, 0) != 0)
 		{
-			const char* lerr = lua_tostring(m_ls, -1);
+			const char *lerr = lua_tostring(m_ls, -1);
 			string err = "Error invoking function output: " + string(lerr);
 			throw falco_exception(err);
 		}
@@ -176,7 +175,7 @@ void falco_outputs::handle_msg(uint64_t now,
 			       falco_common::priority_type priority,
 			       std::string &msg,
 			       std::string &rule,
-			       std::map<std::string,std::string> &output_fields)
+			       std::map<std::string, std::string> &output_fields)
 {
 	std::string full_msg;

@@ -185,9 +184,9 @@ void falco_outputs::handle_msg(uint64_t now,
 		nlohmann::json jmsg;

 		// Convert the time-as-nanoseconds to a more json-friendly ISO8601.
-		time_t evttime = now/1000000000;
+		time_t evttime = now / 1000000000;
 		char time_sec[20]; // sizeof "YYYY-MM-DDTHH:MM:SS"
-		char time_ns[12]; // sizeof ".sssssssssZ"
+		char time_ns[12];  // sizeof ".sssssssssZ"
 		string iso8601evttime;

 		strftime(time_sec, sizeof(time_sec), "%FT%T", gmtime(&evttime));
@@ -235,7 +234,7 @@ void falco_outputs::handle_msg(uint64_t now,

 		if(lua_pcall(m_ls, 3, 0, 0) != 0)
 		{
-			const char* lerr = lua_tostring(m_ls, -1);
+			const char *lerr = lua_tostring(m_ls, -1);
 			string err = "Error invoking function output: " + string(lerr);
 			throw falco_exception(err);
 		}
@@ -244,7 +243,6 @@ void falco_outputs::handle_msg(uint64_t now,
 	{
 		throw falco_exception("No function " + m_lua_output_msg + " found in lua compiler module");
 	}
-
 }

 void falco_outputs::reopen_outputs()
@@ -257,7 +255,7 @@ void falco_outputs::reopen_outputs()

 	if(lua_pcall(m_ls, 0, 0, 0) != 0)
 	{
-		const char* lerr = lua_tostring(m_ls, -1);
+		const char *lerr = lua_tostring(m_ls, -1);
 		throw falco_exception(string(lerr));
 	}
 }
@@ -276,8 +274,8 @@ int falco_outputs::handle_http(lua_State *ls)
 		lua_error(ls);
 	}

-	string url = (char *) lua_tostring(ls, 1);
-	string msg = (char *) lua_tostring(ls, 2);
+	string url = (char *)lua_tostring(ls, 1);
+	string msg = (char *)lua_tostring(ls, 2);

 	curl = curl_easy_init();
 	if(curl)
@@ -290,8 +288,9 @@ int falco_outputs::handle_http(lua_State *ls)

 		res = curl_easy_perform(curl);

-		if(res != CURLE_OK) {
-			falco_logger::log(LOG_ERR,"libcurl error: " + string(curl_easy_strerror(res)));
+		if(res != CURLE_OK)
+		{
+			falco_logger::log(LOG_ERR, "libcurl error: " + string(curl_easy_strerror(res)));
 		}
 		curl_easy_cleanup(curl);
 		curl = NULL;
@@ -320,12 +319,13 @@ int falco_outputs::handle_grpc(lua_State *ls)
 	response grpc_res = response();

 	// time
-	gen_event* evt = (gen_event*)lua_topointer(ls, 1);
-	auto& timestamp = *grpc_res.mutable_time();
-	timestamp = google::protobuf::util::TimeUtil::NanosecondsToTimestamp(evt->get_ts());
+	gen_event *evt = (gen_event *)lua_topointer(ls, 1);
+	auto timestamp = grpc_res.mutable_time();
+	*timestamp = google::protobuf::util::TimeUtil::NanosecondsToTimestamp(evt->get_ts());

 	// rule
-	grpc_res.set_rule((char *)lua_tostring(ls, 2));
+	auto rule = grpc_res.mutable_rule();
+	*rule = (char *)lua_tostring(ls, 2);

 	// source
 	falco::schema::source s = falco::schema::source::SYSCALL;
@@ -348,20 +348,23 @@ int falco_outputs::handle_grpc(lua_State *ls)
 	grpc_res.set_priority(p);

 	// output
-	grpc_res.set_output((char *)lua_tostring(ls, 5));
+	auto output = grpc_res.mutable_output();
+	*output = (char *)lua_tostring(ls, 5);

 	// output fields
-	auto& fields = *grpc_res.mutable_output_fields();
+	auto &fields = *grpc_res.mutable_output_fields();

 	lua_pushnil(ls); // so that lua_next removes it from stack and puts (k, v) on it
-	while (lua_next(ls, 6) != 0) {
+	while(lua_next(ls, 6) != 0)
+	{
 		fields[lua_tostring(ls, -2)] = lua_tostring(ls, -1);
 		lua_pop(ls, 1); // remove value, keep key for lua_next
 	}
 	lua_pop(ls, 1); // pop table

 	// hostname
-	grpc_res.set_hostname((char* )lua_tostring(ls, 7));
+	auto host = grpc_res.mutable_hostname();
+	*host = (char *)lua_tostring(ls, 7);

 	falco::output::queue::get().push(grpc_res);

--- a/userspace/falco/grpc_context.cpp
+++ b/userspace/falco/grpc_context.cpp
@@ -17,6 +17,7 @@ limitations under the License.
 #include <sstream>

 #include "grpc_context.h"
+#include "banned.h" // This raises a compilation error when certain functions are used

 falco::grpc::context::context(::grpc::ServerContext* ctx):
 	m_ctx(ctx)
--- a/userspace/falco/grpc_context.h
+++ b/userspace/falco/grpc_context.h
@@ -62,5 +62,6 @@ public:
 	mutable void* m_stream = nullptr; // todo(fntlnz, leodido) > useful in the future
 	mutable bool m_has_more = false;
 };
+
 } // namespace grpc
 } // namespace falco
--- a/userspace/falco/grpc_request_context.cpp
+++ b/userspace/falco/grpc_request_context.cpp
@@ -0,0 +1,137 @@
+/*
+Copyright (C) 2016-2019 The Falco Authors
+
+This file is part of falco.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "grpc_request_context.h"
+
+namespace falco
+{
+namespace grpc
+{
+
+template<>
+void request_stream_context<falco::output::service, falco::output::request, falco::output::response>::start(server* srv)
+{
+	m_state = request_context_base::REQUEST;
+	m_srv_ctx.reset(new ::grpc::ServerContext);
+	auto srvctx = m_srv_ctx.get();
+	m_res_writer.reset(new ::grpc::ServerAsyncWriter<output::response>(srvctx));
+	m_stream_ctx.reset();
+	m_req.Clear();
+	auto cq = srv->m_completion_queue.get();
+	// todo(leodido) > log "calling m_request_func: tag=this, state=m_state"
+	(srv->m_output_svc.*m_request_func)(srvctx, &m_req, m_res_writer.get(), cq, cq, this);
+}
+
+template<>
+void request_stream_context<falco::output::service, falco::output::request, falco::output::response>::process(server* srv)
+{
+	// When it is the 1st process call
+	if(m_state == request_context_base::REQUEST)
+	{
+		m_state = request_context_base::WRITE;
+		m_stream_ctx.reset(new stream_context(m_srv_ctx.get()));
+	}
+
+	// Processing
+	output::response res;
+	(srv->*m_process_func)(*m_stream_ctx, m_req, res); // subscribe()
+
+	// When there are still more responses to stream
+	if(m_stream_ctx->m_has_more)
+	{
+		// todo(leodido) > log "write: tag=this, state=m_state"
+		m_res_writer->Write(res, this);
+	}
+	// No more responses to stream
+	else
+	{
+		// Communicate to the gRPC runtime that we have finished.
+		// The memory address of "this" instance uniquely identifies the event.
+		m_state = request_context_base::FINISH;
+		// todo(leodido) > log "finish: tag=this, state=m_state"
+		m_res_writer->Finish(::grpc::Status::OK, this);
+	}
+}
+
+template<>
+void request_stream_context<falco::output::service, falco::output::request, falco::output::response>::end(server* srv, bool errored)
+{
+	if(m_stream_ctx)
+	{
+		if(errored)
+		{
+			// todo(leodido) > log error "error streaming: tag=this, state=m_state, stream=m_stream_ctx->m_stream"
+		}
+		m_stream_ctx->m_status = errored ? stream_context::ERROR : stream_context::SUCCESS;
+
+		// Complete the processing
+		output::response res;
+		(srv->*m_process_func)(*m_stream_ctx, m_req, res); // subscribe()
+	}
+	else
+	{
+		// Flow enters here when the processing of "m_request_func" fails.
+		// Since this happens into the `start()` function, the processing does not advance to the `process()` function.
+		// So, `m_stream_ctx` is null because it is set into the `process()` function.
+		// The stream haven't started.
+
+		// todo(leodido) > log error "ending streaming: tag=this, state=m_state, stream=null"
+	}
+
+	// Ask to start processing requests
+	start(srv);
+}
+
+template<>
+void falco::grpc::request_context<falco::version::service, falco::version::request, falco::version::response>::start(server* srv)
+{
+	m_state = request_context_base::REQUEST;
+	m_srv_ctx.reset(new ::grpc::ServerContext);
+	auto srvctx = m_srv_ctx.get();
+	m_res_writer.reset(new ::grpc::ServerAsyncResponseWriter<version::response>(srvctx));
+	m_req.Clear();
+	auto cq = srv->m_completion_queue.get();
+	// Request to start processing given requests.
+	// Using "this" - ie., the memory address of this context - as the tag that uniquely identifies the request.
+	// In this way, different contexts can serve different requests concurrently.
+	(srv->m_version_svc.*m_request_func)(srvctx, &m_req, m_res_writer.get(), cq, cq, this);
+}
+
+template<>
+void falco::grpc::request_context<falco::version::service, falco::version::request, falco::version::response>::process(server* srv)
+{
+	version::response res;
+	(srv->*m_process_func)(m_srv_ctx.get(), m_req, res);
+
+	// Notify the gRPC runtime that this processing is done
+	m_state = request_context_base::FINISH;
+	// Using "this"- ie., the memory address of this context - to uniquely identify the event.
+	m_res_writer->Finish(res, ::grpc::Status::OK, this);
+}
+
+template<>
+void falco::grpc::request_context<falco::version::service, falco::version::request, falco::version::response>::end(server* srv, bool errored)
+{
+	// todo(leodido) > handle processing errors here
+	
+	// Ask to start processing requests
+	start(srv);
+}
+
+} // namespace grpc
+} // namespace falco
--- a/userspace/falco/grpc_request_context.h
+++ b/userspace/falco/grpc_request_context.h
@@ -0,0 +1,100 @@
+/*
+Copyright (C) 2016-2019 The Falco Authors
+
+This file is part of falco.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#pragma once
+
+#include "grpc_server.h"
+
+namespace falco
+{
+namespace grpc
+{
+
+class request_context_base
+{
+public:
+	request_context_base() = default;
+	~request_context_base() = default;
+
+	std::unique_ptr<::grpc::ServerContext> m_srv_ctx;
+	enum : char
+	{
+		UNKNOWN = 0,
+		REQUEST,
+		WRITE,
+		FINISH
+	} m_state = UNKNOWN;
+	virtual void start(server* srv) = 0;
+	virtual void process(server* srv) = 0;
+	virtual void end(server* srv, bool isError) = 0;
+};
+
+// The responsibility of `request_stream_context` template class
+// is to handle streaming responses.
+template<class Service, class Request, class Response>
+class request_stream_context : public request_context_base
+{
+public:
+	request_stream_context():
+		m_process_func(nullptr),
+		m_request_func(nullptr){};
+	~request_stream_context() = default;
+
+	// Pointer to function that does actual processing
+	void (server::*m_process_func)(const stream_context&, const Request&, Response&);
+
+	// Pointer to function that requests the system to start processing given requests
+	void (Service::AsyncService::*m_request_func)(::grpc::ServerContext*, Request*, ::grpc::ServerAsyncWriter<Response>*, ::grpc::CompletionQueue*, ::grpc::ServerCompletionQueue*, void*);
+
+	void start(server* srv);
+	void process(server* srv);
+	void end(server* srv, bool isError);
+
+private:
+	std::unique_ptr<::grpc::ServerAsyncWriter<Response>> m_res_writer;
+	std::unique_ptr<stream_context> m_stream_ctx;
+	Request m_req;
+};
+
+// The responsibility of `request_context` template class
+// is to handle unary responses.
+template<class Service, class Request, class Response>
+class request_context : public request_context_base
+{
+public:
+	request_context():
+		m_process_func(nullptr),
+		m_request_func(nullptr){};
+	~request_context() = default;
+
+	// Pointer to function that does actual processing
+	void (server::*m_process_func)(const context&, const Request&, Response&);
+
+	// Pointer to function that requests the system to start processing given requests
+	void (Service::AsyncService::*m_request_func)(::grpc::ServerContext*, Request*, ::grpc::ServerAsyncResponseWriter<Response>*, ::grpc::CompletionQueue*, ::grpc::ServerCompletionQueue*, void*);
+
+	void start(server* srv);
+	void process(server* srv);
+	void end(server* srv, bool isError);
+
+private:
+	std::unique_ptr<::grpc::ServerAsyncResponseWriter<Response>> m_res_writer;
+	Request m_req;
+};
+} // namespace grpc
+} // namespace falco
--- a/userspace/falco/grpc_server.cpp
+++ b/userspace/falco/grpc_server.cpp
@@ -22,82 +22,28 @@ limitations under the License.

 #include "logger.h"
 #include "grpc_server.h"
-#include "grpc_context.h"
+#include "grpc_request_context.h"
 #include "utils.h"
+#include "banned.h" // This raises a compilation error when certain functions are used

-#define REGISTER_STREAM(req, res, svc, rpc, impl, num)                                  \
-	std::vector<request_stream_context<req, res>> rpc##_contexts(num);         \
-	for(request_stream_context<req, res> & ctx : rpc##_contexts)               \
-	{                                                                          \
-		ctx.m_process_func = &server::impl;                                \
-		ctx.m_request_func = &svc::AsyncService::Request##rpc; \
-		ctx.start(this);                                                   \
+#define REGISTER_STREAM(req, res, svc, rpc, impl, num)                          \
+	std::vector<request_stream_context<svc, req, res>> rpc##_contexts(num); \
+	for(request_stream_context<svc, req, res> & c : rpc##_contexts)         \
+	{                                                                       \
+		c.m_process_func = &server::impl;                               \
+		c.m_request_func = &svc::AsyncService::Request##rpc;            \
+		c.start(this);                                                  \
 	}

-namespace falco
-{
-namespace grpc
-{
-
-template<>
-void request_stream_context<falco::output::request, falco::output::response>::start(server* srv)
-{
-	m_state = request_context_base::REQUEST;
-	m_srv_ctx.reset(new ::grpc::ServerContext);
-	auto srvctx = m_srv_ctx.get();
-	m_res_writer.reset(new ::grpc::ServerAsyncWriter<output::response>(srvctx));
-	m_stream_ctx.reset();
-	m_req.Clear();
-	auto cq = srv->m_completion_queue.get();
-	(srv->m_svc.*m_request_func)(srvctx, &m_req, m_res_writer.get(), cq, cq, this);
-}
-
-template<>
-void request_stream_context<falco::output::request, falco::output::response>::process(server* srv)
-{
-	// When it is the 1st process call
-	if(m_state == request_context_base::REQUEST)
-	{
-		m_state = request_context_base::WRITE;
-		m_stream_ctx.reset(new stream_context(m_srv_ctx.get()));
+#define REGISTER_UNARY(req, res, svc, rpc, impl, num)                    \
+	std::vector<request_context<svc, req, res>> rpc##_contexts(num); \
+	for(request_context<svc, req, res> & c : rpc##_contexts)         \
+	{                                                                \
+		c.m_process_func = &server::impl;                        \
+		c.m_request_func = &svc::AsyncService::Request##rpc;     \
+		c.start(this);                                           \
 	}

-	// Processing
-	output::response res;
-	(srv->*m_process_func)(*m_stream_ctx, m_req, res); // subscribe()
-
-	// When there still are more responses to stream
-	if(m_stream_ctx->m_has_more)
-	{
-		m_res_writer->Write(res, this);
-	}
-	// No more responses to stream
-	else
-	{
-		// Communicate to the gRPC runtime that we have finished.
-		// The memory address of `this` instance uniquely identifies the event.
-		m_state = request_context_base::FINISH;
-		m_res_writer->Finish(::grpc::Status::OK, this);
-	}
-}
-
-template<>
-void request_stream_context<falco::output::request, falco::output::response>::end(server* srv, bool errored)
-{
-	if(m_stream_ctx)
-	{
-		m_stream_ctx->m_status = errored ? stream_context::ERROR : stream_context::SUCCESS;
-
-		// Complete the processing
-		output::response res;
-		(srv->*m_process_func)(*m_stream_ctx, m_req, res); // subscribe()
-	}
-
-	start(srv);
-}
-} // namespace grpc
-} // namespace falco
-
 void falco::grpc::server::thread_process(int thread_index)
 {
 	void* tag = nullptr;
@@ -106,17 +52,22 @@ void falco::grpc::server::thread_process(int thread_index)
 	{
 		if(tag == nullptr)
 		{
+			// todo(leodido) > log error "server completion queue error: empty tag"
 			continue;
 		}

 		// Obtain the context for a given tag
 		request_context_base* ctx = static_cast<request_context_base*>(tag);

+		// todo(leodido) > log "next event: tag=tag, read_success=event_read_success, state=ctx->m_state"
+
 		// When event has not been read successfully
 		if(!event_read_success)
 		{
 			if(ctx->m_state != request_context_base::REQUEST)
 			{
+				// todo(leodido) > log error "server completion queue failing to read: tag=tag"
+
 				// End the context with error
 				ctx->end(this, true);
 			}
@@ -129,17 +80,19 @@ void falco::grpc::server::thread_process(int thread_index)
 		case request_context_base::REQUEST:
 			// Completion of m_request_func
 		case request_context_base::WRITE:
-			// Completion of ServerAsyncWriter::Write()
+			// Completion of Write()
 			ctx->process(this);
 			break;
 		case request_context_base::FINISH:
-			// Completion of ServerAsyncWriter::Finish()
+			// Completion of Finish()
 			ctx->end(this, false);
 			break;
 		default:
-			// todo > log "unkown completion queue event"
+			// todo(leodido) > log error "unkown completion queue event: tag=tag, state=ctx->m_state"
 			break;
 		}
+
+		// todo(leodido) > log "thread completed: index=thread_index"
 	}
 }

@@ -170,7 +123,8 @@ void falco::grpc::server::run()

 	::grpc::ServerBuilder builder;
 	builder.AddListeningPort(m_server_addr, ::grpc::SslServerCredentials(ssl_opts));
-	builder.RegisterService(&m_svc);
+	builder.RegisterService(&m_output_svc);
+	builder.RegisterService(&m_version_svc);

 	m_completion_queue = builder.AddCompletionQueue();
 	m_server = builder.BuildAndStart();
@@ -180,9 +134,10 @@ void falco::grpc::server::run()
 	// This defines the number of simultaneous completion queue requests of the same type (service::AsyncService::Request##RPC)
 	// For this approach to be sufficient server::IMPL have to be fast
 	int context_num = m_threadiness * 10;
-	REGISTER_STREAM(output::request, output::response, output::service, subscribe, subscribe, context_num)
+	// todo(leodido) > take a look at thread_stress_test.cc into grpc repository

-	// register_stream<output::request, output::response>(subscribe, context_num)
+	REGISTER_UNARY(version::request, version::response, version::service, version, version, context_num)
+	REGISTER_STREAM(output::request, output::response, output::service, subscribe, subscribe, context_num)

 	m_threads.resize(m_threadiness);
 	int thread_idx = 0;
@@ -190,11 +145,13 @@ void falco::grpc::server::run()
 	{
 		thread = std::thread(&server::thread_process, this, thread_idx++);
 	}
+	// todo(leodido) > log "gRPC server running: threadiness=m_threads.size()"

 	while(server_impl::is_running())
 	{
 		sleep(1);
 	}
+	// todo(leodido) > log "stopping gRPC server"
 	stop();
 }

@@ -214,7 +171,7 @@ void falco::grpc::server::stop()
 	}
 	m_threads.clear();

-	falco_logger::log(LOG_INFO, "Ignoring all the remaining gRPC events\n");
+	falco_logger::log(LOG_INFO, "Draining all the remaining gRPC events\n");
 	// Ignore remaining events
 	void* ignore_tag = nullptr;
 	bool ignore_ok = false;
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				<svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 708.41 374.92"><defs><style>.cls-1{fill:#00b4c8;}</style></defs><title>Falco horizontal logo_teal2</title><g id="fqqZXT"><path class="cls-1" d="M204.69,154.4Q151.5,208,98,261.25a48.42,48.42,0,0,1-5.27,4.87c-2.55,1.89-5.34,2-7.65-.45s-1.51-5,.41-7.06c4.6-4.94,9.35-9.74,14.13-14.5q52.56-52.31,105.14-104.59c3.35-3.34,18.05,7.52,21.58,11.1"/><path class="cls-1" d="M215.06,171.36c-.15,2.14-1.54,3.55-2.93,4.94l-87.82,87.79c-2.75,2.74-6,5.42-9.46,1.68-3.15-3.39-.5-6.44,2.06-9q43.44-43.44,86.89-86.87c2.21-2.22,4.58-4.23,8-3A4.61,4.61,0,0,1,215.06,171.36Z"/><path class="cls-1" d="M70.93,71c2.42-.09,4.09,1.31,5.64,2.87q41.82,41.79,83.61,83.59c2.6,2.61,5,5.74,1.69,9s-6.41,1-9-1.66Q111,123,69.25,81.2c-2.09-2.1-3.72-4.39-2.45-7.53A4.34,4.34,0,0,1,70.93,71Z"/><path class="cls-1" d="M203.42,268c-5,1-8.9-1.34-12.45-5-6.35-6.61-12.87-13-19.41-19.46-3.85-3.8-4-7.41-.14-11.28,11.14-11.07,22.21-22.21,33.35-33.29,2.45-2.44,5.43-4.49,8.55-1.55,3.48,3.29,1.19,6.41-1.39,9-8.74,8.84-17.44,17.73-26.4,26.35-3.4,3.27-3.93,5.72-.19,9.06,4.22,3.78,8.13,7.91,12,12,2.54,2.68,5.35,4.25,9.18,4.11s8.28-.12,8.16,5.09c-.12,5-4.74,4.8-8.4,5.14A21,21,0,0,1,203.42,268Z"/><path class="cls-1" d="M148.7,178.36c-.75,3.49-2.68,5.6-6.43,4.36a13,13,0,0,1-4.74-3.31q-30.11-30-60.1-60a23.14,23.14,0,0,1-2.56-3c-1.72-2.42-1.88-5,.3-7.11s4.84-1.76,7,.26c3.65,3.42,7.17,7,10.71,10.53q25.65,25.64,51.28,51.3C146.12,173.37,148.49,175.13,148.7,178.36Z"/><path class="cls-1" d="M133.74,192.93a4.9,4.9,0,0,1-2.53,4.29,5.37,5.37,0,0,1-6.63-.95c-3.35-3.1-6.57-6.34-9.8-9.57q-14.34-14.3-28.61-28.63a34.27,34.27,0,0,1-4.17-5,4.57,4.57,0,0,1,.36-6,5,5,0,0,1,6-1.12,11.65,11.65,0,0,1,3.7,2.58q19.44,19.33,38.79,38.76C132.4,188.85,133.77,190.54,133.74,192.93Z"/></g><path class="cls-1" d="M413.15,190.86a25.57,25.57,0,0,0-10.35-6.63,46.78,46.78,0,0,0-16-2.37A83.35,83.35,0,0,0,372,183.12a75.16,75.16,0,0,0-10.58,2.53l2.37,15.48a53.47,53.47,0,0,1,9-2.21A72.44,72.44,0,0,1,385,198a22.61,22.61,0,0,1,8.13,1.26,13,13,0,0,1,5.22,3.56,13.23,13.23,0,0,1,2.76,5.29,24.6,24.6,0,0,1,.79,6.32v3.16a61.65,61.65,0,0,0-7.42-1.34,57.43,57.43,0,0,0-6.64-.4,61.45,61.45,0,0,0-13,1.35,32.26,32.26,0,0,0-11,4.42,22.7,22.7,0,0,0-7.51,8,24.09,24.09,0,0,0-2.76,12A28.39,28.39,0,0,0,356,254.05a21.6,21.6,0,0,0,6.79,8.22,28.56,28.56,0,0,0,10.51,4.58,60.24,60.24,0,0,0,13.58,1.42A137.25,137.25,0,0,0,407,266.93c5.94-.9,10.4-1.66,13.35-2.29V214.56a50.84,50.84,0,0,0-1.66-13.35A24.93,24.93,0,0,0,413.15,190.86Zm-11.3,61.3a71.4,71.4,0,0,1-13.43.94q-7.26,0-11.53-2.6t-4.26-9.4a10,10,0,0,1,1.57-5.77,10.67,10.67,0,0,1,4.19-3.55,20.18,20.18,0,0,1,5.85-1.74,43.43,43.43,0,0,1,6.39-.47,42.23,42.23,0,0,1,6.64.47,37,37,0,0,1,4.58,1Z"/><path class="cls-1" d="M461.38,248.44a9.27,9.27,0,0,1-2-4,26.17,26.17,0,0,1-.55-5.85V143.94l-19.12,3.16v95.1a40.74,40.74,0,0,0,1.35,11,17.57,17.57,0,0,0,4.66,8.06,21.71,21.71,0,0,0,8.92,5,52,52,0,0,0,14.14,1.89l2.69-15.8a29.78,29.78,0,0,1-6.24-1.34A8.76,8.76,0,0,1,461.38,248.44Z"/><path class="cls-1" d="M532.2,251.05a49.24,49.24,0,0,1-9.64.95q-13.11,0-18.64-7.19t-5.53-19.51q0-12.8,5.85-19.83t17.06-7a40.4,40.4,0,0,1,8.92.95,43.38,43.38,0,0,1,7.51,2.37l4.1-15.64a57.88,57.88,0,0,0-22.11-4.26,42.15,42.15,0,0,0-17.06,3.31,37.35,37.35,0,0,0-12.88,9.17,40.64,40.64,0,0,0-8.14,13.82,50.82,50.82,0,0,0-2.84,17.14,56.83,56.83,0,0,0,2.53,17.3A37.22,37.22,0,0,0,489,256.34a34.82,34.82,0,0,0,13,9,47.83,47.83,0,0,0,18.4,3.24,68.05,68.05,0,0,0,13.19-1.27,39.84,39.84,0,0,0,9.56-2.84l-2.69-15.8A45,45,0,0,1,532.2,251.05Z"/><path class="cls-1" d="M625.77,207.37a40.7,40.7,0,0,0-8.14-13.67,35.23,35.23,0,0,0-12.56-8.76,40.93,40.93,0,0,0-16-3.08,40.34,40.34,0,0,0-16,3.08,36.32,36.32,0,0,0-12.56,8.76,39.88,39.88,0,0,0-8.21,13.67,51.31,51.31,0,0,0-2.93,17.77A52,52,0,0,0,552.31,243a40.47,40.47,0,0,0,8.13,13.75,36.57,36.57,0,0,0,12.48,8.85A40.14,40.14,0,0,0,589,268.74a40.69,40.69,0,0,0,16.19-3.15,36.32,36.32,0,0,0,12.56-8.85A39.7,39.7,0,0,0,625.85,243a53.47,53.47,0,0,0,2.84-17.85A51.55,51.55,0,0,0,625.77,207.37Zm-22,37.52q-5.29,7.28-14.77,7.27t-14.77-7.27q-5.29-7.26-5.3-19.75,0-12.31,5.3-19.51T589,198.44q9.48,0,14.77,7.19t5.29,19.51Q609.1,237.62,603.81,244.89Z"/><path class="cls-1" d="M347.24,218h-47.8v50.57H279.65V150h75.89v15.88h-56.1v36.23h47.8Z"/></svg>