wip: pointer to pointer in hawk_engine rules_cb

Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com> Signed-off-by: Lorenzo Fontana <lo@linux.com>
wip
2026-03-20 11:42:06 +00:00 · 2020-11-04 19:06:41 +01:00 · 2020-11-04 12:05:07 +00:00 · 2020-10-29 11:33:12 +00:00 · 2020-10-29 10:58:28 +00:00 · 2020-10-28 15:43:27 +01:00
123 changed files with 4518 additions and 2271 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,7 +1,151 @@
 version: 2
 jobs:
+  # Build a statically linked Falco release binary using musl
+  # This build is 100% static, there are no host dependencies
+  "build/musl":
+    docker:
+      - image: alpine:3.12
+    steps:
+      - checkout:
+          path: /source-static/falco
+      - run:
+          name: Update base image
+          command: apk update
+      - run:
+          name: Install build dependencies
+          command: apk add g++ gcc cmake cmake make ncurses-dev git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils
+      - run:
+          name: Prepare project
+          command: |
+            mkdir -p /build-static/release
+            cd /build-static/release
+            cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco /source-static/falco
+      - run:
+          name: Build
+          command: |
+            cd /build-static/release
+            make -j4 all
+      - run:
+          name: Package
+          command: |
+            cd /build-static/release
+            make -j4 package
+      - run:
+          name: Run unit tests
+          command: |
+            cd /build-static/release
+            make tests
+      - run:
+          name: Prepare artifacts
+          command: |
+            mkdir -p /tmp/packages
+            cp /build-static/release/*.tar.gz /tmp/packages
+      - store_artifacts:
+          path: /tmp/packages
+          destination: /packages
+      - persist_to_workspace:
+          root: /
+          paths:
+            - build-static/release
+            - source-static
+  # Build the minimal Falco
+  # This build only contains the Falco engine and the basic input/output.
+  "build/minimal":
+    docker:
+      - image: ubuntu:focal
+    steps:
+      - checkout
+      - run:
+          name: Update base image
+          command: apt update -y
+      - run:
+          name: Install dependencies
+          command: DEBIAN_FRONTEND=noninteractive apt install libjq-dev libncurses-dev libyaml-cpp-dev libelf-dev cmake build-essential git -y
+      - run:
+          name: Prepare project
+          command: |
+            mkdir build-minimal
+            pushd build-minimal
+            cmake -DMINIMAL_BUILD=On -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release ..
+            popd
+      - run:
+          name: Build
+          command: |
+            pushd build-minimal
+            make -j4 all
+            popd
+      - run:
+          name: Run unit tests
+          command: |
+            pushd build-minimal
+            make tests
+            popd
  # Build using ubuntu LTS
  # This build is dynamic, most dependencies are taken from the OS
+  "build/ubuntu-focal":
+    docker:
+      - image: ubuntu:focal
+    steps:
+      - checkout
+      - run:
+          name: Update base image
+          command: apt update -y
+      - run:
+          name: Install dependencies
+          command: DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libncurses-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-generic clang llvm git -y
+      - run:
+          name: Prepare project
+          command: |
+            mkdir build
+            pushd build
+            cmake -DBUILD_BPF=On ..
+            popd
+      - run:
+          name: Build
+          command: |
+            pushd build
+            KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4 all
+            popd
+      - run:
+          name: Run unit tests
+          command: |
+            pushd build
+            make tests
+            popd
+  # Debug build using ubuntu LTS
+  # This build is dynamic, most dependencies are taken from the OS
+  "build/ubuntu-focal-debug":
+    docker:
+      - image: ubuntu:focal
+    steps:
+      - checkout
+      - run:
+          name: Update base image
+          command: apt update -y
+      - run:
+          name: Install dependencies
+          command: DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libncurses-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-generic clang llvm git -y
+      - run:
+          name: Prepare project
+          command: |
+            mkdir build
+            pushd build
+            cmake -DCMAKE_BUILD_TYPE=debug -DBUILD_BPF=On ..
+            popd
+      - run:
+          name: Build
+          command: |
+            pushd build
+            KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4 all
+            popd
+      - run:
+          name: Run unit tests
+          command: |
+            pushd build
+            make tests
+            popd
+  # Build using Ubuntu Bionic Beaver (18.04)
+  # This build is static, dependencies are bundled in the Falco binary
  "build/ubuntu-bionic":
    docker:
      - image: ubuntu:bionic
@@ -12,19 +156,19 @@ jobs:
          command: apt update -y
      - run:
          name: Install dependencies
-          command: apt install libssl-dev libyaml-dev libncurses-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm linux-headers-$(uname -r) libelf-dev cmake build-essential libcurl4-openssl-dev -y
+          command: DEBIAN_FRONTEND=noninteractive apt install cmake build-essential clang llvm git linux-headers-generic libncurses-dev pkg-config autoconf libtool libelf-dev -y
      - run:
          name: Prepare project
          command: |
            mkdir build
            pushd build
-            cmake ..
+            cmake -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=On ..
            popd
      - run:
          name: Build
          command: |
            pushd build
-            make -j4 all
+            KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4 all
            popd
      - run:
          name: Run unit tests
@@ -32,31 +176,31 @@ jobs:
            pushd build
            make tests
            popd
-  # Debug build using ubuntu LTS
-  # This build is dynamic, most dependencies are taken from the OS
-  "build/ubuntu-bionic-debug":
+  # Build using CentOS 8
+  # This build is static, dependencies are bundled in the Falco binary
+  "build/centos8":
    docker:
-      - image: ubuntu:bionic
+      - image: centos:8
    steps:
      - checkout
      - run:
          name: Update base image
-          command: apt update -y
+          command: dnf update -y
      - run:
          name: Install dependencies
-          command: apt install libssl-dev libyaml-dev libncurses-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm linux-headers-$(uname -r) libelf-dev cmake build-essential libcurl4-openssl-dev -y
+          command: dnf install gcc gcc-c++ git make cmake autoconf automake pkg-config patch ncurses-devel libtool elfutils-libelf-devel diffutils kernel-devel kernel-headers kernel-core clang llvm which -y
      - run:
          name: Prepare project
          command: |
            mkdir build
            pushd build
-            cmake -DCMAKE_BUILD_TYPE=debug ..
+            cmake -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=On ..
            popd
      - run:
          name: Build
          command: |
            pushd build
-            make -j4 all
+            KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4 all
            popd
      - run:
          name: Run unit tests
@@ -65,7 +209,7 @@ jobs:
            make tests
            popd
  # Build using our own builder base image using centos 7
-  # This build is static, dependencies are bundled in the falco binary
+  # This build is static, dependencies are bundled in the Falco binary
  "build/centos7":
    docker:
      - image: falcosecurity/falco-builder:latest
@@ -102,7 +246,7 @@ jobs:
          path: /tmp/packages
          destination: /packages
  # Debug build using our own builder base image using centos 7
-  # This build is static, dependencies are bundled in the falco binary
+  # This build is static, dependencies are bundled in the Falco binary
  "build/centos7-debug":
    docker:
      - image: falcosecurity/falco-builder:latest
@@ -138,6 +282,21 @@ jobs:
      - run:
          name: Execute integration tests
          command: /usr/bin/entrypoint test
+  "tests/integration-static":
+    docker:
+      - image: falcosecurity/falco-tester:latest
+        environment:
+          SOURCE_DIR: "/source-static"
+          BUILD_DIR: "/build-static"
+          BUILD_TYPE: "release"
+          SKIP_PACKAGES_TESTS: "true"
+    steps:
+      - setup_remote_docker
+      - attach_workspace:
+          at: /
+      - run:
+          name: Execute integration tests
+          command: /usr/bin/entrypoint test
  "tests/driver-loader/integration":
    machine:
      image: ubuntu-1604:202004-01
@@ -147,6 +306,33 @@ jobs:
      - run:
          name: Execute driver-loader integration tests
          command: /tmp/ws/source/falco/test/driver-loader/run_test.sh /tmp/ws/build/release/
+  # Code quality
+  "quality/static-analysis":
+    docker:
+      - image: falcosecurity/falco-builder:latest
+        environment:
+          BUILD_TYPE: "release"
+    steps:
+      - run:
+          name: Install cppcheck
+          command: |
+            yum update -y
+            yum install epel-release -y
+            yum install cppcheck cppcheck-htmlreport -y
+      - checkout:
+          path: /source/falco
+      - run:
+          name: Prepare project
+          command: /usr/bin/entrypoint cmake
+      - run:
+          name: cppcheck
+          command: /usr/bin/entrypoint cppcheck
+      - run:
+          name: cppcheck html report
+          command: /usr/bin/entrypoint cppcheck_htmlreport
+      - store_artifacts:
+          path: /build/release/static-analysis-reports
+          destination: /static-analysis-reports
  # Sign rpm packages
  "rpm/sign":
    docker:
@@ -203,10 +389,34 @@ jobs:
            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
      - run:
-          name: Publish tgz-dev
+          name: Publish bin-dev
          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin-dev/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
+            FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin-dev/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
+  # Clenup the Falco development release packages
+  "cleanup/packages-dev":
+    docker:
+      - image: docker.bintray.io/jfrog/jfrog-cli-go:latest
+    steps:
+      - checkout:
+          path: /source/falco
+      - run:
+          name: Prepare env
+          command: |
+            apk add --no-cache --update
+            apk add curl jq
+      - run:
+          name: Only keep the 10 most recent Falco development release tarballs
+          command: |
+            /source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r bin-dev
+      - run:
+          name: Only keep the 50 most recent Falco development release RPMs
+          command: |
+            /source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r rpm-dev
+      - run:
+          name: Only keep the 50 most recent Falco development release DEBs
+          command: |
+            /source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r deb-dev
  # Publish docker packages
  "publish/docker-dev":
    docker:
@@ -263,10 +473,10 @@ jobs:
            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
      - run:
-          name: Publish tgz
+          name: Publish bin
          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
+            FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
  # Publish docker packages
  "publish/docker":
    docker:
@@ -308,16 +518,23 @@ workflows:
  version: 2
  build_and_test:
    jobs:
+      - "build/musl"
+      - "build/minimal"
+      - "build/ubuntu-focal"
+      - "build/ubuntu-focal-debug"
      - "build/ubuntu-bionic"
-      - "build/ubuntu-bionic-debug"
+      - "build/centos8"
      - "build/centos7"
      - "build/centos7-debug"
      - "tests/integration":
          requires:
            - "build/centos7"
+      - "tests/integration-static":
+          requires:
+            - "build/musl"
      - "tests/driver-loader/integration":
          requires:
-              - "build/centos7"
+            - "build/centos7"
      - "rpm/sign":
          context: falco
          filters:
@@ -336,6 +553,16 @@ workflows:
              only: master
          requires:
            - "rpm/sign"
+            - "tests/integration-static"
+      - "cleanup/packages-dev":
+          context: falco
+          filters:
+            tags:
+              ignore: /.*/
+            branches:
+              only: master
+          requires:
+            - "publish/packages-dev"
      - "publish/docker-dev":
          context: falco
          filters:
@@ -346,8 +573,15 @@ workflows:
          requires:
            - "publish/packages-dev"
            - "tests/driver-loader/integration"
+      - "quality/static-analysis"
  release:
    jobs:
+      - "build/musl":
+          filters:
+            tags:
+              only: /.*/
+            branches:
+              ignore: /.*/
      - "build/centos7":
          filters:
            tags:
@@ -366,6 +600,7 @@ workflows:
      - "publish/packages":
          context: falco
          requires:
+            - "build/musl"
            - "rpm/sign"
          filters:
            tags:
--- a/.github/stale.yml
+++ b/.github/stale.yml
@@ -6,7 +6,6 @@ daysUntilClose: 7
 exemptLabels:
  - cncf
  - roadmap
-  - enhancement
  - "help wanted"
 # Label to use when marking an issue as stale
 staleLabel: wontfix
@@ -15,5 +14,7 @@ markComment: >
  This issue has been automatically marked as stale because it has not had
  recent activity. It will be closed if no further activity occurs. Thank you
  for your contributions.
+  Issues labeled "cncf", "roadmap" and "help wanted" will not be automatically closed.
+  Please refer to a maintainer to get such label added if you think this should be kept open.
 # Comment to post when closing a stale issue. Set to `false` to disable
-closeComment: false
+closeComment: false
--- a/.gitignore
+++ b/.gitignore
@@ -11,8 +11,6 @@ test/.phoronix-test-suite
 test/results*.json.*
 test/build

-userspace/falco/lua/re.lua
-userspace/falco/lua/lpeg.so
 userspace/engine/lua/lyaml
 userspace/engine/lua/lyaml.lua

--- a/.luacheckrc
+++ b/.luacheckrc
@@ -1,7 +1,6 @@
 std = "min"
 cache = true
 include_files = {
-    "userspace/falco/lua/*.lua",
    "userspace/engine/lua/*.lua",
    "userspace/engine/lua/lyaml/*.lua",
    "*.luacheckrc"
--- a/ADOPTERS.md
+++ b/ADOPTERS.md
@@ -8,8 +8,13 @@ This is a list of production adopters of Falco (in alphabetical order):

 * [Frame.io](https://frame.io/) - Frame.io is a cloud-based (SaaS) video review and collaboration platform that enables users to securely upload source media, work-in-progress edits, dailies, and more into private workspaces where they can invite their team and clients to collaborate on projects. Understanding what is running on production servers, and the context around why things are running is even more tricky now that we have further abstractions like Docker and Kubernetes. To get this needed visibility into our system, we rely on Falco. Falco's ability to collect raw system calls such as open, connect, exec, along with their arguments offer key insights on what is happening on the production system and became the foundation of our intrusion detection and alerting system.

+* [GitLab](https://about.gitlab.com/direction/defend/container_host_security/) - GitLab is a complete DevOps platform, delivered as a single application, fundamentally changing the way Development, Security, and Ops teams collaborate. GitLab Ultimate provides the single tool teams need to find, triage, and fix vulnerabilities in applications, services, and cloud-native environments enabling them to manage their risk. This provides them with repeatable, defensible processes that automate security and compliance policies. GitLab includes a tight integration with Falco, allowing users to defend their containerized applications from attacks while running in production.
+
 * [League](https://league.com/ca/) - League provides health benefits management services to help employees understand and get the most from their benefits, and employers to provide effective, efficient plans. Falco is used to monitor our deployed services on Kubernetes, protecting against malicious access to containerswhich could lead to leaks of PHI or other sensitive data. The Falco alerts are logged in Stackdriver for grouping and further analysis. In the future, we're hoping for integrations with Prometheus and AlertManager as well.

+* [Logz.io](https://logz.io/) - Logz.io is a cloud observability platform for modern engineering teams. The Logz.io platform consists of three products — Log Management, Infrastructure Monitoring, and Cloud SIEM — that work together to unify the jobs of monitoring, troubleshooting, and security. We empower engineers to deliver better software by offering the world's most popular open source observability tools — the ELK Stack, Grafana, and Jaeger — in a single, easy to use, and powerful platform purpose-built for monitoring distributed cloud environments. Cloud SIEM supports data from multiple sources, including Falco's alerts, and offers useful rules and dashboards content to visualize and manage incidents across your systems in a unified UI.
+  * https://logz.io/blog/k8s-security-with-falco-and-cloud-siem/
+
 * [Preferral](https://www.preferral.com) - Preferral is a HIPAA-compliant platform for Referral Management and Online Referral Forms. Preferral streamlines the referral process for patients, specialists and their referral partners. By automating the referral process, referring practices spend less time on the phone, manual efforts are eliminated, and patients get the right care from the right specialist. Preferral leverages Falco to provide a Host Intrusion Detection System to meet their HIPPA compliance requirements.
  * https://hipaa.preferral.com/01-preferral_hipaa_compliance/

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,10 +1,202 @@
 # Change Log

-This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).
+## v0.26.1
+
+Released on 2020-10-01
+
+### Major Changes
+
+* new: CLI flag `--alternate-lua-dir` to load Lua files from arbitrary paths [[#1419](https://github.com/falcosecurity/falco/pull/1419)] - [@admiral0](https://github.com/admiral0)
+
+
+### Rule Changes
+
+* rule(Delete or rename shell history): fix warnings/FPs + container teardown [[#1423](https://github.com/falcosecurity/falco/pull/1423)] - [@mstemm](https://github.com/mstemm)
+* rule(Write below root): ensure proc_name_exists too [[#1423](https://github.com/falcosecurity/falco/pull/1423)] - [@mstemm](https://github.com/mstemm)
+
+
+## v0.26.0
+
+Released on 2020-24-09
+
+### Major Changes
+
+* new: address several sources of FPs, primarily from GKE environments. [[#1372](https://github.com/falcosecurity/falco/pull/1372)] - [@mstemm](https://github.com/mstemm)
+* new: driver updated to 2aa88dcf6243982697811df4c1b484bcbe9488a2 [[#1410](https://github.com/falcosecurity/falco/pull/1410)] - [@leogr](https://github.com/leogr)
+* new(scripts/falco-driver-loader): detect and try to build the Falco kernel module driver using different GCC versions available in the current environment. [[#1408](https://github.com/falcosecurity/falco/pull/1408)] - [@fntlnz](https://github.com/fntlnz)
+* new: tgz (tarball) containing the statically-linked (musl) binary of Falco is now automatically built and published on bintray [[#1377](https://github.com/falcosecurity/falco/pull/1377)] - [@leogr](https://github.com/leogr)
+
+
+### Minor Changes
+
+* update: bump Falco engine version to 7 [[#1381](https://github.com/falcosecurity/falco/pull/1381)] - [@leogr](https://github.com/leogr)
+* update: the required_engine_version is now on by default [[#1381](https://github.com/falcosecurity/falco/pull/1381)] - [@leogr](https://github.com/leogr)
+* update: falcosecurity/falco-no-driver image now uses the statically-linked Falco [[#1377](https://github.com/falcosecurity/falco/pull/1377)] - [@leogr](https://github.com/leogr)
+* docs(proposals): artifacts storage [[#1375](https://github.com/falcosecurity/falco/pull/1375)] - [@leodido](https://github.com/leodido)
+* docs(proposals): artifacts cleanup [[#1375](https://github.com/falcosecurity/falco/pull/1375)] - [@leodido](https://github.com/leodido)
+
+
+### Rule Changes
+
+* rule(macro inbound_outbound): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)] - [@ldegio](https://github.com/ldegio)
+* rule(macro redis_writing_conf): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)] - [@ldegio](https://github.com/ldegio)
+* rule(macro run_by_foreman): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)] - [@ldegio](https://github.com/ldegio)
+* rule(macro consider_packet_socket_communication): enable "Packet socket created in container" rule by default. [[#1402](https://github.com/falcosecurity/falco/pull/1402)] - [@rung](https://github.com/rung)
+* rule(Delete or rename shell history): skip docker overlay filesystems when considering bash history [[#1393](https://github.com/falcosecurity/falco/pull/1393)] - [@mstemm](https://github.com/mstemm)
+* rule(Disallowed K8s User): quote colons in user names [[#1393](https://github.com/falcosecurity/falco/pull/1393)] - [@mstemm](https://github.com/mstemm)
+* rule(macro falco_sensitive_mount_containers): Adds a trailing slash to avoid repo naming issues [[#1394](https://github.com/falcosecurity/falco/pull/1394)] - [@bgeesaman](https://github.com/bgeesaman)
+* rule: adds user.loginuid to the default Falco rules that also contain user.name [[#1369](https://github.com/falcosecurity/falco/pull/1369)] - [@csschwe](https://github.com/csschwe)
+
+## v0.25.0
+
+Released on 2020-08-25
+
+### Major Changes
+
+* new(userspace/falco): print the Falco and driver versions at the very beginning of the output. [[#1303](https://github.com/falcosecurity/falco/pull/1303)] - [@leogr](https://github.com/leogr)
+* new: libyaml is now bundled in the release process. Users can now avoid installing libyaml directly when getting Falco from the official release. [[#1252](https://github.com/falcosecurity/falco/pull/1252)] - [@fntlnz](https://github.com/fntlnz)
+
+
+### Minor Changes
+
+* docs(test): step-by-step instructions to run integration tests locally [[#1313](https://github.com/falcosecurity/falco/pull/1313)] - [@leodido](https://github.com/leodido)
+* update: renameat2 syscall support [[#1355](https://github.com/falcosecurity/falco/pull/1355)] - [@fntlnz](https://github.com/fntlnz)
+* update: support for 5.8.x kernels [[#1355](https://github.com/falcosecurity/falco/pull/1355)] - [@fntlnz](https://github.com/fntlnz)
+
+
+### Bug Fixes
+
+* fix(userspace/falco): correct the fallback mechanism for loading the kernel module [[#1366](https://github.com/falcosecurity/falco/pull/1366)] - [@leogr](https://github.com/leogr)
+* fix(falco-driver-loader): script crashing when using arguments [[#1330](https://github.com/falcosecurity/falco/pull/1330)] - [@antoinedeschenes](https://github.com/antoinedeschenes)
+
+
+### Rule Changes
+
+* rule(macro user_trusted_containers): add `sysdig/node-image-analyzer` and `sysdig/agent-slim` [[#1321](https://github.com/falcosecurity/falco/pull/1321)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(macro falco_privileged_images): add `docker.io/falcosecurity/falco` [[#1326](https://github.com/falcosecurity/falco/pull/1326)] - [@nvanheuverzwijn](https://github.com/nvanheuverzwijn)
+* rule(EphemeralContainers Created): add new rule to detect ephemeral container created [[#1339](https://github.com/falcosecurity/falco/pull/1339)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(macro user_read_sensitive_file_containers): replace endswiths with exact image repo name [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(macro user_trusted_containers): replace endswiths with exact image repo name [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(macro user_privileged_containers): replace endswiths with exact image repo name [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(macro trusted_images_query_miner_domain_dns): replace endswiths with exact image repo name [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(macro falco_privileged_containers): append "/" to quay.io/sysdig [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(list falco_privileged_images): add images docker.io/sysdig/agent-slim and docker.io/sysdig/node-image-analyzer [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(list falco_sensitive_mount_images): add image docker.io/sysdig/agent-slim [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(list k8s_containers): prepend docker.io to images [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(macro exe_running_docker_save): add better support for centos [[#1350](https://github.com/falcosecurity/falco/pull/1350)] - [@admiral0](https://github.com/admiral0)
+* rule(macro rename): add `renameat2` syscall [[#1359](https://github.com/falcosecurity/falco/pull/1359)] - [@leogr](https://github.com/leogr)
+* rule(Read sensitive file untrusted): add trusted images into whitelist [[#1327](https://github.com/falcosecurity/falco/pull/1327)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(Pod Created in Kube Namespace): add new list k8s_image_list as white list [[#1336](https://github.com/falcosecurity/falco/pull/1336)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(list allowed_k8s_users): add "kubernetes-admin" user [[#1323](https://github.com/falcosecurity/falco/pull/1323)] - [@leogr](https://github.com/leogr)
+
+## v0.24.0
+
+Released on 2020-07-16
+
+### Major Changes
+
+* new: Falco now supports userspace instrumentation with the -u flag [[#1195](https://github.com/falcosecurity/falco/pull/1195)]
+* BREAKING CHANGE: --stats_interval is now --stats-interval [[#1308](https://github.com/falcosecurity/falco/pull/1308)]
+* new: auto threadiness for gRPC server [[#1271](https://github.com/falcosecurity/falco/pull/1271)]
+* BREAKING CHANGE: server streaming gRPC outputs method is now `falco.outputs.service/get` [[#1241](https://github.com/falcosecurity/falco/pull/1241)]
+* new: new bi-directional async streaming gRPC outputs (`falco.outputs.service/sub`)  [[#1241](https://github.com/falcosecurity/falco/pull/1241)]
+* new: unix socket for the gRPC server [[#1217](https://github.com/falcosecurity/falco/pull/1217)]
+
+
+### Minor Changes
+
+* update: driver version is 85c88952b018fdbce2464222c3303229f5bfcfad now [[#1305](https://github.com/falcosecurity/falco/pull/1305)]
+* update: `SKIP_MODULE_LOAD` renamed to `SKIP_DRIVER_LOADER` [[#1297](https://github.com/falcosecurity/falco/pull/1297)]
+* docs: add leogr to OWNERS [[#1300](https://github.com/falcosecurity/falco/pull/1300)]
+* update: default threadiness to 0 ("auto" behavior) [[#1271](https://github.com/falcosecurity/falco/pull/1271)]
+* update: k8s audit endpoint now defaults to /k8s-audit everywhere [[#1292](https://github.com/falcosecurity/falco/pull/1292)]
+* update(falco.yaml): `webserver.k8s_audit_endpoint` default value changed from `/k8s_audit` to `/k8s-audit` [[#1261](https://github.com/falcosecurity/falco/pull/1261)]
+* docs(test): instructions to run regression test suites locally [[#1234](https://github.com/falcosecurity/falco/pull/1234)]
+
+
+### Bug Fixes
+
+* fix: --stats-interval correctly accepts values >= 999 (ms) [[#1308](https://github.com/falcosecurity/falco/pull/1308)]
+* fix: make the eBPF driver build work on CentOS 8 [[#1301](https://github.com/falcosecurity/falco/pull/1301)]
+* fix(userspace/falco): correct options handling for `buffered_output: false` which was not honored for the `stdout` output [[#1296](https://github.com/falcosecurity/falco/pull/1296)]
+* fix(userspace/falco): honor -M also when using a trace file [[#1245](https://github.com/falcosecurity/falco/pull/1245)]
+* fix: high CPU usage when using server streaming gRPC outputs [[#1241](https://github.com/falcosecurity/falco/pull/1241)]
+* fix: missing newline from some log messages (eg., token bucket depleted) [[#1257](https://github.com/falcosecurity/falco/pull/1257)]
+
+
+### Rule Changes
+
+* rule(Container Drift Detected (chmod)): disabled by default [[#1316](https://github.com/falcosecurity/falco/pull/1316)]
+* rule(Container Drift Detected (open+create)): disabled by default [[#1316](https://github.com/falcosecurity/falco/pull/1316)]
+* rule(Write below etc): allow snapd to write its unit files [[#1289](https://github.com/falcosecurity/falco/pull/1289)]
+* rule(macro remote_file_copy_procs): fix reference to remote_file_copy_binaries [[#1224](https://github.com/falcosecurity/falco/pull/1224)]
+* rule(list allowed_k8s_users): whitelisted kube-apiserver-healthcheck user created by kops >= 1.17.0 for the kube-apiserver-healthcheck sidecar [[#1286](https://github.com/falcosecurity/falco/pull/1286)]
+* rule(Change thread namespace): Allow `protokube`, `dockerd`, `tini` and `aws` binaries to change thread namespace. [[#1222](https://github.com/falcosecurity/falco/pull/1222)]
+* rule(macro exe_running_docker_save): to filter out cmdlines containing `/var/run/docker`. [[#1222](https://github.com/falcosecurity/falco/pull/1222)]
+* rule(macro user_known_cron_jobs): new macro to be overridden to list known cron jobs   [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Schedule Cron Jobs): exclude known cron jobs  [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_update_package_registry): new macro to be overridden to list known package registry update  [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Update Package Registry): exclude known package registry update [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_read_ssh_information_activities): new macro to be overridden to list known activities that read SSH info  [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Read ssh information): do not throw for activities known to read SSH info [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_read_sensitive_files_activities): new macro to be overridden to list activities known to read sensitive files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Read sensitive file trusted after startup): do not throw for activities known to read sensitive files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Read sensitive file untrusted): do not throw for activities known to read sensitive files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_write_rpm_database_activities): new macro to be overridden to list activities known to write RPM database [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Write below rpm database): do not throw for activities known to write RPM database [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_db_spawned_processes): new macro to be overridden to list processes known to spawn DB [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(DB program spawned process): do not throw for processes known to spawn DB [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_modify_bin_dir_activities): new macro to be overridden to list activities known to modify bin directories [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Modify binary dirs): do not throw for activities known to modify bin directories [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_mkdir_bin_dir_activities): new macro to be overridden to list activities known to create directories below bin directories [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Mkdir binary dirs): do not throw for activities known to create directories below bin directories [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_system_user_login): new macro to exclude known system user logins [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(System user interactive): do not throw for known system user logins [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_user_management_activities): new macro to be overridden to list activities known to do user managements activities [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(User mgmt binaries): do not throw for activities known to do user managements activities [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_create_files_below_dev_activities): new macro to be overridden to list activities known to create files below dev [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Create files below dev): do not throw for activities known to create files below dev [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_contact_k8s_api_server_activities): new macro to be overridden to list activities known to contact Kubernetes API server [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Contact K8S API Server From Container): do not throw for activities known to contact Kubernetes API server [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_network_tool_activities): new macro to be overridden to list activities known to spawn/use network tools [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Launch Suspicious Network Tool in Container): do not throw for activities known to spawn/use network tools [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_remove_data_activities): new macro to be overridden to list activities known to perform data remove commands [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Remove Bulk Data from Disk): do not throw for activities known to perform data remove commands [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_create_hidden_file_activities): new macro to be overridden to list activities known to create hidden files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Create Hidden Files or Directories): do not throw for activities known to create hidden files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_stand_streams_redirect_activities): new macro to be overridden to list activities known to redirect stream to network connection (in containers) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Redirect STDOUT/STDIN to Network Connection in Container): do not throw for activities known to redirect stream to network connection (in containers) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_container_drift_activities): new macro to be overridden to list activities known to create executables in containers [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Container Drift Detected (chmod)): do not throw for activities known to give execution permissions to files in containers [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Container Drift Detected (open+create)): do not throw for activities known to create executables in containers [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_node_port_service): do not throw for services known to start with a NopePort service type (k8s) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Create NodePort Service): do not throw for services known to start with a NopePort service type (k8s) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_exec_pod_activities): do not throw for activities known to attach/exec to a pod (k8s) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Attach/Exec Pod): do not throw for activities known to attach/exec to a pod (k8s) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro trusted_pod): defines trusted pods by an image list  [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Pod Created in Kube Namespace): do not throw for trusted pods [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro trusted_sa): define trusted ServiceAccount [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Service Account Created in Kube Namespace): do not throw for trusted ServiceAccount [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(list network_tool_binaries): add zmap to the list [[#1284](https://github.com/falcosecurity/falco/pull/1284)]
+* rule(macro root_dir): correct macro to exactly match the `/root` dir and not other with just `/root` as a prefix [[#1279](https://github.com/falcosecurity/falco/pull/1279)]
+* rule(macro user_expected_terminal_shell_in_container_conditions): allow whitelisting terminals in containers under specific conditions [[#1154](https://github.com/falcosecurity/falco/pull/1154)]
+* rule(macro user_known_write_below_binary_dir_activities): allow writing to a binary dir in some conditions [[#1260](https://github.com/falcosecurity/falco/pull/1260)]
+* rule(macro trusted_logging_images): Add addl fluentd image [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
+* rule(macro trusted_logging_images): Let azure-npm image write to /var/log [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
+* rule(macro lvprogs_writing_conf): Add lvs as a lvm program [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
+* rule(macro user_known_k8s_client_container): Allow hcp-tunnelfront to run kubectl in containers [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
+* rule(list allowed_k8s_users): Add vertical pod autoscaler as known k8s users [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
+* rule(Anonymous Request Allowed): update to checking auth decision equals to allow [[#1267](https://github.com/falcosecurity/falco/pull/1267)]
+* rule(Container Drift Detected (chmod)): new rule to detect if an existing file get exec permissions in a container [[#1254](https://github.com/falcosecurity/falco/pull/1254)]
+* rule(Container Drift Detected (open+create)): new rule to detect if a new file with execution permission is created in a container [[#1254](https://github.com/falcosecurity/falco/pull/1254)]
+* rule(Mkdir binary dirs): correct condition in macro `bin_dir_mkdir` to catch `mkdirat` syscall [[#1250](https://github.com/falcosecurity/falco/pull/1250)]
+* rule(Modify binary dirs): correct condition in macro `bin_dir_rename` to catch `rename`, `renameat`, and `unlinkat` syscalls [[#1250](https://github.com/falcosecurity/falco/pull/1250)]
+* rule(Create files below dev): correct condition to catch `openat` syscall [[#1250](https://github.com/falcosecurity/falco/pull/1250)]
+* rule(macro user_known_set_setuid_or_setgid_bit_conditions): create macro [[#1213](https://github.com/falcosecurity/falco/pull/1213)]

 ## v0.23.0

-Released on 2020-18-05
+Released on 2020-05-18

 ### Major Changes

@@ -46,7 +238,7 @@ Released on 2020-18-05

 ## v0.22.1

-Released on 2020-17-04
+Released on 2020-04-17

 ### Major Changes

@@ -66,7 +258,7 @@ Released on 2020-17-04

 ## v0.22.0

-Released on 2020-16-04
+Released on 2020-04-16

 ### Major Changes

--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -16,6 +16,8 @@ project(falco)

 option(USE_BUNDLED_DEPS "Bundle hard to find dependencies into the Falco binary" OFF)
 option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF)
+option(MINIMAL_BUILD "Build a minimal version of Falco, containing only the engine and basic input/output (EXPERIMENTAL)" OFF)
+option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF)

 # Elapsed time
 # set_property(GLOBAL PROPERTY RULE_LAUNCH_COMPILE "${CMAKE_COMMAND} -E time") # TODO(fntlnz, leodido): add a flag to enable this
@@ -50,7 +52,15 @@ else()
 endif()
 message(STATUS "Build type: ${CMAKE_BUILD_TYPE}")

-set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS}")
+if(MINIMAL_BUILD)
+  set(MINIMAL_BUILD_FLAGS "-DMINIMAL_BUILD")
+endif()
+
+if(MUSL_OPTIMIZED_BUILD)
+  set(MUSL_FLAGS "-static -Os")
+endif()
+
+set(CMAKE_COMMON_FLAGS "-Wall -pg -ggdb ${DRAIOS_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}")

 if(BUILD_WARNINGS_AS_ERRORS)
  set(CMAKE_SUPPRESSED_WARNINGS
@@ -93,7 +103,7 @@ message(STATUS "Using bundled nlohmann-json in '${NJSON_SRC}'")
 set(NJSON_INCLUDE "${NJSON_SRC}/single_include")
 ExternalProject_Add(
  njson
-  URL "https://s3.amazonaws.com/download.draios.com/dependencies/njson-3.3.0.tar.gz"
+  URL "https://github.com/nlohmann/json/archive/v3.3.0.tar.gz"
  URL_HASH "SHA256=2fd1d207b4669a7843296c41d3b6ac5b23d00dec48dba507ba051d14564aa801"
  CONFIGURE_COMMAND ""
  BUILD_COMMAND ""
@@ -106,14 +116,15 @@ find_package(Curses REQUIRED)
 message(STATUS "Found ncurses: include: ${CURSES_INCLUDE_DIR}, lib: ${CURSES_LIBRARIES}")

 # libb64
+
 set(B64_SRC "${PROJECT_BINARY_DIR}/b64-prefix/src/b64")
 message(STATUS "Using bundled b64 in '${B64_SRC}'")
 set(B64_INCLUDE "${B64_SRC}/include")
 set(B64_LIB "${B64_SRC}/src/libb64.a")
 ExternalProject_Add(
  b64
-  URL "https://s3.amazonaws.com/download.draios.com/dependencies/libb64-1.2.src.zip"
-  URL_HASH "SHA256=343d8d61c5cbe3d3407394f16a5390c06f8ff907bd8d614c16546310b689bfd3"
+  URL "https://github.com/libb64/libb64/archive/ce864b17ea0e24a91e77c7dd3eb2d1ac4175b3f0.tar.gz"
+  URL_HASH "SHA256=d07173e66f435e5c77dbf81bd9313f8d0e4a3b4edd4105a62f4f8132ba932811"
  CONFIGURE_COMMAND ""
  BUILD_COMMAND ${CMD_MAKE}
  BUILD_IN_SOURCE 1
@@ -122,11 +133,13 @@ ExternalProject_Add(
 # yaml-cpp
 include(yaml-cpp)

-# OpenSSL
-include(OpenSSL)
+if(NOT MINIMAL_BUILD)
+  # OpenSSL
+  include(OpenSSL)

-# libcurl
-include(cURL)
+  # libcurl
+  include(cURL)
+endif()

 # LuaJIT
 set(LUAJIT_SRC "${PROJECT_BINARY_DIR}/luajit-prefix/src/luajit/src")
@@ -135,8 +148,8 @@ set(LUAJIT_INCLUDE "${LUAJIT_SRC}")
 set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
 ExternalProject_Add(
  luajit
-  URL "https://s3.amazonaws.com/download.draios.com/dependencies/LuaJIT-2.0.3.tar.gz"
-  URL_HASH "SHA256=55be6cb2d101ed38acca32c5b1f99ae345904b365b642203194c585d27bebd79"
+  URL "https://github.com/LuaJIT/LuaJIT/archive/v2.0.3.tar.gz"
+  URL_HASH "SHA256=8da3d984495a11ba1bce9a833ba60e18b532ca0641e7d90d97fafe85ff014baa"
  CONFIGURE_COMMAND ""
  BUILD_COMMAND ${CMD_MAKE}
  BUILD_IN_SOURCE 1
@@ -151,35 +164,28 @@ list(APPEND LPEG_DEPENDENCIES "luajit")
 ExternalProject_Add(
  lpeg
  DEPENDS ${LPEG_DEPENDENCIES}
-  URL "https://s3.amazonaws.com/download.draios.com/dependencies/lpeg-1.0.0.tar.gz"
-  URL_HASH "SHA256=10190ae758a22a16415429a9eb70344cf29cbda738a6962a9f94a732340abf8e"
+  URL "http://www.inf.puc-rio.br/~roberto/lpeg/lpeg-1.0.2.tar.gz"
+  URL_HASH "SHA256=48d66576051b6c78388faad09b70493093264588fcd0f258ddaab1cdd4a15ffe"
  BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
  BUILD_IN_SOURCE 1
  CONFIGURE_COMMAND ""
  INSTALL_COMMAND "")

 # libyaml
-find_library(LIBYAML_LIB NAMES libyaml.so)
-if(LIBYAML_LIB)
-  message(STATUS "Found libyaml: lib: ${LIBYAML_LIB}")
-else()
-  message(FATAL_ERROR "Couldn't find system libyaml")
-endif()
+include(libyaml)

 # lyaml
 set(LYAML_SRC "${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/ext/yaml")
 set(LYAML_LIB "${LYAML_SRC}/.libs/yaml.a")
 message(STATUS "Using bundled lyaml in '${LYAML_SRC}'")
-set(LYAML_DEPENDENCIES "")
-list(APPEND LYAML_DEPENDENCIES "luajit")
 ExternalProject_Add(
  lyaml
-  DEPENDS ${LYAML_DEPENDENCIES}
-  URL "https://s3.amazonaws.com/download.draios.com/dependencies/lyaml-release-v6.0.tar.gz"
+  DEPENDS luajit libyaml
+  URL "https://github.com/gvvaughan/lyaml/archive/release-v6.0.tar.gz"
  URL_HASH "SHA256=9d7cf74d776999ff6f758c569d5202ff5da1f303c6f4229d3b41f71cd3a3e7a7"
  BUILD_COMMAND ${CMD_MAKE}
  BUILD_IN_SOURCE 1
-  CONFIGURE_COMMAND ./configure --enable-static LIBS=-lyaml LUA_INCLUDE=-I${LUAJIT_INCLUDE} LUA=${LUAJIT_SRC}/luajit
+  CONFIGURE_COMMAND ./configure --enable-static CFLAGS=-I${LIBYAML_INSTALL_DIR}/include CPPFLAGS=-I${LIBYAML_INSTALL_DIR}/include LDFLAGS=-L${LIBYAML_INSTALL_DIR}/lib LIBS=-lyaml LUA=${LUAJIT_SRC}/luajit LUA_INCLUDE=-I${LUAJIT_INCLUDE}
  INSTALL_COMMAND sh -c
                  "cp -R ${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/lib/* ${PROJECT_SOURCE_DIR}/userspace/engine/lua")

@@ -200,23 +206,30 @@ ExternalProject_Add(
  BUILD_BYPRODUCTS ${TBB_LIB}
  INSTALL_COMMAND "")

-# civetweb
-set(CIVETWEB_SRC "${PROJECT_BINARY_DIR}/civetweb-prefix/src/civetweb/")
-set(CIVETWEB_LIB "${CIVETWEB_SRC}/install/lib/libcivetweb.a")
-set(CIVETWEB_INCLUDE_DIR "${CIVETWEB_SRC}/install/include")
-message(STATUS "Using bundled civetweb in '${CIVETWEB_SRC}'")
-ExternalProject_Add(
-  civetweb
-  URL "https://github.com/civetweb/civetweb/archive/v1.11.tar.gz"
-  URL_HASH "SHA256=de7d5e7a2d9551d325898c71e41d437d5f7b51e754b242af897f7be96e713a42"
-  CONFIGURE_COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/lib
-  COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/include
-  BUILD_IN_SOURCE 1
-  BUILD_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" WITH_CPP=1
-  INSTALL_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" install-lib install-headers PREFIX=${CIVETWEB_SRC}/install "WITH_CPP=1")
+if(NOT MINIMAL_BUILD)
+  # civetweb
+  set(CIVETWEB_SRC "${PROJECT_BINARY_DIR}/civetweb-prefix/src/civetweb/")
+  set(CIVETWEB_LIB "${CIVETWEB_SRC}/install/lib/libcivetweb.a")
+  set(CIVETWEB_INCLUDE_DIR "${CIVETWEB_SRC}/install/include")
+  message(STATUS "Using bundled civetweb in '${CIVETWEB_SRC}'")
+  ExternalProject_Add(
+    civetweb
+    URL "https://github.com/civetweb/civetweb/archive/v1.11.tar.gz"
+    URL_HASH "SHA256=de7d5e7a2d9551d325898c71e41d437d5f7b51e754b242af897f7be96e713a42"
+    CONFIGURE_COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/lib
+    COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/include
+    BUILD_IN_SOURCE 1
+    BUILD_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" WITH_CPP=1
+    INSTALL_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" install-lib install-headers PREFIX=${CIVETWEB_SRC}/install "WITH_CPP=1")
+endif()

-# gRPC
-include(gRPC)
+#string-view-lite
+include(DownloadStringViewLite)
+
+if(NOT MINIMAL_BUILD)
+  # gRPC
+  include(gRPC)
+endif()

 # sysdig
 include(sysdig)
@@ -224,11 +237,13 @@ include(sysdig)
 # Installation
 install(FILES falco.yaml DESTINATION "${FALCO_ETC_DIR}")

-# Coverage
-include(Coverage)
+if(NOT MINIMAL_BUILD)
+  # Coverage
+  include(Coverage)

-# Tests
-add_subdirectory(test)
+  # Tests
+  add_subdirectory(test)
+endif()

 # Rules
 add_subdirectory(rules)
@@ -239,6 +254,9 @@ add_subdirectory(docker)
 # Clang format
 # add_custom_target(format COMMAND clang-format --style=file -i $<TARGET_PROPERTY:falco,SOURCES> COMMENT "Formatting ..." VERBATIM)

+# Static analysis
+include(static-analysis)
+
 # Shared build variables
 set(FALCO_SINSP_LIBRARY sinsp)
 set(FALCO_SHARE_DIR share/falco)
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -1,38 +0,0 @@
-# CNCF Community Code of Conduct v1.0
-
-## Contributor Code of Conduct
-
-As contributors and maintainers of this project, and in the interest of fostering
-an open and welcoming community, we pledge to respect all people who contribute
-through reporting issues, posting feature requests, updating documentation,
-submitting pull requests or patches, and other activities.
-
-We are committed to making participation in this project a harassment-free experience for
-everyone, regardless of level of experience, gender, gender identity and expression,
-sexual orientation, disability, personal appearance, body size, race, ethnicity, age,
-religion, or nationality.
-
-Examples of unacceptable behavior by participants include:
-
-* The use of sexualized language or imagery
-* Personal attacks
-* Trolling or insulting/derogatory comments
-* Public or private harassment
-* Publishing other's private information, such as physical or electronic addresses,
- without explicit permission
-* Other unethical or unprofessional conduct.
-
-Project maintainers have the right and responsibility to remove, edit, or reject
-comments, commits, code, wiki edits, issues, and other contributions that are not
-aligned to this Code of Conduct. By adopting this Code of Conduct, project maintainers
-commit themselves to fairly and consistently applying these principles to every aspect
-of managing this project. Project maintainers who do not follow or enforce the Code of
-Conduct may be permanently removed from the project team.
-
-This code of conduct applies both within project spaces and in public spaces
-when an individual is representing the project or its community.
-
-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting a CNCF project maintainer, [Sarah Novotny](mailto:sarahnovotny@google.com), and/or [Dan Kohn](mailto:dan@linuxfoundation.org).
-
-This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.2.0, available at
-http://contributor-covenant.org/version/1/2/0/
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,150 +0,0 @@
-# Contributing to Falco
-
- [Contributing to Falco](#contributing-to-falco)
-  - [Code of Conduct](#code-of-conduct)
-  - [Issues](#issues)
-    - [Triage issues](#triage-issues)
-      - [More about labels](#more-about-labels)
-    - [Slack](#slack)
-  - [Pull Requests](#pull-requests)
-    - [Commit convention](#commit-convention)
-      - [Rule type](#rule-type)
-  - [Coding Guidelines](#coding-guidelines)
-    - [C++](#c)
-    - [Unit testing](/tests/README.md)
-  - [Developer Certificate Of Origin](#developer-certificate-of-origin)
-
-## Code of Conduct
-
-Falco has a
-[Code of Conduct](CODE_OF_CONDUCT.md)
-to which all contributors must adhere, please read it before interacting with the repository or the community in any way.
-
-## Issues
-
-Issues are the heartbeat ❤️ of the Falco project, there are mainly three kinds of issues you can open:
-
- Bug report: you believe you found a problem in Falco and you want to discuss and get it fixed,
-creating an issue with the **bug report template** is the best way to do so.
- Enhancement: any kind of new feature need to be discussed in this kind of issue, do you want a new rule or a new feature? This is the kind of issue you want to open. Be very good at explaining your intent, it's always important that others can understand what you mean in order to discuss, be open and collaborative in letting others help you getting this done!
- Failing tests: you noticed a flaky test or a problem with a build? This is the kind of issue to triage that!
-
-The best way to get **involved** in the project is through issues, you can help in many ways:
-
- Issues triaging: participating in the discussion and adding details to open issues is always a good thing,
-sometimes issues need to be verified, you could be the one writing a test case to fix a bug!
- Helping to resolve the issue: you can help in getting it fixed in many ways, more often by opening a pull request.
-
-### Triage issues
-
-We need help in categorizing issues. Thus any help is welcome!
-
-When you triage an issue, you:
-
-* assess whether it has merit or not
-
-* quickly close it by correctly answering a question
-
-* point the reporter to a resource or documentation answering the issue
-
-* tag it via labels, projects, or milestones
-
-* take ownership submitting a PR for it, in case you want 😇
-
-#### More about labels
-
-These guidelines are not set in stone and are subject to change.
-
-Anyway a `kind/*` label for any issue is mandatory.
-
-This is the current [label set](https://github.com/falcosecurity/falco/labels) we have.
-
-You can use commands - eg., `/label <some-label>` to add (or remove) labels or manually do it.
-
-The commands available are the following ones:
-
-```
-/[remove-](area|kind|priority|triage|label)
-```
-
-Some examples:
-
-* `/area rules`
-* `/remove-area rules`
-* `/kind kernel-module`
-* `/label good-first-issue`
-* `/triage duplicate`
-* `/triage unresolved`
-* `/triage not-reproducible`
-* `/triage support`
-* ...
-
-### Slack
-
-Other discussion, and **support requests** should go through the `#falco` channel in the open source slack, please join [here](https://slack.sysdig.com).
-
-## Pull Requests
-
-Thanks for taking time to make a [pull request](https://help.github.com/articles/about-pull-requests) (hereafter PR).
-
-In the PR body, feel free to add an area label if appropriate by typing `/area <AREA>`, PRs will also
-need a kind, make sure to specify the appropriate one by typing `/kind <KIND>`.
-
-The list of labels is [here](https://github.com/falcosecurity/falco/labels).
-
-Also feel free to suggest a reviewer with `/cc @theirname`, or to assign an assignee using `/assign @nickname`.
-
-Once your reviewer is happy, they will say `/lgtm` which will apply the
-`lgtm` label, and will apply the `approved` label if they are an
-[owner](/OWNERS).
-
-Your PR will be automatically merged once it has the `lgtm` and `approved`
-labels, does not have any `do-not-merge/*` labels, and all status checks (eg., rebase, tests, DCO) are positive.
-
-### Commit convention
-
-As commit convention, we adopt [Conventional Commits v1.0.0](https://www.conventionalcommits.org/en/v1.0.0/), we have an history
-of commits that do not adopt the convention but any new commit must follow it to be eligible for merge.
-
-#### Rule type
-
-Besides the classic types, we adopt a type for rules, `rule(<scope>):`.
-Example:
-
-```
-rule(Write below monitored dir): make sure monitored dirs are monitored.
-```
-
-Each rule change must be on its own commit, if a change to a macro is done while changing a rule they can go together but only one rule per commit must happen.
-
-If you are changing only a macro, the commit will look like this:
-
-```
-rule(macro user_known_write_monitored_dir_conditions): make sure conditions are great
-```
-
-## Coding Guidelines
-
-### C++
-
-* File `userspace/engine/banned.h` defines some functions as invalid tokens. These functions are not allowed to be used in the codebase. Whenever creating a new cpp file, include the `"banned.h"` headers. This ensures that the banned functions are not compiled.
-
-  A complete list of banned functions can be found [here](./userspace/engine/banned.h).
-
-## Developer Certificate Of Origin
-
-The [Developer Certificate of Origin (DCO)](https://developercertificate.org/) is a lightweight way for contributors to certify that they wrote or otherwise have the right to submit the code they are contributing to the project.
-
-Contributors to the Falco project sign-off that they adhere to these requirements by adding a `Signed-off-by` line to commit messages.
-
-```
-This is my commit message
-
-Signed-off-by: John Poiana <jpoiana@falco.org>
-```
-
-Git even has a `-s` command line option to append this automatically to your commit message:
-
-```
-$ git commit -s -m 'This is my commit message'
-```
--- a/2
+++ b/2
@@ -3,6 +3,7 @@ approvers:
  - kris-nova
  - leodido
  - mstemm
+  - leogr
 reviewers:
  - fntlnz
  - kaizhe
@@ -10,3 +11,4 @@ reviewers:
  - leodido
  - mfdii
  - mstemm
+  - leogr
--- a/README.md
+++ b/README.md
@@ -3,8 +3,6 @@

 <hr>

-# The Falco Project
-
 [![Build Status](https://img.shields.io/circleci/build/github/falcosecurity/falco/master?style=for-the-badge)](https://circleci.com/gh/falcosecurity/falco) [![CII Best Practices Summary](https://img.shields.io/cii/summary/2317?label=CCI%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) [![GitHub](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING)

 #### Latest releases
@@ -19,63 +17,78 @@ Read the [change log](CHANGELOG.md).

 ---

-Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Falco audits a system at the most fundamental level, the kernel. Falco then enriches this data with other input streams such as container runtime metrics, and Kubernetes metrics. Falco lets you continuously monitor and detect container, application, host, and network activity—all in one place—from one source of data, with one set of rules.
+The Falco Project, originally created by [Sysdig](https://sysdig.com), is an incubating [CNCF](https://cncf.io) open source cloud native runtime security tool.
+Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack.
+Falco has a rich rule set of security rules specifically built for Kubernetes, Linux, and cloud-native.
+If a rule is violated in a system, Falco will send an alert notifying the user of the violation and its severity.

-Falco is hosted by the Cloud Native Computing Foundation (CNCF) as a sandbox level project. If you are an organization that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF. For details read the [Falco CNCF project proposal](https://github.com/cncf/toc/tree/master/proposals/falco.adoc).
+### Installing Falco

-#### What kind of behaviors can Falco detect?
+If you would like to run Falco in **production** please adhere to the [official installation guide](https://falco.org/docs/installation/).

-Falco can detect and alert on any behavior that involves making Linux system calls. Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process. For example, Falco can easily detect incidents including but not limited to:
+##### Kubernetes

- A shell is running inside a container.
+| Tool     | Link                                                                                       | Note                                                               |
+|----------|--------------------------------------------------------------------------------------------|--------------------------------------------------------------------|
+| Helm     | [Chart Repository](https://github.com/falcosecurity/charts/tree/master/falco#introduction) | The Falco community offers regular helm chart releases.            |
+| Minikube | [Tutorial](https://falco.org/docs/third-party/#minikube)                                   | The Falco driver has been baked into minikube for easy deployment. |
+| Kind     | [Tutorial](https://falco.org/docs/third-party/#kind)                                       | Running Falco with kind requires a driver on the host system.      |
+| GKE      | [Tutorial](https://falco.org/docs/third-party/#gke)                                        | We suggest using the eBPF driver for running Falco on GKE.         |
+
+### Developing
+
+Falco is designed to be extensible such that it can be built into cloud-native applications and infrastructure.
+
+Falco has a [gRPC](https://falco.org/docs/grpc/) endpoint and an API defined in [protobuf](https://github.com/falcosecurity/falco/blob/update-readme/userspace/falco/outputs.proto).
+The Falco Project supports various SDKs for this endpoint.
+
+##### SDKs
+
+| Language | Repository                                              |
+|----------|---------------------------------------------------------|
+| Go       | [client-go](https://github.com/falcosecurity/client-go) |
+| Rust     | [client-rs](https://github.com/falcosecurity/client-rs) |
+| Python   | [client-py](https://github.com/falcosecurity/client-py) |
+
+
+### What can Falco detect?
+
+Falco can detect and alert on any behavior that involves making Linux system calls.
+Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process.
+For example, Falco can easily detect incidents including but not limited to:
+
+- A shell is running inside a container or pod in Kubernetes.
 - A container is running in privileged mode, or is mounting a sensitive path, such as `/proc`, from the host.
 - A server process is spawning a child process of an unexpected type.
 - Unexpected read of a sensitive file, such as `/etc/shadow`.
 - A non-device file is written to `/dev`.
 - A standard system binary, such as `ls`, is making an outbound network connection.

+### Documentation

-### Installing Falco
+The [Official Documentation](https://falco.org/docs/) is the best resource to learn about Falco.

-You can find the latest release downloads on the official [release archive](https://bintray.com/falcosecurity)
-
-Furthermore the comprehensive [installation guide](https://falco.org/docs/installation/) for Falco is available in the documentation website.
-
-#### How do you compare Falco with other security tools?
-
-One of the questions we often get when we talk about Falco is “How does Falco differ from other Linux security tools such as SELinux, AppArmor, Auditd, etc.?”. We wrote a [blog post](https://sysdig.com/blog/selinux-seccomp-falco-technical-discussion/) comparing Falco with other tools.
-
-
-Documentation
---
-
-See [Falco Documentation](https://falco.org/docs/) to quickly get started using Falco.
-
-Join the Community
---
+### Join the Community

 To get involved with The Falco Project please visit [the community repository](https://github.com/falcosecurity/community) to find more.

-License Terms
---
+### Contributing

-Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
-
-Contributing
---
-
-See the [CONTRIBUTING.md](./CONTRIBUTING.md).
-
-Security
---
+See the [CONTRIBUTING.md](https://github.com/falcosecurity/.github/blob/master/CONTRIBUTING.md).

 ### Security Audit

 A third party security audit was performed by Cure53, you can see the full report [here](./audits/SECURITY_AUDIT_2019_07.pdf).

 ### Reporting security vulnerabilities
+
 Please report security vulnerabilities following the community process documented [here](https://github.com/falcosecurity/.github/blob/master/SECURITY.md).

+### License Terms
+
+Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
+
+
 [1]: https://dl.bintray.com/falcosecurity/rpm-dev
 [2]: https://dl.bintray.com/falcosecurity/rpm
 [3]: https://dl.bintray.com/falcosecurity/deb-dev/stable
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -2,39 +2,43 @@

 Our release process is mostly automated, but we still need some manual steps to initiate and complete it.

-Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released. 
+Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released.

-Releases happen on a monthly cadence, towards the 16th of the on-going month, and we need to assign owners for each (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community). Note that hotfix releases can happen as soon as it is needed.
+A release happens every two months ([as per community discussion](https://github.com/falcosecurity/community/blob/master/meeting-notes/2020-09-30.md#agenda)), and we need to assign owners for each (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community). Note that hotfix releases can happen as soon as it is needed.

 Finally, on the proposed due date the assignees for the upcoming release proceed with the processes described below.

 ## Pre-Release Checklist

+Before cutting a release we need to do some homework in the Falco repository. This should take 5 minutes using the GitHub UI.
+
 ### 1. Release notes
- Let `YYYY-MM-DD` the day before of the [latest release](https://github.com/falcosecurity/falco/releases)
+- Find the LAST release (-1) and use `YYYY-MM-DD` as the day before of the [latest release](https://github.com/falcosecurity/falco/releases)
 - Check the release note block of every PR matching the `is:pr is:merged closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+closed%3A%3EYYYY-MM-DD)
    - Ensure the release note block follows the [commit convention](https://github.com/falcosecurity/falco/blob/master/CONTRIBUTING.md#commit-convention), otherwise fix its content
    - If the PR has no milestone, assign it to the milestone currently undergoing release
- Check issues without a milestone (using [is:pr is:merged no:milestone closed:>YYYT-MM-DD](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYT-MM-DD) filter) and add them to the milestone currently undergoing release
- Double-check that there are no more merged PRs without the target milestone assigned with the `is:pr is:merged no:milestone closed:>YYYT-MM-DD` [filters](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYT-MM-DD), if any, fix them
+- Check issues without a milestone (using [is:pr is:merged no:milestone closed:>YYYY-MM-DD](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD) filter) and add them to the milestone currently undergoing release
+- Double-check that there are no more merged PRs without the target milestone assigned with the `is:pr is:merged no:milestone closed:>YYYY-MM-DD` [filters](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD), if any, fix them

 ### 2. Milestones
+
 - Move the [tasks not completed](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Aopen) to a new minor milestone
- Close the completed milestone
-    
+
 ### 3. Release PR

 - Double-check if any hard-coded version number is present in the code, it should be not present anywhere:
    - If any, manually correct it then open an issue to automate version number bumping later
    - Versions table in the `README.md` update itself automatically
- Generate the change log https://github.com/leodido/rn2md, or https://fs.fntlnz.wtf/falco/milestones-changelog.txt for the lazy people (it updates every 5 minutes) 
- Add the lastest changes on top the previous `CHANGELOG.md`
+- Generate the change log https://github.com/leodido/rn2md, or https://fs.fntlnz.wtf/falco/milestones-changelog.txt for the lazy people (it updates every 5 minutes)
+    - If you review timeout errors with `rn2md` try to generate an GitHub Oauth access token and use `-t`
+- Add the latest changes on top the previous `CHANGELOG.md`
 - Submit a PR with the above modifications
 - Await PR approval
+- Close the completed milestone as soon as the PR is merged

 ## Release

-Let `x.y.z` the new version.
+Now assume `x.y.z` is the new version.

 ### 1. Create a tag

@@ -52,25 +56,50 @@ Let `x.y.z` the new version.
 - Wait for the CI to complete

 ### 2. Update the GitHub release
+
 - [Draft a new release](https://github.com/falcosecurity/falco/releases/new)
 - Use `x.y.z` both as tag version and release title
 - Use the following template to fill the release description:
    ```
+    <!-- Substitute x.y.z with the current release version -->
+
+    | Packages | Download                                                                                                                                               |
+    | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
+    | rpm      | [![rpm](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/rpm/falco-x.y.z-x86_64.rpm)        |
+    | deb      | [![deb](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/deb/stable/falco-x.y.z-x86_64.deb) |
+    | tgz      | [![tgz](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/bin/x86_64/falco-x.y.z-x86_64.deb) |
+
+    | Images                                                          |
+    | --------------------------------------------------------------- |
+    | `docker pull docker.io/falcosecurity/falco:_tag_`               |
+    | `docker pull docker.io/falcosecurity/falco-driver-loader:_tag_` |
+    | `docker pull docker.io/falcosecurity/falco-no-driver:_tag_`     |
+
    <!-- Copy the relevant part of the changelog here -->

    ### Statistics

-    | Merged PRs        | Number  |
-    |-------------------|---------|
-    | Not user-facing   | x       |
-    | Release note      | x       |
-    | Total             | x       |
+    | Merged PRs      | Number |
+    | --------------- | ------ |
+    | Not user-facing | x      |
+    | Release note    | x      |
+    | Total           | x      |

    <!-- Calculate stats and fill the above table -->
    ```

 - Finally, publish the release!

+### 3. Update the meeting notes
+
+For each release we archive the meeting notes in git for historical purposes.
+
+ - The notes from the Falco meetings can be [found here](https://hackmd.io/6sEAlInlSaGnLz2FnFz21A).
+    - Note: There may be other notes from working groups that can optionally be added as well as needed.
+ - Add the entire content of the document to a new file in [github.com/falcosecurity/community/tree/master/meeting-notes](https://github.com/falcosecurity/community/tree/master/meeting-notes) as a new file labeled `release-x.y.z.md`
+ - Open up a pull request with the new change.
+
+
 ## Post-Release tasks

 Announce the new release to the world!
--- a/brand/README.md
+++ b/brand/README.md
@@ -15,6 +15,21 @@ There are 3 logos available for use in this directory. Use the primary logo unle

 The Falco logo is Apache 2 licensed and free to use in media and publication for the CNCF Falco project.

+### Colors
+
+| Name      | PMS  | RGB         |
+|-----------|------|-------------|
+| Teal      | 3125 |   0 174 199 |
+| Cool Gray |   11 |  83  86  90 |
+| Black     |      |   0   0   0 |
+| Blue-Gray | 7700 |  22 92 125  |
+| Gold      | 1375 | 255 158  27 |
+| Orange    |  171 | 255  92  57 |
+| Emerald   | 3278 |   0 155 119 |
+| Green     |  360 | 108 194  74 |
+
+The primary colors are those in the first two rows.
+
 ### Slogan

 > Cloud Native Runtime Security
--- a/brand/teal-logo.svg
+++ b/brand/teal-logo.svg
--- a/cmake/modules/CPackConfig.cmake
+++ b/cmake/modules/CPackConfig.cmake
@@ -1,3 +1,16 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
 set(CPACK_PACKAGE_NAME "${PACKAGE_NAME}")
 set(CPACK_PACKAGE_VENDOR "Cloud Native Computing Foundation (CNCF) cncf.io.")
 set(CPACK_PACKAGE_CONTACT "cncf-falco-dev@lists.cncf.io") # todo: change this once we've got @falco.org addresses
@@ -12,19 +25,23 @@ set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/cmake/cpack/CMakeCPackOptio
 set(CPACK_STRIP_FILES "ON")
 set(CPACK_PACKAGE_RELOCATABLE "OFF")

-set(CPACK_GENERATOR DEB RPM TGZ)
+if(NOT CPACK_GENERATOR)
+    set(CPACK_GENERATOR DEB RPM TGZ)
+endif()
+
+message(STATUS "Using package generators: ${CPACK_GENERATOR}")

 set(CPACK_DEBIAN_PACKAGE_SECTION "utils")
 set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")
 set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "https://www.falco.org")
-set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0), libyaml-0-2")
+set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0)")
 set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
    "${CMAKE_BINARY_DIR}/scripts/debian/postinst;${CMAKE_BINARY_DIR}/scripts/debian/prerm;${CMAKE_BINARY_DIR}/scripts/debian/postrm;${PROJECT_SOURCE_DIR}/cmake/cpack/debian/conffiles"
 )

 set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0")
 set(CPACK_RPM_PACKAGE_URL "https://www.falco.org")
-set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, libyaml, ncurses")
+set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, ncurses")
 set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postinstall")
 set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/preuninstall")
 set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postuninstall")
--- a/cmake/modules/Coverage.cmake
+++ b/cmake/modules/Coverage.cmake
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
--- a/cmake/modules/DownloadCatch.cmake
+++ b/cmake/modules/DownloadCatch.cmake
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
--- a/cmake/modules/DownloadFakeIt.cmake
+++ b/cmake/modules/DownloadFakeIt.cmake
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
--- a/cmake/modules/DownloadStringViewLite.cmake
+++ b/cmake/modules/DownloadStringViewLite.cmake
@@ -0,0 +1,29 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+include(ExternalProject)
+
+set(STRING_VIEW_LITE_PREFIX ${CMAKE_BINARY_DIR}/string-view-lite-prefix)
+set(STRING_VIEW_LITE_INCLUDE ${STRING_VIEW_LITE_PREFIX}/include)
+message(STATUS "Using bundled string-view-lite in ${STRING_VIEW_LITE_INCLUDE}")
+
+ExternalProject_Add(
+  string-view-lite
+  PREFIX ${STRING_VIEW_LITE_PREFIX}
+  GIT_REPOSITORY "https://github.com/martinmoene/string-view-lite.git"
+  GIT_TAG "v1.4.0"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND
+    ${CMAKE_COMMAND} -E copy ${STRING_VIEW_LITE_PREFIX}/src/string-view-lite/include/nonstd/string_view.hpp
+    ${STRING_VIEW_LITE_INCLUDE}/nonstd/string_view.hpp)
--- a/cmake/modules/FindMakedev.cmake
+++ b/cmake/modules/FindMakedev.cmake
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
--- a/cmake/modules/GetFalcoVersion.cmake
+++ b/cmake/modules/GetFalcoVersion.cmake
@@ -1,3 +1,16 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
 # Retrieve git ref and commit hash
 include(GetGitRevisionDescription)

--- a/cmake/modules/OpenSSL.cmake
+++ b/cmake/modules/OpenSSL.cmake
@@ -1,3 +1,15 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
 if(NOT USE_BUNDLED_DEPS)
  find_package(OpenSSL REQUIRED)
  message(STATUS "Found openssl: include: ${OPENSSL_INCLUDE_DIR}, lib: ${OPENSSL_LIBRARIES}")
@@ -20,10 +32,10 @@ else()
  ExternalProject_Add(
    openssl
    # START CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
-    URL "https://s3.amazonaws.com/download.draios.com/dependencies/openssl-1.0.2n.tar.gz"
-    URL_HASH "SHA256=370babb75f278c39e0c50e8c4e7493bc0f18db6867478341a832a982fd15a8fe"
+    URL "https://github.com/openssl/openssl/archive/OpenSSL_1_0_2n.tar.gz"
+    URL_HASH "SHA256=4f4bc907caff1fee6ff8593729e5729891adcee412049153a3bb4db7625e8364"
    # END CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
-    CONFIGURE_COMMAND ./config shared --prefix=${OPENSSL_INSTALL_DIR}
+    CONFIGURE_COMMAND ./config no-shared --prefix=${OPENSSL_INSTALL_DIR}
    BUILD_COMMAND ${CMD_MAKE}
    BUILD_IN_SOURCE 1
    INSTALL_COMMAND ${CMD_MAKE} install)
--- a/cmake/modules/cURL.cmake
+++ b/cmake/modules/cURL.cmake
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -19,19 +19,15 @@ else()
  set(CURL_INCLUDE_DIR "${CURL_BUNDLE_DIR}/include/")
  set(CURL_LIBRARIES "${CURL_BUNDLE_DIR}/lib/.libs/libcurl.a")

-  if(NOT USE_BUNDLED_OPENSSL)
-    set(CURL_SSL_OPTION "--with-ssl")
-  else()
-    set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}")
-    message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'")
-    message(STATUS "Using SSL for curl in '${CURL_SSL_OPTION}'")
-  endif()
+  set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}")
+  message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'")
+  message(STATUS "Using SSL for curl in '${CURL_SSL_OPTION}'")

  externalproject_add(
    curl
    DEPENDS openssl
    # START CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
-    URL "https://s3.amazonaws.com/download.draios.com/dependencies/curl-7.61.0.tar.bz2"
+    URL "https://github.com/curl/curl/releases/download/curl-7_61_0/curl-7.61.0.tar.bz2"
    URL_HASH "SHA256=5f6f336921cf5b84de56afbd08dfb70adeef2303751ffb3e570c936c6d656c9c"
    # END CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
    CONFIGURE_COMMAND
--- a/cmake/modules/gRPC.cmake
+++ b/cmake/modules/gRPC.cmake
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -96,12 +96,17 @@ else()
  # that zlib will be very outdated
  set(ZLIB_INCLUDE "${GRPC_SRC}/third_party/zlib")
  set(ZLIB_LIB "${GRPC_LIBS_ABSOLUTE}/libz.a")
+  # we tell gRPC to compile c-ares for us because when a gRPC package is not available, like on CentOS, it's very likely
+  # that c-ares will be very outdated
+  set(CARES_INCLUDE "${GRPC_SRC}/third_party/cares" "${GRPC_SRC}/third_party/cares/cares")
+  set(CARES_LIB "${GRPC_LIBS_ABSOLUTE}/libares.a")

  message(STATUS "Using bundled gRPC in '${GRPC_SRC}'")
  message(
    STATUS
      "Bundled gRPC comes with protobuf: compiler: ${PROTOC}, include: ${PROTOBUF_INCLUDE}, lib: ${PROTOBUF_LIB}")
  message(STATUS "Bundled gRPC comes with zlib: include: ${ZLIB_INCLUDE}, lib: ${ZLIB_LIB}}")
+  message(STATUS "Bundled gRPC comes with cares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}}")
  message(STATUS "Bundled gRPC comes with gRPC C++ plugin: include: ${GRPC_CPP_PLUGIN}")

  get_filename_component(PROTOC_DIR ${PROTOC} PATH)
@@ -110,8 +115,8 @@ else()
    grpc
    DEPENDS openssl
    GIT_REPOSITORY https://github.com/grpc/grpc.git
-    GIT_TAG v1.25.0
-    GIT_SUBMODULES "third_party/protobuf third_party/zlib third_party/cares/cares"
+    GIT_TAG v1.31.1
+    GIT_SUBMODULES "third_party/protobuf third_party/zlib third_party/cares/cares third_party/abseil-cpp third_party/re2"
    BUILD_IN_SOURCE 1
    BUILD_BYPRODUCTS ${GRPC_LIB} ${GRPCPP_LIB}
    INSTALL_COMMAND ""
@@ -121,6 +126,8 @@ else()
      HAS_SYSTEM_ZLIB=false
      HAS_SYSTEM_PROTOBUF=false
      HAS_SYSTEM_CARES=false
+      HAS_EMBEDDED_OPENSSL_ALPN=false
+      HAS_SYSTEM_OPENSSL_ALPN=true
      PKG_CONFIG_PATH=${OPENSSL_BUNDLE_DIR}
      PKG_CONFIG=${PKG_CONFIG_EXECUTABLE}
      PATH=${PROTOC_DIR}:$ENV{PATH}
--- a/cmake/modules/jq.cmake
+++ b/cmake/modules/jq.cmake
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -10,26 +10,44 @@
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 #
-if(NOT USE_BUNDLED_DEPS)
-  find_path(JQ_INCLUDE jq.h PATH_SUFFIXES jq)
-  find_library(JQ_LIB NAMES jq)
-  if(JQ_INCLUDE AND JQ_LIB)
-    message(STATUS "Found jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}")
-  else()
-    message(FATAL_ERROR "Couldn't find system jq")
-  endif()
-else()
-  set(JQ_SRC "${PROJECT_BINARY_DIR}/jq-prefix/src/jq")
-  message(STATUS "Using bundled jq in '${JQ_SRC}'")
-  set(JQ_INCLUDE "${JQ_SRC}")
-  set(JQ_LIB "${JQ_SRC}/.libs/libjq.a")
-  ExternalProject_Add(
-    jq
-    URL "https://github.com/stedolan/jq/releases/download/jq-1.5/jq-1.5.tar.gz"
-    URL_HASH "SHA256=c4d2bfec6436341113419debf479d833692cc5cdab7eb0326b5a4d4fbe9f493c"
-    CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking
-    BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
-    BUILD_IN_SOURCE 1
-    PATCH_COMMAND curl -L https://github.com/stedolan/jq/commit/8eb1367ca44e772963e704a700ef72ae2e12babd.patch | patch
-    INSTALL_COMMAND "")
-endif()
+if (NOT USE_BUNDLED_DEPS)
+    find_path(JQ_INCLUDE jq.h PATH_SUFFIXES jq)
+    find_library(JQ_LIB NAMES jq)
+    if (JQ_INCLUDE AND JQ_LIB)
+        message(STATUS "Found jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}")
+    else ()
+        message(FATAL_ERROR "Couldn't find system jq")
+    endif ()
+else ()
+    set(JQ_SRC "${PROJECT_BINARY_DIR}/jq-prefix/src/jq")
+    message(STATUS "Using bundled jq in '${JQ_SRC}'")
+    set(JQ_INCLUDE "${JQ_SRC}/target/include")
+    set(JQ_INSTALL_DIR "${JQ_SRC}/target")
+    set(JQ_LIB "${JQ_INSTALL_DIR}/lib/libjq.a")
+    set(ONIGURUMA_LIB "${JQ_INSTALL_DIR}/lib/libonig.a")
+    message(STATUS "Bundled jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}")
+
+    # Why we mirror jq here?
+    #
+    # In their readme, jq claims that you don't have
+    # to do autoreconf -fi when downloading a released tarball.
+    #
+    # However, they forgot to push the released makefiles
+    # into their release tarbal.
+    #
+    # For this reason, we have to mirror their release after
+    # doing the configuration ourselves.
+    #
+    # This is needed because many distros do not ship the right
+    # version of autoreconf, making virtually impossible to build Falco on them.
+    # Read more about it here:
+    #   https://github.com/stedolan/jq/issues/2061#issuecomment-593445920
+    ExternalProject_Add(
+            jq
+            URL "https://dl.bintray.com/falcosecurity/dependencies/jq-1.6.tar.gz"
+            URL_HASH "SHA256=787518068c35e244334cc79b8e56b60dbab352dff175b7f04a94f662b540bfd9"
+            CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking --with-oniguruma=builtin --prefix=${JQ_INSTALL_DIR}
+            BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
+            BUILD_IN_SOURCE 1
+            INSTALL_COMMAND ${CMD_MAKE} install)
+endif ()
--- a/cmake/modules/libyaml.cmake
+++ b/cmake/modules/libyaml.cmake
@@ -0,0 +1,26 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(LIBYAML_SRC "${PROJECT_BINARY_DIR}/libyaml-prefix/src/libyaml")
+set(LIBYAML_INSTALL_DIR "${LIBYAML_SRC}/target")
+message(STATUS "Using bundled libyaml in '${LIBYAML_SRC}'")
+set(LIBYAML_LIB "${LIBYAML_SRC}/src/.libs/libyaml.a")
+ExternalProject_Add(
+libyaml
+URL "https://github.com/yaml/libyaml/releases/download/0.2.5/yaml-0.2.5.tar.gz"
+URL_HASH "SHA256=c642ae9b75fee120b2d96c712538bd2cf283228d2337df2cf2988e3c02678ef4"
+CONFIGURE_COMMAND ./configure --prefix=${LIBYAML_INSTALL_DIR} CFLAGS=-fPIC CPPFLAGS=-fPIC --enable-static=true --enable-shared=false
+BUILD_COMMAND ${CMD_MAKE} 
+BUILD_IN_SOURCE 1
+INSTALL_COMMAND ${CMD_MAKE} install)
+
--- a/cmake/modules/static-analysis.cmake
+++ b/cmake/modules/static-analysis.cmake
@@ -0,0 +1,42 @@
+# create the reports folder
+file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports)
+file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck)
+
+# cppcheck
+find_program(CPPCHECK cppcheck)
+find_program(CPPCHECK_HTMLREPORT cppcheck-htmlreport)
+
+if(NOT CPPCHECK)
+  message(STATUS "cppcheck command not found, static code analysis using cppcheck will not be available.")
+else()
+  message(STATUS "cppcheck found at: ${CPPCHECK}")
+  # we are aware that cppcheck can be run
+  # along with the software compilation in a single step
+  # using the CMAKE_CXX_CPPCHECK variables.
+  # However, for practical needs we want to keep the
+  # two things separated and have a specific target for it.
+  # Our cppcheck target reads the compilation database produced by CMake
+  set(CMAKE_EXPORT_COMPILE_COMMANDS On)
+  add_custom_target(
+      cppcheck
+      COMMAND ${CPPCHECK}
+      "--enable=all"
+      "--force"
+      "--inconclusive"
+      "--inline-suppr" # allows to specify suppressions directly in source code
+      "--project=${CMAKE_CURRENT_BINARY_DIR}/compile_commands.json" # use the compilation database as source
+      "--quiet"
+      "--xml" # we want to generate a report
+      "--output-file=${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck/cppcheck.xml" # generate the report under the reports folder in the build folder
+      "-i${CMAKE_CURRENT_BINARY_DIR}"# exclude the build folder
+  )
+endif() # CPPCHECK
+
+if(NOT CPPCHECK_HTMLREPORT)
+  message(STATUS "cppcheck-htmlreport command not found, will not be able to produce html reports for cppcheck results")
+else()
+  message(STATUS "cppcheck-htmlreport found at: ${CPPCHECK_HTMLREPORT}")
+  add_custom_target(
+    cppcheck_htmlreport
+    COMMAND ${CPPCHECK_HTMLREPORT} --title=${CMAKE_PROJECT_NAME} --report-dir=${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck --file=static-analysis-reports/cppcheck/cppcheck.xml)
+endif() # CPPCHECK_HTMLREPORT
--- a/cmake/modules/sysdig.cmake
+++ b/cmake/modules/sysdig.cmake
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -16,24 +16,27 @@ set(SYSDIG_CMAKE_WORKING_DIR "${CMAKE_BINARY_DIR}/sysdig-repo")

 # this needs to be here at the top
 if(USE_BUNDLED_DEPS)
-  # explicitly force this dependency to use the system OpenSSL
-  set(USE_BUNDLED_OPENSSL ON)
+  # explicitly force this dependency to use the bundled OpenSSL
+  if(NOT MINIMAL_BUILD)
+    set(USE_BUNDLED_OPENSSL ON)
+  endif()
+  set(USE_BUNDLED_JQ ON)
 endif()

 file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})

-# The sysdig git reference (branch name, commit hash, or tag)
-# To update sysdig version for the next release, change the default below
-# In case you want to test against another sysdig version just pass the variable - ie., `cmake -DSYSDIG_VERSION=dev ..`
+# The sysdig git reference (branch name, commit hash, or tag) To update sysdig version for the next release, change the
+# default below In case you want to test against another sysdig version just pass the variable - ie., `cmake
+# -DSYSDIG_VERSION=dev ..`
 if(NOT SYSDIG_VERSION)
-  set(SYSDIG_VERSION "96bd9bc560f67742738eb7255aeb4d03046b8045")
-  set(SYSDIG_CHECKSUM "SHA256=766e8952a36a4198fd976b9d848523e6abe4336612188e4fc911e217d8e8a00d")
+  set(SYSDIG_VERSION "2aa88dcf6243982697811df4c1b484bcbe9488a2")
+  set(SYSDIG_CHECKSUM "SHA256=a737077543a6f3473ab306b424bcf7385d788149829ed1538252661b0f20d0f6")
 endif()
 set(PROBE_VERSION "${SYSDIG_VERSION}")

 # cd /path/to/build && cmake /path/to/source
-execute_process(COMMAND "${CMAKE_COMMAND}" -DSYSDIG_VERSION=${SYSDIG_VERSION} -DSYSDIG_CHECKSUM=${SYSDIG_CHECKSUM} ${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
-
+execute_process(COMMAND "${CMAKE_COMMAND}" -DSYSDIG_VERSION=${SYSDIG_VERSION} -DSYSDIG_CHECKSUM=${SYSDIG_CHECKSUM}
+                        ${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})

 # todo(leodido, fntlnz) > use the following one when CMake version will be >= 3.13

@@ -54,6 +57,9 @@ add_subdirectory("${SYSDIG_SOURCE_DIR}/driver" "${PROJECT_BINARY_DIR}/driver")
 # Add libscap directory
 add_definitions(-D_GNU_SOURCE)
 add_definitions(-DHAS_CAPTURE)
+if(MUSL_OPTIMIZED_BUILD)
+  add_definitions(-DMUSL_OPTIMIZED)
+endif()
 add_subdirectory("${SYSDIG_SOURCE_DIR}/userspace/libscap" "${PROJECT_BINARY_DIR}/userspace/libscap")

 # Add libsinsp directory
@@ -64,5 +70,8 @@ add_dependencies(sinsp tbb b64 luajit)
 set(CREATE_TEST_TARGETS OFF)

 if(USE_BUNDLED_DEPS)
-  add_dependencies(scap grpc curl jq)
+  add_dependencies(scap jq)
+  if(NOT MINIMAL_BUILD)
+    add_dependencies(scap curl grpc)
+  endif()
 endif()
--- a/cmake/modules/yaml-cpp.cmake
+++ b/cmake/modules/yaml-cpp.cmake
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
--- a/docker/builder/root/usr/bin/entrypoint
+++ b/docker/builder/root/usr/bin/entrypoint
@@ -34,6 +34,7 @@ case "$CMD" in
    -DCMAKE_BUILD_TYPE="$BUILD_TYPE" \
    -DCMAKE_INSTALL_PREFIX=/usr \
    -DBUILD_DRIVER="$BUILD_DRIVER" \
+    -DMINIMAL_BUILD="$MINIMAL_BUILD" \
    -DBUILD_BPF="$BUILD_BPF" \
    -DBUILD_WARNINGS_AS_ERRORS="$BUILD_WARNINGS_AS_ERRORS" \
    -DFALCO_VERSION="$FALCO_VERSION" \
--- a/docker/falco/docker-entrypoint.sh
+++ b/docker/falco/docker-entrypoint.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -16,10 +16,14 @@
 # limitations under the License.
 #

+# todo(leogr): remove deprecation notice within a couple of releases
+if [[ ! -z "${SKIP_MODULE_LOAD}" ]]; then
+    echo "* SKIP_MODULE_LOAD is deprecated and will be removed soon, use SKIP_DRIVER_LOADER instead"
+fi

-# Set the SKIP_MODULE_LOAD variable to skip loading the kernel module
+# Set the SKIP_DRIVER_LOADER variable to skip loading the driver

-if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
+if [[ -z "${SKIP_DRIVER_LOADER}" ]] && [[ -z "${SKIP_MODULE_LOAD}" ]]; then
    echo "* Setting up /usr/src links from host"

    for i in "$HOST_ROOT/usr/src"/*
--- a/docker/local/docker-entrypoint.sh
+++ b/docker/local/docker-entrypoint.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -17,9 +17,9 @@
 #


-# Set the SKIP_MODULE_LOAD variable to skip loading the kernel module
+# Set the SKIP_DRIVER_LOADER variable to skip loading the driver

-if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
+if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
    echo "* Setting up /usr/src links from host"

    for i in "$HOST_ROOT/usr/src"/*
--- a/docker/no-driver/Dockerfile
+++ b/docker/no-driver/Dockerfile
@@ -12,50 +12,16 @@ WORKDIR /

 ADD https://bintray.com/api/ui/download/falcosecurity/${VERSION_BUCKET}/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz /

-RUN apt-get update -y && \
-    apt-get install -y libyaml-0-2 binutils && \
-    tar -xvf falco-${FALCO_VERSION}-x86_64.tar.gz && \
+RUN tar -xvf falco-${FALCO_VERSION}-x86_64.tar.gz && \
    rm -f falco-${FALCO_VERSION}-x86_64.tar.gz && \
    mv falco-${FALCO_VERSION}-x86_64 falco && \
-    strip falco/usr/bin/falco && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/*
+    rm -rf falco/usr/src/falco-* falco/usr/bin/falco-driver-loader

 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
    && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml

 FROM scratch

-COPY --from=ubuntu /lib/x86_64-linux-gnu/libanl.so.1 \
-    /lib/x86_64-linux-gnu/libc.so.6 \
-    /lib/x86_64-linux-gnu/libdl.so.2 \
-    /lib/x86_64-linux-gnu/libgcc_s.so.1 \
-    /lib/x86_64-linux-gnu/libm.so.6 \
-    /lib/x86_64-linux-gnu/libnsl.so.1 \
-    /lib/x86_64-linux-gnu/libnss_compat.so.2 \
-    /lib/x86_64-linux-gnu/libnss_files.so.2 \
-    /lib/x86_64-linux-gnu/libnss_nis.so.2 \
-    /lib/x86_64-linux-gnu/libpthread.so.0 \
-    /lib/x86_64-linux-gnu/librt.so.1 \
-    /lib/x86_64-linux-gnu/libz.so.1 \
-    /lib/x86_64-linux-gnu/
-
-COPY --from=ubuntu /usr/lib/x86_64-linux-gnu/libstdc++.so.6 \
-    /usr/lib/x86_64-linux-gnu/libstdc++.so.6
-
-COPY --from=ubuntu /usr/lib/x86_64-linux-gnu/libyaml-0.so.2.0.5 \
-    /usr/lib/x86_64-linux-gnu/libyaml-0.so.2
-
-COPY --from=ubuntu /etc/ld.so.cache \
-    /etc/nsswitch.conf \
-    /etc/ld.so.cache \
-    /etc/passwd \
-    /etc/group \
-    /etc/
-
-COPY --from=ubuntu /etc/default/nss /etc/default/nss
-COPY --from=ubuntu /lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2
-
 COPY --from=ubuntu /falco /

 CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]
--- a/docker/tester/Dockerfile
+++ b/docker/tester/Dockerfile
@@ -1,16 +1,20 @@
 FROM fedora:31

 LABEL name="falcosecurity/falco-tester"
-LABEL usage="docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build -e FALCO_VERSION=<current_falco_version> --name <name> falcosecurity/falco-tester test"
+LABEL usage="docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build --name <name> falcosecurity/falco-tester test"
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"

 ENV FALCO_VERSION=
 ENV BUILD_TYPE=release

+ADD https://github.com/fullstorydev/grpcurl/releases/download/v1.6.0/grpcurl_1.6.0_linux_x86_64.tar.gz /
 RUN dnf install -y python-pip python docker findutils jq unzip && dnf clean all
 ENV PATH="/root/.local/bin/:${PATH}"
 RUN pip install --user avocado-framework==69.0
 RUN pip install --user avocado-framework-plugin-varianter-yaml-to-mux==69.0
+RUN pip install --user watchdog==0.10.2
+RUN pip install --user pathtools==0.1.2
+RUN tar -C /usr/bin -xvf grpcurl_1.6.0_linux_x86_64.tar.gz

 COPY ./root /

--- a/docker/tester/root/runners/deb.Dockerfile
+++ b/docker/tester/root/runners/deb.Dockerfile
@@ -6,7 +6,7 @@ RUN test -n FALCO_VERSION
 ENV FALCO_VERSION ${FALCO_VERSION}

 RUN apt update -y
-RUN apt install dkms libyaml-0-2 -y
+RUN apt install dkms -y

 ADD falco-${FALCO_VERSION}-x86_64.deb /
 RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
--- a/docker/tester/root/runners/tar.gz.Dockerfile
+++ b/docker/tester/root/runners/tar.gz.Dockerfile
@@ -6,7 +6,7 @@ RUN test -n FALCO_VERSION
 ENV FALCO_VERSION ${FALCO_VERSION}

 RUN apt update -y
-RUN apt install dkms libyaml-0-2 curl -y
+RUN apt install dkms curl -y

 ADD falco-${FALCO_VERSION}-x86_64.tar.gz /
 RUN cp -R /falco-${FALCO_VERSION}-x86_64/* /
--- a/docker/tester/root/usr/bin/entrypoint
+++ b/docker/tester/root/usr/bin/entrypoint
@@ -1,12 +1,15 @@
 #!/usr/bin/env bash

-set -eu -o pipefail
+BUILD_DIR=${BUILD_DIR:-/build}
+SOURCE_DIR=${SOURCE_DIR:-/source}
+SKIP_PACKAGES_TESTS=${SKIP_PACKAGES_TESTS:-false}

-SOURCE_DIR=/source
-BUILD_DIR=/build
 CMD=${1:-test}
 shift

+# Stop the execution if a command in the pipeline has an error, from now on
+set -e -u -o pipefail
+
 # build type can be "debug" or "release", fallbacks to "release" by default
 BUILD_TYPE=$(echo "$BUILD_TYPE" | tr "[:upper:]" "[:lower:]")
 case "$BUILD_TYPE" in
@@ -47,7 +50,8 @@ case "$CMD" in
 "test")
    if [ -z "$FALCO_VERSION" ]; then
        echo "Automatically figuring out Falco version."
-        FALCO_VERSION=$("$BUILD_DIR/$BUILD_TYPE/userspace/falco/falco" --version | head -n 1 | cut -d' ' -f3 | tr -d '\r')
+        FALCO_VERSION_FULL=$("$BUILD_DIR/$BUILD_TYPE/userspace/falco/falco" --version)
+        FALCO_VERSION=$(echo "$FALCO_VERSION_FULL" | head -n 1 | cut -d' ' -f3  | tr -d '\r')
        echo "Falco version: $FALCO_VERSION"
    fi
    if [ -z "$FALCO_VERSION" ]; then
@@ -56,9 +60,11 @@ case "$CMD" in
    fi

    # build docker images
-    build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "deb"
-    build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "rpm"
-    build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "tar.gz"
+    if [ "$SKIP_PACKAGES_TESTS" = false ] ; then
+        build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "deb"
+        build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "rpm"
+        build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "tar.gz"
+    fi

    # check that source directory contains Falco
    if [ ! -d "$SOURCE_DIR/falco/test" ]; then
@@ -69,12 +75,14 @@ case "$CMD" in
    # run tests
    echo "Running regression tests ..."
    cd "$SOURCE_DIR/falco/test"
-    ./run_regression_tests.sh "$BUILD_DIR/$BUILD_TYPE"
+    SKIP_PACKAGES_TESTS=$SKIP_PACKAGES_TESTS ./run_regression_tests.sh -d "$BUILD_DIR/$BUILD_TYPE"

    # clean docker images
-    clean_image "deb"
-    clean_image "rpm"
-    clean_image "tar.gz"
+    if [ "$SKIP_PACKAGES_TESTS" = false ] ; then
+        clean_image "deb"
+        clean_image "rpm"
+        clean_image "tar.gz"
+    fi
    ;;
 "bash")
    CMD=/bin/bash
--- a/docker/tester/root/usr/bin/usage
+++ b/docker/tester/root/usr/bin/usage
@@ -30,7 +30,7 @@ How to use.

 How to build.

-    * cd docker/builder && DOCKER_BUILDKIT=1 docker build -t falcosecurity/falco-tester .
+    * cd docker/tester && DOCKER_BUILDKIT=1 docker build -t falcosecurity/falco-tester .

 Environment.

--- a/falco.yaml
+++ b/falco.yaml
@@ -28,10 +28,7 @@
 # The files will be read in the order presented here, so make sure if
 # you have overrides they appear in later files.
 rules_file:
-  - /etc/falco/falco_rules.yaml
-  - /etc/falco/falco_rules.local.yaml
-  - /etc/falco/k8s_audit_rules.yaml
-  - /etc/falco/rules.d
+  - /tmp/falco

 # If true, the times displayed in log messages and output messages
 # will be in ISO 8601. By default, times are displayed in the local
@@ -139,7 +136,7 @@ stdout_output:
 webserver:
  enabled: true
  listen_port: 8765
-  k8s_audit_endpoint: /k8s_audit
+  k8s_audit_endpoint: /k8s-audit
  ssl_enabled: false
  ssl_certificate: /etc/falco/falco.pem

@@ -167,21 +164,37 @@ http_output:
  enabled: false
  url: http://some.url

-# gRPC server configuration.
-# The gRPC server is secure by default (mutual TLS) so you need to generate certificates and update their paths here.
+# Falco supports running a gRPC server with two main binding types
+# 1. Over the network with mandatory mutual TLS authentication (mTLS)
+# 2. Over a local unix socket with no authentication
+# By default, the gRPC server is disabled, with no enabled services (see grpc_output)
+# please comment/uncomment and change accordingly the options below to configure it.
+# Important note: if Falco has any troubles creating the gRPC server
+# this information will be logged, however the main Falco daemon will not be stopped.
+# gRPC server over network with (mandatory) mutual TLS configuration.
+# This gRPC server is secure by default so you need to generate certificates and update their paths here.
 # By default the gRPC server is off.
 # You can configure the address to bind and expose it.
 # By modifying the threadiness configuration you can fine-tune the number of threads (and context) it will use.
+# grpc:
+#   enabled: true
+#   bind_address: "0.0.0.0:5060"
+#   # when threadiness is 0, Falco sets it by automatically figuring out the number of online cores
+#   threadiness: 0
+#   private_key: "/etc/falco/certs/server.key"
+#   cert_chain: "/etc/falco/certs/server.crt"
+#   root_certs: "/etc/falco/certs/ca.crt"
+
+# gRPC server using an unix socket
 grpc:
  enabled: false
-  bind_address: "0.0.0.0:5060"
-  threadiness: 8
-  private_key: "/etc/falco/certs/server.key"
-  cert_chain: "/etc/falco/certs/server.crt"
-  root_certs: "/etc/falco/certs/ca.crt"
+  bind_address: "unix:///var/run/falco.sock"
+  # when threadiness is 0, Falco automatically guesses it depending on the number of online cores
+  threadiness: 0

 # gRPC output service.
 # By default it is off.
 # By enabling this all the output events will be kept in memory until you read them with a gRPC client.
+# Make sure to have a consumer for them or leave this disabled.
 grpc_output:
  enabled: false
--- a/proposals/20190826-grpc-outputs.md
+++ b/proposals/20190826-grpc-outputs.md
@@ -1,4 +1,4 @@
-# gRPC Falco Output
+# Falco gRPC Outputs

 <!-- toc -->

@@ -25,7 +25,7 @@ An alert is an "output" when it goes over a transport, and it is emitted by Falc

 At the current moment, however, Falco can deliver alerts in a very basic way, for example by dumping them to standard output.

-For this reason, many Falco users asked, with issues - eg., [falco#528](https://github.com/falcosecurity/falco/issues/528) - or in the [slack channel](https://sysdig.slack.com) if we can find a more consumable way to implement Falco outputs in an extensible way.
+For this reason, many Falco users asked, with issues - eg., [falco#528](https://github.com/falcosecurity/falco/issues/528) - or in the [slack channel](https://slack.k8s.io) if we can find a more consumable way to implement Falco outputs in an extensible way.

 The motivation behind this proposal is to design a new output implementation that can meet our user's needs.

@@ -39,7 +39,10 @@ The motivation behind this proposal is to design a new output implementation tha
 - To continue supporting the old output formats by implementing their same interface
 - To be secure by default (**mutual TLS** authentication)
 - To be **asynchronous** and **non-blocking**
- To implement a Go SDK
+- To provide a connection over unix socket (no authentication)
+- To implement a Go client
+- To implement a Rust client
+- To implement a Python client

 ### Non-Goals

@@ -77,26 +80,25 @@ syntax = "proto3";
 import "google/protobuf/timestamp.proto";
 import "schema.proto";

-package falco.output;
+package falco.outputs;

-option go_package = "github.com/falcosecurity/client-go/pkg/api/output";
+option go_package = "github.com/falcosecurity/client-go/pkg/api/outputs";

-// The `subscribe` service defines the RPC call
-// to perform an output `request` which will lead to obtain an output `response`.
+// This service defines the RPC methods
+// to `request` a stream of output `response`s.
 service service {
-  rpc subscribe(request) returns (stream response);
+  // Subscribe to a stream of Falco outputs by sending a stream of requests.
+  rpc sub(stream request) returns (stream response);
+  // Get all the Falco outputs present in the system up to this call.
+  rpc get(request) returns (stream response);
 }

 // The `request` message is the logical representation of the request model.
-// It is the input of the `subscribe` service.
-// It is used to configure the kind of subscription to the gRPC streaming server.
+// It is the input of the `output.service` service.
 message request {
-  bool keepalive = 1;
-  // string duration = 2; // TODO(leodido, fntlnz): not handled yet but keeping for reference.
-  // repeated string tags = 3; // TODO(leodido, fntlnz): not handled yet but keeping for reference.
 }

-// The `response` message is the logical representation of the output model.
+// The `response` message is the representation of the output model.
 // It contains all the elements that Falco emits in an output along with the
 // definitions for priorities and source.
 message response {
@@ -106,7 +108,7 @@ message response {
  string rule = 4;
  string output = 5;
  map<string, string> output_fields = 6;
-  // repeated string tags = 7; // TODO(leodido,fntlnz): tags not supported yet, keeping for reference
+  string hostname = 7;
 }
 ```

--- a/proposals/20200506-artifacts-scope-part-1.md
+++ b/proposals/20200506-artifacts-scope-part-1.md
@@ -4,7 +4,7 @@ The **Falco Artifact Scope** proposal is divided in two parts:
 1. the Part 1 - *this document*: the State of Art of Falco artifacts
 2. the [Part 2](./20200506-artifacts-scope-part-2.md): the intended state moving forward

-## Summary 
+## Summary

 As a project we would like to support the following artifacts.

@@ -16,7 +16,7 @@ Inspired by many previous issues and many of the weekly community calls.

 ## Terms

-**falco** 
+**falco**

 *The Falco binary*

@@ -30,12 +30,12 @@ Inspired by many previous issues and many of the weekly community calls.

 **package**

-*An installable artifact that is operating system specific. All packages MUST be hosted on bintray.*
+*An installable artifact that is operating system specific. All packages MUST be hosted on [bintray](https://bintray.com/falcosecurity).*

 **image**

 *OCI compliant container image hosted on dockerhub with tags for every release and the current master branch.*
- 
+

 # Packages

@@ -52,11 +52,11 @@ List of currently official container images (for X86 64bits only):

 | Name | Directory | Description |
 |---|---|---|
-| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/stable | Falco (DEB built from git tag or from the master) with all the building toolchain. | 
-| [falcosecurity/falco:latest-slim](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_-slim](https://hub.docker.com/repository/docker/falcosecurity/falco),[falcosecurity/falco:master-slim](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/slim | Falco (DEB build from git tag or from the master) without the building toolchain. | 
-| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. | 
-| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source. Used to build Falco (CI). | 
-| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). | 
+| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/stable | Falco (DEB built from git tag or from the master) with all the building toolchain. |
+| [falcosecurity/falco:latest-slim](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_-slim](https://hub.docker.com/repository/docker/falcosecurity/falco),[falcosecurity/falco:master-slim](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/slim | Falco (DEB build from git tag or from the master) without the building toolchain. |
+| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. |
+| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source. Used to build Falco (CI). |
+| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). |
 | _to not be published_ | docker/local | Built on-the-fly and used by falco-tester. |

 **Note**: `falco-builder`, `falco-tester` (and the `docker/local` image which it's built on the fly by the `falco-tester` one) are not integrated into the release process because they are development and CI tools that need to be manually pushed only when updated.
@@ -76,7 +76,7 @@ This new [contrib](https://github.com/falcosecurity/contrib) repository will be

 ### repository

-"_Incubating level_" projects such as [falco-exporter](https://github.com/falco-exporter) can be promoted from `contrib` to their own repository. 
+"_Incubating level_" projects such as [falco-exporter](https://github.com/falco-exporter) can be promoted from `contrib` to their own repository.

 This is done as needed, and can best be measured by the need to cut a release and use the GitHub release features. Again, this is at the discretion of the Falco open source community.

@@ -92,7 +92,7 @@ The *Part 1* is mainly intended as a cleanup process.
 For each item not listed above, ask if it needs to be moved or deleted.
 After the cleanup process, all items will match the *Part 1* of this proposal.

-    
+
 ### Action Items

 Here are SOME of the items that would need to be done, for example:
--- a/proposals/20200818-artifacts-storage.md
+++ b/proposals/20200818-artifacts-storage.md
@@ -0,0 +1,83 @@
+# Falco Artifacts Storage
+
+This document reflects the way we store the Falco artifacts.
+
+## Terms & Definitions
+
+- [Falco artifacts](./20200506-artifacts-scope-part-1.md)
+- Bintray: artifacts distribution platform
+
+## Packages
+
+The Falco packages are **automatically** built and sent to [bintray](https://bintray.com/falcosecurity) in the following cases:
+
+- a pull request gets merged into the master branch (**Falco development releases**)
+- a new Falco release (git tag) happens on the master branch (**Falco stable releases**)
+
+The only prerequisite is that the specific Falco source code builds successfully and that the tests pass.
+
+As per [Falco Artifacts Scope (#1)](./20200506-artifacts-scope-part-1.md) proposal we provide three kind of Falco packages:
+
+- DEB
+- RPM
+- Tarball
+
+Thus, we have three repositories for the Falco stable releases:
+
+- https://bintray.com/falcosecurity/deb
+- https://bintray.com/falcosecurity/rpm
+- https://bintray.com/falcosecurity/bin
+
+And three repositories for the Falco development releases:
+
+- https://bintray.com/falcosecurity/deb-dev
+- https://bintray.com/falcosecurity/rpm-dev
+- https://bintray.com/falcosecurity/bin-dev
+
+## Drivers
+
+The process of publishing a set of prebuilt Falco drivers is implemented by the **Drivers Build Grid (DBG)** in the [test-infra](https://github.com/falcosecurity/test-infra/tree/master/driverkit) repository (`driverkit` directory).
+
+This process is driven by the configuration files (YAML) present in the `driverkit/config` directory in the [test-infra](https://github.com/falcosecurity/test-infra/tree/master/driverkit) repository.
+
+Each of these files represents a prebuilt driver (eventually two: kernel module and eBPF probe, when possible) that will be published on [bintray](https://bintray.com/falcosecurity) if it builds correctly.
+
+Every time the `driverkit/config` directory on the master branch has some changes from the previous commit the CI system, which you can find defined in the [.circleci/config.yml](https://github.com/falcosecurity/test-infra/blob/master/.circleci/config.yml) file, takes care of building and publishing all the drivers.
+
+The driver versions we ship prebuilt drivers for are:
+
+- the driver version associated with the last Falco stable version ([see here](https://github.com/falcosecurity/falco/blob/c4b7f17271d1a4ca533b2e672ecaaea5289ccdc5/cmake/modules/sysdig.cmake#L29))
+- the driver version associated with the penultimate Falco stable version
+
+The prebuilt drivers get published into [this](https://bintray.com/falcosecurity/driver) generic artifacts repository.
+
+You can also visualize the full list of prebuilt drivers by driver version visiting this [URL](https://dl.bintray.com/falcosecurity/driver).
+
+### Notice
+
+The generation of new prebuilt drivers takes usually place with a frequency of 1-2 weeks, on a **best-effort** basis.
+
+Thus, it can happen the list of available prebuilt drivers does not yet contain the driver version currently on Falco master.
+
+Nevertheless, this process is an open, auditable, and transparent one.
+
+So, by sending a pull-request towards [test-infra](https://github.com/falcosecurity/test-infra) repository containing the configuration YAML files you can help the Falco community stay on track.
+
+Some pull-requests you can look at to create your own are:
+
+- https://github.com/falcosecurity/test-infra/pull/165
+- https://github.com/falcosecurity/test-infra/pull/163
+- https://github.com/falcosecurity/test-infra/pull/162
+
+While, the documentation of the YAML configuration files can be found [here](https://github.com/falcosecurity/driverkit/blob/master/README.md).
+
+## Container images
+
+As per Falco packages, also the Falco official container images are **automatically** published to the [dockerhub](https://hub.docker.com/r/falcosecurity/falco).
+
+These images are built and published in two cases:
+
+- a pull request gets merged into the master branch (**Falco development releases**)
+- a new Falco release (git tag) happens (**Falco stable releases**)
+
+For a detailed explanation of the container images we build and ship look at the following [documentation](https://github.com/falcosecurity/falco/blob/master/docker/README.md).
--- a/proposals/20200901-artifacts-cleanup.md
+++ b/proposals/20200901-artifacts-cleanup.md
@@ -0,0 +1,102 @@
+# Falco Artifacts Cleanup
+
+This document reflects when and how we clean up the Falco artifacts from their storage location.
+
+## Motivation
+
+The [bintray](https://bintray.com/falcosecurity) open-source plan offers 10GB free space for storing artifacts.
+
+They also kindly granted us an additional 5GB of free space.
+
+## Goal
+
+Keep the storage space usage under 15GB by cleaning up the [Falco artifacts](./20200506-artifacts-scope-part-1.md) from the [storage](./20200818-artifacts-storage).
+
+## Status
+
+To be implemented.
+
+## Packages
+
+### Tarballs from Falco master
+
+At the moment of writing this document, this kind of Falco package requires approx. 50MB (maximum detected size) of storage space.
+
+Since, historically, the [bin-dev](https://bintray.com/falcosecurity/bin-dev) repository is the less used one, this document proposes to keep only the last 10 **Falco development releases** it contains.
+
+This means that the [bin-dev](https://bintray.com/falcosecurity/bin-dev) repository will take at maximum 500MB of storage space.
+
+### DEB from Falco master
+
+At the moment of writing this document, this kind of Falco package requires approx. 5.1MB (maximum detected size) of storage space.
+
+Historically, every Falco release is composed by less than 50 merges (upper limit).
+
+So, to theoretically retain all the **Falco development releases** that led to a Falco stable release, this document proposes to keep the last 50 Falco DEB packages.
+
+This means that the [deb-dev](https://bintray.com/falcosecurity/deb-dev) repository will take at maximum 255MB of storage space.
+
+### RPM from Falco master
+
+At the moment of writing this document, this kind of Falco package requires approx. 4.3MB (maximum detected size) of storage space.
+
+For the same exact reasons explained above this document proposes to keep the last 50 Falco RPM packages.
+
+This means that the [rpm-dev](https://bintray.com/falcosecurity/rpm-dev) repository will take at maximum 215MB of storage space.
+
+### Stable releases
+
+This document proposes to retain all the stable releases.
+
+This means that all the Falco packages present in the Falco stable release repositories will be kept.
+
+The [bin](https://bintray.com/falcosecurity/bin) repository contains a Falco tarball package for every release.
+This means it grows in space of ~50MB each month.
+
+The [deb](https://bintray.com/falcosecurity/deb) repository contains a Falco DEB package for every release.
+This means it grows in space of ~5MB each month.
+
+The [rpm](https://bintray.com/falcosecurity/rpm) repository contains a Falco RPM package for every release.
+This means it grows in space of ~4.3MB each month.
+
+### Considerations
+
+Assuming the size of the packages does not surpass the numbers listed in the above sections, the **Falco development releases** will always take less that 1GB of artifacts storage space.
+
+Assuming 12 stable releases at year, at the current size of packages, the **Falco stable releases** will take approx. 720MB of storage space every year.
+
+### Implementation
+
+The Falco CI will have a new CI job - called `cleanup/packages-dev` - responsible for removing the **Falco development releases** depending on the above plan.
+
+This job will be triggered after the `publish/packages-dev` completed successfully.
+
+## Drivers
+
+As explained in the [Artifacts Storage](./20200818-artifacts-storage) proposal, we build the drivers for the **last two driver versions** associated with **latest Falco stable releases**.
+Then, we store those drivers into a [generic bintray repository](https://bintray.com/falcosecurity/driver) from which the installation process automatically downloads them, if suitable.
+
+This document proposes to implement a cleanup mechanism that deletes all the other driver versions available.
+
+At the moment of writing, considering only the last two driver versions (**ae104eb**, **85c8895**) associated with the latest Falco stable releases, we ship ~340 eBPF drivers, each accounting for ~3.1MB of storage space, and 1512 kernel modules (~3.1MB size each, too).
+
+Thus, we obtain an estimate of approx. 2.875GB for **each** driver version.
+
+This document proposes to only store the last two driver versions associates with the latest Falco stable releases. And deleting the other ones.
+
+This way, assuming the number of prebuilt drivers does not skyrocket, we can reasonably estimate the storage space used by prebuilt drivers to be around 6GB.
+
+Notice that, in case a Falco stable release will not depend on a new driver version, this means the last two driver versions will, in this case, cover more than the two Falco stable releases.
+
+### Archivation
+
+Since the process of building drivers is time and resource consuming, this document also proposes to move the driver versions in other storage facilities.
+
+The candidate is an AWS S3 bucket responsible for holding the deleted driver version files.
+
+### Implementation
+
+The [test-infra](https://github.com/falcosecurity/test-infra) CI, specifically its part dedicated to run the **Drivers Build Grid** that runs every time it detects changes into the `driverkit` directory of the [test-infra](https://github.com/falcosecurity/test-infra) repository,
+will have a new job - called `drivers/cleanup` - responsible for removing all the Falco driver versions except the last two.
+
+This job will be triggered after the `drivers/publish` completed successfully on the master branch.
--- a/proposals/20201025-drivers-storage-s3.md
+++ b/proposals/20201025-drivers-storage-s3.md
@@ -0,0 +1,133 @@
+# Falco Drivers Storage S3
+
+## Introduction
+
+In the past days, as many people probably noticed, Bintray started rate-limiting our users, effectively preventing them from downloading any kernel module, rpm/deb package or any pre-built dependency we host there.
+
+This does not only interrupt the workflow of our users but also the workflow of the contributors, since without bintray most of our container images and CMake files can’t download the dependencies we mirror.
+
+### What is the cause?
+
+We had a spike in adoption apparently, either a user with many nodes or an increased number of users. We don’t know this detail specifically yet because bintray does not give us very fine-grained statistics on this.
+
+This is the 30-days history:
+
+![A spike on driver downloads the last ten days](20201025-drivers-storage-s3_downloads.png)
+
+As you can see, we can only see that they downloaded the latest kernel module driver version, however we can’t see if:
+
+* It’s a single source or many different users
+
+* What is the kernel/OS they are using
+
+### What do we host on Bintray?
+
+* RPM packages: high traffic but very manageable ~90k downloads a month
+
+* Deb packages:low traffic ~5k downloads a month
+
+* Pre-built image Dependencies: low traffic, will eventually disappear in the future
+
+* Kernel modules: very high traffic, 700k downloads in 10 days, this is what is causing the current problems. They are primarily used by users of our container images.
+
+* eBPF probes: low traffic ~5k downloads a month
+
+### Motivations to go to S3 instead of Bintray for the Drivers
+
+Bintray does an excellent service at building the rpm/deb structures for us, however we also use them for S3-like storage for the drivers. We have ten thousand files hosted there and the combinations are infinite.
+
+
+Before today, we had many issues with storage even without the spike in users we are seeing since the last ten days.
+
+## Context on AWS
+
+Amazon AWS, recently gave credits to the Falco project to operate some parts of the infrastructure on AWS. The CNCF is providing a sub-account we are already using for the migration of the other pieces (like Prow). 
+
+## Interactions with other teams and the CNCF
+
+* The setup on the AWS account side already done, this is all technical work.
+
+* We need to open a CNCF service account ticket for the download.falco.org subdomain to point to the S3 bucket we want to use
+
+## The Plan
+
+We want to propose to move the drivers and the container dependencies to S3.
+
+#### Moving means:
+
+* We create a public S3 bucket with[ stats enabled](https://docs.aws.amazon.com/AmazonS3/latest/dev/analytics-storage-class.html)
+
+* We attach the bucket to a cloudfront distribution behind the download.falco.org subdomain
+
+* We move the current content keeping the same web server directory structure
+
+* We change the Falco Dockerfiles and driver loader script accordingly
+
+* We update test-infra to push the drivers to S3
+
+* Once we have the drivers in S3, we can ask bintray to relax the limits for this month so that our users are able to download the other packages we keep there. Otherwise they will have to wait until November 1st. We only want to do that after the moving because otherwise we will hit the limits pretty quickly.
+
+#### The repositories we want to move are:
+
+* [https://bintray.com/falcosecurity/driver](https://bintray.com/falcosecurity/driver) will become https://download.falco.org/driver
+
+* [https://bintray.com/falcosecurity/dependencies](https://bintray.com/falcosecurity/dependencies) will become https://download.falco.org/dependencies
+
+#### Changes in Falco
+
+* [Search for bintray ](https://github.com/falcosecurity/falco/search?p=2&q=bintray)on the Falco repo and replace the URL for the CMake and Docker files.
+
+* It’s very important to change the DRIVERS_REPO environment variable [here](https://github.com/falcosecurity/falco/blob/0a33f555eb8e019806b46fea8b80a6302a935421/CMakeLists.txt#L86) - this is what updates the falco-driver-loader scripts that the users and container images use to fetch the module
+
+#### Changes in Test Infra
+
+* We need to use the S3 cli instead of jfrog cli to upload to the s3 bucket after building [here](https://github.com/falcosecurity/test-infra/blob/master/.circleci/config.yml)
+
+* We can probably remove jfrog from that repo since it only deals with drivers and drivers are being put on S3 now
+
+* Instructions on how to setup the S3 directory structure [here](https://falco.org/docs/installation/#install-driver)
+
+    * `/$driver_version$/falco_$target$_$kernelrelease$_$kernelversion$.[ko|o]`
+
+#### Changes to Falco website
+
+* Changes should not be necessary, we are not updating the way people install Falco but only the driver. The driver is managed by a script we can change.
+
+## Mitigation and next steps for the users
+
+* **The average users should be good to go now, Bintray raised our limits and we have some room to do this without requiring manual steps on your end**
+
+* **Users that can’t wait for us to have the S3 setup done: **can setup an S3 as driver repo themselves, push the drivers they need to it after compiling them (they can use [Driverkit](https://github.com/falcosecurity/driverkit) for that) Instructions on how to setup the S3 directory structure [here](https://falco.org/docs/installation/#install-driver).
+
+* **Users that can’t wait but don’t want to setup a webserver themselves**: the falco-driver-loader script can also compile the module for you. Make sure to install the kernel-headers on your nodes.
+
+* **Users that can wait** we will approve this document and act on the plan described here by providing the DRIVERS_REPO at  [https://download.falco.org/driver](https://download.falco.org/driver) that then you can use
+
+### How to use an alternative DRIVERS_REPO ?
+
+**On bash:**
+
+export DRIVERS_REPO=https://your-url-here
+
+**Docker**
+
+Pass it as environment variable using the docker run flag -e - for example:
+
+docker run -e DRIVERS_REPO=[https://your-url-here](https://your-url-here) 
+
+**Kubernetes**
+
+spec:
+
+  containers:
+
+  - env:
+
+    - name: DRIVERS_REPO
+
+      value: https://your-url-here
+
+## Release
+
+Next release is on December 1st, we want to rollout a hotfix 0.26.2 release that only contains the updated script before that date so that users don’t get confused and we can just tell them "update Falco" to get the thing working again.
+
--- a/proposals/20201025-drivers-storage-s3_downloads.png
+++ b/proposals/20201025-drivers-storage-s3_downloads.png
--- a/rules/CMakeLists.txt
+++ b/rules/CMakeLists.txt
@@ -37,8 +37,7 @@ if(DEFINED FALCO_COMPONENT)
    COMPONENT "${FALCO_COMPONENT}"
    DESTINATION "${FALCO_ETC_DIR}"
    RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}")
-
-  # Intentionally *not* installing application_rules.yaml. Not needed when falco is embedded in other projects.
+# Intentionally *not* installing application_rules.yaml. Not needed when falco is embedded in other projects.
 else()
  install(
    FILES falco_rules.yaml
@@ -57,8 +56,8 @@ else()

  install(
    FILES application_rules.yaml
-    DESTINATION "/etc/falco/rules.available"
+    DESTINATION "${FALCO_ETC_DIR}/rules.available"
    RENAME "${FALCO_APP_RULES_DEST_FILENAME}")

-  install(DIRECTORY DESTINATION "/etc/falco/rules.d")
+  install(DIRECTORY DESTINATION "${FALCO_ETC_DIR}/rules.d")
 endif()
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@@ -40,8 +40,18 @@

 # If you wish to restrict activity to a specific set of users, override/append to this list.
 # users created by kops are included
+- list: vertical_pod_autoscaler_users
+  items: ["vpa-recommender", "vpa-updater"]
+
 - list: allowed_k8s_users
-  items: ["minikube", "minikube-user", "kubelet", "kops", "admin", "kube", "kube-proxy"]
+  items: [
+    "minikube", "minikube-user", "kubelet", "kops", "admin", "kube", "kube-proxy", "kube-apiserver-healthcheck",
+    "kubernetes-admin",
+    vertical_pod_autoscaler_users,
+    cluster-autoscaler,
+    "system:addon-manager",
+    "cloud-controller-manager"
+    ]

 - rule: Disallowed K8s User
  desc: Detect any k8s operation by users outside of an allowed set of users.
@@ -149,10 +159,13 @@
  source: k8s_audit
  tags: [k8s]

+- macro: user_known_node_port_service
+  condition: (k8s_audit_never_true)
+
 - rule: Create NodePort Service
  desc: >
    Detect an attempt to start a service with a NodePort service type
-  condition: kevt and service and kcreate and ka.req.service.type=NodePort
+  condition: kevt and service and kcreate and ka.req.service.type=NodePort and not user_known_node_port_service
  output: NodePort Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace ports=%ka.req.service.ports)
  priority: WARNING
  source: k8s_audit
@@ -180,7 +193,7 @@
 - rule: Anonymous Request Allowed
  desc: >
    Detect any request made by the anonymous user that was allowed
-  condition: kevt and ka.user.name=system:anonymous and ka.auth.decision!=reject and not health_endpoint
+  condition: kevt and ka.user.name=system:anonymous and ka.auth.decision="allow" and not health_endpoint
  output: Request by anonymous user allowed (user=%ka.user.name verb=%ka.verb uri=%ka.uri reason=%ka.auth.reason))
  priority: WARNING
  source: k8s_audit
@@ -195,15 +208,31 @@
 # attach request was created privileged or not. For now, we have a
 # less severe rule that detects attaches/execs to any pod.

+- macro: user_known_exec_pod_activities
+  condition: (k8s_audit_never_true)
+
 - rule: Attach/Exec Pod
  desc: >
    Detect any attempt to attach/exec to a pod
-  condition: kevt_started and pod_subresource and kcreate and ka.target.subresource in (exec,attach)
+  condition: kevt_started and pod_subresource and kcreate and ka.target.subresource in (exec,attach) and not user_known_exec_pod_activities
  output: Attach/Exec to pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace action=%ka.target.subresource command=%ka.uri.param[command])
  priority: NOTICE
  source: k8s_audit
  tags: [k8s]

+- macro: user_known_pod_debug_activities
+  condition: (k8s_audit_never_true)
+
+# Only works when feature gate EphemeralContainers is enabled
+- rule: EphemeralContainers Created
+  desc: >
+    Detect any ephemeral container created
+  condition: kevt and pod_subresource and kmodify and ka.target.subresource in (ephemeralcontainers) and not user_known_pod_debug_activities
+  output: Ephemeral container is created in pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace ephemeral_container_name=%jevt.value[/requestObject/ephemeralContainers/0/name] ephemeral_container_image=%jevt.value[/requestObject/ephemeralContainers/0/image])
+  priority: NOTICE
+  source: k8s_audit
+  tags: [k8s]
+
 # In a local/user rules fie, you can append to this list to add additional allowed namespaces
 - list: allowed_namespaces
  items: [kube-system, kube-public, default]
@@ -216,19 +245,63 @@
  source: k8s_audit
  tags: [k8s]

+# Only defined for backwards compatibility. Use the more specific
+# user_allowed_kube_namespace_image_list instead.
+- list: user_trusted_image_list
+  items: []
+
+- list: user_allowed_kube_namespace_image_list
+  items: [user_trusted_image_list]
+
+# Only defined for backwards compatibility. Use the more specific
+# allowed_kube_namespace_image_list instead.
+- list: k8s_image_list
+  items: []
+
+- list: allowed_kube_namespace_image_list
+  items: [
+    gcr.io/google-containers/prometheus-to-sd,
+    gcr.io/projectcalico-org/node,
+    gke.gcr.io/addon-resizer,
+    gke.gcr.io/heapster,
+    gke.gcr.io/gke-metadata-server,
+    k8s.gcr.io/ip-masq-agent-amd64,
+    k8s.gcr.io/kube-apiserver,
+    gke.gcr.io/kube-proxy,
+    gke.gcr.io/netd-amd64,
+    k8s.gcr.io/addon-resizer
+    k8s.gcr.io/prometheus-to-sd,
+    k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64,
+    k8s.gcr.io/k8s-dns-kube-dns-amd64,
+    k8s.gcr.io/k8s-dns-sidecar-amd64,
+    k8s.gcr.io/metrics-server-amd64,
+    kope/kube-apiserver-healthcheck,
+    k8s_image_list
+    ]
+
+- macro: allowed_kube_namespace_pods
+  condition: (ka.req.pod.containers.image.repository in (user_allowed_kube_namespace_image_list) or
+              ka.req.pod.containers.image.repository in (allowed_kube_namespace_image_list))
+
 # Detect any new pod created in the kube-system namespace
 - rule: Pod Created in Kube Namespace
  desc: Detect any attempt to create a pod in the kube-system or kube-public namespaces
-  condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public)
+  condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public) and not allowed_kube_namespace_pods
  output: Pod created in kube namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]

+- list: user_known_sa_list
+  items: []
+
+- macro: trusted_sa
+  condition: (ka.target.name in (user_known_sa_list))
+
 # Detect creating a service account in the kube-system/kube-public namespace
 - rule: Service Account Created in Kube Namespace
  desc: Detect any attempt to create a serviceaccount in the kube-system or kube-public namespaces
-  condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public) and response_successful
+  condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public) and response_successful and not trusted_sa
  output: Service account created in kube namespace (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace)
  priority: WARNING
  source: k8s_audit
@@ -239,7 +312,8 @@
 # normal operation.
 - rule: System ClusterRole Modified/Deleted
  desc: Detect any attempt to modify/delete a ClusterRole/Role starting with system
-  condition: kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and ka.target.name!="system:coredns"
+  condition: kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and
+             not ka.target.name in (system:coredns, system:managed-certificate-controller)
  output: System ClusterRole/Role modified or deleted (user=%ka.user.name role=%ka.target.name ns=%ka.target.namespace action=%ka.verb)
  priority: WARNING
  source: k8s_audit
@@ -470,8 +544,6 @@
  source: k8s_audit
  tags: [k8s]

-
-
 - macro: ingress
  condition: ka.target.resource=ingresses

@@ -507,8 +579,6 @@
  priority: WARNING
  tags: [k8s, network]

-
-
 - macro: node
  condition: ka.target.resource=nodes

--- a/scripts/cleanup
+++ b/scripts/cleanup
@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+
+usage() {
+    echo "usage: $0 -p 0987654321 -r <deb-dev|rpm-dev|bin-dev>"
+    exit 1
+}
+
+user=poiana
+
+# Get the versions to delete.
+#
+# $1: repository to lookup
+# $2: number of versions to skip.
+get_versions() {
+    # The API endpoint returns the Falco package versions sort by most recent.
+    IFS=$'\n' read -r -d '' -a all < <(curl -s --header "Content-Type: application/json" "https://api.bintray.com/packages/falcosecurity/$1/falco" | jq -r '.versions | .[]' | tail -n "+$2")
+}
+
+# Remove all the versions (${all[@]} array).
+#
+# $1: repository containing the versions.
+rem_versions() {
+    for i in "${!all[@]}";
+    do
+        JFROG_CLI_LOG_LEVEL=DEBUG jfrog bt vd --quiet --user "${user}" --key "${pass}" "falcosecurity/$1/falco/${all[$i]}"
+    done
+}
+
+while getopts ":p::r:" opt; do
+    case "${opt}" in
+        p )
+          pass=${OPTARG}
+          ;;
+        r )
+          repo="${OPTARG}"
+          [[ "${repo}" == "deb-dev" || "${repo}" == "rpm-dev" || "${repo}" == "bin-dev" ]] || usage
+          ;;
+        : )
+          echo "invalid option: ${OPTARG} requires an argument" 1>&2
+          exit 1
+          ;;
+        \?)
+          echo "invalid option: ${OPTARG}" 1>&2
+          exit 1
+          ;;
+    esac
+done
+shift $((OPTIND-1))
+
+if [ -z "${pass}" ] || [ -z "${repo}" ]; then
+    usage
+fi
+
+skip=51
+if [[ "${repo}" == "bin-dev" ]]; then
+    skip=11
+fi
+
+get_versions "${repo}" ${skip}
+echo "number of versions to delete: ${#all[@]}"
+rem_versions "${repo}"
--- a/scripts/falco-driver-loader
+++ b/scripts/falco-driver-loader
@@ -143,33 +143,41 @@ load_kernel_module_compile() {
 	# skip dkms on UEK hosts because it will always fail
 	if [[ $(uname -r) == *uek* ]]; then
 		echo "* Skipping dkms install for UEK host"
-	else
-		if hash dkms &>/dev/null; then
-				echo "* Trying to dkms install ${DRIVER_NAME} module"
-			if dkms install -m "${DRIVER_NAME}" -v "${DRIVER_VERSION}" -k "${KERNEL_RELEASE}" 2>/dev/null; then
-				echo "* ${DRIVER_NAME} module installed in dkms, trying to insmod"				
-				if insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko" > /dev/null 2>&1; then
-					echo "* Success: ${DRIVER_NAME} module found and loaded in dkms"
-					exit 0
-				elif insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko.xz" > /dev/null 2>&1; then
-					echo "* Success: ${DRIVER_NAME} module found and loaded in dkms (xz)"
-					exit 0
-				else
-					echo "* Unable to insmod ${DRIVER_NAME} module"
-				fi
+		return
+	fi
+
+	if ! hash dkms &>/dev/null; then
+		echo "* Skipping dkms install (dkms not found)"
+		return
+	fi
+
+	# try to compile using all the available gcc versions
+	for CURRENT_GCC in $(which gcc) $(ls "$(dirname "$(which gcc)")"/gcc-* | grep 'gcc-[0-9]\+' | sort -r); do
+		echo "* Trying to dkms install ${DRIVER_NAME} module with GCC ${CURRENT_GCC}"
+		echo "#!/usr/bin/env bash" > /tmp/falco-dkms-make
+		echo "make CC=${CURRENT_GCC} \$@" >> /tmp/falco-dkms-make
+		chmod +x /tmp/falco-dkms-make
+		if dkms install --directive="MAKE='/tmp/falco-dkms-make'" -m "${DRIVER_NAME}" -v "${DRIVER_VERSION}" -k "${KERNEL_RELEASE}" 2>/dev/null; then
+			echo "* ${DRIVER_NAME} module installed in dkms, trying to insmod"				
+			if insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko" > /dev/null 2>&1; then
+				echo "* Success: ${DRIVER_NAME} module found and loaded in dkms"
+				exit 0
+			elif insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko.xz" > /dev/null 2>&1; then
+				echo "* Success: ${DRIVER_NAME} module found and loaded in dkms (xz)"
+				exit 0
 			else
-				DKMS_LOG="/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/build/make.log"
-				if [ -f "${DKMS_LOG}" ]; then
-					echo "* Running dkms build failed, dumping ${DKMS_LOG}"
-					cat "${DKMS_LOG}"
-				else
-					echo "* Running dkms build failed, couldn't find ${DKMS_LOG}"
-				fi
+				echo "* Unable to insmod ${DRIVER_NAME} module"
 			fi
 		else
-			echo "* Skipping dkms install (dkms not found)"
+			DKMS_LOG="/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/build/make.log"
+			if [ -f "${DKMS_LOG}" ]; then
+				echo "* Running dkms build failed, dumping ${DKMS_LOG} (with GCC ${CURRENT_GCC})"
+				cat "${DKMS_LOG}"
+			else
+				echo "* Running dkms build failed, couldn't find ${DKMS_LOG} (with GCC ${CURRENT_GCC})"
+			fi
 		fi
-	fi
+	done
 }

 load_kernel_module_download() {
@@ -473,9 +481,8 @@ else
 	FALCO_DRIVER_CURL_OPTIONS=-fsS
 fi

-MAX_RMMOD_WAIT=60
-if [[ $# -ge 1 ]]; then
-	MAX_RMMOD_WAIT=$1
+if [[ -z "$MAX_RMMOD_WAIT" ]]; then
+	MAX_RMMOD_WAIT=60
 fi

 DRIVER_VERSION="@PROBE_VERSION@"
--- a/test/CMakeLists.txt
+++ b/test/CMakeLists.txt
@@ -1 +1,4 @@
 add_subdirectory(trace_files)
+
+add_custom_target(test-trace-files ALL)
+add_dependencies(test-trace-files trace-files-base-scap trace-files-psp trace-files-k8s-audit)
--- a/test/README.md
+++ b/test/README.md
@@ -1,6 +1,115 @@
-# Falco Regression tests
+# Falco regression tests

 This folder contains the Regression tests suite for Falco.

 You can find instructions on how to run this test suite on the Falco website [here](https://falco.org/docs/source/#run-regression-tests).

+## Test suites
+
+- [falco_tests](./falco_tests.yaml)
+- [falco_traces](./falco_traces.yaml.in)
+- [falco_tests_package](./falco_tests_package.yaml)
+- [falco_k8s_audit_tests](./falco_k8s_audit_tests.yaml)
+- [falco_tests_psp](./falco_tests_psp.yaml)
+
+## Running locally
+
+This step assumes you already built Falco.
+
+Note that the tests are intended to be run against a [release build](https://falco.org/docs/source/#specify-the-build-type) of Falco, at the moment.
+
+Also, it assumes you prepared [falco_traces](#falco_traces) (see the section below) and you already run the following command from the build directory:
+
+```console
+make test-trace-files
+```
+
+It prepares the fixtures (`json` and `scap` files) needed by the integration tests.
+
+Using `virtualenv` the steps to locally run a specific test suite are the following ones (from this directory):
+
+```console
+virtualenv venv
+source venv/bin/activate
+pip install -r requirements.txt
+BUILD_DIR="../build" avocado run --mux-yaml falco_tests.yaml --job-results-dir /tmp/job-results -- falco_test.py
+deactivate
+```
+
+The name of the specific test suite to run is `falco_tests.yaml` in this case. Change it to run others test suites.
+
+In case you want to only execute a specific test case, use the `--mux-filter-only` parameter as follows:
+
+```console
+BUILD_DIR="../build" avocado run --mux-yaml falco_tests.yaml --job-results-dir /tmp/job-results --mux-filter-only /run/trace_files/program_output -- falco_test.py
+```
+
+To obtain the path of all the available variants for a given test suite, execute:
+
+```console
+avocado variants --mux-yaml falco_tests.yaml
+```
+
+### falco_traces
+
+The `falco_traces.yaml` test suite gets generated through the `falco_traces.yaml.in` file and some fixtures (`scap` files) downloaded from the web at execution time.
+
+1. Ensure you have `unzip` and `xargs` utilities
+2. Prepare the test suite with the following command:
+
+    ```console
+    bash run_regression_tests.sh -p -v
+    ```
+
+### falco_tests_package
+
+The `falco_tests_package.yaml` test suite requires some additional setup steps to be succesfully run on your local machine.
+
+In particular, it requires some runners (ie., docker images) to be already built and present into your local machine.
+
+1. Ensure you have `docker` up and running
+2. Ensure you build Falco (with bundled deps)
+
+    The recommended way of doing it by running the `falcosecurity/falco-builder` docker image from the project root:
+
+    ```console
+    docker run -v $PWD/..:/source -v $PWD/mybuild:/build falcosecurity/falco-builder cmake
+    docker run -v $PWD/..:/source -v $PWD/mybuild:/build falcosecurity/falco-builder falco
+    ```
+
+3. Ensure you build the Falco packages from the Falco above:
+
+    ```console
+    docker run -v $PWD/..:/source -v $PWD/mybuild:/build falcosecurity/falco-builder package
+    ```
+
+4. Ensure you build the runners:
+
+    ```console
+    FALCO_VERSION=$(./mybuild/release/userspace/falco/falco --version  | head -n 1 | cut -d' ' -f3 | tr -d '\r')
+    mkdir -p /tmp/runners-rootfs
+    cp -R ./test/rules /tmp/runners-rootfs
+    cp -R ./test/trace_files /tmp/runners-rootfs
+    cp ./mybuild/release/falco-${FALCO_VERSION}-x86_64.{deb,rpm,tar.gz} /tmp/runners-rootfs
+    docker build -f docker/tester/root/runners/deb.Dockerfile --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:test-deb /tmp/runners-rootfs
+    docker build -f docker/tester/root/runners/rpm.Dockerfile --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:test-rpm /tmp/runners-rootfs
+    docker build -f docker/tester/root/runners/tar.gz.Dockerfile --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:test-tar.gz /tmp/runners-rootfs
+    ```
+
+5. Run the `falco_tests_package.yaml` test suite from the `test` directory
+
+    ```console
+    cd test
+    BUILD_DIR="../mybuild" avocado run --mux-yaml falco_tests_package.yaml --job-results-dir /tmp/job-results -- falco_test.py
+    ```
+
+### Execute all the test suites
+
+In case you want to run all the test suites at once, you can directly use the `run_regression_tests.sh` runner script.
+
+```console
+cd test
+./run_regression_tests.sh -v
+```
+
+Just make sure you followed all the previous setup steps.
--- a/test/confs/grpc_unix_socket.yaml
+++ b/test/confs/grpc_unix_socket.yaml
@@ -0,0 +1,38 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# Whether to output events in json or text.
+json_output: false
+
+# Send information logs to stderr and/or syslog
+# Note these are *not* security notification logs!
+# These are just Falco lifecycle (and possibly error) logs.
+log_stderr: false
+log_syslog: false
+
+# Where security notifications should go.
+stdout_output:
+  enabled: false
+
+# gRPC server using an unix socket.
+grpc:
+    enabled: true
+    bind_address: "unix:///tmp/falco/falco.sock"
+    threadiness: 8
+
+grpc_output:
+  enabled: true
--- a/test/confs/program_output.yaml
+++ b/test/confs/program_output.yaml
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -21,14 +21,14 @@ rules_file: /etc/falco_rules.yaml
 # Whether to output events in json or text
 json_output: false

-# Send information logs to stderr and/or syslog Note these are *not* security
-# notification logs! These are just Falco lifecycle (and possibly error) logs.
+# Send information logs to stderr and/or syslog
+# Note these are *not* security notification logs!
+# These are just Falco lifecycle (and possibly error) logs.
 log_stderr: false
 log_syslog: false

 # Where security notifications should go.
 # Multiple outputs can be enabled.
-
 syslog_output:
  enabled: false

@@ -41,4 +41,4 @@ stdout_output:

 program_output:
  enabled: true
-  program: cat > /tmp/falco_outputs/program_output.txt
+  program: cat >> /tmp/falco_outputs/program_output.txt
--- a/test/confs/psp.yaml
+++ b/test/confs/psp.yaml
@@ -136,7 +136,7 @@ stdout_output:
 webserver:
  enabled: true
  listen_port: 8765
-  k8s_audit_endpoint: /k8s_audit
+  k8s_audit_endpoint: /k8s-audit
  ssl_enabled: false
  ssl_certificate: /etc/falco/falco.pem

--- a/test/confs/stdout_output.yaml
+++ b/test/confs/stdout_output.yaml
@@ -0,0 +1,42 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# File containing Falco rules, loaded at startup.
+rules_file: /etc/falco_rules.yaml
+
+# Whether to output events in json or text
+json_output: false
+
+# Send information logs to stderr and/or syslog Note these are *not* security
+# notification logs! These are just Falco lifecycle (and possibly error) logs.
+log_stderr: false
+log_syslog: false
+
+# Where security notifications should go.
+# Multiple outputs can be enabled.
+
+syslog_output:
+  enabled: false
+
+file_output:
+  enabled: false
+
+stdout_output:
+  enabled: true
+
+program_output:
+  enabled: false
--- a/test/driver-loader/run_test.sh
+++ b/test/driver-loader/run_test.sh
@@ -20,17 +20,17 @@ set -euo pipefail
 BUILD_DIR=$1

 SCRIPT=$(readlink -f $0)
-SCRIPTDIR=$(dirname $SCRIPT)
+SCRIPTDIR=$(dirname "$SCRIPT")
 RUNNERDIR="${SCRIPTDIR}/runner"
 FALCO_VERSION=$(cat ${BUILD_DIR}/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
 DRIVER_VERSION=$(cat ${BUILD_DIR}/userspace/falco/config_falco.h | grep 'DRIVER_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
 FALCO_PACKAGE="falco-${FALCO_VERSION}-x86_64.tar.gz"

 cp "${BUILD_DIR}/${FALCO_PACKAGE}" "${RUNNERDIR}"
-pushd ${RUNNERDIR}
+pushd "${RUNNERDIR}"
 docker build --build-arg FALCO_VERSION="$FALCO_VERSION" \
    -t falcosecurity/falco:test-driver-loader \
-    -f "${RUNNERDIR}/Dockerfile" ${RUNNERDIR}
+    -f "${RUNNERDIR}/Dockerfile" "${RUNNERDIR}"
 popd
 rm -f "${RUNNERDIR}/${FALCO_PACKAGE}"

--- a/test/driver-loader/runner/Dockerfile
+++ b/test/driver-loader/runner/Dockerfile
@@ -10,7 +10,6 @@ ENV HOST_ROOT=/host
 RUN apt-get update -y
 RUN apt-get install -y --no-install-recommends \
 	ca-certificates \
-	libyaml-0-2 \
 	dkms \
 	curl \
 	gcc \
--- a/test/falco_test.py
+++ b/test/falco_test.py
@@ -1,4 +1,4 @@
- #!/usr/bin/env python
+#!/usr/bin/env python
 #
 # Copyright (C) 2019 The Falco Authors.
 #
@@ -28,6 +28,9 @@ import urllib.request
 from avocado import Test
 from avocado import main
 from avocado.utils import process
+from watchdog.observers import Observer
+from watchdog.events import PatternMatchingEventHandler
+

 class FalcoTest(Test):

@@ -47,17 +50,20 @@ class FalcoTest(Test):
        self.stdout_is = self.params.get('stdout_is', '*', default='')
        self.stderr_is = self.params.get('stderr_is', '*', default='')

-        self.stdout_contains = self.params.get('stdout_contains', '*', default='')
+        self.stdout_contains = self.params.get(
+            'stdout_contains', '*', default='')

        if not isinstance(self.stdout_contains, list):
            self.stdout_contains = [self.stdout_contains]

-        self.stderr_contains = self.params.get('stderr_contains', '*', default='')
+        self.stderr_contains = self.params.get(
+            'stderr_contains', '*', default='')

        if not isinstance(self.stderr_contains, list):
            self.stderr_contains = [self.stderr_contains]

-        self.stdout_not_contains = self.params.get('stdout_not_contains', '*', default='')
+        self.stdout_not_contains = self.params.get(
+            'stdout_not_contains', '*', default='')

        if not isinstance(self.stdout_not_contains, list):
            if self.stdout_not_contains == '':
@@ -65,7 +71,8 @@ class FalcoTest(Test):
            else:
                self.stdout_not_contains = [self.stdout_not_contains]

-        self.stderr_not_contains = self.params.get('stderr_not_contains', '*', default='')
+        self.stderr_not_contains = self.params.get(
+            'stderr_not_contains', '*', default='')

        if not isinstance(self.stderr_not_contains, list):
            if self.stderr_not_contains == '':
@@ -81,15 +88,18 @@ class FalcoTest(Test):
            self.trace_file = os.path.join(build_dir, "test", self.trace_file)

        self.json_output = self.params.get('json_output', '*', default=False)
-        self.json_include_output_property = self.params.get('json_include_output_property', '*', default=True)
+        self.json_include_output_property = self.params.get(
+            'json_include_output_property', '*', default=True)
        self.all_events = self.params.get('all_events', '*', default=False)
        self.priority = self.params.get('priority', '*', default='debug')
-        self.rules_file = self.params.get('rules_file', '*', default=os.path.join(self.basedir, '../rules/falco_rules.yaml'))
+        self.rules_file = self.params.get(
+            'rules_file', '*', default=os.path.join(self.basedir, '../rules/falco_rules.yaml'))

        if not isinstance(self.rules_file, list):
            self.rules_file = [self.rules_file]

-        self.validate_rules_file = self.params.get('validate_rules_file', '*', default=False)
+        self.validate_rules_file = self.params.get(
+            'validate_rules_file', '*', default=False)

        if self.validate_rules_file == False:
            self.validate_rules_file = []
@@ -116,13 +126,15 @@ class FalcoTest(Test):
                file = os.path.join(self.basedir, file)
            self.rules_args = self.rules_args + "-r " + file + " "

-        self.conf_file = self.params.get('conf_file', '*', default=os.path.join(self.basedir, '../falco.yaml'))
+        self.conf_file = self.params.get(
+            'conf_file', '*', default=os.path.join(self.basedir, '../falco.yaml'))
        if not os.path.isabs(self.conf_file):
            self.conf_file = os.path.join(self.basedir, self.conf_file)

        self.run_duration = self.params.get('run_duration', '*', default='')

-        self.disabled_rules = self.params.get('disabled_rules', '*', default='')
+        self.disabled_rules = self.params.get(
+            'disabled_rules', '*', default='')

        if self.disabled_rules == '':
            self.disabled_rules = []
@@ -135,7 +147,8 @@ class FalcoTest(Test):
        for rule in self.disabled_rules:
            self.disabled_args = self.disabled_args + "-D " + rule + " "

-        self.detect_counts = self.params.get('detect_counts', '*', default=False)
+        self.detect_counts = self.params.get(
+            'detect_counts', '*', default=False)
        if self.detect_counts == False:
            self.detect_counts = {}
        else:
@@ -145,7 +158,8 @@ class FalcoTest(Test):
                    detect_counts[key] = value
            self.detect_counts = detect_counts

-        self.rules_warning = self.params.get('rules_warning', '*', default=False)
+        self.rules_warning = self.params.get(
+            'rules_warning', '*', default=False)
        if self.rules_warning == False:
            self.rules_warning = set()
        else:
@@ -170,9 +184,11 @@ class FalcoTest(Test):

        self.package = self.params.get('package', '*', default='None')

-        self.addl_docker_run_args = self.params.get('addl_docker_run_args', '*', default='')
+        self.addl_docker_run_args = self.params.get(
+            'addl_docker_run_args', '*', default='')

-        self.copy_local_driver = self.params.get('copy_local_driver', '*', default=False)
+        self.copy_local_driver = self.params.get(
+            'copy_local_driver', '*', default=False)

        # Used by possibly_copy_local_driver as well as docker run
        self.module_dir = os.path.expanduser("~/.falco")
@@ -195,17 +211,60 @@ class FalcoTest(Test):
                        os.makedirs(filedir)
            self.outputs = outputs

+        self.output_strictly_contains = self.params.get(
+            'output_strictly_contains', '*', default='')
+
+        if self.output_strictly_contains == '':
+            self.output_strictly_contains = {}
+        else:
+            output_strictly_contains = []
+            for item in self.output_strictly_contains:
+                for key, value in list(item.items()):
+                    output = {}
+                    output['actual'] = key
+                    output['expected'] = value
+                    output_strictly_contains.append(output)
+                    if not output['actual'] == 'stdout':
+                        # Clean up file from previous tests, if any
+                        if os.path.exists(output['actual']):
+                            os.remove(output['actual'])
+                        # Create the parent directory for the file if it doesn't exist.
+                        filedir = os.path.dirname(output['actual'])
+                        if not os.path.isdir(filedir):
+                            os.makedirs(filedir)
+            self.output_strictly_contains = output_strictly_contains
+
+        self.grpcurl_res = None
+        self.grpc_observer = None
+        self.grpc_address = self.params.get(
+            'address', 'grpc/*', default='/var/run/falco.sock')
+        if self.grpc_address.startswith("unix://"):
+            self.is_grpc_using_unix_socket = True
+            self.grpc_address = self.grpc_address[len("unix://"):]
+        else:
+            self.is_grpc_using_unix_socket = False
+        self.grpc_proto = self.params.get('proto', 'grpc/*', default='')
+        self.grpc_service = self.params.get('service', 'grpc/*', default='')
+        self.grpc_method = self.params.get('method', 'grpc/*', default='')
+        self.grpc_results = self.params.get('results', 'grpc/*', default='')
+        if self.grpc_results == '':
+            self.grpc_results = []
+        else:
+            if type(self.grpc_results) == str:
+                self.grpc_results = [self.grpc_results]
+
        self.disable_tags = self.params.get('disable_tags', '*', default='')

        if self.disable_tags == '':
-            self.disable_tags=[]
+            self.disable_tags = []

        self.run_tags = self.params.get('run_tags', '*', default='')

        if self.run_tags == '':
-            self.run_tags=[]
+            self.run_tags = []

-        self.time_iso_8601 = self.params.get('time_iso_8601', '*', default=False)
+        self.time_iso_8601 = self.params.get(
+            'time_iso_8601', '*', default=False)

    def tearDown(self):
        if self.package != 'None':
@@ -224,7 +283,8 @@ class FalcoTest(Test):
        self.log.debug("Actual warning rules: {}".format(found_warning))

        if found_warning != self.rules_warning:
-            self.fail("Expected rules with warnings {} does not match actual rules with warnings {}".format(self.rules_warning, found_warning))
+            self.fail("Expected rules with warnings {} does not match actual rules with warnings {}".format(
+                self.rules_warning, found_warning))

    def check_rules_events(self, res):

@@ -235,50 +295,60 @@ class FalcoTest(Test):
            events = set(match.group(2).split(","))
            found_events[rule] = events

-        self.log.debug("Expected events for rules: {}".format(self.rules_events))
+        self.log.debug(
+            "Expected events for rules: {}".format(self.rules_events))
        self.log.debug("Actual events for rules: {}".format(found_events))

        for rule in list(found_events.keys()):
            if found_events.get(rule) != self.rules_events.get(rule):
-                self.fail("rule {}: expected events {} differs from actual events {}".format(rule, self.rules_events.get(rule), found_events.get(rule)))
+                self.fail("rule {}: expected events {} differs from actual events {}".format(
+                    rule, self.rules_events.get(rule), found_events.get(rule)))

    def check_detections(self, res):
        # Get the number of events detected.
        match = re.search('Events detected: (\d+)', res.stdout.decode("utf-8"))
        if match is None:
-            self.fail("Could not find a line 'Events detected: <count>' in falco output")
+            self.fail(
+                "Could not find a line 'Events detected: <count>' in falco output")

        events_detected = int(match.group(1))

        if not self.should_detect and events_detected > 0:
-            self.fail("Detected {} events when should have detected none".format(events_detected))
+            self.fail("Detected {} events when should have detected none".format(
+                events_detected))

        if self.should_detect:
            if events_detected == 0:
-                self.fail("Detected {} events when should have detected > 0".format(events_detected))
+                self.fail("Detected {} events when should have detected > 0".format(
+                    events_detected))

            for level in self.detect_level:
                level_line = '(?i){}: (\d+)'.format(level)
                match = re.search(level_line, res.stdout.decode("utf-8"))

                if match is None:
-                    self.fail("Could not find a line '{}: <count>' in falco output".format(level))
+                    self.fail(
+                        "Could not find a line '{}: <count>' in falco output".format(level))

                    events_detected = int(match.group(1))

                    if not events_detected > 0:
-                        self.fail("Detected {} events at level {} when should have detected > 0".format(events_detected, level))
+                        self.fail("Detected {} events at level {} when should have detected > 0".format(
+                            events_detected, level))

    def check_detections_by_rule(self, res):
        # Get the number of events detected for each rule. Must match the expected counts.
-        match = re.search('Triggered rules by rule name:(.*)', res.stdout.decode("utf-8"), re.DOTALL)
+        match = re.search('Triggered rules by rule name:(.*)',
+                          res.stdout.decode("utf-8"), re.DOTALL)
        if match is None:
-            self.fail("Could not find a block 'Triggered rules by rule name: ...' in falco output")
+            self.fail(
+                "Could not find a block 'Triggered rules by rule name: ...' in falco output")

        triggered_rules = match.group(1)

        for rule, count in list(self.detect_counts.items()):
-            expected = '\s{}: (\d+)'.format(re.sub(r'([$\.*+?()[\]{}|^])', r'\\\1', rule))
+            expected = '\s{}: (\d+)'.format(
+                re.sub(r'([$\.*+?()[\]{}|^])', r'\\\1', rule))
            match = re.search(expected, triggered_rules)

            if match is None:
@@ -287,9 +357,11 @@ class FalcoTest(Test):
                actual_count = int(match.group(1))

            if actual_count != count:
-                self.fail("Different counts for rule {}: expected={}, actual={}".format(rule, count, actual_count))
+                self.fail("Different counts for rule {}: expected={}, actual={}".format(
+                    rule, count, actual_count))
            else:
-                self.log.debug("Found expected count for rule {}: {}".format(rule, count))
+                self.log.debug(
+                    "Found expected count for rule {}: {}".format(rule, count))

    def check_outputs(self):
        for output in self.outputs:
@@ -304,7 +376,8 @@ class FalcoTest(Test):
                    found = True

            if found == False:
-                self.fail("Could not find a line '{}' in file '{}'".format(output['line'], output['file']))
+                self.fail("Could not find a line '{}' in file '{}'".format(
+                    output['line'], output['file']))

        return True

@@ -321,7 +394,27 @@ class FalcoTest(Test):
                        attrs = ['time', 'rule', 'priority']
                    for attr in attrs:
                        if not attr in obj:
-                            self.fail("Falco JSON object {} does not contain property \"{}\"".format(line, attr))
+                            self.fail(
+                                "Falco JSON object {} does not contain property \"{}\"".format(line, attr))
+
+    def check_output_strictly_contains(self, res):
+        for output in self.output_strictly_contains:
+            # Read the expected output (from a file) and actual output (either from a file or the stdout),
+            # then check if the actual one strictly contains the expected one.
+
+            expected = open(output['expected']).read()
+
+            if output['actual'] == 'stdout':
+                actual = res.stdout.decode("utf-8")
+            else:
+                actual = open(output['actual']).read()
+
+            if expected not in actual:
+                self.fail("Output '{}' does not strictly contains the expected content '{}'".format(
+                    output['actual'], output['expected']))
+                return False
+
+        return True

    def install_package(self):

@@ -340,35 +433,39 @@ class FalcoTest(Test):
                                         self.module_dir, self.addl_docker_run_args, image)

        elif self.package.endswith(".deb"):
-            self.falco_binary_path = '/usr/bin/falco';
+            self.falco_binary_path = '/usr/bin/falco'

            package_glob = "{}/{}".format(self.falcodir, self.package)

            matches = glob.glob(package_glob)

            if len(matches) != 1:
-                self.fail("Package path {} did not match exactly 1 file. Instead it matched: {}", package_glob, ",".join(matches))
+                self.fail("Package path {} did not match exactly 1 file. Instead it matched: {}",
+                          package_glob, ",".join(matches))

            package_path = matches[0]

            cmdline = "dpkg -i {}".format(package_path)
-            self.log.debug("Installing debian package via \"{}\"".format(cmdline))
+            self.log.debug(
+                "Installing debian package via \"{}\"".format(cmdline))
            res = process.run(cmdline, timeout=120, sudo=True)

        elif self.package.endswith(".rpm"):
-            self.falco_binary_path = '/usr/bin/falco';
+            self.falco_binary_path = '/usr/bin/falco'

            package_glob = "{}/{}".format(self.falcodir, self.package)

            matches = glob.glob(package_glob)

            if len(matches) != 1:
-                self.fail("Package path {} did not match exactly 1 file. Instead it matched: {}", package_glob, ",".join(matches))
+                self.fail("Package path {} did not match exactly 1 file. Instead it matched: {}",
+                          package_glob, ",".join(matches))

            package_path = matches[0]

            cmdline = "rpm -i --nodeps --noscripts {}".format(package_path)
-            self.log.debug("Installing centos package via \"{}\"".format(cmdline))
+            self.log.debug(
+                "Installing centos package via \"{}\"".format(cmdline))
            res = process.run(cmdline, timeout=120, sudo=True)

    def uninstall_package(self):
@@ -378,25 +475,29 @@ class FalcoTest(Test):

        elif self.package.endswith(".rpm"):
            cmdline = "rpm -e --noscripts --nodeps falco"
-            self.log.debug("Uninstalling centos package via \"{}\"".format(cmdline))
+            self.log.debug(
+                "Uninstalling centos package via \"{}\"".format(cmdline))
            res = process.run(cmdline, timeout=120, sudo=True)

        elif self.package.endswith(".deb"):
            cmdline = "dpkg --purge falco"
-            self.log.debug("Uninstalling debian package via \"{}\"".format(cmdline))
+            self.log.debug(
+                "Uninstalling debian package via \"{}\"".format(cmdline))
            res = process.run(cmdline, timeout=120, sudo=True)

    def possibly_copy_driver(self):
        # Remove the contents of ~/.falco regardless of copy_local_driver.
        self.log.debug("Checking for module dir {}".format(self.module_dir))
        if os.path.isdir(self.module_dir):
-            self.log.info("Removing files below directory {}".format(self.module_dir))
+            self.log.info(
+                "Removing files below directory {}".format(self.module_dir))
            for rmfile in glob.glob(self.module_dir + "/*"):
                self.log.debug("Removing file {}".format(rmfile))
                os.remove(rmfile)

        if self.copy_local_driver:
-            verlines = [str.strip() for str in subprocess.check_output([self.falco_binary_path, "--version"]).splitlines()]
+            verlines = [str.strip() for str in subprocess.check_output(
+                [self.falco_binary_path, "--version"]).splitlines()]
            verstr = verlines[0].decode("utf-8")
            self.log.info("verstr {}".format(verstr))
            falco_version = verstr.split(" ")[2]
@@ -408,22 +509,70 @@ class FalcoTest(Test):

            # falco-driver-loader has a more comprehensive set of ways to
            # find the config hash. We only look at /boot/config-<kernel release>
-            md5_output = subprocess.check_output(["md5sum", "/boot/config-{}".format(kernel_release)]).rstrip()
+            md5_output = subprocess.check_output(
+                ["md5sum", "/boot/config-{}".format(kernel_release)]).rstrip()
            config_hash = md5_output.split(" ")[0]

-            probe_filename = "falco-{}-{}-{}-{}.ko".format(falco_version, arch, kernel_release, config_hash)
+            probe_filename = "falco-{}-{}-{}-{}.ko".format(
+                falco_version, arch, kernel_release, config_hash)
            driver_path = os.path.join(self.falcodir, "driver", "falco.ko")
            module_path = os.path.join(self.module_dir, probe_filename)
            self.log.debug("Copying {} to {}".format(driver_path, module_path))
            shutil.copyfile(driver_path, module_path)

+    def init_grpc_handler(self):
+        self.grpcurl_res = None
+        if len(self.grpc_results) > 0:
+            if not self.is_grpc_using_unix_socket:
+                self.fail("This test suite supports gRPC with unix socket only")
+
+            cmdline = "grpcurl -format text -import-path ../userspace/falco " \
+                "-proto {} -plaintext -unix {} " \
+                "{}/{}".format(self.grpc_proto, self.grpc_address,
+                               self.grpc_service, self.grpc_method)
+            that = self
+
+            class GRPCUnixSocketEventHandler(PatternMatchingEventHandler):
+                def on_created(self, event):
+                    # that.log.info("EVENT: {}", event)
+                    that.grpcurl_res = process.run(cmdline)
+
+            path = os.path.dirname(self.grpc_address)
+            process.run("mkdir -p {}".format(path))
+            event_handler = GRPCUnixSocketEventHandler(patterns=['*'],
+                                                       ignore_directories=True)
+            self.grpc_observer = Observer()
+            self.grpc_observer.schedule(event_handler, path, recursive=False)
+            self.grpc_observer.start()
+
+    def check_grpc(self):
+        if self.grpc_observer is not None:
+            self.grpc_observer.stop()
+            self.grpc_observer = None
+            if self.grpcurl_res is None:
+                self.fail("gRPC responses not found")
+
+            for exp_result in self.grpc_results:
+                found = False
+                for line in self.grpcurl_res.stdout.decode("utf-8").splitlines():
+                    if exp_result in line:
+                        found = True
+                        break
+
+                if found == False:
+                    self.fail(
+                        "Could not find a line with '{}' in gRPC responses (protobuf text".format(exp_result))
+
    def test(self):
        self.log.info("Trace file %s", self.trace_file)

-        self.falco_binary_path = '{}/userspace/falco/falco'.format(self.falcodir)
+        self.falco_binary_path = '{}/userspace/falco/falco'.format(
+            self.falcodir)

        self.possibly_copy_driver()

+        self.init_grpc_handler()
+
        if self.package != 'None':
            # This sets falco_binary_path as a side-effect.
            self.install_package()
@@ -437,9 +586,11 @@ class FalcoTest(Test):
        if self.psp_file != "":

            if not os.path.isfile(self.psp_conv_path):
-                self.log.info("Downloading {} to {}".format(self.psp_conv_url, self.psp_conv_path))
+                self.log.info("Downloading {} to {}".format(
+                    self.psp_conv_url, self.psp_conv_path))

-                urllib.request.urlretrieve(self.psp_conv_url, self.psp_conv_path)
+                urllib.request.urlretrieve(
+                    self.psp_conv_url, self.psp_conv_path)
                os.chmod(self.psp_conv_path, stat.S_IEXEC)

            conv_cmd = '{} convert psp --psp-path {} --rules-path {}'.format(
@@ -457,7 +608,6 @@ class FalcoTest(Test):
                psp_rules = myfile.read()
                self.log.debug("Converted Rules: {}".format(psp_rules))

-
        # Run falco
        cmd = '{} {} {} -c {} {} -o json_output={} -o json_include_output_property={} -o priority={} -v'.format(
            self.falco_binary_path, self.rules_args, self.disabled_args, self.conf_file, trace_arg, self.json_output, self.json_include_output_property, self.priority)
@@ -493,22 +643,26 @@ class FalcoTest(Test):
        for pattern in self.stderr_contains:
            match = re.search(pattern, res.stderr.decode("utf-8"))
            if match is None:
-                self.fail("Stderr of falco process did not contain content matching {}".format(pattern))
+                self.fail(
+                    "Stderr of falco process did not contain content matching {}".format(pattern))

        for pattern in self.stdout_contains:
            match = re.search(pattern, res.stdout.decode("utf-8"))
            if match is None:
-                self.fail("Stdout of falco process '{}' did not contain content matching {}".format(res.stdout.decode("utf-8"), pattern))
+                self.fail("Stdout of falco process '{}' did not contain content matching {}".format(
+                    res.stdout.decode("utf-8"), pattern))

        for pattern in self.stderr_not_contains:
            match = re.search(pattern, res.stderr.decode("utf-8"))
            if match is not None:
-                self.fail("Stderr of falco process contained content matching {} when it should have not".format(pattern))
+                self.fail(
+                    "Stderr of falco process contained content matching {} when it should have not".format(pattern))

        for pattern in self.stdout_not_contains:
            match = re.search(pattern, res.stdout.decode("utf-8"))
            if match is not None:
-                self.fail("Stdout of falco process '{}' did contain content matching {} when it should have not".format(res.stdout.decode("utf-8"), pattern))
+                self.fail("Stdout of falco process '{}' did contain content matching {} when it should have not".format(
+                    res.stdout.decode("utf-8"), pattern))

        if res.exit_status != self.exit_status:
            self.error("Falco command \"{}\" exited with unexpected return value {} (!= {})".format(
@@ -526,6 +680,8 @@ class FalcoTest(Test):
            self.check_detections_by_rule(res)
        self.check_json_output(res)
        self.check_outputs()
+        self.check_output_strictly_contains(res)
+        self.check_grpc()
        pass


--- a/test/falco_tests.yaml
+++ b/test/falco_tests.yaml
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2016-2018 The Falco Authors..
+# Copyright (C) 2020 The Falco Authors.
 #
 # This file is part of falco.
 #
@@ -652,25 +652,79 @@ trace_files: !mux
    trace_file: trace_files/cat_write.scap
    stdout_contains: "Warning An open was seen .cport=<NA> command=cat /dev/null."

-  file_output:
+  stdout_output_strict:
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/single_rule.yaml
+    conf_file: confs/stdout_output.yaml
+    trace_file: trace_files/cat_write.scap
+    time_iso_8601: true
+    output_strictly_contains:
+      - stdout: output_files/single_rule_with_cat_write.txt
+
+  stdout_output_json_strict:
+    json_output: True
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/single_rule.yaml
+    conf_file: confs/stdout_output.yaml
+    trace_file: trace_files/cat_write.scap
+    time_iso_8601: true
+    output_strictly_contains:
+      - stdout: output_files/single_rule_with_cat_write.json
+
+  file_output_strict:
    detect: True
    detect_level: WARNING
    rules_file:
      - rules/single_rule.yaml
    conf_file: confs/file_output.yaml
    trace_file: trace_files/cat_write.scap
-    outputs:
-      - /tmp/falco_outputs/file_output.txt: Warning An open was seen
+    time_iso_8601: true
+    output_strictly_contains:
+      - /tmp/falco_outputs/file_output.txt: output_files/single_rule_with_cat_write.txt

-  program_output:
+  program_output_strict:
    detect: True
    detect_level: WARNING
    rules_file:
      - rules/single_rule.yaml
    conf_file: confs/program_output.yaml
    trace_file: trace_files/cat_write.scap
-    outputs:
-      - /tmp/falco_outputs/program_output.txt: Warning An open was seen
+    time_iso_8601: true
+    output_strictly_contains:
+      - /tmp/falco_outputs/program_output.txt: output_files/single_rule_with_cat_write.txt
+
+  grpc_unix_socket_outputs:
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/single_rule.yaml
+    conf_file: confs/grpc_unix_socket.yaml
+    trace_file: trace_files/cat_write.scap
+    run_duration: 5
+    time_iso_8601: true
+    grpc:
+      address: unix:///tmp/falco/falco.sock
+      proto: outputs.proto
+      service: falco.outputs.service
+      method: get
+      # protobuf text format
+      results:
+        - "seconds:1470327477 nanos:881781397"
+        - "priority: WARNING"
+        - "rule: \"open_from_cat\""
+        - "output: \"2016-08-04T16:17:57.881781397+0000: Warning An open was seen (command=cat /dev/null)\""
+        # output fields
+        - "key: \"evt.time.iso8601\""
+        - "value: \"2016-08-04T16:17:57.881781397+0000\""
+        - "key: \"proc.cmdline\""
+        - "value: \"cat /dev/null\""
+        # For the hostname, since we don't know that beforehand,
+        # only check the field presence
+        - "hostname: "

  detect_counts:
    detect: True
--- a/test/falco_traces.yaml.in
+++ b/test/falco_traces.yaml.in
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
--- a/test/output_files/single_rule_with_cat_write.json
+++ b/test/output_files/single_rule_with_cat_write.json
@@ -0,0 +1,8 @@
+{"output":"2016-08-04T16:17:57.881781397+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881781397Z", "output_fields": {"evt.time.iso8601":1470327477881781397,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.881785348+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881785348Z", "output_fields": {"evt.time.iso8601":1470327477881785348,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.881796705+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881796705Z", "output_fields": {"evt.time.iso8601":1470327477881796705,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.881799840+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881799840Z", "output_fields": {"evt.time.iso8601":1470327477881799840,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.882003104+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882003104Z", "output_fields": {"evt.time.iso8601":1470327477882003104,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.882008208+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882008208Z", "output_fields": {"evt.time.iso8601":1470327477882008208,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.882045694+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882045694Z", "output_fields": {"evt.time.iso8601":1470327477882045694,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.882054739+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882054739Z", "output_fields": {"evt.time.iso8601":1470327477882054739,"proc.cmdline":"cat /dev/null"}}
--- a/test/output_files/single_rule_with_cat_write.txt
+++ b/test/output_files/single_rule_with_cat_write.txt
@@ -0,0 +1,8 @@
+2016-08-04T16:17:57.881781397+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.881785348+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.881796705+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.881799840+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.882003104+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.882008208+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.882045694+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.882054739+0000: Warning An open was seen (command=cat /dev/null)
--- a/test/requirements.txt
+++ b/test/requirements.txt
@@ -0,0 +1,13 @@
+avocado-framework==69.0
+avocado-framework-plugin-varianter-yaml-to-mux==69.0
+certifi==2020.4.5.1
+chardet==3.0.4
+idna==2.9
+pathtools==0.1.2
+pbr==5.4.5
+PyYAML==5.3.1
+requests==2.23.0
+six==1.14.0
+stevedore==1.32.0
+urllib3==1.25.9
+watchdog==0.10.2
--- a/test/rules/detect_connect_using_in.yaml
+++ b/test/rules/detect_connect_using_in.yaml
@@ -18,5 +18,5 @@
  desc: Detect any connect to the localhost network, using fd.net and the in operator
  condition: evt.type=connect and fd.net in ("127.0.0.1/24")
  output: Program connected to localhost network
-    (user=%user.name command=%proc.cmdline connection=%fd.name)
+    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name)
  priority: INFO
--- a/test/run_regression_tests.sh
+++ b/test/run_regression_tests.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -18,45 +18,53 @@
 set -euo pipefail

 SCRIPT=$(readlink -f $0)
-SCRIPTDIR=$(dirname $SCRIPT)
-BUILD_DIR=$1
-BRANCH=${2:-none}
+SCRIPTDIR=$(dirname "$SCRIPT")
+SKIP_PACKAGES_TESTS=${SKIP_PACKAGES_TESTS:-false}

-TRACE_DIR=$BUILD_DIR/test
-
-mkdir -p $TRACE_DIR
+# Trace file tarballs are now versioned. Any time a substantial change
+# is made that affects the interaction of rules+engine and the trace
+# files here, upload a new trace file zip file and change the version
+# suffix here.
+TRACE_FILES_VERSION=20200831

 function download_trace_files() {
-    echo "branch=$BRANCH"
    for TRACE in traces-positive traces-negative traces-info ; do
-	if [ ! -e $TRACE_DIR/$TRACE ]; then
-	    if [ $BRANCH != "none" ]; then
-		curl -fso $TRACE_DIR/$TRACE.zip https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE-$BRANCH.zip
-	    else
-		curl -fso $TRACE_DIR/$TRACE.zip https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE.zip
-	    fi
-	    unzip -d $TRACE_DIR $TRACE_DIR/$TRACE.zip
-	    rm -rf $TRACE_DIR/$TRACE.zip
-	fi
+    if [ ! -e "$TRACE_DIR/$TRACE" ]; then
+        if [ "$OPT_BRANCH" != "none" ]; then
+        curl -fso "$TRACE_DIR/$TRACE.zip" https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE-$OPT_BRANCH.zip
+        else
+        curl -fso "$TRACE_DIR/$TRACE.zip" https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE-$TRACE_FILES_VERSION.zip
+        fi
+        unzip -d "$TRACE_DIR" "$TRACE_DIR/$TRACE.zip"
+        rm -rf "$TRACE_DIR/$TRACE.zip"
+    else
+        if ${OPT_VERBOSE}; then
+            echo "Trace directory $TRACE_DIR/$TRACE already exist: skipping"
+        fi
+    fi
    done
 }

 function prepare_multiplex_fileset() {
-
    dir=$1
    detect=$2

-    for trace in $TRACE_DIR/$dir/*.scap ; do
-	[ -e "$trace" ] || continue
-	NAME=`basename $trace .scap`
+    for trace in "$TRACE_DIR/$dir"/*.scap ; do
+        [ -e "$trace" ] || continue
+        NAME=$(basename "$trace" .scap)

-	# falco_traces.yaml might already have an entry for this trace
-	# file, with specific detection levels and counts. If so, skip
-	# it. Otherwise, add a generic entry showing whether or not to
-	# detect anything.
-	grep -q "$NAME:" $SCRIPTDIR/falco_traces.yaml && continue
+        # falco_traces.yaml might already have an entry for this trace file, with specific detection levels and counts.
+        # If so, skip it.
+        # Otherwise, add a generic entry showing whether or not to detect anything.
+        if grep -q "$NAME:" "$SCRIPTDIR/falco_traces.yaml"; then
+            if ${OPT_VERBOSE}; then
+                echo "Entry $NAME already exist: skipping"
+            fi
+            continue
+        fi
+
+        cat << EOF >> "$SCRIPTDIR/falco_traces.yaml"

-	cat << EOF >> $SCRIPTDIR/falco_traces.yaml
  $NAME:
    detect: $detect
    detect_level: WARNING
@@ -66,41 +74,102 @@ EOF
 }

 function prepare_multiplex_file() {
-    cp $SCRIPTDIR/falco_traces.yaml.in $SCRIPTDIR/falco_traces.yaml
+    /bin/cp -f "$SCRIPTDIR/falco_traces.yaml.in" "$SCRIPTDIR/falco_traces.yaml"

    prepare_multiplex_fileset traces-positive True
    prepare_multiplex_fileset traces-negative False
    prepare_multiplex_fileset traces-info True

-    echo "Contents of $SCRIPTDIR/falco_traces.yaml:"
-    cat $SCRIPTDIR/falco_traces.yaml
+    if ${OPT_VERBOSE}; then
+        echo "Contents of $SCRIPTDIR/falco_traces.yaml"
+        cat "$SCRIPTDIR/falco_traces.yaml"
+    fi
 }

 function print_test_failure_details() {
    echo "Showing full job logs for any tests that failed:"
-    jq '.tests[] | select(.status != "PASS") | .logfile' $SCRIPTDIR/job-results/latest/results.json  | xargs cat
+    jq '.tests[] | select(.status != "PASS") | .logfile' "$SCRIPTDIR/job-results/latest/results.json" | xargs cat
 }

 function run_tests() {
    rm -rf /tmp/falco_outputs
    mkdir /tmp/falco_outputs
-    # If we got this far, we can undo set -e, as we're watching the
-    # return status when running avocado.
+    # If we got this far, we can undo set -e,
+    # as we're watching the return status when running avocado.
    set +e
    TEST_RC=0
-    for mult in $SCRIPTDIR/falco_traces.yaml $SCRIPTDIR/falco_tests.yaml $SCRIPTDIR/falco_tests_package.yaml $SCRIPTDIR/falco_k8s_audit_tests.yaml $SCRIPTDIR/falco_tests_psp.yaml; do
-	CMD="avocado run --mux-yaml $mult --job-results-dir $SCRIPTDIR/job-results -- $SCRIPTDIR/falco_test.py"
-	echo "Running: $CMD"
-	BUILD_DIR=${BUILD_DIR} $CMD
-	RC=$?
-	TEST_RC=$((TEST_RC+$RC))
-	if [ $RC -ne 0 ]; then
-	    print_test_failure_details
-	fi
+    suites=($SCRIPTDIR/falco_traces.yaml $SCRIPTDIR/falco_tests.yaml $SCRIPTDIR/falco_k8s_audit_tests.yaml $SCRIPTDIR/falco_tests_psp.yaml)
+
+    if [ "$SKIP_PACKAGES_TESTS" = false ] ; then
+        suites+=($SCRIPTDIR/falco_tests_package.yaml)
+    fi
+    
+    for mult in "${suites[@]}"; do
+        CMD="avocado run --mux-yaml $mult --job-results-dir $SCRIPTDIR/job-results -- $SCRIPTDIR/falco_test.py"
+        echo "Running $CMD"
+        BUILD_DIR=${OPT_BUILD_DIR} $CMD
+        RC=$?
+        TEST_RC=$((TEST_RC+RC))
+        if [ $RC -ne 0 ]; then
+            print_test_failure_details
+        fi
    done
 }

+OPT_ONLY_PREPARE="false"
+OPT_VERBOSE="false"
+OPT_BUILD_DIR="$(dirname "$SCRIPTDIR")/build"
+OPT_BRANCH="none"
+while getopts ':p :h :v :b: :d:' 'OPTKEY'; do
+    case ${OPTKEY} in
+        'p')
+            OPT_ONLY_PREPARE="true"
+            ;;
+        'h')
+            /bin/bash usage
+            exit 0
+            ;;
+        'v')
+            OPT_VERBOSE="true"
+            ;;
+        'd')
+            OPT_BUILD_DIR=${OPTARG}
+            ;;
+        'b')
+            OPT_BRANCH=${OPTARG}
+            ;;
+        '?')
+            echo "Invalid option: ${OPTARG}." >&2
+            /bin/bash usage
+            exit 1
+            ;;
+        ':')
+            echo "Missing argument for option: ${OPTARG}." >&2
+            /bin/bash usage
+            exit 1
+            ;;
+        *)
+            echo "Unimplemented option: ${OPTKEY}." >&2
+            /bin/bash usage
+            exit 1
+            ;;
+        esac
+done
+
+TRACE_DIR=$OPT_BUILD_DIR/test
+
+if ${OPT_VERBOSE}; then
+    echo "Build directory = $OPT_BUILD_DIR"
+    echo "Trace directory = $TRACE_DIR"
+    echo "Custom branch   = $OPT_BRANCH"
+fi
+
+mkdir -p "$TRACE_DIR"
+
 download_trace_files
 prepare_multiplex_file
-run_tests
-exit $TEST_RC
+
+if ! ${OPT_ONLY_PREPARE}; then
+    run_tests
+    exit $TEST_RC
+fi
--- a/test/trace_files/CMakeLists.txt
+++ b/test/trace_files/CMakeLists.txt
@@ -1,5 +1,6 @@
 add_subdirectory(k8s_audit)
 add_subdirectory(psp)
+
 # Note: list of traces is created at cmake time, not build time
 file(GLOB test_trace_files
 	"${CMAKE_CURRENT_SOURCE_DIR}/*.scap")
@@ -11,4 +12,8 @@ foreach(trace_file_path ${test_trace_files})
 	add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
 		COMMAND ${CMAKE_COMMAND} -E copy ${trace_file_path} ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
 		DEPENDS ${trace_file_path})
+	list(APPEND BASE_SCAP_TRACE_FILES_TARGETS test-trace-${trace_file})
 endforeach()
+
+add_custom_target(trace-files-base-scap ALL)
+add_dependencies(trace-files-base-scap ${BASE_SCAP_TRACE_FILES_TARGETS})
--- a/test/trace_files/k8s_audit/CMakeLists.txt
+++ b/test/trace_files/k8s_audit/CMakeLists.txt
@@ -9,4 +9,8 @@ foreach(trace_file_path ${test_trace_files})
 	add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
 		COMMAND ${CMAKE_COMMAND} -E copy ${trace_file_path} ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
 		DEPENDS ${trace_file_path})
+	list(APPEND K8S_AUDIT_TRACE_FILES_TARGETS test-trace-${trace_file})
 endforeach()
+
+add_custom_target(trace-files-k8s-audit ALL)
+add_dependencies(trace-files-k8s-audit ${K8S_AUDIT_TRACE_FILES_TARGETS})
--- a/test/trace_files/psp/CMakeLists.txt
+++ b/test/trace_files/psp/CMakeLists.txt
@@ -10,4 +10,8 @@ foreach(trace_file_path ${test_trace_files})
 	add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
 		COMMAND ${CMAKE_COMMAND} -E copy ${trace_file_path} ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
 		DEPENDS ${trace_file_path})
+	list(APPEND PSP_TRACE_FILES_TARGETS test-trace-${trace_file})
 endforeach()
+
+add_custom_target(trace-files-psp ALL)
+add_dependencies(trace-files-psp ${PSP_TRACE_FILES_TARGETS})
--- a/test/usage
+++ b/test/usage
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+cat <<EOF
+Hello, this is Falco integration tests runner.
+
+SYNOPSIS
+
+    bash run_regression_tests.sh [-h] [-v] [-p] [-d=<build directory>] [-b=<custom branch>]
+
+DESCRIPTION
+
+    -h                      Display usage instructions
+    -v                      Verbose output
+    -p                      Prepare the falco_traces integration test suite
+    -b=CUSTOM_BRANCH        Specify a custom branch for downloading falco_traces fixtures (defaults to "none")
+    -d=BUILD_DIRECTORY      Specify the build directory where Falco has been built (defaults to $SCRIPTDIR/../build)
+EOF
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -14,7 +14,11 @@
 # License for the specific language governing permissions and limitations under
 # the License.
 #
-set(FALCO_TESTS_SOURCES test_base.cpp engine/test_token_bucket.cpp engine/test_rulesets.cpp falco/test_webserver.cpp)
+if(MINIMAL_BUILD)
+  set(FALCO_TESTS_SOURCES test_base.cpp engine/test_token_bucket.cpp engine/test_rulesets.cpp engine/test_falco_utils.cpp)
+else()
+  set(FALCO_TESTS_SOURCES test_base.cpp engine/test_token_bucket.cpp engine/test_rulesets.cpp engine/test_falco_utils.cpp falco/test_webserver.cpp)
+endif()

 set(FALCO_TESTED_LIBRARIES falco_engine)

@@ -35,14 +39,25 @@ if(FALCO_BUILD_TESTS)
  add_executable(falco_test ${FALCO_TESTS_SOURCES})

  target_link_libraries(falco_test PUBLIC ${FALCO_TESTED_LIBRARIES})
-  target_include_directories(
-    falco_test
-    PUBLIC "${CATCH2_INCLUDE}"
-           "${FAKEIT_INCLUDE}"
-           "${PROJECT_SOURCE_DIR}/userspace/engine"
-           "${YAMLCPP_INCLUDE_DIR}"
-           "${CIVETWEB_INCLUDE_DIR}"
-           "${PROJECT_SOURCE_DIR}/userspace/falco")
+
+  if(MINIMAL_BUILD)
+    target_include_directories(
+      falco_test
+      PUBLIC "${CATCH2_INCLUDE}"
+            "${FAKEIT_INCLUDE}"
+            "${PROJECT_SOURCE_DIR}/userspace/engine"
+            "${YAMLCPP_INCLUDE_DIR}"
+            "${PROJECT_SOURCE_DIR}/userspace/falco")
+  else()
+    target_include_directories(
+      falco_test
+      PUBLIC "${CATCH2_INCLUDE}"
+            "${FAKEIT_INCLUDE}"
+            "${PROJECT_SOURCE_DIR}/userspace/engine"
+            "${YAMLCPP_INCLUDE_DIR}"
+            "${CIVETWEB_INCLUDE_DIR}"
+            "${PROJECT_SOURCE_DIR}/userspace/falco")
+  endif()
  add_dependencies(falco_test catch2)

  include(CMakeParseArguments)
--- a/tests/engine/test_falco_utils.cpp
+++ b/tests/engine/test_falco_utils.cpp
@@ -0,0 +1,53 @@
+/*
+Copyright (C) 2020 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+#include "falco_utils.h"
+#include <nonstd/string_view.hpp>
+#include <catch.hpp>
+
+TEST_CASE("is_unix_scheme matches", "[utils]")
+{
+	SECTION("rvalue")
+	{
+		bool res = falco::utils::network::is_unix_scheme("unix:///var/run/falco.sock");
+		REQUIRE(res);
+	}
+
+	SECTION("std::string")
+	{
+		std::string url("unix:///var/run/falco.sock");
+		bool res = falco::utils::network::is_unix_scheme(url);
+		REQUIRE(res);
+	}
+
+	SECTION("char[]")
+	{
+		char url[] = "unix:///var/run/falco.sock";
+		bool res = falco::utils::network::is_unix_scheme(url);
+		REQUIRE(res);
+	}
+}
+
+TEST_CASE("is_unix_scheme does not match", "[utils]")
+{
+	bool res = falco::utils::network::is_unix_scheme("something:///var/run/falco.sock");
+	REQUIRE_FALSE(res);
+}
+
+TEST_CASE("is_unix_scheme only matches scheme at the start of the string", "[utils]")
+{
+	bool res = falco::utils::network::is_unix_scheme("/var/run/unix:///falco.sock");
+	REQUIRE_FALSE(res);
+}
--- a/userspace/engine/CMakeLists.txt
+++ b/userspace/engine/CMakeLists.txt
@@ -21,22 +21,48 @@ set(FALCO_ENGINE_SOURCE_FILES
    formats.cpp)

 add_library(falco_engine STATIC ${FALCO_ENGINE_SOURCE_FILES})
-add_dependencies(falco_engine njson lyaml lpeg)
+add_dependencies(falco_engine njson lyaml lpeg string-view-lite)

-target_include_directories(
-  falco_engine
-  PUBLIC
-    "${LUAJIT_INCLUDE}"
-    "${NJSON_INCLUDE}"
-    "${CURL_INCLUDE_DIR}"
-    "${TBB_INCLUDE_DIR}"
-    "${SYSDIG_SOURCE_DIR}/userspace/libsinsp/third-party/jsoncpp"
-    "${SYSDIG_SOURCE_DIR}/userspace/libscap"
-    "${SYSDIG_SOURCE_DIR}/userspace/libsinsp"
-    "${PROJECT_BINARY_DIR}/userspace/engine")
+if(USE_BUNDLED_DEPS)
+  add_dependencies(falco_engine libyaml)
+endif()
+
+if(MINIMAL_BUILD)
+  target_include_directories(
+    falco_engine
+    PUBLIC
+      "${LUAJIT_INCLUDE}"
+      "${NJSON_INCLUDE}"
+      "${TBB_INCLUDE_DIR}"
+      "${STRING_VIEW_LITE_INCLUDE}"
+      "${SYSDIG_SOURCE_DIR}/userspace/libsinsp/third-party/jsoncpp"
+      "${SYSDIG_SOURCE_DIR}/userspace/libscap"
+      "${SYSDIG_SOURCE_DIR}/userspace/libsinsp"
+      "${PROJECT_BINARY_DIR}/userspace/engine"
+      "${PROJECT_SOURCE_DIR}/userspace/libhawk")
+else()
+  target_include_directories(
+    falco_engine
+    PUBLIC
+      "${LUAJIT_INCLUDE}"
+      "${NJSON_INCLUDE}"
+      "${CURL_INCLUDE_DIR}"
+      "${TBB_INCLUDE_DIR}"
+      "${STRING_VIEW_LITE_INCLUDE}"
+      "${SYSDIG_SOURCE_DIR}/userspace/libsinsp/third-party/jsoncpp"
+      "${SYSDIG_SOURCE_DIR}/userspace/libscap"
+      "${SYSDIG_SOURCE_DIR}/userspace/libsinsp"
+      "${PROJECT_BINARY_DIR}/userspace/engine"
+      "${PROJECT_SOURCE_DIR}/userspace/libhawk")
+endif()

 target_link_libraries(falco_engine "${FALCO_SINSP_LIBRARY}" "${LPEG_LIB}" "${LYAML_LIB}" "${LIBYAML_LIB}")

+if(DEFINED LIBHAWK_LIBRARIES)
+  message(STATUS "Using externally provided libhawk implementations: ${LIBHAWK_LIBRARIES}")
+  target_link_libraries(falco_engine ${LIBHAWK_LIBRARIES})
+endif()
+
 configure_file(config_falco_engine.h.in config_falco_engine.h)

 if(DEFINED FALCO_COMPONENT)
--- a/userspace/engine/falco_engine.cpp
+++ b/userspace/engine/falco_engine.cpp
@@ -26,7 +26,8 @@ limitations under the License.

 #include "formats.h"

-extern "C" {
+extern "C"
+{
 #include "lpeg.h"
 #include "lyaml.h"
 }
@@ -34,7 +35,6 @@ extern "C" {
 #include "utils.h"
 #include "banned.h" // This raises a compilation error when certain functions are used

-
 string lua_on_event = "on_event";
 string lua_print_stats = "print_stats";

@@ -42,24 +42,24 @@ using namespace std;

 nlohmann::json::json_pointer falco_engine::k8s_audit_time = "/stageTimestamp"_json_pointer;

-falco_engine::falco_engine(bool seed_rng, const std::string& alternate_lua_dir)
-	: m_rules(NULL), m_next_ruleset_id(0),
-	  m_min_priority(falco_common::PRIORITY_DEBUG),
-	  m_sampling_ratio(1), m_sampling_multiplier(0),
-	  m_replace_container_info(false)
+falco_engine::falco_engine(bool seed_rng, const std::string &alternate_lua_dir):
+	m_rules(NULL), m_next_ruleset_id(0),
+	m_min_priority(falco_common::PRIORITY_DEBUG),
+	m_sampling_ratio(1), m_sampling_multiplier(0),
+	m_replace_container_info(false)
 {
 	luaopen_lpeg(m_ls);
 	luaopen_yaml(m_ls);

+	m_alternate_lua_dir = alternate_lua_dir;
 	falco_common::init(m_lua_main_filename.c_str(), alternate_lua_dir.c_str());
 	falco_rules::init(m_ls);

-	m_sinsp_rules.reset(new falco_sinsp_ruleset());
-	m_k8s_audit_rules.reset(new falco_ruleset());
+	clear_filters();

 	if(seed_rng)
 	{
-		srandom((unsigned) getpid());
+		srandom((unsigned)getpid());
 	}

 	m_default_ruleset_id = find_ruleset_id(m_default_ruleset);
@@ -70,15 +70,24 @@ falco_engine::falco_engine(bool seed_rng, const std::string& alternate_lua_dir)

 falco_engine::~falco_engine()
 {
-	if (m_rules)
+	if(m_rules)
 	{
 		delete m_rules;
 	}
 }

+falco_engine *falco_engine::clone()
+{
+	auto engine = new falco_engine(true, m_alternate_lua_dir);
+	engine->set_inspector(m_inspector);
+	engine->set_extra(m_extra, m_replace_container_info);
+	engine->set_min_priority(m_min_priority);
+	return engine;
+}
+
 uint32_t falco_engine::engine_version()
 {
-	return (uint32_t) FALCO_ENGINE_VERSION;
+	return (uint32_t)FALCO_ENGINE_VERSION;
 }

 #define DESCRIPTION_TEXT_START 16
@@ -144,17 +153,28 @@ void falco_engine::list_fields(bool names_only)
 	}
 }

-void falco_engine::load_rules(const string &rules_content, bool verbose, bool all_events)
+void falco_engine::load_rules_file(const string &rules_filename, bool verbose, bool all_events)
 {
-	uint64_t dummy;
+	ifstream is;

-	return load_rules(rules_content, verbose, all_events, dummy);
+	is.open(rules_filename);
+	if(!is.is_open())
+	{
+		throw falco_exception("Could not open rules filename " +
+				      rules_filename + " " +
+				      "for reading");
+	}
+
+	string rules_content((istreambuf_iterator<char>(is)),
+			     istreambuf_iterator<char>());
+
+	load_rules(rules_content, verbose, all_events);
 }

-void falco_engine::load_rules(const string &rules_content, bool verbose, bool all_events, uint64_t &required_engine_version)
+void falco_engine::load_rules(const string &rules_content, bool verbose, bool all_events)
 {
 	// The engine must have been given an inspector by now.
-	if(! m_inspector)
+	if(!m_inspector)
 	{
 		throw falco_exception("No inspector provided");
 	}
@@ -166,46 +186,52 @@ void falco_engine::load_rules(const string &rules_content, bool verbose, bool al

 	if(!m_rules)
 	{
-		m_rules = new falco_rules(m_inspector,
-					  this,
-					  m_ls);
+		// Note that falco_formats is added to the lua state used by the falco engine only.
+		// Within the engine, only formats.
+		// Formatter is used, so we can unconditionally set json_output to false.
+		bool json_output = false;
+		bool json_include_output_property = false;
+		falco_formats::init(m_inspector, this, m_ls, json_output, json_include_output_property);
+		m_rules = new falco_rules(m_inspector, this, m_ls);
 	}

-	// Note that falco_formats is added to both the lua state used
-	// by the falco engine as well as the separate lua state used
-	// by falco outputs.  Within the engine, only
-	// formats.formatter is used, so we can unconditionally set
-	// json_output to false.
-	bool json_output = false;
-	bool json_include_output_property = false;
-	falco_formats::init(m_inspector, this, m_ls, json_output, json_include_output_property);
-
-	m_rules->load_rules(rules_content, verbose, all_events, m_extra, m_replace_container_info, m_min_priority, required_engine_version);
-}
-
-void falco_engine::load_rules_file(const string &rules_filename, bool verbose, bool all_events)
-{
 	uint64_t dummy;
+	// m_sinsp_rules.reset(new falco_sinsp_ruleset());
+	// m_k8s_audit_rules.reset(new falco_ruleset());
+	m_rules->load_rules(rules_content, verbose, all_events, m_extra, m_replace_container_info, m_min_priority, dummy);

-	return load_rules_file(rules_filename, verbose, all_events, dummy);
+	m_is_ready = true;
+
+	return;
+
+	//
+	// auto local_rules = new falco_rules(m_inspector, this, m_ls);
+	// try
+	// {
+	// 	uint64_t dummy;
+	// 	local_rules->load_rules(rules_content, verbose, all_events, m_extra, m_replace_container_info, m_min_priority, dummy);
+
+	// 	// m_rules = local_rules
+	// 	// std::atomic<falco_rules *> lore(m_rules);
+	// 	// std::atomic_exchange(&lore, local_rules);
+	// 	// SCHEDULE LOCAL_RULES AS NEXT RULESET
+	// }
+	// catch(const falco_exception &e)
+	// {
+	// 	// todo
+	// 	printf("IGNORE BECAUSE OF ERROR LOADING RULESET!\n");
+	// }
 }

-void falco_engine::load_rules_file(const string &rules_filename, bool verbose, bool all_events, uint64_t &required_engine_version)
+// // todo(fntlnz): not sure we want this in falco_engine
+// void falco_engine::watch_rules(bool verbose, bool all_events)
+// {
+// 	hawk_watch_rules((hawk_watch_rules_cb)rules_cb, reinterpret_cast<hawk_engine *>(this));
+// }
+
+bool falco_engine::is_ready()
 {
-	ifstream is;
-
-	is.open(rules_filename);
-	if (!is.is_open())
-	{
-		throw falco_exception("Could not open rules filename " +
-				      rules_filename + " " +
-				      "for reading");
-	}
-
-	string rules_content((istreambuf_iterator<char>(is)),
-			     istreambuf_iterator<char>());
-
-	load_rules(rules_content, verbose, all_events, required_engine_version);
+	return m_is_ready;
 }

 void falco_engine::enable_rule(const string &substring, bool enabled, const string &ruleset)
@@ -273,7 +299,7 @@ uint64_t falco_engine::num_rules_for_ruleset(const std::string &ruleset)
 	uint16_t ruleset_id = find_ruleset_id(ruleset);

 	return m_sinsp_rules->num_rules_for_ruleset(ruleset_id) +
-		m_k8s_audit_rules->num_rules_for_ruleset(ruleset_id);
+	       m_k8s_audit_rules->num_rules_for_ruleset(ruleset_id);
 }

 void falco_engine::evttypes_for_ruleset(std::vector<bool> &evttypes, const std::string &ruleset)
@@ -312,15 +338,15 @@ unique_ptr<falco_engine::rule_result> falco_engine::process_sinsp_event(sinsp_ev

 		if(lua_pcall(m_ls, 1, 3, 0) != 0)
 		{
-			const char* lerr = lua_tostring(m_ls, -1);
+			const char *lerr = lua_tostring(m_ls, -1);
 			string err = "Error invoking function output: " + string(lerr);
 			throw falco_exception(err);
 		}
 		res->evt = ev;
-		const char *p =  lua_tostring(m_ls, -3);
+		const char *p = lua_tostring(m_ls, -3);
 		res->rule = p;
 		res->source = "syscall";
-		res->priority_num = (falco_common::priority_type) lua_tonumber(m_ls, -2);
+		res->priority_num = (falco_common::priority_type)lua_tonumber(m_ls, -2);
 		res->format = lua_tostring(m_ls, -1);
 		lua_pop(m_ls, 3);
 	}
@@ -334,6 +360,7 @@ unique_ptr<falco_engine::rule_result> falco_engine::process_sinsp_event(sinsp_ev

 unique_ptr<falco_engine::rule_result> falco_engine::process_sinsp_event(sinsp_evt *ev)
 {
+	// todo(leodido, fntlnz) > pass the last ruleset id
 	return process_sinsp_event(ev, m_default_ruleset_id);
 }

@@ -345,7 +372,7 @@ unique_ptr<falco_engine::rule_result> falco_engine::process_k8s_audit_event(json
 	}

 	// All k8s audit events have the single tag "1".
-	if(!m_k8s_audit_rules->run((gen_event *) ev, 1, ruleset_id))
+	if(!m_k8s_audit_rules->run((gen_event *)ev, 1, ruleset_id))
 	{
 		return unique_ptr<struct rule_result>();
 	}
@@ -360,15 +387,15 @@ unique_ptr<falco_engine::rule_result> falco_engine::process_k8s_audit_event(json

 		if(lua_pcall(m_ls, 1, 3, 0) != 0)
 		{
-			const char* lerr = lua_tostring(m_ls, -1);
+			const char *lerr = lua_tostring(m_ls, -1);
 			string err = "Error invoking function output: " + string(lerr);
 			throw falco_exception(err);
 		}
 		res->evt = ev;
-		const char *p =  lua_tostring(m_ls, -3);
+		const char *p = lua_tostring(m_ls, -3);
 		res->rule = p;
 		res->source = "k8s_audit";
-		res->priority_num = (falco_common::priority_type) lua_tonumber(m_ls, -2);
+		res->priority_num = (falco_common::priority_type)lua_tonumber(m_ls, -2);
 		res->format = lua_tostring(m_ls, -1);
 		lua_pop(m_ls, 3);
 	}
@@ -394,7 +421,7 @@ bool falco_engine::parse_k8s_audit_json(nlohmann::json &j, std::list<json_event>
 				{
 					// Note we only handle a single top level array, to
 					// avoid excessive recursion.
-					if(! parse_k8s_audit_json(item, evts, false))
+					if(!parse_k8s_audit_json(item, evts, false))
 					{
 						return false;
 					}
@@ -472,7 +499,7 @@ void falco_engine::print_stats()
 	{
 		if(lua_pcall(m_ls, 0, 0, 0) != 0)
 		{
-			const char* lerr = lua_tostring(m_ls, -1);
+			const char *lerr = lua_tostring(m_ls, -1);
 			string err = "Error invoking function print_stats: " + string(lerr);
 			throw falco_exception(err);
 		}
@@ -481,21 +508,20 @@ void falco_engine::print_stats()
 	{
 		throw falco_exception("No function " + lua_print_stats + " found in lua rule loader module");
 	}
-
 }

 void falco_engine::add_sinsp_filter(string &rule,
 				    set<uint32_t> &evttypes,
 				    set<uint32_t> &syscalls,
 				    set<string> &tags,
-				    sinsp_filter* filter)
+				    sinsp_filter *filter)
 {
 	m_sinsp_rules->add(rule, evttypes, syscalls, tags, filter);
 }

 void falco_engine::add_k8s_audit_filter(string &rule,
 					set<string> &tags,
-					json_event_filter* filter)
+					json_event_filter *filter)
 {
 	// All k8s audit events have a single tag "1".
 	std::set<uint32_t> event_tags = {1};
@@ -537,8 +563,8 @@ inline bool falco_engine::should_drop_evt()
 		return false;
 	}

-	double coin = (random() * (1.0/RAND_MAX));
-	return (coin >= (1.0/(m_sampling_multiplier * m_sampling_ratio)));
+	double coin = (random() * (1.0 / RAND_MAX));
+	return (coin >= (1.0 / (m_sampling_multiplier * m_sampling_ratio)));
 }

 sinsp_filter_factory &falco_engine::sinsp_factory()
--- a/userspace/engine/falco_engine.h
+++ b/userspace/engine/falco_engine.h
@@ -38,6 +38,11 @@ limitations under the License.
 #include "config_falco_engine.h"
 #include "falco_common.h"

+extern "C"
+{
+#include "hawk.h"
+}
+
 //
 // This class acts as the primary interface between a program and the
 // falco rules engine. Falco outputs (writing to files/syslog/etc) are
@@ -47,9 +52,12 @@ limitations under the License.
 class falco_engine : public falco_common
 {
 public:
-	falco_engine(bool seed_rng=true, const std::string& alternate_lua_dir=FALCO_ENGINE_SOURCE_LUA_DIR);
+	falco_engine(bool seed_rng = true, const std::string &alternate_lua_dir = FALCO_ENGINE_SOURCE_LUA_DIR);
 	virtual ~falco_engine();

+	falco_engine(const falco_engine &rhs);
+	falco_engine *clone();
+
 	// A given engine has a version which identifies the fields
 	// and rules file format it supports. This version will change
 	// any time the code that handles rules files, expression
@@ -57,7 +65,7 @@ public:
 	static uint32_t engine_version();

 	// Print to stdout (using printf) a description of each field supported by this engine.
-	void list_fields(bool names_only=false);
+	void list_fields(bool names_only = false);

 	//
 	// Load rules either directly or from a filename.
@@ -65,12 +73,8 @@ public:
 	void load_rules_file(const std::string &rules_filename, bool verbose, bool all_events);
 	void load_rules(const std::string &rules_content, bool verbose, bool all_events);

-	//
-	// Identical to above, but also returns the required engine version for the file/content.
-	// (If no required engine version is specified, returns 0).
-	//
-	void load_rules_file(const std::string &rules_filename, bool verbose, bool all_events, uint64_t &required_engine_version);
-	void load_rules(const std::string &rules_content, bool verbose, bool all_events, uint64_t &required_engine_version);
+	// Watch and live-reload rules using an external ABI interface provided by libhawk
+	void watch_rules(bool verbose, bool all_events);

 	//
 	// Enable/Disable any rules matching the provided substring.
@@ -85,7 +89,6 @@ public:
 	// Wrapper that assumes the default ruleset
 	void enable_rule(const std::string &substring, bool enabled);

-
 	// Like enable_rule, but the rule name must be an exact match.
 	void enable_rule_exact(const std::string &rule_name, bool enabled, const std::string &ruleset);

@@ -154,7 +157,8 @@ public:

 	// **Methods Related to k8s audit log events, which are
 	// **represented as json objects.
-	struct rule_result {
+	struct rule_result
+	{
 		gen_event *evt;
 		std::string rule;
 		std::string source;
@@ -170,7 +174,7 @@ public:
 	// Returns true if the json object was recognized as a k8s
 	// audit event(s), false otherwise.
 	//
-	bool parse_k8s_audit_json(nlohmann::json &j, std::list<json_event> &evts, bool top=true);
+	bool parse_k8s_audit_json(nlohmann::json &j, std::list<json_event> &evts, bool top = true);

 	//
 	// Given an event, check it against the set of rules in the
@@ -195,7 +199,7 @@ public:
 	//
 	void add_k8s_audit_filter(std::string &rule,
 				  std::set<std::string> &tags,
-				  json_event_filter* filter);
+				  json_event_filter *filter);

 	// **Methods Related to Sinsp Events e.g system calls
 	//
@@ -236,13 +240,14 @@ public:
 			      std::set<uint32_t> &evttypes,
 			      std::set<uint32_t> &syscalls,
 			      std::set<std::string> &tags,
-			      sinsp_filter* filter);
+			      sinsp_filter *filter);

 	sinsp_filter_factory &sinsp_factory();
 	json_event_filter_factory &json_factory();

-private:
+	bool is_ready();

+private:
 	static nlohmann::json::json_pointer k8s_audit_time;

 	//
@@ -262,6 +267,8 @@ private:
 	std::unique_ptr<falco_sinsp_ruleset> m_sinsp_rules;
 	std::unique_ptr<falco_ruleset> m_k8s_audit_rules;

+	std::string m_alternate_lua_dir;
+
 	//
 	// Here's how the sampling ratio and multiplier influence
 	// whether or not an event is dropped in
@@ -291,5 +298,6 @@ private:

 	std::string m_extra;
 	bool m_replace_container_info;
-};

+	bool m_is_ready = false;
+};
--- a/userspace/engine/falco_engine_version.h
+++ b/userspace/engine/falco_engine_version.h
@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2020 The Falco Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -16,9 +16,9 @@ limitations under the License.

 // The version of rules/filter fields/etc supported by this falco
 // engine.
-#define FALCO_ENGINE_VERSION (5)
+#define FALCO_ENGINE_VERSION (7)

 // This is the result of running "falco --list -N | sha256sum" and
 // represents the fields supported by this version of falco. It's used
 // at build time to detect a changed set of fields.
-#define FALCO_FIELDS_CHECKSUM "ca9e75fa41fe4480cdfad8cf275cdbbc334e656569f070c066d87cbd2955c1ae"
+#define FALCO_FIELDS_CHECKSUM "2f324e2e66d4b423f53600e7e0fcf2f0ff72e4a87755c490f2ae8f310aba9386"
--- a/userspace/engine/falco_utils.cpp
+++ b/userspace/engine/falco_utils.cpp
@@ -16,6 +16,7 @@ See the License for the specific language governing permissions and
 limitations under the License.

 */
+#include <cstring>

 #include "falco_utils.h"
 #include "banned.h" // This raises a compilation error when certain functions are used
@@ -26,7 +27,7 @@ namespace falco
 namespace utils
 {

-std::string wrap_text(const std::string &str, uint32_t initial_pos, uint32_t indent, uint32_t line_len)
+std::string wrap_text(const std::string& str, uint32_t initial_pos, uint32_t indent, uint32_t line_len)
 {
 	std::string ret;

@@ -51,6 +52,34 @@ std::string wrap_text(const std::string &str, uint32_t initial_pos, uint32_t ind
 	return ret;
 }

-} // namespace utils
+uint32_t hardware_concurrency()
+{
+	auto hc = std::thread::hardware_concurrency();
+	return hc ? hc : 1;
+}

+void readfile(const std::string& filename, std::string& data)
+{
+	std::ifstream file(filename.c_str(), std::ios::in);
+
+	if(file.is_open())
+	{
+		std::stringstream ss;
+		ss << file.rdbuf();
+
+		file.close();
+
+		data = ss.str();
+	}
+
+	return;
+}
+namespace network
+{
+bool is_unix_scheme(nonstd::string_view url)
+{
+	return url.starts_with(UNIX_SCHEME);
+}
+} // namespace network
+} // namespace utils
 } // namespace falco
--- a/userspace/engine/falco_utils.h
+++ b/userspace/engine/falco_utils.h
@@ -17,7 +17,12 @@ limitations under the License.

 */

+#include <sstream>
+#include <fstream>
+#include <iostream>
 #include <string>
+#include <thread>
+#include <nonstd/string_view.hpp>

 #pragma once

@@ -27,8 +32,16 @@ namespace falco
 namespace utils
 {

-std::string wrap_text(const std::string &str, uint32_t initial_pos, uint32_t indent, uint32_t line_len);
+std::string wrap_text(const std::string& str, uint32_t initial_pos, uint32_t indent, uint32_t line_len);

+void readfile(const std::string& filename, std::string& data);
+
+uint32_t hardware_concurrency();
+
+namespace network
+{
+static const std::string UNIX_SCHEME("unix://");
+bool is_unix_scheme(nonstd::string_view url);
+} // namespace network
 } // namespace utils
-
 } // namespace falco
--- a/userspace/engine/formats.cpp
+++ b/userspace/engine/formats.cpp
@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2020 The Falco Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -20,24 +20,19 @@ limitations under the License.
 #include "falco_engine.h"
 #include "banned.h" // This raises a compilation error when certain functions are used

-
-sinsp* falco_formats::s_inspector = NULL;
+sinsp *falco_formats::s_inspector = NULL;
 falco_engine *falco_formats::s_engine = NULL;
 bool falco_formats::s_json_output = false;
 bool falco_formats::s_json_include_output_property = true;
-sinsp_evt_formatter_cache *falco_formats::s_formatters = NULL;
+std::unique_ptr<sinsp_evt_formatter_cache> falco_formats::s_formatters = NULL;

-const static struct luaL_reg ll_falco [] =
-{
-	{"formatter", &falco_formats::formatter},
-	{"free_formatter", &falco_formats::free_formatter},
-	{"free_formatters", &falco_formats::free_formatters},
-	{"format_event", &falco_formats::format_event},
-	{"resolve_tokens", &falco_formats::resolve_tokens},
-	{NULL,NULL}
-};
+const static struct luaL_reg ll_falco[] =
+	{
+		{"formatter", &falco_formats::lua_formatter},
+		{"free_formatter", &falco_formats::lua_free_formatter},
+		{NULL, NULL}};

-void falco_formats::init(sinsp* inspector,
+void falco_formats::init(sinsp *inspector,
 			 falco_engine *engine,
 			 lua_State *ls,
 			 bool json_output,
@@ -47,15 +42,14 @@ void falco_formats::init(sinsp* inspector,
 	s_engine = engine;
 	s_json_output = json_output;
 	s_json_include_output_property = json_include_output_property;
-	if(!s_formatters)
-	{
-		s_formatters = new sinsp_evt_formatter_cache(s_inspector);
-	}
+
+	// todo(leogr): we should have used std::make_unique, but we cannot since it's not C++14
+	s_formatters = std::unique_ptr<sinsp_evt_formatter_cache>(new sinsp_evt_formatter_cache(s_inspector));

 	luaL_openlib(ls, "formats", ll_falco, 0);
 }

-int falco_formats::formatter(lua_State *ls)
+int falco_formats::lua_formatter(lua_State *ls)
 {
 	string source = luaL_checkstring(ls, -2);
 	string format = luaL_checkstring(ls, -1);
@@ -64,7 +58,7 @@ int falco_formats::formatter(lua_State *ls)
 	{
 		if(source == "syscall")
 		{
-			sinsp_evt_formatter* formatter;
+			sinsp_evt_formatter *formatter;
 			formatter = new sinsp_evt_formatter(s_inspector, format);
 			lua_pushlightuserdata(ls, formatter);
 		}
@@ -75,11 +69,11 @@ int falco_formats::formatter(lua_State *ls)
 			lua_pushlightuserdata(ls, formatter);
 		}
 	}
-	catch(sinsp_exception& e)
+	catch(sinsp_exception &e)
 	{
 		luaL_error(ls, "Invalid output format '%s': '%s'", format.c_str(), e.what());
 	}
-	catch(falco_exception& e)
+	catch(falco_exception &e)
 	{
 		luaL_error(ls, "Invalid output format '%s': '%s'", format.c_str(), e.what());
 	}
@@ -87,10 +81,10 @@ int falco_formats::formatter(lua_State *ls)
 	return 1;
 }

-int falco_formats::free_formatter(lua_State *ls)
+int falco_formats::lua_free_formatter(lua_State *ls)
 {
-	if (!lua_islightuserdata(ls, -1) ||
-	    !lua_isstring(ls, -2))
+	if(!lua_islightuserdata(ls, -1) ||
+	   !lua_isstring(ls, -2))

 	{
 		luaL_error(ls, "Invalid argument passed to free_formatter");
@@ -100,115 +94,75 @@ int falco_formats::free_formatter(lua_State *ls)

 	if(source == "syscall")
 	{
-		sinsp_evt_formatter *formatter = (sinsp_evt_formatter *) lua_topointer(ls, -1);
+		sinsp_evt_formatter *formatter = (sinsp_evt_formatter *)lua_topointer(ls, -1);
 		delete(formatter);
 	}
 	else
 	{
-		json_event_formatter *formatter = (json_event_formatter *) lua_topointer(ls, -1);
+		json_event_formatter *formatter = (json_event_formatter *)lua_topointer(ls, -1);
 		delete(formatter);
 	}

 	return 0;
 }

-int falco_formats::free_formatters(lua_State *ls)
+string falco_formats::format_event(const gen_event *evt, const std::string &rule, const std::string &source,
+				   const std::string &level, const std::string &format)
 {
-	if(s_formatters)
-	{
-		delete(s_formatters);
-		s_formatters = NULL;
-	}
-	return 0;
-}

-int falco_formats::format_event (lua_State *ls)
-{
 	string line;
 	string json_line;
-
-	if (!lua_isstring(ls, -1) ||
-	    !lua_isstring(ls, -2) ||
-	    !lua_isstring(ls, -3) ||
-	    !lua_isstring(ls, -4) ||
-	    !lua_islightuserdata(ls, -5)) {
-		lua_pushstring(ls, "Invalid arguments passed to format_event()");
-		lua_error(ls);
-	}
-	gen_event* evt = (gen_event*)lua_topointer(ls, 1);
-	const char *rule = (char *) lua_tostring(ls, 2);
-	const char *source = (char *) lua_tostring(ls, 3);
-	const char *level = (char *) lua_tostring(ls, 4);
-	const char *format = (char *) lua_tostring(ls, 5);
-
 	string sformat = format;

-	if(strcmp(source, "syscall") == 0)
+	if(strcmp(source.c_str(), "syscall") == 0)
 	{
-		try {
-			// This is "output"
-			s_formatters->tostring((sinsp_evt *) evt, sformat, &line);
+		// This is "output"
+		s_formatters->tostring((sinsp_evt *)evt, sformat, &line);

-			if(s_json_output)
-			{
-				sinsp_evt::param_fmt cur_fmt = s_inspector->get_buffer_format();
-				switch(cur_fmt)
-				{
-					case sinsp_evt::PF_NORMAL:
-						s_inspector->set_buffer_format(sinsp_evt::PF_JSON);
-						break;
-					case sinsp_evt::PF_EOLS:
-						s_inspector->set_buffer_format(sinsp_evt::PF_JSONEOLS);
-						break;
-					case sinsp_evt::PF_HEX:
-						s_inspector->set_buffer_format(sinsp_evt::PF_JSONHEX);
-						break;
-					case sinsp_evt::PF_HEXASCII:
-						s_inspector->set_buffer_format(sinsp_evt::PF_JSONHEXASCII);
-						break;
-					case sinsp_evt::PF_BASE64:
-						s_inspector->set_buffer_format(sinsp_evt::PF_JSONBASE64);
-						break;
-					default:
-						// do nothing
-						break;
-				}
-				// This is output fields
-				s_formatters->tostring((sinsp_evt *) evt, sformat, &json_line);
-
-				// The formatted string might have a leading newline. If it does, remove it.
-				if (json_line[0] == '\n')
-				{
-					json_line.erase(0, 1);
-				}
-				s_inspector->set_buffer_format(cur_fmt);
-			}
-		}
-		catch (sinsp_exception& e)
+		if(s_json_output)
 		{
-			string err = "Invalid output format '" + sformat + "': '" + string(e.what()) + "'";
-			lua_pushstring(ls, err.c_str());
-			lua_error(ls);
+			sinsp_evt::param_fmt cur_fmt = s_inspector->get_buffer_format();
+			switch(cur_fmt)
+			{
+			case sinsp_evt::PF_NORMAL:
+				s_inspector->set_buffer_format(sinsp_evt::PF_JSON);
+				break;
+			case sinsp_evt::PF_EOLS:
+				s_inspector->set_buffer_format(sinsp_evt::PF_JSONEOLS);
+				break;
+			case sinsp_evt::PF_HEX:
+				s_inspector->set_buffer_format(sinsp_evt::PF_JSONHEX);
+				break;
+			case sinsp_evt::PF_HEXASCII:
+				s_inspector->set_buffer_format(sinsp_evt::PF_JSONHEXASCII);
+				break;
+			case sinsp_evt::PF_BASE64:
+				s_inspector->set_buffer_format(sinsp_evt::PF_JSONBASE64);
+				break;
+			default:
+				// do nothing
+				break;
+			}
+			// This is output fields
+			s_formatters->tostring((sinsp_evt *)evt, sformat, &json_line);
+
+			// The formatted string might have a leading newline. If it does, remove it.
+			if(json_line[0] == '\n')
+			{
+				json_line.erase(0, 1);
+			}
+			s_inspector->set_buffer_format(cur_fmt);
 		}
 	}
 	else
 	{
-		try {
+		json_event_formatter formatter(s_engine->json_factory(), sformat);

-			json_event_formatter formatter(s_engine->json_factory(), sformat);
+		line = formatter.tostring((json_event *)evt);

-			line = formatter.tostring((json_event *) evt);
-
-			if(s_json_output)
-			{
-				json_line = formatter.tojson((json_event *) evt);
-			}
-		}
-		catch (exception &e)
+		if(s_json_output)
 		{
-			string err = "Invalid output format '" + sformat + "': '" + string(e.what()) + "'";
-			lua_pushstring(ls, err.c_str());
-			lua_error(ls);
+			json_line = formatter.tojson((json_event *)evt);
 		}
 	}

@@ -217,15 +171,16 @@ int falco_formats::format_event (lua_State *ls)
 	// message as well as the event time in ns. Use this to build
 	// a more detailed object containing the event time, rule,
 	// severity, full output, and fields.
-	if (s_json_output) {
+	if(s_json_output)
+	{
 		Json::Value event;
 		Json::FastWriter writer;
 		string full_line;

 		// Convert the time-as-nanoseconds to a more json-friendly ISO8601.
-		time_t evttime = evt->get_ts()/1000000000;
+		time_t evttime = evt->get_ts() / 1000000000;
 		char time_sec[20]; // sizeof "YYYY-MM-DDTHH:MM:SS"
-		char time_ns[12]; // sizeof ".sssssssssZ"
+		char time_ns[12];  // sizeof ".sssssssssZ"
 		string iso8601evttime;

 		strftime(time_sec, sizeof(time_sec), "%FT%T", gmtime(&evttime));
@@ -246,9 +201,9 @@ int falco_formats::format_event (lua_State *ls)

 		// Json::FastWriter may add a trailing newline. If it
 		// does, remove it.
-		if (full_line[full_line.length()-1] == '\n')
+		if(full_line[full_line.length() - 1] == '\n')
 		{
-			full_line.resize(full_line.length()-1);
+			full_line.resize(full_line.length() - 1);
 		}

 		// Cheat-graft the output from the formatter into this
@@ -261,24 +216,12 @@ int falco_formats::format_event (lua_State *ls)
 		line = full_line;
 	}

-	lua_pushstring(ls, line.c_str());
-	return 1;
+	return line.c_str();
 }

-int falco_formats::resolve_tokens(lua_State *ls)
+map<string, string> falco_formats::resolve_tokens(const gen_event *evt, const std::string &source, const std::string &format)
 {
-	if(!lua_isstring(ls, -1) ||
-	   !lua_isstring(ls, -2) ||
-	   !lua_islightuserdata(ls, -3))
-	{
-		lua_pushstring(ls, "Invalid arguments passed to resolve_tokens()");
-		lua_error(ls);
-	}
-	gen_event *evt = (gen_event *)lua_topointer(ls, 1);
-	string source = luaL_checkstring(ls, 2);
-	const char *format = (char *)lua_tostring(ls, 3);
 	string sformat = format;
-
 	map<string, string> values;
 	if(source == "syscall")
 	{
@@ -288,16 +231,7 @@ int falco_formats::resolve_tokens(lua_State *ls)
 	else
 	{
 		json_event_formatter json_formatter(s_engine->json_factory(), sformat);
-		values = json_formatter.tomap((json_event*) evt);
+		values = json_formatter.tomap((json_event *)evt);
 	}
-
-	lua_newtable(ls);
-	for(auto const& v : values)
-	{
-		lua_pushstring(ls, v.first.c_str());
-		lua_pushstring(ls, v.second.c_str());
-		lua_settable(ls, -3);
-	}
-
-	return 1;
+	return values;
 }
--- a/userspace/engine/formats.h
+++ b/userspace/engine/formats.h
@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2020 The Falco Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -18,7 +18,8 @@ limitations under the License.

 #include "sinsp.h"

-extern "C" {
+extern "C"
+{
 #include "lua.h"
 #include "lualib.h"
 #include "lauxlib.h"
@@ -31,31 +32,28 @@ class sinsp_evt_formatter;

 class falco_formats
 {
- public:
-	static void init(sinsp* inspector,
+public:
+	static void init(sinsp *inspector,
 			 falco_engine *engine,
 			 lua_State *ls,
 			 bool json_output,
 			 bool json_include_output_property);

 	// formatter = falco.formatter(format_string)
-	static int formatter(lua_State *ls);
+	static int lua_formatter(lua_State *ls);

 	// falco.free_formatter(formatter)
-	static int free_formatter(lua_State *ls);
+	static int lua_free_formatter(lua_State *ls);

-	// falco.free_formatters()
-	static int free_formatters(lua_State *ls);
+	static string format_event(const gen_event *evt, const std::string &rule, const std::string &source,
+				   const std::string &level, const std::string &format);

-	// formatted_string = falco.format_event(evt, formatter)
-	static int format_event(lua_State *ls);
+	static map<string, string> resolve_tokens(const gen_event *evt, const std::string &source,
+						  const std::string &format);

-	// resolve_tokens = falco.resolve_tokens(evt, formatter)
-	static int resolve_tokens(lua_State *ls);
-
-	static sinsp* s_inspector;
+	static sinsp *s_inspector;
 	static falco_engine *s_engine;
-	static sinsp_evt_formatter_cache *s_formatters;
+	static std::unique_ptr<sinsp_evt_formatter_cache> s_formatters;
 	static bool s_json_output;
 	static bool s_json_include_output_property;
 };
--- a/userspace/engine/json_evt.cpp
+++ b/userspace/engine/json_evt.cpp
@@ -45,7 +45,7 @@ const json &json_event::jevt()
 	return m_jevt;
 }

-uint64_t json_event::get_ts()
+uint64_t json_event::get_ts() const
 {
 	return m_event_ts;
 }
--- a/userspace/engine/json_evt.h
+++ b/userspace/engine/json_evt.h
@@ -38,14 +38,14 @@ public:
 	void set_jevt(nlohmann::json &evt, uint64_t ts);
 	const nlohmann::json &jevt();

-	uint64_t get_ts();
+	uint64_t get_ts() const;

-	inline uint16_t get_source()
+	inline uint16_t get_source() const
 	{
 		return ESRC_K8S_AUDIT;
 	}

-	inline uint16_t get_type()
+	inline uint16_t get_type() const
 	{
 		// All k8s audit events have the single tag "1". - see falco_engine::process_k8s_audit_event
 		return 1;
--- a/userspace/falco/CMakeLists.txt
+++ b/userspace/falco/CMakeLists.txt
@@ -13,100 +13,155 @@

 configure_file("${SYSDIG_SOURCE_DIR}/userspace/sysdig/config_sysdig.h.in" config_sysdig.h)

-add_custom_command(
-  OUTPUT
-    ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc
-    ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.h
-    ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
-    ${CMAKE_CURRENT_BINARY_DIR}/version.pb.h
-    ${CMAKE_CURRENT_BINARY_DIR}/output.grpc.pb.cc
-    ${CMAKE_CURRENT_BINARY_DIR}/output.grpc.pb.h
-    ${CMAKE_CURRENT_BINARY_DIR}/output.pb.cc
-    ${CMAKE_CURRENT_BINARY_DIR}/output.pb.h
-    ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc
-    ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.h
-  COMMENT "Generate gRPC version API"
-  DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
-  COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
-  COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
-          ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
-  COMMENT "Generate gRPC outputs API"
-  DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/output.proto
-  COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/output.proto
-          ${CMAKE_CURRENT_SOURCE_DIR}/schema.proto
-  COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
-          ${CMAKE_CURRENT_SOURCE_DIR}/output.proto
-  WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR})
+if(NOT MINIMAL_BUILD)
+  add_custom_command(
+    OUTPUT
+      ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc
+      ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.h
+      ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
+      ${CMAKE_CURRENT_BINARY_DIR}/version.pb.h
+      ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc
+      ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.h
+      ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc
+      ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.h
+      ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc
+      ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.h
+    COMMENT "Generate gRPC API"
+    # Falco gRPC Version API
+    DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
+    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
+    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
+            ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
+    # Falco gRPC Outputs API
+    DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
+    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
+            ${CMAKE_CURRENT_SOURCE_DIR}/schema.proto
+    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
+            ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
+    WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR})
+endif()

+if(MINIMAL_BUILD)
 add_executable(
  falco
  configuration.cpp
  logger.cpp
  falco_outputs.cpp
+  outputs_file.cpp
+  outputs_program.cpp
+  outputs_stdout.cpp
+  outputs_syslog.cpp
  event_drops.cpp
  statsfilewriter.cpp
  falco.cpp
-  "${SYSDIG_SOURCE_DIR}/userspace/sysdig/fields_info.cpp"
-  webserver.cpp
-  grpc_context.cpp
-  grpc_server_impl.cpp
-  grpc_request_context.cpp
-  grpc_server.cpp
-  utils.cpp
-  ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc
-  ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
-  ${CMAKE_CURRENT_BINARY_DIR}/output.grpc.pb.cc
-  ${CMAKE_CURRENT_BINARY_DIR}/output.pb.cc
-  ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc)
+  "${SYSDIG_SOURCE_DIR}/userspace/sysdig/fields_info.cpp")
+else()
+  add_executable(
+    falco
+    configuration.cpp
+    logger.cpp
+    falco_outputs.cpp
+    outputs_file.cpp
+    outputs_grpc.cpp
+    outputs_http.cpp
+    outputs_program.cpp
+    outputs_stdout.cpp
+    outputs_syslog.cpp
+    event_drops.cpp
+    statsfilewriter.cpp
+    falco.cpp
+    "${SYSDIG_SOURCE_DIR}/userspace/sysdig/fields_info.cpp"
+    webserver.cpp
+    grpc_context.cpp
+    grpc_server_impl.cpp
+    grpc_request_context.cpp
+    grpc_server.cpp
+    ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc)

-add_dependencies(falco civetweb)
+    add_dependencies(falco civetweb)
+endif()
+
+add_dependencies(falco string-view-lite)

 if(USE_BUNDLED_DEPS)
  add_dependencies(falco yamlcpp)
 endif()

-target_include_directories(
-  falco
-  PUBLIC
-    "${SYSDIG_SOURCE_DIR}/userspace/sysdig"
-    "${PROJECT_SOURCE_DIR}/userspace/engine"
-    "${PROJECT_BINARY_DIR}/userspace/falco"
-    "${PROJECT_BINARY_DIR}/driver/src"
-    "${YAMLCPP_INCLUDE_DIR}"
-    "${CIVETWEB_INCLUDE_DIR}"
-    "${GRPC_INCLUDE}"
-    "${GRPCPP_INCLUDE}"
-    "${PROTOBUF_INCLUDE}"
-    "${CMAKE_CURRENT_BINARY_DIR}"
-    "${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include")
+if(MINIMAL_BUILD)
+  target_include_directories(
+    falco
+    PUBLIC
+      "${SYSDIG_SOURCE_DIR}/userspace/sysdig"
+      "${PROJECT_SOURCE_DIR}/userspace/engine"
+      "${PROJECT_BINARY_DIR}/userspace/falco"
+      "${PROJECT_BINARY_DIR}/driver/src"
+      "${STRING_VIEW_LITE_INCLUDE}"
+      "${YAMLCPP_INCLUDE_DIR}"
+      "${CMAKE_CURRENT_BINARY_DIR}"
+      "${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include")

-target_link_libraries(
-  falco
-  falco_engine
-  sinsp
-  "${GPR_LIB}"
-  "${GRPC_LIB}"
-  "${GRPCPP_LIB}"
-  "${PROTOBUF_LIB}"
-  "${LIBYAML_LIB}"
-  "${YAMLCPP_LIB}"
-  "${CIVETWEB_LIB}")
+  target_link_libraries(
+    falco
+    falco_engine
+    sinsp
+    "${LIBYAML_LIB}"
+    "${YAMLCPP_LIB}")
+else()
+  target_include_directories(
+    falco
+    PUBLIC
+      "${SYSDIG_SOURCE_DIR}/userspace/sysdig"
+      "${PROJECT_SOURCE_DIR}/userspace/engine"
+      "${PROJECT_BINARY_DIR}/userspace/falco"
+      "${PROJECT_BINARY_DIR}/driver/src"
+      "${STRING_VIEW_LITE_INCLUDE}"
+      "${YAMLCPP_INCLUDE_DIR}"
+      "${CIVETWEB_INCLUDE_DIR}"
+      "${OPENSSL_INCLUDE_DIR}"
+      "${GRPC_INCLUDE}"
+      "${GRPCPP_INCLUDE}"
+      "${PROTOBUF_INCLUDE}"
+      "${CMAKE_CURRENT_BINARY_DIR}"
+      "${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include")
+
+  target_link_libraries(
+    falco
+    falco_engine
+    sinsp
+    "${GPR_LIB}"
+    "${GRPC_LIB}"
+    "${GRPCPP_LIB}"
+    "${PROTOBUF_LIB}"
+    "${OPENSSL_LIBRARY_SSL}"
+    "${OPENSSL_LIBRARY_CRYPTO}"
+    "${LIBYAML_LIB}"
+    "${YAMLCPP_LIB}"
+    "${CIVETWEB_LIB}")
+endif()

 configure_file(config_falco.h.in config_falco.h)

-add_custom_command(
-  TARGET falco
-  COMMAND bash ${CMAKE_CURRENT_SOURCE_DIR}/verify_engine_fields.sh ${CMAKE_SOURCE_DIR} ${OPENSSL_BINARY}
-  WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
-  COMMENT "Comparing engine fields checksum in falco_engine.h to actual fields")
+if(NOT MINIMAL_BUILD)
+  # add_custom_command(
+  #   TARGET falco
+  #   COMMAND bash ${CMAKE_CURRENT_SOURCE_DIR}/verify_engine_fields.sh ${CMAKE_SOURCE_DIR}
+  #   WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
+  #   COMMENT "Comparing engine fields checksum in falco_engine.h to actual fields")
+else()
+  MESSAGE(STATUS "Skipping engine fields checksum when building the minimal Falco.")
+endif()

-# add_custom_target(verify_engine_fields DEPENDS verify_engine_fields.sh falco_engine.h)
-
-# add_dependencies(verify_engine_fields falco)
+# strip the Falco binary when releasing using musl
+if(MUSL_OPTIMIZED_BUILD AND CMAKE_BUILD_TYPE STREQUAL "release")
+  add_custom_command(
+    TARGET falco
+    POST_BUILD
+    COMMAND ${CMAKE_STRIP} --strip-unneeded falco
+    COMMENT "Strip the Falco binary when releasing the musl build")
+endif()

 install(TARGETS falco DESTINATION ${FALCO_BIN_DIR})
-install(
-  DIRECTORY lua
-  DESTINATION ${FALCO_SHARE_DIR}
-  FILES_MATCHING
-  PATTERN *.lua)
--- a/userspace/falco/config_falco.h.in
+++ b/userspace/falco/config_falco.h.in
@@ -25,11 +25,9 @@ limitations under the License.
 #define FALCO_VERSION_PRERELEASE "@FALCO_VERSION_PRERELEASE@"
 #define FALCO_VERSION_BUILD "@FALCO_VERSION_BUILD@"

-#define FALCO_LUA_DIR "${CMAKE_INSTALL_PREFIX}/${FALCO_SHARE_DIR}/lua/"
 #define FALCO_SOURCE_DIR "${PROJECT_SOURCE_DIR}"
 #define FALCO_SOURCE_CONF_FILE "${PROJECT_SOURCE_DIR}/falco.yaml"
 #define FALCO_INSTALL_CONF_FILE "/etc/falco/falco.yaml"
-#define FALCO_SOURCE_LUA_DIR "${PROJECT_SOURCE_DIR}/userspace/falco/lua/"

 #define PROBE_NAME "@PROBE_NAME@"
 #define DRIVER_VERSION "@PROBE_VERSION@"
--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2020 The Falco Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -20,6 +20,7 @@ limitations under the License.
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <unistd.h>
+#include "falco_utils.h"

 #include "configuration.h"
 #include "logger.h"
@@ -32,7 +33,7 @@ falco_configuration::falco_configuration():
 	m_time_format_iso_8601(false),
 	m_webserver_enabled(false),
 	m_webserver_listen_port(8765),
-	m_webserver_k8s_audit_endpoint("/k8s_audit"),
+	m_webserver_k8s_audit_endpoint("/k8s-audit"),
 	m_webserver_ssl_enabled(false),
 	m_config(NULL)
 {
@@ -51,7 +52,7 @@ void falco_configuration::init(list<string> &cmdline_options)
 {
 	init_cmdline_options(cmdline_options);

-	falco_outputs::output_config stdout_output;
+	falco::outputs::config stdout_output;
 	stdout_output.name = "stdout";
 	m_outputs.push_back(stdout_output);
 }
@@ -67,20 +68,10 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio

 	m_config->get_sequence<list<string>>(rules_files, string("rules_file"));

-	for(auto &file : rules_files)
-	{
-		// Here, we only include files that exist
-		struct stat buffer;
-		if(stat(file.c_str(), &buffer) == 0)
-		{
-			read_rules_file_directory(file, m_rules_filenames);
-		}
-	}
-
 	m_json_output = m_config->get_scalar<bool>("json_output", false);
 	m_json_include_output_property = m_config->get_scalar<bool>("json_include_output_property", true);

-	falco_outputs::output_config file_output;
+	falco::outputs::config file_output;
 	file_output.name = "file";
 	if(m_config->get_scalar<bool>("file_output", "enabled", false))
 	{
@@ -98,21 +89,21 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
 		m_outputs.push_back(file_output);
 	}

-	falco_outputs::output_config stdout_output;
+	falco::outputs::config stdout_output;
 	stdout_output.name = "stdout";
 	if(m_config->get_scalar<bool>("stdout_output", "enabled", false))
 	{
 		m_outputs.push_back(stdout_output);
 	}

-	falco_outputs::output_config syslog_output;
+	falco::outputs::config syslog_output;
 	syslog_output.name = "syslog";
 	if(m_config->get_scalar<bool>("syslog_output", "enabled", false))
 	{
 		m_outputs.push_back(syslog_output);
 	}

-	falco_outputs::output_config program_output;
+	falco::outputs::config program_output;
 	program_output.name = "program";
 	if(m_config->get_scalar<bool>("program_output", "enabled", false))
 	{
@@ -130,7 +121,7 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
 		m_outputs.push_back(program_output);
 	}

-	falco_outputs::output_config http_output;
+	falco::outputs::config http_output;
 	http_output.name = "http";
 	if(m_config->get_scalar<bool>("http_output", "enabled", false))
 	{
@@ -148,16 +139,17 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio

 	m_grpc_enabled = m_config->get_scalar<bool>("grpc", "enabled", false);
 	m_grpc_bind_address = m_config->get_scalar<string>("grpc", "bind_address", "0.0.0.0:5060");
-	m_grpc_threadiness = m_config->get_scalar<uint32_t>("grpc", "threadiness", 8); // todo > limit it to avoid overshubscription? std::thread::hardware_concurrency()
+	m_grpc_threadiness = m_config->get_scalar<uint32_t>("grpc", "threadiness", 0);
 	if(m_grpc_threadiness == 0)
 	{
-		throw logic_error("error reading config file (" + m_config_file +"): gRPC threadiness must be greater than 0");
+		m_grpc_threadiness = falco::utils::hardware_concurrency();
 	}
+	// todo > else limit threadiness to avoid oversubscription?
 	m_grpc_private_key = m_config->get_scalar<string>("grpc", "private_key", "/etc/falco/certs/server.key");
 	m_grpc_cert_chain = m_config->get_scalar<string>("grpc", "cert_chain", "/etc/falco/certs/server.crt");
 	m_grpc_root_certs = m_config->get_scalar<string>("grpc", "root_certs", "/etc/falco/certs/ca.crt");

-	falco_outputs::output_config grpc_output;
+	falco::outputs::config grpc_output;
 	grpc_output.name = "grpc";
 	// gRPC output is enabled only if gRPC server is enabled too
 	if(m_config->get_scalar<bool>("grpc_output", "enabled", true) && m_grpc_enabled)
@@ -170,9 +162,9 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
 		throw logic_error("Error reading config file (" + m_config_file + "): No outputs configured. Please configure at least one output file output enabled but no filename in configuration block");
 	}

-	string log_level = m_config->get_scalar<string>("log_level", "info");
+	m_log_level = m_config->get_scalar<string>("log_level", "info");

-	falco_logger::set_level(log_level);
+	falco_logger::set_level(m_log_level);

 	m_notifications_rate = m_config->get_scalar<uint32_t>("outputs", "rate", 1);
 	m_notifications_max_burst = m_config->get_scalar<uint32_t>("outputs", "max_burst", 1000);
@@ -198,7 +190,7 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio

 	m_webserver_enabled = m_config->get_scalar<bool>("webserver", "enabled", false);
 	m_webserver_listen_port = m_config->get_scalar<uint32_t>("webserver", "listen_port", 8765);
-	m_webserver_k8s_audit_endpoint = m_config->get_scalar<string>("webserver", "k8s_audit_endpoint", "/k8s_audit");
+	m_webserver_k8s_audit_endpoint = m_config->get_scalar<string>("webserver", "k8s_audit_endpoint", "/k8s-audit");
 	m_webserver_ssl_enabled = m_config->get_scalar<bool>("webserver", "ssl_enabled", false);
 	m_webserver_ssl_certificate = m_config->get_scalar<string>("webserver", "ssl_certificate", "/etc/falco/falco.pem");

@@ -240,69 +232,6 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
 	m_syscall_evt_simulate_drops = m_config->get_scalar<bool>("syscall_event_drops", "simulate_drops", false);
 }

-void falco_configuration::read_rules_file_directory(const string &path, list<string> &rules_filenames)
-{
-	struct stat st;
-
-	int rc = stat(path.c_str(), &st);
-
-	if(rc != 0)
-	{
-		std::cerr << "Could not get info on rules file " << path << ": " << strerror(errno) << std::endl;
-		exit(-1);
-	}
-
-	if(st.st_mode & S_IFDIR)
-	{
-		// It's a directory. Read the contents, sort
-		// alphabetically, and add every path to
-		// rules_filenames
-		vector<string> dir_filenames;
-
-		DIR *dir = opendir(path.c_str());
-
-		if(!dir)
-		{
-			std::cerr << "Could not get read contents of directory " << path << ": " << strerror(errno) << std::endl;
-			exit(-1);
-		}
-
-		for(struct dirent *ent = readdir(dir); ent; ent = readdir(dir))
-		{
-			string efile = path + "/" + ent->d_name;
-
-			rc = stat(efile.c_str(), &st);
-
-			if(rc != 0)
-			{
-				std::cerr << "Could not get info on rules file " << efile << ": " << strerror(errno) << std::endl;
-				exit(-1);
-			}
-
-			if(st.st_mode & S_IFREG)
-			{
-				dir_filenames.push_back(efile);
-			}
-		}
-
-		closedir(dir);
-
-		std::sort(dir_filenames.begin(),
-			  dir_filenames.end());
-
-		for(string &ent : dir_filenames)
-		{
-			rules_filenames.push_back(ent);
-		}
-	}
-	else
-	{
-		// Assume it's a file and just add to
-		// rules_filenames. If it can't be opened/etc that
-		// will be reported later..
-		rules_filenames.push_back(path);
-	}
-}

 static bool split(const string &str, char delim, pair<string, string> &parts)
 {
--- a/userspace/falco/configuration.h
+++ b/userspace/falco/configuration.h
@@ -37,7 +37,7 @@ public:
 	{
 		m_path = path;
 		YAML::Node config;
-		std::vector<falco_outputs::output_config> outputs;
+		std::vector<falco::outputs::config> outputs;
 		try
 		{
 			m_root = YAML::LoadFile(path);
@@ -190,12 +190,10 @@ public:
 	void init(std::string conf_filename, std::list<std::string>& cmdline_options);
 	void init(std::list<std::string>& cmdline_options);

-	static void read_rules_file_directory(const string& path, list<string>& rules_filenames);
-
-	std::list<std::string> m_rules_filenames;
 	bool m_json_output;
 	bool m_json_include_output_property;
-	std::vector<falco_outputs::output_config> m_outputs;
+	std::string m_log_level;
+	std::vector<falco::outputs::config> m_outputs;
 	uint32_t m_notifications_rate;
 	uint32_t m_notifications_max_burst;

@@ -205,7 +203,7 @@ public:
 	bool m_time_format_iso_8601;

 	bool m_grpc_enabled;
-	int m_grpc_threadiness;
+	uint32_t m_grpc_threadiness;
 	std::string m_grpc_bind_address;
 	std::string m_grpc_private_key;
 	std::string m_grpc_cert_chain;
--- a/userspace/falco/event_drops.cpp
+++ b/userspace/falco/event_drops.cpp
@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2020 The Falco Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -15,6 +15,7 @@ limitations under the License.
 */

 #include "event_drops.h"
+#include "falco_common.h"
 #include "banned.h" // This raises a compilation error when certain functions are used

 syscall_evt_drop_mgr::syscall_evt_drop_mgr():
@@ -137,7 +138,7 @@ bool syscall_evt_drop_mgr::perform_actions(uint64_t now, scap_stats &delta, bool

 		case ACT_ALERT:
 			m_outputs->handle_msg(now,
-					      falco_outputs::PRIORITY_CRITICAL,
+					      falco_common::PRIORITY_CRITICAL,
 					      msg,
 					      rule,
 					      output_fields);
--- a/userspace/falco/falco.cpp
+++ b/userspace/falco/falco.cpp
--- a/userspace/falco/falco_outputs.cpp
+++ b/userspace/falco/falco_outputs.cpp
@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2020 The Falco Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -14,7 +14,9 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

+#ifndef MINIMAL_BUILD
 #include <google/protobuf/util/time_util.h>
+#endif

 #include "falco_outputs.h"

@@ -22,21 +24,21 @@ limitations under the License.

 #include "formats.h"
 #include "logger.h"
-#include "falco_output_queue.h"
+
+#include "outputs_file.h"
+#include "outputs_program.h"
+#include "outputs_stdout.h"
+#include "outputs_syslog.h"
+#ifndef MINIMAL_BUILD
+#include "outputs_http.h"
+#include "outputs_grpc.h"
+#endif
+
 #include "banned.h" // This raises a compilation error when certain functions are used

 using namespace std;
-using namespace falco::output;

-const static struct luaL_reg ll_falco_outputs [] =
-{
-	{"handle_http", &falco_outputs::handle_http},
-	{"handle_grpc", &falco_outputs::handle_grpc},
-	{NULL, NULL}
-};
-
-falco_outputs::falco_outputs(falco_engine *engine):
-	m_falco_engine(engine),
+falco_outputs::falco_outputs():
 	m_initialized(false),
 	m_buffered(true),
 	m_json_output(false),
@@ -47,25 +49,11 @@ falco_outputs::falco_outputs(falco_engine *engine):

 falco_outputs::~falco_outputs()
 {
-	// Note: The assert()s in this destructor were previously places where
-	//       exceptions were thrown.  C++11 doesn't allow destructors to
-	//       emit exceptions; if they're thrown, they'll trigger a call
-	//       to 'terminate()'.  To maintain similar behavior, the exceptions
-	//       were replace with calls to 'assert()'
 	if(m_initialized)
 	{
-		lua_getglobal(m_ls, m_lua_output_cleanup.c_str());
-		if(!lua_isfunction(m_ls, -1))
+		for(auto it = m_outputs.cbegin(); it != m_outputs.cend(); ++it)
 		{
-			falco_logger::log(LOG_ERR, std::string("No function ") + m_lua_output_cleanup + " found. ");
-			assert(nullptr == "Missing lua cleanup function in ~falco_outputs");
-		}
-
-		if(lua_pcall(m_ls, 0, 0, 0) != 0)
-		{
-			const char *lerr = lua_tostring(m_ls, -1);
-			falco_logger::log(LOG_ERR, std::string("lua_pcall failed, err: ") + lerr);
-			assert(nullptr == "lua_pcall failed in ~falco_outputs");
+			(*it)->cleanup();
 		}
 	}
 }
@@ -75,24 +63,13 @@ void falco_outputs::init(bool json_output,
 			 uint32_t rate, uint32_t max_burst, bool buffered,
 			 bool time_format_iso_8601, string hostname)
 {
-	// The engine must have been given an inspector by now.
-	if(!m_inspector)
-	{
-		throw falco_exception("No inspector provided");
-	}
-
 	m_json_output = json_output;

-	falco_common::init(m_lua_main_filename.c_str(), FALCO_SOURCE_LUA_DIR);
-
-	// Note that falco_formats is added to both the lua state used
-	// by the falco engine as well as the separate lua state used
-	// by falco outputs.
-	falco_formats::init(m_inspector, m_falco_engine, m_ls, json_output, json_include_output_property);
-
-	falco_logger::init(m_ls);
-
-	luaL_openlib(m_ls, "c_outputs", ll_falco_outputs, 0);
+	// Note that falco_formats is already initialized by the engine,
+	// and the following json options are not used within the engine.
+	// So we can safely update them.
+	falco_formats::s_json_output = json_output;
+	falco_formats::s_json_include_output_property = json_include_output_property;

 	m_notifications_tb.init(rate, max_burst);

@@ -103,40 +80,47 @@ void falco_outputs::init(bool json_output,
 	m_initialized = true;
 }

-void falco_outputs::add_output(output_config oc)
+void falco_outputs::add_output(falco::outputs::config oc)
 {
-	uint8_t nargs = 3;
-	lua_getglobal(m_ls, m_lua_add_output.c_str());

-	if(!lua_isfunction(m_ls, -1))
+	falco::outputs::abstract_output *oo;
+
+	if(oc.name == "file")
 	{
-		throw falco_exception("No function " + m_lua_add_output + " found. ");
+		oo = new falco::outputs::output_file();
 	}
-	lua_pushstring(m_ls, oc.name.c_str());
-	lua_pushnumber(m_ls, (m_buffered ? 1 : 0));
-	lua_pushnumber(m_ls, (m_time_format_iso_8601 ? 1 : 0));
-
-	// If we have options, build up a lua table containing them
-	if(oc.options.size())
+	else if(oc.name == "program")
 	{
-		nargs = 4;
-		lua_createtable(m_ls, 0, oc.options.size());
-
-		for(auto it = oc.options.cbegin(); it != oc.options.cend(); ++it)
-		{
-			lua_pushstring(m_ls, (*it).second.c_str());
-			lua_setfield(m_ls, -2, (*it).first.c_str());
-		}
+		oo = new falco::outputs::output_program();
+	}
+	else if(oc.name == "stdout")
+	{
+		oo = new falco::outputs::output_stdout();
+	}
+	else if(oc.name == "syslog")
+	{
+		oo = new falco::outputs::output_syslog();
+	}
+#ifndef MINIMAL_BUILD
+	else if(oc.name == "http")
+	{
+		oo = new falco::outputs::output_http();
+	}
+	else if(oc.name == "grpc")
+	{
+		oo = new falco::outputs::output_grpc();
+	}
+#endif
+	else
+	{
+		throw falco_exception("Output not supported: " + oc.name);
 	}

-	if(lua_pcall(m_ls, nargs, 0, 0) != 0)
-	{
-		const char *lerr = lua_tostring(m_ls, -1);
-		throw falco_exception(string(lerr));
-	}
+	oo->init(oc, m_buffered, m_hostname);
+	m_outputs.push_back(oo);
 }

-void falco_outputs::handle_event(gen_event *ev, string &rule, string &source,
+void falco_outputs::handle_event(gen_event *evt, string &rule, string &source,
 				 falco_common::priority_type priority, string &format)
 {
 	if(!m_notifications_tb.claim())
@@ -145,29 +129,46 @@ void falco_outputs::handle_event(gen_event *ev, string &rule, string &source,
 		return;
 	}

-	std::lock_guard<std::mutex> guard(m_ls_semaphore);
-	lua_getglobal(m_ls, m_lua_output_event.c_str());
-
-	if(lua_isfunction(m_ls, -1))
+	string sformat;
+	if(source == "syscall")
 	{
-		lua_pushlightuserdata(m_ls, ev);
-		lua_pushstring(m_ls, rule.c_str());
-		lua_pushstring(m_ls, source.c_str());
-		lua_pushstring(m_ls, falco_common::priority_names[priority].c_str());
-		lua_pushnumber(m_ls, priority);
-		lua_pushstring(m_ls, format.c_str());
-		lua_pushstring(m_ls, m_hostname.c_str());
-
-		if(lua_pcall(m_ls, 7, 0, 0) != 0)
+		if(m_time_format_iso_8601)
 		{
-			const char *lerr = lua_tostring(m_ls, -1);
-			string err = "Error invoking function output: " + string(lerr);
-			throw falco_exception(err);
+			sformat = "*%evt.time.iso8601: " + falco_common::priority_names[priority];
+		}
+		else
+		{
+			sformat = "*%evt.time: " + falco_common::priority_names[priority];
 		}
 	}
 	else
 	{
-		throw falco_exception("No function " + m_lua_output_event + " found in lua compiler module");
+		if(m_time_format_iso_8601)
+		{
+			sformat = "*%jevt.time.iso8601: " + falco_common::priority_names[priority];
+		}
+		else
+		{
+			sformat = "*%jevt.time: " + falco_common::priority_names[priority];
+		}
+	}
+
+	// if format starts with a *, remove it, as we added our own prefix
+	if(format[0] == '*')
+	{
+		sformat += " " + format.substr(1, format.length() - 1);
+	}
+	else
+	{
+		sformat += " " + format;
+	}
+
+	string msg;
+	msg = falco_formats::format_event(evt, rule, source, falco_common::priority_names[priority], sformat);
+
+	for(auto it = m_outputs.cbegin(); it != m_outputs.cend(); ++it)
+	{
+		(*it)->output_event(evt, rule, source, priority, sformat, msg);
 	}
 }

@@ -195,7 +196,7 @@ void falco_outputs::handle_msg(uint64_t now,
 		iso8601evttime += time_ns;

 		jmsg["output"] = msg;
-		jmsg["priority"] = "Critical";
+		jmsg["priority"] = falco_common::priority_names[priority];
 		jmsg["rule"] = rule;
 		jmsg["time"] = iso8601evttime;
 		jmsg["output_fields"] = output_fields;
@@ -208,7 +209,7 @@ void falco_outputs::handle_msg(uint64_t now,
 		bool first = true;

 		sinsp_utils::ts_to_string(now, &timestr, false, true);
-		full_msg = timestr + ": " + falco_common::priority_names[LOG_CRIT] + " " + msg + " (";
+		full_msg = timestr + ": " + falco_common::priority_names[priority] + " " + msg + " (";
 		for(auto &pair : output_fields)
 		{
 			if(first)
@@ -224,149 +225,16 @@ void falco_outputs::handle_msg(uint64_t now,
 		full_msg += ")";
 	}

-	std::lock_guard<std::mutex> guard(m_ls_semaphore);
-	lua_getglobal(m_ls, m_lua_output_msg.c_str());
-	if(lua_isfunction(m_ls, -1))
+	for(auto it = m_outputs.cbegin(); it != m_outputs.cend(); ++it)
 	{
-		lua_pushstring(m_ls, full_msg.c_str());
-		lua_pushstring(m_ls, falco_common::priority_names[priority].c_str());
-		lua_pushnumber(m_ls, priority);
-
-		if(lua_pcall(m_ls, 3, 0, 0) != 0)
-		{
-			const char *lerr = lua_tostring(m_ls, -1);
-			string err = "Error invoking function output: " + string(lerr);
-			throw falco_exception(err);
-		}
-	}
-	else
-	{
-		throw falco_exception("No function " + m_lua_output_msg + " found in lua compiler module");
+		(*it)->output_msg(priority, full_msg);
 	}
 }

 void falco_outputs::reopen_outputs()
 {
-	lua_getglobal(m_ls, m_lua_output_reopen.c_str());
-	if(!lua_isfunction(m_ls, -1))
+	for(auto it = m_outputs.cbegin(); it != m_outputs.cend(); ++it)
 	{
-		throw falco_exception("No function " + m_lua_output_reopen + " found. ");
-	}
-
-	if(lua_pcall(m_ls, 0, 0, 0) != 0)
-	{
-		const char *lerr = lua_tostring(m_ls, -1);
-		throw falco_exception(string(lerr));
+		(*it)->reopen();
 	}
 }
-
-int falco_outputs::handle_http(lua_State *ls)
-{
-	CURL *curl = NULL;
-	CURLcode res = CURLE_FAILED_INIT;
-	struct curl_slist *slist1;
-	slist1 = NULL;
-
-	if(!lua_isstring(ls, -1) ||
-	   !lua_isstring(ls, -2))
-	{
-		lua_pushstring(ls, "Invalid arguments passed to handle_http()");
-		lua_error(ls);
-	}
-
-	string url = (char *)lua_tostring(ls, 1);
-	string msg = (char *)lua_tostring(ls, 2);
-
-	curl = curl_easy_init();
-	if(curl)
-	{
-		slist1 = curl_slist_append(slist1, "Content-Type: application/json");
-		curl_easy_setopt(curl, CURLOPT_HTTPHEADER, slist1);
-		curl_easy_setopt(curl, CURLOPT_URL, url.c_str());
-		curl_easy_setopt(curl, CURLOPT_POSTFIELDS, msg.c_str());
-		curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, -1L);
-
-		res = curl_easy_perform(curl);
-
-		if(res != CURLE_OK)
-		{
-			falco_logger::log(LOG_ERR, "libcurl error: " + string(curl_easy_strerror(res)));
-		}
-		curl_easy_cleanup(curl);
-		curl = NULL;
-		curl_slist_free_all(slist1);
-		slist1 = NULL;
-	}
-	return 1;
-}
-
-int falco_outputs::handle_grpc(lua_State *ls)
-{
-	// check parameters
-	if(!lua_islightuserdata(ls, -8) ||
-	   !lua_isstring(ls, -7) ||
-	   !lua_isstring(ls, -6) ||
-	   !lua_isstring(ls, -5) ||
-	   !lua_isstring(ls, -4) ||
-	   !lua_istable(ls, -3) ||
-	   !lua_isstring(ls, -2) ||
-	   !lua_istable(ls, -1))
-	{
-		lua_pushstring(ls, "Invalid arguments passed to handle_grpc()");
-		lua_error(ls);
-	}
-
-	response grpc_res = response();
-
-	// time
-	gen_event *evt = (gen_event *)lua_topointer(ls, 1);
-	auto timestamp = grpc_res.mutable_time();
-	*timestamp = google::protobuf::util::TimeUtil::NanosecondsToTimestamp(evt->get_ts());
-
-	// rule
-	auto rule = grpc_res.mutable_rule();
-	*rule = (char *)lua_tostring(ls, 2);
-
-	// source
-	falco::schema::source s = falco::schema::source::SYSCALL;
-	string sstr = (char *)lua_tostring(ls, 3);
-	if(!falco::schema::source_Parse(sstr, &s))
-	{
-		lua_pushstring(ls, "Unknown source passed to to handle_grpc()");
-		lua_error(ls);
-	}
-	grpc_res.set_source(s);
-
-	// priority
-	falco::schema::priority p = falco::schema::priority::EMERGENCY;
-	string pstr = (char *)lua_tostring(ls, 4);
-	if(!falco::schema::priority_Parse(pstr, &p))
-	{
-		lua_pushstring(ls, "Unknown priority passed to to handle_grpc()");
-		lua_error(ls);
-	}
-	grpc_res.set_priority(p);
-
-	// output
-	auto output = grpc_res.mutable_output();
-	*output = (char *)lua_tostring(ls, 5);
-
-	// output fields
-	auto &fields = *grpc_res.mutable_output_fields();
-
-	lua_pushnil(ls); // so that lua_next removes it from stack and puts (k, v) on it
-	while(lua_next(ls, 6) != 0)
-	{
-		fields[lua_tostring(ls, -2)] = lua_tostring(ls, -1);
-		lua_pop(ls, 1); // remove value, keep key for lua_next
-	}
-	lua_pop(ls, 1); // pop table
-
-	// hostname
-	auto host = grpc_res.mutable_hostname();
-	*host = (char *)lua_tostring(ls, 7);
-
-	falco::output::queue::get().push(grpc_res);
-
-	return 1;
-}
--- a/userspace/falco/falco_outputs.h
+++ b/userspace/falco/falco_outputs.h
@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2020 The Falco Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -19,50 +19,36 @@ limitations under the License.
 #include <memory>
 #include <map>

-extern "C" {
-#include "lua.h"
-#include "lualib.h"
-#include "lauxlib.h"
-}
-
 #include "gen_filter.h"
 #include "json_evt.h"
 #include "falco_common.h"
 #include "token_bucket.h"
 #include "falco_engine.h"
+#include "outputs.h"

 //
 // This class acts as the primary interface between a program and the
 // falco output engine. The falco rules engine is implemented by a
 // separate class falco_engine.
 //
-
-class falco_outputs : public falco_common
+class falco_outputs
 {
 public:
-	falco_outputs(falco_engine *engine);
+	falco_outputs();
 	virtual ~falco_outputs();

-	// The way to refer to an output (file, syslog, stdout, etc.)
-	// An output has a name and set of options.
-	struct output_config
-	{
-		std::string name;
-		std::map<std::string, std::string> options;
-	};
-
 	void init(bool json_output,
 		  bool json_include_output_property,
 		  uint32_t rate, uint32_t max_burst, bool buffered,
 		  bool time_format_iso_8601, std::string hostname);

-	void add_output(output_config oc);
+	void add_output(falco::outputs::config oc);

 	//
-	// ev is an event that has matched some rule. Pass the event
+	// evt is an event that has matched some rule. Pass the event
 	// to all configured outputs.
 	//
-	void handle_event(gen_event *ev, std::string &rule, std::string &source,
+	void handle_event(gen_event *evt, std::string &rule, std::string &source,
 			  falco_common::priority_type priority, std::string &format);

 	// Send a generic message to all outputs. Not necessarily associated with any event.
@@ -70,19 +56,15 @@ public:
 			falco_common::priority_type priority,
 			std::string &msg,
 			std::string &rule,
-			std::map<std::string,std::string> &output_fields);
+			std::map<std::string, std::string> &output_fields);

 	void reopen_outputs();

-	static int handle_http(lua_State *ls);
-	static int handle_grpc(lua_State *ls);
-
 private:
-
-	falco_engine *m_falco_engine;
-
 	bool m_initialized;

+	std::vector<falco::outputs::abstract_output *> m_outputs;
+
 	// Rate limits notifications
 	token_bucket m_notifications_tb;

@@ -90,11 +72,4 @@ private:
 	bool m_json_output;
 	bool m_time_format_iso_8601;
 	std::string m_hostname;
-
-	std::string m_lua_add_output = "add_output";
-	std::string m_lua_output_event = "output_event";
-	std::string m_lua_output_msg = "output_msg";
-	std::string m_lua_output_cleanup = "output_cleanup";
-	std::string m_lua_output_reopen = "output_reopen";
-	std::string m_lua_main_filename = "output.lua";
 };
--- a/userspace/falco/grpc_context.h
+++ b/userspace/falco/grpc_context.h
@@ -36,7 +36,7 @@ class context
 {
 public:
 	context(::grpc::ServerContext* ctx);
-	~context() = default;
+	virtual ~context() = default;

 	void get_metadata(std::string key, std::string& val);

@@ -50,7 +50,7 @@ class stream_context : public context
 public:
 	stream_context(::grpc::ServerContext* ctx):
 		context(ctx){};
-	~stream_context() = default;
+	virtual ~stream_context() = default;

 	enum : char
 	{
@@ -61,6 +61,15 @@ public:

 	mutable void* m_stream = nullptr; // todo(fntlnz, leodido) > useful in the future
 	mutable bool m_has_more = false;
+	mutable bool m_is_running = true;
+};
+
+class bidi_context : public stream_context
+{
+public:
+	bidi_context(::grpc::ServerContext* ctx):
+		stream_context(ctx){};
+	virtual ~bidi_context() = default;
 };

 } // namespace grpc
--- a/userspace/falco/falco_output_queue.h
+++ b/userspace/falco/falco_output_queue.h
@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors
+Copyright (C) 2020 The Falco Authors

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -16,14 +16,14 @@ limitations under the License.

 #pragma once

-#include "output.pb.h"
+#include "outputs.pb.h"
 #include "tbb/concurrent_queue.h"

 namespace falco
 {
-namespace output
+namespace grpc
 {
-typedef tbb::concurrent_queue<response> response_cq;
+typedef tbb::concurrent_queue<outputs::response> response_cq;

 class queue
 {
@@ -34,12 +34,12 @@ public:
 		return instance;
 	}

-	bool try_pop(response& res)
+	bool try_pop(outputs::response& res)
 	{
 		return m_queue.try_pop(res);
 	}

-	void push(response& res)
+	void push(outputs::response& res)
 	{
 		m_queue.push(res);
 	}
@@ -56,5 +56,5 @@ public:
 	queue(queue const&) = delete;
 	void operator=(queue const&) = delete;
 };
-} // namespace output
+} // namespace grpc
 } // namespace falco
--- a/userspace/falco/grpc_request_context.cpp
+++ b/userspace/falco/grpc_request_context.cpp
@@ -24,12 +24,12 @@ namespace grpc
 {

 template<>
-void request_stream_context<falco::output::service, falco::output::request, falco::output::response>::start(server* srv)
+void request_stream_context<outputs::service, outputs::request, outputs::response>::start(server* srv)
 {
 	m_state = request_context_base::REQUEST;
 	m_srv_ctx.reset(new ::grpc::ServerContext);
 	auto srvctx = m_srv_ctx.get();
-	m_res_writer.reset(new ::grpc::ServerAsyncWriter<output::response>(srvctx));
+	m_res_writer.reset(new ::grpc::ServerAsyncWriter<outputs::response>(srvctx));
 	m_stream_ctx.reset();
 	m_req.Clear();
 	auto cq = srv->m_completion_queue.get();
@@ -38,7 +38,7 @@ void request_stream_context<falco::output::service, falco::output::request, falc
 }

 template<>
-void request_stream_context<falco::output::service, falco::output::request, falco::output::response>::process(server* srv)
+void request_stream_context<outputs::service, outputs::request, outputs::response>::process(server* srv)
 {
 	// When it is the 1st process call
 	if(m_state == request_context_base::REQUEST)
@@ -48,40 +48,46 @@ void request_stream_context<falco::output::service, falco::output::request, falc
 	}

 	// Processing
-	output::response res;
-	(srv->*m_process_func)(*m_stream_ctx, m_req, res); // subscribe()
+	outputs::response res;
+	(srv->*m_process_func)(*m_stream_ctx, m_req, res); // get()
+
+	if(!m_stream_ctx->m_is_running)
+	{
+		m_state = request_context_base::FINISH;
+		m_res_writer->Finish(::grpc::Status::OK, this);
+		return;
+	}

 	// When there are still more responses to stream
 	if(m_stream_ctx->m_has_more)
 	{
 		// todo(leodido) > log "write: tag=this, state=m_state"
 		m_res_writer->Write(res, this);
+		return;
 	}
+
 	// No more responses to stream
-	else
-	{
-		// Communicate to the gRPC runtime that we have finished.
-		// The memory address of "this" instance uniquely identifies the event.
-		m_state = request_context_base::FINISH;
-		// todo(leodido) > log "finish: tag=this, state=m_state"
-		m_res_writer->Finish(::grpc::Status::OK, this);
-	}
+	// Communicate to the gRPC runtime that we have finished.
+	// The memory address of "this" instance uniquely identifies the event.
+	m_state = request_context_base::FINISH;
+	// todo(leodido) > log "finish: tag=this, state=m_state"
+	m_res_writer->Finish(::grpc::Status::OK, this);
 }

 template<>
-void request_stream_context<falco::output::service, falco::output::request, falco::output::response>::end(server* srv, bool errored)
+void request_stream_context<outputs::service, outputs::request, outputs::response>::end(server* srv, bool error)
 {
 	if(m_stream_ctx)
 	{
-		if(errored)
+		if(error)
 		{
 			// todo(leodido) > log error "error streaming: tag=this, state=m_state, stream=m_stream_ctx->m_stream"
 		}
-		m_stream_ctx->m_status = errored ? stream_context::ERROR : stream_context::SUCCESS;
+		m_stream_ctx->m_status = error ? stream_context::ERROR : stream_context::SUCCESS;

 		// Complete the processing
-		output::response res;
-		(srv->*m_process_func)(*m_stream_ctx, m_req, res); // subscribe()
+		outputs::response res;
+		(srv->*m_process_func)(*m_stream_ctx, m_req, res); // get()
 	}
 	else
 	{
@@ -98,7 +104,7 @@ void request_stream_context<falco::output::service, falco::output::request, falc
 }

 template<>
-void falco::grpc::request_context<falco::version::service, falco::version::request, falco::version::response>::start(server* srv)
+void request_context<version::service, version::request, version::response>::start(server* srv)
 {
 	m_state = request_context_base::REQUEST;
 	m_srv_ctx.reset(new ::grpc::ServerContext);
@@ -113,7 +119,7 @@ void falco::grpc::request_context<falco::version::service, falco::version::reque
 }

 template<>
-void falco::grpc::request_context<falco::version::service, falco::version::request, falco::version::response>::process(server* srv)
+void request_context<version::service, version::request, version::response>::process(server* srv)
 {
 	version::response res;
 	(srv->*m_process_func)(m_srv_ctx.get(), m_req, res);
@@ -125,13 +131,85 @@ void falco::grpc::request_context<falco::version::service, falco::version::reque
 }

 template<>
-void falco::grpc::request_context<falco::version::service, falco::version::request, falco::version::response>::end(server* srv, bool errored)
+void request_context<version::service, version::request, version::response>::end(server* srv, bool error)
 {
 	// todo(leodido) > handle processing errors here
-	
+
 	// Ask to start processing requests
 	start(srv);
 }

+template<>
+void request_bidi_context<outputs::service, outputs::request, outputs::response>::start(server* srv)
+{
+	m_state = request_context_base::REQUEST;
+	m_srv_ctx.reset(new ::grpc::ServerContext);
+	auto srvctx = m_srv_ctx.get();
+	m_reader_writer.reset(new ::grpc::ServerAsyncReaderWriter<outputs::response, outputs::request>(srvctx));
+	m_req.Clear();
+	auto cq = srv->m_completion_queue.get();
+	// Request to start processing given requests.
+	// Using "this" - ie., the memory address of this context - as the tag that uniquely identifies the request.
+	// In this way, different contexts can serve different requests concurrently.
+	(srv->m_output_svc.*m_request_func)(srvctx, m_reader_writer.get(), cq, cq, this);
+};
+
+template<>
+void request_bidi_context<outputs::service, outputs::request, outputs::response>::process(server* srv)
+{
+	switch(m_state)
+	{
+	case request_context_base::REQUEST:
+		m_bidi_ctx.reset(new bidi_context(m_srv_ctx.get()));
+		m_bidi_ctx->m_status = bidi_context::STREAMING;
+		m_state = request_context_base::WRITE;
+		m_reader_writer->Read(&m_req, this);
+		return;
+	case request_context_base::WRITE:
+		// Processing
+		{
+			outputs::response res;
+			(srv->*m_process_func)(*m_bidi_ctx, m_req, res); // sub()
+
+			if(!m_bidi_ctx->m_is_running)
+			{
+				m_state = request_context_base::FINISH;
+				m_reader_writer->Finish(::grpc::Status::OK, this);
+				return;
+			}
+
+			if(m_bidi_ctx->m_has_more)
+			{
+				m_state = request_context_base::WRITE;
+				m_reader_writer->Write(res, this);
+				return;
+			}
+
+			m_state = request_context_base::WRITE;
+			m_reader_writer->Read(&m_req, this);
+		}
+
+		return;
+	default:
+		return;
+	}
+};
+
+template<>
+void request_bidi_context<outputs::service, outputs::request, outputs::response>::end(server* srv, bool error)
+{
+	if(m_bidi_ctx)
+	{
+		m_bidi_ctx->m_status = error ? bidi_context::ERROR : bidi_context::SUCCESS;
+
+		// Complete the processing
+		outputs::response res;
+		(srv->*m_process_func)(*m_bidi_ctx, m_req, res); // sub()
+	}
+
+	// Ask to start processing requests
+	start(srv);
+};
+
 } // namespace grpc
-} // namespace falco
+} // namespace falco
--- a/userspace/falco/grpc_request_context.h
+++ b/userspace/falco/grpc_request_context.h
@@ -29,7 +29,8 @@ class request_context_base
 {
 public:
 	request_context_base() = default;
-	~request_context_base() = default;
+	// virtual to guarantee that the derived classes are destructed properly
+	virtual ~request_context_base() = default;

 	std::unique_ptr<::grpc::ServerContext> m_srv_ctx;
 	enum : char
@@ -39,6 +40,7 @@ public:
 		WRITE,
 		FINISH
 	} m_state = UNKNOWN;
+
 	virtual void start(server* srv) = 0;
 	virtual void process(server* srv) = 0;
 	virtual void end(server* srv, bool isError) = 0;
@@ -63,7 +65,7 @@ public:

 	void start(server* srv);
 	void process(server* srv);
-	void end(server* srv, bool isError);
+	void end(server* srv, bool error);

 private:
 	std::unique_ptr<::grpc::ServerAsyncWriter<Response>> m_res_writer;
@@ -90,11 +92,37 @@ public:

 	void start(server* srv);
 	void process(server* srv);
-	void end(server* srv, bool isError);
+	void end(server* srv, bool error);

 private:
 	std::unique_ptr<::grpc::ServerAsyncResponseWriter<Response>> m_res_writer;
 	Request m_req;
 };
+
+template<class Service, class Request, class Response>
+class request_bidi_context : public request_context_base
+{
+public:
+	request_bidi_context():
+		m_process_func(nullptr),
+		m_request_func(nullptr){};
+	~request_bidi_context() = default;
+
+	// Pointer to function that does actual processing
+	void (server::*m_process_func)(const bidi_context&, const Request&, Response&);
+
+	// Pointer to function that requests the system to start processing given requests
+	void (Service::AsyncService::*m_request_func)(::grpc::ServerContext*, ::grpc::ServerAsyncReaderWriter<Response, Request>*, ::grpc::CompletionQueue*, ::grpc::ServerCompletionQueue*, void*);
+
+	void start(server* srv);
+	void process(server* srv);
+	void end(server* srv, bool error);
+
+private:
+	std::unique_ptr<::grpc::ServerAsyncReaderWriter<Response, Request>> m_reader_writer;
+	std::unique_ptr<bidi_context> m_bidi_ctx;
+	Request m_req;
+};
+
 } // namespace grpc
-} // namespace falco
+} // namespace falco
--- a/userspace/falco/grpc_server.cpp
+++ b/userspace/falco/grpc_server.cpp
@@ -23,7 +23,7 @@ limitations under the License.
 #include "logger.h"
 #include "grpc_server.h"
 #include "grpc_request_context.h"
-#include "utils.h"
+#include "falco_utils.h"
 #include "banned.h" // This raises a compilation error when certain functions are used

 #define REGISTER_STREAM(req, res, svc, rpc, impl, num)                          \
@@ -44,6 +44,37 @@ limitations under the License.
 		c.start(this);                                           \
 	}

+#define REGISTER_BIDI(req, res, svc, rpc, impl, num)                          \
+	std::vector<request_bidi_context<svc, req, res>> rpc##_contexts(num); \
+	for(request_bidi_context<svc, req, res> & c : rpc##_contexts)         \
+	{                                                                     \
+		c.m_process_func = &server::impl;                             \
+		c.m_request_func = &svc::AsyncService::Request##rpc;          \
+		c.start(this);                                                \
+	}
+
+static void gpr_log_dispatcher_func(gpr_log_func_args* args)
+{
+	int priority;
+	switch(args->severity)
+	{
+	case GPR_LOG_SEVERITY_ERROR:
+		priority = LOG_ERR;
+		break;
+	case GPR_LOG_SEVERITY_DEBUG:
+		priority = LOG_DEBUG;
+		break;
+	default:
+		priority = LOG_INFO;
+		break;
+	}
+
+	string copy = "grpc: ";
+	copy.append(args->message);
+	copy.push_back('\n');
+	falco_logger::log(priority, copy);
+}
+
 void falco::grpc::server::thread_process(int thread_index)
 {
 	void* tag = nullptr;
@@ -96,38 +127,81 @@ void falco::grpc::server::thread_process(int thread_index)
 	}
 }

-void falco::grpc::server::init(std::string server_addr, int threadiness, std::string private_key, std::string cert_chain, std::string root_certs)
+void falco::grpc::server::init(
+	std::string server_addr,
+	int threadiness,
+	std::string private_key,
+	std::string cert_chain,
+	std::string root_certs,
+	std::string log_level)
 {
 	m_server_addr = server_addr;
 	m_threadiness = threadiness;
 	m_private_key = private_key;
 	m_cert_chain = cert_chain;
 	m_root_certs = root_certs;
+
+	// Set the verbosity level of gpr logger
+	falco::schema::priority logging_level = falco::schema::INFORMATIONAL;
+	falco::schema::priority_Parse(log_level, &logging_level);
+	switch(logging_level)
+	{
+	case falco::schema::ERROR:
+		gpr_set_log_verbosity(GPR_LOG_SEVERITY_ERROR);
+		break;
+	case falco::schema::DEBUG:
+		gpr_set_log_verbosity(GPR_LOG_SEVERITY_DEBUG);
+		break;
+	case falco::schema::INFORMATIONAL:
+	default:
+		// note > info will always enter here since it is != from "informational"
+		gpr_set_log_verbosity(GPR_LOG_SEVERITY_INFO);
+		break;
+	}
+	gpr_log_verbosity_init();
+	gpr_set_log_function(gpr_log_dispatcher_func);
+
+	if(falco::utils::network::is_unix_scheme(m_server_addr))
+	{
+		init_unix_server_builder();
+		return;
+	}
+	init_mtls_server_builder();
 }

-void falco::grpc::server::run()
+void falco::grpc::server::init_mtls_server_builder()
 {
 	string private_key;
 	string cert_chain;
 	string root_certs;
-
-	falco::utils::read(m_cert_chain, cert_chain);
-	falco::utils::read(m_private_key, private_key);
-	falco::utils::read(m_root_certs, root_certs);
-
+	falco::utils::readfile(m_cert_chain, cert_chain);
+	falco::utils::readfile(m_private_key, private_key);
+	falco::utils::readfile(m_root_certs, root_certs);
 	::grpc::SslServerCredentialsOptions::PemKeyCertPair cert_pair{private_key, cert_chain};
-
 	::grpc::SslServerCredentialsOptions ssl_opts(GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
 	ssl_opts.pem_root_certs = root_certs;
 	ssl_opts.pem_key_cert_pairs.push_back(cert_pair);

-	::grpc::ServerBuilder builder;
-	builder.AddListeningPort(m_server_addr, ::grpc::SslServerCredentials(ssl_opts));
-	builder.RegisterService(&m_output_svc);
-	builder.RegisterService(&m_version_svc);
+	m_server_builder.AddListeningPort(m_server_addr, ::grpc::SslServerCredentials(ssl_opts));
+}

-	m_completion_queue = builder.AddCompletionQueue();
-	m_server = builder.BuildAndStart();
+void falco::grpc::server::init_unix_server_builder()
+{
+	m_server_builder.AddListeningPort(m_server_addr, ::grpc::InsecureServerCredentials());
+}
+
+void falco::grpc::server::run()
+{
+	m_server_builder.RegisterService(&m_output_svc);
+	m_server_builder.RegisterService(&m_version_svc);
+
+	m_completion_queue = m_server_builder.AddCompletionQueue();
+	m_server = m_server_builder.BuildAndStart();
+	if(m_server == nullptr)
+	{
+		falco_logger::log(LOG_EMERG, "Error starting gRPC server\n");
+		return;
+	}
 	falco_logger::log(LOG_INFO, "Starting gRPC server at " + m_server_addr + "\n");

 	// The number of contexts is multiple of the number of threads
@@ -137,7 +211,8 @@ void falco::grpc::server::run()
 	// todo(leodido) > take a look at thread_stress_test.cc into grpc repository

 	REGISTER_UNARY(version::request, version::response, version::service, version, version, context_num)
-	REGISTER_STREAM(output::request, output::response, output::service, subscribe, subscribe, context_num)
+	REGISTER_STREAM(outputs::request, outputs::response, outputs::service, get, get, context_num)
+	REGISTER_BIDI(outputs::request, outputs::response, outputs::service, sub, sub, context_num)

 	m_threads.resize(m_threadiness);
 	int thread_idx = 0;
@@ -149,7 +224,7 @@ void falco::grpc::server::run()

 	while(server_impl::is_running())
 	{
-		sleep(1);
+		std::this_thread::sleep_for(std::chrono::milliseconds(100));
 	}
 	// todo(leodido) > log "stopping gRPC server"
 	stop();
--- a/userspace/falco/grpc_server.h
+++ b/userspace/falco/grpc_server.h
@@ -29,25 +29,22 @@ namespace grpc
 class server : public server_impl
 {
 public:
-	server()
-	{
-	}
-	server(std::string server_addr, int threadiness, std::string private_key, std::string cert_chain, std::string root_certs):
-		m_server_addr(server_addr),
-		m_threadiness(threadiness),
-		m_private_key(private_key),
-		m_cert_chain(cert_chain),
-		m_root_certs(root_certs)
-	{
-	}
+	server() = default;
 	virtual ~server() = default;

-	void init(std::string server_addr, int threadiness, std::string private_key, std::string cert_chain, std::string root_certs);
+	void init(
+		std::string server_addr,
+		int threadiness,
+		std::string private_key,
+		std::string cert_chain,
+		std::string root_certs,
+		std::string log_level
+	);
 	void thread_process(int thread_index);
 	void run();
 	void stop();

-	output::service::AsyncService m_output_svc;
+	outputs::service::AsyncService m_output_svc;
 	version::service::AsyncService m_version_svc;

 	std::unique_ptr<::grpc::ServerCompletionQueue> m_completion_queue;
@@ -61,7 +58,10 @@ private:

 	std::unique_ptr<::grpc::Server> m_server;
 	std::vector<std::thread> m_threads;
+	::grpc::ServerBuilder m_server_builder;
+	void init_mtls_server_builder();
+	void init_unix_server_builder();
 };

 } // namespace grpc
-} // namespace falco
+} // namespace falco
--- a/userspace/falco/grpc_server_impl.cpp
+++ b/userspace/falco/grpc_server_impl.cpp
@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors
+Copyright (C) 2020 The Falco Authors

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -16,7 +16,8 @@ limitations under the License.

 #include "config_falco.h"
 #include "grpc_server_impl.h"
-#include "falco_output_queue.h"
+#include "grpc_queue.h"
+#include "logger.h"
 #include "banned.h" // This raises a compilation error when certain functions are used

 bool falco::grpc::server_impl::is_running()
@@ -28,29 +29,39 @@ bool falco::grpc::server_impl::is_running()
 	return true;
 }

-void falco::grpc::server_impl::subscribe(const stream_context& ctx, const output::request& req, output::response& res)
+void falco::grpc::server_impl::get(const stream_context& ctx, const outputs::request& req, outputs::response& res)
 {
 	if(ctx.m_status == stream_context::SUCCESS || ctx.m_status == stream_context::ERROR)
 	{
 		// todo(leodido) > log "status=ctx->m_status, stream=ctx->m_stream"
 		ctx.m_stream = nullptr;
+		return;
 	}
-	else
-	{
-		// Start or continue streaming
-		// todo(leodido) > check for m_status == stream_context::STREAMING?
-		// todo(leodido) > set m_stream
-		if(output::queue::get().try_pop(res) && !req.keepalive())
-		{
-			ctx.m_has_more = true;
-			return;
-		}
-		while(is_running() && !output::queue::get().try_pop(res) && req.keepalive())
-		{
-		}

-		ctx.m_has_more = !is_running() ? false : req.keepalive();
+	ctx.m_is_running = is_running();
+
+	// Start or continue streaming
+	// m_status == stream_context::STREAMING?
+	// todo(leodido) > set m_stream
+
+	ctx.m_has_more = queue::get().try_pop(res);
+}
+
+void falco::grpc::server_impl::sub(const bidi_context& ctx, const outputs::request& req, outputs::response& res)
+{
+	if(ctx.m_status == stream_context::SUCCESS || ctx.m_status == stream_context::ERROR)
+	{
+		ctx.m_stream = nullptr;
+		return;
 	}
+
+	ctx.m_is_running = is_running();
+
+	// Start or continue streaming
+	// m_status == stream_context::STREAMING?
+	// todo(leodido) > set m_stream
+
+	ctx.m_has_more = queue::get().try_pop(res);
 }

 void falco::grpc::server_impl::version(const context& ctx, const version::request&, version::response& res)
--- a/userspace/falco/grpc_server_impl.h
+++ b/userspace/falco/grpc_server_impl.h
@@ -17,7 +17,7 @@ limitations under the License.
 #pragma once

 #include <atomic>
-#include "output.grpc.pb.h"
+#include "outputs.grpc.pb.h"
 #include "version.grpc.pb.h"
 #include "grpc_context.h"

@@ -36,8 +36,11 @@ public:
 protected:
 	bool is_running();

-	void subscribe(const stream_context& ctx, const output::request& req, output::response& res);
+	// Outputs
+	void get(const stream_context& ctx, const outputs::request& req, outputs::response& res);
+	void sub(const bidi_context& ctx, const outputs::request& req, outputs::response& res);

+	// Version
 	void version(const context& ctx, const version::request& req, version::response& res);

 private:
--- a/userspace/falco/logger.cpp
+++ b/userspace/falco/logger.cpp
@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2020 The Falco Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -16,25 +16,13 @@ limitations under the License.

 #include <ctime>
 #include "logger.h"
-#include "chisel_api.h"

 #include "falco_common.h"
 #include "banned.h" // This raises a compilation error when certain functions are used

-const static struct luaL_reg ll_falco [] =
-{
-	{"syslog", &falco_logger::syslog},
-	{NULL,NULL}
-};
-
 int falco_logger::level = LOG_INFO;
 bool falco_logger::time_format_iso_8601 = false;

-void falco_logger::init(lua_State *ls)
-{
-	luaL_openlib(ls, "falco", ll_falco, 0);
-}
-
 void falco_logger::set_time_format_iso_8601(bool val)
 {
 	falco_logger::time_format_iso_8601 = val;
@@ -81,19 +69,6 @@ void falco_logger::set_level(string &level)
 }


-int falco_logger::syslog(lua_State *ls) {
-	int priority = luaL_checknumber(ls, 1);
-
-	if (priority > LOG_DEBUG) {
-		return luaL_argerror(ls, 1, "falco.syslog: priority must be a number between 0 and 7");
-	}
-
-	const char *msg = luaL_checkstring(ls, 2);
-	::syslog(priority, "%s", msg);
-
-	return 0;
-}
-
 bool falco_logger::log_stderr = true;
 bool falco_logger::log_syslog = true;

@@ -134,7 +109,7 @@ void falco_logger::log(int priority, const string msg)
 			if(gtm != NULL &&
 			   (strftime(buf, sizeof(buf), "%FT%T%z", gtm) != 0))
 			{
-				fprintf(stderr, "%s: %s", buf, msg.c_str());
+				fprintf(stderr, "%s: %s", buf, copy.c_str());
 			}
 		}
 		else
@@ -151,7 +126,7 @@ void falco_logger::log(int priority, const string msg)
 			{
 				tstr = "N/A";
 			}
-			fprintf(stderr, "%s: %s", tstr.c_str(), msg.c_str());
+			fprintf(stderr, "%s: %s", tstr.c_str(), copy.c_str());
 		}
 	}
 }
--- a/userspace/falco/logger.h
+++ b/userspace/falco/logger.h
@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2020 The Falco Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -19,25 +19,15 @@ limitations under the License.
 #include "sinsp.h"
 #include <syslog.h>

-extern "C" {
-#include "lua.h"
-#include "lualib.h"
-#include "lauxlib.h"
-}
-
 class falco_logger
 {
 public:
-	static void init(lua_State *ls);

 	static void set_time_format_iso_8601(bool val);

 	// Will throw exception if level is unknown.
 	static void set_level(string &level);

-	// value = falco.syslog(level, message)
-	static int syslog(lua_State *ls);
-
 	static void log(int priority, const string msg);

 	static int level;
--- a/Show More
+++ b/Show More