docs: changelog for 0.22.1

Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>

.circleci/config.yml

@@ -180,24 +180,24 @@ jobs:
           name: Create versions
           command: |
             FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt vc falcosecurity/deb-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
-            jfrog bt vc falcosecurity/rpm-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
-            jfrog bt vc falcosecurity/bin-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
+            jfrog bt vs falcosecurity/deb-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/deb-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
+            jfrog bt vs falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/rpm-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
+            jfrog bt vs falcosecurity/bin-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/bin-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
       - run:
           name: Publish deb-dev
           command: |
             FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb-dev/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb-dev/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish --override
       - run:
           name: Publish rpm-dev
           command: |
             FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
       - run:
           name: Publish tgz-dev
           command: |
             FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin-dev/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin-dev/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
   # Publish docker packages
   "publish/docker-dev":
     docker:
@@ -210,7 +210,8 @@ jobs:
       - run:
           name: Build and publish slim-dev
           command: |
-            docker build --build-arg VERSION_BUCKET=deb-dev -t falcosecurity/falco:master-slim docker/slim
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            docker build --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:master-slim docker/slim
             echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
             docker push falcosecurity/falco:master-slim
       - run:
@@ -223,7 +224,8 @@ jobs:
       - run:
           name: Build and publish dev
           command: |
-            docker build --build-arg VERSION_BUCKET=deb-dev -t falcosecurity/falco:master docker/stable
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            docker build --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:master docker/stable
             echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
             docker push falcosecurity/falco:master
   # Publish the packages
@@ -237,24 +239,24 @@ jobs:
           name: Create versions
           command: |
             FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt vc falcosecurity/deb/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
-            jfrog bt vc falcosecurity/rpm/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
-            jfrog bt vc falcosecurity/bin/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
+            jfrog bt vs falcosecurity/deb/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/deb/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
+            jfrog bt vs falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/rpm/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
+            jfrog bt vs falcosecurity/bin/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/bin/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
       - run:
           name: Publish deb
           command: |
             FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish --override
       - run:
           name: Publish rpm
           command: |
             FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
       - run:
           name: Publish tgz
           command: |
             FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
   # Publish docker packages
   "publish/docker":
     docker:
@@ -267,7 +269,7 @@ jobs:
       - run:
           name: Build and publish slim
           command: |
-            docker build --build-arg VERSION_BUCKET=deb -t "falcosecurity/falco:${CIRCLE_TAG}-slim" docker/slim
+            docker build --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "falcosecurity/falco:${CIRCLE_TAG}-slim" docker/slim
             docker tag "falcosecurity/falco:${CIRCLE_TAG}-slim" falcosecurity/falco:latest-slim
             echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
             docker push "falcosecurity/falco:${CIRCLE_TAG}-slim"
@@ -284,7 +286,7 @@ jobs:
       - run:
           name: Build and publish stable
           command: |
-            docker build --build-arg VERSION_BUCKET=deb -t "falcosecurity/falco:${CIRCLE_TAG}" docker/stable
+            docker build --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "falcosecurity/falco:${CIRCLE_TAG}" docker/stable
             docker tag "falcosecurity/falco:${CIRCLE_TAG}" falcosecurity/falco:latest
             echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
             docker push "falcosecurity/falco:${CIRCLE_TAG}"
@@ -303,25 +305,28 @@ workflows:
       - "rpm/sign":
           context: falco
           filters:
+            tags:
+              ignore: /.*/
             branches:
-              only:
-                - master
+              only: master
           requires:
             - "tests/integration"
       - "publish/packages-dev":
           context: falco
           filters:
+            tags:
+              ignore: /.*/
             branches:
-              only:
-                - master
+              only: master
           requires:
             - "rpm/sign"
       - "publish/docker-dev":
           context: falco
           filters:
+            tags:
+              ignore: /.*/
             branches:
-              only:
-                - master
+              only: master
           requires:
             - "publish/packages-dev"
   release:

CHANGELOG.md

@@ -2,6 +2,73 @@
 
 This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).
 
+## v0.22.1
+
+Released on 2020-17-04
+
+### Major Changes
+
+* Same as v0.22.0
+
+### Minor Changes
+
+* Same as v0.22.0
+
+### Bug Fixes
+
+* fix: correct driver path (/usr/src/falco-%driver_version%) for RPM package [[#1148](https://github.com/falcosecurity/falco/pull/1148)]
+
+### Rule Changes
+
+* Same as v0.22.0
+
+## v0.22.0
+
+Released on 2020-16-04
+
+### Major Changes
+
+* new: falco version and driver version are distinct and not coupled anymore [[#1111](https://github.com/falcosecurity/falco/pull/1111)]
+* new: flag to disable asynchronous container metadata (CRI) fetch `--disable-cri-async` [[#1099](https://github.com/falcosecurity/falco/pull/1099)]
+
+
+### Minor Changes
+
+* docs(integrations): update API resource versions to Kubernetes 1.16 [[#1044](https://github.com/falcosecurity/falco/pull/1044)]
+* docs: add new release archive to the `README.md` [[#1098](https://github.com/falcosecurity/falco/pull/1098)]
+* update: driver version a259b4bf49c3 [[#1138](https://github.com/falcosecurity/falco/pull/1138)]
+* docs(integrations/k8s-using-daemonset): --cri flag correct socket path [[#1140](https://github.com/falcosecurity/falco/pull/1140)]
+* update: bump driver version to cd3d10123e [[#1131](https://github.com/falcosecurity/falco/pull/1131)]
+* update(docker): remove RHEL, kernel/linuxkit, and kernel/probeloader images [[#1124](https://github.com/falcosecurity/falco/pull/1124)]
+* update: falco-probe-loader script is falco-driver-loader now [[#1111](https://github.com/falcosecurity/falco/pull/1111)]
+* update: using only sha256 hashes when pulling build dependencies [[#1118](https://github.com/falcosecurity/falco/pull/1118)]
+
+
+### Bug Fixes
+
+* fix(integrations/k8s-using-daemonset): added missing privileges for the apps Kubernetes API group in the falco-cluster-role when using RBAC [[#1136](https://github.com/falcosecurity/falco/pull/1136)]
+* fix: connect to docker works also with libcurl >= 7.69.0 [[#1138](https://github.com/falcosecurity/falco/pull/1138)]
+* fix: HOST_ROOT environment variable detection [[#1133](https://github.com/falcosecurity/falco/pull/1133)]
+* fix(driver/bpf): stricter conditionals while dealing with strings [[#1131](https://github.com/falcosecurity/falco/pull/1131)]
+* fix: `/usr/bin/falco-${DRIVER_VERSION}` driver directory [[#1111](https://github.com/falcosecurity/falco/pull/1111)]
+* fix: FALCO_VERSION env variable inside Falco containers contains the Falco version now (not the docker image tag) [[#1111](https://github.com/falcosecurity/falco/pull/1111)]
+
+
+### Rule Changes
+
+* rule(macro user_expected_system_procs_network_activity_conditions): allow whitelisting system binaries using the network under specific conditions [[#1070](https://github.com/falcosecurity/falco/pull/1070)]
+* rule(Full K8s Administrative Access): detect any k8s operation by an administrator with full access [[#1122](https://github.com/falcosecurity/falco/pull/1122)]
+* rule(Ingress Object without TLS Certificate Created): detect any attempt to create an ingress without TLS certification (rule enabled by default) [[#1122](https://github.com/falcosecurity/falco/pull/1122)]
+* rule(Untrusted Node Successfully Joined the Cluster): detect a node successfully joined the cluster outside of the list of allowed nodes [[#1122](https://github.com/falcosecurity/falco/pull/1122)]
+* rule(Untrusted Node Unsuccessfully Tried to Join the Cluster): detect an unsuccessful attempt to join the cluster for a node not in the list of allowed nodes [[#1122](https://github.com/falcosecurity/falco/pull/1122)]
+* rule(Network Connection outside Local Subnet): detect traffic to image outside local subnet [[#1122](https://github.com/falcosecurity/falco/pull/1122)]
+* rule(Outbound or Inbound Traffic not to Authorized Server Process and Port): detect traffic that is not to authorized server process and port [[#1122](https://github.com/falcosecurity/falco/pull/1122)]
+* rule(Delete or rename shell history): "mitre_defense_evation" tag corrected to "mitre_defense_evasion" [[#1143](https://github.com/falcosecurity/falco/pull/1143)]
+* rule(Delete Bash History): "mitre_defense_evation" tag corrected to "mitre_defense_evasion" [[#1143](https://github.com/falcosecurity/falco/pull/1143)]
+* rule(Write below root): use pmatch to check against known root directories [[#1137](https://github.com/falcosecurity/falco/pull/1137)]
+* rule(Detect outbound connections to common miner pool ports): whitelist sysdig/agent and falcosecurity/falco for query miner domain dns [[#1115](https://github.com/falcosecurity/falco/pull/1115)]
+* rule(Service Account Created in Kube Namespace): only detect sa created in kube namespace with success [[#1117](https://github.com/falcosecurity/falco/pull/1117)]
+
 ## v0.21.0
 
 Released on 2020-03-17
@@ -182,7 +249,7 @@ Released 2019-09-26
 
 * Same as v0.17.0
 
-##
+### Minor Changes
 
 * Same as v0.17.0
 

CMakeLists.txt

@@ -73,6 +73,7 @@ include(GetFalcoVersion)
 set(PACKAGE_NAME "falco")
 set(PROBE_NAME "falco-probe")
 set(PROBE_DEVICE_NAME "falco")
+set(DRIVER_LOOKUP_URL "https://s3.amazonaws.com/download.draios.com")
 if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
   set(CMAKE_INSTALL_PREFIX
       /usr
@@ -93,7 +94,7 @@ set(NJSON_INCLUDE "${NJSON_SRC}/single_include")
 ExternalProject_Add(
   njson
   URL "https://s3.amazonaws.com/download.draios.com/dependencies/njson-3.3.0.tar.gz"
-  URL_MD5 "e26760e848656a5da400662e6c5d999a"
+  URL_HASH "SHA256=2fd1d207b4669a7843296c41d3b6ac5b23d00dec48dba507ba051d14564aa801"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""
   INSTALL_COMMAND "")
@@ -112,7 +113,7 @@ set(B64_LIB "${B64_SRC}/src/libb64.a")
 ExternalProject_Add(
   b64
   URL "https://s3.amazonaws.com/download.draios.com/dependencies/libb64-1.2.src.zip"
-  URL_MD5 "a609809408327117e2c643bed91b76c5"
+  URL_HASH "SHA256=343d8d61c5cbe3d3407394f16a5390c06f8ff907bd8d614c16546310b689bfd3"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ${CMD_MAKE}
   BUILD_IN_SOURCE 1
@@ -135,7 +136,7 @@ set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
 ExternalProject_Add(
   luajit
   URL "https://s3.amazonaws.com/download.draios.com/dependencies/LuaJIT-2.0.3.tar.gz"
-  URL_MD5 "f14e9104be513913810cd59c8c658dc0"
+  URL_HASH "SHA256=55be6cb2d101ed38acca32c5b1f99ae345904b365b642203194c585d27bebd79"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ${CMD_MAKE}
   BUILD_IN_SOURCE 1
@@ -151,7 +152,7 @@ ExternalProject_Add(
   lpeg
   DEPENDS ${LPEG_DEPENDENCIES}
   URL "https://s3.amazonaws.com/download.draios.com/dependencies/lpeg-1.0.0.tar.gz"
-  URL_MD5 "0aec64ccd13996202ad0c099e2877ece"
+  URL_HASH "SHA256=10190ae758a22a16415429a9eb70344cf29cbda738a6962a9f94a732340abf8e"
   BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
   BUILD_IN_SOURCE 1
   CONFIGURE_COMMAND ""
@@ -175,14 +176,14 @@ ExternalProject_Add(
   lyaml
   DEPENDS ${LYAML_DEPENDENCIES}
   URL "https://s3.amazonaws.com/download.draios.com/dependencies/lyaml-release-v6.0.tar.gz"
-  URL_MD5 "dc3494689a0dce7cf44e7a99c72b1f30"
+  URL_HASH "SHA256=9d7cf74d776999ff6f758c569d5202ff5da1f303c6f4229d3b41f71cd3a3e7a7"
   BUILD_COMMAND ${CMD_MAKE}
   BUILD_IN_SOURCE 1
   CONFIGURE_COMMAND ./configure --enable-static LIBS=-lyaml LUA_INCLUDE=-I${LUAJIT_INCLUDE} LUA=${LUAJIT_SRC}/luajit
   INSTALL_COMMAND sh -c
                   "cp -R ${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/lib/* ${PROJECT_SOURCE_DIR}/userspace/engine/lua")
 
-# Intel TBB
+# One TBB
 set(TBB_SRC "${PROJECT_BINARY_DIR}/tbb-prefix/src/tbb")
 
 message(STATUS "Using bundled tbb in '${TBB_SRC}'")
@@ -191,8 +192,8 @@ set(TBB_INCLUDE_DIR "${TBB_SRC}/include/")
 set(TBB_LIB "${TBB_SRC}/build/lib_release/libtbb.a")
 ExternalProject_Add(
   tbb
-  URL "https://github.com/intel/tbb/archive/2018_U5.tar.gz"
-  URL_MD5 "ff3ae09f8c23892fbc3008c39f78288f"
+  URL "https://github.com/oneapi-src/oneTBB/archive/2018_U5.tar.gz"
+  URL_HASH "SHA256=b8dbab5aea2b70cf07844f86fa413e549e099aa3205b6a04059ca92ead93a372"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ${CMD_MAKE} tbb_build_dir=${TBB_SRC}/build tbb_build_prefix=lib extra_inc=big_iron.inc
   BUILD_IN_SOURCE 1
@@ -207,7 +208,7 @@ message(STATUS "Using bundled civetweb in '${CIVETWEB_SRC}'")
 ExternalProject_Add(
   civetweb
   URL "https://github.com/civetweb/civetweb/archive/v1.11.tar.gz"
-  URL_MD5 "b6d2175650a27924bccb747cbe084cd4"
+  URL_HASH "SHA256=de7d5e7a2d9551d325898c71e41d437d5f7b51e754b242af897f7be96e713a42"
   CONFIGURE_COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/lib
   COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/include
   BUILD_IN_SOURCE 1

README.md

@@ -5,13 +5,18 @@
 
 # The Falco Project
 
-#### Latest release
-
-**v0.21.0**
-Read the [change log](CHANGELOG.md)
-
 [![Build Status](https://img.shields.io/circleci/build/github/falcosecurity/falco/master?style=for-the-badge)](https://circleci.com/gh/falcosecurity/falco) [![CII Best Practices Summary](https://img.shields.io/cii/summary/2317?label=CCI%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) [![GitHub](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING)
 
+#### Latest releases
+
+Read the [change log](CHANGELOG.md).
+
+|        | development                                                                                                                 | stable                                                                                                              |
+|--------|-----------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------|
+| rpm    | [![rpm-dev](https://img.shields.io/bintray/v/falcosecurity/rpm-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][1] | [![rpm](https://img.shields.io/bintray/v/falcosecurity/rpm/falco?label=Falco&color=%23005763&style=flat-square)][2] |
+| deb    | [![deb-dev](https://img.shields.io/bintray/v/falcosecurity/deb-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][3] | [![deb](https://img.shields.io/bintray/v/falcosecurity/deb/falco?label=Falco&color=%23005763&style=flat-square)][4] |
+| binary | [![bin-dev](https://img.shields.io/bintray/v/falcosecurity/bin-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][5] | [![bin](https://img.shields.io/bintray/v/falcosecurity/bin/falco?label=Falco&color=%23005763&style=flat-square)][6] |
+
 ---
 
 Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Falco audits a system at the most fundamental level, the kernel. Falco then enriches this data with other input streams such as container runtime metrics, and Kubernetes metrics. Falco lets you continuously monitor and detect container, application, host, and network activity—all in one place—from one source of data, with one set of rules.
@@ -32,7 +37,9 @@ Falco can detect and alert on any behavior that involves making Linux system cal
 
 ### Installing Falco
 
-A comprehensive [installation guide](https://falco.org/docs/installation/) for Falco is available in the documentation website.
+You can find the latest release downloads on the official [release archive](https://bintray.com/falcosecurity)
+
+Furthermore the comprehensive [installation guide](https://falco.org/docs/installation/) for Falco is available in the documentation website.
 
 #### How do you compare Falco with other security tools?
 
@@ -68,3 +75,10 @@ A third party security audit was performed by Cure53, you can see the full repor
 
 ### Reporting security vulnerabilities
 Please report security vulnerabilities following the community process documented [here](https://github.com/falcosecurity/.github/blob/master/SECURITY.md).
+
+[1]: https://dl.bintray.com/falcosecurity/rpm-dev
+[2]: https://dl.bintray.com/falcosecurity/rpm
+[3]: https://dl.bintray.com/falcosecurity/deb-dev/stable
+[4]: https://dl.bintray.com/falcosecurity/deb/stable
+[5]: https://dl.bintray.com/falcosecurity/bin-dev/x86_64
+[6]: https://dl.bintray.com/falcosecurity/bin/x86_64

cmake/modules/CPackConfig.cmake

@@ -19,15 +19,15 @@ set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")
 set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "https://www.falco.org")
 set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0), libyaml-0-2")
 set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
-    "${CMAKE_BINARY_DIR}/scripts/debian/postinst;${CMAKE_BINARY_DIR}/scripts/debian/prerm;${PROJECT_SOURCE_DIR}/scripts/debian/postrm;${PROJECT_SOURCE_DIR}/cmake/cpack/debian/conffiles"
+    "${CMAKE_BINARY_DIR}/scripts/debian/postinst;${CMAKE_BINARY_DIR}/scripts/debian/prerm;${CMAKE_BINARY_DIR}/scripts/debian/postrm;${PROJECT_SOURCE_DIR}/cmake/cpack/debian/conffiles"
 )
 
 set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0")
 set(CPACK_RPM_PACKAGE_URL "https://www.falco.org")
 set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, libyaml, ncurses")
-set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${PROJECT_SOURCE_DIR}/scripts/rpm/postinstall")
-set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${PROJECT_SOURCE_DIR}/scripts/rpm/preuninstall")
-set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${PROJECT_SOURCE_DIR}/scripts/rpm/postuninstall")
+set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postinstall")
+set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/preuninstall")
+set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postuninstall")
 set(CPACK_RPM_PACKAGE_VERSION "${FALCO_VERSION}")
 set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION
     /usr/src

cmake/modules/DownloadCatch.cmake

@@ -15,7 +15,7 @@ include(ExternalProject)
 set(CATCH2_INCLUDE ${CMAKE_BINARY_DIR}/catch2-prefix/include)
 
 set(CATCH_EXTERNAL_URL URL https://github.com/catchorg/catch2/archive/v2.9.1.tar.gz URL_HASH
-                       MD5=4980778888fed635bf191d8a86f9f89c)
+                       SHA256=0b36488aca6265e7be14da2c2d0c748b4ddb9c70a1ea4da75736699c629f14ac)
 
 ExternalProject_Add(
   catch2

cmake/modules/DownloadFakeIt.cmake

@@ -15,7 +15,7 @@ include(ExternalProject)
 set(FAKEIT_INCLUDE ${CMAKE_BINARY_DIR}/fakeit-prefix/include)
 
 set(FAKEIT_EXTERNAL_URL URL https://github.com/eranpeer/fakeit/archive/2.0.5.tar.gz URL_HASH
-                        MD5=d3d21b909cebaea5b780af5500bf384e)
+                        SHA256=298539c773baca6ecbc28914306bba19d1008e098f8adc3ad3bb00e993ecdf15)
 
 ExternalProject_Add(
   fakeit-external

cmake/modules/OpenSSL.cmake

@@ -21,7 +21,7 @@ else()
     openssl
     # START CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
     URL "https://s3.amazonaws.com/download.draios.com/dependencies/openssl-1.0.2n.tar.gz"
-    URL_MD5 "13bdc1b1d1ff39b6fd42a255e74676a4"
+    URL_HASH "SHA256=370babb75f278c39e0c50e8c4e7493bc0f18db6867478341a832a982fd15a8fe"
     # END CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
     CONFIGURE_COMMAND ./config shared --prefix=${OPENSSL_INSTALL_DIR}
     BUILD_COMMAND ${CMD_MAKE}

cmake/modules/cURL.cmake

@@ -32,7 +32,7 @@ else()
     DEPENDS openssl
     # START CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
     URL "https://s3.amazonaws.com/download.draios.com/dependencies/curl-7.61.0.tar.bz2"
-    URL_MD5 "31d0a9f48dc796a7db351898a1e5058a"
+    URL_HASH "SHA256=5f6f336921cf5b84de56afbd08dfb70adeef2303751ffb3e570c936c6d656c9c"
     # END CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
     CONFIGURE_COMMAND
       ./configure

cmake/modules/jq.cmake

@@ -26,7 +26,7 @@ else()
   ExternalProject_Add(
     jq
     URL "https://github.com/stedolan/jq/releases/download/jq-1.5/jq-1.5.tar.gz"
-    URL_MD5 "0933532b086bd8b6a41c1b162b1731f9"
+    URL_HASH "SHA256=c4d2bfec6436341113419debf479d833692cc5cdab7eb0326b5a4d4fbe9f493c"
     CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking
     BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
     BUILD_IN_SOURCE 1

cmake/modules/sysdig-repo/patch/libscap.patch

@@ -1,5 +1,5 @@
 diff --git a/userspace/libscap/scap.c b/userspace/libscap/scap.c
-index 59b04e0a..bdc311cb 100644
+index e9faea51..a1b3b501 100644
 --- a/userspace/libscap/scap.c
 +++ b/userspace/libscap/scap.c
 @@ -52,7 +52,7 @@ limitations under the License.
@@ -20,3 +20,12 @@ index 59b04e0a..bdc311cb 100644
  			bpf_probe = buf;
  		}
  	}
+@@ -1808,7 +1808,7 @@ int32_t scap_disable_dynamic_snaplen(scap_t* handle)
+ 
+ const char* scap_get_host_root()
+ {
+-	char* p = getenv("SYSDIG_HOST_ROOT");
++	char* p = getenv("HOST_ROOT");
+ 	static char env_str[SCAP_MAX_PATH_SIZE + 1];
+ 	static bool inited = false;
+ 	if (! inited) {

cmake/modules/sysdig.cmake

@@ -26,8 +26,8 @@ file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
 # To update sysdig version for the next release, change the default below
 # In case you want to test against another sysdig version just pass the variable - ie., `cmake -DSYSDIG_VERSION=dev ..`
 if(NOT SYSDIG_VERSION)
-  set(SYSDIG_VERSION "be1ea2d9482d0e6e2cb14a0fd7e08cbecf517f94")
-  set(SYSDIG_CHECKSUM "SHA256=1c69363e4c36cdaeed413c2ef557af53bfc4bf1109fbcb6d6e18dc40fe6ddec8")
+  set(SYSDIG_VERSION "a259b4bf49c3330d9ad6c3eed9eb1a31954259a6")
+  set(SYSDIG_CHECKSUM "SHA256=fdbeb8d182e6383fe89428e0934d521636068f62109c1b3ca11689d886458284")
 endif()
 set(PROBE_VERSION "${SYSDIG_VERSION}")
 

cmake/modules/yaml-cpp.cmake

@@ -26,7 +26,7 @@ else()
   ExternalProject_Add(
     yamlcpp
     URL "https://github.com/jbeder/yaml-cpp/archive/yaml-cpp-0.6.2.tar.gz"
-    URL_MD5 "5b943e9af0060d0811148b037449ef82"
+    URL_HASH "SHA256=e4d8560e163c3d875fd5d9e5542b5fd5bec810febdcba61481fe5fc4e6b1fd05"
     BUILD_IN_SOURCE 1
     INSTALL_COMMAND "")
 endif()

docker/README.md

@@ -2,29 +2,17 @@
 
 This directory contains the various ways to package Falco as a container. 
 
-## Currently Supported Containers
+## Currently Supported Images
 
-### `falcosecurity/falco` Dockerfiles
- - `./dev`: Builds a container image from the `dev` apt repo.
- - `./stable`: Builds a container image from the `stable` apt repo.
- - `./local`: Builds a container image from a locally provided Falco `dpkg` package.
+| Name | Directory | Description |
+|---|---|---|
+| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/stable | Falco (DEB built from git tag or from the master) with all the building toolchain. | 
+| [falcosecurity/falco:latest-slim](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master-slim](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/slim | Falco (DEB build from git tag or from the master) without the building toolchain. | 
+| [falcosecurity/falco:latest-minimal](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master-minimal](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/minimal | Falco (TGZ built from git tag or from the master) without the building toolchain. | 
+| [falcosecurity/falco-event-generator:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-event-generator) | docker/event-generator | Event generator tool to simulate events Falco catches. | 
+| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source. Used to build Falco (CI). | 
+| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). | 
+| _to not be published_ | docker/local | Built on-the-fly and used by falco-tester. |
 
-### Build & Testing Dockerfiles
- - `./builder`: `falcosecurity/falco-builder` - The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source.
- - `./tester`: `falcosecurity/falco-tester` - Container image for running the Falco test suite.
-
-## Alpha Release Containers
-
-These Dockerfiles (and resulting container images) are currently in `alpha`. We'd love for you to test these images and [report any feedback](https://github.com/falcosecurity/falco/issues/new/choose).
-
-### Slim and Minimal Dockerfiles
-The goal of these container images is to reduce the size of the underlying Falco container. 
- - `./slim-dev`: Like `./dev` above but removes build tools for older kernels.
- - `./slim-stable`: Like `./stable` above but removes build tools for older kernels.
- - `./minimal`: A minimal container image (~20mb), containing only the files required to run Falco.
-
-### Init Containers
-These container images allow for the delivery of the kernel module or eBPF probe either via HTTP or via a container image.
- - `kernel/linuxkit`: Multistage Dockerfile to build a Falco kernel module for Linuxkit (Docker Desktop). Generates an alpine based container image with the kernel module, and `insmod` as the container `CMD`.  
- - `kernel/probeloader`: Multistage Dockerfile to build a Go based application to download (via HTTPS) and load a Falco kernel module. The resulting container image can be ran as an `initContainer` to load the Falco module before Falco starts.
+> Note: `falco-builder`, `falco-tester` (and the `docker/local` image that it's built on the fly) are not integrated into the release process because they are development and CI tools that need to be manually pushed only when updated.
 

docker/kernel/linuxkit/Dockerfile

@@ -1,38 +0,0 @@
-ARG ALPINE_VERSION=3.10
-ARG KERNEL_VERSION=4.9.184
-ARG FALCO_VERSION=0.21.0
-
-FROM linuxkit/kernel:${KERNEL_VERSION} AS ksrc
-FROM falcosecurity/falco:${FALCO_VERSION}-minimal as falco
-FROM alpine:${ALPINE_VERSION} AS probe-build
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-ARG KERNEL_VERSION=4.9.184
-ARG FALCO_VERSION=0.21.0
-ENV FALCO_VERSION=${FALCO_VERSION}
-ENV KERNEL_VERSION=${KERNEL_VERSION}
-
-COPY --from=ksrc /kernel-dev.tar /
-COPY --from=falco /usr/src/falco-${FALCO_VERSION} /usr/src/falco-${FALCO_VERSION}
-
-RUN apk add --no-cache --update \
-  build-base gcc abuild binutils \
-  bc \
-  autoconf && \
-  export KERNELVER=`uname -r  | cut -d '-' -f 1`  && \
-  export KERNELDIR=/usr/src/linux-headers-${KERNEL_VERSION}-linuxkit/ && \
-  tar xf /kernel-dev.tar && \
-  cd $KERNELDIR && \
-  zcat /proc/1/root/proc/config.gz > .config && \
-  make olddefconfig && \
-  cd /usr/src/falco-${FALCO_VERSION} && \
-  make && \
-  apk del \
-  build-base gcc abuild binutils \
-  bc \
-  autoconf
-
-FROM alpine:${ALPINE_VERSION}
-ARG FALCO_VERSION=0.21.0
-ENV FALCO_VERSION=${FALCO_VERSION}
-COPY --from=probe-build /usr/src/falco-${FALCO_VERSION}/falco-probe.ko /
-CMD ["insmod","/falco-probe.ko"]

docker/kernel/probeloader/Dockerfile

@@ -1,18 +0,0 @@
-FROM golang:1.13-alpine AS build
-ARG FALCOCTL_REF=2be3df92edbac668284fe5c165ccb5bd6bf4e869
-
-RUN apk --no-cache add build-base git gcc ca-certificates
-
-RUN git clone https://github.com/falcosecurity/falcoctl.git /falcoctl
-
-WORKDIR /falcoctl
-
-RUN git checkout ${FALCOCTL_REF}
-RUN go mod vendor
-RUN CGO_ENABLED=0 GOOS=linux go build -a -o falcoctl -ldflags '-extldflags "-static"' .
-
-FROM scratch
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
-COPY --from=build /falcoctl/falcoctl /falcoctl
-CMD ["/falcoctl", "install", "probe"]

docker/local/docker-entrypoint.sh

@@ -29,7 +29,7 @@ if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
         ln -s "$i" "/usr/src/$base"
     done
 
-    /usr/bin/falco-probe-loader
+    /usr/bin/falco-driver-loader
 fi
 
 exec "$@"

docker/rhel/Dockerfile

@@ -1,38 +0,0 @@
-FROM registry.access.redhat.com/rhel7
-
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-
-## Atomic/OpenShift Labels - https://github.com/projectatomic/ContainerApplicationGenericLabels
-LABEL name="falco"
-LABEL vendor="falcosecurity"
-LABEL url="http://falco.org"
-LABEL summary="Cloud Native Runtime Security"
-LABEL description="Falco is an open-source project for intrusion and abnormality detection for Cloud Native platforms."
-LABEL run='docker run -d --name falco --restart always --privileged --net host --pid host -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --shm-size=350m <image>'
-
-COPY help.md /tmp/
-
-ENV HOST_ROOT /host
-ENV HOME /root
-
-ADD https://falco.org/repo/falcosecurity-rpm.repo /etc/yum.repos.d/falcosecurity.repo
-RUN rpm --import https://falco.org/repo/falcosecurity-3672BA8F.asc && \
-    rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && \
-    yum clean all && \
-    REPOLIST=rhel-7-server-rpms,rhel-7-server-optional-rpms,epel,draios \
-    INSTALL_PKGS="gcc dkms kernel-devel kernel-headers python golang-github-cpuguy83-go-md2man falco" && \
-    yum -y update-minimal --disablerepo "*" --enablerepo ${REPOLIST} --setopt=tsflags=nodocs \
-    --security --sec-severity=Important --sec-severity=Critical && \
-    yum -y install --disablerepo "*" --enablerepo ${REPOLIST} --setopt=tsflags=nodocs ${INSTALL_PKGS} && \
-    ## help file markdown to man conversion
-    go-md2man -in /tmp/help.md -out /help.1 && \
-    ## we delete everything on /usr/src/kernels otherwise it messes up docker-entrypoint.sh
-    rm -fr /usr/src/kernels && \
-    rm -df /lib/modules && ln -s $HOST_ROOT/lib/modules /lib/modules && \
-    yum clean all
-
-COPY ./docker-entrypoint.sh /
-
-ENTRYPOINT ["/docker-entrypoint.sh"]
-
-CMD ["/usr/bin/falco"]

docker/rhel/docker-entrypoint.sh

@@ -1,35 +0,0 @@
-#!/usr/bin/env bash
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# set -e
-
-# Set the SKIP_MODULE_LOAD variable to skip loading the kernel module
-
-if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
-    echo "* Setting up /usr/src links from host"
-
-    for i in "$HOST_ROOT/usr/src"/*
-    do
-        base=$(basename "$i")
-        ln -s "$i" "/usr/src/$base"
-    done
-
-    /usr/bin/falco-probe-loader
-fi
-
-exec "$@"

docker/rhel/help.md

@@ -1,15 +0,0 @@
-% falco (1) Container Image Pages
-% Falco Team
-% June, 2017
-
-# NAME
-falco \- Container Native runtime security
-
-# DESCRIPTION
-Falco is an open source project for intrusion and abnormality detection for Cloud Native platforms. See Falco website for more information: http://falco.org/
-
-# EXAMPLE
-    docker run -d --name falco --restart always --privileged --net host --pid host -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --shm-size=350m registry.connect.redhat.com/sysdig/falco
-
-# AUTHORS
-Falco Team

docker/stable/docker-entrypoint.sh

@@ -29,7 +29,7 @@ if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
         ln -s "$i" "/usr/src/$base"
     done
 
-    /usr/bin/falco-probe-loader
+    /usr/bin/falco-driver-loader
 fi
 
 exec "$@"

docker/tester/Dockerfile

@@ -7,10 +7,10 @@ LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 ENV FALCO_VERSION=
 ENV BUILD_TYPE=release
 
-RUN dnf install -y python2-pip python2 docker findutils jq unzip && dnf clean all
+RUN dnf install -y python-pip python docker findutils jq unzip && dnf clean all
 ENV PATH="/root/.local/bin/:${PATH}"
-RUN pip2 install --user avocado-framework==69.0
-RUN pip2 install --user avocado-framework-plugin-varianter-yaml-to-mux==69.0
+RUN pip install --user avocado-framework==69.0
+RUN pip install --user avocado-framework-plugin-varianter-yaml-to-mux==69.0
 
 COPY ./root /
 

docker/tester/root/usr/bin/entrypoint

@@ -47,7 +47,7 @@ case "$CMD" in
 "test")
     if [ -z "$FALCO_VERSION" ]; then
         echo "Automatically figuring out Falco version."
-        FALCO_VERSION=$("$BUILD_DIR/$BUILD_TYPE/userspace/falco/falco" --version | cut -d' ' -f3 | tr -d '\r')
+        FALCO_VERSION=$("$BUILD_DIR/$BUILD_TYPE/userspace/falco/falco" --version | head -n 1 | cut -d' ' -f3 | tr -d '\r')
         echo "Falco version: $FALCO_VERSION"
     fi
     if [ -z "$FALCO_VERSION" ]; then

docker/tester/root/usr/bin/usage

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 
-pythonversion=$(python2 -c 'import sys; version=sys.version_info[:3]; print("{0}.{1}.{2}".format(*version))')
-pipversion=$(pip2 --version | cut -d' ' -f 1,2,5,6)
+pythonversion=$(python -c 'import sys; version=sys.version_info[:3]; print("{0}.{1}.{2}".format(*version))')
+pipversion=$(pip --version | cut -d' ' -f 1,2,5,6)
 dockerversion=$(docker --version)
 avocadoversion=$(pip2 show avocado-framework | grep Version)
 avocadoversion=${avocadoversion#"Version: "}

integrations/k8s-using-daemonset/falco-event-generator-deployment.yaml

@@ -1,4 +1,4 @@
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: falco-event-generator-deployment

integrations/k8s-using-daemonset/k8s-with-rbac/falco-account.yaml

@@ -7,7 +7,7 @@ metadata:
     role: security
 ---
 kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: falco-cluster-role
   labels:
@@ -17,11 +17,14 @@ rules:
   - apiGroups: ["extensions",""]
     resources: ["nodes","namespaces","pods","replicationcontrollers","replicasets","services","daemonsets","deployments","events","configmaps"]
     verbs: ["get","list","watch"]
+  - apiGroups: ["apps"]
+    resources: ["daemonsets","deployments","replicasets","statefulsets"]
+    verbs: ["get","list","watch"]
   - nonResourceURLs: ["/healthz", "/healthz/*"]
     verbs: ["get"]
 ---
 kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: falco-cluster-role-binding
   namespace: default

integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap-slim.yaml

@@ -1,4 +1,4 @@
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   name: falco-daemonset
@@ -6,6 +6,10 @@ metadata:
     app: falco-example
     role: security
 spec:
+  selector:
+    matchLabels:
+      app: falco-example
+      role: security
   template:
     metadata:
       labels:
@@ -41,7 +45,7 @@ spec:
 #          env:
 #          - name: FALCO_BPF_PROBE
 #            value: ""
-          args: [ "/usr/bin/falco", "--cri", "/host/run/containerd/containerd.sock", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://$(KUBERNETES_SERVICE_HOST)", "-pk"]
+          args: [ "/usr/bin/falco", "--cri", "/run/containerd/containerd.sock", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://$(KUBERNETES_SERVICE_HOST)", "-pk"]
           volumeMounts:
             - mountPath: /host/var/run/docker.sock
               name: docker-socket

integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml

@@ -1,4 +1,4 @@
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   name: falco-daemonset
@@ -6,6 +6,10 @@ metadata:
     app: falco-example
     role: security
 spec:
+  selector:
+    matchLabels:
+      app: falco-example
+      role: security
   template:
     metadata:
       labels:
@@ -25,7 +29,7 @@ spec:
 #          env:
 #          - name: FALCO_BPF_PROBE
 #            value: ""
-          args: [ "/usr/bin/falco", "--cri", "/host/run/containerd/containerd.sock", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://$(KUBERNETES_SERVICE_HOST)", "-pk"]
+          args: [ "/usr/bin/falco", "--cri", "/run/containerd/containerd.sock", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://$(KUBERNETES_SERVICE_HOST)", "-pk"]
           volumeMounts:
             - mountPath: /host/var/run/docker.sock
               name: docker-socket

integrations/k8s-using-daemonset/k8s-without-rbac/falco-daemonset.yaml

@@ -1,4 +1,4 @@
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   name: falco
@@ -6,6 +6,11 @@ metadata:
     name: falco-daemonset
     app: demo
 spec:
+  selector:
+    matchLabels:
+      name: falco
+      app: demo
+      role: security
   template:
     metadata:
       labels:
@@ -18,7 +23,7 @@ spec:
           image: falcosecurity/falco:latest
           securityContext:
             privileged: true
-          args: [ "/usr/bin/falco", "--cri", "/host/run/containerd/containerd.sock", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://kubernetes.default", "-pk", "-o", "json_output=true", "-o", "program_output.enabled=true", "-o",  "program_output.program=jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/see_your_slack_team/apps_settings_for/a_webhook_url"]
+          args: [ "/usr/bin/falco", "--cri", "/run/containerd/containerd.sock", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://kubernetes.default", "-pk", "-o", "json_output=true", "-o", "program_output.enabled=true", "-o",  "program_output.program=jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/see_your_slack_team/apps_settings_for/a_webhook_url"]
           volumeMounts:
             - mountPath: /host/var/run/docker.sock
               name: docker-socket

integrations/k8s-using-deployment/falco-event-generator-deployment.yaml

@@ -1,4 +1,4 @@
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: falco-event-generator-deployment

integrations/k8s-using-deployment/k8s-with-rbac/falco-k8s-audit-account.yaml

@@ -7,7 +7,7 @@ metadata:
     role: security
 ---
 kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: falco-cluster-role
   labels:
@@ -17,11 +17,14 @@ rules:
   - apiGroups: ["extensions",""]
     resources: ["nodes","namespaces","pods","replicationcontrollers","replicasets","services","daemonsets","deployments","events","configmaps"]
     verbs: ["get","list","watch"]
+  - apiGroups: ["apps"]
+    resources: ["daemonsets","deployments","replicasets","statefulsets"]
+    verbs: ["get","list","watch"]
   - nonResourceURLs: ["/healthz", "/healthz/*"]
     verbs: ["get"]
 ---
 kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: falco-cluster-role-binding
   namespace: default

integrations/k8s-using-deployment/k8s-with-rbac/falco-k8s-audit-deployment.yaml

@@ -1,4 +1,4 @@
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: falco-k8s-audit

rules/falco_rules.yaml

@@ -1361,7 +1361,7 @@
   condition: >
     root_dir and evt.dir = < and open_write
     and not fd.name in (known_root_files)
-    and not fd.directory in (known_root_directories)
+    and not fd.directory pmatch (known_root_directories)
     and not exe_running_docker_save
     and not gugent_writing_guestagent_log
     and not dse_writing_tmp
@@ -2007,14 +2007,27 @@
   condition: >
     (fd.sockfamily = ip and (system_procs or proc.name in (shell_binaries)))
     and (inbound_outbound)
-    and not proc.name in (systemd, hostid, id)
+    and not proc.name in (known_system_procs_network_activity_binaries)
     and not login_doing_dns_lookup
+    and not user_expected_system_procs_network_activity_conditions
   output: >
     Known system binary sent/received network traffic
     (user=%user.name command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository)
   priority: NOTICE
   tags: [network, mitre_exfiltration]
 
+# This list allows easily whitelisting system proc names that are
+# expected to communicate on the network.
+- list: known_system_procs_network_activity_binaries
+  items: [systemd, hostid, id]
+
+# This macro allows specifying conditions under which a system binary
+# is allowed to communicate on the network. For instance, only specific
+# proc.cmdline values could be allowed to be more granular in what is
+# allowed.
+- macro: user_expected_system_procs_network_activity_conditions
+  condition: (never_true)
+
 # When filled in, this should look something like:
 # (proc.env contains "HTTP_PROXY=http://my.http.proxy.com ")
 # The trailing space is intentional so avoid matching on prefixes of
@@ -2480,7 +2493,7 @@
     Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
   priority:
     WARNING
-  tags: [process, mitre_defense_evation]
+  tags: [process, mitre_defense_evasion]
 
 # This rule is deprecated and will/should never be triggered. Keep it here for backport compatibility.
 # Rule Delete or rename shell history is the preferred rule to use now.
@@ -2493,7 +2506,7 @@
     Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
   priority:
     WARNING
-  tags: [process, mitre_defense_evation]
+  tags: [process, mitre_defense_evasion]
 
 - macro: consider_all_chmods
   condition: (always_true)
@@ -2647,11 +2660,15 @@
 - macro: net_miner_pool
   condition: (evt.type in (sendto, sendmsg) and evt.dir=< and (fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and ((minerpool_http) or (minerpool_https) or (minerpool_other)))
 
+- macro: trusted_images_query_miner_domain_dns
+  condition: (container.image.repository endswith "sysdig/agent" or container.image.repository endswith "falcosecurity/falco")
+  append: false
+
 # The rule is disabled by default. 
 # Note: falco will send DNS request to resolve miner pool domain which may trigger alerts in your environment.
 - rule: Detect outbound connections to common miner pool ports
   desc: Miners typically connect to miner pools on common ports.
-  condition: net_miner_pool
+  condition: net_miner_pool and not trusted_images_query_miner_domain_dns
   enabled: false
   output: Outbound connection to IP/Port flagged by cryptoioc.ch (command=%proc.cmdline port=%fd.rport ip=%fd.rip container=%container.info image=%container.image.repository)
   priority: CRITICAL
@@ -2696,6 +2713,89 @@
   priority: NOTICE
   tags: [network, mitre_discovery]
   
+# Change to (always_true) to enable rule 'Network connection outside local subnet'
+- macro: enabled_rule_network_only_subnet
+  condition: (never_true)
+
+# Images that are allowed to have outbound traffic
+- list: images_allow_network_outside_subnet
+  items: []
+
+# Namespaces where the rule is enforce
+- list: namespace_scope_network_only_subnet
+  items: [] 
+
+- macro: network_local_subnet
+  condition: >
+    fd.rnet in (rfc_1918_addresses) or
+    fd.ip = "0.0.0.0" or 
+    fd.net = "127.0.0.0/8"
+
+# # How to test:
+# # Change macro enabled_rule_network_only_subnet to condition: always_true
+# # Add 'default' to namespace_scope_network_only_subnet
+# # Run:
+# kubectl run --generator=run-pod/v1 -n default -i --tty busybox --image=busybox --rm -- wget google.com -O /var/google.html
+# # Check logs running  
+
+- rule: Network Connection outside Local Subnet
+  desc: Detect traffic to image outside local subnet.
+  condition: >
+    enabled_rule_network_only_subnet and
+    inbound_outbound and 
+    container and
+    not network_local_subnet and
+    k8s.ns.name in (namespace_scope_network_only_subnet)
+  output: >
+    Network connection outside local subnet
+    (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id 
+    image=%container.image.repository namespace=%k8s.ns.name
+    fd.rip.name=%fd.rip.name fd.lip.name=%fd.lip.name fd.cip.name=%fd.cip.name fd.sip.name=%fd.sip.name)
+  priority: WARNING
+  tags: [network]
+  
+
+
+- macro: allowed_port
+  condition: (never_true)
+
+- list: allowed_image
+  items: [] # add image to monitor, i.e.: bitnami/nginx
+
+- list: authorized_server_binaries
+  items: []  # add binary to allow, i.e.: nginx
+
+- list: authorized_server_port
+  items: [] # add port to allow, i.e.: 80
+
+# # How to test:
+# kubectl run --image=nginx nginx-app --port=80 --env="DOMAIN=cluster"
+# kubectl expose deployment nginx-app --port=80 --name=nginx-http --type=LoadBalancer
+# # On minikube:
+# minikube service nginx-http
+# # On general K8s:
+# kubectl get services
+# kubectl cluster-info
+# # Visit the Nginx service and port, should not fire.
+# # Change rule to different port, then different process name, and test again that it fires.
+
+- rule: Outbound or Inbound Traffic not to Authorized Server Process and Port
+  desc: Detect traffic that is not to authorized server process and port.
+  condition: >
+    allowed_port and
+    inbound_outbound and
+    container and
+    container.image.repository in (allowed_image) and
+    not proc.name in (authorized_server_binary) and
+    not fd.sport in (authorized_server_port)
+  output: >
+    Network connection outside authorized port and binary
+    (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id 
+    image=%container.image.repository)
+  priority: WARNING
+  tags: [network]
+
+
 
 # Application rules have moved to application_rules.yaml. Please look
 # there if you want to enable them by adding to

rules/k8s_audit_rules.yaml

@@ -225,7 +225,7 @@
 # Detect creating a service account in the kube-system/kube-public namespace
 - rule: Service Account Created in Kube Namespace
   desc: Detect any attempt to create a serviceaccount in the kube-system or kube-public namespaces
-  condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public)
+  condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public) and response_successful
   output: Service account created in kube namespace (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace)
   priority: WARNING
   source: k8s_audit
@@ -418,3 +418,118 @@
   priority: DEBUG
   source: k8s_audit
   tags: [k8s]
+
+
+# This macro disables following rule, change to k8s_audit_never_true to enable it
+- macro: allowed_full_admin_users
+  condition: (k8s_audit_always_true)
+
+# This list includes some of the default user names for an administrator in several K8s installations
+- list: full_admin_k8s_users
+  items: ["admin", "kubernetes-admin",  "kubernetes-admin@kubernetes", "kubernetes-admin@cluster.local", "minikube-user"]
+
+# This rules detect an operation triggered by an user name that is 
+# included in the list of those that are default administrators upon 
+# cluster creation. This may signify a permission setting too broader. 
+# As we can't check for role of the user on a general ka.* event, this 
+# may or may not be an administrator. Customize the full_admin_k8s_users 
+# list to your needs, and activate at your discrection.
+
+# # How to test:
+# # Execute any kubectl command connected using default cluster user, as:
+# kubectl create namespace rule-test
+
+- rule: Full K8s Administrative Access
+  desc: Detect any k8s operation by a user name that may be an administrator with full access.
+  condition: >
+    kevt 
+    and non_system_user 
+    and ka.user.name in (admin_k8s_users) 
+    and not allowed_full_admin_users
+  output: K8s Operation performed by full admin user (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
+  priority: WARNING
+  source: k8s_audit
+  tags: [k8s]
+
+
+
+- macro: ingress
+  condition: ka.target.resource=ingresses
+
+- macro: ingress_tls
+  condition: (jevt.value[/requestObject/spec/tls] exists)
+
+# # How to test:
+# # Create an ingress.yaml file with content:
+# apiVersion: networking.k8s.io/v1beta1
+# kind: Ingress
+# metadata:
+#   name: test-ingress
+#   annotations:
+#     nginx.ingress.kubernetes.io/rewrite-target: /
+# spec:
+#   rules:
+#   - http:
+#       paths:
+#       - path: /testpath
+#         backend:
+#           serviceName: test
+#           servicePort: 80
+# # Execute: kubectl apply -f ingress.yaml
+
+- rule: Ingress Object without TLS Certificate Created
+  desc: Detect any attempt to create an ingress without TLS certification.
+  condition: >
+    (kactivity and kcreate and ingress and response_successful and not ingress_tls)
+  output: >
+    K8s Ingress Without TLS Cert Created (user=%ka.user.name ingress=%ka.target.name
+    namespace=%ka.target.namespace)
+  source: k8s_audit    
+  priority: WARNING
+  tags: [k8s, network]
+
+
+
+- macro: node
+  condition: ka.target.resource=nodes
+
+- macro: allow_all_k8s_nodes
+  condition: (k8s_audit_always_true)
+
+- list: allowed_k8s_nodes
+  items: []
+
+# # How to test:
+# # Create a Falco monitored cluster with Kops
+# # Increase the number of minimum nodes with:
+# kops edit ig nodes
+# kops apply --yes
+
+- rule: Untrusted Node Successfully Joined the Cluster
+  desc: >
+    Detect a node successfully joined the cluster outside of the list of allowed nodes.
+  condition: >
+    kevt and node 
+    and kcreate 
+    and response_successful 
+    and not allow_all_k8s_nodes 
+    and not ka.target.name in (allowed_k8s_nodes)
+  output: Node not in allowed list successfully joined the cluster (user=%ka.user.name node=%ka.target.name)
+  priority: ERROR
+  source: k8s_audit
+  tags: [k8s]
+
+- rule: Untrusted Node Unsuccessfully Tried to Join the Cluster
+  desc: >
+    Detect an unsuccessful attempt to join the cluster for a node not in the list of allowed nodes.
+  condition: >
+    kevt and node 
+    and kcreate 
+    and not response_successful 
+    and not allow_all_k8s_nodes 
+    and not ka.target.name in (allowed_k8s_nodes)
+  output: Node not in allowed list tried unsuccessfully to join the cluster  (user=%ka.user.name node=%ka.target.name reason=%ka.response.reason)
+  priority: WARNING
+  source: k8s_audit
+  tags: [k8s]
+

scripts/CMakeLists.txt

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -14,16 +14,24 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+
 configure_file(debian/postinst.in debian/postinst)
+configure_file(debian/postrm.in debian/postrm)
 configure_file(debian/prerm.in debian/prerm)
 
 file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco"
 	DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
 
+configure_file(rpm/postinstall.in rpm/postinstall)
+configure_file(rpm/postuninstall.in rpm/postuninstall)
+configure_file(rpm/preuninstall.in rpm/preuninstall)
+
 file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco"
 	DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
 
+configure_file(falco-driver-loader falco-driver-loader @ONLY)
+
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
-	install(PROGRAMS ${PROJECT_SOURCE_DIR}/scripts/falco-probe-loader
+	install(PROGRAMS ${PROJECT_BINARY_DIR}/scripts/falco-driver-loader
 		DESTINATION ${FALCO_BIN_DIR})
 endif()

scripts/debian/falco

@@ -1,6 +1,6 @@
 #! /bin/sh
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

scripts/debian/postinst.in

@@ -43,6 +43,6 @@ case "$1" in
 esac
 
 if [ -x "/etc/init.d/$NAME" ]; then
-        update-rc.d $NAME defaults >/dev/null
+		update-rc.d $NAME defaults >/dev/null
 fi
 

scripts/falco-driver-loader

@@ -25,20 +25,20 @@
 #
 cos_version_greater()
 {
-	if [[ $cos_ver == $base_ver ]]; then
+	if [[ $cos_ver == "${base_ver}" ]]; then
 		return 0
 	fi
 
 	#
 	# COS build numbers are in the format x.y.z
 	#
-	a=`echo $cos_ver | cut -d. -f1`
-	b=`echo $cos_ver | cut -d. -f2`
-	c=`echo $cos_ver | cut -d. -f3`
+	a=$(echo "${cos_ver}" | cut -d. -f1)
+	b=$(echo "${cos_ver}" | cut -d. -f2)
+	c=$(echo "${cos_ver}" | cut -d. -f3)
 
-	d=`echo $base_ver | cut -d. -f1`
-	e=`echo $base_ver | cut -d. -f2`
-	f=`echo $base_ver | cut -d. -f3`
+	d=$(echo "${base_ver}" | cut -d. -f1)
+	e=$(echo "${base_ver}" | cut -d. -f2)
+	f=$(echo "${base_ver}" | cut -d. -f3)
 
 	# Test the first component
 	if [[ $a -gt $d ]]; then
@@ -74,16 +74,16 @@ get_kernel_config() {
 	elif [ -f "/boot/config-${KERNEL_RELEASE}" ]; then
 		echo "Found kernel config at /boot/config-${KERNEL_RELEASE}"
 		KERNEL_CONFIG_PATH=/boot/config-${KERNEL_RELEASE}
-	elif [ ! -z "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/boot/config-${KERNEL_RELEASE}" ]; then
+	elif [ -n "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/boot/config-${KERNEL_RELEASE}" ]; then
 		echo "Found kernel config at ${HOST_ROOT}/boot/config-${KERNEL_RELEASE}"
 		KERNEL_CONFIG_PATH="${HOST_ROOT}/boot/config-${KERNEL_RELEASE}"
 	elif [ -f "/usr/lib/ostree-boot/config-${KERNEL_RELEASE}" ]; then
 		echo "Found kernel config at /usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
 		KERNEL_CONFIG_PATH="/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
-	elif [ ! -z "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}" ]; then
+	elif [ -n "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}" ]; then
 		echo "Found kernel config at ${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
 		KERNEL_CONFIG_PATH="${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
-	elif [ -f /lib/modules/${KERNEL_RELEASE}/config ]; then
+	elif [ -f "/lib/modules/${KERNEL_RELEASE}/config" ]; then
 		# this code works both for native host and agent container assuming that
 		# Dockerfile sets up the desired symlink /lib/modules -> $HOST_ROOT/lib/modules
 		echo "Found kernel config at /lib/modules/${KERNEL_RELEASE}/config"
@@ -96,13 +96,13 @@ get_kernel_config() {
 	fi
 
 	if [[ "${KERNEL_CONFIG_PATH}" == *.gz ]]; then
-	    HASH=$(zcat "${KERNEL_CONFIG_PATH}" | md5sum - | cut -d' ' -f1)
+		HASH=$(zcat "${KERNEL_CONFIG_PATH}" | md5sum - | cut -d' ' -f1)
 	else
-	    HASH=$(md5sum "${KERNEL_CONFIG_PATH}" | cut -d' ' -f1)
+		HASH=$(md5sum "${KERNEL_CONFIG_PATH}" | cut -d' ' -f1)
 	fi
 }
 
-load_kernel_probe() {
+load_kernel_module() {
 	if ! hash lsmod > /dev/null 2>&1; then
 		echo "This program requires lsmod"
 		exit 1
@@ -122,13 +122,13 @@ load_kernel_probe() {
 	rmmod "${PROBE_NAME}" 2>/dev/null
 	WAIT_TIME=0
 	KMOD_NAME=$(echo "${PROBE_NAME}" | tr "-" "_")
-	while lsmod | grep "${KMOD_NAME}" > /dev/null 2>&1 && [ $WAIT_TIME -lt $MAX_RMMOD_WAIT ]; do
+	while lsmod | grep "${KMOD_NAME}" > /dev/null 2>&1 && [ $WAIT_TIME -lt "${MAX_RMMOD_WAIT}" ]; do
 		if rmmod "${PROBE_NAME}" 2>/dev/null; then
 			echo "* Unloading ${PROBE_NAME} succeeded after ${WAIT_TIME}s"
 			break
 		fi
 		((++WAIT_TIME))
-		if (( $WAIT_TIME % 5 == 0 )); then
+		if (( WAIT_TIME % 5 == 0 )); then
 			echo "* ${PROBE_NAME} still loaded, waited ${WAIT_TIME}s (max wait ${MAX_RMMOD_WAIT}s)"
 		fi
 		sleep 1
@@ -144,20 +144,20 @@ load_kernel_probe() {
 		echo "* Skipping dkms install for UEK host"
 	else
 		echo "* Running dkms install for ${PACKAGE_NAME}"
-		if dkms install -m "${PACKAGE_NAME}" -v "${FALCO_VERSION}" -k "${KERNEL_RELEASE}"; then
+		if dkms install -m "${PACKAGE_NAME}" -v "${DRIVER_VERSION}" -k "${KERNEL_RELEASE}"; then
 			echo "* Trying to load a dkms ${PROBE_NAME}, if present"
 
-			if insmod "/var/lib/dkms/${PACKAGE_NAME}/${FALCO_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${PROBE_NAME}.ko" > /dev/null 2>&1; then
+			if insmod "/var/lib/dkms/${PACKAGE_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${PROBE_NAME}.ko" > /dev/null 2>&1; then
 				echo "${PROBE_NAME} found and loaded in dkms"
 				exit 0
-			elif insmod "/var/lib/dkms/${PACKAGE_NAME}/${FALCO_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${PROBE_NAME}.ko.xz" > /dev/null 2>&1; then
+			elif insmod "/var/lib/dkms/${PACKAGE_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${PROBE_NAME}.ko.xz" > /dev/null 2>&1; then
 				echo "${PROBE_NAME} found and loaded in dkms (xz)"
 				exit 0
 			else
 				echo "* Unable to insmod"
 			fi
 		else
-			DKMS_LOG="/var/lib/dkms/${PACKAGE_NAME}/${FALCO_VERSION}/build/make.log"
+			DKMS_LOG="/var/lib/dkms/${PACKAGE_NAME}/${DRIVER_VERSION}/build/make.log"
 			if [ -f "${DKMS_LOG}" ]; then
 				echo "* Running dkms build failed, dumping ${DKMS_LOG}"
 				cat "${DKMS_LOG}"
@@ -178,7 +178,7 @@ load_kernel_probe() {
 
 	get_kernel_config
 
-	local FALCO_PROBE_FILENAME="${PROBE_NAME}-${FALCO_VERSION}-${ARCH}-${KERNEL_RELEASE}-${HASH}.ko"
+	local FALCO_PROBE_FILENAME="${PROBE_NAME}-${DRIVER_VERSION}-${ARCH}-${KERNEL_RELEASE}-${HASH}.ko"
 
 	if [ -f "${HOME}/.falco/${FALCO_PROBE_FILENAME}" ]; then
 		echo "Found precompiled module at ~/.falco/${FALCO_PROBE_FILENAME}, loading module"
@@ -209,7 +209,8 @@ load_bpf_probe() {
 
 	get_kernel_config
 
-	if [ ! -z "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/etc/os-release" ]; then
+	if [ -n "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/etc/os-release" ]; then
+		# shellcheck source=/dev/null
 		. "${HOST_ROOT}/etc/os-release"
 
 		if [ "${ID}" == "cos" ]; then
@@ -217,24 +218,24 @@ load_bpf_probe() {
 		fi
 	fi
 
-	if [ ! -z "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/etc/VERSION" ]; then
+	if [ -n "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/etc/VERSION" ]; then
 		MINIKUBE=1
-		MINIKUBE_VERSION="$(cat ${HOST_ROOT}/etc/VERSION)"
+		MINIKUBE_VERSION="$(cat "${HOST_ROOT}/etc/VERSION")"
 	fi
 
-	local BPF_PROBE_FILENAME="${BPF_PROBE_NAME}-${FALCO_VERSION}-${ARCH}-${KERNEL_RELEASE}-${HASH}.o"
+	local BPF_PROBE_FILENAME="${BPF_PROBE_NAME}-${DRIVER_VERSION}-${ARCH}-${KERNEL_RELEASE}-${HASH}.o"
 
 	if [ ! -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
 
-	        local BPF_KERNEL_SOURCES_URL=""
+		local BPF_KERNEL_SOURCES_URL=""
 		local STRIP_COMPONENTS=1
 
-	        customize_kernel_build() {
-		    if [ -n "${KERNEL_EXTRA_VERSION}" ]; then
+		customize_kernel_build() {
+			if [ -n "${KERNEL_EXTRA_VERSION}" ]; then
 			sed -i "s/LOCALVERSION=\"\"/LOCALVERSION=\"${KERNEL_EXTRA_VERSION}\"/" .config
-		    fi
-		    make olddefconfig > /dev/null
-		    make modules_prepare > /dev/null
+			fi
+			make olddefconfig > /dev/null
+			make modules_prepare > /dev/null
 		}
 
 		if [ -n "${COS}" ]; then
@@ -245,35 +246,37 @@ load_bpf_probe() {
 			STRIP_COMPONENTS=0
 
 			customize_kernel_build() {
-			    pushd usr/src/* > /dev/null
+				pushd usr/src/* > /dev/null || exit
 
-			    # Note: this overrides the KERNELDIR set while untarring the tarball
-			    export KERNELDIR=`pwd`
+				# Note: this overrides the KERNELDIR set while untarring the tarball
+				KERNELDIR=$(pwd)
+				export KERNELDIR
 
-			    sed -i '/^#define randomized_struct_fields_start	struct {$/d' include/linux/compiler-clang.h
-			    sed -i '/^#define randomized_struct_fields_end	};$/d' include/linux/compiler-clang.h
+				sed -i '/^#define randomized_struct_fields_start	struct {$/d' include/linux/compiler-clang.h
+				sed -i '/^#define randomized_struct_fields_end	};$/d' include/linux/compiler-clang.h
 
-			    popd > /dev/null
+				popd > /dev/null || exit
 
-			    # Might need to configure our own sources depending on COS version
-			    cos_ver=${BUILD_ID}
-			    base_ver=11553.0.0
+				# Might need to configure our own sources depending on COS version
+				cos_ver=${BUILD_ID}
+				base_ver=11553.0.0
 
-			    cos_version_greater
-			    greater_ret=$?
+				cos_version_greater
+				greater_ret=$?
 
-			    if [[ greater_ret -eq 1 ]]; then
+				if [[ greater_ret -eq 1 ]]; then
 				export KBUILD_EXTRA_CPPFLAGS=-DCOS_73_WORKAROUND
-			    fi
-                        }
+				fi
+						}
 		fi
 
 		if [ -n "${MINIKUBE}" ]; then
 			echo "* Minikube detected (${MINIKUBE_VERSION}), using linux kernel sources for minikube kernel"
-			local kernel_version=$(uname -r)
-			local -r kernel_version_major=$(echo ${kernel_version} | cut -d. -f1)
-			local -r kernel_version_minor=$(echo ${kernel_version} | cut -d. -f2)
-			local -r kernel_version_patch=$(echo ${kernel_version} | cut -d. -f3)
+			local kernel_version
+			kernel_version=$(uname -r)
+			local -r kernel_version_major=$(echo "${kernel_version}" | cut -d. -f1)
+			local -r kernel_version_minor=$(echo "${kernel_version}" | cut -d. -f2)
+			local -r kernel_version_patch=$(echo "${kernel_version}" | cut -d. -f3)
 
 			if [ "${kernel_version_patch}" == "0" ]; then
 				kernel_version="${kernel_version_major}.${kernel_version_minor}"
@@ -283,7 +286,7 @@ load_bpf_probe() {
 		fi
 
 		if [ -n "${BPF_USE_LOCAL_KERNEL_SOURCES}" ]; then
-		        local -r kernel_version_major=$(uname -r | cut -d. -f1)
+			local -r kernel_version_major=$(uname -r | cut -d. -f1)
 			local -r kernel_version=$(uname -r | cut -d- -f1)
 			KERNEL_EXTRA_VERSION="-$(uname -r | cut -d- -f2)"
 
@@ -296,8 +299,8 @@ load_bpf_probe() {
 			echo "* Downloading ${BPF_KERNEL_SOURCES_URL}"
 
 			mkdir -p /tmp/kernel
-			cd /tmp/kernel
-			cd `mktemp -d -p /tmp/kernel`
+			cd /tmp/kernel || exit
+			cd "$(mktemp -d -p /tmp/kernel)" || exit
 			if ! curl -o kernel-sources.tgz --create-dirs "${FALCO_PROBE_CURL_OPTIONS}" "${BPF_KERNEL_SOURCES_URL}"; then
 				exit 1;
 			fi
@@ -306,13 +309,14 @@ load_bpf_probe() {
 
 			mkdir kernel-sources && tar xf kernel-sources.tgz -C kernel-sources --strip-components "${STRIP_COMPONENTS}"
 
-			cd kernel-sources
-			export KERNELDIR=`pwd`
+			cd kernel-sources || exit
+			KERNELDIR=$(pwd)
+			export KERNELDIR
 
 			if [[ "${KERNEL_CONFIG_PATH}" == *.gz ]]; then
-			    zcat "${KERNEL_CONFIG_PATH}" > .config
+				zcat "${KERNEL_CONFIG_PATH}" > .config
 			else
-			    cat "${KERNEL_CONFIG_PATH}" > .config
+				cat "${KERNEL_CONFIG_PATH}" > .config
 			fi
 
 			echo "* Configuring kernel"
@@ -321,10 +325,10 @@ load_bpf_probe() {
 
 		echo "* Trying to compile BPF probe ${BPF_PROBE_NAME} (${BPF_PROBE_FILENAME})"
 
-		make -C "/usr/src/${PACKAGE_NAME}-${FALCO_VERSION}/bpf" > /dev/null
+		make -C "/usr/src/${PACKAGE_NAME}-${DRIVER_VERSION}/bpf" > /dev/null
 
 		mkdir -p ~/.falco
-		mv "/usr/src/${PACKAGE_NAME}-${FALCO_VERSION}/bpf/probe.o" "${HOME}/.falco/${BPF_PROBE_FILENAME}"
+		mv "/usr/src/${PACKAGE_NAME}-${DRIVER_VERSION}/bpf/probe.o" "${HOME}/.falco/${BPF_PROBE_FILENAME}"
 
 		if [ -n "${BPF_KERNEL_SOURCES_URL}" ]; then
 			rm -r /tmp/kernel
@@ -363,7 +367,7 @@ load_bpf_probe() {
 ARCH=$(uname -m)
 KERNEL_RELEASE=$(uname -r)
 SCRIPT_NAME=$(basename "${0}")
-PROBE_URL=${PROBE_URL:-https://s3.amazonaws.com/download.draios.com}
+PROBE_URL=${PROBE_URL:-"@DRIVER_LOOKUP_URL@"}
 if [ -n "$PROBE_INSECURE_DOWNLOAD" ]
 then
 	FALCO_PROBE_CURL_OPTIONS=-fsSk
@@ -380,15 +384,13 @@ if [ -z "${PACKAGES_REPOSITORY}" ]; then
 	PACKAGES_REPOSITORY="stable"
 fi
 
-if [ "${SCRIPT_NAME}" = "falco-probe-loader" ]; then
-        if [ -z "$FALCO_VERSION" ]; then
-	    FALCO_VERSION=$(falco --version | cut -d' ' -f3)
-	fi
-	PROBE_NAME="falco-probe"
-	BPF_PROBE_NAME="falco-probe-bpf"
-	PACKAGE_NAME="falco"
+if [ "${SCRIPT_NAME}" = "falco-driver-loader" ]; then
+	DRIVER_VERSION="@PROBE_VERSION@"
+	PROBE_NAME="@PROBE_NAME@"
+	BPF_PROBE_NAME="@PROBE_NAME@-bpf"
+	PACKAGE_NAME="@PACKAGE_NAME@"
 else
-	echo "This script must be called as falco-probe-loader"
+	echo "This script must be called as falco-driver-loader"
 	exit 1
 fi
 
@@ -405,5 +407,5 @@ fi
 if [ -v FALCO_BPF_PROBE ] || [ "${1}" = "bpf" ]; then
 	load_bpf_probe
 else
-	load_kernel_probe
+	load_kernel_module
 fi

scripts/rpm/postinstall.in

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -14,8 +14,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-rpm_v=%{version}
-mod_version=${rpm_v//_/-}
+
+mod_version="@PROBE_VERSION@"
 dkms add -m falco -v $mod_version --rpm_safe_upgrade
 if [ `uname -r | grep -c "BOOT"` -eq 0 ] && [ -e /lib/modules/`uname -r`/build/include ]; then
 	dkms build -m falco -v $mod_version

scripts/rpm/preuninstall.in

@@ -19,6 +19,6 @@ if [ $1 = 0 ]; then
 	/sbin/service falco stop > /dev/null 2>&1
 	/sbin/chkconfig --del falco
 fi
-rpm_v=%{version}
-mod_version=${rpm_v//_/-}
+
+mod_version="@PROBE_VERSION@"
 dkms remove -m falco -v $mod_version --all --rpm_safe_upgrade

test/README.md

@@ -0,0 +1,6 @@
+# Falco Regression tests
+
+This folder contains the Regression tests suite for Falco.
+
+You can find instructions on how to run this test suite on the Falco website [here](https://falco.org/docs/source/#run-regression-tests).
+

test/falco_test.py

@@ -18,17 +18,16 @@
 import os
 import re
 import json
-import sets
 import glob
 import shutil
 import stat
 import subprocess
 import sys
-import urllib
+import urllib.request
 
 from avocado import Test
+from avocado import main
 from avocado.utils import process
-from avocado.utils import linux_modules
 
 class FalcoTest(Test):
 
@@ -142,15 +141,15 @@ class FalcoTest(Test):
         else:
             detect_counts = {}
             for item in self.detect_counts:
-                for key, value in item.items():
+                for key, value in list(item.items()):
                     detect_counts[key] = value
             self.detect_counts = detect_counts
 
         self.rules_warning = self.params.get('rules_warning', '*', default=False)
         if self.rules_warning == False:
-            self.rules_warning = sets.Set()
+            self.rules_warning = set()
         else:
-            self.rules_warning = sets.Set(self.rules_warning)
+            self.rules_warning = set(self.rules_warning)
 
         # Maps from rule name to set of evttypes
         self.rules_events = self.params.get('rules_events', '*', default=False)
@@ -160,7 +159,7 @@ class FalcoTest(Test):
             events = {}
             for item in self.rules_events:
                 for item2 in item:
-                    events[item2[0]] = sets.Set(item2[1])
+                    events[item2[0]] = set(item2[1])
             self.rules_events = events
 
         if self.should_detect:
@@ -176,7 +175,7 @@ class FalcoTest(Test):
         self.copy_local_driver = self.params.get('copy_local_driver', '*', default=False)
 
         # Used by possibly_copy_local_driver as well as docker run
-        self.module_dir = os.path.expanduser("~/.sysdig")
+        self.module_dir = os.path.expanduser("~/.falco")
 
         self.outputs = self.params.get('outputs', '*', default='')
 
@@ -185,7 +184,7 @@ class FalcoTest(Test):
         else:
             outputs = []
             for item in self.outputs:
-                for key, value in item.items():
+                for key, value in list(item.items()):
                     output = {}
                     output['file'] = key
                     output['line'] = value
@@ -214,9 +213,9 @@ class FalcoTest(Test):
 
     def check_rules_warnings(self, res):
 
-        found_warning = sets.Set()
+        found_warning = set()
 
-        for match in re.finditer('Rule ([^:]+): warning \(([^)]+)\):', res.stderr):
+        for match in re.finditer('Rule ([^:]+): warning \(([^)]+)\):', res.stderr.decode("utf-8")):
             rule = match.group(1)
             warning = match.group(2)
             found_warning.add(rule)
@@ -231,21 +230,21 @@ class FalcoTest(Test):
 
         found_events = {}
 
-        for match in re.finditer('Event types for rule ([^:]+): (\S+)', res.stderr):
+        for match in re.finditer('Event types for rule ([^:]+): (\S+)', res.stderr.decode("utf-8")):
             rule = match.group(1)
-            events = sets.Set(match.group(2).split(","))
+            events = set(match.group(2).split(","))
             found_events[rule] = events
 
         self.log.debug("Expected events for rules: {}".format(self.rules_events))
         self.log.debug("Actual events for rules: {}".format(found_events))
 
-        for rule in found_events.keys():
+        for rule in list(found_events.keys()):
             if found_events.get(rule) != self.rules_events.get(rule):
                 self.fail("rule {}: expected events {} differs from actual events {}".format(rule, self.rules_events.get(rule), found_events.get(rule)))
 
     def check_detections(self, res):
         # Get the number of events detected.
-        match = re.search('Events detected: (\d+)', res.stdout)
+        match = re.search('Events detected: (\d+)', res.stdout.decode("utf-8"))
         if match is None:
             self.fail("Could not find a line 'Events detected: <count>' in falco output")
 
@@ -260,7 +259,7 @@ class FalcoTest(Test):
 
             for level in self.detect_level:
                 level_line = '(?i){}: (\d+)'.format(level)
-                match = re.search(level_line, res.stdout)
+                match = re.search(level_line, res.stdout.decode("utf-8"))
 
                 if match is None:
                     self.fail("Could not find a line '{}: <count>' in falco output".format(level))
@@ -272,13 +271,13 @@ class FalcoTest(Test):
 
     def check_detections_by_rule(self, res):
         # Get the number of events detected for each rule. Must match the expected counts.
-        match = re.search('Triggered rules by rule name:(.*)', res.stdout, re.DOTALL)
+        match = re.search('Triggered rules by rule name:(.*)', res.stdout.decode("utf-8"), re.DOTALL)
         if match is None:
             self.fail("Could not find a block 'Triggered rules by rule name: ...' in falco output")
 
         triggered_rules = match.group(1)
 
-        for rule, count in self.detect_counts.iteritems():
+        for rule, count in list(self.detect_counts.items()):
             expected = '\s{}: (\d+)'.format(re.sub(r'([$\.*+?()[\]{}|^])', r'\\\1', rule))
             match = re.search(expected, triggered_rules)
 
@@ -313,7 +312,7 @@ class FalcoTest(Test):
         if self.json_output:
             # Just verify that any lines starting with '{' are valid json objects.
             # Doesn't do any deep inspection of the contents.
-            for line in res.stdout.splitlines():
+            for line in res.stdout.decode("utf-8").splitlines():
                 if line.startswith('{'):
                     obj = json.loads(line)
                     if self.json_include_output_property:
@@ -336,7 +335,7 @@ class FalcoTest(Test):
             self.falco_binary_path = "docker run --rm --name falco-test --privileged " \
                                      "-v /var/run/docker.sock:/host/var/run/docker.sock " \
                                      "-v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro " \
-                                     "-v /lib/modules:/host/lib/modules:ro -v {}:/root/.sysdig:ro " \
+                                     "-v /lib/modules:/host/lib/modules:ro -v {}:/root/.falco:ro " \
                                      "-v /usr:/host/usr:ro {} {} falco".format(
                                          self.module_dir, self.addl_docker_run_args, image)
 
@@ -388,8 +387,7 @@ class FalcoTest(Test):
             res = process.run(cmdline, timeout=120, sudo=True)
 
     def possibly_copy_driver(self):
-        # Remove the contents of ~/.sysdig regardless of
-        # copy_local_driver.
+        # Remove the contents of ~/.falco regardless of copy_local_driver.
         self.log.debug("Checking for module dir {}".format(self.module_dir))
         if os.path.isdir(self.module_dir):
             self.log.info("Removing files below directory {}".format(self.module_dir))
@@ -398,7 +396,8 @@ class FalcoTest(Test):
                 os.remove(rmfile)
 
         if self.copy_local_driver:
-            verstr = subprocess.check_output([self.falco_binary_path, "--version"]).rstrip()
+            verlines = [str.strip() for str in subprocess.check_output([self.falco_binary_path, "--version"]).splitlines()]
+            verstr = verlines[0].decode("utf-8")
             self.log.info("verstr {}".format(verstr))
             falco_version = verstr.split(" ")[2]
             self.log.info("falco_version {}".format(falco_version))
@@ -407,7 +406,7 @@ class FalcoTest(Test):
             kernel_release = subprocess.check_output(["uname", "-r"]).rstrip()
             self.log.info("kernel release {}".format(kernel_release))
 
-            # falco-probe-loader has a more comprehensive set of ways to
+            # falco-driver-loader has a more comprehensive set of ways to
             # find the config hash. We only look at /boot/config-<kernel release>
             md5_output = subprocess.check_output(["md5sum", "/boot/config-{}".format(kernel_release)]).rstrip()
             config_hash = md5_output.split(" ")[0]
@@ -440,7 +439,7 @@ class FalcoTest(Test):
             if not os.path.isfile(self.psp_conv_path):
                 self.log.info("Downloading {} to {}".format(self.psp_conv_url, self.psp_conv_path))
 
-                urllib.urlretrieve(self.psp_conv_url, self.psp_conv_path)
+                urllib.request.urlretrieve(self.psp_conv_url, self.psp_conv_path)
                 os.chmod(self.psp_conv_path, stat.S_IEXEC)
 
             conv_cmd = '{} convert psp --psp-path {} --rules-path {}'.format(
@@ -484,32 +483,32 @@ class FalcoTest(Test):
 
         if self.stdout_is != '':
             print(self.stdout_is)
-            if self.stdout_is != res.stdout:
+            if self.stdout_is != res.stdout.decode("utf-8"):
                 self.fail("Stdout was not exactly {}".format(self.stdout_is))
 
         if self.stderr_is != '':
-            if self.stderr_is != res.stdout:
+            if self.stderr_is != res.stdout.decode("utf-8"):
                 self.fail("Stdout was not exactly {}".format(self.stderr_is))
 
         for pattern in self.stderr_contains:
-            match = re.search(pattern, res.stderr)
+            match = re.search(pattern, res.stderr.decode("utf-8"))
             if match is None:
                 self.fail("Stderr of falco process did not contain content matching {}".format(pattern))
 
         for pattern in self.stdout_contains:
-            match = re.search(pattern, res.stdout)
+            match = re.search(pattern, res.stdout.decode("utf-8"))
             if match is None:
-                self.fail("Stdout of falco process '{}' did not contain content matching {}".format(res.stdout, pattern))
+                self.fail("Stdout of falco process '{}' did not contain content matching {}".format(res.stdout.decode("utf-8"), pattern))
 
         for pattern in self.stderr_not_contains:
-            match = re.search(pattern, res.stderr)
+            match = re.search(pattern, res.stderr.decode("utf-8"))
             if match is not None:
                 self.fail("Stderr of falco process contained content matching {} when it should have not".format(pattern))
 
         for pattern in self.stdout_not_contains:
-            match = re.search(pattern, res.stdout)
+            match = re.search(pattern, res.stdout.decode("utf-8"))
             if match is not None:
-                self.fail("Stdout of falco process '{}' did contain content matching {} when it should have not".format(res.stdout, pattern))
+                self.fail("Stdout of falco process '{}' did contain content matching {} when it should have not".format(res.stdout.decode("utf-8"), pattern))
 
         if res.exit_status != self.exit_status:
             self.error("Falco command \"{}\" exited with unexpected return value {} (!= {})".format(

userspace/falco/config_falco.h.in

@@ -31,4 +31,5 @@ limitations under the License.
 #define FALCO_INSTALL_CONF_FILE "/etc/falco/falco.yaml"
 #define FALCO_SOURCE_LUA_DIR "${PROJECT_SOURCE_DIR}/userspace/falco/lua/"
 
-#define PROBE_NAME "${PROBE_NAME}"
+#define PROBE_NAME "@PROBE_NAME@"
+#define DRIVER_VERSION "@PROBE_VERSION@"

userspace/falco/falco.cpp

@@ -89,6 +89,12 @@ static void usage()
 	   " --cri <path>                  Path to CRI socket for container metadata.\n"
 	   "                               Use the specified socket to fetch data from a CRI-compatible runtime.\n"
 	   " -d, --daemon                  Run as a daemon.\n"
+	   " --disable-cri-async           Disable asynchronous CRI metadata fetching.\n"
+	   "                               This is useful to let the input event wait for the container metadata fetch\n"
+	   "                               to finish before moving forward. Async fetching, in some environments leads\n"
+	   "                               to empty fields for container metadata when the fetch is not fast enough to be\n"
+	   "                               completed asynchronously. This can have a performance penalty on your environment\n"
+	   "                               depending on the number of containers and the frequency at which they are created/started/stopped\n"
 	   " --disable-source <event_source>\n"
 	   "                               Disable a specific event source.\n"
 	   "                               Available event sources are: syscall, k8s_audit.\n"
@@ -433,6 +439,7 @@ int falco_init(int argc, char **argv)
 	string list_flds_source = "";
 	bool print_support = false;
 	string cri_socket_path;
+	bool cri_async = true;
 	set<string> disable_sources;
 	bool disable_syscall = false;
 	bool disable_k8s_audit = false;
@@ -459,6 +466,7 @@ int falco_init(int argc, char **argv)
 	{
 		{"cri", required_argument, 0},
         {"daemon", no_argument, 0, 'd'},
+        {"disable-cri-async", no_argument, 0, 0},
         {"disable-source", required_argument, 0},
         {"help", no_argument, 0, 'h'},
         {"ignored-events", no_argument, 0, 'i'},
@@ -616,6 +624,7 @@ int falco_init(int argc, char **argv)
 				if(string(long_options[long_index].name) == "version")
 				{
 					printf("Falco version: %s\n", FALCO_VERSION);
+					printf("Driver version: %s\n", DRIVER_VERSION);
 					return EXIT_SUCCESS;
 				}
 				else if (string(long_options[long_index].name) == "cri")
@@ -625,6 +634,10 @@ int falco_init(int argc, char **argv)
 						cri_socket_path = optarg;
 					}
 				}
+				else if (string(long_options[long_index].name) == "disable-cri-async")
+				{
+				  cri_async = false;
+				}
 				else if (string(long_options[long_index].name) == "list")
 				{
 					list_flds = true;
@@ -665,6 +678,9 @@ int falco_init(int argc, char **argv)
 			inspector->set_cri_socket_path(cri_socket_path);
 		}
 
+		// Decide wether to do sync or async for CRI metadata fetch
+		inspector->set_cri_async(cri_async);
+
 		//
 		// If required, set the snaplen
 		//