Adding falco script from install docs

Signed-off-by: Kris Nova <kris@nivenly.com>
2026-03-31 09:02:43 +00:00 · 2020-02-20 07:43:47 -08:00
53 changed files with 626 additions and 684 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -32,38 +32,6 @@ jobs:
            pushd build
            make tests
            popd
  # Debug build using ubuntu LTS
  # This build is dynamic, most dependencies are taken from the OS
  "build/ubuntu-bionic-debug":
    docker:
      - image: ubuntu:bionic
    steps:
      - checkout
      - run:
          name: Update base image
          command: apt update -y
      - run:
          name: Install dependencies
          command: apt install libssl-dev libyaml-dev libncurses-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm linux-headers-$(uname -r) libelf-dev cmake build-essential libcurl4-openssl-dev -y
      - run:
          name: Prepare project
          command: |
            mkdir build
            pushd build
            cmake -DCMAKE_BUILD_TYPE=debug ..
            popd
      - run:
          name: Build
          command: |
            pushd build
            make -j4 all
            popd
      - run:
          name: Run unit tests
          command: |
            pushd build
            make tests
            popd
  # Build using our own builder base image using centos 7
  # This build is static, dependencies are bundled in the falco binary
  "build/centos7":
@@ -101,28 +69,6 @@ jobs:
      - store_artifacts:
          path: /tmp/packages
          destination: /packages
  # Debug build using our own builder base image using centos 7
  # This build is static, dependencies are bundled in the falco binary
  "build/centos7-debug":
    docker:
      - image: falcosecurity/falco-builder:latest
        environment:
          BUILD_TYPE: "debug"
    steps:
      - checkout:
          path: /source/falco
      - run:
          name: Prepare project
          command: /usr/bin/entrypoint cmake
      - run:
          name: Build
          command: /usr/bin/entrypoint all
      - run:
          name: Run unit tests
          command: /usr/bin/entrypoint tests
      - run:
          name: Build packages
          command: /usr/bin/entrypoint package
  # Execute integration tests based on the build results coming from the "build/centos7" job
  "tests/integration":
    docker:
@@ -138,224 +84,12 @@ jobs:
      - run:
          name: Execute integration tests
          command: /usr/bin/entrypoint test
  # Sign rpm packages
  "rpm/sign":
    docker:
      - image: falcosecurity/falco-builder:latest
    steps:
      - attach_workspace:
          at: /
      - run:
          name: Install rpmsign
          command: |
            yum update -y
            yum install rpm-sign -y
      - run:
          name: Sign rpm
          command: |
            echo "%_signature gpg" > ~/.rpmmacros
            echo "%_gpg_name  Falcosecurity Package Signing" >> ~/.rpmmacros
            cd /build/release/
            echo '#!/usr/bin/expect -f' > sign
            echo 'spawn rpmsign --addsign {*}$argv' >> sign
            echo 'expect -exact "Enter pass phrase: "' >> sign
            echo 'send -- "\n"' >> sign
            echo 'expect eof' >> sign
            chmod +x sign
            echo $GPG_KEY | base64 -d | gpg --import
            ./sign *.rpm
            test "$(rpm -qpi *.rpm | awk '/Signature/' | grep -i none | wc -l)" -eq 0
      - persist_to_workspace:
          root: /
          paths:
            - build/release/*.rpm
  # Publish the packages
  "publish/packages-dev":
    docker:
      - image: docker.bintray.io/jfrog/jfrog-cli-go:latest
    steps:
      - attach_workspace:
          at: /
      - run:
          name: Create versions
          command: |
            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
            jfrog bt vc falcosecurity/deb-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
            jfrog bt vc falcosecurity/rpm-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
            jfrog bt vc falcosecurity/bin-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
      - run:
          name: Publish deb-dev
          command: |
            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb-dev/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish
      - run:
          name: Publish rpm-dev
          command: |
            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish
      - run:
          name: Publish tgz-dev
          command: |
            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin-dev/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish
  # Publish docker packages
  "publish/docker-dev":
    docker:
      - image: docker:stable
    steps:
      - attach_workspace:
          at: /
      - checkout
      - setup_remote_docker
      - run:
          name: Build and publish slim-dev
          command: |
            docker build --build-arg VERSION_BUCKET=deb-dev -t falcosecurity/falco:master-slim docker/slim
            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
            docker push falcosecurity/falco:master-slim
      - run:
          name: Build and publish minimal-dev
          command: |
            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
            docker build --build-arg VERSION_BUCKET=bin-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:master-minimal docker/minimal
            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
            docker push falcosecurity/falco:master-minimal
      - run:
          name: Build and publish dev
          command: |
            docker build --build-arg VERSION_BUCKET=deb-dev -t falcosecurity/falco:master docker/stable
            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
            docker push falcosecurity/falco:master
  # Publish the packages
  "publish/packages":
    docker:
      - image: docker.bintray.io/jfrog/jfrog-cli-go:latest
    steps:
      - attach_workspace:
          at: /
      - run:
          name: Create versions
          command: |
            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
            jfrog bt vc falcosecurity/deb/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
            jfrog bt vc falcosecurity/rpm/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
            jfrog bt vc falcosecurity/bin/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
      - run:
          name: Publish deb
          command: |
            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish
      - run:
          name: Publish rpm
          command: |
            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish
      - run:
          name: Publish tgz
          command: |
            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish
  # Publish docker packages
  "publish/docker":
    docker:
      - image: docker:stable
    steps:
      - attach_workspace:
          at: /
      - checkout
      - setup_remote_docker
      - run:
          name: Build and publish slim
          command: |
            docker build --build-arg VERSION_BUCKET=deb -t "falcosecurity/falco:${CIRCLE_TAG}-slim" docker/slim
            docker tag "falcosecurity/falco:${CIRCLE_TAG}-slim" falcosecurity/falco:latest-slim
            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
            docker push "falcosecurity/falco:${CIRCLE_TAG}-slim"
            docker push "falcosecurity/falco:latest-slim"
      - run:
          name: Build and publish minimal
          command: |
            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
            docker build --build-arg VERSION_BUCKET=bin --build-arg FALCO_VERSION=${FALCO_VERSION} -t "falcosecurity/falco:${CIRCLE_TAG}-minimal" docker/minimal
            docker tag "falcosecurity/falco:${CIRCLE_TAG}-minimal" falcosecurity/falco:latest-minimal
            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
            docker push "falcosecurity/falco:${CIRCLE_TAG}-minimal"
            docker push "falcosecurity/falco:latest-minimal"
      - run:
          name: Build and publish stable
          command: |
            docker build --build-arg VERSION_BUCKET=deb -t "falcosecurity/falco:${CIRCLE_TAG}" docker/stable
            docker tag "falcosecurity/falco:${CIRCLE_TAG}" falcosecurity/falco:latest
            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
            docker push "falcosecurity/falco:${CIRCLE_TAG}"
            docker push "falcosecurity/falco:latest"
 workflows:
  version: 2
  build_and_test:
    jobs:
      - "build/ubuntu-bionic"
      - "build/ubuntu-bionic-debug"
      - "build/centos7"
      - "build/centos7-debug"
      - "tests/integration":
          requires:
            - "build/centos7"
      - "rpm/sign":
          context: falco
          filters:
            branches:
              only:
                - master
          requires:
            - "tests/integration"
      - "publish/packages-dev":
          context: falco
          filters:
            branches:
              only:
                - master
          requires:
            - "rpm/sign"
      - "publish/docker-dev":
          context: falco
          filters:
            branches:
              only:
                - master
          requires:
            - "publish/packages-dev"
  release:
    jobs:
      - "build/centos7":
          filters:
            tags:
              only: /.*/
            branches:
              ignore: /.*/
      - "rpm/sign":
          context: falco
          requires:
            - "build/centos7"
          filters:
            tags:
              only: /.*/
            branches:
              ignore: /.*/
      - "publish/packages":
          context: falco
          requires:
            - "rpm/sign"
          filters:
            tags:
              only: /.*/
            branches:
              ignore: /.*/
      - "publish/docker":
          context: falco
          requires:
            - "publish/packages"
          filters:
            tags:
              only: /.*/
            branches:
              ignore: /.*/
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,71 +2,6 @@
 This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).
 ## v0.21.0
 Released on 2020-03-17
 ### Major Changes
 * BREAKING CHANGE: the SYSDIG_BPF_PROBE environment variable is now just FALCO_BPF_PROBE (please update your systemd scripts or kubernetes deployments. [[#1050](https://github.com/falcosecurity/falco/pull/1050)]
 * new: automatically publish deb packages (from git master branch) to public dev repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
 * new: automatically publish rpm packages (from git master branch) to public dev repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
 * new: automatically release deb packages (from git tags) to public repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
 * new: automatically release rpm packages (from git tags) to public repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
 * new: automatically publish docker images from master (master, master-slim, master-minimal) [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
 * new: automatically publish docker images from git tag (tag, tag-slim, tag-master, latest, latest-slim, latest-minimal) [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
 * new: sign packages with falcosecurity gpg key [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
 ### Minor Changes
 * new: falco_version_prerelease contains the number of commits since last tag on the master [[#1086](https://github.com/falcosecurity/falco/pull/1086)]
 * docs: update branding [[#1074](https://github.com/falcosecurity/falco/pull/1074)]
 * new(docker/event-generator): add example k8s resource files that allow running the event generator in a k8s cluster. [[#1088](https://github.com/falcosecurity/falco/pull/1088)]
 * update: creating *-dev docker images using build arguments at build time [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
 * update: docker images use packages from the new repositories [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
 * update: docker image downloads old deb dependencies (gcc-6, gcc-5, binutils-2.30) from a new open repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
 ### Bug Fixes
 * fix(docker): updating `stable` and `local` images to run from `debian:stable` [[#1018](https://github.com/falcosecurity/falco/pull/1018)]
 * fix(event-generator): the image used by the event generator deployment to `latest`. [[#1091](https://github.com/falcosecurity/falco/pull/1091)]
 * fix: -t (to disable rules by certain tag) or -t (to only run rules with a certain tag) work now [[#1081](https://github.com/falcosecurity/falco/pull/1081)]
 * fix: the falco driver now compiles on >= 5.4 kernels [[#1080](https://github.com/falcosecurity/falco/pull/1080)]
 * fix: download falco packages which url contains character to encode - eg, `+` [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
 * fix(docker): use base name in docker-entrypoint.sh [[#981](https://github.com/falcosecurity/falco/pull/981)]
 ### Rule Changes
 * rule(detect outbound connections to common miner pool ports): disabled by default [[#1061](https://github.com/falcosecurity/falco/pull/1061)]
 * rule(macro net_miner_pool): add localhost and rfc1918 addresses as exception in the rule. [[#1061](https://github.com/falcosecurity/falco/pull/1061)]
 * rule(change thread namespace): modify condition to detect suspicious container activity [[#974](https://github.com/falcosecurity/falco/pull/974)]
 ## v0.20.0
 Released on 2020-02-24
 ### Major Changes
 * fix: memory leak introduced in 0.18.0 happening while using json events and the kubernetes audit endpoint [[#1041](https://github.com/falcosecurity/falco/pull/1041)]
 * new: grpc version api [[#872](https://github.com/falcosecurity/falco/pull/872)]
 ### Bug Fixes
 * fix: the base64 output format (-b) now works with both json and normal output. [[#1033](https://github.com/falcosecurity/falco/pull/1033)]
 * fix: version follows semver 2 bnf [[#872](https://github.com/falcosecurity/falco/pull/872)]
 ### Rule Changes
 * rule(write below etc): add "dsc_host" as a ms oms program [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
 * rule(write below etc): let mcafee write to /etc/cma.d  [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
 * rule(write below etc): let avinetworks supervisor write some ssh cfg [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
 * rule(write below etc): alow writes to /etc/pki from openshift secrets dir [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
 * rule(write below root): let runc write to /exec.fifo [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
 * rule(change thread namespace): let cilium-cni change namespaces [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
 * rule(run shell untrusted): let puma reactor spawn shells [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
 ## v0.19.0
 Released on 2020-01-23
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -48,7 +48,6 @@ else()
  set(CMAKE_BUILD_TYPE "release")
  set(KBUILD_FLAGS "${DRAIOS_FEATURE_FLAGS}")
 endif()
 message(STATUS "Build type: ${CMAKE_BUILD_TYPE}")
 set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS}")
@@ -71,6 +70,7 @@ set(CMAKE_CXX_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
 include(GetFalcoVersion)
 set(PACKAGE_NAME "falco")
 set(PROBE_VERSION "${FALCO_VERSION}")
 set(PROBE_NAME "falco-probe")
 set(PROBE_DEVICE_NAME "falco")
 if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
--- a/README.md
+++ b/README.md
@@ -7,7 +7,7 @@
 #### Latest release
-**v0.21.0**
+**v0.19.0**
 Read the [change log](CHANGELOG.md)
 [![Build Status](https://img.shields.io/circleci/build/github/falcosecurity/falco/master?style=for-the-badge)](https://circleci.com/gh/falcosecurity/falco) [![CII Best Practices Summary](https://img.shields.io/cii/summary/2317?label=CCI%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) [![GitHub](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING)
--- a/brand/README.md
+++ b/brand/README.md
@@ -28,7 +28,7 @@ The CNCF now owns The Falco Project.
 ### What is Runtime Security?
 Runtime security refers to an approach to preventing unwanted activity on a computer system. 
-With runtime security, an operator deploys **both** prevention tooling (access control, policy enforcement, etc) along side detection tooling (systems observability, anomaly detection, etc).
+With runtime security an operator deploys **both** prevention tooling (access control, policy enforcement, etc) along side detection tooling (systems observability, anomaly detection, etc).
 Runtime security is the practice of using detection tooling to detect unwanted behavior, such that it can then be prevented using prevention techniques.
 Runtime security is a holistic approach to defense, and useful in scenarios where prevention tooling either was unaware of an exploit or attack vector, or when defective applications are ran in even the most secure environment.
@@ -124,9 +124,9 @@ Used to describe the `.ko` object that would be loaded into the kernel as a pote
 This is one option used to pass kernel events up to userspace for Falco to consume.
 Sometimes this word is incorrectly used to refer to a `probe`.
-#### Driver 
+#### Driver (deprecated)
-The global term for the software that sends events from the kernel. Such as the eBPF `probe` or the `kernel module`.
+An older, more generalized term for a `module` or `probe`. We discourage the use of this word as a project.
 #### Falco
--- a/cmake/modules/CPackConfig.cmake
+++ b/cmake/modules/CPackConfig.cmake
@@ -1,12 +1,9 @@
 set(CPACK_PACKAGE_NAME "${PACKAGE_NAME}")
 set(CPACK_PACKAGE_VENDOR "Cloud Native Computing Foundation (CNCF) cncf.io.")
-set(CPACK_PACKAGE_CONTACT "cncf-falco-dev@lists.cncf.io") # todo: change this once we've got @falco.org addresses
+set(CPACK_PACKAGE_CONTACT "opensource@sysdig.com") # todo: change this once we've got @falco.org addresses
 set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "Falco - Container Native Runtime Security")
 set(CPACK_PACKAGE_DESCRIPTION_FILE "${PROJECT_SOURCE_DIR}/scripts/description.txt")
 set(CPACK_PACKAGE_VERSION "${FALCO_VERSION}")
 set(CPACK_PACKAGE_VERSION_MAJOR "${FALCO_VERSION_MAJOR}")
 set(CPACK_PACKAGE_VERSION_MINOR "${FALCO_VERSION_MINOR}")
 set(CPACK_PACKAGE_VERSION_PATCH "${FALCO_VERSION_PATCH}")
 set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CMAKE_SYSTEM_PROCESSOR}")
 set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/cmake/cpack/CMakeCPackOptions.cmake")
 set(CPACK_STRIP_FILES "ON")
--- a/cmake/modules/GetFalcoVersion.cmake
+++ b/cmake/modules/GetFalcoVersion.cmake
@@ -1,5 +1,6 @@
 # Retrieve git ref and commit hash
 include(GetGitRevisionDescription)
 get_git_head_revision(FALCO_REF FALCO_HASH)
 # Create the falco version variable according to git index
 if(NOT FALCO_VERSION)
@@ -8,13 +9,25 @@ if(NOT FALCO_VERSION)
  git_get_exact_tag(FALCO_TAG)
  if(NOT FALCO_TAG)
    # Obtain the closest tag
-    git_describe(FALCO_VERSION "--always" "--tags")
+    git_describe(FALCO_VERSION "--abbrev=0" "--tags") # suppress the long format
    # Fallback version
    if(FALCO_VERSION MATCHES "NOTFOUND$")
      set(FALCO_VERSION "0.0.0")
    endif()
-    # Format FALCO_VERSION to be semver with prerelease and build part
+    # TODO(leodido) > Construct the prerelease part (semver 2) Construct the Build metadata part (semver 2)
-    string(REPLACE "-g" "+" FALCO_VERSION "${FALCO_VERSION}")
+    if(NOT FALCO_HASH MATCHES "NOTFOUND$")
      string(SUBSTRING "${FALCO_HASH}" 0 7 FALCO_VERSION_BUILD)
      # Check whether there are uncommitted changes or not
      git_local_changes(FALCO_CHANGES)
      if(FALCO_CHANGES STREQUAL "DIRTY")
        string(TOLOWER "${FALCO_CHANGES}" FALCO_CHANGES)
        set(FALCO_VERSION_BUILD "${FALCO_VERSION_BUILD}.${FALCO_CHANGES}")
      endif()
    endif()
    # Append the build metadata part (semver 2)
    if(FALCO_VERSION_BUILD)
      set(FALCO_VERSION "${FALCO_VERSION}+${FALCO_VERSION_BUILD}")
    endif()
  else()
    # A tag has been found: use it as the Falco version
    set(FALCO_VERSION "${FALCO_TAG}")
@@ -29,8 +42,8 @@ if(NOT FALCO_VERSION)
  string(
    REGEX
    REPLACE
-      "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)-((0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(\\.(0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*).*"
+      "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)-((0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)\\.(0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)*).*"
-      "\\5"
+      "\\4"
      FALCO_VERSION_PRERELEASE
      "${FALCO_VERSION}")
  if(FALCO_VERSION_PRERELEASE STREQUAL "${FALCO_VERSION}")
--- a/cmake/modules/sysdig-repo/CMakeLists.txt
+++ b/cmake/modules/sysdig-repo/CMakeLists.txt
@@ -15,14 +15,20 @@ cmake_minimum_required(VERSION 3.5.1)
 project(sysdig-repo NONE)
 include(ExternalProject)
-message(STATUS "Driver version: ${SYSDIG_VERSION}")
+
 # The sysdig git reference (branch name, commit hash, or tag)
 # To update sysdig version for the next release, change the default below
 # In case you want to test against another sysdig version just pass the variable - ie., `cmake -DSYSDIG_VERSION=dev ..`
 if(NOT SYSDIG_VERSION)
  set(SYSDIG_VERSION "146a431edf95829ac11bfd9c85ba3ef08789bffe")
 endif()
 ExternalProject_Add(
  sysdig
  URL "https://github.com/draios/sysdig/archive/${SYSDIG_VERSION}.tar.gz"
-  URL_HASH "${SYSDIG_CHECKSUM}"
+  # URL_HASH SHA256=bd09607aa8beb863db07e695863f7dc543e2d39e7153005759d26a340ff66fa5
  CONFIGURE_COMMAND ""
  BUILD_COMMAND ""
  INSTALL_COMMAND ""
-  TEST_COMMAND ""
+  TEST_COMMAND "")
  PATCH_COMMAND patch -p1 -i ${CMAKE_CURRENT_SOURCE_DIR}/patch/libscap.patch)
--- a/cmake/modules/sysdig-repo/patch/libscap.patch
+++ b/cmake/modules/sysdig-repo/patch/libscap.patch
@@ -1,22 +0,0 @@
 diff --git a/userspace/libscap/scap.c b/userspace/libscap/scap.c
 index 59b04e0a..bdc311cb 100644
 --- a/userspace/libscap/scap.c
 +++ b/userspace/libscap/scap.c
@@ -52,7 +52,7 @@ limitations under the License.
 //#define NDEBUG
 #include <assert.h>
 -static const char *SYSDIG_BPF_PROBE_ENV = "SYSDIG_BPF_PROBE";
 +static const char *SYSDIG_BPF_PROBE_ENV = "FALCO_BPF_PROBE";
 //
 // Probe version string size
@@ -171,7 +171,7 @@ scap_t* scap_open_live_int(char *error, int32_t *rc,
 				return NULL;
 			}
 -			snprintf(buf, sizeof(buf), "%s/.sysdig/%s-bpf.o", home, PROBE_NAME);
 +			snprintf(buf, sizeof(buf), "%s/.falco/%s-bpf.o", home, PROBE_NAME);
 			bpf_probe = buf;
 		}
 	}
--- a/cmake/modules/sysdig.cmake
+++ b/cmake/modules/sysdig.cmake
@@ -21,19 +21,8 @@ if(USE_BUNDLED_DEPS)
 endif()
 file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
 # The sysdig git reference (branch name, commit hash, or tag)
 # To update sysdig version for the next release, change the default below
 # In case you want to test against another sysdig version just pass the variable - ie., `cmake -DSYSDIG_VERSION=dev ..`
 if(NOT SYSDIG_VERSION)
  set(SYSDIG_VERSION "be1ea2d9482d0e6e2cb14a0fd7e08cbecf517f94")
  set(SYSDIG_CHECKSUM "SHA256=1c69363e4c36cdaeed413c2ef557af53bfc4bf1109fbcb6d6e18dc40fe6ddec8")
 endif()
 set(PROBE_VERSION "${SYSDIG_VERSION}")
 # cd /path/to/build && cmake /path/to/source
-execute_process(COMMAND "${CMAKE_COMMAND}" -DSYSDIG_VERSION=${SYSDIG_VERSION} -DSYSDIG_CHECKSUM=${SYSDIG_CHECKSUM} ${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
+execute_process(COMMAND "${CMAKE_COMMAND}" ${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
 # todo(leodido, fntlnz) > use the following one when CMake version will be >= 3.13
--- a/docker/builder/Dockerfile
+++ b/docker/builder/Dockerfile
@@ -2,7 +2,7 @@ FROM centos:7
 LABEL name="falcosecurity/falco-builder"
 LABEL usage="docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder cmake"
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 ARG BUILD_TYPE=release
 ARG BUILD_DRIVER=OFF
--- a/docker/dev/Dockerfile
+++ b/docker/dev/Dockerfile
@@ -0,0 +1,110 @@
 FROM debian:unstable
 LABEL maintainer="opensource@sysdig.com"
 ENV FALCO_REPOSITORY dev
 LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
 ENV HOST_ROOT /host
 ENV HOME /root
 RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
 RUN apt-get update \
 	&& apt-get install -y --no-install-recommends \
 	bash-completion \
 	bc \
 	clang-7 \
 	ca-certificates \
 	curl \
 	dkms \
 	gnupg2 \
 	gcc \
 	gdb \
 	jq \
 	libc6-dev \
 	libelf-dev \
 	llvm-7 \
 	netcat \
 	xz-utils \
 	&& rm -rf /var/lib/apt/lists/*
 # gcc 6 is no longer included in debian unstable, but we need it to
 # build kernel modules on the default debian-based ami used by
 # kops. So grab copies we've saved from debian snapshots with the
 # prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
 # or so.
 RUN curl -o cpp-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/cpp-6_6.3.0-18_amd64.deb \
 	&& curl -o gcc-6-base_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6-base_6.3.0-18_amd64.deb \
 	&& curl -o gcc-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6_6.3.0-18_amd64.deb \
 	&& curl -o libasan3_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libasan3_6.3.0-18_amd64.deb \
 	&& curl -o libcilkrts5_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libcilkrts5_6.3.0-18_amd64.deb \
 	&& curl -o libgcc-6-dev_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libgcc-6-dev_6.3.0-18_amd64.deb \
 	&& curl -o libubsan0_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libubsan0_6.3.0-18_amd64.deb \
 	&& curl -o libmpfr4_3.1.3-2_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libmpfr4_3.1.3-2_amd64.deb \
 	&& curl -o libisl15_0.18-1_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libisl15_0.18-1_amd64.deb \
 	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
 	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
 # gcc 5 is no longer included in debian unstable, but we need it to
 # build centos kernels, which are 3.x based and explicitly want a gcc
 # version 3, 4, or 5 compiler. So grab copies we've saved from debian
 # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
 RUN curl -o cpp-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/cpp-5_5.5.0-12_amd64.deb \
 	&& curl -o gcc-5-base_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
 	&& curl -o gcc-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5_5.5.0-12_amd64.deb \
 	&& curl -o libasan2_5.5.0-12_amd64.deb	https://s3.amazonaws.com/download.draios.com/dependencies/libasan2_5.5.0-12_amd64.deb \
 	&& curl -o libgcc-5-dev_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
 	&& curl -o libisl15_0.18-4_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libisl15_0.18-4_amd64.deb \
 	&& curl -o libmpx0_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libmpx0_5.5.0-12_amd64.deb \
 	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
 	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
 # Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
 # default to gcc-5.
 RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc
 RUN rm -rf /usr/bin/clang \
 	&& rm -rf /usr/bin/llc \
 	&& ln -s /usr/bin/clang-7 /usr/bin/clang \
 	&& ln -s /usr/bin/llc-7 /usr/bin/llc
 RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
 	&& curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
 	&& apt-get update \
 	&& apt-get install -y --no-install-recommends falco \
 	&& apt-get clean \
 	&& rm -rf /var/lib/apt/lists/*
 # Change the falco config within the container to enable ISO 8601
 # output.
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
 	&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
 # Some base images have an empty /lib/modules by default
 # If it's not empty, docker build will fail instead of
 # silently overwriting the existing directory
 RUN rm -df /lib/modules \
 	&& ln -s $HOST_ROOT/lib/modules /lib/modules
 # debian:unstable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
 RUN curl -s -o binutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils_2.30-22_amd64.deb \
 	&& curl -s -o libbinutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libbinutils_2.30-22_amd64.deb \
 	&& curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
 	&& curl -s -o binutils-common_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-common_2.30-22_amd64.deb \
 	&& dpkg -i *binutils*.deb \
 	&& rm -f *binutils*.deb
 COPY ./docker-entrypoint.sh /
 ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]
--- a/docker/dev/docker-entrypoint.sh
+++ b/docker/dev/docker-entrypoint.sh
@@ -0,0 +1,34 @@
 #!/usr/bin/env bash
 #
 # Copyright (C) 2019 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 # set -e
 # Set the SKIP_MODULE_LOAD variable to skip loading the kernel module
 if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
    echo "* Setting up /usr/src links from host"
    for i in "$HOST_ROOT/usr/src"/*
    do
        ln -s "$i" "/usr/src/$i"
    done
    /usr/bin/falco-probe-loader
 fi
 exec "$@"
--- a/docker/event-generator/Dockerfile
+++ b/docker/event-generator/Dockerfile
@@ -1,5 +1,5 @@
 FROM alpine:latest
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 RUN apk add --no-cache bash g++ curl
 COPY ./event_generator.cpp /usr/local/bin
 COPY ./docker-entrypoint.sh ./k8s_event_generator.sh /
--- a/docker/event-generator/event-generator-k8saudit-deployment.yaml
+++ b/docker/event-generator/event-generator-k8saudit-deployment.yaml
@@ -1,23 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: falco-event-generator-k8saudit
  labels:
    app: falco-event-generator-k8saudit
  namespace: falco-event-generator
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: falco-event-generator-k8saudit
  template:
    metadata:
      labels:
        app: falco-event-generator-k8saudit
    spec:
      serviceAccount: falco-event-generator
      containers:
      - name: falco-event-generator
        image: falcosecurity/falco-event-generator
        imagePullPolicy: Always
        args: ["k8s_audit"]
--- a/docker/event-generator/event-generator-role-rolebinding-serviceaccount.yaml
+++ b/docker/event-generator/event-generator-role-rolebinding-serviceaccount.yaml
@@ -1,71 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: falco-event-generator
 rules:
 - apiGroups:
  - ""
  resources:
  - configmaps
  - services
  - serviceaccounts
  - pods
  verbs:
  - list
  - get
  - create
  - delete
 - apiGroups:
  - apps
  - extensions
  resources:
  - deployments
  verbs:
  - list
  - get
  - create
  - delete
 - apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - roles
  - rolebindings
  verbs:
  - get
  - list
  - create
  - delete
 # These are only so the event generator can create roles that have these properties.
 # It will result in a falco alert for the rules "ClusterRole With Wildcard Created", "ClusterRole With Pod Exec Created"
 - apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - get
 - apiGroups:
  - ""
  resources:
  - '*'
  verbs:
  - get
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: falco-event-generator
  namespace: falco-eg-sandbox
 subjects:
  - kind: ServiceAccount
    name: falco-event-generator
    namespace: falco-event-generator
 roleRef:
  kind: ClusterRole
  name: falco-event-generator
  apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: falco-event-generator
  namespace: falco-event-generator
--- a/docker/event-generator/event-generator-syscall-daemonset.yaml
+++ b/docker/event-generator/event-generator-syscall-daemonset.yaml
@@ -1,20 +0,0 @@
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  name: falco-event-generator-syscall
  labels:
    app: falco-event-generator-syscall
  namespace: falco-event-generator
 spec:
  selector:
    matchLabels:
      name: falco-event-generator-syscall
  template:
    metadata:
      labels:
        name: falco-event-generator-syscall
    spec:
      containers:
      - name: falco-event-generator
        image: falcosecurity/falco-event-generator
        args: ["syscall"]
--- a/docker/event-generator/k8s_event_generator.sh
+++ b/docker/event-generator/k8s_event_generator.sh
@@ -17,18 +17,15 @@ kubectl version --short
 while true; do
-    # Delete all resources in the falco-eg-sandbox namespace
+    RET=$(kubectl get namespaces --output=name | grep falco-event-generator || true)
    echo "***Deleting all resources in falco-eg-sandbox namespace..."
    kubectl delete --all configmaps -n falco-eg-sandbox
    kubectl delete --all deployments -n falco-eg-sandbox
    kubectl delete --all services -n falco-eg-sandbox
    kubectl delete --all roles -n falco-eg-sandbox
    kubectl delete --all serviceaccounts -n falco-eg-sandbox
-    # We don't delete all rolebindings in the falco-eg-sandbox
+    if [[ "$RET" == *falco-event-generator* ]]; then
-    # namespace, as that would also delete the rolebinding for the
+	echo "***Deleting existing falco-event-generator namespace..."
-    # event generator itself.
+	kubectl delete namespace falco-event-generator
-    kubectl delete rolebinding vanilla-role-binding -n falco-eg-sandbox || true
+    fi
    echo "***Creating falco-event-generator namespace..."
    kubectl create namespace falco-event-generator
    for file in yaml/*.yaml; do
@@ -51,7 +48,7 @@ while true; do
 	    RULES=$(echo "$RULES" | tr '-' ' '| tr '.' '/' | sed -e 's/ *//' | sed  -e 's/,$//')
 	    echo "***$MESSAGES (Rule(s) $RULES)..."
-	    kubectl apply -f $file -n falco-eg-sandbox
+	    kubectl apply -f $file
 	    sleep 2
 	fi
    done
--- a/docker/event-generator/yaml/configmap-private-creds.yaml
+++ b/docker/event-generator/yaml/configmap-private-creds.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
  name: private-creds-configmap
  namespace: falco-event-generator
  labels:
    app.kubernetes.io/name: private-creds-configmap
    app.kubernetes.io/part-of: falco-event-generator
--- a/docker/event-generator/yaml/disallowed-pod-deployment.yaml
+++ b/docker/event-generator/yaml/disallowed-pod-deployment.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: disallowed-pod-deployment
  namespace: falco-event-generator
  labels:
    app.kubernetes.io/name: disallowed-pod-deployment
    app.kubernetes.io/part-of: falco-event-generator
--- a/docker/event-generator/yaml/hostnetwork-deployment.yaml
+++ b/docker/event-generator/yaml/hostnetwork-deployment.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: hostnetwork-deployment
  namespace: falco-event-generator
  labels:
    app.kubernetes.io/name: hostnetwork-deployment
    app.kubernetes.io/part-of: falco-event-generator
--- a/docker/event-generator/yaml/nodeport-service.yaml
+++ b/docker/event-generator/yaml/nodeport-service.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
  name: nodeport-service
  namespace: falco-event-generator
  labels:
    app.kubernetes.io/name: nodeport-service
    app.kubernetes.io/part-of: falco-event-generator
--- a/docker/event-generator/yaml/privileged-deployment.yaml
+++ b/docker/event-generator/yaml/privileged-deployment.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: privileged-deployment
  namespace: falco-event-generator
  labels:
    app.kubernetes.io/name: privileged-deployment
    app.kubernetes.io/part-of: falco-event-generator
--- a/docker/event-generator/yaml/role-pod-exec.yaml
+++ b/docker/event-generator/yaml/role-pod-exec.yaml
@@ -2,6 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: pod-exec-role
  namespace: falco-event-generator
  labels:
    app.kubernetes.io/name: pod-exec-role
    app.kubernetes.io/part-of: falco-event-generator
--- a/docker/event-generator/yaml/role-wildcard-resources.yaml
+++ b/docker/event-generator/yaml/role-wildcard-resources.yaml
@@ -2,6 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: wildcard-resources-role
  namespace: falco-event-generator
  labels:
    app.kubernetes.io/name: wildcard-resources-role
    app.kubernetes.io/part-of: falco-event-generator
--- a/docker/event-generator/yaml/role-write-privileges.yaml
+++ b/docker/event-generator/yaml/role-write-privileges.yaml
@@ -2,6 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: write-privileges-role
  namespace: falco-event-generator
  labels:
    app.kubernetes.io/name: write-privileges-role
    app.kubernetes.io/part-of: falco-event-generator
--- a/docker/event-generator/yaml/sensitive-mount-deployment.yaml
+++ b/docker/event-generator/yaml/sensitive-mount-deployment.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: sensitive-mount-deployment
  namespace: falco-event-generator
  labels:
    app.kubernetes.io/name: sensitive-mount-deployment
    app.kubernetes.io/part-of: falco-event-generator
--- a/docker/event-generator/yaml/vanilla-configmap.yaml
+++ b/docker/event-generator/yaml/vanilla-configmap.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
  name: vanilla-configmap
  namespace: falco-event-generator
  labels:
    app.kubernetes.io/name: vanilla-configmap
    app.kubernetes.io/part-of: falco-event-generator
--- a/docker/event-generator/yaml/vanilla-deployment.yaml
+++ b/docker/event-generator/yaml/vanilla-deployment.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: vanilla-deployment
  namespace: falco-event-generator
  labels:
    app.kubernetes.io/name: vanilla-deployment
    app.kubernetes.io/part-of: falco-event-generator
--- a/docker/event-generator/yaml/vanilla-role-rolebinding-serviceaccount.yaml
+++ b/docker/event-generator/yaml/vanilla-role-rolebinding-serviceaccount.yaml
@@ -2,6 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: vanilla-role
  namespace: falco-event-generator
  labels:
    app.kubernetes.io/name: vanilla-role
    app.kubernetes.io/part-of: falco-event-generator
@@ -19,6 +20,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: vanilla-role-binding
  namespace: falco-event-generator
  labels:
    app.kubernetes.io/name: vanilla-role-binding
    app.kubernetes.io/part-of: falco-event-generator
@@ -36,6 +38,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: vanilla-serviceaccount
  namespace: falco-event-generator
  labels:
    app.kubernetes.io/name: vanilla-serviceaccount
    app.kubernetes.io/part-of: falco-event-generator
--- a/docker/event-generator/yaml/vanilla-service.yaml
+++ b/docker/event-generator/yaml/vanilla-service.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
  name: vanilla-service
  namespace: falco-event-generator
  labels:
    app.kubernetes.io/name: vanilla-service
    app.kubernetes.io/part-of: falco-event-generator
--- a/docker/kernel/linuxkit/Dockerfile
+++ b/docker/kernel/linuxkit/Dockerfile
@@ -1,13 +1,13 @@
 ARG ALPINE_VERSION=3.10
 ARG KERNEL_VERSION=4.9.184
-ARG FALCO_VERSION=0.21.0
+ARG FALCO_VERSION=0.19.0
 FROM linuxkit/kernel:${KERNEL_VERSION} AS ksrc
 FROM falcosecurity/falco:${FALCO_VERSION}-minimal as falco
 FROM alpine:${ALPINE_VERSION} AS probe-build
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 ARG KERNEL_VERSION=4.9.184
-ARG FALCO_VERSION=0.21.0
+ARG FALCO_VERSION=0.19.0
 ENV FALCO_VERSION=${FALCO_VERSION}
 ENV KERNEL_VERSION=${KERNEL_VERSION}
@@ -32,7 +32,7 @@ RUN apk add --no-cache --update \
  autoconf
 FROM alpine:${ALPINE_VERSION}
-ARG FALCO_VERSION=0.21.0
+ARG FALCO_VERSION=0.19.0
 ENV FALCO_VERSION=${FALCO_VERSION}
 COPY --from=probe-build /usr/src/falco-${FALCO_VERSION}/falco-probe.ko /
 CMD ["insmod","/falco-probe.ko"]
--- a/docker/kernel/probeloader/Dockerfile
+++ b/docker/kernel/probeloader/Dockerfile
@@ -12,7 +12,7 @@ RUN go mod vendor
 RUN CGO_ENABLED=0 GOOS=linux go build -a -o falcoctl -ldflags '-extldflags "-static"' .
 FROM scratch
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 COPY --from=build /falcoctl/falcoctl /falcoctl
 CMD ["/falcoctl", "install", "probe"]
--- a/docker/local/Dockerfile
+++ b/docker/local/Dockerfile
@@ -1,7 +1,7 @@
-FROM debian:stable
+FROM debian:unstable
 LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 ARG FALCO_VERSION=
 RUN test -n FALCO_VERSION
@@ -13,6 +13,8 @@ ENV HOME /root
 RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
 RUN apt-get update \
    && apt-get install -y --no-install-recommends \
    bash-completion \
@@ -42,36 +44,36 @@ RUN apt-get update \
    libcc1-0 \
    && rm -rf /var/lib/apt/lists/*
-# gcc 6 is no longer included in debian stable, but we need it to
+# gcc 6 is no longer included in debian unstable, but we need it to
 # build kernel modules on the default debian-based ami used by
 # kops. So grab copies we've saved from debian snapshots with the
 # prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
 # or so.
-RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \
+RUN curl -o cpp-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/cpp-6_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
+    && curl -o gcc-6-base_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6-base_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \
+    && curl -o gcc-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6_6.3.0-18_amd64.deb \
-	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \
+    && curl -o libasan3_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libasan3_6.3.0-18_amd64.deb \
-	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
+    && curl -o libcilkrts5_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libcilkrts5_6.3.0-18_amd64.deb \
-	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
+    && curl -o libgcc-6-dev_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libgcc-6-dev_6.3.0-18_amd64.deb \
-	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \
+    && curl -o libubsan0_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libubsan0_6.3.0-18_amd64.deb \
-	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \
+    && curl -o libmpfr4_3.1.3-2_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libmpfr4_3.1.3-2_amd64.deb \
-	&& curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \
+    && curl -o libisl15_0.18-1_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libisl15_0.18-1_amd64.deb \
    && dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
    && rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
-# gcc 5 is no longer included in debian stable, but we need it to
+# gcc 5 is no longer included in debian unstable, but we need it to
 # build centos kernels, which are 3.x based and explicitly want a gcc
 # version 3, 4, or 5 compiler. So grab copies we've saved from debian
 # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
-RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \
+RUN curl -o cpp-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/cpp-5_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
+    && curl -o gcc-5-base_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \
+    && curl -o gcc-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5_5.5.0-12_amd64.deb \
-	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \
+    && curl -o libasan2_5.5.0-12_amd64.deb	https://s3.amazonaws.com/download.draios.com/dependencies/libasan2_5.5.0-12_amd64.deb \
-	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
+    && curl -o libgcc-5-dev_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
-	&& curl -L -o libisl15_0.18-4_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \
+    && curl -o libisl15_0.18-4_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libisl15_0.18-4_amd64.deb \
-	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \
+    && curl -o libmpx0_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libmpx0_5.5.0-12_amd64.deb \
    && dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
    && rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
@@ -98,13 +100,13 @@ RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
    && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
-# debian:stable head contains binutils 2.31, which generates
+# debian:unstable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \
+RUN curl -s -o binutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils_2.30-22_amd64.deb \
-	&& curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \
+    && curl -s -o libbinutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libbinutils_2.30-22_amd64.deb \
-	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+    && curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
-	&& curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \
+    && curl -s -o binutils-common_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-common_2.30-22_amd64.deb \
    && dpkg -i *binutils*.deb \
    && rm -f *binutils*.deb
--- a/docker/local/docker-entrypoint.sh
+++ b/docker/local/docker-entrypoint.sh
@@ -25,8 +25,7 @@ if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
    for i in "$HOST_ROOT/usr/src"/*
    do
-        base=$(basename "$i")
+        ln -s "$i" "/usr/src/$i"
        ln -s "$i" "/usr/src/$base"
    done
    /usr/bin/falco-probe-loader
--- a/docker/minimal/Dockerfile
+++ b/docker/minimal/Dockerfile
@@ -1,20 +1,20 @@
 FROM ubuntu:18.04 as ubuntu
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
-ARG FALCO_VERSION
+ARG FALCO_VERSION=0.19.0
 ARG VERSION_BUCKET=bin
 ENV FALCO_VERSION=${FALCO_VERSION}
 ENV VERSION_BUCKET=${VERSION_BUCKET}
 WORKDIR /
-ADD https://bintray.com/api/ui/download/falcosecurity/${VERSION_BUCKET}/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz /
+ADD https://s3.amazonaws.com/download.draios.com/stable/tgz/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz /
-RUN apt-get update -y && \
+# ADD will download from URL and unntar
 RUN apt-get update && \
    apt-get install -y libyaml-0-2 binutils && \
-    tar -xvf falco-${FALCO_VERSION}-x86_64.tar.gz && \
+    # curl -O https://s3.amazonaws.com/download.draios.com/stable/tgz/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz && \
    tar xfzv falco-${FALCO_VERSION}-x86_64.tar.gz && \
    rm -f falco-${FALCO_VERSION}-x86_64.tar.gz && \
    mv falco-${FALCO_VERSION}-x86_64 falco && \
    strip falco/usr/bin/falco && \
--- a/docker/rhel/Dockerfile
+++ b/docker/rhel/Dockerfile
@@ -1,22 +1,22 @@
 FROM registry.access.redhat.com/rhel7
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
-## Atomic/OpenShift Labels - https://github.com/projectatomic/ContainerApplicationGenericLabels
+### Atomic/OpenShift Labels - https://github.com/projectatomic/ContainerApplicationGenericLabels
-LABEL name="falco"
+LABEL name="falco" \
-LABEL vendor="falcosecurity"
+    vendor="falcosecurity" \
-LABEL url="http://falco.org"
+    url="http://falco.org/" \
-LABEL summary="Cloud Native Runtime Security"
+    summary="Container native runtime security" \
-LABEL description="Falco is an open-source project for intrusion and abnormality detection for Cloud Native platforms."
+    description="Falco is an open source project for intrusion and abnormality detection for Cloud Native platforms." \
-LABEL run='docker run -d --name falco --restart always --privileged --net host --pid host -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --shm-size=350m <image>'
+    run='docker run -d --name falco --restart always --privileged --net host --pid host -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --shm-size=350m registry.connect.redhat.com/sysdig/falco'
 COPY help.md /tmp/
 ENV HOST_ROOT /host
 ENV HOME /root
-ADD https://falco.org/repo/falcosecurity-rpm.repo /etc/yum.repos.d/falcosecurity.repo
+ADD http://download.draios.com/stable/rpm/draios.repo /etc/yum.repos.d/draios.repo
-RUN rpm --import https://falco.org/repo/falcosecurity-3672BA8F.asc && \
+RUN rpm --import https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public && \
    rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && \
    yum clean all && \
    REPOLIST=rhel-7-server-rpms,rhel-7-server-optional-rpms,epel,draios \
@@ -24,9 +24,9 @@ RUN rpm --import https://falco.org/repo/falcosecurity-3672BA8F.asc && \
    yum -y update-minimal --disablerepo "*" --enablerepo ${REPOLIST} --setopt=tsflags=nodocs \
    --security --sec-severity=Important --sec-severity=Critical && \
    yum -y install --disablerepo "*" --enablerepo ${REPOLIST} --setopt=tsflags=nodocs ${INSTALL_PKGS} && \
-    ## help file markdown to man conversion
+    ### help file markdown to man conversion
    go-md2man -in /tmp/help.md -out /help.1 && \
-    ## we delete everything on /usr/src/kernels otherwise it messes up docker-entrypoint.sh
+    ### we delete everything on /usr/src/kernels otherwise it messes up docker-entrypoint.sh
    rm -fr /usr/src/kernels && \
    rm -df /lib/modules && ln -s $HOST_ROOT/lib/modules /lib/modules && \
    yum clean all
--- a/docker/rhel/docker-entrypoint.sh
+++ b/docker/rhel/docker-entrypoint.sh
@@ -25,8 +25,7 @@ if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
    for i in "$HOST_ROOT/usr/src"/*
    do
-        base=$(basename "$i")
+        ln -s "$i" "/usr/src/$i"
        ln -s "$i" "/usr/src/$base"
    done
    /usr/bin/falco-probe-loader
--- a/docker/slim-dev/Dockerfile
+++ b/docker/slim-dev/Dockerfile
@@ -1,20 +1,19 @@
 FROM ubuntu:18.04
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
-LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name <name> <image>"
+ENV FALCO_REPOSITORY dev
-ARG FALCO_VERSION=latest
+LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
 ARG VERSION_BUCKET=deb
 ENV FALCO_VERSION=${FALCO_VERSION}
 ENV VERSION_BUCKET=${VERSION_BUCKET}
 ENV HOST_ROOT /host
 ENV HOME /root
 RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
 RUN apt-get update \
  && apt-get install -y --no-install-recommends \
  # 	bash-completion \
@@ -27,10 +26,10 @@ RUN apt-get update \
  # 	xz-utils \
  && rm -rf /var/lib/apt/lists/*
-RUN curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add - \
+RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
-  && echo "deb https://dl.bintray.com/falcosecurity/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
+  && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
-  && apt-get update -y \
+  && apt-get update \
-  && if [ "$FALCO_VERSION" = "latest" ]; then apt-get install -y --no-install-recommends falco; else apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
+  && apt-get install -y --no-install-recommends falco \
  && apt-get clean \
  && rm -rf /var/lib/apt/lists/*
@@ -45,4 +44,7 @@ RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/fa
 RUN rm -df /lib/modules \
  && ln -s $HOST_ROOT/lib/modules /lib/modules
 #COPY ./entrypoint.sh /
 # ENTRYPOINT ["/entrypoint.sh"]
 CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]
--- a/docker/slim-stable/Dockerfile
+++ b/docker/slim-stable/Dockerfile
@@ -0,0 +1,50 @@
 FROM ubuntu:18.04
 LABEL maintainer="opensource@sysdig.com"
 ENV FALCO_REPOSITORY stable
 LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
 ENV HOST_ROOT /host
 ENV HOME /root
 RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
 RUN apt-get update \
  && apt-get install -y --no-install-recommends \
  # 	bash-completion \
  # 	bc \
  ca-certificates \
  curl \
  gnupg2 \
  jq \
  # 	netcat \
  # 	xz-utils \
  && rm -rf /var/lib/apt/lists/*
 RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
  && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
  && apt-get update \
  && apt-get install -y --no-install-recommends falco \
  && apt-get clean \
  && rm -rf /var/lib/apt/lists/*
 # Change the falco config within the container to enable ISO 8601
 # output.
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
  && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
 # Some base images have an empty /lib/modules by default
 # If it's not empty, docker build will fail instead of
 # silently overwriting the existing directory
 RUN rm -df /lib/modules \
  && ln -s $HOST_ROOT/lib/modules /lib/modules
 #COPY ./entrypoint.sh /
 # ENTRYPOINT ["/entrypoint.sh"]
 CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]
--- a/docker/stable/Dockerfile
+++ b/docker/stable/Dockerfile
@@ -1,19 +1,19 @@
-FROM debian:stable
+FROM debian:unstable
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
-LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+ENV FALCO_REPOSITORY stable
-ARG FALCO_VERSION=latest
+LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
 ARG VERSION_BUCKET=deb
 ENV VERSION_BUCKET=${VERSION_BUCKET}
 ENV FALCO_VERSION=${FALCO_VERSION}
 ENV HOST_ROOT /host
 ENV HOME /root
 RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
 RUN apt-get update \
 	&& apt-get install -y --no-install-recommends \
 	bash-completion \
@@ -33,36 +33,36 @@ RUN apt-get update \
 	xz-utils \
 	&& rm -rf /var/lib/apt/lists/*
-# gcc 6 is no longer included in debian stable, but we need it to
+# gcc 6 is no longer included in debian unstable, but we need it to
 # build kernel modules on the default debian-based ami used by
 # kops. So grab copies we've saved from debian snapshots with the
 # prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
 # or so.
-RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \
+RUN curl -o cpp-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/cpp-6_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
+	&& curl -o gcc-6-base_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6-base_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \
+	&& curl -o gcc-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6_6.3.0-18_amd64.deb \
-	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \
+	&& curl -o libasan3_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libasan3_6.3.0-18_amd64.deb \
-	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
+	&& curl -o libcilkrts5_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libcilkrts5_6.3.0-18_amd64.deb \
-	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
+	&& curl -o libgcc-6-dev_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libgcc-6-dev_6.3.0-18_amd64.deb \
-	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \
+	&& curl -o libubsan0_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libubsan0_6.3.0-18_amd64.deb \
-	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \
+	&& curl -o libmpfr4_3.1.3-2_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libmpfr4_3.1.3-2_amd64.deb \
-	&& curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \
+	&& curl -o libisl15_0.18-1_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libisl15_0.18-1_amd64.deb \
 	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
 	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
-# gcc 5 is no longer included in debian stable, but we need it to
+# gcc 5 is no longer included in debian unstable, but we need it to
 # build centos kernels, which are 3.x based and explicitly want a gcc
 # version 3, 4, or 5 compiler. So grab copies we've saved from debian
 # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
-RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \
+RUN curl -o cpp-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/cpp-5_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
+	&& curl -o gcc-5-base_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \
+	&& curl -o gcc-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5_5.5.0-12_amd64.deb \
-	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \
+	&& curl -o libasan2_5.5.0-12_amd64.deb	https://s3.amazonaws.com/download.draios.com/dependencies/libasan2_5.5.0-12_amd64.deb \
-	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
+	&& curl -o libgcc-5-dev_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
-	&& curl -L -o libisl15_0.18-4_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \
+	&& curl -o libisl15_0.18-4_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libisl15_0.18-4_amd64.deb \
-	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \
+	&& curl -o libmpx0_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libmpx0_5.5.0-12_amd64.deb \
 	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
 	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
@@ -75,10 +75,10 @@ RUN rm -rf /usr/bin/clang \
 	&& ln -s /usr/bin/clang-7 /usr/bin/clang \
 	&& ln -s /usr/bin/llc-7 /usr/bin/llc
-RUN curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add - \
+RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
-	&& echo "deb https://dl.bintray.com/falcosecurity/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
+	&& curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
-	&& apt-get update -y \
+	&& apt-get update \
-	&& if [ "$FALCO_VERSION" = "latest" ]; then apt-get install -y --no-install-recommends falco; else apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
+	&& apt-get install -y --no-install-recommends falco \
 	&& apt-get clean \
 	&& rm -rf /var/lib/apt/lists/*
@@ -93,13 +93,13 @@ RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/fa
 RUN rm -df /lib/modules \
 	&& ln -s $HOST_ROOT/lib/modules /lib/modules
-# debian:stable head contains binutils 2.31, which generates
+# debian:unstable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \
+RUN curl -s -o binutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils_2.30-22_amd64.deb \
-	&& curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \
+	&& curl -s -o libbinutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libbinutils_2.30-22_amd64.deb \
-	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+	&& curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
-	&& curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \
+	&& curl -s -o binutils-common_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-common_2.30-22_amd64.deb \
 	&& dpkg -i *binutils*.deb \
 	&& rm -f *binutils*.deb
--- a/docker/stable/docker-entrypoint.sh
+++ b/docker/stable/docker-entrypoint.sh
@@ -25,8 +25,7 @@ if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
    for i in "$HOST_ROOT/usr/src"/*
    do
-        base=$(basename "$i")
+        ln -s "$i" "/usr/src/$i"
        ln -s "$i" "/usr/src/$base"
    done
    /usr/bin/falco-probe-loader
--- a/docker/tester/Dockerfile
+++ b/docker/tester/Dockerfile
@@ -2,7 +2,7 @@ FROM fedora:31
 LABEL name="falcosecurity/falco-tester"
 LABEL usage="docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build -e FALCO_VERSION=<current_falco_version> --name <name> falcosecurity/falco-tester test"
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 ENV FALCO_VERSION=
 ENV BUILD_TYPE=release
--- a/docker/tester/root/runners/deb.Dockerfile
+++ b/docker/tester/root/runners/deb.Dockerfile
@@ -1,5 +1,5 @@
 FROM ubuntu:18.04
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 ARG FALCO_VERSION=
 RUN test -n FALCO_VERSION
--- a/docker/tester/root/runners/rpm.Dockerfile
+++ b/docker/tester/root/runners/rpm.Dockerfile
@@ -1,6 +1,6 @@
 FROM centos:7
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 ARG FALCO_VERSION=
 RUN test -n FALCO_VERSION
--- a/integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap-slim.yaml
+++ b/integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap-slim.yaml
@@ -20,7 +20,7 @@ spec:
            privileged: true
          #env:
          #  - name: FALCOCTL_FALCO_VERSION
-          #    value: 0.21.0
+          #    value: 0.19.0
          #  - name: FALCOCTL_FALCO_PROBE_URL
          #    value:
          #  - name: FALCOCTL_FALCO_PROBE_REPO
@@ -31,7 +31,7 @@ spec:
              readOnly: true
      containers:
        - name: falco
-          image: falcosecurity/falco:0.21.0-slim
+          image: falcosecurity/falco:0.19.0-slim
          securityContext:
            privileged: true
 # Uncomment the 3 lines below to enable eBPF support for Falco.
@@ -39,7 +39,7 @@ spec:
 # Leave blank for the default probe location, or set to the path
 # of a precompiled probe.
 #          env:
-#          - name: FALCO_BPF_PROBE
+#          - name: BPF_PROBE
 #            value: ""
          args: [ "/usr/bin/falco", "--cri", "/host/run/containerd/containerd.sock", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://$(KUBERNETES_SERVICE_HOST)", "-pk"]
          volumeMounts:
--- a/integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml
+++ b/integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml
@@ -23,7 +23,7 @@ spec:
 # Leave blank for the default probe location, or set to the path
 # of a precompiled probe.
 #          env:
-#          - name: FALCO_BPF_PROBE
+#          - name: BPF_PROBE
 #            value: ""
          args: [ "/usr/bin/falco", "--cri", "/host/run/containerd/containerd.sock", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://$(KUBERNETES_SERVICE_HOST)", "-pk"]
          volumeMounts:
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -450,7 +450,7 @@
    a shell configuration file has been modified (user=%user.name command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name container_id=%container.id image=%container.image.repository)
  priority:
    WARNING
-  tags: [file, mitre_persistence]
+  tag: [file, mitre_persistence]
 # This rule is not enabled by default, as there are many legitimate
 # readers of shell config files. If you want to enable it, modify the
@@ -472,7 +472,7 @@
    a shell configuration file was read by a non-shell program (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
  priority:
    WARNING
-  tags: [file, mitre_discovery]
+  tag: [file, mitre_discovery]
 - macro: consider_all_cron_jobs
  condition: (never_true)
@@ -488,7 +488,7 @@
    file=%fd.name container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
  priority:
    NOTICE
-  tags: [file, mitre_persistence]
+  tag: [file, mitre_persistence]
 # Use this to test whether the event occurred within a container.
@@ -1544,13 +1544,13 @@
    an attempt to change a program/thread\'s namespace (commonly done
    as a part of creating a container) by calling setns.
  condition: >
-    evt.type=setns and evt.dir=<
+    evt.type = setns
-    and not (container.id=host and proc.name in (docker_binaries, k8s_binaries, lxd_binaries, nsenter))
+    and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries,
-    and not proc.name in (sysdigcloud_binaries, sysdig, calico, oci-umount, cilium-cni, network_plugin_binaries)
+                          sysdig, nsenter, calico, oci-umount, cilium-cni, network_plugin_binaries)
    and not proc.name in (user_known_change_thread_namespace_binaries)
    and not proc.name startswith "runc"
    and not proc.cmdline startswith "containerd"
-    and not proc.pname in (sysdigcloud_binaries, hyperkube, kubelet)
+    and not proc.pname in (sysdigcloud_binaries)
    and not python_running_sdchecks
    and not java_running_sdjagent
    and not kubelet_running_loopback
@@ -1561,9 +1561,9 @@
    and not user_known_change_thread_namespace_activities
  output: >
    Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline
-    parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository:%container.image.tag)
+    parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository)
  priority: NOTICE
-  tags: [process, mitre_privilege_escalation, mitre_lateral_movement]
+  tags: [process]
 # The binaries in this list and their descendents are *not* allowed
 # spawn shells. This includes the binaries spawning shells directly as
@@ -2480,7 +2480,7 @@
    Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
  priority:
    WARNING
-  tags: [process, mitre_defense_evation]
+  tag: [process, mitre_defense_evation]
 # This rule is deprecated and will/should never be triggered. Keep it here for backport compatibility.
 # Rule Delete or rename shell history is the preferred rule to use now.
@@ -2493,7 +2493,7 @@
    Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
  priority:
    WARNING
-  tags: [process, mitre_defense_evation]
+  tag: [process, mitre_defense_evation]
 - macro: consider_all_chmods
  condition: (always_true)
@@ -2515,7 +2515,7 @@
    command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
  priority:
    NOTICE
-  tags: [process, mitre_persistence]
+  tag: [process, mitre_persistence]
 - list: exclude_hidden_directories
  items: [/root/.cassandra]
@@ -2537,7 +2537,7 @@
    file=%fd.name newpath=%evt.arg.newpath container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
  priority:
    NOTICE
-  tags: [file, mitre_persistence]
+  tag: [file, mitre_persistence]
 - list: remote_file_copy_binaries
  items: [rsync, scp, sftp, dcp]
@@ -2645,14 +2645,11 @@
  condition: (fd.sport in (miner_ports) and fd.sip.name in (miner_domains))
 - macro: net_miner_pool
-  condition: (evt.type in (sendto, sendmsg) and evt.dir=< and (fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and ((minerpool_http) or (minerpool_https) or (minerpool_other)))
+  condition: (evt.type in (sendto, sendmsg) and evt.dir=< and ((minerpool_http) or (minerpool_https) or (minerpool_other)))
 # The rule is disabled by default. 
 # Note: falco will send DNS request to resolve miner pool domain which may trigger alerts in your environment.
 - rule: Detect outbound connections to common miner pool ports
  desc: Miners typically connect to miner pools on common ports.
  condition: net_miner_pool
  enabled: false
  output: Outbound connection to IP/Port flagged by cryptoioc.ch (command=%proc.cmdline port=%fd.rport ip=%fd.rip container=%container.info image=%container.image.repository)
  priority: CRITICAL
  tags: [network, mitre_execution]
--- a/scripts/debian/falco
+++ b/scripts/debian/falco
@@ -26,7 +26,7 @@
 #                    driven by system calls with support for containers.
 ### END INIT INFO
-# Author: The Falco Authors <cncf-falco-dev@lists.cncf.io>
+# Author: The Falco Authors <opensource@sysdig.com>
 # Do NOT "set -e"
--- a/scripts/falco-probe-loader
+++ b/scripts/falco-probe-loader
@@ -350,7 +350,7 @@ load_bpf_probe() {
 			echo "**********************************************************"
 		fi
-		echo "* BPF probe located, it's now possible to start falco"
+		echo "* BPF probe located, it's now possible to start sysdig"
 		ln -sf "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${HOME}/.falco/${BPF_PROBE_NAME}.o"
 		exit $?
@@ -402,7 +402,7 @@ if ! hash curl > /dev/null 2>&1; then
 	exit 1
 fi
-if [ -v FALCO_BPF_PROBE ] || [ "${1}" = "bpf" ]; then
+if [ -v BPF_PROBE ] || [ "${1}" = "bpf" ]; then
 	load_bpf_probe
 else
 	load_kernel_probe
--- a/scripts/install-falco.sh
+++ b/scripts/install-falco.sh
@@ -0,0 +1,200 @@
 #!/bin/bash
 #
 # Copyright (C) 2013-2018 Draios Inc dba Sysdig.
 #
 # This file is part of falco .
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 set -e
 function install_rpm {
 	if ! hash curl > /dev/null 2>&1; then
 		echo "* Installing curl"
 		yum -q -y install curl
 	fi
 	if ! yum -q list dkms > /dev/null 2>&1; then
 		echo "* Installing EPEL repository (for DKMS)"
 		if [ $VERSION -eq 8 ]; then
 			rpm --quiet -i https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
 		elif [ $VERSION -eq 7 ]; then
 			rpm --quiet -i https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
 		else
 			rpm --quiet -i https://mirrors.kernel.org/fedora-epel/6/i386/epel-release-6-8.noarch.rpm
 		fi
 	fi
 	echo "* Installing falco public key"
 	rpm --quiet --import https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public
 	echo "* Installing falco repository"
 	curl -s -o /etc/yum.repos.d/draios.repo https://s3.amazonaws.com/download.draios.com/stable/rpm/draios.repo
 	echo "* Installing kernel headers"
 	KERNEL_VERSION=$(uname -r)
 	if [[ $KERNEL_VERSION == *PAE* ]]; then
 		yum -q -y install kernel-PAE-devel-${KERNEL_VERSION%.PAE} || kernel_warning
 	elif [[ $KERNEL_VERSION == *stab* ]]; then
 		# It's OpenVZ kernel and we should install another package
 		yum -q -y install vzkernel-devel-$KERNEL_VERSION || kernel_warning
 	elif [[ $KERNEL_VERSION == *uek* ]]; then
 		yum -q -y install kernel-uek-devel-$KERNEL_VERSION || kernel_warning
 	else
 		yum -q -y install kernel-devel-$KERNEL_VERSION || kernel_warning
 	fi
 	echo "* Installing falco"
 	yum -q -y install falco
 }
 function install_deb {
 	export DEBIAN_FRONTEND=noninteractive
 	if ! hash curl > /dev/null 2>&1; then
 		echo "* Installing curl"
 		apt-get -qq -y install curl < /dev/null
 	fi
 	echo "* Installing Sysdig public key"
 	curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add -
 	echo "* Installing falco repository"
 	curl -s -o /etc/apt/sources.list.d/draios.list https://s3.amazonaws.com/download.draios.com/stable/deb/draios.list
 	apt-get -qq update < /dev/null
 	echo "* Installing kernel headers"
 	apt-get -qq -y install linux-headers-$(uname -r) < /dev/null || kernel_warning
 	echo "* Installing falco"
 	apt-get -qq -y install falco < /dev/null
 }
 function unsupported {
 	echo 'Unsupported operating system. Please consider writing to the mailing list at'
 	echo 'https://groups.google.com/forum/#!forum/sysdig or trying the manual'
 	echo 'installation.'
 	exit 1
 }
 function kernel_warning {
 	echo "Unable to find kernel development files for the current kernel version" $(uname -r)
 	echo "This usually means that your system is not up-to-date or you installed a custom kernel version."
 	echo "The installation will continue but you'll need to install these yourself in order to use falco."
 	echo 'Please write to the mailing list at https://groups.google.com/forum/#!forum/sysdig'
 	echo "if you need further assistance."
 }
 if [ $(id -u) != 0 ]; then
 	echo "Installer must be run as root (or with sudo)."
 	exit 1
 fi
 echo "* Detecting operating system"
 ARCH=$(uname -m)
 if [[ ! $ARCH = *86 ]] && [ ! $ARCH = "x86_64" ] && [ ! $ARCH = "s390x" ]; then
 	unsupported
 fi
 if [ $ARCH = "s390x" ]; then
 	echo "------------"
 	echo "WARNING: A Docker container is the only officially supported platform on s390x"
 	echo "------------"
 fi
 if [ -f /etc/debian_version ]; then
 	if [ -f /etc/lsb-release ]; then
 		. /etc/lsb-release
 		DISTRO=$DISTRIB_ID
 		VERSION=${DISTRIB_RELEASE%%.*}
 	else
 		DISTRO="Debian"
 		VERSION=$(cat /etc/debian_version | cut -d'.' -f1)
 	fi
 	case "$DISTRO" in
 		"Ubuntu")
 			if [ $VERSION -ge 10 ]; then
 				install_deb
 			else
 				unsupported
 			fi
 			;;
 		"LinuxMint")
 			if [ $VERSION -ge 9 ]; then
 				install_deb
 			else
 				unsupported
 			fi
 			;;
 		"Debian")
 			if [ $VERSION -ge 6 ]; then
 				install_deb
 			elif [[ $VERSION == *sid* ]]; then
 				install_deb
 			else
 				unsupported
 			fi
 			;;
 		*)
 			unsupported
 			;;
 	esac
 elif [ -f /etc/system-release-cpe ]; then
 	DISTRO=$(cat /etc/system-release-cpe | cut -d':' -f3)
 	# New Amazon Linux 2 distro
 	if [[ -f /etc/image-id ]]; then
 		AMZ_AMI_VERSION=$(cat /etc/image-id | grep 'image_name' | cut -d"=" -f2 | tr -d "\"")
 	fi
 	if [[ "${DISTRO}" == "o" ]] && [[ ${AMZ_AMI_VERSION} = *"amzn2"* ]]; then
 		DISTRO=$(cat /etc/system-release-cpe | cut -d':' -f4)
 	fi
 	VERSION=$(cat /etc/system-release-cpe | cut -d':' -f5 | cut -d'.' -f1 | sed 's/[^0-9]*//g')
 	case "$DISTRO" in
 		"oracle" | "centos" | "redhat")
 			if [ $VERSION -ge 6 ]; then
 				install_rpm
 			else
 				unsupported
 			fi
 			;;
 		"amazon")
 			install_rpm
 			;;
 		"fedoraproject")
 			if [ $VERSION -ge 13 ]; then
 				install_rpm
 			else
 				unsupported
 			fi
 			;;
 		*)
 			unsupported
 			;;
 	esac
 else
 	unsupported
 fi
 modprobe -r falco_probe
--- a/test/falco_tests.yaml
+++ b/test/falco_tests.yaml
@@ -689,7 +689,7 @@ trace_files: !mux
      - "Non sudo setuid": 1
      - "Create files below dev": 1
      - "Modify binary dirs": 2
-      - "Change thread namespace": 1
+      - "Change thread namespace": 2
  disabled_tags_a:
    detect: True
--- a/test/falco_traces.yaml.in
+++ b/test/falco_traces.yaml.in
@@ -26,7 +26,7 @@ traces: !mux
    detect: True
    detect_level: NOTICE
    detect_counts:
-      - "Change thread namespace": 1
+      - "Change thread namespace": 2
  container-privileged:
    trace_file: traces-positive/container-privileged.scap
@@ -73,7 +73,7 @@ traces: !mux
      - "Non sudo setuid": 1
      - "Create files below dev": 1
      - "Modify binary dirs": 2
-      - "Change thread namespace": 1
+      - "Change thread namespace": 2
  mkdir-binary-dirs:
    trace_file: traces-positive/mkdir-binary-dirs.scap