update(userspace/falco): access peer from context method

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>

.circleci/config.yml

@@ -32,38 +32,6 @@ jobs:
             pushd build
             make tests
             popd
-  # Debug build using ubuntu LTS
-  # This build is dynamic, most dependencies are taken from the OS
-  "build/ubuntu-bionic-debug":
-    docker:
-      - image: ubuntu:bionic
-    steps:
-      - checkout
-      - run:
-          name: Update base image
-          command: apt update -y
-      - run:
-          name: Install dependencies
-          command: apt install libssl-dev libyaml-dev libncurses-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm linux-headers-$(uname -r) libelf-dev cmake build-essential libcurl4-openssl-dev -y
-      - run:
-          name: Prepare project
-          command: |
-            mkdir build
-            pushd build
-            cmake -DCMAKE_BUILD_TYPE=debug ..
-            popd
-      - run:
-          name: Build
-          command: |
-            pushd build
-            make -j4 all
-            popd
-      - run:
-          name: Run unit tests
-          command: |
-            pushd build
-            make tests
-            popd
   # Build using our own builder base image using centos 7
   # This build is static, dependencies are bundled in the falco binary
   "build/centos7":
@@ -101,28 +69,6 @@ jobs:
       - store_artifacts:
           path: /tmp/packages
           destination: /packages
-  # Debug build using our own builder base image using centos 7
-  # This build is static, dependencies are bundled in the falco binary
-  "build/centos7-debug":
-    docker:
-      - image: falcosecurity/falco-builder:latest
-        environment:
-          BUILD_TYPE: "debug"
-    steps:
-      - checkout:
-          path: /source/falco
-      - run:
-          name: Prepare project
-          command: /usr/bin/entrypoint cmake
-      - run:
-          name: Build
-          command: /usr/bin/entrypoint all
-      - run:
-          name: Run unit tests
-          command: /usr/bin/entrypoint tests
-      - run:
-          name: Build packages
-          command: /usr/bin/entrypoint package
   # Execute integration tests based on the build results coming from the "build/centos7" job
   "tests/integration":
     docker:
@@ -138,224 +84,12 @@ jobs:
       - run:
           name: Execute integration tests
           command: /usr/bin/entrypoint test
-  # Sign rpm packages
-  "rpm/sign":
-    docker:
-      - image: falcosecurity/falco-builder:latest
-    steps:
-      - attach_workspace:
-          at: /
-      - run:
-          name: Install rpmsign
-          command: |
-            yum update -y
-            yum install rpm-sign -y
-      - run:
-          name: Sign rpm
-          command: |
-            echo "%_signature gpg" > ~/.rpmmacros
-            echo "%_gpg_name  Falcosecurity Package Signing" >> ~/.rpmmacros
-            cd /build/release/
-            echo '#!/usr/bin/expect -f' > sign
-            echo 'spawn rpmsign --addsign {*}$argv' >> sign
-            echo 'expect -exact "Enter pass phrase: "' >> sign
-            echo 'send -- "\n"' >> sign
-            echo 'expect eof' >> sign
-            chmod +x sign
-            echo $GPG_KEY | base64 -d | gpg --import
-            ./sign *.rpm
-            test "$(rpm -qpi *.rpm | awk '/Signature/' | grep -i none | wc -l)" -eq 0
-      - persist_to_workspace:
-          root: /
-          paths:
-            - build/release/*.rpm
-  # Publish the packages
-  "publish/packages-dev":
-    docker:
-      - image: docker.bintray.io/jfrog/jfrog-cli-go:latest
-    steps:
-      - attach_workspace:
-          at: /
-      - run:
-          name: Create versions
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt vc falcosecurity/deb-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
-            jfrog bt vc falcosecurity/rpm-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
-            jfrog bt vc falcosecurity/bin-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
-      - run:
-          name: Publish deb-dev
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb-dev/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish
-      - run:
-          name: Publish rpm-dev
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish
-      - run:
-          name: Publish tgz-dev
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin-dev/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish
-  # Publish docker packages
-  "publish/docker-dev":
-    docker:
-      - image: docker:stable
-    steps:
-      - attach_workspace:
-          at: /
-      - checkout
-      - setup_remote_docker
-      - run:
-          name: Build and publish slim-dev
-          command: |
-            docker build --build-arg VERSION_BUCKET=deb-dev -t falcosecurity/falco:master-slim docker/slim
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            docker push falcosecurity/falco:master-slim
-      - run:
-          name: Build and publish minimal-dev
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            docker build --build-arg VERSION_BUCKET=bin-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:master-minimal docker/minimal
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            docker push falcosecurity/falco:master-minimal
-      - run:
-          name: Build and publish dev
-          command: |
-            docker build --build-arg VERSION_BUCKET=deb-dev -t falcosecurity/falco:master docker/stable
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            docker push falcosecurity/falco:master
-  # Publish the packages
-  "publish/packages":
-    docker:
-      - image: docker.bintray.io/jfrog/jfrog-cli-go:latest
-    steps:
-      - attach_workspace:
-          at: /
-      - run:
-          name: Create versions
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt vc falcosecurity/deb/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
-            jfrog bt vc falcosecurity/rpm/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
-            jfrog bt vc falcosecurity/bin/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
-      - run:
-          name: Publish deb
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish
-      - run:
-          name: Publish rpm
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish
-      - run:
-          name: Publish tgz
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish
-  # Publish docker packages
-  "publish/docker":
-    docker:
-      - image: docker:stable
-    steps:
-      - attach_workspace:
-          at: /
-      - checkout
-      - setup_remote_docker
-      - run:
-          name: Build and publish slim
-          command: |
-            docker build --build-arg VERSION_BUCKET=deb -t "falcosecurity/falco:${CIRCLE_TAG}-slim" docker/slim
-            docker tag "falcosecurity/falco:${CIRCLE_TAG}-slim" falcosecurity/falco:latest-slim
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            docker push "falcosecurity/falco:${CIRCLE_TAG}-slim"
-            docker push "falcosecurity/falco:latest-slim"
-      - run:
-          name: Build and publish minimal
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            docker build --build-arg VERSION_BUCKET=bin --build-arg FALCO_VERSION=${FALCO_VERSION} -t "falcosecurity/falco:${CIRCLE_TAG}-minimal" docker/minimal
-            docker tag "falcosecurity/falco:${CIRCLE_TAG}-minimal" falcosecurity/falco:latest-minimal
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            docker push "falcosecurity/falco:${CIRCLE_TAG}-minimal"
-            docker push "falcosecurity/falco:latest-minimal"
-      - run:
-          name: Build and publish stable
-          command: |
-            docker build --build-arg VERSION_BUCKET=deb -t "falcosecurity/falco:${CIRCLE_TAG}" docker/stable
-            docker tag "falcosecurity/falco:${CIRCLE_TAG}" falcosecurity/falco:latest
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            docker push "falcosecurity/falco:${CIRCLE_TAG}"
-            docker push "falcosecurity/falco:latest"
 workflows:
   version: 2
   build_and_test:
     jobs:
       - "build/ubuntu-bionic"
-      - "build/ubuntu-bionic-debug"
       - "build/centos7"
-      - "build/centos7-debug"
       - "tests/integration":
           requires:
             - "build/centos7"
-      - "rpm/sign":
-          context: falco
-          filters:
-            branches:
-              only:
-                - master
-          requires:
-            - "tests/integration"
-      - "publish/packages-dev":
-          context: falco
-          filters:
-            branches:
-              only:
-                - master
-          requires:
-            - "rpm/sign"
-      - "publish/docker-dev":
-          context: falco
-          filters:
-            branches:
-              only:
-                - master
-          requires:
-            - "publish/packages-dev"
-  release:
-    jobs:
-      - "build/centos7":
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              ignore: /.*/
-      - "rpm/sign":
-          context: falco
-          requires:
-            - "build/centos7"
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              ignore: /.*/
-      - "publish/packages":
-          context: falco
-          requires:
-            - "rpm/sign"
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              ignore: /.*/
-      - "publish/docker":
-          context: falco
-          requires:
-            - "publish/packages"
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              ignore: /.*/

CHANGELOG.md

@@ -2,71 +2,6 @@
 
 This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).
 
-## v0.21.0
-
-Released on 2020-03-17
-
-### Major Changes
-
-* BREAKING CHANGE: the SYSDIG_BPF_PROBE environment variable is now just FALCO_BPF_PROBE (please update your systemd scripts or kubernetes deployments. [[#1050](https://github.com/falcosecurity/falco/pull/1050)]
-* new: automatically publish deb packages (from git master branch) to public dev repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
-* new: automatically publish rpm packages (from git master branch) to public dev repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
-* new: automatically release deb packages (from git tags) to public repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
-* new: automatically release rpm packages (from git tags) to public repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
-* new: automatically publish docker images from master (master, master-slim, master-minimal) [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
-* new: automatically publish docker images from git tag (tag, tag-slim, tag-master, latest, latest-slim, latest-minimal) [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
-* new: sign packages with falcosecurity gpg key [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
-
-### Minor Changes
-
-* new: falco_version_prerelease contains the number of commits since last tag on the master [[#1086](https://github.com/falcosecurity/falco/pull/1086)]
-* docs: update branding [[#1074](https://github.com/falcosecurity/falco/pull/1074)]
-* new(docker/event-generator): add example k8s resource files that allow running the event generator in a k8s cluster. [[#1088](https://github.com/falcosecurity/falco/pull/1088)]
-* update: creating *-dev docker images using build arguments at build time [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
-* update: docker images use packages from the new repositories [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
-* update: docker image downloads old deb dependencies (gcc-6, gcc-5, binutils-2.30) from a new open repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
-
-### Bug Fixes
-
-* fix(docker): updating `stable` and `local` images to run from `debian:stable` [[#1018](https://github.com/falcosecurity/falco/pull/1018)]
-* fix(event-generator): the image used by the event generator deployment to `latest`. [[#1091](https://github.com/falcosecurity/falco/pull/1091)]
-* fix: -t (to disable rules by certain tag) or -t (to only run rules with a certain tag) work now [[#1081](https://github.com/falcosecurity/falco/pull/1081)]
-* fix: the falco driver now compiles on >= 5.4 kernels [[#1080](https://github.com/falcosecurity/falco/pull/1080)]
-* fix: download falco packages which url contains character to encode - eg, `+` [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
-* fix(docker): use base name in docker-entrypoint.sh [[#981](https://github.com/falcosecurity/falco/pull/981)]
-
-### Rule Changes
-
-* rule(detect outbound connections to common miner pool ports): disabled by default [[#1061](https://github.com/falcosecurity/falco/pull/1061)]
-* rule(macro net_miner_pool): add localhost and rfc1918 addresses as exception in the rule. [[#1061](https://github.com/falcosecurity/falco/pull/1061)]
-* rule(change thread namespace): modify condition to detect suspicious container activity [[#974](https://github.com/falcosecurity/falco/pull/974)]
-
-## v0.20.0
-
-Released on 2020-02-24
-
-### Major Changes
-
-* fix: memory leak introduced in 0.18.0 happening while using json events and the kubernetes audit endpoint [[#1041](https://github.com/falcosecurity/falco/pull/1041)]
-* new: grpc version api [[#872](https://github.com/falcosecurity/falco/pull/872)]
-
-
-### Bug Fixes
-
-* fix: the base64 output format (-b) now works with both json and normal output. [[#1033](https://github.com/falcosecurity/falco/pull/1033)]
-* fix: version follows semver 2 bnf [[#872](https://github.com/falcosecurity/falco/pull/872)]
-
-### Rule Changes
-
-* rule(write below etc): add "dsc_host" as a ms oms program [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
-* rule(write below etc): let mcafee write to /etc/cma.d  [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
-* rule(write below etc): let avinetworks supervisor write some ssh cfg [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
-* rule(write below etc): alow writes to /etc/pki from openshift secrets dir [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
-* rule(write below root): let runc write to /exec.fifo [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
-* rule(change thread namespace): let cilium-cni change namespaces [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
-* rule(run shell untrusted): let puma reactor spawn shells [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
-
-
 ## v0.19.0
 
 Released on 2020-01-23

CMakeLists.txt

@@ -18,7 +18,8 @@ option(USE_BUNDLED_DEPS "Bundle hard to find dependencies into the Falco binary"
 option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF)
 
 # Elapsed time
-# set_property(GLOBAL PROPERTY RULE_LAUNCH_COMPILE "${CMAKE_COMMAND} -E time") # TODO(fntlnz, leodido): add a flag to enable this
+# TODO(fntlnz, leodido): add a flag to enable this
+# set_property(GLOBAL PROPERTY RULE_LAUNCH_COMPILE "${CMAKE_COMMAND} -E time")
 
 # Make flag for parallel processing
 include(ProcessorCount)
@@ -71,6 +72,7 @@ set(CMAKE_CXX_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
 include(GetFalcoVersion)
 
 set(PACKAGE_NAME "falco")
+set(PROBE_VERSION "${FALCO_VERSION}")
 set(PROBE_NAME "falco-probe")
 set(PROBE_DEVICE_NAME "falco")
 if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)

CONTRIBUTING.md

@@ -9,8 +9,6 @@
   - [Pull Requests](#pull-requests)
     - [Commit convention](#commit-convention)
       - [Rule type](#rule-type)
-  - [Coding Guidelines](#coding-guidelines)
-    - [C++](#c)
   - [Developer Certificate Of Origin](#developer-certificate-of-origin)
 
 ## Code of Conduct
@@ -122,13 +120,6 @@ If you are changing only a macro, the commit will look like this:
 rule(macro user_known_write_monitored_dir_conditions): make sure conditions are great
 ```
 
-## Coding Guidelines
-
-### C++
-
-* File `userspace/engine/banned.h` defines some functions as invalid tokens. These functions are not allowed to be used in the codebase. Whenever creating a new cpp file, include the `"banned.h"` headers. This ensures that the banned functions are not compiled.
-
-  A complete list of banned functions can be found [here](./userspace/engine/banned.h).
 
 ## Developer Certificate Of Origin
 

README.md

@@ -7,7 +7,7 @@
 
 #### Latest release
 
-**v0.21.0**
+**v0.19.0**
 Read the [change log](CHANGELOG.md)
 
 [![Build Status](https://img.shields.io/circleci/build/github/falcosecurity/falco/master?style=for-the-badge)](https://circleci.com/gh/falcosecurity/falco) [![CII Best Practices Summary](https://img.shields.io/cii/summary/2317?label=CCI%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) [![GitHub](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING)

brand/README.md

@@ -28,7 +28,7 @@ The CNCF now owns The Falco Project.
 ### What is Runtime Security?
 
 Runtime security refers to an approach to preventing unwanted activity on a computer system. 
-With runtime security, an operator deploys **both** prevention tooling (access control, policy enforcement, etc) along side detection tooling (systems observability, anomaly detection, etc).
+With runtime security an operator deploys **both** prevention tooling (access control, policy enforcement, etc) along side detection tooling (systems observability, anomaly detection, etc).
 Runtime security is the practice of using detection tooling to detect unwanted behavior, such that it can then be prevented using prevention techniques.
 Runtime security is a holistic approach to defense, and useful in scenarios where prevention tooling either was unaware of an exploit or attack vector, or when defective applications are ran in even the most secure environment.
 
@@ -124,9 +124,9 @@ Used to describe the `.ko` object that would be loaded into the kernel as a pote
 This is one option used to pass kernel events up to userspace for Falco to consume.
 Sometimes this word is incorrectly used to refer to a `probe`.
 
-#### Driver 
+#### Driver (deprecated)
 
-The global term for the software that sends events from the kernel. Such as the eBPF `probe` or the `kernel module`.
+An older, more generalized term for a `module` or `probe`. We discourage the use of this word as a project.
 
 #### Falco
 

cmake/modules/CPackConfig.cmake

@@ -1,12 +1,9 @@
 set(CPACK_PACKAGE_NAME "${PACKAGE_NAME}")
 set(CPACK_PACKAGE_VENDOR "Cloud Native Computing Foundation (CNCF) cncf.io.")
-set(CPACK_PACKAGE_CONTACT "cncf-falco-dev@lists.cncf.io") # todo: change this once we've got @falco.org addresses
+set(CPACK_PACKAGE_CONTACT "opensource@sysdig.com") # todo: change this once we've got @falco.org addresses
 set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "Falco - Container Native Runtime Security")
 set(CPACK_PACKAGE_DESCRIPTION_FILE "${PROJECT_SOURCE_DIR}/scripts/description.txt")
 set(CPACK_PACKAGE_VERSION "${FALCO_VERSION}")
-set(CPACK_PACKAGE_VERSION_MAJOR "${FALCO_VERSION_MAJOR}")
-set(CPACK_PACKAGE_VERSION_MINOR "${FALCO_VERSION_MINOR}")
-set(CPACK_PACKAGE_VERSION_PATCH "${FALCO_VERSION_PATCH}")
 set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CMAKE_SYSTEM_PROCESSOR}")
 set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/cmake/cpack/CMakeCPackOptions.cmake")
 set(CPACK_STRIP_FILES "ON")

cmake/modules/GetFalcoVersion.cmake

@@ -1,5 +1,6 @@
 # Retrieve git ref and commit hash
 include(GetGitRevisionDescription)
+get_git_head_revision(FALCO_REF FALCO_HASH)
 
 # Create the falco version variable according to git index
 if(NOT FALCO_VERSION)
@@ -8,13 +9,25 @@ if(NOT FALCO_VERSION)
   git_get_exact_tag(FALCO_TAG)
   if(NOT FALCO_TAG)
     # Obtain the closest tag
-    git_describe(FALCO_VERSION "--always" "--tags")
+    git_describe(FALCO_VERSION "--abbrev=0" "--tags") # suppress the long format
     # Fallback version
     if(FALCO_VERSION MATCHES "NOTFOUND$")
       set(FALCO_VERSION "0.0.0")
     endif()
-    # Format FALCO_VERSION to be semver with prerelease and build part
-    string(REPLACE "-g" "+" FALCO_VERSION "${FALCO_VERSION}")
+    # TODO(leodido) > Construct the prerelease part (semver 2) Construct the Build metadata part (semver 2)
+    if(NOT FALCO_HASH MATCHES "NOTFOUND$")
+      string(SUBSTRING "${FALCO_HASH}" 0 7 FALCO_VERSION_BUILD)
+      # Check whether there are uncommitted changes or not
+      git_local_changes(FALCO_CHANGES)
+      if(FALCO_CHANGES STREQUAL "DIRTY")
+        string(TOLOWER "${FALCO_CHANGES}" FALCO_CHANGES)
+        set(FALCO_VERSION_BUILD "${FALCO_VERSION_BUILD}.${FALCO_CHANGES}")
+      endif()
+    endif()
+    # Append the build metadata part (semver 2)
+    if(FALCO_VERSION_BUILD)
+      set(FALCO_VERSION "${FALCO_VERSION}+${FALCO_VERSION_BUILD}")
+    endif()
   else()
     # A tag has been found: use it as the Falco version
     set(FALCO_VERSION "${FALCO_TAG}")
@@ -29,8 +42,8 @@ if(NOT FALCO_VERSION)
   string(
     REGEX
     REPLACE
-      "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)-((0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(\\.(0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*).*"
-      "\\5"
+      "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)-((0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)\\.(0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)*).*"
+      "\\4"
       FALCO_VERSION_PRERELEASE
       "${FALCO_VERSION}")
   if(FALCO_VERSION_PRERELEASE STREQUAL "${FALCO_VERSION}")

cmake/modules/sysdig-repo/CMakeLists.txt

@@ -15,14 +15,20 @@ cmake_minimum_required(VERSION 3.5.1)
 project(sysdig-repo NONE)
 
 include(ExternalProject)
-message(STATUS "Driver version: ${SYSDIG_VERSION}")
+
+# The sysdig git reference (branch name, commit hash, or tag)
+
+# To update sysdig version for the next release, change the default below
+# In case you want to test against another sysdig version just pass the variable - ie., `cmake -DSYSDIG_VERSION=dev ..`
+if(NOT SYSDIG_VERSION)
+  set(SYSDIG_VERSION "146a431edf95829ac11bfd9c85ba3ef08789bffe")
+endif()
 
 ExternalProject_Add(
   sysdig
   URL "https://github.com/draios/sysdig/archive/${SYSDIG_VERSION}.tar.gz"
-  URL_HASH "${SYSDIG_CHECKSUM}"
+  # URL_HASH SHA256=bd09607aa8beb863db07e695863f7dc543e2d39e7153005759d26a340ff66fa5
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""
   INSTALL_COMMAND ""
-  TEST_COMMAND ""
-  PATCH_COMMAND patch -p1 -i ${CMAKE_CURRENT_SOURCE_DIR}/patch/libscap.patch)
+  TEST_COMMAND "")

cmake/modules/sysdig-repo/patch/libscap.patch

@@ -1,22 +0,0 @@
-diff --git a/userspace/libscap/scap.c b/userspace/libscap/scap.c
-index 59b04e0a..bdc311cb 100644
---- a/userspace/libscap/scap.c
-+++ b/userspace/libscap/scap.c
-@@ -52,7 +52,7 @@ limitations under the License.
- //#define NDEBUG
- #include <assert.h>
- 
--static const char *SYSDIG_BPF_PROBE_ENV = "SYSDIG_BPF_PROBE";
-+static const char *SYSDIG_BPF_PROBE_ENV = "FALCO_BPF_PROBE";
- 
- //
- // Probe version string size
-@@ -171,7 +171,7 @@ scap_t* scap_open_live_int(char *error, int32_t *rc,
- 				return NULL;
- 			}
- 
--			snprintf(buf, sizeof(buf), "%s/.sysdig/%s-bpf.o", home, PROBE_NAME);
-+			snprintf(buf, sizeof(buf), "%s/.falco/%s-bpf.o", home, PROBE_NAME);
- 			bpf_probe = buf;
- 		}
- 	}

cmake/modules/sysdig.cmake

@@ -16,24 +16,13 @@ set(SYSDIG_CMAKE_WORKING_DIR "${CMAKE_BINARY_DIR}/sysdig-repo")
 
 # this needs to be here at the top
 if(USE_BUNDLED_DEPS)
-  # explicitly force this dependency to use the system OpenSSL
+  # explicitly force this dependency to use the bundled OpenSSL
   set(USE_BUNDLED_OPENSSL ON)
 endif()
 
 file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
-
-# The sysdig git reference (branch name, commit hash, or tag)
-# To update sysdig version for the next release, change the default below
-# In case you want to test against another sysdig version just pass the variable - ie., `cmake -DSYSDIG_VERSION=dev ..`
-if(NOT SYSDIG_VERSION)
-  set(SYSDIG_VERSION "be1ea2d9482d0e6e2cb14a0fd7e08cbecf517f94")
-  set(SYSDIG_CHECKSUM "SHA256=1c69363e4c36cdaeed413c2ef557af53bfc4bf1109fbcb6d6e18dc40fe6ddec8")
-endif()
-set(PROBE_VERSION "${SYSDIG_VERSION}")
-
 # cd /path/to/build && cmake /path/to/source
-execute_process(COMMAND "${CMAKE_COMMAND}" -DSYSDIG_VERSION=${SYSDIG_VERSION} -DSYSDIG_CHECKSUM=${SYSDIG_CHECKSUM} ${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
-
+execute_process(COMMAND "${CMAKE_COMMAND}" ${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
 
 # todo(leodido, fntlnz) > use the following one when CMake version will be >= 3.13
 

docker/builder/Dockerfile

@@ -2,7 +2,7 @@ FROM centos:7
 
 LABEL name="falcosecurity/falco-builder"
 LABEL usage="docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder cmake"
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 
 ARG BUILD_TYPE=release
 ARG BUILD_DRIVER=OFF

docker/dev/Dockerfile

@@ -0,0 +1,110 @@
+FROM debian:unstable
+
+LABEL maintainer="opensource@sysdig.com"
+
+ENV FALCO_REPOSITORY dev
+
+LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+
+ENV HOST_ROOT /host
+
+ENV HOME /root
+
+RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
+
+ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
+
+RUN apt-get update \
+	&& apt-get install -y --no-install-recommends \
+	bash-completion \
+	bc \
+	clang-7 \
+	ca-certificates \
+	curl \
+	dkms \
+	gnupg2 \
+	gcc \
+	gdb \
+	jq \
+	libc6-dev \
+	libelf-dev \
+	llvm-7 \
+	netcat \
+	xz-utils \
+	&& rm -rf /var/lib/apt/lists/*
+
+# gcc 6 is no longer included in debian unstable, but we need it to
+# build kernel modules on the default debian-based ami used by
+# kops. So grab copies we've saved from debian snapshots with the
+# prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
+# or so.
+
+RUN curl -o cpp-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/cpp-6_6.3.0-18_amd64.deb \
+	&& curl -o gcc-6-base_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6-base_6.3.0-18_amd64.deb \
+	&& curl -o gcc-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6_6.3.0-18_amd64.deb \
+	&& curl -o libasan3_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libasan3_6.3.0-18_amd64.deb \
+	&& curl -o libcilkrts5_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libcilkrts5_6.3.0-18_amd64.deb \
+	&& curl -o libgcc-6-dev_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libgcc-6-dev_6.3.0-18_amd64.deb \
+	&& curl -o libubsan0_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libubsan0_6.3.0-18_amd64.deb \
+	&& curl -o libmpfr4_3.1.3-2_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libmpfr4_3.1.3-2_amd64.deb \
+	&& curl -o libisl15_0.18-1_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libisl15_0.18-1_amd64.deb \
+	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
+	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
+
+# gcc 5 is no longer included in debian unstable, but we need it to
+# build centos kernels, which are 3.x based and explicitly want a gcc
+# version 3, 4, or 5 compiler. So grab copies we've saved from debian
+# snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
+
+RUN curl -o cpp-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/cpp-5_5.5.0-12_amd64.deb \
+	&& curl -o gcc-5-base_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
+	&& curl -o gcc-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5_5.5.0-12_amd64.deb \
+	&& curl -o libasan2_5.5.0-12_amd64.deb	https://s3.amazonaws.com/download.draios.com/dependencies/libasan2_5.5.0-12_amd64.deb \
+	&& curl -o libgcc-5-dev_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
+	&& curl -o libisl15_0.18-4_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libisl15_0.18-4_amd64.deb \
+	&& curl -o libmpx0_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libmpx0_5.5.0-12_amd64.deb \
+	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
+	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
+
+# Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
+# default to gcc-5.
+RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc
+
+RUN rm -rf /usr/bin/clang \
+	&& rm -rf /usr/bin/llc \
+	&& ln -s /usr/bin/clang-7 /usr/bin/clang \
+	&& ln -s /usr/bin/llc-7 /usr/bin/llc
+
+RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
+	&& curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
+	&& apt-get update \
+	&& apt-get install -y --no-install-recommends falco \
+	&& apt-get clean \
+	&& rm -rf /var/lib/apt/lists/*
+
+# Change the falco config within the container to enable ISO 8601
+# output.
+RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
+	&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
+
+# Some base images have an empty /lib/modules by default
+# If it's not empty, docker build will fail instead of
+# silently overwriting the existing directory
+RUN rm -df /lib/modules \
+	&& ln -s $HOST_ROOT/lib/modules /lib/modules
+
+# debian:unstable head contains binutils 2.31, which generates
+# binaries that are incompatible with kernels < 4.16. So manually
+# forcibly install binutils 2.30-22 instead.
+RUN curl -s -o binutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils_2.30-22_amd64.deb \
+	&& curl -s -o libbinutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libbinutils_2.30-22_amd64.deb \
+	&& curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+	&& curl -s -o binutils-common_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-common_2.30-22_amd64.deb \
+	&& dpkg -i *binutils*.deb \
+	&& rm -f *binutils*.deb
+
+COPY ./docker-entrypoint.sh /
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+
+CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/dev/docker-entrypoint.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+#
+# Copyright (C) 2019 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# set -e
+
+# Set the SKIP_MODULE_LOAD variable to skip loading the kernel module
+
+if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
+    echo "* Setting up /usr/src links from host"
+
+    for i in "$HOST_ROOT/usr/src"/*
+    do
+        ln -s "$i" "/usr/src/$i"
+    done
+
+    /usr/bin/falco-probe-loader
+fi
+
+exec "$@"

docker/event-generator/Dockerfile

@@ -1,5 +1,5 @@
 FROM alpine:latest
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 RUN apk add --no-cache bash g++ curl
 COPY ./event_generator.cpp /usr/local/bin
 COPY ./docker-entrypoint.sh ./k8s_event_generator.sh /

docker/event-generator/event-generator-k8saudit-deployment.yaml

@@ -1,23 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: falco-event-generator-k8saudit
-  labels:
-    app: falco-event-generator-k8saudit
-  namespace: falco-event-generator
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: falco-event-generator-k8saudit
-  template:
-    metadata:
-      labels:
-        app: falco-event-generator-k8saudit
-    spec:
-      serviceAccount: falco-event-generator
-      containers:
-      - name: falco-event-generator
-        image: falcosecurity/falco-event-generator
-        imagePullPolicy: Always
-        args: ["k8s_audit"]

docker/event-generator/event-generator-role-rolebinding-serviceaccount.yaml

@@ -1,71 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: falco-event-generator
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  - services
-  - serviceaccounts
-  - pods
-  verbs:
-  - list
-  - get
-  - create
-  - delete
-- apiGroups:
-  - apps
-  - extensions
-  resources:
-  - deployments
-  verbs:
-  - list
-  - get
-  - create
-  - delete
-- apiGroups:
-  - rbac.authorization.k8s.io
-  resources:
-  - roles
-  - rolebindings
-  verbs:
-  - get
-  - list
-  - create
-  - delete
-# These are only so the event generator can create roles that have these properties.
-# It will result in a falco alert for the rules "ClusterRole With Wildcard Created", "ClusterRole With Pod Exec Created"
-- apiGroups:
-  - ""
-  resources:
-  - pods/exec
-  verbs:
-  - get
-- apiGroups:
-  - ""
-  resources:
-  - '*'
-  verbs:
-  - get
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: falco-event-generator
-  namespace: falco-eg-sandbox
-subjects:
-  - kind: ServiceAccount
-    name: falco-event-generator
-    namespace: falco-event-generator
-roleRef:
-  kind: ClusterRole
-  name: falco-event-generator
-  apiGroup: rbac.authorization.k8s.io
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: falco-event-generator
-  namespace: falco-event-generator

docker/event-generator/event-generator-syscall-daemonset.yaml

@@ -1,20 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  name: falco-event-generator-syscall
-  labels:
-    app: falco-event-generator-syscall
-  namespace: falco-event-generator
-spec:
-  selector:
-    matchLabels:
-      name: falco-event-generator-syscall
-  template:
-    metadata:
-      labels:
-        name: falco-event-generator-syscall
-    spec:
-      containers:
-      - name: falco-event-generator
-        image: falcosecurity/falco-event-generator
-        args: ["syscall"]

docker/event-generator/k8s_event_generator.sh

@@ -17,18 +17,15 @@ kubectl version --short
 
 while true; do
 
-    # Delete all resources in the falco-eg-sandbox namespace
-    echo "***Deleting all resources in falco-eg-sandbox namespace..."
-    kubectl delete --all configmaps -n falco-eg-sandbox
-    kubectl delete --all deployments -n falco-eg-sandbox
-    kubectl delete --all services -n falco-eg-sandbox
-    kubectl delete --all roles -n falco-eg-sandbox
-    kubectl delete --all serviceaccounts -n falco-eg-sandbox
+    RET=$(kubectl get namespaces --output=name | grep falco-event-generator || true)
 
-    # We don't delete all rolebindings in the falco-eg-sandbox
-    # namespace, as that would also delete the rolebinding for the
-    # event generator itself.
-    kubectl delete rolebinding vanilla-role-binding -n falco-eg-sandbox || true
+    if [[ "$RET" == *falco-event-generator* ]]; then
+	echo "***Deleting existing falco-event-generator namespace..."
+	kubectl delete namespace falco-event-generator
+    fi
+
+    echo "***Creating falco-event-generator namespace..."
+    kubectl create namespace falco-event-generator
 
     for file in yaml/*.yaml; do
 
@@ -51,7 +48,7 @@ while true; do
 	    RULES=$(echo "$RULES" | tr '-' ' '| tr '.' '/' | sed -e 's/ *//' | sed  -e 's/,$//')
 
 	    echo "***$MESSAGES (Rule(s) $RULES)..."
-	    kubectl apply -f $file -n falco-eg-sandbox
+	    kubectl apply -f $file
 	    sleep 2
 	fi
     done

docker/event-generator/yaml/configmap-private-creds.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: private-creds-configmap
+  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: private-creds-configmap
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/disallowed-pod-deployment.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: disallowed-pod-deployment
+  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: disallowed-pod-deployment
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/hostnetwork-deployment.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: hostnetwork-deployment
+  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: hostnetwork-deployment
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/nodeport-service.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: nodeport-service
+  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: nodeport-service
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/privileged-deployment.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: privileged-deployment
+  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: privileged-deployment
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/role-pod-exec.yaml

@@ -2,6 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: pod-exec-role
+  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: pod-exec-role
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/role-wildcard-resources.yaml

@@ -2,6 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: wildcard-resources-role
+  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: wildcard-resources-role
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/role-write-privileges.yaml

@@ -2,6 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: write-privileges-role
+  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: write-privileges-role
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/sensitive-mount-deployment.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: sensitive-mount-deployment
+  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: sensitive-mount-deployment
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/vanilla-configmap.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: vanilla-configmap
+  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: vanilla-configmap
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/vanilla-deployment.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: vanilla-deployment
+  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: vanilla-deployment
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/vanilla-role-rolebinding-serviceaccount.yaml

@@ -2,6 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: vanilla-role
+  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: vanilla-role
     app.kubernetes.io/part-of: falco-event-generator
@@ -19,6 +20,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: vanilla-role-binding
+  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: vanilla-role-binding
     app.kubernetes.io/part-of: falco-event-generator
@@ -36,6 +38,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: vanilla-serviceaccount
+  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: vanilla-serviceaccount
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/vanilla-service.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: vanilla-service
+  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: vanilla-service
     app.kubernetes.io/part-of: falco-event-generator

docker/kernel/linuxkit/Dockerfile

@@ -1,13 +1,13 @@
 ARG ALPINE_VERSION=3.10
 ARG KERNEL_VERSION=4.9.184
-ARG FALCO_VERSION=0.21.0
+ARG FALCO_VERSION=0.19.0
 
 FROM linuxkit/kernel:${KERNEL_VERSION} AS ksrc
 FROM falcosecurity/falco:${FALCO_VERSION}-minimal as falco
 FROM alpine:${ALPINE_VERSION} AS probe-build
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 ARG KERNEL_VERSION=4.9.184
-ARG FALCO_VERSION=0.21.0
+ARG FALCO_VERSION=0.19.0
 ENV FALCO_VERSION=${FALCO_VERSION}
 ENV KERNEL_VERSION=${KERNEL_VERSION}
 
@@ -32,7 +32,7 @@ RUN apk add --no-cache --update \
   autoconf
 
 FROM alpine:${ALPINE_VERSION}
-ARG FALCO_VERSION=0.21.0
+ARG FALCO_VERSION=0.19.0
 ENV FALCO_VERSION=${FALCO_VERSION}
 COPY --from=probe-build /usr/src/falco-${FALCO_VERSION}/falco-probe.ko /
 CMD ["insmod","/falco-probe.ko"]

docker/kernel/probeloader/Dockerfile

@@ -12,7 +12,7 @@ RUN go mod vendor
 RUN CGO_ENABLED=0 GOOS=linux go build -a -o falcoctl -ldflags '-extldflags "-static"' .
 
 FROM scratch
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 COPY --from=build /falcoctl/falcoctl /falcoctl
 CMD ["/falcoctl", "install", "probe"]

docker/local/Dockerfile

@@ -1,7 +1,7 @@
-FROM debian:stable
+FROM debian:unstable
 
 LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 
 ARG FALCO_VERSION=
 RUN test -n FALCO_VERSION
@@ -13,82 +13,84 @@ ENV HOME /root
 
 RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 
-RUN apt-get update \
-	&& apt-get install -y --no-install-recommends \
-	bash-completion \
-	bc \
-	clang-7 \
-	ca-certificates \
-	curl \
-	dkms \
-	gnupg2 \
-	gcc \
-	jq \
-	libc6-dev \
-	libelf-dev \
-	libyaml-0-2 \
-	llvm-7 \
-	netcat \
-	xz-utils \
-	libmpc3 \
-	binutils \
-	libgomp1 \
-	libitm1 \
-	libatomic1 \
-	liblsan0 \
-	libtsan0 \
-	libmpx2 \
-	libquadmath0 \
-	libcc1-0 \
-	&& rm -rf /var/lib/apt/lists/*
+ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
 
-# gcc 6 is no longer included in debian stable, but we need it to
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends \
+    bash-completion \
+    bc \
+    clang-7 \
+    ca-certificates \
+    curl \
+    dkms \
+    gnupg2 \
+    gcc \
+    jq \
+    libc6-dev \
+    libelf-dev \
+    libyaml-0-2 \
+    llvm-7 \
+    netcat \
+    xz-utils \
+    libmpc3 \
+    binutils \
+    libgomp1 \
+    libitm1 \
+    libatomic1 \
+    liblsan0 \
+    libtsan0 \
+    libmpx2 \
+    libquadmath0 \
+    libcc1-0 \
+    && rm -rf /var/lib/apt/lists/*
+
+# gcc 6 is no longer included in debian unstable, but we need it to
 # build kernel modules on the default debian-based ami used by
 # kops. So grab copies we've saved from debian snapshots with the
 # prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
 # or so.
 
-RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \
-	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \
-	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
-	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
-	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \
-	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \
-	&& curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \
-	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
-	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
+RUN curl -o cpp-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/cpp-6_6.3.0-18_amd64.deb \
+    && curl -o gcc-6-base_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6-base_6.3.0-18_amd64.deb \
+    && curl -o gcc-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6_6.3.0-18_amd64.deb \
+    && curl -o libasan3_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libasan3_6.3.0-18_amd64.deb \
+    && curl -o libcilkrts5_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libcilkrts5_6.3.0-18_amd64.deb \
+    && curl -o libgcc-6-dev_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libgcc-6-dev_6.3.0-18_amd64.deb \
+    && curl -o libubsan0_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libubsan0_6.3.0-18_amd64.deb \
+    && curl -o libmpfr4_3.1.3-2_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libmpfr4_3.1.3-2_amd64.deb \
+    && curl -o libisl15_0.18-1_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libisl15_0.18-1_amd64.deb \
+    && dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
+    && rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
 
-# gcc 5 is no longer included in debian stable, but we need it to
+# gcc 5 is no longer included in debian unstable, but we need it to
 # build centos kernels, which are 3.x based and explicitly want a gcc
 # version 3, 4, or 5 compiler. So grab copies we've saved from debian
 # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
 
-RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \
-	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \
-	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
-	&& curl -L -o libisl15_0.18-4_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \
-	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \
-	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
-	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
+RUN curl -o cpp-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/cpp-5_5.5.0-12_amd64.deb \
+    && curl -o gcc-5-base_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
+    && curl -o gcc-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5_5.5.0-12_amd64.deb \
+    && curl -o libasan2_5.5.0-12_amd64.deb	https://s3.amazonaws.com/download.draios.com/dependencies/libasan2_5.5.0-12_amd64.deb \
+    && curl -o libgcc-5-dev_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
+    && curl -o libisl15_0.18-4_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libisl15_0.18-4_amd64.deb \
+    && curl -o libmpx0_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libmpx0_5.5.0-12_amd64.deb \
+    && dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
+    && rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
 
 # Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
 # default to gcc-5.
 RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc
 
 RUN rm -rf /usr/bin/clang \
-	&& rm -rf /usr/bin/llc \
-	&& ln -s /usr/bin/clang-7 /usr/bin/clang \
-	&& ln -s /usr/bin/llc-7 /usr/bin/llc
+    && rm -rf /usr/bin/llc \
+    && ln -s /usr/bin/clang-7 /usr/bin/clang \
+    && ln -s /usr/bin/llc-7 /usr/bin/llc
 
 # Some base images have an empty /lib/modules by default
 # If it's not empty, docker build will fail instead of
 # silently overwriting the existing directory
 RUN rm -df /lib/modules \
-	&& ln -s $HOST_ROOT/lib/modules /lib/modules
+    && ln -s $HOST_ROOT/lib/modules /lib/modules
 
 ADD falco-${FALCO_VERSION}-x86_64.deb /
 RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
@@ -98,15 +100,15 @@ RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
     && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
 
-# debian:stable head contains binutils 2.31, which generates
+# debian:unstable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \
-	&& curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \
-	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
-	&& curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \
-	&& dpkg -i *binutils*.deb \
-	&& rm -f *binutils*.deb
+RUN curl -s -o binutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils_2.30-22_amd64.deb \
+    && curl -s -o libbinutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libbinutils_2.30-22_amd64.deb \
+    && curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+    && curl -s -o binutils-common_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-common_2.30-22_amd64.deb \
+    && dpkg -i *binutils*.deb \
+    && rm -f *binutils*.deb
 
 # The local container also copies some test trace files and
 # corresponding rules that are used when running regression tests.

docker/local/docker-entrypoint.sh

@@ -25,11 +25,10 @@ if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
 
     for i in "$HOST_ROOT/usr/src"/*
     do
-        base=$(basename "$i")
-        ln -s "$i" "/usr/src/$base"
+        ln -s "$i" "/usr/src/$i"
     done
 
     /usr/bin/falco-probe-loader
 fi
 
-exec "$@"
+exec "$@"

docker/minimal/Dockerfile

@@ -1,20 +1,20 @@
 FROM ubuntu:18.04 as ubuntu
 
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 
-ARG FALCO_VERSION
-ARG VERSION_BUCKET=bin
+ARG FALCO_VERSION=0.19.0
 
 ENV FALCO_VERSION=${FALCO_VERSION}
-ENV VERSION_BUCKET=${VERSION_BUCKET}
 
 WORKDIR /
 
-ADD https://bintray.com/api/ui/download/falcosecurity/${VERSION_BUCKET}/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz /
+ADD https://s3.amazonaws.com/download.draios.com/stable/tgz/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz /
 
-RUN apt-get update -y && \
+# ADD will download from URL and unntar
+RUN apt-get update && \
     apt-get install -y libyaml-0-2 binutils && \
-    tar -xvf falco-${FALCO_VERSION}-x86_64.tar.gz && \
+    # curl -O https://s3.amazonaws.com/download.draios.com/stable/tgz/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz && \
+    tar xfzv falco-${FALCO_VERSION}-x86_64.tar.gz && \
     rm -f falco-${FALCO_VERSION}-x86_64.tar.gz && \
     mv falco-${FALCO_VERSION}-x86_64 falco && \
     strip falco/usr/bin/falco && \

docker/rhel/Dockerfile

@@ -1,22 +1,22 @@
 FROM registry.access.redhat.com/rhel7
 
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 
-## Atomic/OpenShift Labels - https://github.com/projectatomic/ContainerApplicationGenericLabels
-LABEL name="falco"
-LABEL vendor="falcosecurity"
-LABEL url="http://falco.org"
-LABEL summary="Cloud Native Runtime Security"
-LABEL description="Falco is an open-source project for intrusion and abnormality detection for Cloud Native platforms."
-LABEL run='docker run -d --name falco --restart always --privileged --net host --pid host -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --shm-size=350m <image>'
+### Atomic/OpenShift Labels - https://github.com/projectatomic/ContainerApplicationGenericLabels
+LABEL name="falco" \
+    vendor="falcosecurity" \
+    url="http://falco.org/" \
+    summary="Container native runtime security" \
+    description="Falco is an open source project for intrusion and abnormality detection for Cloud Native platforms." \
+    run='docker run -d --name falco --restart always --privileged --net host --pid host -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --shm-size=350m registry.connect.redhat.com/sysdig/falco'
 
 COPY help.md /tmp/
 
 ENV HOST_ROOT /host
 ENV HOME /root
 
-ADD https://falco.org/repo/falcosecurity-rpm.repo /etc/yum.repos.d/falcosecurity.repo
-RUN rpm --import https://falco.org/repo/falcosecurity-3672BA8F.asc && \
+ADD http://download.draios.com/stable/rpm/draios.repo /etc/yum.repos.d/draios.repo
+RUN rpm --import https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public && \
     rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && \
     yum clean all && \
     REPOLIST=rhel-7-server-rpms,rhel-7-server-optional-rpms,epel,draios \
@@ -24,9 +24,9 @@ RUN rpm --import https://falco.org/repo/falcosecurity-3672BA8F.asc && \
     yum -y update-minimal --disablerepo "*" --enablerepo ${REPOLIST} --setopt=tsflags=nodocs \
     --security --sec-severity=Important --sec-severity=Critical && \
     yum -y install --disablerepo "*" --enablerepo ${REPOLIST} --setopt=tsflags=nodocs ${INSTALL_PKGS} && \
-    ## help file markdown to man conversion
+    ### help file markdown to man conversion
     go-md2man -in /tmp/help.md -out /help.1 && \
-    ## we delete everything on /usr/src/kernels otherwise it messes up docker-entrypoint.sh
+    ### we delete everything on /usr/src/kernels otherwise it messes up docker-entrypoint.sh
     rm -fr /usr/src/kernels && \
     rm -df /lib/modules && ln -s $HOST_ROOT/lib/modules /lib/modules && \
     yum clean all

docker/rhel/docker-entrypoint.sh

@@ -25,8 +25,7 @@ if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
 
     for i in "$HOST_ROOT/usr/src"/*
     do
-        base=$(basename "$i")
-        ln -s "$i" "/usr/src/$base"
+        ln -s "$i" "/usr/src/$i"
     done
 
     /usr/bin/falco-probe-loader

docker/slim-dev/Dockerfile

@@ -1,36 +1,35 @@
 FROM ubuntu:18.04
 
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 
-LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name <name> <image>"
+ENV FALCO_REPOSITORY dev
 
-ARG FALCO_VERSION=latest
-ARG VERSION_BUCKET=deb
-
-ENV FALCO_VERSION=${FALCO_VERSION}
-ENV VERSION_BUCKET=${VERSION_BUCKET}
+LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
 
 ENV HOST_ROOT /host
+
 ENV HOME /root
 
 RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 
+ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
+
 RUN apt-get update \
   && apt-get install -y --no-install-recommends \
-  # bash-completion \
-  # bc \
+  # 	bash-completion \
+  # 	bc \
   ca-certificates \
   curl \
   gnupg2 \
   jq \
-  # netcat \
-  # xz-utils \
+  # 	netcat \
+  # 	xz-utils \
   && rm -rf /var/lib/apt/lists/*
 
-RUN curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add - \
-  && echo "deb https://dl.bintray.com/falcosecurity/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
-  && apt-get update -y \
-  && if [ "$FALCO_VERSION" = "latest" ]; then apt-get install -y --no-install-recommends falco; else apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
+RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
+  && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
+  && apt-get update \
+  && apt-get install -y --no-install-recommends falco \
   && apt-get clean \
   && rm -rf /var/lib/apt/lists/*
 
@@ -45,4 +44,7 @@ RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/fa
 RUN rm -df /lib/modules \
   && ln -s $HOST_ROOT/lib/modules /lib/modules
 
+#COPY ./entrypoint.sh /
+# ENTRYPOINT ["/entrypoint.sh"]
+
 CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/slim-stable/Dockerfile

@@ -0,0 +1,50 @@
+FROM ubuntu:18.04
+
+LABEL maintainer="opensource@sysdig.com"
+
+ENV FALCO_REPOSITORY stable
+
+LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+
+ENV HOST_ROOT /host
+
+ENV HOME /root
+
+RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
+
+ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
+
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends \
+  # 	bash-completion \
+  # 	bc \
+  ca-certificates \
+  curl \
+  gnupg2 \
+  jq \
+  # 	netcat \
+  # 	xz-utils \
+  && rm -rf /var/lib/apt/lists/*
+
+RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
+  && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
+  && apt-get update \
+  && apt-get install -y --no-install-recommends falco \
+  && apt-get clean \
+  && rm -rf /var/lib/apt/lists/*
+
+# Change the falco config within the container to enable ISO 8601
+# output.
+RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
+  && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
+
+# Some base images have an empty /lib/modules by default
+# If it's not empty, docker build will fail instead of
+# silently overwriting the existing directory
+RUN rm -df /lib/modules \
+  && ln -s $HOST_ROOT/lib/modules /lib/modules
+
+#COPY ./entrypoint.sh /
+# ENTRYPOINT ["/entrypoint.sh"]
+
+CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/stable/Dockerfile

@@ -1,19 +1,19 @@
-FROM debian:stable
+FROM debian:unstable
 
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 
-LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+ENV FALCO_REPOSITORY stable
 
-ARG FALCO_VERSION=latest
-ARG VERSION_BUCKET=deb
-ENV VERSION_BUCKET=${VERSION_BUCKET}
+LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
 
-ENV FALCO_VERSION=${FALCO_VERSION}
 ENV HOST_ROOT /host
+
 ENV HOME /root
 
 RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 
+ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
+
 RUN apt-get update \
 	&& apt-get install -y --no-install-recommends \
 	bash-completion \
@@ -33,36 +33,36 @@ RUN apt-get update \
 	xz-utils \
 	&& rm -rf /var/lib/apt/lists/*
 
-# gcc 6 is no longer included in debian stable, but we need it to
+# gcc 6 is no longer included in debian unstable, but we need it to
 # build kernel modules on the default debian-based ami used by
 # kops. So grab copies we've saved from debian snapshots with the
 # prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
 # or so.
 
-RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \
-	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \
-	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
-	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
-	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \
-	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \
-	&& curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \
+RUN curl -o cpp-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/cpp-6_6.3.0-18_amd64.deb \
+	&& curl -o gcc-6-base_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6-base_6.3.0-18_amd64.deb \
+	&& curl -o gcc-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6_6.3.0-18_amd64.deb \
+	&& curl -o libasan3_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libasan3_6.3.0-18_amd64.deb \
+	&& curl -o libcilkrts5_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libcilkrts5_6.3.0-18_amd64.deb \
+	&& curl -o libgcc-6-dev_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libgcc-6-dev_6.3.0-18_amd64.deb \
+	&& curl -o libubsan0_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libubsan0_6.3.0-18_amd64.deb \
+	&& curl -o libmpfr4_3.1.3-2_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libmpfr4_3.1.3-2_amd64.deb \
+	&& curl -o libisl15_0.18-1_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libisl15_0.18-1_amd64.deb \
 	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
 	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
 
-# gcc 5 is no longer included in debian stable, but we need it to
+# gcc 5 is no longer included in debian unstable, but we need it to
 # build centos kernels, which are 3.x based and explicitly want a gcc
 # version 3, 4, or 5 compiler. So grab copies we've saved from debian
 # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
 
-RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \
-	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \
-	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
-	&& curl -L -o libisl15_0.18-4_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \
-	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \
+RUN curl -o cpp-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/cpp-5_5.5.0-12_amd64.deb \
+	&& curl -o gcc-5-base_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
+	&& curl -o gcc-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5_5.5.0-12_amd64.deb \
+	&& curl -o libasan2_5.5.0-12_amd64.deb	https://s3.amazonaws.com/download.draios.com/dependencies/libasan2_5.5.0-12_amd64.deb \
+	&& curl -o libgcc-5-dev_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
+	&& curl -o libisl15_0.18-4_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libisl15_0.18-4_amd64.deb \
+	&& curl -o libmpx0_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libmpx0_5.5.0-12_amd64.deb \
 	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
 	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
 
@@ -75,10 +75,10 @@ RUN rm -rf /usr/bin/clang \
 	&& ln -s /usr/bin/clang-7 /usr/bin/clang \
 	&& ln -s /usr/bin/llc-7 /usr/bin/llc
 
-RUN curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add - \
-	&& echo "deb https://dl.bintray.com/falcosecurity/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
-	&& apt-get update -y \
-	&& if [ "$FALCO_VERSION" = "latest" ]; then apt-get install -y --no-install-recommends falco; else apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
+RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
+	&& curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
+	&& apt-get update \
+	&& apt-get install -y --no-install-recommends falco \
 	&& apt-get clean \
 	&& rm -rf /var/lib/apt/lists/*
 
@@ -93,13 +93,13 @@ RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/fa
 RUN rm -df /lib/modules \
 	&& ln -s $HOST_ROOT/lib/modules /lib/modules
 
-# debian:stable head contains binutils 2.31, which generates
+# debian:unstable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \
-	&& curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \
-	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
-	&& curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \
+RUN curl -s -o binutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils_2.30-22_amd64.deb \
+	&& curl -s -o libbinutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libbinutils_2.30-22_amd64.deb \
+	&& curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+	&& curl -s -o binutils-common_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-common_2.30-22_amd64.deb \
 	&& dpkg -i *binutils*.deb \
 	&& rm -f *binutils*.deb
 

docker/stable/docker-entrypoint.sh

@@ -25,8 +25,7 @@ if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
 
     for i in "$HOST_ROOT/usr/src"/*
     do
-        base=$(basename "$i")
-        ln -s "$i" "/usr/src/$base"
+        ln -s "$i" "/usr/src/$i"
     done
 
     /usr/bin/falco-probe-loader

docker/tester/Dockerfile

@@ -2,7 +2,7 @@ FROM fedora:31
 
 LABEL name="falcosecurity/falco-tester"
 LABEL usage="docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build -e FALCO_VERSION=<current_falco_version> --name <name> falcosecurity/falco-tester test"
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 
 ENV FALCO_VERSION=
 ENV BUILD_TYPE=release

docker/tester/root/runners/deb.Dockerfile

@@ -1,5 +1,5 @@
 FROM ubuntu:18.04
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 
 ARG FALCO_VERSION=
 RUN test -n FALCO_VERSION

docker/tester/root/runners/rpm.Dockerfile

@@ -1,6 +1,6 @@
 FROM centos:7
 
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 
 ARG FALCO_VERSION=
 RUN test -n FALCO_VERSION

integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap-slim.yaml

@@ -20,7 +20,7 @@ spec:
             privileged: true
           #env:
           #  - name: FALCOCTL_FALCO_VERSION
-          #    value: 0.21.0
+          #    value: 0.19.0
           #  - name: FALCOCTL_FALCO_PROBE_URL
           #    value:
           #  - name: FALCOCTL_FALCO_PROBE_REPO
@@ -31,7 +31,7 @@ spec:
               readOnly: true
       containers:
         - name: falco
-          image: falcosecurity/falco:0.21.0-slim
+          image: falcosecurity/falco:0.19.0-slim
           securityContext:
             privileged: true
 # Uncomment the 3 lines below to enable eBPF support for Falco.
@@ -39,7 +39,7 @@ spec:
 # Leave blank for the default probe location, or set to the path
 # of a precompiled probe.
 #          env:
-#          - name: FALCO_BPF_PROBE
+#          - name: BPF_PROBE
 #            value: ""
           args: [ "/usr/bin/falco", "--cri", "/host/run/containerd/containerd.sock", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://$(KUBERNETES_SERVICE_HOST)", "-pk"]
           volumeMounts:

integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml

@@ -23,7 +23,7 @@ spec:
 # Leave blank for the default probe location, or set to the path
 # of a precompiled probe.
 #          env:
-#          - name: FALCO_BPF_PROBE
+#          - name: BPF_PROBE
 #            value: ""
           args: [ "/usr/bin/falco", "--cri", "/host/run/containerd/containerd.sock", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://$(KUBERNETES_SERVICE_HOST)", "-pk"]
           volumeMounts:

proposals/20190826-grpc-outputs.md

@@ -1,4 +1,4 @@
-# gRPC Falco Output
+# gRPC Falco Outputs
 
 <!-- toc -->
 
@@ -77,18 +77,18 @@ syntax = "proto3";
 import "google/protobuf/timestamp.proto";
 import "schema.proto";
 
-package falco.output;
+package falco.outputs;
 
-option go_package = "github.com/falcosecurity/client-go/pkg/api/output";
+option go_package = "github.com/falcosecurity/client-go/pkg/api/outputs";
 
-// The `subscribe` service defines the RPC call
+// The `outputs` service defines a server-streaming RPC call
 // to perform an output `request` which will lead to obtain an output `response`.
 service service {
-  rpc subscribe(request) returns (stream response);
+  rpc outputs(request) returns (stream response);
 }
 
 // The `request` message is the logical representation of the request model.
-// It is the input of the `subscribe` service.
+// It is the input of the `outputs` service.
 // It is used to configure the kind of subscription to the gRPC streaming server.
 message request {
   bool keepalive = 1;

rules/falco_rules.yaml

@@ -450,7 +450,7 @@
     a shell configuration file has been modified (user=%user.name command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name container_id=%container.id image=%container.image.repository)
   priority:
     WARNING
-  tags: [file, mitre_persistence]
+  tag: [file, mitre_persistence]
 
 # This rule is not enabled by default, as there are many legitimate
 # readers of shell config files. If you want to enable it, modify the
@@ -472,7 +472,7 @@
     a shell configuration file was read by a non-shell program (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
   priority:
     WARNING
-  tags: [file, mitre_discovery]
+  tag: [file, mitre_discovery]
 
 - macro: consider_all_cron_jobs
   condition: (never_true)
@@ -488,7 +488,7 @@
     file=%fd.name container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority:
     NOTICE
-  tags: [file, mitre_persistence]
+  tag: [file, mitre_persistence]
 
 # Use this to test whether the event occurred within a container.
 
@@ -1544,13 +1544,13 @@
     an attempt to change a program/thread\'s namespace (commonly done
     as a part of creating a container) by calling setns.
   condition: >
-    evt.type=setns and evt.dir=<
-    and not (container.id=host and proc.name in (docker_binaries, k8s_binaries, lxd_binaries, nsenter))
-    and not proc.name in (sysdigcloud_binaries, sysdig, calico, oci-umount, cilium-cni, network_plugin_binaries)
+    evt.type = setns
+    and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries,
+                          sysdig, nsenter, calico, oci-umount, cilium-cni, network_plugin_binaries)
     and not proc.name in (user_known_change_thread_namespace_binaries)
     and not proc.name startswith "runc"
     and not proc.cmdline startswith "containerd"
-    and not proc.pname in (sysdigcloud_binaries, hyperkube, kubelet)
+    and not proc.pname in (sysdigcloud_binaries)
     and not python_running_sdchecks
     and not java_running_sdjagent
     and not kubelet_running_loopback
@@ -1561,9 +1561,9 @@
     and not user_known_change_thread_namespace_activities
   output: >
     Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline
-    parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository:%container.image.tag)
+    parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository)
   priority: NOTICE
-  tags: [process, mitre_privilege_escalation, mitre_lateral_movement]
+  tags: [process]
 
 # The binaries in this list and their descendents are *not* allowed
 # spawn shells. This includes the binaries spawning shells directly as
@@ -2480,7 +2480,7 @@
     Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
   priority:
     WARNING
-  tags: [process, mitre_defense_evation]
+  tag: [process, mitre_defense_evation]
 
 # This rule is deprecated and will/should never be triggered. Keep it here for backport compatibility.
 # Rule Delete or rename shell history is the preferred rule to use now.
@@ -2493,7 +2493,7 @@
     Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
   priority:
     WARNING
-  tags: [process, mitre_defense_evation]
+  tag: [process, mitre_defense_evation]
 
 - macro: consider_all_chmods
   condition: (always_true)
@@ -2515,7 +2515,7 @@
     command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority:
     NOTICE
-  tags: [process, mitre_persistence]
+  tag: [process, mitre_persistence]
 
 - list: exclude_hidden_directories
   items: [/root/.cassandra]
@@ -2537,7 +2537,7 @@
     file=%fd.name newpath=%evt.arg.newpath container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority:
     NOTICE
-  tags: [file, mitre_persistence]
+  tag: [file, mitre_persistence]
 
 - list: remote_file_copy_binaries
   items: [rsync, scp, sftp, dcp]
@@ -2645,14 +2645,11 @@
   condition: (fd.sport in (miner_ports) and fd.sip.name in (miner_domains))
 
 - macro: net_miner_pool
-  condition: (evt.type in (sendto, sendmsg) and evt.dir=< and (fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and ((minerpool_http) or (minerpool_https) or (minerpool_other)))
+  condition: (evt.type in (sendto, sendmsg) and evt.dir=< and ((minerpool_http) or (minerpool_https) or (minerpool_other)))
 
-# The rule is disabled by default. 
-# Note: falco will send DNS request to resolve miner pool domain which may trigger alerts in your environment.
 - rule: Detect outbound connections to common miner pool ports
   desc: Miners typically connect to miner pools on common ports.
   condition: net_miner_pool
-  enabled: false
   output: Outbound connection to IP/Port flagged by cryptoioc.ch (command=%proc.cmdline port=%fd.rport ip=%fd.rip container=%container.info image=%container.image.repository)
   priority: CRITICAL
   tags: [network, mitre_execution]

scripts/debian/falco

@@ -26,7 +26,7 @@
 #                    driven by system calls with support for containers.
 ### END INIT INFO
 
-# Author: The Falco Authors <cncf-falco-dev@lists.cncf.io>
+# Author: The Falco Authors <opensource@sysdig.com>
 
 # Do NOT "set -e"
 

scripts/falco-probe-loader

@@ -350,7 +350,7 @@ load_bpf_probe() {
 			echo "**********************************************************"
 		fi
 
-		echo "* BPF probe located, it's now possible to start falco"
+		echo "* BPF probe located, it's now possible to start sysdig"
 
 		ln -sf "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${HOME}/.falco/${BPF_PROBE_NAME}.o"
 		exit $?
@@ -402,7 +402,7 @@ if ! hash curl > /dev/null 2>&1; then
 	exit 1
 fi
 
-if [ -v FALCO_BPF_PROBE ] || [ "${1}" = "bpf" ]; then
+if [ -v BPF_PROBE ] || [ "${1}" = "bpf" ]; then
 	load_bpf_probe
 else
 	load_kernel_probe

test/falco_tests.yaml

@@ -689,7 +689,7 @@ trace_files: !mux
       - "Non sudo setuid": 1
       - "Create files below dev": 1
       - "Modify binary dirs": 2
-      - "Change thread namespace": 1
+      - "Change thread namespace": 2
 
   disabled_tags_a:
     detect: True

test/falco_traces.yaml.in

@@ -26,7 +26,7 @@ traces: !mux
     detect: True
     detect_level: NOTICE
     detect_counts:
-      - "Change thread namespace": 1
+      - "Change thread namespace": 2
 
   container-privileged:
     trace_file: traces-positive/container-privileged.scap
@@ -73,7 +73,7 @@ traces: !mux
       - "Non sudo setuid": 1
       - "Create files below dev": 1
       - "Modify binary dirs": 2
-      - "Change thread namespace": 1
+      - "Change thread namespace": 2
 
   mkdir-binary-dirs:
     trace_file: traces-positive/mkdir-binary-dirs.scap

userspace/engine/banned.h

@@ -21,30 +21,5 @@ limitations under the License.
 // function is used.
 #define BAN(function) using_##function##_is_banned
 
-// BAN_ALTERNATIVE is same as BAN but the message also provides an alternative
-// function that the user could use instead of the banned function.
-#define BAN_ALTERNATIVE(function, alternative) using_##function##_is_banned__use_##alternative##_instead
-
 #undef strcpy
 #define strcpy(a, b) BAN(strcpy)
-
-#undef vsprintf
-#define vsprintf(a, b, c) BAN_ALTERNATIVE(vsprintf, vsnprintf)
-
-#undef sprintf
-#define sprintf(a, b, ...) BAN_ALTERNATIVE(sprintf, snprintf)
-
-#undef strcat
-#define strcat(a, b) BAN(strcat)
-
-#undef strncat
-#define strncat(a, b, c) BAN(strncat)
-
-#undef strncpy
-#define strncpy(a, b, c) BAN(strncpy)
-
-#undef swprintf
-#define swprintf(a, b, c, ...) BAN_ALTERNATIVE(swprintf, snprintf)
-
-#undef vswprintf
-#define vswprintf(a, b, c, d) BAN_ALTERNATIVE(vswprintf, vsnprintf)

userspace/engine/falco_common.cpp

@@ -18,7 +18,7 @@ limitations under the License.
 
 #include "config_falco_engine.h"
 #include "falco_common.h"
-#include "banned.h" // This raises a compilation error when certain functions are used
+#include "banned.h"
 
 std::vector<std::string> falco_common::priority_names = {
 	"Emergency",

userspace/engine/falco_engine.cpp

@@ -32,7 +32,7 @@ extern "C" {
 }
 
 #include "utils.h"
-#include "banned.h" // This raises a compilation error when certain functions are used
+#include "banned.h"
 
 
 string lua_on_event = "on_event";

userspace/engine/falco_utils.cpp

@@ -18,7 +18,7 @@ limitations under the License.
 */
 
 #include "falco_utils.h"
-#include "banned.h" // This raises a compilation error when certain functions are used
+#include "banned.h"
 
 namespace falco
 {

userspace/engine/formats.cpp

@@ -18,7 +18,7 @@ limitations under the License.
 
 #include "formats.h"
 #include "falco_engine.h"
-#include "banned.h" // This raises a compilation error when certain functions are used
+#include "banned.h"
 
 
 sinsp* falco_formats::s_inspector = NULL;

userspace/engine/json_evt.cpp

@@ -21,7 +21,7 @@ limitations under the License.
 
 #include "falco_common.h"
 #include "json_evt.h"
-#include "banned.h" // This raises a compilation error when certain functions are used
+#include "banned.h"
 
 using json = nlohmann::json;
 using namespace std;

userspace/engine/rules.cpp

@@ -24,7 +24,7 @@ extern "C" {
 }
 
 #include "falco_engine.h"
-#include "banned.h" // This raises a compilation error when certain functions are used
+#include "banned.h"
 
 const static struct luaL_reg ll_falco_rules [] =
 {

userspace/engine/ruleset.cpp

@@ -15,7 +15,7 @@ limitations under the License.
 */
 
 #include "ruleset.h"
-#include "banned.h" // This raises a compilation error when certain functions are used
+#include "banned.h"
 
 using namespace std;
 

userspace/engine/token_bucket.cpp

@@ -20,7 +20,7 @@ limitations under the License.
 
 #include "token_bucket.h"
 #include "utils.h"
-#include "banned.h" // This raises a compilation error when certain functions are used
+#include "banned.h"
 
 token_bucket::token_bucket():
 	token_bucket(sinsp_utils::get_current_time_ns)

userspace/falco/CMakeLists.txt

@@ -19,24 +19,43 @@ add_custom_command(
     ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.h
     ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
     ${CMAKE_CURRENT_BINARY_DIR}/version.pb.h
-    ${CMAKE_CURRENT_BINARY_DIR}/output.grpc.pb.cc
-    ${CMAKE_CURRENT_BINARY_DIR}/output.grpc.pb.h
-    ${CMAKE_CURRENT_BINARY_DIR}/output.pb.cc
-    ${CMAKE_CURRENT_BINARY_DIR}/output.pb.h
+    ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.h
+    ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.h
+    ${CMAKE_CURRENT_BINARY_DIR}/inputs.grpc.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/inputs.grpc.pb.h
+    ${CMAKE_CURRENT_BINARY_DIR}/inputs.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/inputs.pb.h
+    ${CMAKE_CURRENT_BINARY_DIR}/event.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/event.pb.h
     ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc
     ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.h
-  COMMENT "Generate gRPC version API"
+    ${CMAKE_CURRENT_BINARY_DIR}/grpc.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/grpc.pb.h
+  COMMENT "Generate gRPC API"
+  # version API
   DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
   COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
   COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
           ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
-  COMMENT "Generate gRPC outputs API"
-  DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/output.proto
-  COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/output.proto
+  # outputs API
+  DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto ${CMAKE_CURRENT_SOURCE_DIR}/schema.proto
+  COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
           ${CMAKE_CURRENT_SOURCE_DIR}/schema.proto
   COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
-          ${CMAKE_CURRENT_SOURCE_DIR}/output.proto
-  WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR})
+          ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
+  WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
+  # inputs API
+  DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/inputs.proto ${CMAKE_CURRENT_SOURCE_DIR}/event.proto
+  COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/inputs.proto
+          ${CMAKE_CURRENT_SOURCE_DIR}/event.proto
+  COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
+          ${CMAKE_CURRENT_SOURCE_DIR}/inputs.proto
+  WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
+  # context API
+  DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/grpc.proto
+  COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/grpc.proto)
 
 add_executable(
   falco
@@ -55,9 +74,13 @@ add_executable(
   utils.cpp
   ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc
   ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
-  ${CMAKE_CURRENT_BINARY_DIR}/output.grpc.pb.cc
-  ${CMAKE_CURRENT_BINARY_DIR}/output.pb.cc
-  ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc)
+  ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc
+  ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc
+  ${CMAKE_CURRENT_BINARY_DIR}/inputs.grpc.pb.cc
+  ${CMAKE_CURRENT_BINARY_DIR}/inputs.pb.cc
+  ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc
+  ${CMAKE_CURRENT_BINARY_DIR}/event.pb.cc
+  ${CMAKE_CURRENT_BINARY_DIR}/grpc.pb.cc)
 
 add_dependencies(falco civetweb)
 

userspace/falco/configuration.cpp

@@ -23,7 +23,7 @@ limitations under the License.
 
 #include "configuration.h"
 #include "logger.h"
-#include "banned.h" // This raises a compilation error when certain functions are used
+#include "banned.h"
 
 using namespace std;
 
@@ -170,9 +170,9 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
 		throw logic_error("Error reading config file (" + m_config_file + "): No outputs configured. Please configure at least one output file output enabled but no filename in configuration block");
 	}
 
-	string log_level = m_config->get_scalar<string>("log_level", "info");
+	m_log_level = m_config->get_scalar<string>("log_level", "info");
 
-	falco_logger::set_level(log_level);
+	falco_logger::set_level(m_log_level);
 
 	m_notifications_rate = m_config->get_scalar<uint32_t>("outputs", "rate", 1);
 	m_notifications_max_burst = m_config->get_scalar<uint32_t>("outputs", "max_burst", 1000);

userspace/falco/configuration.h

@@ -195,6 +195,7 @@ public:
 	std::list<std::string> m_rules_filenames;
 	bool m_json_output;
 	bool m_json_include_output_property;
+	std::string m_log_level;
 	std::vector<falco_outputs::output_config> m_outputs;
 	uint32_t m_notifications_rate;
 	uint32_t m_notifications_max_burst;

userspace/falco/event.proto

@@ -0,0 +1,159 @@
+syntax = "proto3";
+
+import "google/protobuf/timestamp.proto";
+
+package falco.event;
+
+// note > from ppm_events_public.h
+// (ppm_param_type)
+enum param_type {
+  PT_NONE = 0;
+  PT_INT8 = 1;
+  PT_INT16 = 2;
+  PT_INT32 = 3;
+  PT_INT64 = 4;
+  PT_UINT8 = 5;
+  PT_UINT16 = 6;
+  PT_UINT32 = 7;
+  PT_UINT64 = 8;
+  PT_CHARBUF = 9; // A printable buffer of bytes, NULL terminated
+  PT_BYTEBUF = 10; // A raw buffer of bytes not suitable for printing
+  PT_ERRNO = 11; // This is an INT4; but will be interpreted as an error code
+  PT_SOCKADDR = 12; // A sockaddr structure, 1byte family + data
+  PT_SOCKTUPLE = 13; // A sockaddr tuple,1byte family + 12byte data + 12byte data
+  PT_FD = 14;        // An fd, 64bit
+  PT_PID = 15;    // A pid/tid, 64bit
+  PT_FDLIST = 16; // A list of fds, 16bit count + count * (64bit fd + 16bit flags)
+  PT_FSPATH = 17; // A string containing a relative or absolute file system path, null terminated
+  PT_SYSCALLID = 18; // A 16bit system call ID that can be used as a key for the g_syscall_info_table table
+  PT_SIGTYPE = 19; // An 8bit signal number
+  PT_RELTIME = 20; // A relative time. Seconds * 10^9  + nanoseconds, 64bit
+  PT_ABSTIME = 21; // An absolute time interval. Seconds from epoch * 10^9 + nanoseconds, 64bit
+  PT_PORT = 22;   // A TCP/UDP port, 2 bytes
+  PT_L4PROTO = 23;    // A 1 byte IP protocol type
+  PT_SOCKFAMILY = 24; // A 1 byte socket family
+  PT_BOOL = 25;       // A boolean value, 4 bytes
+  PT_IPV4ADDR = 26;   // A 4 byte raw IPv4 address
+  PT_DYN = 27; // Type can vary depending on the context (used for filter fields like evt.rawarg)
+  PT_FLAGS8 = 28; // This is an UINT8; but will be interpreted as 8 bit flags
+  PT_FLAGS16 = 29;     // This is an UINT6; but will be interpreted as 16 bit flags
+  PT_FLAGS32 = 30;     // This is an UINT2; but will be interpreted as 32 bit flags
+  PT_UID = 31;         // This is an UINT2; MAX_UINT32 will be interpreted as no value
+  PT_GID = 32; // This is an UINT2; MAX_UINT32 will be interpreted as no value
+  PT_DOUBLE = 33; // This is a double precision floating point number
+  PT_SIGSET = 34; // sigset_t (only the lower UINT32 of it)
+  PT_CHARBUFARRAY = 35; // Pointer to an array of strings exported by the user events decoder, 64bit (internal use only)
+  PT_CHARBUF_PAIR_ARRAY = 36; // Pointer to an array of string pairs, exported by the user events decoder, 64bit (internal use only)
+  PT_IPV4NET = 37;           // An IPv4 network
+  PT_IPV6ADDR = 38; // A 16 byte raw IPv6 address
+  PT_IPV6NET = 39;  // An IPv6 network
+  PT_IPADDR = 40;   // Either an IPv4 or IPv6 address; the length indicateswhich one it is
+  PT_IPNET = 41; // Either an IPv4 or IPv6 network; the length indicates which one it is
+  PT_MODE = 42;      // A 32 bit bitmask to represent file modes
+  PT_MAX = 43; // Array size
+};
+
+// note > ppm_events_public.h
+// (ppm_event_flags)
+enum event_flags {
+  EF_NONE = 0;
+  EF_CREATES_FD = 1;            // this event creates an FD (e.g. open)
+  EF_DESTROYS_FD = 2;           // this event destroys an FD (e.g. close)
+  EF_USES_FD = 4;               // this event operates on an FD
+  EF_READS_FROM_FD = 8;         // this event reads data from an FD
+  EF_WRITES_TO_FD = 16;         // this event writes data to an FD
+  EF_MODIFIES_STATE = 32;       // this event causes the machine state to change and should not be dropped by the filtering engine
+  EF_UNUSED = 64;               // this event is not used
+  EF_WAITS = 128;               // this event reads data from an FD
+  EF_SKIPPARSERESET = 256;      // this event shouldn't pollute the parser lastevent state tracker
+  EF_OLD_VERSION = 512;         // this event is kept for backward compatibility
+  EF_DROP_SIMPLE_CONS = 1024;   // this event can be skipped by consumers that privilege low overhead to full event capture
+}
+
+// todo(leodido) > complete
+// https://github.com/draios/sysdig/blob/master/driver/ppm_events_public.h
+// (ppm_event_type)
+enum event_type {
+  PPME_GENERIC_E = 0;
+  PPME_GENERIC_X = 1;
+}
+
+// todo(leodido) > complete
+// https://github.com/draios/sysdig/blob/master/driver/ppm_events_public.h
+// (ppm_event_category)
+enum event_category {
+  EC_UNKNOWN = 0;
+  EC_OTHER = 1;
+  EC_FILE = 2;
+}
+
+message parameter {
+  string name = 1;
+  uint32 value = 2;
+}
+
+message parameter_info {
+  string name = 1;     // parameter name, e.g. 'size'
+  param_type type = 2; // parameter type, e.g. 'uint16', 'string'
+  // print_format fmt = 3;
+  // ? info = 4;
+}
+
+message ppm_event {
+  string name = 1;
+  event_category category = 2; // event category, e.g. 'file, 'net'
+  uint32 flags = 3;
+  uint32 nparams = 4;       // number of parameters in the parameters array
+  repeated parameter_info params = 5;
+}
+
+message scap_event {
+  google.protobuf.Timestamp ts = 1;
+  uint64 tid = 2;
+  event_type type = 3;
+  uint32 nparams = 4;
+}
+
+enum command_category {
+  CAT_NONE = 0;
+  CAT_CONTAINER = 1;
+  CAT_HEALTHCHECK = 2;
+  CAT_LIVENESS_PROBE = 3;
+  CAT_READINESS_PROBE = 4;
+}
+
+// note > threadinfo.h
+message thread_info {
+  uint64 tid = 1; // id of this thread
+  uint64 pid = 2; // id of the process containing this thread
+  uint64 ptid = 3; // id of the process that started this thread
+  uint64 sid = 4; // session id of the process containing this thread
+  string comm = 5; // name of the process containing this thread, e.g. "top"
+  string exe = 6; // name of the process containing this thread from argv[0], e.g. "/bin/top"
+  string exepath = 7; // full executable path of the process containing this thread, e.g. "/bin/top"
+  string cwd = 8; // working directory of the process containing this thread
+  repeated string env = 9; // values of all environment variables for the process containing this thread
+  repeated string args = 10; // command line arguments, e.g., -d1
+  // string container_id = 11;
+  // ...
+  command_category category = 12;
+}
+
+// note > event.h
+message event {
+  scap_event evt = 1;
+  uint32 cpuid = 2;
+  event_flags flags = 3; // fixme(leodido) > should this be a uint32?
+  ppm_event info = 4;
+  string params = 5;
+  thread_info tinfo = 6;
+  // fdinfo = 7
+  uint32 iosize = 8;
+
+
+  // bool fdinfo_name_changed = 9;
+  // int64 fd_num = 10;
+  // uint32 num_params = 11;
+  // map<uint32, string> param_name = 12;
+  // map<uint32, string> param_value = 13;
+}

userspace/falco/event_drops.cpp

@@ -15,7 +15,7 @@ limitations under the License.
 */
 
 #include "event_drops.h"
-#include "banned.h" // This raises a compilation error when certain functions are used
+#include "banned.h"
 
 syscall_evt_drop_mgr::syscall_evt_drop_mgr():
 	m_num_syscall_evt_drops(0),
@@ -76,7 +76,7 @@ bool syscall_evt_drop_mgr::process_event(sinsp *inspector, sinsp_evt *evt)
 
 		if(m_simulate_drops)
 		{
-			falco_logger::log(LOG_INFO, "Simulating syscall event drop");
+			falco_logger::log(LOG_INFO, "Simulating syscall event drop\n");
 			delta.n_drops++;
 		}
 
@@ -94,7 +94,7 @@ bool syscall_evt_drop_mgr::process_event(sinsp *inspector, sinsp_evt *evt)
 			}
 			else
 			{
-				falco_logger::log(LOG_DEBUG, "Syscall event drop but token bucket depleted, skipping actions");
+				falco_logger::log(LOG_DEBUG, "Syscall event drop but token bucket depleted, skipping actions\n");
 			}
 		}
 	}
@@ -156,7 +156,7 @@ bool syscall_evt_drop_mgr::perform_actions(uint64_t now, scap_stats &delta, bool
 	if(should_exit)
 	{
 		falco_logger::log(LOG_CRIT, msg);
-		falco_logger::log(LOG_CRIT, "Exiting.");
+		falco_logger::log(LOG_CRIT, "Exiting.\n");
 		return false;
 	}
 

userspace/falco/falco.cpp

@@ -45,7 +45,7 @@ limitations under the License.
 #include "statsfilewriter.h"
 #include "webserver.h"
 #include "grpc_server.h"
-#include "banned.h" // This raises a compilation error when certain functions are used
+#include "banned.h"
 
 typedef function<void(sinsp* inspector)> open_t;
 
@@ -1192,7 +1192,7 @@ int falco_init(int argc, char **argv)
 		{
 			// TODO(fntlnz,leodido): when we want to spawn multiple threads we need to have a queue per thread, or implement
 			// different queuing mechanisms, round robin, fanout? What we want to achieve?
-			grpc_server.init(config.m_grpc_bind_address, config.m_grpc_threadiness, config.m_grpc_private_key, config.m_grpc_cert_chain, config.m_grpc_root_certs);
+			grpc_server.init(config.m_grpc_bind_address, config.m_grpc_private_key, config.m_grpc_cert_chain, config.m_grpc_root_certs, config.m_grpc_threadiness, config.m_log_level);
 			grpc_server_thread = std::thread([&grpc_server] {
 				grpc_server.run();
 			});

userspace/falco/falco_output_queue.h

@@ -16,12 +16,12 @@ limitations under the License.
 
 #pragma once
 
-#include "output.pb.h"
+#include "outputs.pb.h"
 #include "tbb/concurrent_queue.h"
 
 namespace falco
 {
-namespace output
+namespace outputs
 {
 typedef tbb::concurrent_queue<response> response_cq;
 

userspace/falco/falco_outputs.cpp

@@ -23,12 +23,11 @@ limitations under the License.
 #include "formats.h"
 #include "logger.h"
 #include "falco_output_queue.h"
-#include "banned.h" // This raises a compilation error when certain functions are used
+#include "banned.h"
 
 using namespace std;
-using namespace falco::output;
 
-const static struct luaL_reg ll_falco_outputs [] =
+const static struct luaL_reg ll_falco_outputs[] =
 {
 	{"handle_http", &falco_outputs::handle_http},
 	{"handle_grpc", &falco_outputs::handle_grpc},
@@ -57,7 +56,7 @@ falco_outputs::~falco_outputs()
 		lua_getglobal(m_ls, m_lua_output_cleanup.c_str());
 		if(!lua_isfunction(m_ls, -1))
 		{
-			falco_logger::log(LOG_ERR, std::string("No function ") + m_lua_output_cleanup + " found. ");
+			falco_logger::log(LOG_ERR, std::string("No function ") + m_lua_output_cleanup + " found.\n");
 			assert(nullptr == "Missing lua cleanup function in ~falco_outputs");
 		}
 
@@ -316,7 +315,7 @@ int falco_outputs::handle_grpc(lua_State *ls)
 		lua_error(ls);
 	}
 
-	response grpc_res = response();
+	falco::outputs::response grpc_res = falco::outputs::response();
 
 	// time
 	gen_event *evt = (gen_event *)lua_topointer(ls, 1);
@@ -366,7 +365,7 @@ int falco_outputs::handle_grpc(lua_State *ls)
 	auto host = grpc_res.mutable_hostname();
 	*host = (char *)lua_tostring(ls, 7);
 
-	falco::output::queue::get().push(grpc_res);
+	falco::outputs::queue::get().push(grpc_res);
 
 	return 1;
 }

userspace/falco/grpc.proto

@@ -0,0 +1,16 @@
+syntax = "proto3";
+
+package falco.grpc;
+
+enum stream_status {
+    STREAMING = 0;
+    SUCCESS = 1;
+    ERROR = 2;
+}
+
+enum request_state {
+    UNKNOWN = 0;
+    REQUEST = 1;
+    WRITE = 2;
+    FINISH = 3;
+}

userspace/falco/grpc_context.cpp

@@ -17,37 +17,34 @@ limitations under the License.
 #include <sstream>
 
 #include "grpc_context.h"
-#include "banned.h" // This raises a compilation error when certain functions are used
+#include "banned.h"
 
 falco::grpc::context::context(::grpc::ServerContext* ctx):
 	m_ctx(ctx)
 {
-	std::string session_id;
-	std::string request_id;
+	get_metadata(meta_session, m_session_id);
+	get_metadata(meta_request, m_request_id);
 
-	get_metadata(meta_session, session_id);
-	get_metadata(meta_request, request_id);
-
-	bool has_meta = false;
 	std::stringstream meta;
-	if(!session_id.empty())
+	if(!m_session_id.empty())
 	{
-		meta << "[sid=" << session_id << "]";
-		has_meta = true;
+		ctx->AddInitialMetadata(meta_session, m_session_id);
+		meta << "sid=" << m_session_id << "";
 	}
-	if(!request_id.empty())
+	if(!m_request_id.empty())
 	{
-		meta << "[rid=" << request_id << "]";
-		has_meta = true;
-	}
-	if(has_meta)
-	{
-		meta << " ";
+		ctx->AddInitialMetadata(meta_request, m_request_id);
+		meta << ", rid=" << m_request_id << "";
 	}
 	m_prefix = meta.str();
 }
 
-void falco::grpc::context::context::get_metadata(std::string key, std::string& val)
+std::string falco::grpc::context::peer() const
+{
+	return m_ctx->peer();
+}
+
+void falco::grpc::context::get_metadata(std::string key, std::string& val)
 {
 	const std::multimap<::grpc::string_ref, ::grpc::string_ref>& client_metadata = m_ctx->client_metadata();
 	auto it = client_metadata.find(key);
@@ -55,4 +52,4 @@ void falco::grpc::context::context::get_metadata(std::string key, std::string& v
 	{
 		val.assign(it->second.data(), it->second.size());
 	}
-}
+}

userspace/falco/grpc_context.h

@@ -24,6 +24,8 @@ limitations under the License.
 #include <grpc++/grpc++.h>
 #endif
 
+#include "grpc.pb.h"
+
 namespace falco
 {
 namespace grpc
@@ -39,10 +41,14 @@ public:
 	~context() = default;
 
 	void get_metadata(std::string key, std::string& val);
+	std::string peer() const;
+
+	std::string m_prefix; // todo(leodido) > making this read only?
 
 private:
+	std::string m_session_id;
+	std::string m_request_id;
 	::grpc::ServerContext* m_ctx = nullptr;
-	std::string m_prefix;
 };
 
 class stream_context : public context
@@ -52,14 +58,9 @@ public:
 		context(ctx){};
 	~stream_context() = default;
 
-	enum : char
-	{
-		STREAMING = 1,
-		SUCCESS,
-		ERROR
-	} m_status = STREAMING;
+	stream_status m_status = stream_status::STREAMING;
 
-	mutable void* m_stream = nullptr; // todo(fntlnz, leodido) > useful in the future
+	mutable void* m_stream = nullptr; // todo(fntlnz, leodido) > useful in the future (request-specific stream data)
 	mutable bool m_has_more = false;
 };
 

userspace/falco/grpc_request_context.cpp

@@ -24,37 +24,55 @@ namespace grpc
 {
 
 template<>
-void request_stream_context<falco::output::service, falco::output::request, falco::output::response>::start(server* srv)
+void request_stream_context<falco::outputs::service, falco::outputs::request, falco::outputs::response>::start(server* srv)
 {
-	m_state = request_context_base::REQUEST;
+	m_state = request_state::REQUEST;
 	m_srv_ctx.reset(new ::grpc::ServerContext);
 	auto srvctx = m_srv_ctx.get();
-	m_res_writer.reset(new ::grpc::ServerAsyncWriter<output::response>(srvctx));
+	m_res_writer.reset(new ::grpc::ServerAsyncWriter<outputs::response>(srvctx));
 	m_stream_ctx.reset();
 	m_req.Clear();
 	auto cq = srv->m_completion_queue.get();
-	// todo(leodido) > log "calling m_request_func: tag=this, state=m_state"
-	(srv->m_output_svc.*m_request_func)(srvctx, &m_req, m_res_writer.get(), cq, cq, this);
+	// m_stream_ctx->m_stream = this; // todo(leodido) > save the tag - ie., this - into the stream?
+	gpr_log(
+		GPR_DEBUG,
+		"request_stream_context<outputs>::%s -> m_request_func: tag=%p, state=%s",
+		__func__,
+		this,
+		request_state_Name(m_state).c_str());
+	(srv->m_outputs_svc.*m_request_func)(srvctx, &m_req, m_res_writer.get(), cq, cq, this);
 }
 
 template<>
-void request_stream_context<falco::output::service, falco::output::request, falco::output::response>::process(server* srv)
+void request_stream_context<falco::outputs::service, falco::outputs::request, falco::outputs::response>::process(server* srv)
 {
 	// When it is the 1st process call
-	if(m_state == request_context_base::REQUEST)
+	if(m_state == request_state::REQUEST)
 	{
-		m_state = request_context_base::WRITE;
+		m_state = request_state::WRITE;
 		m_stream_ctx.reset(new stream_context(m_srv_ctx.get()));
 	}
 
 	// Processing
-	output::response res;
-	(srv->*m_process_func)(*m_stream_ctx, m_req, res); // subscribe()
+	gpr_log(
+		GPR_DEBUG,
+		"request_stream_context<outputs>::%s -> m_process_func: tag=%p, state=%s",
+		__func__,
+		this,
+		request_state_Name(m_state).c_str());
+
+	outputs::response res;
+	(srv->*m_process_func)(*m_stream_ctx, m_req, res); // outputs_impl()
 
 	// When there are still more responses to stream
 	if(m_stream_ctx->m_has_more)
 	{
-		// todo(leodido) > log "write: tag=this, state=m_state"
+		gpr_log(
+			GPR_DEBUG,
+			"request_stream_context<outputs>::%s -> write: tag=%p, state=%s",
+			__func__,
+			this,
+			request_state_Name(m_state).c_str());
 		m_res_writer->Write(res, this);
 	}
 	// No more responses to stream
@@ -62,26 +80,37 @@ void request_stream_context<falco::output::service, falco::output::request, falc
 	{
 		// Communicate to the gRPC runtime that we have finished.
 		// The memory address of "this" instance uniquely identifies the event.
-		m_state = request_context_base::FINISH;
-		// todo(leodido) > log "finish: tag=this, state=m_state"
+		m_state = request_state::FINISH;
+		gpr_log(
+			GPR_DEBUG,
+			"request_stream_context<outputs>::%s -> finish: tag=%p, state=finish",
+			__func__,
+			this);
+
 		m_res_writer->Finish(::grpc::Status::OK, this);
 	}
 }
 
 template<>
-void request_stream_context<falco::output::service, falco::output::request, falco::output::response>::end(server* srv, bool errored)
+void request_stream_context<falco::outputs::service, falco::outputs::request, falco::outputs::response>::end(server* srv, bool errored)
 {
 	if(m_stream_ctx)
 	{
 		if(errored)
 		{
-			// todo(leodido) > log error "error streaming: tag=this, state=m_state, stream=m_stream_ctx->m_stream"
+			gpr_log(
+				GPR_ERROR,
+				"request_stream_context<outputs>::%s -> error streaming: tag=%p, state=%s, stream=%p",
+				__func__,
+				this,
+				request_state_Name(m_state).c_str(),
+				m_stream_ctx->m_stream);
 		}
-		m_stream_ctx->m_status = errored ? stream_context::ERROR : stream_context::SUCCESS;
+		m_stream_ctx->m_status = errored ? stream_status::ERROR : stream_status::SUCCESS;
 
 		// Complete the processing
-		output::response res;
-		(srv->*m_process_func)(*m_stream_ctx, m_req, res); // subscribe()
+		outputs::response res;
+		(srv->*m_process_func)(*m_stream_ctx, m_req, res); // outputs()
 	}
 	else
 	{
@@ -90,7 +119,12 @@ void request_stream_context<falco::output::service, falco::output::request, falc
 		// So, `m_stream_ctx` is null because it is set into the `process()` function.
 		// The stream haven't started.
 
-		// todo(leodido) > log error "ending streaming: tag=this, state=m_state, stream=null"
+		gpr_log(
+			GPR_ERROR,
+			"%s -> ending streaming: tag=%p, state=%s, stream=never started",
+			__func__,
+			this,
+			request_state_Name(m_state).c_str());
 	}
 
 	// Ask to start processing requests
@@ -100,7 +134,7 @@ void request_stream_context<falco::output::service, falco::output::request, falc
 template<>
 void falco::grpc::request_context<falco::version::service, falco::version::request, falco::version::response>::start(server* srv)
 {
-	m_state = request_context_base::REQUEST;
+	m_state = request_state::REQUEST;
 	m_srv_ctx.reset(new ::grpc::ServerContext);
 	auto srvctx = m_srv_ctx.get();
 	m_res_writer.reset(new ::grpc::ServerAsyncResponseWriter<version::response>(srvctx));
@@ -109,17 +143,32 @@ void falco::grpc::request_context<falco::version::service, falco::version::reque
 	// Request to start processing given requests.
 	// Using "this" - ie., the memory address of this context - as the tag that uniquely identifies the request.
 	// In this way, different contexts can serve different requests concurrently.
+	gpr_log(
+		GPR_DEBUG,
+		"request_context<version>::%s -> m_request_func: tag=%p, state=%s",
+		__func__,
+		this,
+		request_state_Name(m_state).c_str());
 	(srv->m_version_svc.*m_request_func)(srvctx, &m_req, m_res_writer.get(), cq, cq, this);
 }
 
 template<>
 void falco::grpc::request_context<falco::version::service, falco::version::request, falco::version::response>::process(server* srv)
 {
+	gpr_log(
+		GPR_DEBUG,
+		"request_context<version>::%s -> m_process_func: tag=%p, state=%s",
+		__func__,
+		this,
+		request_state_Name(m_state).c_str());
+
+	// Create empty response
 	version::response res;
+	// Call version service implementation
 	(srv->*m_process_func)(m_srv_ctx.get(), m_req, res);
 
 	// Notify the gRPC runtime that this processing is done
-	m_state = request_context_base::FINISH;
+	m_state = request_state::FINISH;
 	// Using "this"- ie., the memory address of this context - to uniquely identify the event.
 	m_res_writer->Finish(res, ::grpc::Status::OK, this);
 }
@@ -127,8 +176,73 @@ void falco::grpc::request_context<falco::version::service, falco::version::reque
 template<>
 void falco::grpc::request_context<falco::version::service, falco::version::request, falco::version::response>::end(server* srv, bool errored)
 {
-	// todo(leodido) > handle processing errors here
-	
+	if(errored)
+	{
+		gpr_log(
+			GPR_ERROR,
+			"request_context<version>::%s -> error replying: tag=%p, state=%s",
+			__func__,
+			this,
+			request_state_Name(m_state).c_str());
+	}
+
+	// Ask to start processing requests
+	start(srv);
+}
+
+template<>
+void falco::grpc::request_context<falco::inputs::service, falco::inputs::request, falco::inputs::response>::start(server* srv)
+{
+	m_state = request_state::REQUEST;
+	m_srv_ctx.reset(new ::grpc::ServerContext);
+	auto srvctx = m_srv_ctx.get();
+	m_res_writer.reset(new ::grpc::ServerAsyncResponseWriter<inputs::response>(srvctx));
+	m_req.Clear();
+	auto cq = srv->m_completion_queue.get();
+	// Request to start processing given requests.
+	// Using "this" - ie., the memory address of this context - as the tag that uniquely identifies the request.
+	// In this way, different contexts can serve different requests concurrently.
+	gpr_log(
+		GPR_DEBUG,
+		"request_context<inputs>::%s -> m_request_func: tag=%p, state=%s",
+		__func__,
+		this,
+		request_state_Name(m_state).c_str());
+	(srv->m_inputs_svc.*m_request_func)(srvctx, &m_req, m_res_writer.get(), cq, cq, this);
+}
+
+template<>
+void falco::grpc::request_context<falco::inputs::service, falco::inputs::request, falco::inputs::response>::process(server* srv)
+{
+	gpr_log(
+		GPR_DEBUG,
+		"request_context<inputs>::%s -> m_process_func: tag=%p, state=%s",
+		__func__,
+		this,
+		request_state_Name(m_state).c_str());
+
+	inputs::response res;
+	(srv->*m_process_func)(m_srv_ctx.get(), m_req, res);
+
+	// Notify the gRPC runtime that this processing is done
+	m_state = request_state::FINISH;
+	// Using "this"- ie., the memory address of this context - to uniquely identify the event.
+	m_res_writer->Finish(res, ::grpc::Status::OK, this);
+}
+
+template<>
+void falco::grpc::request_context<falco::inputs::service, falco::inputs::request, falco::inputs::response>::end(server* srv, bool errored)
+{
+	if(errored)
+	{
+		gpr_log(
+			GPR_ERROR,
+			"request_context<inputs>::%s -> error replying: tag=%p, state=%s",
+			__func__,
+			this,
+			request_state_Name(m_state).c_str());
+	}
+
 	// Ask to start processing requests
 	start(srv);
 }

userspace/falco/grpc_request_context.h

@@ -32,13 +32,8 @@ public:
 	~request_context_base() = default;
 
 	std::unique_ptr<::grpc::ServerContext> m_srv_ctx;
-	enum : char
-	{
-		UNKNOWN = 0,
-		REQUEST,
-		WRITE,
-		FINISH
-	} m_state = UNKNOWN;
+	request_state m_state = request_state::UNKNOWN;
+
 	virtual void start(server* srv) = 0;
 	virtual void process(server* srv) = 0;
 	virtual void end(server* srv, bool isError) = 0;

userspace/falco/grpc_server.cpp

@@ -14,17 +14,18 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+#include <unistd.h>
+
 #ifdef GRPC_INCLUDE_IS_GRPCPP
 #include <grpcpp/grpcpp.h>
 #else
 #include <grpc++/grpc++.h>
 #endif
 
-#include "logger.h"
 #include "grpc_server.h"
 #include "grpc_request_context.h"
 #include "utils.h"
-#include "banned.h" // This raises a compilation error when certain functions are used
+#include "banned.h"
 
 #define REGISTER_STREAM(req, res, svc, rpc, impl, num)                          \
 	std::vector<request_stream_context<svc, req, res>> rpc##_contexts(num); \
@@ -52,21 +53,34 @@ void falco::grpc::server::thread_process(int thread_index)
 	{
 		if(tag == nullptr)
 		{
-			// todo(leodido) > log error "server completion queue error: empty tag"
+			gpr_log(
+				GPR_ERROR,
+				"server::%s -> server completion queue error: tag=(empty)",
+				__func__);
 			continue;
 		}
 
 		// Obtain the context for a given tag
 		request_context_base* ctx = static_cast<request_context_base*>(tag);
 
-		// todo(leodido) > log "next event: tag=tag, read_success=event_read_success, state=ctx->m_state"
+		gpr_log(
+			GPR_DEBUG,
+			"server::%s -> next event: tag=%p, read success=%s, state=%s",
+			__func__,
+			tag,
+			event_read_success ? "true" : "false",
+			request_state_Name(ctx->m_state).c_str());
 
 		// When event has not been read successfully
 		if(!event_read_success)
 		{
-			if(ctx->m_state != request_context_base::REQUEST)
+			if(ctx->m_state != request_state::REQUEST)
 			{
-				// todo(leodido) > log error "server completion queue failing to read: tag=tag"
+				gpr_log(
+					GPR_ERROR,
+					"server::%s -> server completion queue failing to read: tag=%p",
+					__func__,
+					tag);
 
 				// End the context with error
 				ctx->end(this, true);
@@ -77,39 +91,71 @@ void falco::grpc::server::thread_process(int thread_index)
 		// Process the event
 		switch(ctx->m_state)
 		{
-		case request_context_base::REQUEST:
+		case request_state::REQUEST:
 			// Completion of m_request_func
-		case request_context_base::WRITE:
+		case request_state::WRITE:
 			// Completion of Write()
 			ctx->process(this);
 			break;
-		case request_context_base::FINISH:
+		case request_state::FINISH:
 			// Completion of Finish()
 			ctx->end(this, false);
 			break;
 		default:
-			// todo(leodido) > log error "unkown completion queue event: tag=tag, state=ctx->m_state"
+			gpr_log(
+				GPR_ERROR,
+				"server::%s -> unkown completion queue event: tag=%p, state=%s",
+				__func__,
+				tag,
+				request_state_Name(ctx->m_state).c_str());
 			break;
 		}
 
-		// todo(leodido) > log "thread completed: index=thread_index"
+		gpr_log(
+			GPR_DEBUG,
+			"server::%s -> thread completed: tag=%p, index=%d",
+			__func__,
+			tag,
+			thread_index);
 	}
 }
 
-void falco::grpc::server::init(std::string server_addr, int threadiness, std::string private_key, std::string cert_chain, std::string root_certs)
+void falco::grpc::server::init(std::string server_addr, std::string private_key, std::string cert_chain, std::string root_certs, int threadiness, std::string log_level)
 {
 	m_server_addr = server_addr;
 	m_threadiness = threadiness;
 	m_private_key = private_key;
 	m_cert_chain = cert_chain;
 	m_root_certs = root_certs;
+
+	falco::schema::priority logging_level = falco::schema::INFORMATIONAL;
+	falco::schema::priority_Parse(log_level, &logging_level);
+	switch(logging_level)
+	{
+	case falco::schema::ERROR:
+		gpr_set_log_verbosity(GPR_LOG_SEVERITY_ERROR);
+		break;
+	case falco::schema::DEBUG:
+		gpr_set_log_verbosity(GPR_LOG_SEVERITY_DEBUG);
+		break;
+	case falco::schema::INFORMATIONAL:
+	default:
+		// note > info will always enter here since it is != from "informational"
+		gpr_set_log_verbosity(GPR_LOG_SEVERITY_INFO);
+		break;
+	}
+
+	// gpr_set_log_function(custom_log);
+	gpr_log_verbosity_init();
 }
 
+// static void custom_log(gpr_log_func_args* args){};
+
 void falco::grpc::server::run()
 {
-	string private_key;
-	string cert_chain;
-	string root_certs;
+	std::string private_key;
+	std::string cert_chain;
+	std::string root_certs;
 
 	falco::utils::read(m_cert_chain, cert_chain);
 	falco::utils::read(m_private_key, private_key);
@@ -123,12 +169,13 @@ void falco::grpc::server::run()
 
 	::grpc::ServerBuilder builder;
 	builder.AddListeningPort(m_server_addr, ::grpc::SslServerCredentials(ssl_opts));
-	builder.RegisterService(&m_output_svc);
+	builder.RegisterService(&m_outputs_svc);
 	builder.RegisterService(&m_version_svc);
+	builder.RegisterService(&m_inputs_svc);
 
 	m_completion_queue = builder.AddCompletionQueue();
 	m_server = builder.BuildAndStart();
-	falco_logger::log(LOG_INFO, "Starting gRPC server at " + m_server_addr + "\n");
+	gpr_log(GPR_INFO, "gRPC server starting: address=%s", m_server_addr.c_str());
 
 	// The number of contexts is multiple of the number of threads
 	// This defines the number of simultaneous completion queue requests of the same type (service::AsyncService::Request##RPC)
@@ -136,8 +183,9 @@ void falco::grpc::server::run()
 	int context_num = m_threadiness * 10;
 	// todo(leodido) > take a look at thread_stress_test.cc into grpc repository
 
-	REGISTER_UNARY(version::request, version::response, version::service, version, version, context_num)
-	REGISTER_STREAM(output::request, output::response, output::service, subscribe, subscribe, context_num)
+	REGISTER_UNARY(version::request, version::response, version::service, version, version_impl, context_num)
+	REGISTER_UNARY(inputs::request, inputs::response, inputs::service, input, input_impl, context_num)
+	REGISTER_STREAM(outputs::request, outputs::response, outputs::service, outputs, outputs_impl, context_num)
 
 	m_threads.resize(m_threadiness);
 	int thread_idx = 0;
@@ -145,23 +193,23 @@ void falco::grpc::server::run()
 	{
 		thread = std::thread(&server::thread_process, this, thread_idx++);
 	}
-	// todo(leodido) > log "gRPC server running: threadiness=m_threads.size()"
+	gpr_log(GPR_INFO, "gRPC server running: threadiness=%zu", m_threads.size());
 
 	while(server_impl::is_running())
 	{
 		sleep(1);
 	}
-	// todo(leodido) > log "stopping gRPC server"
+	gpr_log(GPR_INFO, "gRPC server stopping");
 	stop();
 }
 
 void falco::grpc::server::stop()
 {
-	falco_logger::log(LOG_INFO, "Shutting down gRPC server. Waiting until external connections are closed by clients\n");
+	gpr_log(GPR_INFO, "gRPC server shutting down");
 	m_server->Shutdown();
 	m_completion_queue->Shutdown();
 
-	falco_logger::log(LOG_INFO, "Waiting for the gRPC threads to complete\n");
+	gpr_log(GPR_DEBUG, "gRPC server shutting down: waiting for the gRPC threads to complete");
 	for(std::thread& t : m_threads)
 	{
 		if(t.joinable())
@@ -171,7 +219,7 @@ void falco::grpc::server::stop()
 	}
 	m_threads.clear();
 
-	falco_logger::log(LOG_INFO, "Draining all the remaining gRPC events\n");
+	gpr_log(GPR_DEBUG, "gRPC server shutting down: draining all the remaining gRPC events");
 	// Ignore remaining events
 	void* ignore_tag = nullptr;
 	bool ignore_ok = false;
@@ -179,5 +227,5 @@ void falco::grpc::server::stop()
 	{
 	}
 
-	falco_logger::log(LOG_INFO, "Shutting down gRPC server complete\n");
+	gpr_log(GPR_INFO, "gRPC server shutting down: done");
 }

userspace/falco/grpc_server.h

@@ -29,26 +29,17 @@ namespace grpc
 class server : public server_impl
 {
 public:
-	server()
-	{
-	}
-	server(std::string server_addr, int threadiness, std::string private_key, std::string cert_chain, std::string root_certs):
-		m_server_addr(server_addr),
-		m_threadiness(threadiness),
-		m_private_key(private_key),
-		m_cert_chain(cert_chain),
-		m_root_certs(root_certs)
-	{
-	}
+	server() = default;
 	virtual ~server() = default;
 
-	void init(std::string server_addr, int threadiness, std::string private_key, std::string cert_chain, std::string root_certs);
+	void init(std::string server_addr, std::string private_key, std::string cert_chain, std::string root_certs, int threadiness, std::string log_level);
 	void thread_process(int thread_index);
 	void run();
 	void stop();
 
-	output::service::AsyncService m_output_svc;
+	outputs::service::AsyncService m_outputs_svc;
 	version::service::AsyncService m_version_svc;
+	inputs::service::AsyncService m_inputs_svc;
 
 	std::unique_ptr<::grpc::ServerCompletionQueue> m_completion_queue;
 

userspace/falco/grpc_server_impl.cpp

@@ -17,7 +17,7 @@ limitations under the License.
 #include "config_falco.h"
 #include "grpc_server_impl.h"
 #include "falco_output_queue.h"
-#include "banned.h" // This raises a compilation error when certain functions are used
+#include "banned.h"
 
 bool falco::grpc::server_impl::is_running()
 {
@@ -28,24 +28,42 @@ bool falco::grpc::server_impl::is_running()
 	return true;
 }
 
-void falco::grpc::server_impl::subscribe(const stream_context& ctx, const output::request& req, output::response& res)
+void falco::grpc::server_impl::outputs_impl(const stream_context& ctx, const outputs::request& req, outputs::response& res)
 {
-	if(ctx.m_status == stream_context::SUCCESS || ctx.m_status == stream_context::ERROR)
+	std::string client = ctx.peer();
+	if(ctx.m_status == stream_status::SUCCESS || ctx.m_status == stream_status::ERROR)
 	{
-		// todo(leodido) > log "status=ctx->m_status, stream=ctx->m_stream"
+		// Entering here when the streaming completed (request_context_base::FINISH)
+		// context m_status == stream_context::SUCCESS when the gRPC server shutdown the context
+		// context m_status == stream_context::ERROR when the gRPC client shutdown the context
+		gpr_log(
+			GPR_DEBUG,
+			"server_impl::%s -> streaming done: %s, client=%s, status=%s, stream=%p",
+			__func__,
+			ctx.m_prefix.c_str(),
+			client.c_str(),
+			stream_status_Name(ctx.m_status).c_str(),
+			ctx.m_stream);
 		ctx.m_stream = nullptr;
 	}
 	else
 	{
-		// Start or continue streaming
-		// todo(leodido) > check for m_status == stream_context::STREAMING?
-		// todo(leodido) > set m_stream
-		if(output::queue::get().try_pop(res) && !req.keepalive())
+		// Start or continue streaming (m_status == stream_context::STREAMING)
+		gpr_log(
+			GPR_DEBUG,
+			"server_impl::%s -> start or continue streaming: %s, client=%s, status=%s, stream=%p",
+			__func__,
+			ctx.m_prefix.c_str(),
+			client.c_str(),
+			stream_status_Name(ctx.m_status).c_str(),
+			ctx.m_stream);
+		// note(leodido) > set request-specific data on m_stream here, in case it is needed
+		if(outputs::queue::get().try_pop(res) && !req.keepalive())
 		{
 			ctx.m_has_more = true;
 			return;
 		}
-		while(is_running() && !output::queue::get().try_pop(res) && req.keepalive())
+		while(is_running() && !outputs::queue::get().try_pop(res) && req.keepalive())
 		{
 		}
 
@@ -53,8 +71,10 @@ void falco::grpc::server_impl::subscribe(const stream_context& ctx, const output
 	}
 }
 
-void falco::grpc::server_impl::version(const context& ctx, const version::request&, version::response& res)
+void falco::grpc::server_impl::version_impl(const context& ctx, const version::request& req, version::response& res)
 {
+	gpr_log(GPR_DEBUG, "server_impl::%s -> replying: %s, client=%s", __func__, ctx.m_prefix.c_str(), ctx.peer().c_str());
+
 	auto& build = *res.mutable_build();
 	build = FALCO_VERSION_BUILD;
 
@@ -69,6 +89,18 @@ void falco::grpc::server_impl::version(const context& ctx, const version::reques
 	res.set_patch(FALCO_VERSION_PATCH);
 }
 
+void falco::grpc::server_impl::input_impl(const context& ctx, const inputs::request& req, inputs::response& res)
+{
+	std::string client = ctx.peer();
+	gpr_log(GPR_DEBUG, "server_impl::%s -> replying: %s, client=%s", __func__, ctx.m_prefix.c_str(), client.c_str());
+	// todo(leodido) > implement
+	// retrieve metadata
+	// if type = K8S_AUDIT
+	// ...
+	// if type = SYSCALL
+	// ...
+}
+
 void falco::grpc::server_impl::shutdown()
 {
 	m_stop = true;

userspace/falco/grpc_server_impl.h

@@ -17,8 +17,9 @@ limitations under the License.
 #pragma once
 
 #include <atomic>
-#include "output.grpc.pb.h"
+#include "outputs.grpc.pb.h"
 #include "version.grpc.pb.h"
+#include "inputs.grpc.pb.h"
 #include "grpc_context.h"
 
 namespace falco
@@ -36,9 +37,11 @@ public:
 protected:
 	bool is_running();
 
-	void subscribe(const stream_context& ctx, const output::request& req, output::response& res);
+	void outputs_impl(const stream_context& ctx, const outputs::request& req, outputs::response& res);
 
-	void version(const context& ctx, const version::request& req, version::response& res);
+	void version_impl(const context& ctx, const version::request& req, version::response& res);
+
+	void input_impl(const context& ctx, const inputs::request& req, inputs::response& res);
 
 private:
 	std::atomic<bool> m_stop{false};

userspace/falco/inputs.proto

@@ -0,0 +1,21 @@
+syntax = "proto3";
+
+// import "event.proto";
+
+import "google/protobuf/any.proto";
+
+package falco.inputs;
+
+option go_package = "github.com/falcosecurity/client-go/pkg/api/inputs";
+
+// service service { rpc input(request) returns (response); }
+
+// message request { repeated falco.event.event data = 1; }
+
+// message response {};
+
+service service { rpc input(request) returns (response); }
+
+message request { repeated google.protobuf.Any events = 1; }
+
+message response {};

userspace/falco/logger.cpp

@@ -19,7 +19,7 @@ limitations under the License.
 #include "chisel_api.h"
 
 #include "falco_common.h"
-#include "banned.h" // This raises a compilation error when certain functions are used
+#include "banned.h"
 
 const static struct luaL_reg ll_falco [] =
 {
@@ -131,8 +131,12 @@ void falco_logger::log(int priority, const string msg)
 		{
 			char buf[sizeof "YYYY-MM-DDTHH:MM:SS-0000"];
 			struct tm *gtm = std::gmtime(&result);
-			if(gtm != NULL &&
-			   (strftime(buf, sizeof(buf), "%FT%T%z", gtm) != 0))
+			if(gtm == NULL ||
+			   (strftime(buf, sizeof(buf), "%FT%T%z", gtm) == 0))
+			{
+				sprintf(buf, "N/A");
+			}
+			else
 			{
 				fprintf(stderr, "%s: %s", buf, msg.c_str());
 			}

userspace/falco/outputs.proto

@@ -3,18 +3,18 @@ syntax = "proto3";
 import "google/protobuf/timestamp.proto";
 import "schema.proto";
 
-package falco.output;
+package falco.outputs;
 
-option go_package = "github.com/falcosecurity/client-go/pkg/api/output";
+option go_package = "github.com/falcosecurity/client-go/pkg/api/outputs";
 
-// The `subscribe` service defines the RPC call
+// The `outputs` service defines a server-streaming RPC call
 // to perform an output `request` which will lead to obtain an output `response`.
 service service {
-  rpc subscribe(request) returns (stream response);
+  rpc outputs(request) returns (stream response);
 }
 
 // The `request` message is the logical representation of the request model.
-// It is the input of the `subscribe` service.
+// It is the input of the `outputs` service.
 // It is used to configure the kind of subscription to the gRPC streaming server.
 //
 // By default the request asks to the server to only receive the accumulated events.

userspace/falco/statsfilewriter.cpp

@@ -18,7 +18,7 @@ limitations under the License.
 #include <signal.h>
 
 #include "statsfilewriter.h"
-#include "banned.h" // This raises a compilation error when certain functions are used
+#include "banned.h"
 
 using namespace std;
 

userspace/falco/utils.cpp

@@ -15,7 +15,7 @@ limitations under the License.
 */
 
 #include "utils.h"
-#include "banned.h" // This raises a compilation error when certain functions are used
+#include "banned.h"
 
 void falco::utils::read(const std::string& filename, std::string& data)
 {

userspace/falco/webserver.cpp

@@ -20,7 +20,7 @@ limitations under the License.
 #include "falco_common.h"
 #include "webserver.h"
 #include "json_evt.h"
-#include "banned.h" // This raises a compilation error when certain functions are used
+#include "banned.h"
 
 using json = nlohmann::json;
 using namespace std;