Test for rule/macro having unknown source

The rules file has a rule/macro with an unknown source as well as a rule
that matches a trace file, and verifies that the rule/macro with the
unknown source doesn't interfere with rule loading/event matching.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

.circleci/OWNERS

@@ -0,0 +1,4 @@
+approvers:
+  - jonahjon
+reviewers:
+  - jonahjon

.circleci/config.yml

@@ -282,6 +282,8 @@ jobs:
       - run:
           name: Execute integration tests
           command: /usr/bin/entrypoint test
+      - store_test_results:
+          path: /build/release/integration-tests-xunit
   "tests/integration-static":
     docker:
       - image: falcosecurity/falco-tester:latest
@@ -297,6 +299,8 @@ jobs:
       - run:
           name: Execute integration tests
           command: /usr/bin/entrypoint test
+      - store_test_results:
+          path: /build-static/release/integration-tests-xunit
   "tests/driver-loader/integration":
     machine:
       image: ubuntu-1604:202004-01
@@ -306,6 +310,33 @@ jobs:
       - run:
           name: Execute driver-loader integration tests
           command: /tmp/ws/source/falco/test/driver-loader/run_test.sh /tmp/ws/build/release/
+  # Code quality
+  "quality/static-analysis":
+    docker:
+      - image: falcosecurity/falco-builder:latest
+        environment:
+          BUILD_TYPE: "release"
+    steps:
+      - run:
+          name: Install cppcheck
+          command: |
+            yum update -y
+            yum install epel-release -y
+            yum install cppcheck cppcheck-htmlreport -y
+      - checkout:
+          path: /source/falco
+      - run:
+          name: Prepare project
+          command: /usr/bin/entrypoint cmake
+      - run:
+          name: cppcheck
+          command: /usr/bin/entrypoint cppcheck
+      - run:
+          name: cppcheck html report
+          command: /usr/bin/entrypoint cppcheck_htmlreport
+      - store_artifacts:
+          path: /build/release/static-analysis-reports
+          destination: /static-analysis-reports
   # Sign rpm packages
   "rpm/sign":
     docker:
@@ -421,6 +452,25 @@ jobs:
             docker build --build-arg FALCO_IMAGE_TAG=master -t falcosecurity/falco-driver-loader:master docker/driver-loader
             echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
             docker push falcosecurity/falco-driver-loader:master
+  # Publish container images to AWS ECR Public
+  "publish/container-images-aws-dev":
+    docker:
+      - image: docker:stable
+    steps:
+      - attach_workspace:
+          at: /
+      - checkout
+      - setup_remote_docker
+      - run:
+          name: Build and publish falco to AWS
+          command: |
+            apk update
+            apk add --update groff less py-pip
+            pip install awscli
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            docker build --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t "public.ecr.aws/falcosecurity/falco:master" docker/falco
+            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
+            docker push "public.ecr.aws/falcosecurity/falco:master"
   # Publish the packages
   "publish/packages":
     docker:
@@ -487,6 +537,26 @@ jobs:
             echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
             docker push "falcosecurity/falco-driver-loader:${CIRCLE_TAG}"
             docker push "falcosecurity/falco-driver-loader:latest"
+  # Publish container images to AWS ECR Public
+  "publish/container-images-aws":
+    docker:
+      - image: docker:stable
+    steps:
+      - attach_workspace:
+          at: /
+      - checkout
+      - setup_remote_docker
+      - run:
+          name: Build and publish falco to AWS
+          command: |
+            apk update
+            apk add --update groff less py-pip
+            pip install awscli
+            docker build --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}" docker/falco
+            docker tag "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}" public.ecr.aws/falcosecurity/falco:latest
+            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
+            docker push "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}"
+            docker push "public.ecr.aws/falcosecurity/falco:latest"
 workflows:
   version: 2
   build_and_test:
@@ -546,6 +616,16 @@ workflows:
           requires:
             - "publish/packages-dev"
             - "tests/driver-loader/integration"
+      - "publish/container-images-aws-dev":
+          context: test-infra # contains Falco AWS credentials
+          filters:
+            tags:
+              ignore: /.*/
+            branches:
+              only: master
+          requires:
+            - publish/docker-dev
+      # - "quality/static-analysis" # This is temporarly disabled: https://github.com/falcosecurity/falco/issues/1526
   release:
     jobs:
       - "build/musl":
@@ -588,3 +668,12 @@ workflows:
               only: /.*/
             branches:
               ignore: /.*/
+      - "publish/container-images-aws":
+          context: test-infra # contains Falco AWS credentials
+          requires:
+            - "publish/docker"
+          filters:
+            tags:
+              only: /.*/
+            branches:
+              ignore: /.*/

.github/stale.yml

@@ -1,20 +0,0 @@
-# Number of days of inactivity before an issue becomes stale
-daysUntilStale: 60
-# Number of days of inactivity before a stale issue is closed
-daysUntilClose: 7
-# Issues with these labels will never be considered stale
-exemptLabels:
-  - cncf
-  - roadmap
-  - "help wanted"
-# Label to use when marking an issue as stale
-staleLabel: wontfix
-# Comment to post when marking an issue as stale. Set to `false` to disable
-markComment: >
-  This issue has been automatically marked as stale because it has not had
-  recent activity. It will be closed if no further activity occurs. Thank you
-  for your contributions.
-  Issues labeled "cncf", "roadmap" and "help wanted" will not be automatically closed.
-  Please refer to a maintainer to get such label added if you think this should be kept open.
-# Comment to post when closing a stale issue. Set to `false` to disable
-closeComment: false

.gitignore

@@ -2,7 +2,6 @@
 *~
 *.pyc
 
-test/falco_tests.yaml
 test/traces-negative
 test/traces-positive
 test/traces-info
@@ -11,8 +10,6 @@ test/.phoronix-test-suite
 test/results*.json.*
 test/build
 
-userspace/falco/lua/re.lua
-userspace/falco/lua/lpeg.so
 userspace/engine/lua/lyaml
 userspace/engine/lua/lyaml.lua
 

.luacheckrc

@@ -1,7 +1,6 @@
 std = "min"
 cache = true
 include_files = {
-    "userspace/falco/lua/*.lua",
     "userspace/engine/lua/*.lua",
     "userspace/engine/lua/lyaml/*.lua",
     "*.luacheckrc"

ADOPTERS.md

@@ -10,7 +10,7 @@ This is a list of production adopters of Falco (in alphabetical order):
 
 * [GitLab](https://about.gitlab.com/direction/defend/container_host_security/) - GitLab is a complete DevOps platform, delivered as a single application, fundamentally changing the way Development, Security, and Ops teams collaborate. GitLab Ultimate provides the single tool teams need to find, triage, and fix vulnerabilities in applications, services, and cloud-native environments enabling them to manage their risk. This provides them with repeatable, defensible processes that automate security and compliance policies. GitLab includes a tight integration with Falco, allowing users to defend their containerized applications from attacks while running in production.
 
-* [League](https://league.com/ca/) - League provides health benefits management services to help employees understand and get the most from their benefits, and employers to provide effective, efficient plans. Falco is used to monitor our deployed services on Kubernetes, protecting against malicious access to containerswhich could lead to leaks of PHI or other sensitive data. The Falco alerts are logged in Stackdriver for grouping and further analysis. In the future, we're hoping for integrations with Prometheus and AlertManager as well.
+* [League](https://league.com/ca/) - League provides health benefits management services to help employees understand and get the most from their benefits, and employers to provide effective, efficient plans. Falco is used to monitor our deployed services on Kubernetes, protecting against malicious access to containers which could lead to leaks of PHI or other sensitive data. The Falco alerts are logged in Stackdriver for grouping and further analysis. In the future, we're hoping for integrations with Prometheus and AlertManager as well.
 
 * [Logz.io](https://logz.io/) - Logz.io is a cloud observability platform for modern engineering teams. The Logz.io platform consists of three products — Log Management, Infrastructure Monitoring, and Cloud SIEM — that work together to unify the jobs of monitoring, troubleshooting, and security. We empower engineers to deliver better software by offering the world's most popular open source observability tools — the ELK Stack, Grafana, and Jaeger — in a single, easy to use, and powerful platform purpose-built for monitoring distributed cloud environments. Cloud SIEM supports data from multiple sources, including Falco's alerts, and offers useful rules and dashboards content to visualize and manage incidents across your systems in a unified UI.
   * https://logz.io/blog/k8s-security-with-falco-and-cloud-siem/
@@ -26,5 +26,6 @@ This is a list of production adopters of Falco (in alphabetical order):
 
 * [Sumo Logic](https://www.sumologic.com/) - Sumo Logic provides a SaaS based log aggregation service that provides dashboards and applications to easily identify and analyze problems in your application and infrastructure. Sumo Logic provides native integrations for many CNCF projects, such as Falco, that allows end users to easily collect Falco events and analyze Falco events on DecSecOps focused dashboards.
 
-*  [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call probe. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-define infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.
+* [Swissblock Technologies](https://swissblock.net/) At Swissblock we connect the dots by combining cutting-edge algorithmic trading strategies with in-depth market analysis. We route all Falco events to our control systems, both monitoring and logging. Being able to deeply analyse alerts, we can understand what is running on our Kubernetes clusters and check against security policies, specifically defined for each workload. A set of alarms notifies us in case of critical events, letting us react fast. In the near future we plan to build a little application to route Kubernetes internal events directly to Falco, fully leveraging Falco PodSecurityPolicies analyses.
 
+* [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call probe. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended Falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-defined infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.

CHANGELOG.md

@@ -1,41 +1,125 @@
 # Change Log
 
+## v0.27.0
+
+Released on 2021-01-18
+
+### Major Changes
+
+* new: Added falco engine version to grpc version service [[#1507](https://github.com/falcosecurity/falco/pull/1507)] - [@nibalizer](https://github.com/nibalizer)
+* BREAKING CHANGE: Users who run Falco without a config file will be unable to do that any more, Falco now expects a configuration file to be passed all the times. Developers may need to adjust their processes. [[#1494](https://github.com/falcosecurity/falco/pull/1494)] - [@nibalizer](https://github.com/nibalizer)
+* new: asynchronous outputs implementation, outputs channels will not block event processing anymore [[#1451](https://github.com/falcosecurity/falco/pull/1451)] - [@leogr](https://github.com/leogr)
+* new: slow outputs detection [[#1451](https://github.com/falcosecurity/falco/pull/1451)] - [@leogr](https://github.com/leogr)
+* new: `output_timeout` config option for slow outputs detection [[#1451](https://github.com/falcosecurity/falco/pull/1451)] - [@leogr](https://github.com/leogr)
+
+
+### Minor Changes
+
+* build: bump b64 to v2.0.0.1 [[#1441](https://github.com/falcosecurity/falco/pull/1441)] - [@fntlnz](https://github.com/fntlnz)
+* rules(macro container_started): re-use `spawned_process` macro inside `container_started` macro [[#1449](https://github.com/falcosecurity/falco/pull/1449)] - [@leodido](https://github.com/leodido)
+* docs: reach out documentation [[#1472](https://github.com/falcosecurity/falco/pull/1472)] - [@fntlnz](https://github.com/fntlnz)
+* docs: Broken outputs.proto link [[#1493](https://github.com/falcosecurity/falco/pull/1493)] - [@deepskyblue86](https://github.com/deepskyblue86)
+* docs(README.md): correct broken links [[#1506](https://github.com/falcosecurity/falco/pull/1506)] - [@leogr](https://github.com/leogr)
+* docs(proposals): Exceptions handling proposal [[#1376](https://github.com/falcosecurity/falco/pull/1376)] - [@mstemm](https://github.com/mstemm)
+* docs: fix a broken link of README [[#1516](https://github.com/falcosecurity/falco/pull/1516)] - [@oke-py](https://github.com/oke-py)
+* docs: adding the kubernetes privileged use case to use cases [[#1484](https://github.com/falcosecurity/falco/pull/1484)] - [@fntlnz](https://github.com/fntlnz)
+* rules(Mkdir binary dirs): Adds exe_running_docker_save as an exception as this rules can be triggerred when a container is created. [[#1386](https://github.com/falcosecurity/falco/pull/1386)] - [@jhwbarlow](https://github.com/jhwbarlow)
+* rules(Create Hidden Files): Adds exe_running_docker_save as an exception as this rules can be triggerred when a container is created. [[#1386](https://github.com/falcosecurity/falco/pull/1386)] - [@jhwbarlow](https://github.com/jhwbarlow)
+* docs(.circleci): welcome Jonah (Amazon) as a new Falco CI maintainer [[#1518](https://github.com/falcosecurity/falco/pull/1518)] - [@leodido](https://github.com/leodido)
+* build: falcosecurity/falco:master also available on the AWS ECR Public registry [[#1512](https://github.com/falcosecurity/falco/pull/1512)] - [@leodido](https://github.com/leodido)
+* build: falcosecurity/falco:latest also available on the AWS ECR Public registry [[#1512](https://github.com/falcosecurity/falco/pull/1512)] - [@leodido](https://github.com/leodido)
+* update: gRPC clients can now subscribe to drop alerts via gRCP API [[#1451](https://github.com/falcosecurity/falco/pull/1451)] - [@leogr](https://github.com/leogr)
+* macro(allowed_k8s_users): exclude cloud-controller-manage to avoid false positives on k3s [[#1444](https://github.com/falcosecurity/falco/pull/1444)] - [@fntlnz](https://github.com/fntlnz)
+
+
+### Bug Fixes
+
+* fix(userspace/falco): use given priority in falco_outputs::handle_msg() [[#1450](https://github.com/falcosecurity/falco/pull/1450)] - [@leogr](https://github.com/leogr)
+* fix(userspace/engine): free formatters, if any [[#1447](https://github.com/falcosecurity/falco/pull/1447)] - [@leogr](https://github.com/leogr)
+* fix(scripts/falco-driver-loader): lsmod usage [[#1474](https://github.com/falcosecurity/falco/pull/1474)] - [@dnwe](https://github.com/dnwe)
+* fix: a bug that prevents Falco driver to be consumed by many Falco instances in some circumstances [[#1485](https://github.com/falcosecurity/falco/pull/1485)] - [@leodido](https://github.com/leodido)
+* fix: set `HOST_ROOT=/host` environment variable for the `falcosecurity/falco-no-driver` container image by default [[#1492](https://github.com/falcosecurity/falco/pull/1492)] - [@leogr](https://github.com/leogr)
+
+
+### Rule Changes
+
+* rule(list user_known_change_thread_namespace_binaries): add crio and multus to the list [[#1501](https://github.com/falcosecurity/falco/pull/1501)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(Container Run as Root User): new rule created [[#1500](https://github.com/falcosecurity/falco/pull/1500)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(Linux Kernel Module injection detected): adds a new rule that detects when an LKM module is injected using `insmod` from a container (typically used by rootkits looking to obfuscate their behavior via kernel hooking). [[#1478](https://github.com/falcosecurity/falco/pull/1478)] - [@d1vious](https://github.com/d1vious)
+* rule(macro multipath_writing_conf): create and use the macro [[#1475](https://github.com/falcosecurity/falco/pull/1475)] - [@nmarier-coveo](https://github.com/nmarier-coveo)
+* rule(list falco_privileged_images): add calico/node without registry prefix to prevent false positive alerts [[#1457](https://github.com/falcosecurity/falco/pull/1457)] - [@czunker](https://github.com/czunker)
+* rule(Full K8s Administrative Access): use the right list of admin users (fix) [[#1454](https://github.com/falcosecurity/falco/pull/1454)] - [@mstemm](https://github.com/mstemm)
+
+
+### Non user-facing changes
+
+* chore(cmake): remove unnecessary whitespace patch [[#1522](https://github.com/falcosecurity/falco/pull/1522)] - [@leogr](https://github.com/leogr)
+* remove stale bot in favor of the new lifecycle bot [[#1490](https://github.com/falcosecurity/falco/pull/1490)] - [@leodido](https://github.com/leodido)
+* chore(cmake): mark some variables as advanced [[#1496](https://github.com/falcosecurity/falco/pull/1496)] - [@deepskyblue86](https://github.com/deepskyblue86)
+* chore(cmake/modules): avoid useless rebuild [[#1495](https://github.com/falcosecurity/falco/pull/1495)] - [@deepskyblue86](https://github.com/deepskyblue86)
+* build: BUILD_BYPRODUCTS for civetweb [[#1489](https://github.com/falcosecurity/falco/pull/1489)] - [@fntlnz](https://github.com/fntlnz)
+* build: remove duplicate item from FALCO_SOURCES [[#1480](https://github.com/falcosecurity/falco/pull/1480)] - [@leodido](https://github.com/leodido)
+* build: make our integration tests report clear steps for CircleCI UI [[#1473](https://github.com/falcosecurity/falco/pull/1473)] - [@fntlnz](https://github.com/fntlnz)
+* further improvements outputs impl.  [[#1443](https://github.com/falcosecurity/falco/pull/1443)] - [@leogr](https://github.com/leogr)
+* fix(test): make integration tests properly fail [[#1439](https://github.com/falcosecurity/falco/pull/1439)] - [@leogr](https://github.com/leogr)
+* Falco outputs refactoring [[#1412](https://github.com/falcosecurity/falco/pull/1412)] - [@leogr](https://github.com/leogr)
+
+
+
+## v0.26.2
+
+Released on 2020-11-10
+
+### Major Changes
+
+* update: DRIVERS_REPO now defaults to https://download.falco.org/driver [[#1460](https://github.com/falcosecurity/falco/pull/1460)] - [@leodido](https://github.com/leodido)
+
+## v0.26.1
+
+Released on 2020-10-01
+
+### Major Changes
+
+* new: CLI flag `--alternate-lua-dir` to load Lua files from arbitrary paths [[#1419](https://github.com/falcosecurity/falco/pull/1419)] - [@admiral0](https://github.com/admiral0)
+
+
+### Rule Changes
+
+* rule(Delete or rename shell history): fix warnings/FPs + container teardown [[#1423](https://github.com/falcosecurity/falco/pull/1423)] - [@mstemm](https://github.com/mstemm)
+* rule(Write below root): ensure proc_name_exists too [[#1423](https://github.com/falcosecurity/falco/pull/1423)] - [@mstemm](https://github.com/mstemm)
+
+
 ## v0.26.0
 
 Released on 2020-24-09
 
 ### Major Changes
 
-* new: driver updated to 2aa88dcf6243982697811df4c1b484bcbe9488a2 [[#1410](https://github.com/falcosecurity/falco/pull/1410)]
-* new(scripts/falco-driver-loader): detect and try to build the Falco kernel module driver using different GCC versions available in the current environment. [[#1408](https://github.com/falcosecurity/falco/pull/1408)]
-* new: tgz (tarball) containing the statically-linked (musl) binary of Falco is now automatically built and published on bintray [[#1377](https://github.com/falcosecurity/falco/pull/1377)]
+* new: address several sources of FPs, primarily from GKE environments. [[#1372](https://github.com/falcosecurity/falco/pull/1372)] - [@mstemm](https://github.com/mstemm)
+* new: driver updated to 2aa88dcf6243982697811df4c1b484bcbe9488a2 [[#1410](https://github.com/falcosecurity/falco/pull/1410)] - [@leogr](https://github.com/leogr)
+* new(scripts/falco-driver-loader): detect and try to build the Falco kernel module driver using different GCC versions available in the current environment. [[#1408](https://github.com/falcosecurity/falco/pull/1408)] - [@fntlnz](https://github.com/fntlnz)
+* new: tgz (tarball) containing the statically-linked (musl) binary of Falco is now automatically built and published on bintray [[#1377](https://github.com/falcosecurity/falco/pull/1377)] - [@leogr](https://github.com/leogr)
 
 
 ### Minor Changes
 
-* update: bump Falco engine version to 7 [[#1381](https://github.com/falcosecurity/falco/pull/1381)]
-* update: the required_engine_version is now on by default [[#1381](https://github.com/falcosecurity/falco/pull/1381)]
-* update: falcosecurity/falco-no-driver image now uses the statically-linked Falco [[#1377](https://github.com/falcosecurity/falco/pull/1377)]
-* docs(proposals): artifacts storage [[#1375](https://github.com/falcosecurity/falco/pull/1375)]
-* docs(proposals): artifacts cleanup [[#1375](https://github.com/falcosecurity/falco/pull/1375)]
-
+* update: bump Falco engine version to 7 [[#1381](https://github.com/falcosecurity/falco/pull/1381)] - [@leogr](https://github.com/leogr)
+* update: the required_engine_version is now on by default [[#1381](https://github.com/falcosecurity/falco/pull/1381)] - [@leogr](https://github.com/leogr)
+* update: falcosecurity/falco-no-driver image now uses the statically-linked Falco [[#1377](https://github.com/falcosecurity/falco/pull/1377)] - [@leogr](https://github.com/leogr)
+* docs(proposals): artifacts storage [[#1375](https://github.com/falcosecurity/falco/pull/1375)] - [@leodido](https://github.com/leodido)
+* docs(proposals): artifacts cleanup [[#1375](https://github.com/falcosecurity/falco/pull/1375)] - [@leodido](https://github.com/leodido)
 
 
 ### Rule Changes
 
-* rule: Address several sources of FPs, primarily from GKE environments. [[#1372](https://github.com/falcosecurity/falco/pull/1372)]
-* rule(macro inbound_outbound): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)]
-* rule(macro redis_writing_conf): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)]
-* rule(macro run_by_foreman): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)]
-* rule(macro consider_packet_socket_communication): enable "Packet socket created in container" rule by default. [[#1402](https://github.com/falcosecurity/falco/pull/1402)]
-* rule(Delete or rename shell history): skip docker overlay filesystems when considering bash history [[#1393](https://github.com/falcosecurity/falco/pull/1393)]
-* rule(Disallowed K8s User): quote colons in user names [[#1393](https://github.com/falcosecurity/falco/pull/1393)]
-* rule(macro falco_sensitive_mount_containers): Adds a trailing slash to avoid repo naming issues [[#1394](https://github.com/falcosecurity/falco/pull/1394)]
-* rule: adds user.loginuid to the default Falco rules that also contain user.name [[#1369](https://github.com/falcosecurity/falco/pull/1369)]
-
-
-
-This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).
+* rule(macro inbound_outbound): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)] - [@ldegio](https://github.com/ldegio)
+* rule(macro redis_writing_conf): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)] - [@ldegio](https://github.com/ldegio)
+* rule(macro run_by_foreman): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)] - [@ldegio](https://github.com/ldegio)
+* rule(macro consider_packet_socket_communication): enable "Packet socket created in container" rule by default. [[#1402](https://github.com/falcosecurity/falco/pull/1402)] - [@rung](https://github.com/rung)
+* rule(Delete or rename shell history): skip docker overlay filesystems when considering bash history [[#1393](https://github.com/falcosecurity/falco/pull/1393)] - [@mstemm](https://github.com/mstemm)
+* rule(Disallowed K8s User): quote colons in user names [[#1393](https://github.com/falcosecurity/falco/pull/1393)] - [@mstemm](https://github.com/mstemm)
+* rule(macro falco_sensitive_mount_containers): Adds a trailing slash to avoid repo naming issues [[#1394](https://github.com/falcosecurity/falco/pull/1394)] - [@bgeesaman](https://github.com/bgeesaman)
+* rule: adds user.loginuid to the default Falco rules that also contain user.name [[#1369](https://github.com/falcosecurity/falco/pull/1369)] - [@csschwe](https://github.com/csschwe)
 
 ## v0.25.0
 

CMakeLists.txt

@@ -19,6 +19,15 @@ option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF
 option(MINIMAL_BUILD "Build a minimal version of Falco, containing only the engine and basic input/output (EXPERIMENTAL)" OFF)
 option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF)
 
+# We shouldn't need to set this, see https://gitlab.kitware.com/cmake/cmake/-/issues/16419
+option(EP_UPDATE_DISCONNECTED "ExternalProject update disconnected" OFF)
+if (${EP_UPDATE_DISCONNECTED})
+  set_property(
+    DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
+    PROPERTY EP_UPDATE_DISCONNECTED TRUE)
+endif()
+
+
 # Elapsed time
 # set_property(GLOBAL PROPERTY RULE_LAUNCH_COMPILE "${CMAKE_COMMAND} -E time") # TODO(fntlnz, leodido): add a flag to enable this
 
@@ -83,7 +92,7 @@ include(GetFalcoVersion)
 set(PACKAGE_NAME "falco")
 set(PROBE_NAME "falco")
 set(PROBE_DEVICE_NAME "falco")
-set(DRIVERS_REPO "https://dl.bintray.com/falcosecurity/driver")
+set(DRIVERS_REPO "https://download.falco.org/driver")
 if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
   set(CMAKE_INSTALL_PREFIX
       /usr
@@ -115,20 +124,8 @@ set(CURSES_NEED_NCURSES TRUE)
 find_package(Curses REQUIRED)
 message(STATUS "Found ncurses: include: ${CURSES_INCLUDE_DIR}, lib: ${CURSES_LIBRARIES}")
 
-# libb64
-
-set(B64_SRC "${PROJECT_BINARY_DIR}/b64-prefix/src/b64")
-message(STATUS "Using bundled b64 in '${B64_SRC}'")
-set(B64_INCLUDE "${B64_SRC}/include")
-set(B64_LIB "${B64_SRC}/src/libb64.a")
-ExternalProject_Add(
-  b64
-  URL "https://github.com/libb64/libb64/archive/v1.2.1.zip"
-  URL_HASH "SHA256=665134c2b600098a7ebd3d00b6a866cb34909a6d48e0e37a0eda226a4ad2638a"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ${CMD_MAKE}
-  BUILD_IN_SOURCE 1
-  INSTALL_COMMAND "")
+# b64
+include(b64)
 
 # yaml-cpp
 include(yaml-cpp)
@@ -142,52 +139,16 @@ if(NOT MINIMAL_BUILD)
 endif()
 
 # LuaJIT
-set(LUAJIT_SRC "${PROJECT_BINARY_DIR}/luajit-prefix/src/luajit/src")
-message(STATUS "Using bundled LuaJIT in '${LUAJIT_SRC}'")
-set(LUAJIT_INCLUDE "${LUAJIT_SRC}")
-set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
-ExternalProject_Add(
-  luajit
-  URL "https://github.com/LuaJIT/LuaJIT/archive/v2.0.3.tar.gz"
-  URL_HASH "SHA256=8da3d984495a11ba1bce9a833ba60e18b532ca0641e7d90d97fafe85ff014baa"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ${CMD_MAKE}
-  BUILD_IN_SOURCE 1
-  INSTALL_COMMAND "")
+include(luajit)
 
 # Lpeg
-set(LPEG_SRC "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg")
-set(LPEG_LIB "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg/build/lpeg.a")
-message(STATUS "Using bundled lpeg in '${LPEG_SRC}'")
-set(LPEG_DEPENDENCIES "")
-list(APPEND LPEG_DEPENDENCIES "luajit")
-ExternalProject_Add(
-  lpeg
-  DEPENDS ${LPEG_DEPENDENCIES}
-  URL "http://www.inf.puc-rio.br/~roberto/lpeg/lpeg-1.0.2.tar.gz"
-  URL_HASH "SHA256=48d66576051b6c78388faad09b70493093264588fcd0f258ddaab1cdd4a15ffe"
-  BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
-  BUILD_IN_SOURCE 1
-  CONFIGURE_COMMAND ""
-  INSTALL_COMMAND "")
+include(lpeg)
 
 # libyaml
 include(libyaml)
 
 # lyaml
-set(LYAML_SRC "${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/ext/yaml")
-set(LYAML_LIB "${LYAML_SRC}/.libs/yaml.a")
-message(STATUS "Using bundled lyaml in '${LYAML_SRC}'")
-ExternalProject_Add(
-  lyaml
-  DEPENDS luajit libyaml
-  URL "https://github.com/gvvaughan/lyaml/archive/release-v6.0.tar.gz"
-  URL_HASH "SHA256=9d7cf74d776999ff6f758c569d5202ff5da1f303c6f4229d3b41f71cd3a3e7a7"
-  BUILD_COMMAND ${CMD_MAKE}
-  BUILD_IN_SOURCE 1
-  CONFIGURE_COMMAND ./configure --enable-static CFLAGS=-I${LIBYAML_INSTALL_DIR}/include CPPFLAGS=-I${LIBYAML_INSTALL_DIR}/include LDFLAGS=-L${LIBYAML_INSTALL_DIR}/lib LIBS=-lyaml LUA=${LUAJIT_SRC}/luajit LUA_INCLUDE=-I${LUAJIT_INCLUDE}
-  INSTALL_COMMAND sh -c
-                  "cp -R ${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/lib/* ${PROJECT_SOURCE_DIR}/userspace/engine/lua")
+include(lyaml)
 
 # One TBB
 set(TBB_SRC "${PROJECT_BINARY_DIR}/tbb-prefix/src/tbb")
@@ -220,6 +181,7 @@ if(NOT MINIMAL_BUILD)
     COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/include
     BUILD_IN_SOURCE 1
     BUILD_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" WITH_CPP=1
+    BUILD_BYPRODUCTS ${CIVETWEB_LIB}
     INSTALL_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" install-lib install-headers PREFIX=${CIVETWEB_SRC}/install "WITH_CPP=1")
 endif()
 
@@ -254,6 +216,9 @@ add_subdirectory(docker)
 # Clang format
 # add_custom_target(format COMMAND clang-format --style=file -i $<TARGET_PROPERTY:falco,SOURCES> COMMENT "Formatting ..." VERBATIM)
 
+# Static analysis
+include(static-analysis)
+
 # Shared build variables
 set(FALCO_SINSP_LIBRARY sinsp)
 set(FALCO_SHARE_DIR share/falco)

GOVERNANCE.md

@@ -1,55 +0,0 @@
-# Process for becoming a maintainer
-
-* Express interest to the existing maintainers that you or your organization is interested in becoming a
-  maintainer. Becoming a maintainer generally means that you are going to be spending substantial
-  time (>25%) on Falco for the foreseeable future. You should have domain expertise and be extremely
-  proficient in C++. Ultimately your goal is to become a maintainer that will represent your
-  organization.
-* We will expect you to start contributing increasingly complicated PRs, under the guidance
-  of the existing maintainers.
-* We may ask you to do some PRs from our backlog.
-* As you gain experience with the code base and our standards, we will ask you to do code reviews
-  for incoming PRs (i.e., all maintainers are expected to shoulder a proportional share of
-  community reviews).
-* After a period of approximately 2-3 months of working together and making sure we see eye to eye,
-  the existing maintainers will confer and decide whether to grant maintainer status or not.
-  We make no guarantees on the length of time this will take, but 2-3 months is the approximate
-  goal.
-
-## Maintainer responsibilities
-
-* Monitor Slack (delayed response is perfectly acceptable).
-* Triage GitHub issues and perform pull request reviews for other maintainers and the community.
-* During GitHub issue triage, apply all applicable [labels](https://github.com/falcosecurity/falco/labels)
-  to each new issue. Labels are extremely useful for future issue follow up. Which labels to apply
-  is somewhat subjective so just use your best judgment.
-* Make sure that ongoing PRs are moving forward at the right pace or closing them.
-* Participate when called upon in the security releases. Note that although this should be a rare
-  occurrence, if a serious vulnerability is found, the process may take up to several full days of
-  work to implement. This reality should be taken into account when discussing time commitment
-  obligations with employers.
-* In general continue to be willing to spend at least 25% of ones time working on Falco (~1.25
-  business days per week).
-
-## When does a maintainer lose maintainer status
-
-If a maintainer is no longer interested or cannot perform the maintainer duties listed above, they
-should volunteer to be moved to emeritus status. In extreme cases this can also occur by a vote of
-the maintainers per the voting process below.
-
-# Conflict resolution and voting
-
-In general, we prefer that technical issues and maintainer membership are amicably worked out
-between the persons involved. If a dispute cannot be decided independently, the maintainers can be
-called in to decide an issue. If the maintainers themselves cannot decide an issue, the issue will
-be resolved by voting. The voting process is a simple majority in which each senior maintainer
-receives two votes and each normal maintainer receives one vote.
-
-# Adding new projects to the falcosecurity GitHub organization
-
-New projects will be added to the falcosecurity organization via GitHub issue discussion in one of the
-existing projects in the organization. Once sufficient discussion has taken place (~3-5 business
-days but depending on the volume of conversation), the maintainers of *the project where the issue
-was opened* (since different projects in the organization may have different maintainers) will
-decide whether the new project should be added. See the section above on voting if the maintainers
-cannot easily decide.

README.md

@@ -5,7 +5,9 @@
 
 [![Build Status](https://img.shields.io/circleci/build/github/falcosecurity/falco/master?style=for-the-badge)](https://circleci.com/gh/falcosecurity/falco) [![CII Best Practices Summary](https://img.shields.io/cii/summary/2317?label=CCI%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) [![GitHub](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING)
 
-#### Latest releases
+Want to talk? Join us on the [#falco](https://kubernetes.slack.com/archives/CMWH3EH32) channel in the [Kubernetes Slack](https://slack.k8s.io).
+
+### Latest releases
 
 Read the [change log](CHANGELOG.md).
 
@@ -19,27 +21,27 @@ Read the [change log](CHANGELOG.md).
 
 The Falco Project, originally created by [Sysdig](https://sysdig.com), is an incubating [CNCF](https://cncf.io) open source cloud native runtime security tool.
 Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack.
-Falco has a rich rule set of security rules specifically built for Kubernetes, Linux, and cloud-native.
+Falco has a rich set of security rules specifically built for Kubernetes, Linux, and cloud-native.
 If a rule is violated in a system, Falco will send an alert notifying the user of the violation and its severity.
 
 ### Installing Falco
 
-If you would like to run Falco in **production** please adhere to the [official installation guide](https://falco.org/docs/installation/).
+If you would like to run Falco in **production** please adhere to the [official installation guide](https://falco.org/docs/getting-started/installation/).
 
 ##### Kubernetes
 
 | Tool     | Link                                                                                       | Note                                                               |
 |----------|--------------------------------------------------------------------------------------------|--------------------------------------------------------------------|
 | Helm     | [Chart Repository](https://github.com/falcosecurity/charts/tree/master/falco#introduction) | The Falco community offers regular helm chart releases.            |
-| Minikube | [Tutorial](https://falco.org/docs/third-party/#minikube)                                   | The Falco driver has been baked into minikube for easy deployment. |
-| Kind     | [Tutorial](https://falco.org/docs/third-party/#kind)                                       | Running Falco with kind requires a driver on the host system.      |
-| GKE      | [Tutorial](https://falco.org/docs/third-party/#gke)                                        | We suggest using the eBPF driver for running Falco on GKE.         |
+| Minikube | [Tutorial](https://falco.org/docs/getting-started/third-party/#minikube)                                   | The Falco driver has been baked into minikube for easy deployment. |
+| Kind     | [Tutorial](https://falco.org/docs/getting-started/third-party/#kind)                                       | Running Falco with kind requires a driver on the host system.      |
+| GKE      | [Tutorial](https://falco.org/docs/getting-started/third-party/#gke)                                        | We suggest using the eBPF driver for running Falco on GKE.         |
 
 ### Developing
 
 Falco is designed to be extensible such that it can be built into cloud-native applications and infrastructure.
 
-Falco has a [gRPC](https://falco.org/docs/grpc/) endpoint and an API defined in [protobuf](https://github.com/falcosecurity/falco/blob/update-readme/userspace/falco/outputs.proto).
+Falco has a [gRPC](https://falco.org/docs/grpc/) endpoint and an API defined in [protobuf](https://github.com/falcosecurity/falco/blob/master/userspace/falco/outputs.proto).
 The Falco Project supports various SDKs for this endpoint.
 
 ##### SDKs
@@ -63,6 +65,7 @@ For example, Falco can easily detect incidents including but not limited to:
 - Unexpected read of a sensitive file, such as `/etc/shadow`.
 - A non-device file is written to `/dev`.
 - A standard system binary, such as `ls`, is making an outbound network connection.
+- A privileged pod is started in a Kubernetes cluster.
 
 ### Documentation
 
@@ -72,6 +75,13 @@ The [Official Documentation](https://falco.org/docs/) is the best resource to le
 
 To get involved with The Falco Project please visit [the community repository](https://github.com/falcosecurity/community) to find more.
 
+How to reach out?
+
+ - Join the #falco channel on the [Kubernetes Slack](https://slack.k8s.io)
+ - [Join the Falco mailing list](https://lists.cncf.io/g/cncf-falco-dev)
+ - [Read the Falco documentation](https://falco.org/docs/)
+
+
 ### Contributing
 
 See the [CONTRIBUTING.md](https://github.com/falcosecurity/.github/blob/master/CONTRIBUTING.md).
@@ -94,4 +104,4 @@ Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
 [3]: https://dl.bintray.com/falcosecurity/deb-dev/stable
 [4]: https://dl.bintray.com/falcosecurity/deb/stable
 [5]: https://dl.bintray.com/falcosecurity/bin-dev/x86_64
-[6]: https://dl.bintray.com/falcosecurity/bin/x86_64
+[6]: https://dl.bintray.com/falcosecurity/bin/x86_64

RELEASE.md

@@ -4,7 +4,7 @@ Our release process is mostly automated, but we still need some manual steps to
 
 Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released.
 
-Releases happen on a monthly cadence, towards the 16th of the on-going month, and we need to assign owners for each (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community). Note that hotfix releases can happen as soon as it is needed.
+A release happens every two months ([as per community discussion](https://github.com/falcosecurity/community/blob/master/meeting-notes/2020-09-30.md#agenda)), and we need to assign owners for each (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community). Note that hotfix releases can happen as soon as it is needed.
 
 Finally, on the proposed due date the assignees for the upcoming release proceed with the processes described below.
 
@@ -28,8 +28,8 @@ Before cutting a release we need to do some homework in the Falco repository. Th
 
 - Double-check if any hard-coded version number is present in the code, it should be not present anywhere:
     - If any, manually correct it then open an issue to automate version number bumping later
-    - Versions table in the `README.md` update itself automatically
-- Generate the change log https://github.com/leodido/rn2md, or https://fs.fntlnz.wtf/falco/milestones-changelog.txt for the lazy people (it updates every 5 minutes)
+    - Versions table in the `README.md` updates itself automatically
+- Generate the change log https://github.com/leodido/rn2md:
     - If you review timeout errors with `rn2md` try to generate an GitHub Oauth access token and use `-t`
 - Add the latest changes on top the previous `CHANGELOG.md`
 - Submit a PR with the above modifications
@@ -61,21 +61,44 @@ Now assume `x.y.z` is the new version.
 - Use `x.y.z` both as tag version and release title
 - Use the following template to fill the release description:
     ```
-    <!-- Copy the relevant part of the changelog here -->
+    <!-- Substitute x.y.z with the current release version -->
+
+    | Packages | Download                                                                                                                                               |
+    | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
+    | rpm      | [![rpm](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/rpm/falco-x.y.z-x86_64.rpm)        |
+    | deb      | [![deb](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/deb/stable/falco-x.y.z-x86_64.deb) |
+    | tgz      | [![tgz](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/bin/x86_64/falco-x.y.z-x86_64.deb) |
+
+    | Images                                                                      |
+    | --------------------------------------------------------------------------- |
+    | `docker pull docker.io/falcosecurity/falco:x.y.z`                           |
+    | `docker pull public.ecr.aws/falcosecurity/falco:x.y.z`                      |
+    | `docker pull docker.io/falcosecurity/falco-driver-loader:x.y.z`             |
+    | `docker pull docker.io/falcosecurity/falco-no-driver:x.y.z`                 |
 
     ### Statistics
 
-    | Merged PRs        | Number  |
-    |-------------------|---------|
-    | Not user-facing   | x       |
-    | Release note      | x       |
-    | Total             | x       |
+    | Merged PRs      | Number |
+    | --------------- | ------ |
+    | Not user-facing | x      |
+    | Release note    | x      |
+    | Total           | x      |
 
     <!-- Calculate stats and fill the above table -->
     ```
 
 - Finally, publish the release!
 
+### 3. Update the meeting notes
+
+For each release we archive the meeting notes in git for historical purposes.
+
+ - The notes from the Falco meetings can be [found here](https://hackmd.io/6sEAlInlSaGnLz2FnFz21A).
+    - Note: There may be other notes from working groups that can optionally be added as well as needed.
+ - Add the entire content of the document to a new file in [github.com/falcosecurity/community/tree/master/meeting-notes](https://github.com/falcosecurity/community/tree/master/meeting-notes) as a new file labeled `release-x.y.z.md`
+ - Open up a pull request with the new change.
+
+
 ## Post-Release tasks
 
 Announce the new release to the world!

brand/README.md

@@ -15,6 +15,21 @@ There are 3 logos available for use in this directory. Use the primary logo unle
 
 The Falco logo is Apache 2 licensed and free to use in media and publication for the CNCF Falco project.
 
+### Colors
+
+| Name      | PMS  | RGB         |
+|-----------|------|-------------|
+| Teal      | 3125 |   0 174 199 |
+| Cool Gray |   11 |  83  86  90 |
+| Black     |      |   0   0   0 |
+| Blue-Gray | 7700 |  22 92 125  |
+| Gold      | 1375 | 255 158  27 |
+| Orange    |  171 | 255  92  57 |
+| Emerald   | 3278 |   0 155 119 |
+| Green     |  360 | 108 194  74 |
+
+The primary colors are those in the first two rows.
+
 ### Slogan
 
 > Cloud Native Runtime Security

cmake/modules/CPackConfig.cmake

@@ -30,9 +30,15 @@ if(NOT CPACK_GENERATOR)
 endif()
 
 message(STATUS "Using package generators: ${CPACK_GENERATOR}")
-
+message(STATUS "Package architecture: ${CMAKE_SYSTEM_PROCESSOR}")
 set(CPACK_DEBIAN_PACKAGE_SECTION "utils")
-set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")
+
+if(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+  set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")
+endif()
+if(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "aarch64")
+  set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "arm64")
+endif()
 set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "https://www.falco.org")
 set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0)")
 set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA

cmake/modules/OpenSSL.cmake

@@ -10,6 +10,7 @@
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 #
+mark_as_advanced(OPENSSL_BINARY)
 if(NOT USE_BUNDLED_DEPS)
   find_package(OpenSSL REQUIRED)
   message(STATUS "Found openssl: include: ${OPENSSL_INCLUDE_DIR}, lib: ${OPENSSL_LIBRARIES}")
@@ -20,6 +21,8 @@ if(NOT USE_BUNDLED_DEPS)
     message(STATUS "Found openssl: binary: ${OPENSSL_BINARY}")
   endif()
 else()
+  mark_as_advanced(OPENSSL_BUNDLE_DIR OPENSSL_INSTALL_DIR OPENSSL_INCLUDE_DIR
+    OPENSSL_LIBRARY_SSL OPENSSL_LIBRARY_CRYPTO)
   set(OPENSSL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl")
   set(OPENSSL_INSTALL_DIR "${OPENSSL_BUNDLE_DIR}/target")
   set(OPENSSL_INCLUDE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl/include")

cmake/modules/b64.cmake

@@ -0,0 +1,27 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(B64_SRC "${PROJECT_BINARY_DIR}/b64-prefix/src/b64")
+message(STATUS "Using bundled b64 in '${B64_SRC}'")
+set(B64_INCLUDE "${B64_SRC}/include")
+set(B64_LIB "${B64_SRC}/src/libb64.a")
+externalproject_add(
+  b64
+  URL "https://github.com/libb64/libb64/archive/ce864b17ea0e24a91e77c7dd3eb2d1ac4175b3f0.tar.gz"
+  URL_HASH "SHA256=d07173e66f435e5c77dbf81bd9313f8d0e4a3b4edd4105a62f4f8132ba932811"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ${CMD_MAKE}
+  BUILD_IN_SOURCE 1
+  BUILD_BYPRODUCTS ${B64_LIB}
+  INSTALL_COMMAND ""
+)

cmake/modules/gRPC.cmake

@@ -22,6 +22,7 @@ if(NOT USE_BUNDLED_DEPS)
   endif()
 
   # c-ares
+  mark_as_advanced(CARES_INCLUDE CARES_LIB)
   find_path(CARES_INCLUDE NAMES ares.h)
   find_library(CARES_LIB NAMES libcares.so)
   if(CARES_INCLUDE AND CARES_LIB)
@@ -31,6 +32,7 @@ if(NOT USE_BUNDLED_DEPS)
   endif()
 
   # protobuf
+  mark_as_advanced(PROTOC PROTOBUF_INCLUDE PROTOBUF_LIB)
   find_program(PROTOC NAMES protoc)
   find_path(PROTOBUF_INCLUDE NAMES google/protobuf/message.h)
   find_library(PROTOBUF_LIB NAMES libprotobuf.so)
@@ -43,6 +45,7 @@ if(NOT USE_BUNDLED_DEPS)
   endif()
 
   # gpr
+  mark_as_advanced(GPR_LIB)
   find_library(GPR_LIB NAMES gpr)
 
   if(GPR_LIB)
@@ -52,12 +55,16 @@ if(NOT USE_BUNDLED_DEPS)
   endif()
 
   # gRPC todo(fntlnz, leodido): check that gRPC version is greater or equal than 1.8.0
+  mark_as_advanced(GRPC_INCLUDE GRPC_SRC
+    GRPC_LIB GRPC_LIBS_ABSOLUTE  GRPCPP_LIB GRPC_CPP_PLUGIN)
   find_path(GRPCXX_INCLUDE NAMES grpc++/grpc++.h)
   if(GRPCXX_INCLUDE)
     set(GRPC_INCLUDE ${GRPCXX_INCLUDE})
+    unset(GRPCXX_INCLUDE CACHE)
   else()
     find_path(GRPCPP_INCLUDE NAMES grpcpp/grpcpp.h)
     set(GRPC_INCLUDE ${GRPCPP_INCLUDE})
+    unset(GRPCPP_INCLUDE CACHE)
     add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1)
   endif()
   find_library(GRPC_LIB NAMES grpc)
@@ -115,7 +122,7 @@ else()
     grpc
     DEPENDS openssl
     GIT_REPOSITORY https://github.com/grpc/grpc.git
-    GIT_TAG v1.31.1
+    GIT_TAG v1.32.0
     GIT_SUBMODULES "third_party/protobuf third_party/zlib third_party/cares/cares third_party/abseil-cpp third_party/re2"
     BUILD_IN_SOURCE 1
     BUILD_BYPRODUCTS ${GRPC_LIB} ${GRPCPP_LIB}

cmake/modules/jq.cmake

@@ -10,6 +10,7 @@
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 #
+mark_as_advanced(JQ_INCLUDE JQ_LIB)
 if (NOT USE_BUNDLED_DEPS)
     find_path(JQ_INCLUDE jq.h PATH_SUFFIXES jq)
     find_library(JQ_LIB NAMES jq)

cmake/modules/libyaml.cmake

@@ -15,12 +15,13 @@ set(LIBYAML_SRC "${PROJECT_BINARY_DIR}/libyaml-prefix/src/libyaml")
 set(LIBYAML_INSTALL_DIR "${LIBYAML_SRC}/target")
 message(STATUS "Using bundled libyaml in '${LIBYAML_SRC}'")
 set(LIBYAML_LIB "${LIBYAML_SRC}/src/.libs/libyaml.a")
-ExternalProject_Add(
-libyaml
-URL "https://github.com/yaml/libyaml/releases/download/0.2.5/yaml-0.2.5.tar.gz"
-URL_HASH "SHA256=c642ae9b75fee120b2d96c712538bd2cf283228d2337df2cf2988e3c02678ef4"
-CONFIGURE_COMMAND ./configure --prefix=${LIBYAML_INSTALL_DIR} CFLAGS=-fPIC CPPFLAGS=-fPIC --enable-static=true --enable-shared=false
-BUILD_COMMAND ${CMD_MAKE} 
-BUILD_IN_SOURCE 1
-INSTALL_COMMAND ${CMD_MAKE} install)
-
+externalproject_add(
+  libyaml
+  URL "https://github.com/yaml/libyaml/releases/download/0.2.5/yaml-0.2.5.tar.gz"
+  URL_HASH "SHA256=c642ae9b75fee120b2d96c712538bd2cf283228d2337df2cf2988e3c02678ef4"
+  CONFIGURE_COMMAND ./configure --prefix=${LIBYAML_INSTALL_DIR} CFLAGS=-fPIC CPPFLAGS=-fPIC --enable-static=true --enable-shared=false
+  BUILD_COMMAND ${CMD_MAKE}
+  BUILD_IN_SOURCE 1
+  BUILD_BYPRODUCTS ${LIBYAML_LIB}
+  INSTALL_COMMAND ${CMD_MAKE} install
+)

cmake/modules/lpeg.cmake

@@ -0,0 +1,28 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(LPEG_SRC "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg")
+set(LPEG_LIB "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg/build/lpeg.a")
+message(STATUS "Using bundled lpeg in '${LPEG_SRC}'")
+set(LPEG_DEPENDENCIES "")
+list(APPEND LPEG_DEPENDENCIES "luajit")
+ExternalProject_Add(
+  lpeg
+  DEPENDS ${LPEG_DEPENDENCIES}
+  URL "http://www.inf.puc-rio.br/~roberto/lpeg/lpeg-1.0.2.tar.gz"
+  URL_HASH "SHA256=48d66576051b6c78388faad09b70493093264588fcd0f258ddaab1cdd4a15ffe"
+  BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
+  BUILD_IN_SOURCE 1
+  BUILD_BYPRODUCTS ${LPEG_LIB}
+  CONFIGURE_COMMAND ""
+  INSTALL_COMMAND "")

cmake/modules/luajit.cmake

@@ -0,0 +1,27 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(LUAJIT_SRC "${PROJECT_BINARY_DIR}/luajit-prefix/src/luajit/src")
+message(STATUS "Using bundled LuaJIT in '${LUAJIT_SRC}'")
+set(LUAJIT_INCLUDE "${LUAJIT_SRC}")
+set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
+externalproject_add(
+  luajit
+  GIT_REPOSITORY "https://github.com/LuaJIT/LuaJIT"
+  GIT_TAG "1d8b747c161db457e032a023ebbff511f5de5ec2"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ${CMD_MAKE}
+  BUILD_IN_SOURCE 1
+  BUILD_BYPRODUCTS ${LUAJIT_LIB}
+  INSTALL_COMMAND ""
+)

cmake/modules/lyaml.cmake

@@ -0,0 +1,28 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(LYAML_SRC "${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/ext/yaml")
+set(LYAML_LIB "${LYAML_SRC}/.libs/yaml.a")
+message(STATUS "Using bundled lyaml in '${LYAML_SRC}'")
+externalproject_add(
+  lyaml
+  DEPENDS luajit libyaml
+  URL "https://github.com/gvvaughan/lyaml/archive/release-v6.0.tar.gz"
+  URL_HASH "SHA256=9d7cf74d776999ff6f758c569d5202ff5da1f303c6f4229d3b41f71cd3a3e7a7"
+  BUILD_COMMAND ${CMD_MAKE}
+  BUILD_IN_SOURCE 1
+  BUILD_BYPRODUCTS ${LYAML_LIB}
+  CONFIGURE_COMMAND ./configure --enable-static CFLAGS=-I${LIBYAML_INSTALL_DIR}/include CPPFLAGS=-I${LIBYAML_INSTALL_DIR}/include LDFLAGS=-L${LIBYAML_INSTALL_DIR}/lib LIBS=-lyaml LUA=${LUAJIT_SRC}/luajit LUA_INCLUDE=-I${LUAJIT_INCLUDE}
+  INSTALL_COMMAND sh -c
+  "cp -R ${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/lib/* ${PROJECT_SOURCE_DIR}/userspace/engine/lua"
+)

cmake/modules/static-analysis.cmake

@@ -0,0 +1,43 @@
+# create the reports folder
+file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports)
+file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck)
+
+# cppcheck
+mark_as_advanced(CPPCHECK CPPCHECK_HTMLREPORT)
+find_program(CPPCHECK cppcheck)
+find_program(CPPCHECK_HTMLREPORT cppcheck-htmlreport)
+
+if(NOT CPPCHECK)
+  message(STATUS "cppcheck command not found, static code analysis using cppcheck will not be available.")
+else()
+  message(STATUS "cppcheck found at: ${CPPCHECK}")
+  # we are aware that cppcheck can be run
+  # along with the software compilation in a single step
+  # using the CMAKE_CXX_CPPCHECK variables.
+  # However, for practical needs we want to keep the
+  # two things separated and have a specific target for it.
+  # Our cppcheck target reads the compilation database produced by CMake
+  set(CMAKE_EXPORT_COMPILE_COMMANDS On)
+  add_custom_target(
+      cppcheck
+      COMMAND ${CPPCHECK}
+      "--enable=all"
+      "--force"
+      "--inconclusive"
+      "--inline-suppr" # allows to specify suppressions directly in source code
+      "--project=${CMAKE_CURRENT_BINARY_DIR}/compile_commands.json" # use the compilation database as source
+      "--quiet"
+      "--xml" # we want to generate a report
+      "--output-file=${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck/cppcheck.xml" # generate the report under the reports folder in the build folder
+      "-i${CMAKE_CURRENT_BINARY_DIR}"# exclude the build folder
+  )
+endif() # CPPCHECK
+
+if(NOT CPPCHECK_HTMLREPORT)
+  message(STATUS "cppcheck-htmlreport command not found, will not be able to produce html reports for cppcheck results")
+else()
+  message(STATUS "cppcheck-htmlreport found at: ${CPPCHECK_HTMLREPORT}")
+  add_custom_target(
+    cppcheck_htmlreport
+    COMMAND ${CPPCHECK_HTMLREPORT} --title=${CMAKE_PROJECT_NAME} --report-dir=${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck --file=static-analysis-reports/cppcheck/cppcheck.xml)
+endif() # CPPCHECK_HTMLREPORT

cmake/modules/sysdig-repo/CMakeLists.txt

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -25,4 +25,4 @@ ExternalProject_Add(
   BUILD_COMMAND ""
   INSTALL_COMMAND ""
   TEST_COMMAND ""
-  PATCH_COMMAND patch -p1 -i ${CMAKE_CURRENT_SOURCE_DIR}/patch/libscap.patch)
+  PATCH_COMMAND patch -p1 -i ${CMAKE_CURRENT_SOURCE_DIR}/patch/libscap.patch && patch -p1 -i ${CMAKE_CURRENT_SOURCE_DIR}/patch/luajit.patch)

cmake/modules/sysdig-repo/patch/libscap.patch

@@ -1,8 +1,8 @@
 diff --git a/userspace/libscap/scap.c b/userspace/libscap/scap.c
-index e9faea51..a1b3b501 100644
+index 6f51588e..5f9ea84e 100644
 --- a/userspace/libscap/scap.c
 +++ b/userspace/libscap/scap.c
-@@ -52,7 +52,7 @@ limitations under the License.
+@@ -55,7 +55,7 @@ limitations under the License.
  //#define NDEBUG
  #include <assert.h>
  
@@ -11,7 +11,16 @@ index e9faea51..a1b3b501 100644
  
  //
  // Probe version string size
-@@ -171,7 +171,7 @@ scap_t* scap_open_live_int(char *error, int32_t *rc,
+@@ -114,7 +114,7 @@ scap_t* scap_open_udig_int(char *error, int32_t *rc,
+ static uint32_t get_max_consumers()
+ {
+ 	uint32_t max;
+-	FILE *pfile = fopen("/sys/module/" PROBE_DEVICE_NAME "_probe/parameters/max_consumers", "r");
++	FILE *pfile = fopen("/sys/module/" PROBE_DEVICE_NAME "/parameters/max_consumers", "r");
+ 	if(pfile != NULL)
+ 	{
+ 		int w = fscanf(pfile, "%"PRIu32, &max);
+@@ -186,7 +186,7 @@ scap_t* scap_open_live_int(char *error, int32_t *rc,
  				return NULL;
  			}
  
@@ -20,7 +29,16 @@ index e9faea51..a1b3b501 100644
  			bpf_probe = buf;
  		}
  	}
-@@ -1808,7 +1808,7 @@ int32_t scap_disable_dynamic_snaplen(scap_t* handle)
+@@ -344,7 +344,7 @@ scap_t* scap_open_live_int(char *error, int32_t *rc,
+ 				else if(errno == EBUSY)
+ 				{
+ 					uint32_t curr_max_consumers = get_max_consumers();
+-					snprintf(error, SCAP_LASTERR_SIZE, "Too many sysdig instances attached to device %s. Current value for /sys/module/" PROBE_DEVICE_NAME "_probe/parameters/max_consumers is '%"PRIu32"'.", filename, curr_max_consumers);
++					snprintf(error, SCAP_LASTERR_SIZE, "Too many Falco instances attached to device %s. Current value for /sys/module/" PROBE_DEVICE_NAME "/parameters/max_consumers is '%"PRIu32"'.", filename, curr_max_consumers);
+ 				}
+ 				else
+ 				{
+@@ -2175,7 +2175,7 @@ int32_t scap_disable_dynamic_snaplen(scap_t* handle)
  
  const char* scap_get_host_root()
  {

cmake/modules/sysdig-repo/patch/luajit.patch

@@ -0,0 +1,57 @@
+diff --git a/userspace/libsinsp/chisel.cpp b/userspace/libsinsp/chisel.cpp
+index 0a6e3cf8..0c2e255a 100644
+--- a/userspace/libsinsp/chisel.cpp
++++ b/userspace/libsinsp/chisel.cpp
+@@ -98,7 +98,7 @@ void lua_stackdump(lua_State *L)
+ // Lua callbacks
+ ///////////////////////////////////////////////////////////////////////////////
+ #ifdef HAS_LUA_CHISELS
+-const static struct luaL_reg ll_sysdig [] =
++const static struct luaL_Reg ll_sysdig [] =
+ {
+ 	{"set_filter", &lua_cbacks::set_global_filter},
+ 	{"set_snaplen", &lua_cbacks::set_snaplen},
+@@ -134,7 +134,7 @@ const static struct luaL_reg ll_sysdig [] =
+ 	{NULL,NULL}
+ };
+ 
+-const static struct luaL_reg ll_chisel [] =
++const static struct luaL_Reg ll_chisel [] =
+ {
+ 	{"request_field", &lua_cbacks::request_field},
+ 	{"set_filter", &lua_cbacks::set_filter},
+@@ -146,7 +146,7 @@ const static struct luaL_reg ll_chisel [] =
+ 	{NULL,NULL}
+ };
+ 
+-const static struct luaL_reg ll_evt [] =
++const static struct luaL_Reg ll_evt [] =
+ {
+ 	{"field", &lua_cbacks::field},
+ 	{"get_num", &lua_cbacks::get_num},
+diff --git a/userspace/libsinsp/lua_parser.cpp b/userspace/libsinsp/lua_parser.cpp
+index 0e26617d..78810d96 100644
+--- a/userspace/libsinsp/lua_parser.cpp
++++ b/userspace/libsinsp/lua_parser.cpp
+@@ -32,7 +32,7 @@ extern "C" {
+ #include "lauxlib.h"
+ }
+ 
+-const static struct luaL_reg ll_filter [] =
++const static struct luaL_Reg ll_filter [] =
+ {
+ 	{"rel_expr", &lua_parser_cbacks::rel_expr},
+ 	{"bool_op", &lua_parser_cbacks::bool_op},
+diff --git a/userspace/libsinsp/lua_parser_api.cpp b/userspace/libsinsp/lua_parser_api.cpp
+index c89e9126..c3d8008a 100644
+--- a/userspace/libsinsp/lua_parser_api.cpp
++++ b/userspace/libsinsp/lua_parser_api.cpp
+@@ -266,7 +266,7 @@ int lua_parser_cbacks::rel_expr(lua_State *ls)
+ 					string err = "Got non-table as in-expression operand\n";
+ 					throw sinsp_exception("parser API error");
+ 				}
+-				int n = luaL_getn(ls, 4);  /* get size of table */
++				int n = lua_objlen (ls, 4);  /* get size of table */
+ 				for (i=1; i<=n; i++)
+ 				{
+ 					lua_rawgeti(ls, 4, i);

cmake/modules/sysdig.cmake

@@ -29,8 +29,8 @@ file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
 # default below In case you want to test against another sysdig version just pass the variable - ie., `cmake
 # -DSYSDIG_VERSION=dev ..`
 if(NOT SYSDIG_VERSION)
-  set(SYSDIG_VERSION "2aa88dcf6243982697811df4c1b484bcbe9488a2")
-  set(SYSDIG_CHECKSUM "SHA256=a737077543a6f3473ab306b424bcf7385d788149829ed1538252661b0f20d0f6")
+  set(SYSDIG_VERSION "5c0b863ddade7a45568c0ac97d037422c9efb750")
+  set(SYSDIG_CHECKSUM "SHA256=9de717b3a4b611ea6df56afee05171860167112f74bb7717b394bcc88ac843cd")
 endif()
 set(PROBE_VERSION "${SYSDIG_VERSION}")
 
@@ -57,6 +57,7 @@ add_subdirectory("${SYSDIG_SOURCE_DIR}/driver" "${PROJECT_BINARY_DIR}/driver")
 # Add libscap directory
 add_definitions(-D_GNU_SOURCE)
 add_definitions(-DHAS_CAPTURE)
+add_definitions(-DNOCURSESUI)
 if(MUSL_OPTIMIZED_BUILD)
   add_definitions(-DMUSL_OPTIMIZED)
 endif()

cmake/modules/yaml-cpp.cmake

@@ -10,6 +10,7 @@
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 #
+mark_as_advanced(YAMLCPP_INCLUDE_DIR YAMLCPP_LIB)
 if(NOT USE_BUNDLED_DEPS)
   find_path(YAMLCPP_INCLUDE_DIR NAMES yaml-cpp/yaml.h)
   find_library(YAMLCPP_LIB NAMES yaml-cpp)

docker/README.md

@@ -1,17 +1,16 @@
 # Falco Dockerfiles
 
-This directory contains various ways to package Falco as a container and related tools. 
+This directory contains various ways to package Falco as a container and related tools.
 
 ## Currently Supported Images
 
 | Name | Directory | Description |
 |---|---|---|
-| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco | Falco (DEB built from git tag or from the master) with all the building toolchain. | 
-| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. | 
-| [falcosecurity/falco-no-driver:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver), [falcosecurity/falco-no-driver:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver),[falcosecurity/falco-no-driver:master](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver) | docker/no-driver | Falco (TGZ built from git tag or from the master) without the building toolchain. | 
-| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source. Used to build Falco (CI). | 
-| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). | 
+| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco | Falco (DEB built from git tag or from the master) with all the building toolchain. |
+| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. |
+| [falcosecurity/falco-no-driver:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver), [falcosecurity/falco-no-driver:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver),[falcosecurity/falco-no-driver:master](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver) | docker/no-driver | Falco (TGZ built from git tag or from the master) without the building toolchain. |
+| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/getting-started/source/) for more details on building from source. Used to build Falco (CI). |
+| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). |
 | _to not be published_ | docker/local | Built on-the-fly and used by falco-tester. |
 
 > Note: `falco-builder`, `falco-tester` (and the `docker/local` image that it's built on the fly) are not integrated into the release process because they are development and CI tools that need to be manually pushed only when updated.
-

docker/driver-loader/Dockerfile

@@ -3,7 +3,7 @@ FROM falcosecurity/falco:${FALCO_IMAGE_TAG}
 
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 
-LABEL usage="docker run -i -t -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --name NAME IMAGE"
 
 ENV HOST_ROOT /host
 ENV HOME /root

docker/falco/Dockerfile

@@ -2,7 +2,7 @@ FROM debian:stable
 
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 
-LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc --name NAME IMAGE"
 
 ARG FALCO_VERSION=latest
 ARG VERSION_BUCKET=deb

docker/no-driver/Dockerfile

@@ -1,7 +1,5 @@
 FROM ubuntu:18.04 as ubuntu
 
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-
 ARG FALCO_VERSION
 ARG VERSION_BUCKET=bin
 
@@ -22,6 +20,14 @@ RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/
 
 FROM scratch
 
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+
+LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
+# NOTE: for the "least privileged" use case, please refer to the official documentation
+
+ENV HOST_ROOT /host
+ENV HOME /root
+
 COPY --from=ubuntu /falco /
 
 CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/tester/root/usr/bin/entrypoint

@@ -1,7 +1,5 @@
 #!/usr/bin/env bash
 
-set -u -o pipefail
-
 BUILD_DIR=${BUILD_DIR:-/build}
 SOURCE_DIR=${SOURCE_DIR:-/source}
 SKIP_PACKAGES_TESTS=${SKIP_PACKAGES_TESTS:-false}
@@ -9,6 +7,9 @@ SKIP_PACKAGES_TESTS=${SKIP_PACKAGES_TESTS:-false}
 CMD=${1:-test}
 shift
 
+# Stop the execution if a command in the pipeline has an error, from now on
+set -e -u -o pipefail
+
 # build type can be "debug" or "release", fallbacks to "release" by default
 BUILD_TYPE=$(echo "$BUILD_TYPE" | tr "[:upper:]" "[:lower:]")
 case "$BUILD_TYPE" in
@@ -49,7 +50,8 @@ case "$CMD" in
 "test")
     if [ -z "$FALCO_VERSION" ]; then
         echo "Automatically figuring out Falco version."
-        FALCO_VERSION=$("$BUILD_DIR/$BUILD_TYPE/userspace/falco/falco" --version | head -n 1 | cut -d' ' -f3 | tr -d '\r')
+        FALCO_VERSION_FULL=$("$BUILD_DIR/$BUILD_TYPE/userspace/falco/falco" --version)
+        FALCO_VERSION=$(echo "$FALCO_VERSION_FULL" | head -n 1 | cut -d' ' -f3  | tr -d '\r')
         echo "Falco version: $FALCO_VERSION"
     fi
     if [ -z "$FALCO_VERSION" ]; then

falco.yaml

@@ -87,6 +87,23 @@ syscall_event_drops:
   rate: .03333
   max_burst: 10
 
+# Falco continuously monitors outputs performance. When an output channel does not allow
+# to deliver an alert within a given deadline, an error is reported indicating
+# which output is blocking notifications.
+# The timeout error will be reported to the log according to the above log_* settings.
+# Note that the notification will not be discarded from the output queue; thus,
+# output channels may indefinitely remain blocked.
+# An output timeout error indeed indicate a misconfiguration issue or I/O problems
+# that cannot be recovered by Falco and should be fixed by the user.
+#
+# The "output_timeout" value specifies the duration in milliseconds to wait before
+# considering the deadline exceed.
+#
+# With a 2000ms default, the notification consumer can block the Falco output
+# for up to 2 seconds without reaching the timeout.
+
+output_timeout: 2000
+
 # A throttling mechanism implemented as a token bucket limits the
 # rate of falco notifications. This throttling is controlled by the following configuration
 # options:

proposals/20200828-structured-exception-handling.md

@@ -0,0 +1,240 @@
+# Proposal for First Class Structured Exceptions in Falco Rules
+
+## Summary
+
+## Motivation
+
+Almost all Falco Rules have cases where the behavior detected by the
+rule should be allowed. For example, The rule Write Below Binary Dir
+has exceptions for specific programs that are known to write below
+these directories as a part of software installation/management:
+
+```yaml
+- rule: Write below binary dir
+  desc: an attempt to write to any file below a set of binary directories
+  condition: >
+    bin_dir and evt.dir = < and open_write
+    and not package_mgmt_procs
+    and not exe_running_docker_save
+    and not python_running_get_pip
+    and not python_running_ms_oms
+    and not user_known_write_below_binary_dir_activities
+...
+```
+In most cases, these exceptions are expressed as concatenations to the original rule's condition. For example, looking at the macro package_mgmt_procs:
+
+```yaml
+- macro: package_mgmt_procs
+  condition: proc.name in (package_mgmt_binaries)
+```
+
+The result is appending `and not proc.name in (package_mgmt_binaries)` to the condition of the rule.
+
+A more extreme case of this is the write_below_etc macro used by Write below etc rule. It has tens of exceptions:
+
+```
+...
+    and not sed_temporary_file
+    and not exe_running_docker_save
+    and not ansible_running_python
+    and not python_running_denyhosts
+    and not fluentd_writing_conf_files
+    and not user_known_write_etc_conditions
+    and not run_by_centrify
+    and not run_by_adclient
+    and not qualys_writing_conf_files
+    and not git_writing_nssdb
+...
+```
+
+The exceptions all generally follow the same structure--naming a program and a directory prefix below /etc where that program is allowed to write files.
+
+### Using Appends/Overwrites to Customize Rules
+
+An important way to customize rules and macros is to use `append: true` to add to them, or `append: false` to define a new rule/macro, overwriting the original rule/macro. Here's an example from Update Package Repository:
+
+```yaml
+- list: package_mgmt_binaries
+  items: [rpm_binaries, deb_binaries, update-alternat, gem, pip, pip3, sane-utils.post, alternatives, chef-client, apk, snapd]
+
+- macro: package_mgmt_procs
+  condition: proc.name in (package_mgmt_binaries)
+
+- macro: user_known_update_package_registry
+  condition: (never_true)
+
+- rule: Update Package Repository
+  desc: Detect package repositories get updated
+  condition: >
+    ((open_write and access_repositories) or (modify and modify_repositories))
+    and not package_mgmt_procs
+    and not exe_running_docker_save
+    and not user_known_update_package_registry
+```
+
+If someone wanted to add additional exceptions to this rule, they could add the following to the user_rules file:
+
+```yaml
+- list: package_mgmt_binaries
+  items: [puppet]
+  append: true
+
+- macro: package_mgmt_procs
+  condition: and not proc.pname=chef
+  append: true
+
+- macro: user_known_update_package_registry
+  condition: (proc.name in (npm))
+  append: false
+```
+
+This adds an 3 different exceptions:
+* an additional binary to package_mgmt_binaries (because append is true),
+* adds to package_mgmt_procs, adding an exception for programs spawned by chef (because append is true)
+* overrides the macro user_known_update_package_registry to add an exception for npm (because append is false).
+
+### Problems with Appends/Overrides to Define Exceptions
+
+Although the concepts of macros and lists in condition fields, combined with appending to lists/conditions in macros/rules, is very general purpose, it can be unwieldy:
+
+* Appending to conditions can result in incorrect behavior, unless the original condition has its logical operators set up properly with parentheses. For example:
+
+```yaml
+rule: my_rule
+condition: (evt.type=open and (fd.name=/tmp/foo or fd.name=/tmp/bar))
+
+rule: my_rule
+condition: or fd.name=/tmp/baz
+append: true
+```
+
+Results in unintended behavior. It will match any fd related event where the name is /tmp/baz, when the intent was probably to add /tmp/baz as an additional opened file.
+
+* A good convention many rules use is to have a clause "and not user_known_xxxx" built into the condition field. However, it's not in all rules and its use is a bit haphazard.
+
+* Appends and overrides can get confusing if you try to apply them multiple times. For example:
+
+```yaml
+macro: allowed_files
+condition: fd.name=/tmp/foo
+
+...
+
+macro: allowed_files
+condition: and fd.name=/tmp/bar
+append: true
+```
+
+If someone wanted to override the original behavior of allowed_files, they would have to use `append: false` in a third definition of allowed_files, but this would result in losing the append: true override.
+
+## Solution: Exceptions as first class objects
+
+To address some of these problems, we will add the notion of Exceptions as top level objects alongside Rules, Macros, and Lists. A rule that supports exceptions must define a new key `exceptions` in the rule. The exceptions key is a list of identifier plus list of tuples of filtercheck fields. Here's an example:
+
+```yaml
+- rule: Write below binary dir
+  desc: an attempt to write to any file below a set of binary directories
+  condition: >
+    bin_dir and evt.dir = < and open_write
+    and not package_mgmt_procs
+    and not exe_running_docker_save
+    and not python_running_get_pip
+    and not python_running_ms_oms
+    and not user_known_write_below_binary_dir_activities
+  exceptions:
+   - name: proc_writer
+     fields: [proc.name, fd.directory]
+   - name: container_writer
+     fields: [container.image.repository, fd.directory]
+     comps: [=, startswith]
+   - name: proc_filenames
+     fields: [proc.name, fd.name]
+     comps: [=, in]
+   - name: filenames
+     fields: fd.filename
+     comps: in
+```
+
+This rule defines four kinds of exceptions:
+  * proc_writer: uses a combination of proc.name and fd.directory
+  * container_writer: uses a combination of container.image.repository and fd.directory
+  * proc_filenames: uses a combination of process and list of filenames.
+  * filenames: uses a list of filenames
+
+The specific strings "proc_writer"/"container_writer"/"proc_filenames"/"filenames" are arbitrary strings and don't have a special meaning to the rules file parser. They're only used to link together the list of field names with the list of field values that exist in the exception object.
+
+proc_writer does not have any comps property, so the fields are directly compared to values using the = operator. container_writer does have a comps property, so each field will be compared to the corresponding exception items using the corresponding comparison operator.
+
+proc_filenames uses the in comparison operator, so the corresponding values entry should be a list of filenames.
+
+filenames differs from the others in that it names a single field and single comp operator. This changes how the exception condition snippet is constructed (see below).
+
+Notice that exceptions are defined as a part of the rule. This is important because the author of the rule defines what construes a valid exception to the rule. In this case, an exception can consist of a process and file directory (actor and target), but not a process name only (too broad).
+
+Exception values will most commonly be defined in rules with append: true. Here's an example:
+
+```yaml
+- list: apt_files
+  items: [/bin/ls, /bin/rm]
+
+- rule: Write below binary dir
+  exceptions:
+  - name: proc_writer
+    values:
+    - [apk, /usr/lib/alpine]
+    - [npm, /usr/node/bin]
+  - name: container_writer
+    values:
+    - [docker.io/alpine, /usr/libexec/alpine]
+  - name: proc_filenames
+    values:
+    - [apt, apt_files]
+    - [rpm, [/bin/cp, /bin/pwd]]
+  - name: filenames
+    values: [python, go]
+```
+
+A rule exception applies if for a given event, the fields in a rule.exception match all of the values in some exception.item. For example, if a program `apk` writes to a file below `/usr/lib/alpine`, the rule will not trigger, even if the condition is met.
+
+Notice that an item in a values list can be a list. This allows building exceptions with operators like "in", "pmatch", etc. that work on a list of items. The item can also be a name of an existing list. If not present surrounding parantheses will be added.
+
+Finally, note that the structure of the values property differs between the items where fields is a list of fields (proc_writer/container_writer/proc_filenames) and when it is a single field (procs_only). This changes how the condition snippet is constructed.
+
+### Implementation
+
+For exception items where the fields property is a list of field names, each exception can be thought of as an implicit "and not (field1 cmp1 val1 and field2 cmp2 val2 and...)" appended to the rule's condition. For exception items where the fields property is a single field name, the exception can be thought of as an implict "and not field cmp (val1, val2, ...)". In practice, that's how exceptions will be implemented.
+
+When a rule is parsed, the original condition will be wrapped in an extra layer of parentheses and all exception values will be appended to the condition. For example, using the example above, the resulting condition will be:
+
+```
+(<Write below binary dir condition>) and not (
+    (proc.name = apk and fd.directory = /usr/lib/alpine) or (proc.name = npm and fd.directory = /usr/node/bin) or
+	(container.image.repository = docker.io/alpine and fd.directory startswith /usr/libexec/alpine) or
+	(proc.name=apt and fd.name in (apt_files))) or
+	(fd.filename in (python, go))))
+```
+
+The exceptions are effectively syntatic sugar that allows expressing sets of exceptions in a concise way.
+
+### Advantages
+
+Adding Exception objects as described here has several advantages:
+
+* All rules will implicitly support exceptions. A rule writer doesn't need to define a user_known_xxx macro and add it to the condition.
+* The rule writer has some controls on what defines a valid exception. The rule author knows best what is a good exception, and can define the fields that make up the exception.
+* With this approach, it's much easier to add and manage multiple sets of exceptions from multiple sources. You're just combining lists of tuples of filtercheck field values.
+
+## Backwards compatibility
+
+To take advantage of these new features, users will need to upgrade Falco to a version that supports exception objects and exception keys in rules. For the most part, however, the rules file structure is unchanged.
+
+This approach does not remove the ability to append to exceptions nor the existing use of user_xxx macros to define exceptions to rules. It only provides an additional way to express exceptions. Hopefully, we can migrate existing exceptions to use this approach, but there isn't any plan to make wholesale rules changes as a part of this.
+
+This approach is for the most part backwards compatible with older Falco releases. To implement exceptions, we'll add a preprocessing element to rule parsing. The main Falco engine is unchanged.
+
+However, there are a few changes we'll have to make to Falco rules file parsing:
+
+* Currently, Falco will reject files containing anything other than rule/macro/list top-level objects. As a result, `exception` objects would be rejected. We'll probably want to make a one-time change to Falco to allow arbitrary top level objects.
+* Similarly, Falco will reject rule objects with exception keys. We'll also probably want to change Falco to allow unknown keys inside rule/macro/list/exception objects.
+
+

proposals/20201025-drivers-storage-s3.md

@@ -0,0 +1,137 @@
+# Falco Drivers Storage S3
+
+Supersedes: [20200818-artifacts-storage.md#drivers](20200818-artifacts-storage.md#drivers)
+
+Supersedes: [20200901-artifacts-cleanup.md#drivers](20200901-artifacts-cleanup.md#drivers)
+
+## Introduction
+
+In the past days, as many people probably noticed, Bintray started rate-limiting our users, effectively preventing them from downloading any kernel module, rpm/deb package or any pre-built dependency we host there.
+
+This does not only interrupt the workflow of our users but also the workflow of the contributors, since without bintray most of our container images and CMake files can’t download the dependencies we mirror.
+
+### What is the cause?
+
+We had a spike in adoption apparently, either a user with many nodes or an increased number of users. We don’t know this detail specifically yet because bintray does not give us very fine-grained statistics on this.
+
+This is the 30-days history:
+
+![A spike on driver downloads the last ten days](20201025-drivers-storage-s3_downloads.png)
+
+As you can see, we can only see that they downloaded the latest kernel module driver version, however we can’t see if:
+
+* It’s a single source or many different users
+
+* What is the kernel/OS they are using
+
+### What do we host on Bintray?
+
+* RPM packages: high traffic but very manageable ~90k downloads a month
+
+* Deb packages:low traffic ~5k downloads a month
+
+* Pre-built image Dependencies: low traffic, will eventually disappear in the future
+
+* Kernel modules: very high traffic, 700k downloads in 10 days, this is what is causing the current problems. They are primarily used by users of our container images.
+
+* eBPF probes: low traffic ~5k downloads a month
+
+### Motivations to go to S3 instead of Bintray for the Drivers
+
+Bintray does an excellent service at building the rpm/deb structures for us, however we also use them for S3-like storage for the drivers. We have ten thousand files hosted there and the combinations are infinite.
+
+
+Before today, we had many issues with storage even without the spike in users we are seeing since the last ten days.
+
+## Context on AWS
+
+Amazon AWS, recently gave credits to the Falco project to operate some parts of the infrastructure on AWS. The CNCF is providing a sub-account we are already using for the migration of the other pieces (like Prow).
+
+## Interactions with other teams and the CNCF
+
+* The setup on the AWS account side already done, this is all technical work.
+
+* We need to open a CNCF service account ticket for the download.falco.org subdomain to point to the S3 bucket we want to use
+
+## The Plan
+
+We want to propose to move the drivers and the container dependencies to S3.
+
+#### Moving means:
+
+* We create a public S3 bucket with [stats enabled](https://docs.aws.amazon.com/AmazonS3/latest/dev/analytics-storage-class.html)
+
+* We attach the bucket to a cloudfront distribution behind the download.falco.org subdomain
+
+* We move the current content keeping the same web server directory structure
+
+* We change the Falco Dockerfiles and driver loader script accordingly
+
+* We update test-infra to push the drivers to S3
+
+* Once we have the drivers in S3, we can ask bintray to relax the limits for this month so that our users are able to download the other packages we keep there. Otherwise they will have to wait until November 1st. We only want to do that after the moving because otherwise we will hit the limits pretty quickly.
+
+#### The repositories we want to move are:
+
+* [https://bintray.com/falcosecurity/driver](https://bintray.com/falcosecurity/driver) will become https://download.falco.org/driver
+
+* [https://bintray.com/falcosecurity/dependencies](https://bintray.com/falcosecurity/dependencies) will become https://download.falco.org/dependencies
+
+#### Changes in Falco
+
+* [Search for bintray ](https://github.com/falcosecurity/falco/search?p=2&q=bintray)on the Falco repo and replace the URL for the CMake and Docker files.
+
+* It’s very important to change the DRIVERS_REPO environment variable [here](https://github.com/falcosecurity/falco/blob/0a33f555eb8e019806b46fea8b80a6302a935421/CMakeLists.txt#L86) - this is what updates the falco-driver-loader scripts that the users and container images use to fetch the module
+
+#### Changes in Test Infra
+
+* We need to use the S3 cli instead of jfrog cli to upload to the s3 bucket after building [here](https://github.com/falcosecurity/test-infra/blob/master/.circleci/config.yml)
+
+* We can probably remove jfrog from that repo since it only deals with drivers and drivers are being put on S3 now
+
+* Instructions on how to setup the S3 directory structure [here](https://falco.org/docs/installation/#install-driver)
+
+    * `/$driver_version$/falco_$target$_$kernelrelease$_$kernelversion$.[ko|o]`
+
+#### Changes to Falco website
+
+* Changes should not be necessary, we are not updating the way people install Falco but only the driver. The driver is managed by a script we can change.
+
+## Mitigation and next steps for the users
+
+* **The average users should be good to go now, Bintray raised our limits and we have some room to do this without requiring manual steps on your end**
+
+* **Users that can’t wait for us to have the S3 setup done: **can setup an S3 as driver repo themselves, push the drivers they need to it after compiling them (they can use [Driverkit](https://github.com/falcosecurity/driverkit) for that) Instructions on how to setup the S3 directory structure [here](https://falco.org/docs/installation/#install-driver).
+
+* **Users that can’t wait but don’t want to setup a webserver themselves**: the falco-driver-loader script can also compile the module for you. Make sure to install the kernel-headers on your nodes.
+
+* **Users that can wait** we will approve this document and act on the plan described here by providing the DRIVERS_REPO at  [https://download.falco.org/driver](https://download.falco.org/driver) that then you can use
+
+### How to use an alternative DRIVERS_REPO ?
+
+**On bash:**
+
+export DRIVERS_REPO=https://your-url-here
+
+**Docker**
+
+Pass it as environment variable using the docker run flag -e - for example:
+
+docker run -e DRIVERS_REPO=[https://your-url-here](https://your-url-here)
+
+**Kubernetes**
+
+spec:
+
+  containers:
+
+  - env:
+
+    - name: DRIVERS_REPO
+
+      value: https://your-url-here
+
+## Release
+
+Next release is on December 1st, we want to rollout a hotfix 0.26.2 release that only contains the updated script before that date so that users don’t get confused and we can just tell them "update Falco" to get the thing working again.
+

proposals/2021019-libraries-donation.md

@@ -0,0 +1,167 @@
+# OSS Libraries Donation Plan
+
+## Summary
+
+Sysdig Inc. intends to donate **libsinsp**, **libscap**, the **kernel module driver** and the **eBPF driver sources** by moving them to the Falco project.
+
+This means that some parts of the [draios/sysdig](https://github.com/draios/sysdig) repository will be moved to a new GitHub repository called [falcosecurity/libs](https://github.com/falcosecurity/libs).
+
+This plan aims to describe and clarify the terms and goals to get the donation done.
+
+## Motivation
+
+There are two main OSS projects using the libraries and drivers that we are aware of:
+
+- [sysdig](https://github.com/draios/sysdig)  the command line tool
+- [Falco](https:/github.com/falcosecurity/falco), the CNCF project.
+
+Since the Falco project is a heavy user of the libraries, a lot more than the sysdig cli tool, Sysdig (the company) decided to donate the libraries and the driver to the Falco community.
+
+Sysdig (the command line tool) will continue to use the libraries now provided by the Falco community underneath.
+
+This change is win-win for both parties because of the following reasons:
+
+- The Falco community owns the source code of the three most important parts of the software it distributes.
+  - Right now it is "only" an engine on top of the libraries. This **donation** helps in making the scope of the Falco project broader. Having the majority of the source code under an **open governance** in the same organization gives the Falco project more contribution opportunities, helps it in **evolving independently** and makes the whole Falco community a strong owner of the processes and decision making regarding those crucial parts.
+
+- Given the previous point, Sysdig (the command line tool) will benefit from the now **extended contributors base**
+
+- Sysdig (the company) can now focus on the user experience and user space features
+
+- **Contributions** to the libraries and drivers will be **easier** to spread across the Falco community
+
+- By being donated, with their own **release process**, **release artifacts**, and **documentation**, the libraries can now live on their own and possibly be used directly in other projects by becoming fundamental pieces for their success.
+
+## Goals
+
+There are many sub-projects and each of them interacts in a different way in this donation.
+
+Let's see the goals per sub-project.
+
+### libsinsp
+
+1. Extract libsinsp from `draios/sysdig/userspace/libsinsp` (keeping the commit history) into [falcosecurity/libs](https://github.com/falcosecurity/libs)
+
+2. The migration comes first, then we can do additional PRs for the points below so that we do only one thing at a time and keep the history linear
+
+3. Keep the same code, refactorings will need to be done in subsequent PRs and approved separately
+
+4. Adapt the CMake and build files
+
+5. Install [poiana](https://github.com/poiana) and its workflows on it
+
+6. Define the `OWNERS`
+
+   - Owners are chosen from the current major contributors (considering the past two years) to this project, given their availability, commitment is key
+
+7. When possible, migrate issues and PRs to the new repository
+
+8. Distribute the `libsinsp.so` library and headers as an artifact (rpm, deb, tar.gz) following the falcosecurity current process
+
+9. Distribute the `libsinsp.a` library and headers as an artifact (rpm, deb, tar.gz) following the falcosecurity current process
+
+10. Creation of the CI scripts using the Falco CI and Falco Infra
+
+11. The CI scripts will need to publish the artifacts in the current falcosecurity artifacts repository
+
+12. Artifacts will be pushed for every tag (release) and for every master merge (development release)
+
+13. Falco follows a [multi-stage model for adopting new projects](https://github.com/falcosecurity/evolution#falco-project-evolution), in this case we will do an exception since the library is foundational for Falco and it has a very good track record already
+
+14. This project will go already "Official support" once the donation is completed
+
+15. Contributing, Code of Conduct, Governance, Security, and Support will be the same as the rest of the organization, find them [here](https://github.com/falcosecurity/.github)
+
+16. Every other additional change will need to have its own process with a proposal
+
+17. Implement the release process as described above
+
+18. Propose a change to Falco repository to use the artifacts produced by the libsinsp release process for the build
+
+19. Document the API
+
+### libscap
+
+1. Extract libscap from `draios/sysdig/userspace/libscap` (keeping the commit history) into [falcosecurity/libs](https://github.com/falcosecurity/libs)
+
+2. The migration comes first, then we can do additional PRs for the points below so that we do only one thing at a time and keep the history linear
+
+3. Keep the same code, refactorings will need to be done in subsequent PRs and approved separately
+
+4. Adapt the CMake and build files
+
+5. Install [poiana](https://github.com/poiana) and its workflows on it
+
+6. Define the `OWNERS`
+
+   - Owners are chosen from the current major contributors (considering the past two years) to this project, given their availability, commitment is key
+
+7. When possible, migrate issues and PRs to the new repository
+
+8. Distribute the `libscap.so` library and headers as an artifact (rpm, deb, tar.gz) following the falcosecurity current process
+
+9. Distribute the `libscap.a` library and headers as an artifact (rpm, deb, tar.gz) following the falcosecurity current process
+
+10. Creation of the CI scripts using the Falco CI and Falco Infra
+
+11. The CI scripts will need to publish the artifacts in the current falcosecurity artifacts repository
+
+12. Artifacts will be pushed for every tag (release) and for every master merge (development release)
+
+13. Falco follows a [multi-stage model for adopting new projects](https://github.com/falcosecurity/evolution#falco-project-evolution), in this case we will do an exception since the library is foundational for Falco and it has a very good track record already
+
+14. This project will go already "Official support" once the donation is completed
+
+15. Contributing, Code of Conduct, Governance, Security, and Support will be the same as the rest of the organization, find them [here](https://github.com/falcosecurity/.github)
+
+16. Every other additional change will need to have its own process with a proposal
+
+17. Implement the release process as described above
+
+18. Propose a change to Falco repository to use the artifacts produced by the libscap  release process for the build
+
+19. Document the API
+
+### Drivers: Kernel module and eBPF probe
+
+1. Extract them from `draios/sysdig/driver` (keeping the commit history) into [falcosecurity/libs](https://github.com/falcosecurity/libs)
+
+2. The migration comes first, then we can do additional PRs for the point below so that we do only one thing at a time and keep the history linear
+
+3. Keep the same code, refactorings will need to be done in subsequent PRs and approved separately
+
+4. Adapt the Makefiles and build files
+
+5. Install [poiana](https://github.com/poiana) and its workflows on it
+
+6. Define the `OWNERS`
+
+   - Owners are chosen from the current major contributors (considering the past two years) to this project, given their availability, commitment is key
+
+7. When possible, migrate issues and PRs to the new repository
+
+8. Falco follows a [multi-stage model for adopting new projects](https://github.com/falcosecurity/evolution#falco-project-evolution), in this case we will do an exception since the library is foundational for Falco and it has a very good track record already. We are just changing maintenance ownership
+
+9. Contributing, Code of Conduct, Governance, Security, and Support will be the same as the rest of the organization, find them [here](https://github.com/falcosecurity/.github)
+
+10. Every other additional change will need to have its own process with a proposal
+
+11. The Falco community already ships driver artifacts using [driverkit](https://github.com/falcosecurity/driverkit) and the [test-infra repository](https://github.com/falcosecurity/test-infra)
+
+    - Adapt the place from which [driverkit](https://github.com/falcosecurity/driverkit) grabs the drivers source
+
+12. This project will go already "Official support" once the migration is completed.
+
+### Falco
+
+1. Adapt the CMake files to point to the new homes for libscap, libsinsp and the drivers
+
+2. When distributing the deb and rpm, libscap and libsinsp will need to be install dependencies and not anymore compiled into Falco
+
+### Driverkit
+
+1. Change the source location for the drivers to point to the new driver repository
+
+### pdig
+
+1. The project will need to be adapted to use libscap and libsinsp and the fillers from their new location

rules/k8s_audit_rules.yaml

@@ -14,7 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-- required_engine_version: 2
+- required_engine_version: 8
 
 # Like always_true/always_false, but works with k8s audit events
 - macro: k8s_audit_always_true
@@ -49,12 +49,19 @@
     "kubernetes-admin",
     vertical_pod_autoscaler_users,
     cluster-autoscaler,
-    "system:addon-manager"
+    "system:addon-manager",
+    "cloud-controller-manager",
+    "eks:node-manager"
     ]
 
 - rule: Disallowed K8s User
   desc: Detect any k8s operation by users outside of an allowed set of users.
-  condition: kevt and non_system_user and not ka.user.name in (allowed_k8s_users)
+  condition: kevt and non_system_user
+  exceptions:
+    - name: user_names
+      fields: ka.user.name
+      comps: in
+      values: [allowed_k8s_users]
   output: K8s Operation performed by user not in allowed list of users (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
   priority: WARNING
   source: k8s_audit
@@ -121,6 +128,10 @@
   desc: >
     Detect an attempt to start a pod with a container image outside of a list of allowed images.
   condition: kevt and pod and kcreate and not allowed_k8s_containers
+  exceptions:
+    - name: image_repos
+      fields: ka.req.pod.containers.image.repository
+      comps: in
   output: Pod started with container not in allowed list (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
   priority: WARNING
   source: k8s_audit
@@ -129,7 +140,12 @@
 - rule: Create Privileged Pod
   desc: >
     Detect an attempt to start a pod with a privileged container
-  condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true) and not ka.req.pod.containers.image.repository in (falco_privileged_images)
+  condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true)
+  exceptions:
+    - name: image_repos
+      fields: ka.req.pod.containers.image.repository
+      comps: in
+      values: [falco_privileged_images]
   output: Pod started with privileged container (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
   priority: WARNING
   source: k8s_audit
@@ -143,7 +159,12 @@
   desc: >
     Detect an attempt to start a pod with a volume from a sensitive host directory (i.e. /proc).
     Exceptions are made for known trusted images.
-  condition: kevt and pod and kcreate and sensitive_vol_mount and not ka.req.pod.containers.image.repository in (falco_sensitive_mount_images)
+  condition: kevt and pod and kcreate and sensitive_vol_mount
+  exceptions:
+    - name: image_repos
+      fields: ka.req.pod.containers.image.repository
+      comps: in
+      values: [falco_sensitive_mount_images]
   output: Pod started with sensitive mount (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image volumes=%jevt.value[/requestObject/spec/volumes])
   priority: WARNING
   source: k8s_audit
@@ -152,7 +173,12 @@
 # Corresponds to K8s CIS Benchmark 1.7.4
 - rule: Create HostNetwork Pod
   desc: Detect an attempt to start a pod using the host network.
-  condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostnetwork_images)
+  condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true)
+  exceptions:
+    - name: image_repos
+      fields: ka.req.pod.containers.image.repository
+      comps: in
+      values: [falco_hostnetwork_images]
   output: Pod started using host network (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
   priority: WARNING
   source: k8s_audit
@@ -165,6 +191,9 @@
   desc: >
     Detect an attempt to start a service with a NodePort service type
   condition: kevt and service and kcreate and ka.req.service.type=NodePort and not user_known_node_port_service
+  exceptions:
+    - name: services
+      fields: [ka.target.namespace, ka.target.name]
   output: NodePort Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace ports=%ka.req.service.ports)
   priority: WARNING
   source: k8s_audit
@@ -183,6 +212,9 @@
   desc: >
      Detect creating/modifying a configmap containing a private credential (aws key, password, etc.)
   condition: kevt and configmap and kmodify and contains_private_credentials
+  exceptions:
+    - name: configmaps
+      fields: [ka.target.namespace, ka.req.configmap.name]
   output: K8s configmap with private credential (user=%ka.user.name verb=%ka.verb configmap=%ka.req.configmap.name config=%ka.req.configmap.obj)
   priority: WARNING
   source: k8s_audit
@@ -193,6 +225,10 @@
   desc: >
     Detect any request made by the anonymous user that was allowed
   condition: kevt and ka.user.name=system:anonymous and ka.auth.decision="allow" and not health_endpoint
+  exceptions:
+    - name: user_names
+      fields: ka.user.name
+      comps: in
   output: Request by anonymous user allowed (user=%ka.user.name verb=%ka.verb uri=%ka.uri reason=%ka.auth.reason))
   priority: WARNING
   source: k8s_audit
@@ -206,6 +242,10 @@
 # events to be stateful, so it could know if a container named in an
 # attach request was created privileged or not. For now, we have a
 # less severe rule that detects attaches/execs to any pod.
+#
+# For the same reason, you can't use things like image names/prefixes,
+# as the event that creates the pod (which has the images) is a
+# separate event than the actual exec/attach to the pod.
 
 - macro: user_known_exec_pod_activities
   condition: (k8s_audit_never_true)
@@ -214,6 +254,10 @@
   desc: >
     Detect any attempt to attach/exec to a pod
   condition: kevt_started and pod_subresource and kcreate and ka.target.subresource in (exec,attach) and not user_known_exec_pod_activities
+  exceptions:
+    - name: user_names
+      fields: ka.user.name
+      comps: in
   output: Attach/Exec to pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace action=%ka.target.subresource command=%ka.uri.param[command])
   priority: NOTICE
   source: k8s_audit
@@ -223,10 +267,14 @@
   condition: (k8s_audit_never_true)
 
 # Only works when feature gate EphemeralContainers is enabled
+# Definining empty exceptions just to avoid warnings. There isn't any
+#  great exception for this kind of object, as you'd expect the images
+#  to vary wildly.
 - rule: EphemeralContainers Created
   desc: >
     Detect any ephemeral container created
   condition: kevt and pod_subresource and kmodify and ka.target.subresource in (ephemeralcontainers) and not user_known_pod_debug_activities
+  exceptions:
   output: Ephemeral container is created in pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace ephemeral_container_name=%jevt.value[/requestObject/ephemeralContainers/0/name] ephemeral_container_image=%jevt.value[/requestObject/ephemeralContainers/0/image])
   priority: NOTICE
   source: k8s_audit
@@ -238,7 +286,12 @@
 
 - rule: Create Disallowed Namespace
   desc: Detect any attempt to create a namespace outside of a set of known namespaces
-  condition: kevt and namespace and kcreate and not ka.target.name in (allowed_namespaces)
+  condition: kevt and namespace and kcreate
+  exceptions:
+    - name: services
+      fields: ka.target.name
+      comps: in
+      values: [allowed_namespaces]
   output: Disallowed namespace created (user=%ka.user.name ns=%ka.target.name)
   priority: WARNING
   source: k8s_audit
@@ -278,15 +331,16 @@
     k8s_image_list
     ]
 
-- macro: allowed_kube_namespace_pods
-  condition: (ka.req.pod.containers.image.repository in (user_allowed_kube_namespace_image_list) or
-              ka.req.pod.containers.image.repository in (allowed_kube_namespace_image_list))
-
 # Detect any new pod created in the kube-system namespace
 - rule: Pod Created in Kube Namespace
   desc: Detect any attempt to create a pod in the kube-system or kube-public namespaces
-  condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public) and not allowed_kube_namespace_pods
+  condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public)
   output: Pod created in kube namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
+  exceptions:
+    - name: images
+      fields: ka.req.pod.containers.image.repository
+      comps: in
+      values: [user_allowed_kube_namespace_image_list, allowed_kube_namespace_image_list]
   priority: WARNING
   source: k8s_audit
   tags: [k8s]
@@ -301,6 +355,9 @@
 - rule: Service Account Created in Kube Namespace
   desc: Detect any attempt to create a serviceaccount in the kube-system or kube-public namespaces
   condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public) and response_successful and not trusted_sa
+  exceptions:
+    - name: accounts
+      fields: [ka.target.namespace, ka.target.name]
   output: Service account created in kube namespace (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace)
   priority: WARNING
   source: k8s_audit
@@ -313,6 +370,9 @@
   desc: Detect any attempt to modify/delete a ClusterRole/Role starting with system
   condition: kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and
              not ka.target.name in (system:coredns, system:managed-certificate-controller)
+  exceptions:
+    - name: roles
+      fields: [ka.target.namespace, ka.target.name]
   output: System ClusterRole/Role modified or deleted (user=%ka.user.name role=%ka.target.name ns=%ka.target.namespace action=%ka.verb)
   priority: WARNING
   source: k8s_audit
@@ -323,6 +383,10 @@
 - rule: Attach to cluster-admin Role
   desc: Detect any attempt to create a ClusterRoleBinding to the cluster-admin user
   condition: kevt and clusterrolebinding and kcreate and ka.req.binding.role=cluster-admin
+  exceptions:
+    - name: subjects
+      fields: ka.req.binding.subjects
+      comps: in
   output: Cluster Role Binding to cluster-admin role (user=%ka.user.name subject=%ka.req.binding.subjects)
   priority: WARNING
   source: k8s_audit
@@ -331,6 +395,10 @@
 - rule: ClusterRole With Wildcard Created
   desc: Detect any attempt to create a Role/ClusterRole with wildcard resources or verbs
   condition: kevt and (role or clusterrole) and kcreate and (ka.req.role.rules.resources intersects ("*") or ka.req.role.rules.verbs intersects ("*"))
+  exceptions:
+    - name: roles
+      fields: ka.target.name
+      comps: in
   output: Created Role/ClusterRole with wildcard (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
   priority: WARNING
   source: k8s_audit
@@ -343,6 +411,10 @@
 - rule: ClusterRole With Write Privileges Created
   desc: Detect any attempt to create a Role/ClusterRole that can perform write-related actions
   condition: kevt and (role or clusterrole) and kcreate and writable_verbs
+  exceptions:
+    - name: roles
+      fields: ka.target.name
+      comps: in
   output: Created Role/ClusterRole with write privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
   priority: NOTICE
   source: k8s_audit
@@ -351,6 +423,10 @@
 - rule: ClusterRole With Pod Exec Created
   desc: Detect any attempt to create a Role/ClusterRole that can exec to pods
   condition: kevt and (role or clusterrole) and kcreate and ka.req.role.rules.resources intersects ("pods/exec")
+  exceptions:
+    - name: roles
+      fields: ka.target.name
+      comps: in
   output: Created Role/ClusterRole with pod exec privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
   priority: WARNING
   source: k8s_audit
@@ -362,12 +438,16 @@
 - macro: consider_activity_events
   condition: (k8s_audit_always_true)
 
+# Activity events don't have exceptions. They do define an empty
+# exceptions property just to avoid warnings when loading rules.
+
 - macro: kactivity
   condition: (kevt and consider_activity_events)
 
 - rule: K8s Deployment Created
   desc: Detect any attempt to create a deployment
   condition: (kactivity and kcreate and deployment and response_successful)
+  exceptions:
   output: K8s Deployment Created (user=%ka.user.name deployment=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
@@ -376,6 +456,7 @@
 - rule: K8s Deployment Deleted
   desc: Detect any attempt to delete a deployment
   condition: (kactivity and kdelete and deployment and response_successful)
+  exceptions:
   output: K8s Deployment Deleted (user=%ka.user.name deployment=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
@@ -384,6 +465,7 @@
 - rule: K8s Service Created
   desc: Detect any attempt to create a service
   condition: (kactivity and kcreate and service and response_successful)
+  exceptions:
   output: K8s Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
@@ -392,6 +474,7 @@
 - rule: K8s Service Deleted
   desc: Detect any attempt to delete a service
   condition: (kactivity and kdelete and service and response_successful)
+  exceptions:
   output: K8s Service Deleted (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
@@ -400,6 +483,7 @@
 - rule: K8s ConfigMap Created
   desc: Detect any attempt to create a configmap
   condition: (kactivity and kcreate and configmap and response_successful)
+  exceptions:
   output: K8s ConfigMap Created (user=%ka.user.name configmap=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
@@ -408,6 +492,7 @@
 - rule: K8s ConfigMap Deleted
   desc: Detect any attempt to delete a configmap
   condition: (kactivity and kdelete and configmap and response_successful)
+  exceptions:
   output: K8s ConfigMap Deleted (user=%ka.user.name configmap=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
@@ -416,6 +501,7 @@
 - rule: K8s Namespace Created
   desc: Detect any attempt to create a namespace
   condition: (kactivity and kcreate and namespace and response_successful)
+  exceptions:
   output: K8s Namespace Created (user=%ka.user.name namespace=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
@@ -424,6 +510,7 @@
 - rule: K8s Namespace Deleted
   desc: Detect any attempt to delete a namespace
   condition: (kactivity and non_system_user and kdelete and namespace and response_successful)
+  exceptions:
   output: K8s Namespace Deleted (user=%ka.user.name namespace=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
@@ -432,6 +519,7 @@
 - rule: K8s Serviceaccount Created
   desc: Detect any attempt to create a service account
   condition: (kactivity and kcreate and serviceaccount and response_successful)
+  exceptions:
   output: K8s Serviceaccount Created (user=%ka.user.name user=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
@@ -440,6 +528,7 @@
 - rule: K8s Serviceaccount Deleted
   desc: Detect any attempt to delete a service account
   condition: (kactivity and kdelete and serviceaccount and response_successful)
+  exceptions:
   output: K8s Serviceaccount Deleted (user=%ka.user.name user=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
@@ -448,6 +537,7 @@
 - rule: K8s Role/Clusterrole Created
   desc: Detect any attempt to create a cluster role/role
   condition: (kactivity and kcreate and (clusterrole or role) and response_successful)
+  exceptions:
   output: K8s Cluster Role Created (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
@@ -456,6 +546,7 @@
 - rule: K8s Role/Clusterrole Deleted
   desc: Detect any attempt to delete a cluster role/role
   condition: (kactivity and kdelete and (clusterrole or role) and response_successful)
+  exceptions:
   output: K8s Cluster Role Deleted (user=%ka.user.name role=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
@@ -464,6 +555,7 @@
 - rule: K8s Role/Clusterrolebinding Created
   desc: Detect any attempt to create a clusterrolebinding
   condition: (kactivity and kcreate and clusterrolebinding and response_successful)
+  exceptions:
   output: K8s Cluster Role Binding Created (user=%ka.user.name binding=%ka.target.name subjects=%ka.req.binding.subjects role=%ka.req.binding.role resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
@@ -472,6 +564,7 @@
 - rule: K8s Role/Clusterrolebinding Deleted
   desc: Detect any attempt to delete a clusterrolebinding
   condition: (kactivity and kdelete and clusterrolebinding and response_successful)
+  exceptions:
   output: K8s Cluster Role Binding Deleted (user=%ka.user.name binding=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
@@ -480,6 +573,7 @@
 - rule: K8s Secret Created
   desc: Detect any attempt to create a secret. Service account tokens are excluded.
   condition: (kactivity and kcreate and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
+  exceptions:
   output: K8s Secret Created (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
@@ -488,6 +582,7 @@
 - rule: K8s Secret Deleted
   desc: Detect any attempt to delete a secret Service account tokens are excluded.
   condition: (kactivity and kdelete and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
+  exceptions:
   output: K8s Secret Deleted (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
@@ -506,6 +601,7 @@
 - rule: All K8s Audit Events
   desc: Match all K8s Audit Events
   condition: kall
+  exceptions:
   output: K8s Audit Event received (user=%ka.user.name verb=%ka.verb uri=%ka.uri obj=%jevt.obj)
   priority: DEBUG
   source: k8s_audit
@@ -520,11 +616,11 @@
 - list: full_admin_k8s_users
   items: ["admin", "kubernetes-admin",  "kubernetes-admin@kubernetes", "kubernetes-admin@cluster.local", "minikube-user"]
 
-# This rules detect an operation triggered by an user name that is 
-# included in the list of those that are default administrators upon 
-# cluster creation. This may signify a permission setting too broader. 
-# As we can't check for role of the user on a general ka.* event, this 
-# may or may not be an administrator. Customize the full_admin_k8s_users 
+# This rules detect an operation triggered by an user name that is
+# included in the list of those that are default administrators upon
+# cluster creation. This may signify a permission setting too broader.
+# As we can't check for role of the user on a general ka.* event, this
+# may or may not be an administrator. Customize the full_admin_k8s_users
 # list to your needs, and activate at your discrection.
 
 # # How to test:
@@ -534,10 +630,14 @@
 - rule: Full K8s Administrative Access
   desc: Detect any k8s operation by a user name that may be an administrator with full access.
   condition: >
-    kevt 
-    and non_system_user 
-    and ka.user.name in (admin_k8s_users) 
+    kevt
+    and non_system_user
+    and ka.user.name in (full_admin_k8s_users)
     and not allowed_full_admin_users
+  exceptions:
+    - name: user_names
+      fields: ka.user.name
+      comps: in
   output: K8s Operation performed by full admin user (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
   priority: WARNING
   source: k8s_audit
@@ -571,10 +671,13 @@
   desc: Detect any attempt to create an ingress without TLS certification.
   condition: >
     (kactivity and kcreate and ingress and response_successful and not ingress_tls)
+  exceptions:
+    - name: ingresses
+      fields: [ka.target.namespace, ka.target.name]
   output: >
     K8s Ingress Without TLS Cert Created (user=%ka.user.name ingress=%ka.target.name
     namespace=%ka.target.namespace)
-  source: k8s_audit    
+  source: k8s_audit
   priority: WARNING
   tags: [k8s, network]
 
@@ -597,11 +700,15 @@
   desc: >
     Detect a node successfully joined the cluster outside of the list of allowed nodes.
   condition: >
-    kevt and node 
-    and kcreate 
-    and response_successful 
-    and not allow_all_k8s_nodes 
-    and not ka.target.name in (allowed_k8s_nodes)
+    kevt and node
+    and kcreate
+    and response_successful
+    and not allow_all_k8s_nodes
+  exceptions:
+    - name: nodes
+      fields: ka.target.name
+      comps: in
+      values: [allowed_k8s_nodes]
   output: Node not in allowed list successfully joined the cluster (user=%ka.user.name node=%ka.target.name)
   priority: ERROR
   source: k8s_audit
@@ -611,11 +718,15 @@
   desc: >
     Detect an unsuccessful attempt to join the cluster for a node not in the list of allowed nodes.
   condition: >
-    kevt and node 
-    and kcreate 
-    and not response_successful 
-    and not allow_all_k8s_nodes 
-    and not ka.target.name in (allowed_k8s_nodes)
+    kevt and node
+    and kcreate
+    and not response_successful
+    and not allow_all_k8s_nodes
+  exceptions:
+    - name: nodes
+      fields: ka.target.name
+      comps: in
+      values: [allowed_k8s_nodes]
   output: Node not in allowed list tried unsuccessfully to join the cluster  (user=%ka.user.name node=%ka.target.name reason=%ka.response.reason)
   priority: WARNING
   source: k8s_audit

scripts/falco-driver-loader

@@ -220,7 +220,7 @@ load_kernel_module() {
 	rmmod "${DRIVER_NAME}" 2>/dev/null
 	WAIT_TIME=0
 	KMOD_NAME=$(echo "${DRIVER_NAME}" | tr "-" "_")
-	while lsmod | grep "${KMOD_NAME}" > /dev/null 2>&1 && [ $WAIT_TIME -lt "${MAX_RMMOD_WAIT}" ]; do
+	while lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}" && [ $WAIT_TIME -lt "${MAX_RMMOD_WAIT}" ]; do 
 		if rmmod "${DRIVER_NAME}" 2>/dev/null; then
 			echo "* Unloading ${DRIVER_NAME} module succeeded after ${WAIT_TIME}s"
 			break
@@ -232,7 +232,7 @@ load_kernel_module() {
 		sleep 1
 	done
 
-	if lsmod | grep "${KMOD_NAME}" > /dev/null 2>&1; then
+	if lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}" > /dev/null 2>&1; then
 		echo "* ${DRIVER_NAME} module seems to still be loaded, hoping the best"
 		exit 0
 	fi

test/confs/program_output.yaml

@@ -41,4 +41,4 @@ stdout_output:
 
 program_output:
   enabled: true
-  program: cat > /tmp/falco_outputs/program_output.txt
+  program: cat >> /tmp/falco_outputs/program_output.txt

test/confs/stdout_output.yaml

@@ -0,0 +1,42 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# File containing Falco rules, loaded at startup.
+rules_file: /etc/falco_rules.yaml
+
+# Whether to output events in json or text
+json_output: false
+
+# Send information logs to stderr and/or syslog Note these are *not* security
+# notification logs! These are just Falco lifecycle (and possibly error) logs.
+log_stderr: false
+log_syslog: false
+
+# Where security notifications should go.
+# Multiple outputs can be enabled.
+
+syslog_output:
+  enabled: false
+
+file_output:
+  enabled: false
+
+stdout_output:
+  enabled: true
+
+program_output:
+  enabled: false

test/falco_test.py

@@ -1,4 +1,4 @@
- #!/usr/bin/env python
+#!/usr/bin/env python
 #
 # Copyright (C) 2019 The Falco Authors.
 #
@@ -31,6 +31,7 @@ from avocado.utils import process
 from watchdog.observers import Observer
 from watchdog.events import PatternMatchingEventHandler
 
+
 class FalcoTest(Test):
 
     def setUp(self):
@@ -49,17 +50,20 @@ class FalcoTest(Test):
         self.stdout_is = self.params.get('stdout_is', '*', default='')
         self.stderr_is = self.params.get('stderr_is', '*', default='')
 
-        self.stdout_contains = self.params.get('stdout_contains', '*', default='')
+        self.stdout_contains = self.params.get(
+            'stdout_contains', '*', default='')
 
         if not isinstance(self.stdout_contains, list):
             self.stdout_contains = [self.stdout_contains]
 
-        self.stderr_contains = self.params.get('stderr_contains', '*', default='')
+        self.stderr_contains = self.params.get(
+            'stderr_contains', '*', default='')
 
         if not isinstance(self.stderr_contains, list):
             self.stderr_contains = [self.stderr_contains]
 
-        self.stdout_not_contains = self.params.get('stdout_not_contains', '*', default='')
+        self.stdout_not_contains = self.params.get(
+            'stdout_not_contains', '*', default='')
 
         if not isinstance(self.stdout_not_contains, list):
             if self.stdout_not_contains == '':
@@ -67,7 +71,8 @@ class FalcoTest(Test):
             else:
                 self.stdout_not_contains = [self.stdout_not_contains]
 
-        self.stderr_not_contains = self.params.get('stderr_not_contains', '*', default='')
+        self.stderr_not_contains = self.params.get(
+            'stderr_not_contains', '*', default='')
 
         if not isinstance(self.stderr_not_contains, list):
             if self.stderr_not_contains == '':
@@ -83,15 +88,18 @@ class FalcoTest(Test):
             self.trace_file = os.path.join(build_dir, "test", self.trace_file)
 
         self.json_output = self.params.get('json_output', '*', default=False)
-        self.json_include_output_property = self.params.get('json_include_output_property', '*', default=True)
+        self.json_include_output_property = self.params.get(
+            'json_include_output_property', '*', default=True)
         self.all_events = self.params.get('all_events', '*', default=False)
         self.priority = self.params.get('priority', '*', default='debug')
-        self.rules_file = self.params.get('rules_file', '*', default=os.path.join(self.basedir, '../rules/falco_rules.yaml'))
+        self.rules_file = self.params.get(
+            'rules_file', '*', default=os.path.join(self.basedir, '../rules/falco_rules.yaml'))
 
         if not isinstance(self.rules_file, list):
             self.rules_file = [self.rules_file]
 
-        self.validate_rules_file = self.params.get('validate_rules_file', '*', default=False)
+        self.validate_rules_file = self.params.get(
+            'validate_rules_file', '*', default=False)
 
         if self.validate_rules_file == False:
             self.validate_rules_file = []
@@ -118,13 +126,15 @@ class FalcoTest(Test):
                 file = os.path.join(self.basedir, file)
             self.rules_args = self.rules_args + "-r " + file + " "
 
-        self.conf_file = self.params.get('conf_file', '*', default=os.path.join(self.basedir, '../falco.yaml'))
+        self.conf_file = self.params.get(
+            'conf_file', '*', default=os.path.join(self.basedir, '../falco.yaml'))
         if not os.path.isabs(self.conf_file):
             self.conf_file = os.path.join(self.basedir, self.conf_file)
 
         self.run_duration = self.params.get('run_duration', '*', default='')
 
-        self.disabled_rules = self.params.get('disabled_rules', '*', default='')
+        self.disabled_rules = self.params.get(
+            'disabled_rules', '*', default='')
 
         if self.disabled_rules == '':
             self.disabled_rules = []
@@ -137,7 +147,8 @@ class FalcoTest(Test):
         for rule in self.disabled_rules:
             self.disabled_args = self.disabled_args + "-D " + rule + " "
 
-        self.detect_counts = self.params.get('detect_counts', '*', default=False)
+        self.detect_counts = self.params.get(
+            'detect_counts', '*', default=False)
         if self.detect_counts == False:
             self.detect_counts = {}
         else:
@@ -147,7 +158,8 @@ class FalcoTest(Test):
                     detect_counts[key] = value
             self.detect_counts = detect_counts
 
-        self.rules_warning = self.params.get('rules_warning', '*', default=False)
+        self.rules_warning = self.params.get(
+            'rules_warning', '*', default=False)
         if self.rules_warning == False:
             self.rules_warning = set()
         else:
@@ -172,9 +184,11 @@ class FalcoTest(Test):
 
         self.package = self.params.get('package', '*', default='None')
 
-        self.addl_docker_run_args = self.params.get('addl_docker_run_args', '*', default='')
+        self.addl_docker_run_args = self.params.get(
+            'addl_docker_run_args', '*', default='')
 
-        self.copy_local_driver = self.params.get('copy_local_driver', '*', default=False)
+        self.copy_local_driver = self.params.get(
+            'copy_local_driver', '*', default=False)
 
         # Used by possibly_copy_local_driver as well as docker run
         self.module_dir = os.path.expanduser("~/.falco")
@@ -197,9 +211,33 @@ class FalcoTest(Test):
                         os.makedirs(filedir)
             self.outputs = outputs
 
+        self.output_strictly_contains = self.params.get(
+            'output_strictly_contains', '*', default='')
+
+        if self.output_strictly_contains == '':
+            self.output_strictly_contains = {}
+        else:
+            output_strictly_contains = []
+            for item in self.output_strictly_contains:
+                for key, value in list(item.items()):
+                    output = {}
+                    output['actual'] = key
+                    output['expected'] = value
+                    output_strictly_contains.append(output)
+                    if not output['actual'] == 'stdout':
+                        # Clean up file from previous tests, if any
+                        if os.path.exists(output['actual']):
+                            os.remove(output['actual'])
+                        # Create the parent directory for the file if it doesn't exist.
+                        filedir = os.path.dirname(output['actual'])
+                        if not os.path.isdir(filedir):
+                            os.makedirs(filedir)
+            self.output_strictly_contains = output_strictly_contains
+
         self.grpcurl_res = None
         self.grpc_observer = None
-        self.grpc_address = self.params.get('address', 'grpc/*', default='/var/run/falco.sock')
+        self.grpc_address = self.params.get(
+            'address', 'grpc/*', default='/var/run/falco.sock')
         if self.grpc_address.startswith("unix://"):
             self.is_grpc_using_unix_socket = True
             self.grpc_address = self.grpc_address[len("unix://"):]
@@ -211,21 +249,22 @@ class FalcoTest(Test):
         self.grpc_results = self.params.get('results', 'grpc/*', default='')
         if self.grpc_results == '':
             self.grpc_results = []
-        else: 
+        else:
             if type(self.grpc_results) == str:
                 self.grpc_results = [self.grpc_results]
 
         self.disable_tags = self.params.get('disable_tags', '*', default='')
 
         if self.disable_tags == '':
-            self.disable_tags=[]
+            self.disable_tags = []
 
         self.run_tags = self.params.get('run_tags', '*', default='')
 
         if self.run_tags == '':
-            self.run_tags=[]
+            self.run_tags = []
 
-        self.time_iso_8601 = self.params.get('time_iso_8601', '*', default=False)
+        self.time_iso_8601 = self.params.get(
+            'time_iso_8601', '*', default=False)
 
     def tearDown(self):
         if self.package != 'None':
@@ -244,7 +283,8 @@ class FalcoTest(Test):
         self.log.debug("Actual warning rules: {}".format(found_warning))
 
         if found_warning != self.rules_warning:
-            self.fail("Expected rules with warnings {} does not match actual rules with warnings {}".format(self.rules_warning, found_warning))
+            self.fail("Expected rules with warnings {} does not match actual rules with warnings {}".format(
+                self.rules_warning, found_warning))
 
     def check_rules_events(self, res):
 
@@ -255,50 +295,60 @@ class FalcoTest(Test):
             events = set(match.group(2).split(","))
             found_events[rule] = events
 
-        self.log.debug("Expected events for rules: {}".format(self.rules_events))
+        self.log.debug(
+            "Expected events for rules: {}".format(self.rules_events))
         self.log.debug("Actual events for rules: {}".format(found_events))
 
         for rule in list(found_events.keys()):
             if found_events.get(rule) != self.rules_events.get(rule):
-                self.fail("rule {}: expected events {} differs from actual events {}".format(rule, self.rules_events.get(rule), found_events.get(rule)))
+                self.fail("rule {}: expected events {} differs from actual events {}".format(
+                    rule, self.rules_events.get(rule), found_events.get(rule)))
 
     def check_detections(self, res):
         # Get the number of events detected.
         match = re.search('Events detected: (\d+)', res.stdout.decode("utf-8"))
         if match is None:
-            self.fail("Could not find a line 'Events detected: <count>' in falco output")
+            self.fail(
+                "Could not find a line 'Events detected: <count>' in falco output")
 
         events_detected = int(match.group(1))
 
         if not self.should_detect and events_detected > 0:
-            self.fail("Detected {} events when should have detected none".format(events_detected))
+            self.fail("Detected {} events when should have detected none".format(
+                events_detected))
 
         if self.should_detect:
             if events_detected == 0:
-                self.fail("Detected {} events when should have detected > 0".format(events_detected))
+                self.fail("Detected {} events when should have detected > 0".format(
+                    events_detected))
 
             for level in self.detect_level:
                 level_line = '(?i){}: (\d+)'.format(level)
                 match = re.search(level_line, res.stdout.decode("utf-8"))
 
                 if match is None:
-                    self.fail("Could not find a line '{}: <count>' in falco output".format(level))
+                    self.fail(
+                        "Could not find a line '{}: <count>' in falco output".format(level))
 
                     events_detected = int(match.group(1))
 
                     if not events_detected > 0:
-                        self.fail("Detected {} events at level {} when should have detected > 0".format(events_detected, level))
+                        self.fail("Detected {} events at level {} when should have detected > 0".format(
+                            events_detected, level))
 
     def check_detections_by_rule(self, res):
         # Get the number of events detected for each rule. Must match the expected counts.
-        match = re.search('Triggered rules by rule name:(.*)', res.stdout.decode("utf-8"), re.DOTALL)
+        match = re.search('Triggered rules by rule name:(.*)',
+                          res.stdout.decode("utf-8"), re.DOTALL)
         if match is None:
-            self.fail("Could not find a block 'Triggered rules by rule name: ...' in falco output")
+            self.fail(
+                "Could not find a block 'Triggered rules by rule name: ...' in falco output")
 
         triggered_rules = match.group(1)
 
         for rule, count in list(self.detect_counts.items()):
-            expected = '\s{}: (\d+)'.format(re.sub(r'([$\.*+?()[\]{}|^])', r'\\\1', rule))
+            expected = '\s{}: (\d+)'.format(
+                re.sub(r'([$\.*+?()[\]{}|^])', r'\\\1', rule))
             match = re.search(expected, triggered_rules)
 
             if match is None:
@@ -307,9 +357,11 @@ class FalcoTest(Test):
                 actual_count = int(match.group(1))
 
             if actual_count != count:
-                self.fail("Different counts for rule {}: expected={}, actual={}".format(rule, count, actual_count))
+                self.fail("Different counts for rule {}: expected={}, actual={}".format(
+                    rule, count, actual_count))
             else:
-                self.log.debug("Found expected count for rule {}: {}".format(rule, count))
+                self.log.debug(
+                    "Found expected count for rule {}: {}".format(rule, count))
 
     def check_outputs(self):
         for output in self.outputs:
@@ -324,7 +376,8 @@ class FalcoTest(Test):
                     found = True
 
             if found == False:
-                self.fail("Could not find a line '{}' in file '{}'".format(output['line'], output['file']))
+                self.fail("Could not find a line '{}' in file '{}'".format(
+                    output['line'], output['file']))
 
         return True
 
@@ -341,7 +394,27 @@ class FalcoTest(Test):
                         attrs = ['time', 'rule', 'priority']
                     for attr in attrs:
                         if not attr in obj:
-                            self.fail("Falco JSON object {} does not contain property \"{}\"".format(line, attr))
+                            self.fail(
+                                "Falco JSON object {} does not contain property \"{}\"".format(line, attr))
+
+    def check_output_strictly_contains(self, res):
+        for output in self.output_strictly_contains:
+            # Read the expected output (from a file) and actual output (either from a file or the stdout),
+            # then check if the actual one strictly contains the expected one.
+
+            expected = open(output['expected']).read()
+
+            if output['actual'] == 'stdout':
+                actual = res.stdout.decode("utf-8")
+            else:
+                actual = open(output['actual']).read()
+
+            if expected not in actual:
+                self.fail("Output '{}' does not strictly contains the expected content '{}'".format(
+                    output['actual'], output['expected']))
+                return False
+
+        return True
 
     def install_package(self):
 
@@ -360,35 +433,39 @@ class FalcoTest(Test):
                                          self.module_dir, self.addl_docker_run_args, image)
 
         elif self.package.endswith(".deb"):
-            self.falco_binary_path = '/usr/bin/falco';
+            self.falco_binary_path = '/usr/bin/falco'
 
             package_glob = "{}/{}".format(self.falcodir, self.package)
 
             matches = glob.glob(package_glob)
 
             if len(matches) != 1:
-                self.fail("Package path {} did not match exactly 1 file. Instead it matched: {}", package_glob, ",".join(matches))
+                self.fail("Package path {} did not match exactly 1 file. Instead it matched: {}",
+                          package_glob, ",".join(matches))
 
             package_path = matches[0]
 
             cmdline = "dpkg -i {}".format(package_path)
-            self.log.debug("Installing debian package via \"{}\"".format(cmdline))
+            self.log.debug(
+                "Installing debian package via \"{}\"".format(cmdline))
             res = process.run(cmdline, timeout=120, sudo=True)
 
         elif self.package.endswith(".rpm"):
-            self.falco_binary_path = '/usr/bin/falco';
+            self.falco_binary_path = '/usr/bin/falco'
 
             package_glob = "{}/{}".format(self.falcodir, self.package)
 
             matches = glob.glob(package_glob)
 
             if len(matches) != 1:
-                self.fail("Package path {} did not match exactly 1 file. Instead it matched: {}", package_glob, ",".join(matches))
+                self.fail("Package path {} did not match exactly 1 file. Instead it matched: {}",
+                          package_glob, ",".join(matches))
 
             package_path = matches[0]
 
             cmdline = "rpm -i --nodeps --noscripts {}".format(package_path)
-            self.log.debug("Installing centos package via \"{}\"".format(cmdline))
+            self.log.debug(
+                "Installing centos package via \"{}\"".format(cmdline))
             res = process.run(cmdline, timeout=120, sudo=True)
 
     def uninstall_package(self):
@@ -398,25 +475,29 @@ class FalcoTest(Test):
 
         elif self.package.endswith(".rpm"):
             cmdline = "rpm -e --noscripts --nodeps falco"
-            self.log.debug("Uninstalling centos package via \"{}\"".format(cmdline))
+            self.log.debug(
+                "Uninstalling centos package via \"{}\"".format(cmdline))
             res = process.run(cmdline, timeout=120, sudo=True)
 
         elif self.package.endswith(".deb"):
             cmdline = "dpkg --purge falco"
-            self.log.debug("Uninstalling debian package via \"{}\"".format(cmdline))
+            self.log.debug(
+                "Uninstalling debian package via \"{}\"".format(cmdline))
             res = process.run(cmdline, timeout=120, sudo=True)
 
     def possibly_copy_driver(self):
         # Remove the contents of ~/.falco regardless of copy_local_driver.
         self.log.debug("Checking for module dir {}".format(self.module_dir))
         if os.path.isdir(self.module_dir):
-            self.log.info("Removing files below directory {}".format(self.module_dir))
+            self.log.info(
+                "Removing files below directory {}".format(self.module_dir))
             for rmfile in glob.glob(self.module_dir + "/*"):
                 self.log.debug("Removing file {}".format(rmfile))
                 os.remove(rmfile)
 
         if self.copy_local_driver:
-            verlines = [str.strip() for str in subprocess.check_output([self.falco_binary_path, "--version"]).splitlines()]
+            verlines = [str.strip() for str in subprocess.check_output(
+                [self.falco_binary_path, "--version"]).splitlines()]
             verstr = verlines[0].decode("utf-8")
             self.log.info("verstr {}".format(verstr))
             falco_version = verstr.split(" ")[2]
@@ -428,10 +509,12 @@ class FalcoTest(Test):
 
             # falco-driver-loader has a more comprehensive set of ways to
             # find the config hash. We only look at /boot/config-<kernel release>
-            md5_output = subprocess.check_output(["md5sum", "/boot/config-{}".format(kernel_release)]).rstrip()
+            md5_output = subprocess.check_output(
+                ["md5sum", "/boot/config-{}".format(kernel_release)]).rstrip()
             config_hash = md5_output.split(" ")[0]
 
-            probe_filename = "falco-{}-{}-{}-{}.ko".format(falco_version, arch, kernel_release, config_hash)
+            probe_filename = "falco-{}-{}-{}-{}.ko".format(
+                falco_version, arch, kernel_release, config_hash)
             driver_path = os.path.join(self.falcodir, "driver", "falco.ko")
             module_path = os.path.join(self.module_dir, probe_filename)
             self.log.debug("Copying {} to {}".format(driver_path, module_path))
@@ -442,20 +525,22 @@ class FalcoTest(Test):
         if len(self.grpc_results) > 0:
             if not self.is_grpc_using_unix_socket:
                 self.fail("This test suite supports gRPC with unix socket only")
-            
-            cmdline = "grpcurl -import-path ../userspace/falco " \
-                            "-proto {} -plaintext -unix {} " \
-                            "{}/{}".format(self.grpc_proto, self.grpc_address, self.grpc_service, self.grpc_method)
+
+            cmdline = "grpcurl -format text -import-path ../userspace/falco " \
+                "-proto {} -plaintext -unix {} " \
+                "{}/{}".format(self.grpc_proto, self.grpc_address,
+                               self.grpc_service, self.grpc_method)
             that = self
+
             class GRPCUnixSocketEventHandler(PatternMatchingEventHandler):
                 def on_created(self, event):
                     # that.log.info("EVENT: {}", event)
                     that.grpcurl_res = process.run(cmdline)
-                    
+
             path = os.path.dirname(self.grpc_address)
             process.run("mkdir -p {}".format(path))
             event_handler = GRPCUnixSocketEventHandler(patterns=['*'],
-                                ignore_directories=True)
+                                                       ignore_directories=True)
             self.grpc_observer = Observer()
             self.grpc_observer.schedule(event_handler, path, recursive=False)
             self.grpc_observer.start()
@@ -470,19 +555,19 @@ class FalcoTest(Test):
             for exp_result in self.grpc_results:
                 found = False
                 for line in self.grpcurl_res.stdout.decode("utf-8").splitlines():
-                    match = re.search(exp_result, line)
-
-                    if match is not None:
+                    if exp_result in line:
                         found = True
+                        break
 
                 if found == False:
-                    self.fail("Could not find a line '{}' in gRPC responses".format(exp_result))
-
+                    self.fail(
+                        "Could not find a line with '{}' in gRPC responses (protobuf text".format(exp_result))
 
     def test(self):
         self.log.info("Trace file %s", self.trace_file)
 
-        self.falco_binary_path = '{}/userspace/falco/falco'.format(self.falcodir)
+        self.falco_binary_path = '{}/userspace/falco/falco'.format(
+            self.falcodir)
 
         self.possibly_copy_driver()
 
@@ -501,9 +586,11 @@ class FalcoTest(Test):
         if self.psp_file != "":
 
             if not os.path.isfile(self.psp_conv_path):
-                self.log.info("Downloading {} to {}".format(self.psp_conv_url, self.psp_conv_path))
+                self.log.info("Downloading {} to {}".format(
+                    self.psp_conv_url, self.psp_conv_path))
 
-                urllib.request.urlretrieve(self.psp_conv_url, self.psp_conv_path)
+                urllib.request.urlretrieve(
+                    self.psp_conv_url, self.psp_conv_path)
                 os.chmod(self.psp_conv_path, stat.S_IEXEC)
 
             conv_cmd = '{} convert psp --psp-path {} --rules-path {}'.format(
@@ -521,7 +608,6 @@ class FalcoTest(Test):
                 psp_rules = myfile.read()
                 self.log.debug("Converted Rules: {}".format(psp_rules))
 
-
         # Run falco
         cmd = '{} {} {} -c {} {} -o json_output={} -o json_include_output_property={} -o priority={} -v'.format(
             self.falco_binary_path, self.rules_args, self.disabled_args, self.conf_file, trace_arg, self.json_output, self.json_include_output_property, self.priority)
@@ -557,22 +643,26 @@ class FalcoTest(Test):
         for pattern in self.stderr_contains:
             match = re.search(pattern, res.stderr.decode("utf-8"))
             if match is None:
-                self.fail("Stderr of falco process did not contain content matching {}".format(pattern))
+                self.fail(
+                    "Stderr of falco process did not contain content matching {}".format(pattern))
 
         for pattern in self.stdout_contains:
             match = re.search(pattern, res.stdout.decode("utf-8"))
             if match is None:
-                self.fail("Stdout of falco process '{}' did not contain content matching {}".format(res.stdout.decode("utf-8"), pattern))
+                self.fail("Stdout of falco process '{}' did not contain content matching {}".format(
+                    res.stdout.decode("utf-8"), pattern))
 
         for pattern in self.stderr_not_contains:
             match = re.search(pattern, res.stderr.decode("utf-8"))
             if match is not None:
-                self.fail("Stderr of falco process contained content matching {} when it should have not".format(pattern))
+                self.fail(
+                    "Stderr of falco process contained content matching {} when it should have not".format(pattern))
 
         for pattern in self.stdout_not_contains:
             match = re.search(pattern, res.stdout.decode("utf-8"))
             if match is not None:
-                self.fail("Stdout of falco process '{}' did contain content matching {} when it should have not".format(res.stdout.decode("utf-8"), pattern))
+                self.fail("Stdout of falco process '{}' did contain content matching {} when it should have not".format(
+                    res.stdout.decode("utf-8"), pattern))
 
         if res.exit_status != self.exit_status:
             self.error("Falco command \"{}\" exited with unexpected return value {} (!= {})".format(
@@ -585,11 +675,13 @@ class FalcoTest(Test):
         self.check_rules_warnings(res)
         if len(self.rules_events) > 0:
             self.check_rules_events(res)
-        self.check_detections(res)
+        if len(self.validate_rules_file) == 0:
+            self.check_detections(res)
         if len(self.detect_counts) > 0:
             self.check_detections_by_rule(res)
         self.check_json_output(res)
         self.check_outputs()
+        self.check_output_strictly_contains(res)
         self.check_grpc()
         pass
 

test/falco_tests.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2016-2018 The Falco Authors..
+# Copyright (C) 2020 The Falco Authors.
 #
 # This file is part of falco.
 #
@@ -262,6 +262,7 @@ trace_files: !mux
   invalid_not_yaml:
     exit_status: 1
     stdout_is: |+
+      1 errors:
       Rules content is not yaml
       ---
       This is not yaml
@@ -273,6 +274,7 @@ trace_files: !mux
   invalid_not_array:
     exit_status: 1
     stdout_is: |+
+      1 errors:
       Rules content is not yaml array of objects
       ---
       foo: bar
@@ -284,6 +286,7 @@ trace_files: !mux
   invalid_array_item_not_object:
     exit_status: 1
     stdout_is: |+
+      1 errors:
       Unexpected element of type string. Each element should be a yaml associative array.
       ---
       - foo
@@ -292,20 +295,10 @@ trace_files: !mux
       - rules/invalid_array_item_not_object.yaml
     trace_file: trace_files/cat_write.scap
 
-  invalid_unexpected object:
-    exit_status: 1
-    stdout_is: |+
-      Unknown rule object: {foo="bar"}
-      ---
-      - foo: bar
-      ---
-    validate_rules_file:
-      - rules/invalid_unexpected_object.yaml
-    trace_file: trace_files/cat_write.scap
-
   invalid_engine_version_not_number:
     exit_status: 1
     stdout_is: |+
+      1 errors:
       Value of required_engine_version must be a number
       ---
       - required_engine_version: not-a-number
@@ -317,6 +310,7 @@ trace_files: !mux
   invalid_yaml_parse_error:
     exit_status: 1
     stdout_is: |+
+      1 errors:
       mapping values are not allowed in this context
       ---
       this : is : not : yaml
@@ -328,6 +322,7 @@ trace_files: !mux
   invalid_list_without_items:
     exit_status: 1
     stdout_is: |+
+      1 errors:
       List must have property items
       ---
       - list: bad_list
@@ -340,6 +335,7 @@ trace_files: !mux
   invalid_macro_without_condition:
     exit_status: 1
     stdout_is: |+
+      1 errors:
       Macro must have property condition
       ---
       - macro: bad_macro
@@ -352,6 +348,7 @@ trace_files: !mux
   invalid_rule_without_output:
     exit_status: 1
     stdout_is: |+
+      1 errors:
       Rule must have property output
       ---
       - rule: no output rule
@@ -359,6 +356,8 @@ trace_files: !mux
         condition: evt.type=fork
         priority: INFO
       ---
+      1 warnings:
+      Rule no output rule: consider adding an exceptions property to define supported exceptions fields
     validate_rules_file:
       - rules/invalid_rule_without_output.yaml
     trace_file: trace_files/cat_write.scap
@@ -366,7 +365,8 @@ trace_files: !mux
   invalid_append_rule_without_condition:
     exit_status: 1
     stdout_is: |+
-      Rule must have property condition
+      1 errors:
+      Rule must have exceptions or condition property
       ---
       - rule: no condition rule
         append: true
@@ -378,6 +378,7 @@ trace_files: !mux
   invalid_append_macro_dangling:
     exit_status: 1
     stdout_is: |+
+      1 errors:
       Macro dangling append has 'append' key but no macro by that name already exists
       ---
       - macro: dangling append
@@ -391,6 +392,7 @@ trace_files: !mux
   invalid_list_append_dangling:
     exit_status: 1
     stdout_is: |+
+      1 errors:
       List my_list has 'append' key but no list by that name already exists
       ---
       - list: my_list
@@ -404,12 +406,15 @@ trace_files: !mux
   invalid_rule_append_dangling:
     exit_status: 1
     stdout_is: |+
+      1 errors:
       Rule my_rule has 'append' key but no rule by that name already exists
       ---
       - rule: my_rule
         condition: evt.type=open
         append: true
       ---
+      1 warnings:
+      Rule my_rule: consider adding an exceptions property to define supported exceptions fields
     validate_rules_file:
       - rules/rule_append_failure.yaml
     trace_file: trace_files/cat_write.scap
@@ -418,7 +423,8 @@ trace_files: !mux
     exit_status: 1
     stdout_contains: |+
       .*invalid_base_macro.yaml: Ok
-      .*invalid_overwrite_macro.yaml: Compilation error when compiling "foo": Undefined macro 'foo' used in filter.
+      .*invalid_overwrite_macro.yaml: 1 errors:
+      Compilation error when compiling "foo": Undefined macro 'foo' used in filter.
       ---
       - macro: some macro
         condition: foo
@@ -433,7 +439,8 @@ trace_files: !mux
     exit_status: 1
     stdout_contains: |+
       .*invalid_base_macro.yaml: Ok
-      .*invalid_append_macro.yaml: Compilation error when compiling "evt.type=execve foo": 17: syntax error, unexpected 'foo', expecting 'or', 'and'
+      .*invalid_append_macro.yaml: 1 errors:
+      Compilation error when compiling "evt.type=execve foo": 17: syntax error, unexpected 'foo', expecting 'or', 'and'
       ---
       - macro: some macro
         condition: evt.type=execve
@@ -450,6 +457,7 @@ trace_files: !mux
   invalid_overwrite_macro_multiple_docs:
     exit_status: 1
     stdout_is: |+
+      1 errors:
       Compilation error when compiling "foo": Undefined macro 'foo' used in filter.
       ---
       - macro: some macro
@@ -463,6 +471,7 @@ trace_files: !mux
   invalid_append_macro_multiple_docs:
     exit_status: 1
     stdout_is: |+
+      1 errors:
       Compilation error when compiling "evt.type=execve foo": 17: syntax error, unexpected 'foo', expecting 'or', 'and'
       ---
       - macro: some macro
@@ -480,7 +489,8 @@ trace_files: !mux
     exit_status: 1
     stdout_contains: |+
       .*invalid_base_rule.yaml: Ok
-      .*invalid_overwrite_rule.yaml: Undefined macro 'bar' used in filter.
+      .*invalid_overwrite_rule.yaml: 1 errors:
+      Undefined macro 'bar' used in filter.
       ---
       - rule: some rule
         desc: some desc
@@ -498,7 +508,8 @@ trace_files: !mux
     exit_status: 1
     stdout_contains: |+
       .*invalid_base_rule.yaml: Ok
-      .*invalid_append_rule.yaml: Compilation error when compiling "evt.type=open bar": 15: syntax error, unexpected 'bar', expecting 'or', 'and'
+      .*invalid_append_rule.yaml: 1 errors:
+      Compilation error when compiling "evt.type=open bar": 15: syntax error, unexpected 'bar', expecting 'or', 'and'
       ---
       - rule: some rule
         desc: some desc
@@ -521,6 +532,7 @@ trace_files: !mux
   invalid_overwrite_rule_multiple_docs:
     exit_status: 1
     stdout_is: |+
+      1 errors:
       Undefined macro 'bar' used in filter.
       ---
       - rule: some rule
@@ -530,6 +542,9 @@ trace_files: !mux
         priority: INFO
         append: false
       ---
+      2 warnings:
+      Rule some rule: consider adding an exceptions property to define supported exceptions fields
+      Rule some rule: consider adding an exceptions property to define supported exceptions fields
     validate_rules_file:
       - rules/invalid_overwrite_rule_multiple_docs.yaml
     trace_file: trace_files/cat_write.scap
@@ -552,6 +567,9 @@ trace_files: !mux
         priority: INFO
         append: true
       ---
+      2 warnings:
+      Rule some rule: consider adding an exceptions property to define supported exceptions fields
+      Rule some rule: consider adding an exceptions property to define supported exceptions fields
     validate_rules_file:
       - rules/invalid_append_rule_multiple_docs.yaml
     trace_file: trace_files/cat_write.scap
@@ -559,6 +577,7 @@ trace_files: !mux
   invalid_missing_rule_name:
     exit_status: 1
     stdout_is: |+
+      1 errors:
       Rule name is empty
       ---
       - rule:
@@ -573,6 +592,7 @@ trace_files: !mux
   invalid_missing_list_name:
     exit_status: 1
     stdout_is: |+
+      1 errors:
       List name is empty
       ---
       - list:
@@ -585,6 +605,7 @@ trace_files: !mux
   invalid_missing_macro_name:
     exit_status: 1
     stdout_is: |+
+      1 errors:
       Macro name is empty
       ---
       - macro:
@@ -596,8 +617,19 @@ trace_files: !mux
 
   invalid_rule_output:
     exit_status: 1
-    stderr_contains: "Runtime error: Error loading rules:.* Invalid output format 'An open was seen %not_a_real_field': 'invalid formatting token not_a_real_field'. Exiting."
-    rules_file:
+    stdout_is: |+
+      1 errors:
+      Invalid output format 'An open was seen %not_a_real_field': 'invalid formatting token not_a_real_field'
+      ---
+      - rule: rule_with_invalid_output
+        desc: A rule with an invalid output field
+        condition: evt.type=open
+        output: "An open was seen %not_a_real_field"
+        priority: WARNING
+      ---
+      1 warnings:
+      Rule rule_with_invalid_output: consider adding an exceptions property to define supported exceptions fields
+    validate_rules_file:
       - rules/invalid_rule_output.yaml
     trace_file: trace_files/cat_write.scap
 
@@ -652,25 +684,50 @@ trace_files: !mux
     trace_file: trace_files/cat_write.scap
     stdout_contains: "Warning An open was seen .cport=<NA> command=cat /dev/null."
 
-  file_output:
+  stdout_output_strict:
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/single_rule.yaml
+    conf_file: confs/stdout_output.yaml
+    trace_file: trace_files/cat_write.scap
+    time_iso_8601: true
+    output_strictly_contains:
+      - stdout: output_files/single_rule_with_cat_write.txt
+
+  stdout_output_json_strict:
+    json_output: True
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/single_rule.yaml
+    conf_file: confs/stdout_output.yaml
+    trace_file: trace_files/cat_write.scap
+    time_iso_8601: true
+    output_strictly_contains:
+      - stdout: output_files/single_rule_with_cat_write.json
+
+  file_output_strict:
     detect: True
     detect_level: WARNING
     rules_file:
       - rules/single_rule.yaml
     conf_file: confs/file_output.yaml
     trace_file: trace_files/cat_write.scap
-    outputs:
-      - /tmp/falco_outputs/file_output.txt: Warning An open was seen
+    time_iso_8601: true
+    output_strictly_contains:
+      - /tmp/falco_outputs/file_output.txt: output_files/single_rule_with_cat_write.txt
 
-  program_output:
+  program_output_strict:
     detect: True
     detect_level: WARNING
     rules_file:
       - rules/single_rule.yaml
     conf_file: confs/program_output.yaml
     trace_file: trace_files/cat_write.scap
-    outputs:
-      - /tmp/falco_outputs/program_output.txt: Warning An open was seen
+    time_iso_8601: true
+    output_strictly_contains:
+      - /tmp/falco_outputs/program_output.txt: output_files/single_rule_with_cat_write.txt
 
   grpc_unix_socket_outputs:
     detect: True
@@ -680,13 +737,26 @@ trace_files: !mux
     conf_file: confs/grpc_unix_socket.yaml
     trace_file: trace_files/cat_write.scap
     run_duration: 5
+    time_iso_8601: true
     grpc:
       address: unix:///tmp/falco/falco.sock
       proto: outputs.proto
       service: falco.outputs.service
       method: get
+      # protobuf text format
       results:
-        - "Warning An open was seen"
+        - "seconds:1470327477 nanos:881781397"
+        - "priority: WARNING"
+        - "rule: \"open_from_cat\""
+        - "output: \"2016-08-04T16:17:57.881781397+0000: Warning An open was seen (command=cat /dev/null)\""
+        # output fields
+        - "key: \"evt.time.iso8601\""
+        - "value: \"2016-08-04T16:17:57.881781397+0000\""
+        - "key: \"proc.cmdline\""
+        - "value: \"cat /dev/null\""
+        # For the hostname, since we don't know that beforehand,
+        # only check the field presence
+        - "hostname: "
 
   detect_counts:
     detect: True
@@ -1079,7 +1149,7 @@ trace_files: !mux
 
   skip_unknown_noevt:
     detect: False
-    stdout_contains: Skipping rule "Contains Unknown Event And Skipping" that contains unknown filter proc.nobody
+    stdout_contains: Skipping rule "Contains Unknown Event And Skipping". contains unknown filter proc.nobody
     rules_file:
       - rules/skip_unknown_evt.yaml
     trace_file: trace_files/cat_write.scap
@@ -1092,14 +1162,33 @@ trace_files: !mux
 
   skip_unknown_error:
     exit_status: 1
-    stderr_contains: Rule "Contains Unknown Event And Not Skipping" contains unknown filter proc.nobody. Exiting.
+    stderr_contains: |+
+      Could not load rules file.*skip_unknown_error.yaml: 1 errors:
+      rule "Contains Unknown Event And Not Skipping". contains unknown filter proc.nobody
+      ---
+      - rule: Contains Unknown Event And Not Skipping
+        desc: Contains an unknown event
+        condition: proc.nobody=cat
+        output: Never
+        skip-if-unknown-filter: false
+        priority: INFO
+      ---
     rules_file:
       - rules/skip_unknown_error.yaml
     trace_file: trace_files/cat_write.scap
 
   skip_unknown_unspec_error:
     exit_status: 1
-    stderr_contains: Rule "Contains Unknown Event And Unspecified" contains unknown filter proc.nobody. Exiting.
+    stderr_contains: |+
+      Could not load rules file .*skip_unknown_unspec.yaml: 1 errors:
+      rule "Contains Unknown Event And Unspecified". contains unknown filter proc.nobody
+      ---
+      - rule: Contains Unknown Event And Unspecified
+        desc: Contains an unknown event
+        condition: proc.nobody=cat
+        output: Never
+        priority: INFO
+      ---
     rules_file:
       - rules/skip_unknown_unspec.yaml
     trace_file: trace_files/cat_write.scap
@@ -1188,3 +1277,10 @@ trace_files: !mux
     trace_file: trace_files/cat_write.scap
     stdout_contains: "2016-08-04T16:17:57.882054739\\+0000: Warning An open was seen"
     stderr_contains: "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\d\\+0000"
+
+  unknown_source:
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/unknown_source.yaml
+    trace_file: trace_files/cat_write.scap

test/falco_tests_exceptions.yaml

@@ -0,0 +1,323 @@
+#
+# Copyright (C) 2016-2020 The Falco Authors..
+#
+# This file is part of falco.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+trace_files: !mux
+
+  rule_exception_no_fields:
+    exit_status: 1
+    stdout_is: |+
+      1 errors:
+      Rule exception item ex1: must have fields property with a list of fields
+      ---
+      - rule: My Rule
+        desc: Some desc
+        condition: evt.type=open and proc.name=cat
+        output: Some output
+        exceptions:
+          - name: ex1
+        priority: error
+      ---
+    validate_rules_file:
+      - rules/exceptions/item_no_fields.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_no_name:
+    exit_status: 1
+    stdout_is: |+
+      1 errors:
+      Rule exception item must have name property
+      ---
+      - rule: My Rule
+        desc: Some desc
+        condition: evt.type=open and proc.name=cat
+        output: Some output
+        exceptions:
+          - fields: [proc.name, fd.filename]
+        priority: error
+      ---
+    validate_rules_file:
+      - rules/exceptions/item_no_name.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_append_no_name:
+    exit_status: 1
+    stdout_is: |+
+      1 errors:
+      Rule exception item must have name property
+      ---
+      - rule: My Rule
+        exceptions:
+          - values:
+              - [nginx, /tmp/foo]
+        append: true
+      ---
+    validate_rules_file:
+      - rules/exceptions/append_item_no_name.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_unknown_fields:
+    exit_status: 1
+    stdout_is: |+
+      1 errors:
+      Rule exception item ex1: field name not.exist is not a supported filter field
+      ---
+      - rule: My Rule
+        desc: Some desc
+        condition: evt.type=open and proc.name=cat
+        output: Some output
+        exceptions:
+          - name: ex1
+            fields: [not.exist]
+        priority: error
+      ---
+    validate_rules_file:
+      - rules/exceptions/item_unknown_fields.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_comps_fields_len_mismatch:
+    exit_status: 1
+    stdout_is: |+
+      1 errors:
+      Rule exception item ex1: fields and comps lists must have equal length
+      ---
+      - rule: My Rule
+        desc: Some desc
+        condition: evt.type=open and proc.name=cat
+        output: Some output
+        exceptions:
+          - name: ex1
+            fields: [proc.name, fd.filename]
+            comps: [=]
+        priority: error
+      ---
+    validate_rules_file:
+      - rules/exceptions/item_comps_fields_len_mismatch.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_unknown_comp:
+    exit_status: 1
+    stdout_is: |+
+      1 errors:
+      Rule exception item ex1: comparison operator no-comp is not a supported comparison operator
+      ---
+      - rule: My Rule
+        desc: Some desc
+        condition: evt.type=open and proc.name=cat
+        output: Some output
+        exceptions:
+          - name: ex1
+            fields: [proc.name, fd.filename]
+            comps: [=, no-comp]
+        priority: error
+      ---
+    validate_rules_file:
+      - rules/exceptions/item_unknown_comp.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_fields_values_len_mismatch:
+    exit_status: 1
+    stdout_is: |+
+      1 errors:
+      Exception item ex1: fields and values lists must have equal length
+      ---
+      - rule: My Rule
+        desc: Some desc
+        condition: evt.type=open and proc.name=cat
+        output: Some output
+        exceptions:
+          - name: ex1
+            fields: [proc.name, fd.filename]
+            values:
+              - [nginx]
+        priority: error
+      ---
+    validate_rules_file:
+      - rules/exceptions/item_fields_values_len_mismatch.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_append_fields_values_len_mismatch:
+    exit_status: 1
+    stdout_is: |+
+      1 errors:
+      Exception item ex1: fields and values lists must have equal length
+      ---
+      - rule: My Rule
+        desc: Some desc
+        condition: evt.type=open and proc.name=cat
+        output: Some output
+        exceptions:
+          - name: ex1
+            fields: [proc.name, fd.filename]
+        priority: error
+
+      - rule: My Rule
+        exceptions:
+          - name: ex1
+            values:
+              - [nginx]
+        append: true
+      ---
+    validate_rules_file:
+      - rules/exceptions/append_item_fields_values_len_mismatch.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_append_item_not_in_rule:
+    exit_status: 0
+    stderr_contains: |+
+      1 warnings:
+      Rule My Rule with append=true: no set of fields matching name ex2
+    validate_rules_file:
+      - rules/exceptions/append_item_not_in_rule.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_without_exception:
+    exit_status: 0
+    stderr_contains: |+
+      1 warnings:
+      Rule My Rule: consider adding an exceptions property to define supported exceptions fields
+    validate_rules_file:
+      - rules/exceptions/rule_without_exception.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_no_values:
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_no_values.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_one_value:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_one_value.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_append_one_value:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_append_one_value.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_second_value:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_second_value.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_append_second_value:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_append_second_value.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_second_item:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_second_item.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_append_second_item:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_append_second_item.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_third_item:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_third_item.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_append_third_item:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_append_third_item.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_quoted:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_quoted.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_append_multiple_values:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_append_multiple.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_comp:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_comp.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_append_comp:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_append_comp.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_values_listref:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_values_listref.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_values_listref_noparens:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_values_listref_noparens.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_values_list:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_values_list.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_single_field:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_single_field.yaml
+    trace_file: trace_files/cat_write.scap
+
+  rule_exception_single_field_append:
+    detect: False
+    detect_level: WARNING
+    rules_file:
+      - rules/exceptions/rule_exception_single_field_append.yaml
+    trace_file: trace_files/cat_write.scap
+
+

test/output_files/single_rule_with_cat_write.json

@@ -0,0 +1,8 @@
+{"output":"2016-08-04T16:17:57.881781397+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881781397Z", "output_fields": {"evt.time.iso8601":1470327477881781397,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.881785348+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881785348Z", "output_fields": {"evt.time.iso8601":1470327477881785348,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.881796705+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881796705Z", "output_fields": {"evt.time.iso8601":1470327477881796705,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.881799840+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881799840Z", "output_fields": {"evt.time.iso8601":1470327477881799840,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.882003104+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882003104Z", "output_fields": {"evt.time.iso8601":1470327477882003104,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.882008208+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882008208Z", "output_fields": {"evt.time.iso8601":1470327477882008208,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.882045694+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882045694Z", "output_fields": {"evt.time.iso8601":1470327477882045694,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.882054739+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882054739Z", "output_fields": {"evt.time.iso8601":1470327477882054739,"proc.cmdline":"cat /dev/null"}}

test/output_files/single_rule_with_cat_write.txt

@@ -0,0 +1,8 @@
+2016-08-04T16:17:57.881781397+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.881785348+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.881796705+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.881799840+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.882003104+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.882008208+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.882045694+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.882054739+0000: Warning An open was seen (command=cat /dev/null)

test/rules/exceptions/append_item_fields_values_len_mismatch.yaml

@@ -0,0 +1,31 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+- rule: My Rule
+  desc: Some desc
+  condition: evt.type=open and proc.name=cat
+  output: Some output
+  exceptions:
+    - name: ex1
+      fields: [proc.name, fd.filename]
+  priority: error
+
+- rule: My Rule
+  exceptions:
+    - name: ex1
+      values:
+        - [nginx]
+  append: true

test/rules/exceptions/append_item_no_name.yaml

@@ -0,0 +1,30 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+- rule: My Rule
+  desc: Some desc
+  condition: evt.type=open and proc.name=cat
+  output: Some output
+  exceptions:
+    - name: ex1
+      fields: [proc.name, fd.filename]
+  priority: error
+
+- rule: My Rule
+  exceptions:
+    - values:
+        - [nginx, /tmp/foo]
+  append: true

test/rules/exceptions/append_item_not_in_rule.yaml

@@ -0,0 +1,31 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+- rule: My Rule
+  desc: Some desc
+  condition: evt.type=open and proc.name=cat
+  output: Some output
+  exceptions:
+    - name: ex1
+      fields: [proc.name, fd.filename]
+  priority: error
+
+- rule: My Rule
+  exceptions:
+    - name: ex2
+      values:
+        - [apache, /tmp]
+  append: true

test/rules/exceptions/item_comps_fields_len_mismatch.yaml

@@ -0,0 +1,25 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+- rule: My Rule
+  desc: Some desc
+  condition: evt.type=open and proc.name=cat
+  output: Some output
+  exceptions:
+    - name: ex1
+      fields: [proc.name, fd.filename]
+      comps: [=]
+  priority: error

test/rules/exceptions/item_fields_values_len_mismatch.yaml

@@ -0,0 +1,26 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+- rule: My Rule
+  desc: Some desc
+  condition: evt.type=open and proc.name=cat
+  output: Some output
+  exceptions:
+    - name: ex1
+      fields: [proc.name, fd.filename]
+      values:
+        - [nginx]
+  priority: error

test/rules/exceptions/item_no_fields.yaml

@@ -0,0 +1,23 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+- rule: My Rule
+  desc: Some desc
+  condition: evt.type=open and proc.name=cat
+  output: Some output
+  exceptions:
+    - name: ex1
+  priority: error

test/rules/exceptions/item_no_name.yaml

@@ -0,0 +1,23 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+- rule: My Rule
+  desc: Some desc
+  condition: evt.type=open and proc.name=cat
+  output: Some output
+  exceptions:
+    - fields: [proc.name, fd.filename]
+  priority: error

test/rules/exceptions/item_unknown_comp.yaml

@@ -0,0 +1,25 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+- rule: My Rule
+  desc: Some desc
+  condition: evt.type=open and proc.name=cat
+  output: Some output
+  exceptions:
+    - name: ex1
+      fields: [proc.name, fd.filename]
+      comps: [=, no-comp]
+  priority: error

test/rules/exceptions/item_unknown_fields.yaml

@@ -0,0 +1,24 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+- rule: My Rule
+  desc: Some desc
+  condition: evt.type=open and proc.name=cat
+  output: Some output
+  exceptions:
+    - name: ex1
+      fields: [not.exist]
+  priority: error

test/rules/exceptions/rule_exception_append_comp.yaml

@@ -0,0 +1,38 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+- rule: Open From Cat
+  desc: A process named cat does an open
+  condition: evt.type=open and proc.name=cat
+  output: "An open was seen (command=%proc.cmdline)"
+  exceptions:
+    - name: proc_name
+      fields: [proc.name]
+    - name: proc_name_contains
+      fields: [proc.name]
+      comps: [contains]
+    - name: proc_name_cmdline
+      fields: [proc.name, proc.cmdline]
+    - name: proc_name_cmdline_pname
+      fields: [proc.name, proc.cmdline, proc.pname]
+  priority: WARNING
+
+- rule: Open From Cat
+  exceptions:
+    - name: proc_name_contains
+      values:
+        - [cat]
+  append: true

test/rules/exceptions/rule_exception_append_multiple.yaml

@@ -0,0 +1,42 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+- rule: Open From Cat
+  desc: A process named cat does an open
+  condition: evt.type=open and proc.name=cat
+  output: "An open was seen (command=%proc.cmdline)"
+  exceptions:
+    - name: proc_name
+      fields: [proc.name]
+    - name: proc_name_cmdline
+      fields: [proc.name, proc.cmdline]
+    - name: proc_name_cmdline_pname
+      fields: [proc.name, proc.cmdline, proc.pname]
+  priority: WARNING
+
+- rule: Open From Cat
+  exceptions:
+    - name: proc_name
+      values:
+        - [not-cat]
+  append: true
+
+- rule: Open From Cat
+  exceptions:
+    - name: proc_name
+      values:
+        - [cat]
+  append: true

test/rules/exceptions/rule_exception_append_one_value.yaml

@@ -0,0 +1,37 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+- rule: Open From Cat
+  desc: A process named cat does an open
+  condition: evt.type=open and proc.name=cat
+  output: "An open was seen (command=%proc.cmdline)"
+  exceptions:
+    - name: proc_name
+      fields: [proc.name]
+      values:
+        - [cat]
+    - name: proc_name_cmdline
+      fields: [proc.name, proc.cmdline]
+    - name: proc_name_cmdline_pname
+      fields: [proc.name, proc.cmdline, proc.pname]
+  priority: WARNING
+
+- rule: Open From Cat
+  exceptions:
+    - name: proc_name
+      values:
+        - [cat]
+  append: true

test/rules/exceptions/rule_exception_append_second_item.yaml

@@ -0,0 +1,41 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+- rule: Open From Cat
+  desc: A process named cat does an open
+  condition: evt.type=open and proc.name=cat
+  output: "An open was seen (command=%proc.cmdline)"
+  exceptions:
+    - name: proc_name
+      fields: [proc.name]
+    - name: proc_name_cmdline
+      fields: [proc.name, proc.cmdline]
+    - name: proc_name_cmdline_pname
+      fields: [proc.name, proc.cmdline, proc.pname]
+  priority: WARNING
+
+- rule: Open From Cat
+  exceptions:
+    - name: proc_name
+      values:
+        - [not-cat]
+    - name: proc_name_cmdline
+      values:
+        - [cat, "cat /dev/null"]
+    - name: proc_name_cmdline_pname
+      values:
+        - [not-cat, "cat /dev/null", bash]
+  append: true

test/rules/exceptions/rule_exception_append_second_value.yaml

@@ -0,0 +1,36 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+- rule: Open From Cat
+  desc: A process named cat does an open
+  condition: evt.type=open and proc.name=cat
+  output: "An open was seen (command=%proc.cmdline)"
+  exceptions:
+    - name: proc_name
+      fields: [proc.name]
+    - name: proc_name_cmdline
+      fields: [proc.name, proc.cmdline]
+    - name: proc_name_cmdline_pname
+      fields: [proc.name, proc.cmdline, proc.pname]
+  priority: WARNING
+
+- rule: Open From Cat
+  exceptions:
+    - name: proc_name_cmdline
+      values:
+        - [not-cat, not-cat]
+        - [cat, "cat /dev/null"]
+  append: true

test/rules/exceptions/rule_exception_append_third_item.yaml

@@ -0,0 +1,41 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+- rule: Open From Cat
+  desc: A process named cat does an open
+  condition: evt.type=open and proc.name=cat
+  output: "An open was seen (command=%proc.cmdline)"
+  exceptions:
+    - name: proc_name
+      fields: [proc.name]
+    - name: proc_name_cmdline
+      fields: [proc.name, proc.cmdline]
+    - name: proc_name_cmdline_pname
+      fields: [proc.name, proc.cmdline, proc.pname]
+  priority: WARNING
+
+- rule: Open From Cat
+  exceptions:
+    - name: proc_name
+      values:
+        - [not-cat]
+    - name: proc_name_cmdline
+      values:
+        - [not-cat, "cat /dev/null"]
+    - name: proc_name_cmdline_pname
+      values:
+        - [cat, "cat /dev/null", bash]
+  append: true

test/rules/exceptions/rule_exception_comp.yaml

@@ -0,0 +1,34 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+- rule: Open From Cat
+  desc: A process named cat does an open
+  condition: evt.type=open and proc.name=cat
+  output: "An open was seen (command=%proc.cmdline)"
+  exceptions:
+    - name: proc_name
+      fields: [proc.name]
+    - name: proc_name_contains
+      fields: [proc.name]
+      comps: [contains]
+      values:
+        - [cat]
+    - name: proc_name_cmdline
+      fields: [proc.name, proc.cmdline]
+    - name: proc_name_cmdline_pname
+      fields: [proc.name, proc.cmdline, proc.pname]
+  priority: WARNING
+

test/rules/exceptions/rule_exception_no_values.yaml

@@ -0,0 +1,28 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+- rule: Open From Cat
+  desc: A process named cat does an open
+  condition: evt.type=open and proc.name=cat
+  output: "An open was seen (command=%proc.cmdline)"
+  exceptions:
+    - name: proc_name
+      fields: [proc.name]
+    - name: proc_name_cmdline
+      fields: [proc.name, proc.cmdline]
+    - name: proc_name_cmdline_pname
+      fields: [proc.name, proc.cmdline, proc.pname]
+  priority: WARNING

test/rules/exceptions/rule_exception_one_value.yaml

@@ -0,0 +1,30 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+- rule: Open From Cat
+  desc: A process named cat does an open
+  condition: evt.type=open and proc.name=cat
+  output: "An open was seen (command=%proc.cmdline)"
+  exceptions:
+    - name: proc_name
+      fields: [proc.name]
+      values:
+        - [cat]
+    - name: proc_name_cmdline
+      fields: [proc.name, proc.cmdline]
+    - name: proc_name_cmdline_pname
+      fields: [proc.name, proc.cmdline, proc.pname]
+  priority: WARNING

test/rules/exceptions/rule_exception_quoted.yaml

@@ -0,0 +1,36 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+- rule: Open From Cat
+  desc: A process named cat does an open
+  condition: evt.type=open and proc.name=cat
+  output: "An open was seen (command=%proc.cmdline)"
+  exceptions:
+    - name: proc_name
+      fields: [proc.name]
+    - name: proc_name_cmdline
+      fields: [proc.name, proc.cmdline]
+    - name: proc_name_cmdline_pname
+      fields: [proc.name, proc.cmdline, proc.pname]
+  priority: WARNING
+
+- rule: Open From Cat
+  exceptions:
+    - name: proc_name_cmdline
+      values:
+        - [not-cat, not-cat]
+        - [cat, '"cat /dev/null"']
+  append: true

test/rules/exceptions/rule_exception_second_item.yaml

@@ -0,0 +1,34 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+- rule: Open From Cat
+  desc: A process named cat does an open
+  condition: evt.type=open and proc.name=cat
+  output: "An open was seen (command=%proc.cmdline)"
+  exceptions:
+    - name: proc_name
+      fields: [proc.name]
+      values:
+        - [not-cat]
+    - name: proc_name_cmdline
+      fields: [proc.name, proc.cmdline]
+      values:
+        - [cat, "cat /dev/null"]
+    - name: proc_name_cmdline_pname
+      fields: [proc.name, proc.cmdline, proc.pname]
+      values:
+        - [not-cat, "cat /dev/null", bash]
+  priority: WARNING

test/rules/exceptions/rule_exception_second_value.yaml

@@ -0,0 +1,32 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+- rule: Open From Cat
+  desc: A process named cat does an open
+  condition: evt.type=open and proc.name=cat
+  output: "An open was seen (command=%proc.cmdline)"
+  exceptions:
+    - name: proc_name
+      fields: [proc.name]
+    - name: proc_name_cmdline
+      fields: [proc.name, proc.cmdline]
+      values:
+        - [not-cat, not-cat]
+        - [cat, "cat /dev/null"]
+    - name: proc_name_cmdline_pname
+      fields: [proc.name, proc.cmdline, proc.pname]
+  priority: WARNING
+

test/rules/exceptions/rule_exception_single_field.yaml

@@ -0,0 +1,30 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+- rule: Open From Cat
+  desc: A process named cat does an open
+  condition: evt.type=open and proc.name=cat
+  output: "An open was seen (command=%proc.cmdline)"
+  exceptions:
+    - name: proc_cmdline
+      fields: proc.cmdline
+      comps: in
+      values:
+        - cat /dev/zero
+        - "cat /dev/null"
+  priority: WARNING
+

test/rules/exceptions/rule_exception_single_field_append.yaml

@@ -0,0 +1,37 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+- rule: Open From Cat
+  desc: A process named cat does an open
+  condition: evt.type=open and proc.name=cat
+  output: "An open was seen (command=%proc.cmdline)"
+  exceptions:
+    - name: proc_cmdline
+      fields: proc.cmdline
+      comps: in
+      values:
+        - cat /dev/zero
+  priority: WARNING
+
+- rule: Open From Cat
+  exceptions:
+    - name: proc_cmdline
+      values:
+        - "cat /dev/null"
+  append: true
+
+

test/rules/exceptions/rule_exception_third_item.yaml

@@ -0,0 +1,34 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+- rule: Open From Cat
+  desc: A process named cat does an open
+  condition: evt.type=open and proc.name=cat
+  output: "An open was seen (command=%proc.cmdline)"
+  exceptions:
+    - name: proc_name
+      fields: [proc.name]
+      values:
+        - [not-cat]
+    - name: proc_name_cmdline
+      fields: [proc.name, proc.cmdline]
+      values:
+        - [not-cat, "cat /dev/null"]
+    - name: proc_name_cmdline_pname
+      fields: [proc.name, proc.cmdline, proc.pname]
+      values:
+        - [cat, "cat /dev/null", bash]
+  priority: WARNING

test/rules/exceptions/rule_exception_values_list.yaml

@@ -0,0 +1,29 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+- rule: Open From Cat
+  desc: A process named cat does an open
+  condition: evt.type=open and proc.name=cat
+  output: "An open was seen (command=%proc.cmdline)"
+  exceptions:
+    - name: proc_name_cmdline
+      fields: [proc.name, proc.cmdline]
+      comps: [=, in]
+      values:
+        - [cat, [cat /dev/zero, "cat /dev/null"]]
+  priority: WARNING
+

test/rules/exceptions/rule_exception_values_listref.yaml

@@ -0,0 +1,32 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+- list: cat_cmdlines
+  items: [cat /dev/zero, "cat /dev/null"]
+
+- rule: Open From Cat
+  desc: A process named cat does an open
+  condition: evt.type=open and proc.name=cat
+  output: "An open was seen (command=%proc.cmdline)"
+  exceptions:
+    - name: proc_name_cmdline
+      fields: [proc.name, proc.cmdline]
+      comps: [=, in]
+      values:
+        - [cat, (cat_cmdlines)]
+  priority: WARNING
+

test/rules/exceptions/rule_exception_values_listref_noparens.yaml

@@ -0,0 +1,32 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+- list: cat_cmdlines
+  items: [cat /dev/zero, "cat /dev/null"]
+
+- rule: Open From Cat
+  desc: A process named cat does an open
+  condition: evt.type=open and proc.name=cat
+  output: "An open was seen (command=%proc.cmdline)"
+  exceptions:
+    - name: proc_name_cmdline
+      fields: [proc.name, proc.cmdline]
+      comps: [=, in]
+      values:
+        - [cat, cat_cmdlines]
+  priority: WARNING
+

test/rules/exceptions/rule_without_exception.yaml

@@ -0,0 +1,21 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+- rule: My Rule
+  desc: Some desc
+  condition: evt.type=open and proc.name=cat
+  output: Some output
+  priority: error

test/rules/invalid_unexpected_object.yaml

@@ -1 +0,0 @@
-- foo: bar

test/rules/unknown_source.yaml

@@ -0,0 +1,31 @@
+#
+# Copyright (C) 2021 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+- macro: Macro with unknown source
+  condition: some other unknown filter
+  source: unknown-source
+
+- rule: Rule with unknown source
+  condition: some unknown filter
+  output: some unknown output
+  priority: INFO
+  source: unknown-source
+
+- rule: open_from_cat
+  desc: A process named cat does an open
+  condition: evt.type=open and proc.name=cat
+  output: "An open was seen (command=%proc.cmdline)"
+  priority: WARNING

test/run_regression_tests.sh

@@ -98,14 +98,18 @@ function run_tests() {
     # as we're watching the return status when running avocado.
     set +e
     TEST_RC=0
-    suites=($SCRIPTDIR/falco_traces.yaml $SCRIPTDIR/falco_tests.yaml $SCRIPTDIR/falco_k8s_audit_tests.yaml $SCRIPTDIR/falco_tests_psp.yaml)
+    suites=($SCRIPTDIR/falco_traces.yaml $SCRIPTDIR/falco_tests.yaml $SCRIPTDIR/falco_k8s_audit_tests.yaml $SCRIPTDIR/falco_tests_psp.yaml $SCRIPTDIR/falco_tests_exceptions.yaml)
 
     if [ "$SKIP_PACKAGES_TESTS" = false ] ; then
         suites+=($SCRIPTDIR/falco_tests_package.yaml)
     fi
     
+    XUNIT_DIR="${OPT_BUILD_DIR}/integration-tests-xunit"
+    mkdir -p "${XUNIT_DIR}"
+
     for mult in "${suites[@]}"; do
-        CMD="avocado run --mux-yaml $mult --job-results-dir $SCRIPTDIR/job-results -- $SCRIPTDIR/falco_test.py"
+        XUNIT_FILE_NAME="${XUNIT_DIR}/$(basename "${mult}").xml"
+        CMD="avocado run --xunit ${XUNIT_FILE_NAME} --mux-yaml $mult --job-results-dir $SCRIPTDIR/job-results -- $SCRIPTDIR/falco_test.py"
         echo "Running $CMD"
         BUILD_DIR=${OPT_BUILD_DIR} $CMD
         RC=$?

userspace/engine/falco_engine.cpp

@@ -171,9 +171,8 @@ void falco_engine::load_rules(const string &rules_content, bool verbose, bool al
 					  m_ls);
 	}
 
-	// Note that falco_formats is added to both the lua state used
-	// by the falco engine as well as the separate lua state used
-	// by falco outputs.  Within the engine, only
+	// Note that falco_formats is added to the lua state used
+	// by the falco engine only. Within the engine, only
 	// formats.formatter is used, so we can unconditionally set
 	// json_output to false.
 	bool json_output = false;
@@ -303,31 +302,9 @@ unique_ptr<falco_engine::rule_result> falco_engine::process_sinsp_event(sinsp_ev
 	}
 
 	unique_ptr<struct rule_result> res(new rule_result());
+	res->source = "syscall";
 
-	std::lock_guard<std::mutex> guard(m_ls_semaphore);
-	lua_getglobal(m_ls, lua_on_event.c_str());
-	if(lua_isfunction(m_ls, -1))
-	{
-		lua_pushnumber(m_ls, ev->get_check_id());
-
-		if(lua_pcall(m_ls, 1, 3, 0) != 0)
-		{
-			const char* lerr = lua_tostring(m_ls, -1);
-			string err = "Error invoking function output: " + string(lerr);
-			throw falco_exception(err);
-		}
-		res->evt = ev;
-		const char *p =  lua_tostring(m_ls, -3);
-		res->rule = p;
-		res->source = "syscall";
-		res->priority_num = (falco_common::priority_type) lua_tonumber(m_ls, -2);
-		res->format = lua_tostring(m_ls, -1);
-		lua_pop(m_ls, 3);
-	}
-	else
-	{
-		throw falco_exception("No function " + lua_on_event + " found in lua compiler module");
-	}
+	populate_rule_result(res, ev);
 
 	return res;
 }
@@ -351,33 +328,50 @@ unique_ptr<falco_engine::rule_result> falco_engine::process_k8s_audit_event(json
 	}
 
 	unique_ptr<struct rule_result> res(new rule_result());
+	res->source = "k8s_audit";
 
+	populate_rule_result(res, ev);
+
+	return res;
+}
+
+void falco_engine::populate_rule_result(unique_ptr<struct rule_result> &res, gen_event *ev)
+{
 	std::lock_guard<std::mutex> guard(m_ls_semaphore);
 	lua_getglobal(m_ls, lua_on_event.c_str());
 	if(lua_isfunction(m_ls, -1))
 	{
 		lua_pushnumber(m_ls, ev->get_check_id());
 
-		if(lua_pcall(m_ls, 1, 3, 0) != 0)
+		if(lua_pcall(m_ls, 1, 4, 0) != 0)
 		{
 			const char* lerr = lua_tostring(m_ls, -1);
 			string err = "Error invoking function output: " + string(lerr);
 			throw falco_exception(err);
 		}
-		res->evt = ev;
-		const char *p =  lua_tostring(m_ls, -3);
+		const char *p =  lua_tostring(m_ls, -4);
 		res->rule = p;
-		res->source = "k8s_audit";
-		res->priority_num = (falco_common::priority_type) lua_tonumber(m_ls, -2);
-		res->format = lua_tostring(m_ls, -1);
-		lua_pop(m_ls, 3);
+		res->evt = ev;
+		res->priority_num = (falco_common::priority_type) lua_tonumber(m_ls, -3);
+		res->format = lua_tostring(m_ls, -2);
+
+		// Exception fields are passed back as a table
+		lua_pushnil(m_ls);  /* first key */
+		while (lua_next(m_ls, -2) != 0) {
+			// key is at index -2, value is at index
+			// -1. We want the keys.
+			res->exception_fields.insert(luaL_checkstring(m_ls, -2));
+
+			// Remove value, keep key for next iteration
+			lua_pop(m_ls, 1);
+		}
+
+		lua_pop(m_ls, 4);
 	}
 	else
 	{
 		throw falco_exception("No function " + lua_on_event + " found in lua compiler module");
 	}
-
-	return res;
 }
 
 bool falco_engine::parse_k8s_audit_json(nlohmann::json &j, std::list<json_event> &evts, bool top)

userspace/engine/falco_engine.h

@@ -160,6 +160,7 @@ public:
 		std::string source;
 		falco_common::priority_type priority_num;
 		std::string format;
+		std::set<std::string> exception_fields;
 	};
 
 	//
@@ -262,6 +263,8 @@ private:
 	std::unique_ptr<falco_sinsp_ruleset> m_sinsp_rules;
 	std::unique_ptr<falco_ruleset> m_k8s_audit_rules;
 
+	void populate_rule_result(unique_ptr<struct rule_result> &res, gen_event *ev);
+
 	//
 	// Here's how the sampling ratio and multiplier influence
 	// whether or not an event is dropped in

userspace/engine/falco_engine_version.h

@@ -16,7 +16,7 @@ limitations under the License.
 
 // The version of rules/filter fields/etc supported by this falco
 // engine.
-#define FALCO_ENGINE_VERSION (7)
+#define FALCO_ENGINE_VERSION (8)
 
 // This is the result of running "falco --list -N | sha256sum" and
 // represents the fields supported by this version of falco. It's used

userspace/engine/formats.cpp

@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2020 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -20,24 +20,19 @@ limitations under the License.
 #include "falco_engine.h"
 #include "banned.h" // This raises a compilation error when certain functions are used
 
-
-sinsp* falco_formats::s_inspector = NULL;
+sinsp *falco_formats::s_inspector = NULL;
 falco_engine *falco_formats::s_engine = NULL;
 bool falco_formats::s_json_output = false;
 bool falco_formats::s_json_include_output_property = true;
-sinsp_evt_formatter_cache *falco_formats::s_formatters = NULL;
+std::unique_ptr<sinsp_evt_formatter_cache> falco_formats::s_formatters = NULL;
 
-const static struct luaL_reg ll_falco [] =
-{
-	{"formatter", &falco_formats::formatter},
-	{"free_formatter", &falco_formats::free_formatter},
-	{"free_formatters", &falco_formats::free_formatters},
-	{"format_event", &falco_formats::format_event},
-	{"resolve_tokens", &falco_formats::resolve_tokens},
-	{NULL,NULL}
-};
+const static struct luaL_Reg ll_falco[] =
+	{
+		{"formatter", &falco_formats::lua_formatter},
+		{"free_formatter", &falco_formats::lua_free_formatter},
+		{NULL, NULL}};
 
-void falco_formats::init(sinsp* inspector,
+void falco_formats::init(sinsp *inspector,
 			 falco_engine *engine,
 			 lua_State *ls,
 			 bool json_output,
@@ -47,15 +42,14 @@ void falco_formats::init(sinsp* inspector,
 	s_engine = engine;
 	s_json_output = json_output;
 	s_json_include_output_property = json_include_output_property;
-	if(!s_formatters)
-	{
-		s_formatters = new sinsp_evt_formatter_cache(s_inspector);
-	}
+
+	// todo(leogr): we should have used std::make_unique, but we cannot since it's not C++14
+	s_formatters = std::unique_ptr<sinsp_evt_formatter_cache>(new sinsp_evt_formatter_cache(s_inspector));
 
 	luaL_openlib(ls, "formats", ll_falco, 0);
 }
 
-int falco_formats::formatter(lua_State *ls)
+int falco_formats::lua_formatter(lua_State *ls)
 {
 	string source = luaL_checkstring(ls, -2);
 	string format = luaL_checkstring(ls, -1);
@@ -64,33 +58,40 @@ int falco_formats::formatter(lua_State *ls)
 	{
 		if(source == "syscall")
 		{
-			sinsp_evt_formatter* formatter;
+			sinsp_evt_formatter *formatter;
 			formatter = new sinsp_evt_formatter(s_inspector, format);
+			lua_pushnil(ls);
 			lua_pushlightuserdata(ls, formatter);
 		}
 		else
 		{
 			json_event_formatter *formatter;
 			formatter = new json_event_formatter(s_engine->json_factory(), format);
+			lua_pushnil(ls);
 			lua_pushlightuserdata(ls, formatter);
 		}
 	}
-	catch(sinsp_exception& e)
+	catch(exception &e)
 	{
-		luaL_error(ls, "Invalid output format '%s': '%s'", format.c_str(), e.what());
-	}
-	catch(falco_exception& e)
-	{
-		luaL_error(ls, "Invalid output format '%s': '%s'", format.c_str(), e.what());
+		std::ostringstream os;
+
+		os << "Invalid output format '"
+		   << format
+		   << "': '"
+		   << e.what()
+		   << "'";
+
+		lua_pushstring(ls, os.str().c_str());
+		lua_pushnil(ls);
 	}
 
-	return 1;
+	return 2;
 }
 
-int falco_formats::free_formatter(lua_State *ls)
+int falco_formats::lua_free_formatter(lua_State *ls)
 {
-	if (!lua_islightuserdata(ls, -1) ||
-	    !lua_isstring(ls, -2))
+	if(!lua_islightuserdata(ls, -1) ||
+	   !lua_isstring(ls, -2))
 
 	{
 		luaL_error(ls, "Invalid argument passed to free_formatter");
@@ -100,115 +101,75 @@ int falco_formats::free_formatter(lua_State *ls)
 
 	if(source == "syscall")
 	{
-		sinsp_evt_formatter *formatter = (sinsp_evt_formatter *) lua_topointer(ls, -1);
+		sinsp_evt_formatter *formatter = (sinsp_evt_formatter *)lua_topointer(ls, -1);
 		delete(formatter);
 	}
 	else
 	{
-		json_event_formatter *formatter = (json_event_formatter *) lua_topointer(ls, -1);
+		json_event_formatter *formatter = (json_event_formatter *)lua_topointer(ls, -1);
 		delete(formatter);
 	}
 
 	return 0;
 }
 
-int falco_formats::free_formatters(lua_State *ls)
+string falco_formats::format_event(const gen_event *evt, const std::string &rule, const std::string &source,
+				   const std::string &level, const std::string &format)
 {
-	if(s_formatters)
-	{
-		delete(s_formatters);
-		s_formatters = NULL;
-	}
-	return 0;
-}
 
-int falco_formats::format_event (lua_State *ls)
-{
 	string line;
 	string json_line;
-
-	if (!lua_isstring(ls, -1) ||
-	    !lua_isstring(ls, -2) ||
-	    !lua_isstring(ls, -3) ||
-	    !lua_isstring(ls, -4) ||
-	    !lua_islightuserdata(ls, -5)) {
-		lua_pushstring(ls, "Invalid arguments passed to format_event()");
-		lua_error(ls);
-	}
-	gen_event* evt = (gen_event*)lua_topointer(ls, 1);
-	const char *rule = (char *) lua_tostring(ls, 2);
-	const char *source = (char *) lua_tostring(ls, 3);
-	const char *level = (char *) lua_tostring(ls, 4);
-	const char *format = (char *) lua_tostring(ls, 5);
-
 	string sformat = format;
 
-	if(strcmp(source, "syscall") == 0)
+	if(strcmp(source.c_str(), "syscall") == 0)
 	{
-		try {
-			// This is "output"
-			s_formatters->tostring((sinsp_evt *) evt, sformat, &line);
+		// This is "output"
+		s_formatters->tostring((sinsp_evt *)evt, sformat, &line);
 
-			if(s_json_output)
-			{
-				sinsp_evt::param_fmt cur_fmt = s_inspector->get_buffer_format();
-				switch(cur_fmt)
-				{
-					case sinsp_evt::PF_NORMAL:
-						s_inspector->set_buffer_format(sinsp_evt::PF_JSON);
-						break;
-					case sinsp_evt::PF_EOLS:
-						s_inspector->set_buffer_format(sinsp_evt::PF_JSONEOLS);
-						break;
-					case sinsp_evt::PF_HEX:
-						s_inspector->set_buffer_format(sinsp_evt::PF_JSONHEX);
-						break;
-					case sinsp_evt::PF_HEXASCII:
-						s_inspector->set_buffer_format(sinsp_evt::PF_JSONHEXASCII);
-						break;
-					case sinsp_evt::PF_BASE64:
-						s_inspector->set_buffer_format(sinsp_evt::PF_JSONBASE64);
-						break;
-					default:
-						// do nothing
-						break;
-				}
-				// This is output fields
-				s_formatters->tostring((sinsp_evt *) evt, sformat, &json_line);
-
-				// The formatted string might have a leading newline. If it does, remove it.
-				if (json_line[0] == '\n')
-				{
-					json_line.erase(0, 1);
-				}
-				s_inspector->set_buffer_format(cur_fmt);
-			}
-		}
-		catch (sinsp_exception& e)
+		if(s_json_output)
 		{
-			string err = "Invalid output format '" + sformat + "': '" + string(e.what()) + "'";
-			lua_pushstring(ls, err.c_str());
-			lua_error(ls);
+			sinsp_evt::param_fmt cur_fmt = s_inspector->get_buffer_format();
+			switch(cur_fmt)
+			{
+			case sinsp_evt::PF_NORMAL:
+				s_inspector->set_buffer_format(sinsp_evt::PF_JSON);
+				break;
+			case sinsp_evt::PF_EOLS:
+				s_inspector->set_buffer_format(sinsp_evt::PF_JSONEOLS);
+				break;
+			case sinsp_evt::PF_HEX:
+				s_inspector->set_buffer_format(sinsp_evt::PF_JSONHEX);
+				break;
+			case sinsp_evt::PF_HEXASCII:
+				s_inspector->set_buffer_format(sinsp_evt::PF_JSONHEXASCII);
+				break;
+			case sinsp_evt::PF_BASE64:
+				s_inspector->set_buffer_format(sinsp_evt::PF_JSONBASE64);
+				break;
+			default:
+				// do nothing
+				break;
+			}
+			// This is output fields
+			s_formatters->tostring((sinsp_evt *)evt, sformat, &json_line);
+
+			// The formatted string might have a leading newline. If it does, remove it.
+			if(json_line[0] == '\n')
+			{
+				json_line.erase(0, 1);
+			}
+			s_inspector->set_buffer_format(cur_fmt);
 		}
 	}
 	else
 	{
-		try {
+		json_event_formatter formatter(s_engine->json_factory(), sformat);
 
-			json_event_formatter formatter(s_engine->json_factory(), sformat);
+		line = formatter.tostring((json_event *)evt);
 
-			line = formatter.tostring((json_event *) evt);
-
-			if(s_json_output)
-			{
-				json_line = formatter.tojson((json_event *) evt);
-			}
-		}
-		catch (exception &e)
+		if(s_json_output)
 		{
-			string err = "Invalid output format '" + sformat + "': '" + string(e.what()) + "'";
-			lua_pushstring(ls, err.c_str());
-			lua_error(ls);
+			json_line = formatter.tojson((json_event *)evt);
 		}
 	}
 
@@ -217,15 +178,16 @@ int falco_formats::format_event (lua_State *ls)
 	// message as well as the event time in ns. Use this to build
 	// a more detailed object containing the event time, rule,
 	// severity, full output, and fields.
-	if (s_json_output) {
+	if(s_json_output)
+	{
 		Json::Value event;
 		Json::FastWriter writer;
 		string full_line;
 
 		// Convert the time-as-nanoseconds to a more json-friendly ISO8601.
-		time_t evttime = evt->get_ts()/1000000000;
+		time_t evttime = evt->get_ts() / 1000000000;
 		char time_sec[20]; // sizeof "YYYY-MM-DDTHH:MM:SS"
-		char time_ns[12]; // sizeof ".sssssssssZ"
+		char time_ns[12];  // sizeof ".sssssssssZ"
 		string iso8601evttime;
 
 		strftime(time_sec, sizeof(time_sec), "%FT%T", gmtime(&evttime));
@@ -246,9 +208,9 @@ int falco_formats::format_event (lua_State *ls)
 
 		// Json::FastWriter may add a trailing newline. If it
 		// does, remove it.
-		if (full_line[full_line.length()-1] == '\n')
+		if(full_line[full_line.length() - 1] == '\n')
 		{
-			full_line.resize(full_line.length()-1);
+			full_line.resize(full_line.length() - 1);
 		}
 
 		// Cheat-graft the output from the formatter into this
@@ -261,24 +223,12 @@ int falco_formats::format_event (lua_State *ls)
 		line = full_line;
 	}
 
-	lua_pushstring(ls, line.c_str());
-	return 1;
+	return line.c_str();
 }
 
-int falco_formats::resolve_tokens(lua_State *ls)
+map<string, string> falco_formats::resolve_tokens(const gen_event *evt, const std::string &source, const std::string &format)
 {
-	if(!lua_isstring(ls, -1) ||
-	   !lua_isstring(ls, -2) ||
-	   !lua_islightuserdata(ls, -3))
-	{
-		lua_pushstring(ls, "Invalid arguments passed to resolve_tokens()");
-		lua_error(ls);
-	}
-	gen_event *evt = (gen_event *)lua_topointer(ls, 1);
-	string source = luaL_checkstring(ls, 2);
-	const char *format = (char *)lua_tostring(ls, 3);
 	string sformat = format;
-
 	map<string, string> values;
 	if(source == "syscall")
 	{
@@ -288,16 +238,7 @@ int falco_formats::resolve_tokens(lua_State *ls)
 	else
 	{
 		json_event_formatter json_formatter(s_engine->json_factory(), sformat);
-		values = json_formatter.tomap((json_event*) evt);
+		values = json_formatter.tomap((json_event *)evt);
 	}
-
-	lua_newtable(ls);
-	for(auto const& v : values)
-	{
-		lua_pushstring(ls, v.first.c_str());
-		lua_pushstring(ls, v.second.c_str());
-		lua_settable(ls, -3);
-	}
-
-	return 1;
+	return values;
 }

userspace/engine/formats.h

@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2020 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -18,7 +18,8 @@ limitations under the License.
 
 #include "sinsp.h"
 
-extern "C" {
+extern "C"
+{
 #include "lua.h"
 #include "lualib.h"
 #include "lauxlib.h"
@@ -31,31 +32,28 @@ class sinsp_evt_formatter;
 
 class falco_formats
 {
- public:
-	static void init(sinsp* inspector,
+public:
+	static void init(sinsp *inspector,
 			 falco_engine *engine,
 			 lua_State *ls,
 			 bool json_output,
 			 bool json_include_output_property);
 
 	// formatter = falco.formatter(format_string)
-	static int formatter(lua_State *ls);
+	static int lua_formatter(lua_State *ls);
 
 	// falco.free_formatter(formatter)
-	static int free_formatter(lua_State *ls);
+	static int lua_free_formatter(lua_State *ls);
 
-	// falco.free_formatters()
-	static int free_formatters(lua_State *ls);
+	static string format_event(const gen_event *evt, const std::string &rule, const std::string &source,
+				   const std::string &level, const std::string &format);
 
-	// formatted_string = falco.format_event(evt, formatter)
-	static int format_event(lua_State *ls);
+	static map<string, string> resolve_tokens(const gen_event *evt, const std::string &source,
+						  const std::string &format);
 
-	// resolve_tokens = falco.resolve_tokens(evt, formatter)
-	static int resolve_tokens(lua_State *ls);
-
-	static sinsp* s_inspector;
+	static sinsp *s_inspector;
 	static falco_engine *s_engine;
-	static sinsp_evt_formatter_cache *s_formatters;
+	static std::unique_ptr<sinsp_evt_formatter_cache> s_formatters;
 	static bool s_json_output;
 	static bool s_json_include_output_property;
 };

userspace/engine/lua/rule_loader.lua

@@ -126,6 +126,31 @@ function set_output(output_format, state)
    end
 end
 
+-- This should be keep in sync with parser.lua
+defined_comp_operators = {
+   ["="]=1,
+   ["=="] = 1,
+   ["!="] = 1,
+   ["<="] = 1,
+   [">="] = 1,
+   ["<"] = 1,
+   [">"] = 1,
+   ["contains"] = 1,
+   ["icontains"] = 1,
+   ["glob"] = 1,
+   ["startswith"] = 1,
+   ["endswith"] = 1,
+   ["in"] = 1,
+   ["intersects"] = 1,
+   ["pmatch"] = 1
+}
+
+defined_list_comp_operators = {
+   ["in"] = 1,
+   ["intersects"] = 1,
+   ["pmatch"] = 1
+}
+
 -- Note that the rules_by_name and rules_by_idx refer to the same rule
 -- object. The by_name index is used for things like describing rules,
 -- and the by_idx index is used to map the relational node index back
@@ -253,19 +278,126 @@ function get_lines(rules_lines, row, num_lines)
    return ret
 end
 
+function quote_item(item)
+
+   -- Add quotes if the string contains spaces and doesn't start/end
+   -- w/ quotes
+   if string.find(item, " ") then
+      if string.sub(item, 1, 1) ~= "'" and string.sub(item, 1, 1) ~= '"' then
+	 item = "\""..item.."\""
+      end
+   end
+
+   return item
+end
+
+function paren_item(item)
+   if string.sub(item, 1, 1) ~= "(" then
+      item = "("..item..")"
+   end
+
+   return item
+end
+
 function build_error(rules_lines, row, num_lines, err)
    local ret = err.."\n---\n"..get_lines(rules_lines, row, num_lines).."---"
 
-   return ret
+   return {ret}
 end
 
 function build_error_with_context(ctx, err)
    local ret = err.."\n---\n"..ctx.."---"
-   return ret
+   return {ret}
 end
 
+function validate_exception_item_multi_fields(eitem, context)
+
+   local name = eitem['name']
+   local fields = eitem['fields']
+   local values = eitem['values']
+   local comps = eitem['comps']
+
+   if comps == nil then
+      comps = {}
+      for c=1,#fields do
+	 table.insert(comps, "=")
+      end
+      eitem['comps'] = comps
+   else
+      if #fields ~= #comps then
+	 return false, build_error_with_context(context, "Rule exception item "..name..": fields and comps lists must have equal length"), warnings
+      end
+   end
+   for k, fname in ipairs(fields) do
+      if not is_defined_filter(fname) then
+	 return false, build_error_with_context(context, "Rule exception item "..name..": field name "..fname.." is not a supported filter field"), warnings
+      end
+   end
+   for k, comp in ipairs(comps) do
+      if defined_comp_operators[comp] == nil then
+	 return false, build_error_with_context(context, "Rule exception item "..name..": comparison operator "..comp.." is not a supported comparison operator"), warnings
+      end
+   end
+end
+
+function validate_exception_item_single_field(eitem, context)
+
+   local name = eitem['name']
+   local fields = eitem['fields']
+   local values = eitem['values']
+   local comps = eitem['comps']
+
+   if comps == nil then
+      eitem['comps'] = "in"
+      comps = eitem['comps']
+   else
+      if type(fields) ~= "string" or type(comps) ~= "string" then
+	 return false, build_error_with_context(context, "Rule exception item "..name..": fields and comps must both be strings"), warnings
+      end
+   end
+   if not is_defined_filter(fields) then
+      return false, build_error_with_context(context, "Rule exception item "..name..": field name "..fields.." is not a supported filter field"), warnings
+   end
+   if defined_comp_operators[comps] == nil then
+      return false, build_error_with_context(context, "Rule exception item "..name..": comparison operator "..comps.." is not a supported comparison operator"), warnings
+   end
+end
+
+function is_defined_filter(filter)
+   if defined_noarg_filters[filter] ~= nil then
+      return true
+   else
+      bracket_idx = string.find(filter, "[", 1, true)
+
+      if bracket_idx ~= nil then
+	 subfilter = string.sub(filter, 1, bracket_idx-1)
+
+	 if defined_arg_filters[subfilter] ~= nil then
+	    return true
+	 end
+      end
+
+      dot_idx = string.find(filter, ".", 1, true)
+
+      while dot_idx ~= nil do
+	 subfilter = string.sub(filter, 1, dot_idx-1)
+
+	 if defined_arg_filters[subfilter] ~= nil then
+	    return true
+	 end
+
+	 dot_idx = string.find(filter, ".", dot_idx+1, true)
+      end
+   end
+
+   return false
+end
+
+
 function load_rules_doc(rules_mgr, doc, load_state)
 
+   local warnings = {}
+
    -- Iterate over yaml list. In this pass, all we're doing is
    -- populating the set of rules, macros, and lists. We're not
    -- expanding/compiling anything yet. All that will happen in a
@@ -279,7 +411,7 @@ function load_rules_doc(rules_mgr, doc, load_state)
 					load_state.indices[load_state.cur_item_idx])
 
       if (not (type(v) == "table")) then
-	 return false, build_error_with_context(context, "Unexpected element of type " ..type(v)..". Each element should be a yaml associative array.")
+	 return false, build_error_with_context(context, "Unexpected element of type " ..type(v)..". Each element should be a yaml associative array."), warnings
       end
 
       v['context'] = context
@@ -291,26 +423,31 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	 end
 
 	 if falco_rules.engine_version(rules_mgr) < v['required_engine_version'] then
-	    return false, build_error_with_context(v['context'], "Rules require engine version "..v['required_engine_version']..", but engine version is "..falco_rules.engine_version(rules_mgr))
+	    return false, build_error_with_context(v['context'], "Rules require engine version "..v['required_engine_version']..", but engine version is "..falco_rules.engine_version(rules_mgr)), warnings
 	 end
 
       elseif (v['macro']) then
 
 	 if (v['macro'] == nil or type(v['macro']) == "table") then
-	    return false, build_error_with_context(v['context'], "Macro name is empty")
+	    return false, build_error_with_context(v['context'], "Macro name is empty"), warnings
 	 end
 
 	 if v['source'] == nil then
 	    v['source'] = "syscall"
 	 end
 
+	 -- Ignore macros with unknown sources
+	 if (v['source'] ~= "syscall" and v['source'] ~= "k8s_audit") then
+	    goto next_object
+	 end
+
 	 if state.macros_by_name[v['macro']] == nil then
 	    state.ordered_macro_names[#state.ordered_macro_names+1] = v['macro']
 	 end
 
 	 for j, field in ipairs({'condition'}) do
 	    if (v[field] == nil) then
-	       return false, build_error_with_context(v['context'], "Macro must have property "..field)
+	       return false, build_error_with_context(v['context'], "Macro must have property "..field), warnings
 	    end
 	 end
 
@@ -323,7 +460,7 @@ function load_rules_doc(rules_mgr, doc, load_state)
 
 	 if append then
 	    if state.macros_by_name[v['macro']] == nil then
-	       return false, build_error_with_context(v['context'], "Macro " ..v['macro'].. " has 'append' key but no macro by that name already exists")
+	       return false, build_error_with_context(v['context'], "Macro " ..v['macro'].. " has 'append' key but no macro by that name already exists"), warnings
 	    end
 
 	    state.macros_by_name[v['macro']]['condition'] = state.macros_by_name[v['macro']]['condition'] .. " " .. v['condition']
@@ -338,7 +475,7 @@ function load_rules_doc(rules_mgr, doc, load_state)
       elseif (v['list']) then
 
 	 if (v['list'] == nil or type(v['list']) == "table") then
-	    return false, build_error_with_context(v['context'], "List name is empty")
+	    return false, build_error_with_context(v['context'], "List name is empty"), warnings
 	 end
 
 	 if state.lists_by_name[v['list']] == nil then
@@ -347,7 +484,7 @@ function load_rules_doc(rules_mgr, doc, load_state)
 
 	 for j, field in ipairs({'items'}) do
 	    if (v[field] == nil) then
-	       return false, build_error_with_context(v['context'], "List must have property "..field)
+	       return false, build_error_with_context(v['context'], "List must have property "..field), warnings
 	    end
 	 end
 
@@ -360,7 +497,7 @@ function load_rules_doc(rules_mgr, doc, load_state)
 
 	 if append then
 	    if state.lists_by_name[v['list']] == nil then
-	       return false, build_error_with_context(v['context'], "List " ..v['list'].. " has 'append' key but no list by that name already exists")
+	       return false, build_error_with_context(v['context'], "List " ..v['list'].. " has 'append' key but no list by that name already exists"), warnings
 	    end
 
 	    for j, elem in ipairs(v['items']) do
@@ -373,7 +510,11 @@ function load_rules_doc(rules_mgr, doc, load_state)
       elseif (v['rule']) then
 
 	 if (v['rule'] == nil or type(v['rule']) == "table") then
-	    return false, build_error_with_context(v['context'], "Rule name is empty")
+	    return false, build_error_with_context(v['context'], "Rule name is empty"), warnings
+	 end
+
+	 if (v['condition'] == nil and v['exceptions'] == nil) then
+	    return false, build_error_with_context(v['context'], "Rule must have exceptions or condition property"), warnings
 	 end
 
 	 -- By default, if a rule's condition refers to an unknown
@@ -386,6 +527,18 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	    v['source'] = "syscall"
 	 end
 
+	 -- Ignore rules with unknown sources
+	 if (v['source'] ~= "syscall" and v['source'] ~= "k8s_audit") then
+	    goto next_object
+	 end
+
+	 -- Add an empty exceptions property to the rule if not
+	 -- defined, but add a warning about defining one
+	 if v['exceptions'] == nil then
+	    warnings[#warnings + 1] = "Rule "..v['rule']..": consider adding an exceptions property to define supported exceptions fields"
+	    v['exceptions'] = {}
+	 end
+
 	 -- Possibly append to the condition field of an existing rule
 	 append = false
 
@@ -393,21 +546,95 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	    append = v['append']
 	 end
 
-	 if append then
+	 -- Validate the contents of the rule exception
+	 if next(v['exceptions']) ~= nil then
 
-	    -- For append rules, all you need is the condition
-	    for j, field in ipairs({'condition'}) do
-	       if (v[field] == nil) then
-		  return false, build_error_with_context(v['context'], "Rule must have property "..field)
+	    -- This validation only applies if append=false. append=true validation is handled below
+	    if append == false then
+
+	       for _, eitem in ipairs(v['exceptions']) do
+
+		  if eitem['name'] == nil then
+		     return false, build_error_with_context(v['context'], "Rule exception item must have name property"), warnings
+		  end
+
+		  if eitem['fields'] == nil then
+		     return false, build_error_with_context(v['context'], "Rule exception item "..eitem['name']..": must have fields property with a list of fields"), warnings
+		  end
+
+		  if eitem['values'] == nil then
+		     -- An empty values array is okay
+		     eitem['values'] = {}
+		  end
+
+		  -- Different handling if the fields property is a single item vs a list
+		  local valid, err
+		  if type(eitem['fields']) == "table" then
+		     valid, err = validate_exception_item_multi_fields(eitem, v['context'])
+		  else
+		     valid, err = validate_exception_item_single_field(eitem, v['context'])
+		  end
+
+		  if valid == false then
+		     return valid, err
+		  end
 	       end
 	    end
+	 end
+
+	 if append then
 
 	    if state.rules_by_name[v['rule']] == nil then
 	       if state.skipped_rules_by_name[v['rule']] == nil then
-		  return false, build_error_with_context(v['context'], "Rule " ..v['rule'].. " has 'append' key but no rule by that name already exists")
+		  return false, build_error_with_context(v['context'], "Rule " ..v['rule'].. " has 'append' key but no rule by that name already exists"), warnings
 	       end
 	    else
-	       state.rules_by_name[v['rule']]['condition'] = state.rules_by_name[v['rule']]['condition'] .. " " .. v['condition']
+
+	       if next(v['exceptions']) ~= nil then
+
+		  for _, eitem in ipairs(v['exceptions']) do
+		     local name = eitem['name']
+		     local fields = eitem['fields']
+		     local comps = eitem['comps']
+
+		     if name == nil then
+			return false, build_error_with_context(v['context'], "Rule exception item must have name property"), warnings
+		     end
+
+		     -- You can't append exception fields or comps to a rule
+		     if fields ~= nil then
+			return false, build_error_with_context(v['context'], "Can not append exception fields to existing rule, only values"), warnings
+		     end
+
+		     if comps ~= nil then
+			return false, build_error_with_context(v['context'], "Can not append exception comps to existing rule, only values"), warnings
+		     end
+
+		     -- You can append values. They are added to the
+		     -- corresponding name, if it exists. If no
+		     -- exception with that name exists, add a
+		     -- warning.
+		     if eitem['values'] ~= nil then
+			local found=false
+			for _, reitem in ipairs(state.rules_by_name[v['rule']]['exceptions']) do
+			   if reitem['name'] == eitem['name'] then
+			      found=true
+			      for _, values in ipairs(eitem['values']) do
+				 reitem['values'][#reitem['values'] + 1] = values
+			      end
+			   end
+			end
+
+			if found == false then
+			   warnings[#warnings + 1] = "Rule "..v['rule'].." with append=true: no set of fields matching name "..eitem['name']
+			end
+		     end
+		  end
+	       end
+
+	       if v['condition'] ~= nil then
+		  state.rules_by_name[v['rule']]['condition'] = state.rules_by_name[v['rule']]['condition'] .. " " .. v['condition']
+	       end
 
 	    -- Add the current object to the context of the base rule
 	       state.rules_by_name[v['rule']]['context'] = state.rules_by_name[v['rule']]['context'].."\n"..v['context']
@@ -417,7 +644,7 @@ function load_rules_doc(rules_mgr, doc, load_state)
 
 	    for j, field in ipairs({'condition', 'output', 'desc', 'priority'}) do
 	       if (v[field] == nil) then
-		  return false, build_error_with_context(v['context'], "Rule must have property "..field)
+		  return false, build_error_with_context(v['context'], "Rule must have property "..field), warnings
 	       end
 	    end
 
@@ -446,16 +673,118 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	    end
 	 end
       else
-	 -- Remove the context from the table, so the table is exactly what was parsed
 	 local context = v['context']
-	 v['context'] = nil
-	 return false, build_error_with_context(context, "Unknown rule object: "..table.tostring(v))
+
+	 arr = build_error_with_context(context, "Unknown top level object: "..table.tostring(v))
+	 warnings[#warnings + 1] = arr[1]
       end
+
+      ::next_object::
    end
 
-   return true, ""
+   return true, {}, warnings
 end
 
+-- cond and not ((proc.name=apk and fd.directory=/usr/lib/alpine) or (proc.name=npm and fd.directory=/usr/node/bin) or ...)
+-- Populates exfields with all fields used
+function build_exception_condition_string_multi_fields(eitem, exfields)
+
+   local fields = eitem['fields']
+   local comps = eitem['comps']
+
+   local icond = "("
+
+   for i, values in ipairs(eitem['values']) do
+
+      if #fields ~= #values then
+	 return nil, "Exception item "..eitem['name']..": fields and values lists must have equal length"
+      end
+
+      if icond ~= "(" then
+	 icond=icond.." or "
+      end
+
+      icond=icond.."("
+
+      for k=1,#fields do
+	 if k > 1 then
+	    icond=icond.." and "
+	 end
+	 local ival = values[k]
+	 local istr = ""
+
+	 -- If ival is a table, express it as (titem1, titem2, etc)
+	 if type(ival) == "table" then
+	    istr = "("
+	    for _, item in ipairs(ival) do
+	       if istr ~= "(" then
+		  istr = istr..", "
+	       end
+	       istr = istr..quote_item(item)
+	    end
+	    istr = istr..")"
+	 else
+	    -- If the corresponding operator is one that works on lists, possibly add surrounding parentheses.
+	    if defined_list_comp_operators[comps[k]] then
+	       istr = paren_item(ival)
+	    else
+	       -- Quote the value if not already quoted
+	       istr = quote_item(ival)
+	    end
+	 end
+
+	 icond = icond..fields[k].." "..comps[k].." "..istr
+	 exfields[fields[k]] = true
+      end
+
+      icond=icond..")"
+   end
+
+   icond = icond..")"
+
+   -- Don't return a trivially empty condition string
+   if icond == "()" then
+      icond = ""
+   end
+
+   return icond, nil
+
+end
+
+function build_exception_condition_string_single_field(eitem, exfields)
+
+   local icond = ""
+
+   for i, value in ipairs(eitem['values']) do
+
+      if type(value) ~= "string" then
+	 return "", "Expected values array for item "..eitem['name'].." to contain a list of strings"
+      end
+
+      if icond == "" then
+	 icond = "("..eitem['fields'].." "..eitem['comps'].." ("
+      else
+	 icond = icond..", "
+      end
+
+      exfields[eitem['fields']] = true
+
+      icond = icond..quote_item(value)
+   end
+
+   if icond ~= "" then
+      icond = icond.."))"
+   end
+
+   return icond, nil
+
+end
+
+-- Returns:
+-- - Load Result: bool
+-- - required engine version. will be nil when load result is false
+-- - List of Errors
+-- - List of Warnings
 function load_rules(sinsp_lua_parser,
 		    json_lua_parser,
 		    rules_content,
@@ -466,6 +795,8 @@ function load_rules(sinsp_lua_parser,
 		    replace_container_info,
 		    min_priority)
 
+   local warnings = {}
+
    local load_state = {lines={}, indices={}, cur_item_idx=0, min_priority=min_priority, required_engine_version=0}
 
    load_state.lines, load_state.indices = split_lines(rules_content)
@@ -487,36 +818,42 @@ function load_rules(sinsp_lua_parser,
       row = tonumber(row)
       col = tonumber(col)
 
-      return false, build_error(load_state.lines, row, 3, docs)
+      return false, nil, build_error(load_state.lines, row, 3, docs), warnings
    end
 
    if docs == nil then
       -- An empty rules file is acceptable
-      return true, load_state.required_engine_version
+      return true, load_state.required_engine_version, {}, warnings
    end
 
    if type(docs) ~= "table" then
-      return false, build_error(load_state.lines, 1, 1, "Rules content is not yaml")
+      return false, nil, build_error(load_state.lines, 1, 1, "Rules content is not yaml"), warnings
    end
 
    for docidx, doc in ipairs(docs) do
 
       if type(doc) ~= "table" then
-	 return false, build_error(load_state.lines, 1, 1, "Rules content is not yaml")
+	 return false, nil, build_error(load_state.lines, 1, 1, "Rules content is not yaml"), warnings
       end
 
       -- Look for non-numeric indices--implies that document is not array
       -- of objects.
       for key, val in pairs(doc) do
 	 if type(key) ~= "number" then
-	    return false, build_error(load_state.lines, 1, 1, "Rules content is not yaml array of objects")
+	    return false, nil, build_error(load_state.lines, 1, 1, "Rules content is not yaml array of objects"), warnings
 	 end
       end
 
-      res, errstr = load_rules_doc(rules_mgr, doc, load_state)
+      res, errors, doc_warnings = load_rules_doc(rules_mgr, doc, load_state)
+
+      if (doc_warnings ~= nil) then
+	 for idx, warning in pairs(doc_warnings) do
+	    table.insert(warnings, warning)
+	 end
+      end
 
       if not res then
-	 return res, errstr
+	 return res, nil, errors, warnings
       end
    end
 
@@ -538,8 +875,9 @@ function load_rules(sinsp_lua_parser,
       -- the items and expand any references to the items in the list
       for i, item in ipairs(v['items']) do
 	 if (state.lists[item] == nil) then
-	    items[#items+1] = item
+	    items[#items+1] = quote_item(item)
 	 else
+	    state.lists[item].used = true
 	    for i, exp_item in ipairs(state.lists[item].items) do
 	       items[#items+1] = exp_item
 	    end
@@ -556,7 +894,7 @@ function load_rules(sinsp_lua_parser,
       local status, ast = compiler.compile_macro(v['condition'], state.macros, state.lists)
 
       if status == false then
-	 return false, build_error_with_context(v['context'], ast)
+	 return false, nil, build_error_with_context(v['context'], ast), warnings
       end
 
       if v['source'] == "syscall" then
@@ -572,16 +910,48 @@ function load_rules(sinsp_lua_parser,
 
       local v = state.rules_by_name[name]
 
+      local econd = ""
+
+      local exfields = {}
+
+      -- Turn exceptions into condition strings and add them to each
+      -- rule's condition
+      for _, eitem in ipairs(v['exceptions']) do
+
+	 local icond, err
+	 if type(eitem['fields']) == "table" then
+	    icond, err = build_exception_condition_string_multi_fields(eitem, exfields)
+	 else
+	    icond, err = build_exception_condition_string_single_field(eitem, exfields)
+	 end
+
+	 if err ~= nil then
+	    return false, nil, build_error_with_context(v['context'], err), warnings
+	 end
+
+	 if icond ~= "" then
+	    econd = econd.." and not "..icond
+	 end
+      end
+
+      state.rules_by_name[name]['exception_fields'] = exfields
+
+      if econd ~= "" then
+	 state.rules_by_name[name]['compile_condition'] = "("..state.rules_by_name[name]['condition']..") "..econd
+      else
+	 state.rules_by_name[name]['compile_condition'] = state.rules_by_name[name]['condition']
+      end
+
       warn_evttypes = true
       if v['warn_evttypes'] ~= nil then
 	 warn_evttypes = v['warn_evttypes']
       end
 
-      local status, filter_ast, filters = compiler.compile_filter(v['rule'], v['condition'],
+      local status, filter_ast, filters = compiler.compile_filter(v['rule'], v['compile_condition'],
 								  state.macros, state.lists)
 
       if status == false then
-	 return false, build_error_with_context(v['context'], filter_ast)
+	 return false, nil, build_error_with_context(v['context'], filter_ast), warnings
       end
 
       local evtttypes = {}
@@ -592,52 +962,22 @@ function load_rules(sinsp_lua_parser,
 	    sinsp_rule_utils.check_for_ignored_syscalls_events(filter_ast, 'rule', v['rule'])
 	 end
 
-	 evttypes, syscallnums = sinsp_rule_utils.get_evttypes_syscalls(name, filter_ast, v['condition'], warn_evttypes, verbose)
+	 evttypes, syscallnums = sinsp_rule_utils.get_evttypes_syscalls(name, filter_ast, v['compile_condition'], warn_evttypes, verbose)
       end
 
       -- If a filter in the rule doesn't exist, either skip the rule
       -- or raise an error, depending on the value of
       -- skip-if-unknown-filter.
       for filter, _ in pairs(filters) do
-	 found = false
+	 if not is_defined_filter(filter) then
+	    msg = "rule \""..v['rule'].."\": contains unknown filter "..filter
+	    warnings[#warnings + 1] = msg
 
-	 if defined_noarg_filters[filter] ~= nil then
-	    found = true
-	 else
-	    bracket_idx = string.find(filter, "[", 1, true)
-
-	    if bracket_idx ~= nil then
-	       subfilter = string.sub(filter, 1, bracket_idx-1)
-
-	       if defined_arg_filters[subfilter] ~= nil then
-		  found = true
-	       end
-	    end
-
-	    if not found then
-	       dot_idx = string.find(filter, ".", 1, true)
-
-	       while dot_idx ~= nil do
-		  subfilter = string.sub(filter, 1, dot_idx-1)
-
-		  if defined_arg_filters[subfilter] ~= nil then
-		     found = true
-		     break
-		  end
-
-		  dot_idx = string.find(filter, ".", dot_idx+1, true)
-	       end
-	    end
-	 end
-
-	 if not found then
-	    if v['skip-if-unknown-filter'] then
-	       if verbose then
-		  print("Skipping rule \""..v['rule'].."\" that contains unknown filter "..filter)
-	       end
-	       goto next_rule
+	    if not v['skip-if-unknown-filter'] then
+	       return false, nil, build_error_with_context(v['context'], msg), warnings
 	    else
-	       error("Rule \""..v['rule'].."\" contains unknown filter "..filter)
+	       print("Skipping "..msg)
+	       goto next_rule
 	    end
 	 end
       end
@@ -716,33 +1056,37 @@ function load_rules(sinsp_lua_parser,
 	 -- Ensure that the output field is properly formatted by
 	 -- creating a formatter from it. Any error will be thrown
 	 -- up to the top level.
-	 formatter = formats.formatter(v['source'], v['output'])
-	 formats.free_formatter(v['source'], formatter)
+	 local err, formatter = formats.formatter(v['source'], v['output'])
+	 if err == nil then
+	    formats.free_formatter(v['source'], formatter)
+	 else
+	    return false, nil, build_error_with_context(v['context'], err), warnings
+	 end
       else
-	 return false, build_error_with_context(v['context'], "Unexpected type in load_rule: "..filter_ast.type)
+	 return false, nil, build_error_with_context(v['context'], "Unexpected type in load_rule: "..filter_ast.type), warnings
       end
 
       ::next_rule::
    end
 
-   if verbose then
-      -- Print info on any dangling lists or macros that were not used anywhere
-      for name, macro in pairs(state.macros) do
-	 if macro.used == false then
-	    print("Warning: macro "..name.." not refered to by any rule/macro")
-	 end
+   -- Print info on any dangling lists or macros that were not used anywhere
+   for name, macro in pairs(state.macros) do
+      if macro.used == false then
+	 msg = "macro "..name.." not refered to by any rule/macro"
+	 warnings[#warnings + 1] = msg
       end
+   end
 
-      for name, list in pairs(state.lists) do
-	 if list.used == false then
-	    print("Warning: list "..name.." not refered to by any rule/macro/list")
-	 end
+   for name, list in pairs(state.lists) do
+      if list.used == false then
+	 msg = "list "..name.." not refered to by any rule/macro/list"
+	 warnings[#warnings + 1] = msg
       end
    end
 
    io.flush()
 
-   return true, load_state.required_engine_version
+   return true, load_state.required_engine_version, {}, warnings
 end
 
 local rule_fmt = "%-50s %s"
@@ -819,7 +1163,14 @@ function on_event(rule_id)
    -- Prefix output with '*' so formatting is permissive
    output = "*"..rule.output
 
-   return rule.rule, rule.priority_num, output
+   -- Also return all fields from all exceptions
+   combined_rule = state.rules_by_name[rule.rule]
+
+   if combined_rule == nil then
+      error ("rule_loader.on_event(): could not find rule by name: ", rule.rule)
+   end
+
+   return rule.rule, rule.priority_num, output, combined_rule.exception_fields
 end
 
 function print_stats()

userspace/engine/rules.cpp

@@ -14,8 +14,9 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+#include <sstream>
+
 #include "rules.h"
-#include "logger.h"
 
 extern "C" {
 #include "lua.h"
@@ -26,15 +27,14 @@ extern "C" {
 #include "falco_engine.h"
 #include "banned.h" // This raises a compilation error when certain functions are used
 
-const static struct luaL_reg ll_falco_rules [] =
-{
-	{"clear_filters", &falco_rules::clear_filters},
-	{"add_filter", &falco_rules::add_filter},
-	{"add_k8s_audit_filter", &falco_rules::add_k8s_audit_filter},
-	{"enable_rule", &falco_rules::enable_rule},
-	{"engine_version", &falco_rules::engine_version},
-	{NULL,NULL}
-};
+const static struct luaL_Reg ll_falco_rules[] =
+	{
+		{"clear_filters", &falco_rules::clear_filters},
+		{"add_filter", &falco_rules::add_filter},
+		{"add_k8s_audit_filter", &falco_rules::add_k8s_audit_filter},
+		{"enable_rule", &falco_rules::enable_rule},
+		{"engine_version", &falco_rules::engine_version},
+		{NULL, NULL}};
 
 falco_rules::falco_rules(sinsp* inspector,
 			 falco_engine *engine,
@@ -219,6 +219,31 @@ int falco_rules::engine_version(lua_State *ls)
 	return 1;
 }
 
+static std::list<std::string> get_lua_table_values(lua_State *ls, int idx)
+{
+	std::list<std::string> ret;
+
+	if (lua_isnil(ls, idx)) {
+		return ret;
+	}
+
+	lua_pushnil(ls);  /* first key */
+	while (lua_next(ls, idx-1) != 0) {
+                // key is at index -2, value is at index
+                // -1. We want the values.
+		if (! lua_isstring(ls, -1)) {
+			std::string err = "Non-string value in table of strings";
+			throw falco_exception(err);
+		}
+		ret.push_back(string(lua_tostring(ls, -1)));
+
+		// Remove value, keep key for next iteration
+		lua_pop(ls, 1);
+	}
+
+	return ret;
+}
+
 void falco_rules::load_rules(const string &rules_content,
 			     bool verbose, bool all_events,
 			     string &extra, bool replace_container_info,
@@ -424,7 +449,7 @@ void falco_rules::load_rules(const string &rules_content,
 		lua_pushstring(m_ls, extra.c_str());
 		lua_pushboolean(m_ls, (replace_container_info ? 1 : 0));
 		lua_pushnumber(m_ls, min_priority);
-		if(lua_pcall(m_ls, 9, 2, 0) != 0)
+		if(lua_pcall(m_ls, 9, 4, 0) != 0)
 		{
 			const char* lerr = lua_tostring(m_ls, -1);
 
@@ -433,20 +458,49 @@ void falco_rules::load_rules(const string &rules_content,
 			throw falco_exception(err);
 		}
 
-		// Either returns (true, required_engine_version), or (false, error string)
-		bool successful = lua_toboolean(m_ls, -2);
+		// Returns:
+		// Load result: bool
+		// required engine version: will be nil when load result is false
+		// array of errors
+		// array of warnings
+		bool successful = lua_toboolean(m_ls, -4);
+		required_engine_version = lua_tonumber(m_ls, -3);
+		std::list<std::string> errors = get_lua_table_values(m_ls, -2);
+		std::list<std::string> warnings = get_lua_table_values(m_ls, -1);
 
-		if(successful)
+		// Concatenate errors/warnings
+		std::ostringstream os;
+		if (errors.size() > 0)
 		{
-			required_engine_version = lua_tonumber(m_ls, -1);
-		}
-		else
-		{
-			std::string err = lua_tostring(m_ls, -1);
-			throw falco_exception(err);
+			os << errors.size() << " errors:" << std::endl;
+			for(auto err : errors)
+			{
+				os << err << std::endl;
+			}
 		}
 
-		lua_pop(m_ls, 2);
+		if (warnings.size() > 0)
+		{
+			os << warnings.size() << " warnings:" << std::endl;
+			for(auto warn : warnings)
+			{
+				os << warn << std::endl;
+			}
+		}
+
+		if(!successful)
+		{
+			throw falco_exception(os.str());
+		}
+
+		if (verbose && os.str() != "") {
+			// We don't really have a logging callback
+			// from the falco engine, but this would be a
+			// good place to use it.
+			fprintf(stderr, "When reading rules content: %s", os.str().c_str());
+		}
+
+		lua_pop(m_ls, 4);
 
 	} else {
 		throw falco_exception("No function " + m_lua_load_rules + " found in lua rule module");

userspace/falco/CMakeLists.txt

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -11,117 +11,88 @@
 # specific language governing permissions and limitations under the License.
 #
 
-configure_file("${SYSDIG_SOURCE_DIR}/userspace/sysdig/config_sysdig.h.in" config_sysdig.h)
+configure_file(config_falco.h.in config_falco.h)
 
-if(NOT MINIMAL_BUILD)
-  add_custom_command(
-    OUTPUT
-      ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc
-      ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.h
-      ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
-      ${CMAKE_CURRENT_BINARY_DIR}/version.pb.h
-      ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc
-      ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.h
-      ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc
-      ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.h
-      ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc
-      ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.h
-    COMMENT "Generate gRPC API"
-    # Falco gRPC Version API
-    DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
-    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
-    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
-            ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
-    # Falco gRPC Outputs API
-    DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
-    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
-            ${CMAKE_CURRENT_SOURCE_DIR}/schema.proto
-    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
-            ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
-    WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR})
-endif()
-
-if(MINIMAL_BUILD)
-add_executable(
-  falco
+set(
+  FALCO_SOURCES
   configuration.cpp
   logger.cpp
   falco_outputs.cpp
+  outputs_file.cpp
+  outputs_program.cpp
+  outputs_stdout.cpp
+  outputs_syslog.cpp
   event_drops.cpp
   statsfilewriter.cpp
   falco.cpp
-  "${SYSDIG_SOURCE_DIR}/userspace/sysdig/fields_info.cpp")
-else()
-  add_executable(
-    falco
-    configuration.cpp
-    logger.cpp
-    falco_outputs.cpp
-    event_drops.cpp
-    statsfilewriter.cpp
-    falco.cpp
-    "${SYSDIG_SOURCE_DIR}/userspace/sysdig/fields_info.cpp"
+  "${SYSDIG_SOURCE_DIR}/userspace/libsinsp/fields_info.cpp"
+)
+
+set(
+  FALCO_INCLUDE_DIRECTORIES
+  "${PROJECT_SOURCE_DIR}/userspace/engine"
+  "${PROJECT_BINARY_DIR}/userspace/falco"
+  "${PROJECT_BINARY_DIR}/driver/src"
+  "${STRING_VIEW_LITE_INCLUDE}"
+  "${YAMLCPP_INCLUDE_DIR}"
+  "${CMAKE_CURRENT_BINARY_DIR}"
+  "${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include"
+)
+
+set(
+  FALCO_DEPENDENCIES
+  string-view-lite
+  libyaml
+  b64
+  luajit
+  lpeg
+  lyaml
+)
+
+set(
+  FALCO_LIBRARIES
+  falco_engine
+  sinsp
+  "${LIBYAML_LIB}"
+  "${YAMLCPP_LIB}"
+)
+
+if(USE_BUNDLED_DEPS)
+  list(APPEND FALCO_DEPENDENCIES yamlcpp)
+endif()
+
+if(NOT MINIMAL_BUILD)
+  list(
+    APPEND FALCO_SOURCES
+    outputs_grpc.cpp
+    outputs_http.cpp
     webserver.cpp
     grpc_context.cpp
     grpc_server_impl.cpp
     grpc_request_context.cpp
     grpc_server.cpp
+    grpc_context.cpp
+    grpc_server_impl.cpp
     ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc
     ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
     ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc
     ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc
-    ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc)
+    ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc
+  )
 
-    add_dependencies(falco civetweb)
-endif()
+  list(
+    APPEND FALCO_INCLUDE_DIRECTORIES
+    "${CIVETWEB_INCLUDE_DIR}"
+    "${OPENSSL_INCLUDE_DIR}"
+    "${GRPC_INCLUDE}"
+    "${GRPCPP_INCLUDE}"
+    "${PROTOBUF_INCLUDE}"
+  )
 
-add_dependencies(falco string-view-lite)
+  list(APPEND FALCO_DEPENDENCIES civetweb)
 
-if(USE_BUNDLED_DEPS)
-  add_dependencies(falco yamlcpp)
-endif()
-
-if(MINIMAL_BUILD)
-  target_include_directories(
-    falco
-    PUBLIC
-      "${SYSDIG_SOURCE_DIR}/userspace/sysdig"
-      "${PROJECT_SOURCE_DIR}/userspace/engine"
-      "${PROJECT_BINARY_DIR}/userspace/falco"
-      "${PROJECT_BINARY_DIR}/driver/src"
-      "${STRING_VIEW_LITE_INCLUDE}"
-      "${YAMLCPP_INCLUDE_DIR}"
-      "${CMAKE_CURRENT_BINARY_DIR}"
-      "${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include")
-
-  target_link_libraries(
-    falco
-    falco_engine
-    sinsp
-    "${LIBYAML_LIB}"
-    "${YAMLCPP_LIB}")
-else()
-  target_include_directories(
-    falco
-    PUBLIC
-      "${SYSDIG_SOURCE_DIR}/userspace/sysdig"
-      "${PROJECT_SOURCE_DIR}/userspace/engine"
-      "${PROJECT_BINARY_DIR}/userspace/falco"
-      "${PROJECT_BINARY_DIR}/driver/src"
-      "${STRING_VIEW_LITE_INCLUDE}"
-      "${YAMLCPP_INCLUDE_DIR}"
-      "${CIVETWEB_INCLUDE_DIR}"
-      "${OPENSSL_INCLUDE_DIR}"
-      "${GRPC_INCLUDE}"
-      "${GRPCPP_INCLUDE}"
-      "${PROTOBUF_INCLUDE}"
-      "${CMAKE_CURRENT_BINARY_DIR}"
-      "${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include")
-
-  target_link_libraries(
-    falco
-    falco_engine
-    sinsp
+  list(
+    APPEND FALCO_LIBRARIES
     "${GPR_LIB}"
     "${GRPC_LIB}"
     "${GRPCPP_LIB}"
@@ -130,19 +101,66 @@ else()
     "${OPENSSL_LIBRARY_CRYPTO}"
     "${LIBYAML_LIB}"
     "${YAMLCPP_LIB}"
-    "${CIVETWEB_LIB}")
+    "${CIVETWEB_LIB}"
+  )
 endif()
 
-configure_file(config_falco.h.in config_falco.h)
+add_executable(
+  falco
+  ${FALCO_SOURCES}
+)
+
+add_dependencies(falco ${FALCO_DEPENDENCIES})
+
+target_link_libraries(
+  falco
+  ${FALCO_LIBRARIES}
+)
+
+target_include_directories(
+  falco
+  PUBLIC
+  ${FALCO_INCLUDE_DIRECTORIES}
+)
 
 if(NOT MINIMAL_BUILD)
   add_custom_command(
     TARGET falco
     COMMAND bash ${CMAKE_CURRENT_SOURCE_DIR}/verify_engine_fields.sh ${CMAKE_SOURCE_DIR}
     WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
-    COMMENT "Comparing engine fields checksum in falco_engine.h to actual fields")
+    COMMENT "Comparing engine fields checksum in falco_engine.h to actual fields"
+  )
 else()
-  MESSAGE(STATUS "Skipping engine fields checksum when building the minimal Falco.")
+  message(STATUS "Skipping engine fields checksum when building the minimal Falco.")
+endif()
+
+if(NOT MINIMAL_BUILD)
+  add_custom_command(
+    OUTPUT
+    ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.h
+    ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/version.pb.h
+    ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.h
+    ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.h
+    ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.h
+    COMMENT "Generate gRPC API"
+    # Falco gRPC Version API
+    DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
+    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
+    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
+    ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
+    # Falco gRPC Outputs API
+    DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
+    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
+    ${CMAKE_CURRENT_SOURCE_DIR}/schema.proto
+    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
+    ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
+    WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
+  )
 endif()
 
 # strip the Falco binary when releasing using musl
@@ -151,12 +169,8 @@ if(MUSL_OPTIMIZED_BUILD AND CMAKE_BUILD_TYPE STREQUAL "release")
     TARGET falco
     POST_BUILD
     COMMAND ${CMAKE_STRIP} --strip-unneeded falco
-    COMMENT "Strip the Falco binary when releasing the musl build")
+    COMMENT "Strip the Falco binary when releasing the musl build"
+  )
 endif()
 
 install(TARGETS falco DESTINATION ${FALCO_BIN_DIR})
-install(
-  DIRECTORY lua
-  DESTINATION ${FALCO_SHARE_DIR}
-  FILES_MATCHING
-  PATTERN *.lua)

userspace/falco/config_falco.h.in

@@ -25,11 +25,9 @@ limitations under the License.
 #define FALCO_VERSION_PRERELEASE "@FALCO_VERSION_PRERELEASE@"
 #define FALCO_VERSION_BUILD "@FALCO_VERSION_BUILD@"
 
-#define FALCO_LUA_DIR "${CMAKE_INSTALL_PREFIX}/${FALCO_SHARE_DIR}/lua/"
 #define FALCO_SOURCE_DIR "${PROJECT_SOURCE_DIR}"
 #define FALCO_SOURCE_CONF_FILE "${PROJECT_SOURCE_DIR}/falco.yaml"
 #define FALCO_INSTALL_CONF_FILE "/etc/falco/falco.yaml"
-#define FALCO_SOURCE_LUA_DIR "${PROJECT_SOURCE_DIR}/userspace/falco/lua/"
 
 #define PROBE_NAME "@PROBE_NAME@"
 #define DRIVER_VERSION "@PROBE_VERSION@"

userspace/falco/configuration.cpp

@@ -47,16 +47,6 @@ falco_configuration::~falco_configuration()
 	}
 }
 
-// If we don't have a configuration file, we just use stdout output and all other defaults
-void falco_configuration::init(list<string> &cmdline_options)
-{
-	init_cmdline_options(cmdline_options);
-
-	falco_outputs::output_config stdout_output;
-	stdout_output.name = "stdout";
-	m_outputs.push_back(stdout_output);
-}
-
 void falco_configuration::init(string conf_filename, list<string> &cmdline_options)
 {
 	string m_config_file = conf_filename;
@@ -81,7 +71,7 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
 	m_json_output = m_config->get_scalar<bool>("json_output", false);
 	m_json_include_output_property = m_config->get_scalar<bool>("json_include_output_property", true);
 
-	falco_outputs::output_config file_output;
+	falco::outputs::config file_output;
 	file_output.name = "file";
 	if(m_config->get_scalar<bool>("file_output", "enabled", false))
 	{
@@ -99,21 +89,21 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
 		m_outputs.push_back(file_output);
 	}
 
-	falco_outputs::output_config stdout_output;
+	falco::outputs::config stdout_output;
 	stdout_output.name = "stdout";
 	if(m_config->get_scalar<bool>("stdout_output", "enabled", false))
 	{
 		m_outputs.push_back(stdout_output);
 	}
 
-	falco_outputs::output_config syslog_output;
+	falco::outputs::config syslog_output;
 	syslog_output.name = "syslog";
 	if(m_config->get_scalar<bool>("syslog_output", "enabled", false))
 	{
 		m_outputs.push_back(syslog_output);
 	}
 
-	falco_outputs::output_config program_output;
+	falco::outputs::config program_output;
 	program_output.name = "program";
 	if(m_config->get_scalar<bool>("program_output", "enabled", false))
 	{
@@ -131,7 +121,7 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
 		m_outputs.push_back(program_output);
 	}
 
-	falco_outputs::output_config http_output;
+	falco::outputs::config http_output;
 	http_output.name = "http";
 	if(m_config->get_scalar<bool>("http_output", "enabled", false))
 	{
@@ -159,7 +149,7 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
 	m_grpc_cert_chain = m_config->get_scalar<string>("grpc", "cert_chain", "/etc/falco/certs/server.crt");
 	m_grpc_root_certs = m_config->get_scalar<string>("grpc", "root_certs", "/etc/falco/certs/ca.crt");
 
-	falco_outputs::output_config grpc_output;
+	falco::outputs::config grpc_output;
 	grpc_output.name = "grpc";
 	// gRPC output is enabled only if gRPC server is enabled too
 	if(m_config->get_scalar<bool>("grpc_output", "enabled", true) && m_grpc_enabled)
@@ -176,6 +166,8 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
 
 	falco_logger::set_level(m_log_level);
 
+	m_output_timeout = m_config->get_scalar<uint32_t>("output_timeout", 2000);
+
 	m_notifications_rate = m_config->get_scalar<uint32_t>("outputs", "rate", 1);
 	m_notifications_max_burst = m_config->get_scalar<uint32_t>("outputs", "max_burst", 1000);
 
@@ -346,4 +338,4 @@ void falco_configuration::set_cmdline_option(const string &opt)
 	{
 		m_config->set_scalar(keyval.first, keyval.second);
 	}
-}
+}

userspace/falco/configuration.h

@@ -37,7 +37,7 @@ public:
 	{
 		m_path = path;
 		YAML::Node config;
-		std::vector<falco_outputs::output_config> outputs;
+		std::vector<falco::outputs::config> outputs;
 		try
 		{
 			m_root = YAML::LoadFile(path);
@@ -196,7 +196,7 @@ public:
 	bool m_json_output;
 	bool m_json_include_output_property;
 	std::string m_log_level;
-	std::vector<falco_outputs::output_config> m_outputs;
+	std::vector<falco::outputs::config> m_outputs;
 	uint32_t m_notifications_rate;
 	uint32_t m_notifications_max_burst;
 
@@ -204,6 +204,7 @@ public:
 
 	bool m_buffered_outputs;
 	bool m_time_format_iso_8601;
+	uint32_t m_output_timeout;
 
 	bool m_grpc_enabled;
 	uint32_t m_grpc_threadiness;

userspace/falco/event_drops.cpp

@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2020 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -15,6 +15,7 @@ limitations under the License.
 */
 
 #include "event_drops.h"
+#include "falco_common.h"
 #include "banned.h" // This raises a compilation error when certain functions are used
 
 syscall_evt_drop_mgr::syscall_evt_drop_mgr():
@@ -137,7 +138,7 @@ bool syscall_evt_drop_mgr::perform_actions(uint64_t now, scap_stats &delta, bool
 
 		case ACT_ALERT:
 			m_outputs->handle_msg(now,
-					      falco_outputs::PRIORITY_CRITICAL,
+					      falco_common::PRIORITY_CRITICAL,
 					      msg,
 					      rule,
 					      output_fields);

userspace/falco/falco.cpp

@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2020 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -36,7 +36,7 @@ limitations under the License.
 #include "logger.h"
 #include "utils.h"
 #include "chisel.h"
-#include "sysdig.h"
+#include "fields_info.h"
 
 #include "event_drops.h"
 #include "configuration.h"
@@ -86,6 +86,7 @@ static void usage()
 	   " -h, --help                    Print this page\n"
 	   " -c                            Configuration file (default " FALCO_SOURCE_CONF_FILE ", " FALCO_INSTALL_CONF_FILE ")\n"
 	   " -A                            Monitor all events, including those with EF_DROP_SIMPLE_CONS flag.\n"
+	   " --alternate-lua-dir <path>    Specify an alternate path for loading Falco lua files\n"
 	   " -b, --print-base64            Print data buffers in base64.\n"
 	   "                               This is useful for encoding binary data that needs to be used over media designed to.\n"
 	   " --cri <path>                  Path to CRI socket for container metadata.\n"
@@ -478,37 +479,38 @@ int falco_init(int argc, char **argv)
 #endif
 
 	static struct option long_options[] =
-	{
-		{"cri", required_argument, 0},
-        {"daemon", no_argument, 0, 'd'},
-        {"disable-cri-async", no_argument, 0, 0},
-        {"disable-source", required_argument, 0},
-        {"help", no_argument, 0, 'h'},
-        {"ignored-events", no_argument, 0, 'i'},
-        {"k8s-api-cert", required_argument, 0, 'K'},
-        {"k8s-api", required_argument, 0, 'k'},
-        {"list", optional_argument, 0},
-        {"mesos-api", required_argument, 0, 'm'},
-        {"option", required_argument, 0, 'o'},
-        {"pidfile", required_argument, 0, 'P'},
-        {"print-base64", no_argument, 0, 'b'},
-        {"print", required_argument, 0, 'p'},
-        {"snaplen", required_argument, 0, 'S'},
-        {"stats-interval", required_argument, 0},
-        {"support", no_argument, 0},
-        {"unbuffered", no_argument, 0, 'U'},
-        {"userspace", no_argument, 0, 'u'},
-        {"validate", required_argument, 0, 'V'},
-        {"version", no_argument, 0, 0},
-        {"writefile", required_argument, 0, 'w'},
-		{0, 0, 0, 0}
-	};
+		{
+			{"alternate-lua-dir", required_argument, 0},
+			{"cri", required_argument, 0},
+			{"daemon", no_argument, 0, 'd'},
+			{"disable-cri-async", no_argument, 0, 0},
+			{"disable-source", required_argument, 0},
+			{"help", no_argument, 0, 'h'},
+			{"ignored-events", no_argument, 0, 'i'},
+			{"k8s-api-cert", required_argument, 0, 'K'},
+			{"k8s-api", required_argument, 0, 'k'},
+			{"list", optional_argument, 0},
+			{"mesos-api", required_argument, 0, 'm'},
+			{"option", required_argument, 0, 'o'},
+			{"pidfile", required_argument, 0, 'P'},
+			{"print-base64", no_argument, 0, 'b'},
+			{"print", required_argument, 0, 'p'},
+			{"snaplen", required_argument, 0, 'S'},
+			{"stats-interval", required_argument, 0},
+			{"support", no_argument, 0},
+			{"unbuffered", no_argument, 0, 'U'},
+			{"userspace", no_argument, 0, 'u'},
+			{"validate", required_argument, 0, 'V'},
+			{"version", no_argument, 0, 0},
+			{"writefile", required_argument, 0, 'w'},
+			{0, 0, 0, 0}};
 
 	try
 	{
 		set<string> disabled_rule_substrings;
 		string substring;
 		string all_rules = "";
+		string alternate_lua_dir = FALCO_ENGINE_SOURCE_LUA_DIR;
 		set<string> disabled_rule_tags;
 		set<string> enabled_rule_tags;
 
@@ -686,6 +688,16 @@ int falco_init(int argc, char **argv)
 						disable_sources.insert(optarg);
 					}
 				}
+				else if (string(long_options[long_index].name)== "alternate-lua-dir")
+				{
+					if(optarg != NULL)
+					{
+						alternate_lua_dir = optarg;
+						if (alternate_lua_dir.back() != '/') {
+							alternate_lua_dir += '/';
+						}
+					}
+				}
 				break;
 
 			default:
@@ -721,7 +733,7 @@ int falco_init(int argc, char **argv)
 			return EXIT_SUCCESS;
 		}
 
-		engine = new falco_engine();
+		engine = new falco_engine(true, alternate_lua_dir);
 		engine->set_inspector(inspector);
 		engine->set_extra(output_format, replace_container_info);
 
@@ -750,9 +762,6 @@ int falco_init(int argc, char **argv)
 			}
 		}
 
-		outputs = new falco_outputs(engine);
-		outputs->set_inspector(inspector);
-
 		// Some combinations of arguments are not allowed.
 		if (daemon && pidfilename == "") {
 			throw std::invalid_argument("If -d is provided, a pid file must also be provided");
@@ -783,7 +792,7 @@ int falco_init(int argc, char **argv)
 				}
 				else
 				{
-					conf_filename = "";
+					throw std::invalid_argument("You must create a config file at " FALCO_SOURCE_CONF_FILE ", " FALCO_INSTALL_CONF_FILE " or by passing -c\n");
 				}
 			}
 		}
@@ -804,7 +813,7 @@ int falco_init(int argc, char **argv)
 				}
 				catch(falco_exception &e)
 				{
-					printf("%s%s\n", prefix.c_str(), e.what());
+					printf("%s%s", prefix.c_str(), e.what());
 					throw;
 				}
 				printf("%sOk\n", prefix.c_str());
@@ -825,12 +834,7 @@ int falco_init(int argc, char **argv)
 		}
 		else
 		{
-			config.init(cmdline_options);
-			falco_logger::set_time_format_iso_8601(config.m_time_format_iso_8601);
-
-			// log after config init because config determines where logs go
-			falco_logger::log(LOG_INFO, "Falco version " + std::string(FALCO_VERSION) + " (driver version " + std::string(DRIVER_VERSION) + ")\n");
-			falco_logger::log(LOG_INFO, "Falco initialized. No configuration file found, proceeding with defaults\n");
+			throw std::runtime_error("Could not find configuration file at " + conf_filename);
 		}
 
 		if (rules_filenames.size())
@@ -861,7 +865,15 @@ int falco_init(int argc, char **argv)
 			falco_logger::log(LOG_INFO, "Loading rules from file " + filename + ":\n");
 			uint64_t required_engine_version;
 
-			engine->load_rules_file(filename, verbose, all_events, required_engine_version);
+			try {
+				engine->load_rules_file(filename, verbose, all_events, required_engine_version);
+			}
+			catch(falco_exception &e)
+			{
+				std::string prefix = "Could not load rules file " + filename + ": ";
+
+				throw falco_exception(prefix + e.what());
+			}
 			required_engine_versions[filename] = required_engine_version;
 		}
 
@@ -959,14 +971,6 @@ int falco_init(int argc, char **argv)
 			hostname = c_hostname;
 		}
 
-
-		outputs->init(config.m_json_output,
-			      config.m_json_include_output_property,
-			      config.m_notifications_rate, config.m_notifications_max_burst,
-			      config.m_buffered_outputs,
-			      config.m_time_format_iso_8601,
-			      hostname);
-
 		if(!all_events)
 		{
 			inspector->set_drop_event_flags(EF_DROP_SIMPLE_CONS);
@@ -986,11 +990,6 @@ int falco_init(int argc, char **argv)
 
 		inspector->set_hostname_and_port_resolution_mode(false);
 
-		for(auto output : config.m_outputs)
-		{
-			outputs->add_output(output);
-		}
-
 		if(signal(SIGINT, signal_callback) == SIG_ERR)
 		{
 			fprintf(stderr, "An error occurred while setting SIGINT signal handler.\n");
@@ -1076,6 +1075,21 @@ int falco_init(int argc, char **argv)
 			g_daemonized = true;
 		}
 
+		outputs = new falco_outputs();
+
+		outputs->init(config.m_json_output,
+			config.m_json_include_output_property,
+			config.m_output_timeout,
+			config.m_notifications_rate, config.m_notifications_max_burst,
+			config.m_buffered_outputs,
+			config.m_time_format_iso_8601,
+			hostname);
+
+		for(auto output : config.m_outputs)
+		{
+			outputs->add_output(output);
+		}
+
 		if(trace_filename.size())
 		{
 			// Try to open the trace file as a sysdig
@@ -1171,8 +1185,8 @@ int falco_init(int argc, char **argv)
 						falco_logger::log(LOG_ERR, "Unable to load the driver.\n");
 					}
 					open_f(inspector);
-				} 
-				else 
+				}
+				else
 				{
 					rethrow_exception(current_exception());
 				}
@@ -1281,7 +1295,7 @@ int falco_init(int argc, char **argv)
 
 		if(!trace_filename.empty() && !trace_is_scap)
 		{
-#ifndef MINIMAL_BUILD			
+#ifndef MINIMAL_BUILD
 			read_k8s_audit_trace_file(engine,
 						  outputs,
 						  trace_filename);

userspace/falco/falco_outputs.cpp

@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2020 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -24,24 +24,22 @@ limitations under the License.
 
 #include "formats.h"
 #include "logger.h"
+#include "watchdog.h"
+
+#include "outputs_file.h"
+#include "outputs_program.h"
+#include "outputs_stdout.h"
+#include "outputs_syslog.h"
 #ifndef MINIMAL_BUILD
-#include "falco_outputs_queue.h"
+#include "outputs_http.h"
+#include "outputs_grpc.h"
 #endif
+
 #include "banned.h" // This raises a compilation error when certain functions are used
 
 using namespace std;
 
-const static struct luaL_reg ll_falco_outputs [] =
-{
-#ifndef MINIMAL_BUILD
-	{"handle_http", &falco_outputs::handle_http},
-	{"handle_grpc", &falco_outputs::handle_grpc},
-#endif
-	{NULL, NULL}
-};
-
-falco_outputs::falco_outputs(falco_engine *engine):
-	m_falco_engine(engine),
+falco_outputs::falco_outputs():
 	m_initialized(false),
 	m_buffered(true),
 	m_json_output(false),
@@ -52,52 +50,37 @@ falco_outputs::falco_outputs(falco_engine *engine):
 
 falco_outputs::~falco_outputs()
 {
-	// Note: The assert()s in this destructor were previously places where
-	//       exceptions were thrown.  C++11 doesn't allow destructors to
-	//       emit exceptions; if they're thrown, they'll trigger a call
-	//       to 'terminate()'.  To maintain similar behavior, the exceptions
-	//       were replace with calls to 'assert()'
 	if(m_initialized)
 	{
-		lua_getglobal(m_ls, m_lua_output_cleanup.c_str());
-		if(!lua_isfunction(m_ls, -1))
+		this->stop_worker();
+		for(auto o : m_outputs)
 		{
-			falco_logger::log(LOG_ERR, std::string("No function ") + m_lua_output_cleanup + " found. ");
-			assert(nullptr == "Missing lua cleanup function in ~falco_outputs");
-		}
-
-		if(lua_pcall(m_ls, 0, 0, 0) != 0)
-		{
-			const char *lerr = lua_tostring(m_ls, -1);
-			falco_logger::log(LOG_ERR, std::string("lua_pcall failed, err: ") + lerr);
-			assert(nullptr == "lua_pcall failed in ~falco_outputs");
+			delete o;
 		}
 	}
 }
 
 void falco_outputs::init(bool json_output,
-			 bool json_include_output_property,
-			 uint32_t rate, uint32_t max_burst, bool buffered,
-			 bool time_format_iso_8601, string hostname)
+		  bool json_include_output_property,
+		  uint32_t timeout,
+		  uint32_t rate, uint32_t max_burst, bool buffered,
+		  bool time_format_iso_8601, std::string hostname)
 {
-	// The engine must have been given an inspector by now.
-	if(!m_inspector)
+	// Cannot be initialized more than one time.
+	if(m_initialized)
 	{
-		throw falco_exception("No inspector provided");
+		throw falco_exception("falco_outputs already initialized");
 	}
 
 	m_json_output = json_output;
 
-	falco_common::init(m_lua_main_filename.c_str(), FALCO_SOURCE_LUA_DIR);
+	// Note that falco_formats is already initialized by the engine,
+	// and the following json options are not used within the engine.
+	// So we can safely update them.
+	falco_formats::s_json_output = json_output;
+	falco_formats::s_json_include_output_property = json_include_output_property;
 
-	// Note that falco_formats is added to both the lua state used
-	// by the falco engine as well as the separate lua state used
-	// by falco outputs.
-	falco_formats::init(m_inspector, m_falco_engine, m_ls, json_output, json_include_output_property);
-
-	falco_logger::init(m_ls);
-
-	luaL_openlib(m_ls, "c_outputs", ll_falco_outputs, 0);
+	m_timeout = std::chrono::milliseconds(timeout);
 
 	m_notifications_tb.init(rate, max_burst);
 
@@ -105,43 +88,60 @@ void falco_outputs::init(bool json_output,
 	m_time_format_iso_8601 = time_format_iso_8601;
 	m_hostname = hostname;
 
+	m_worker_thread = std::thread(&falco_outputs::worker, this);
+
 	m_initialized = true;
 }
 
-void falco_outputs::add_output(output_config oc)
+// This function has to be called after init() since some configuration settings
+// need to be passed to the output plugins. Then, although the worker has started,
+// the worker is still on hold, waiting for a message.
+// Thus it is still safe to call add_output() before any message has been enqueued.
+void falco_outputs::add_output(falco::outputs::config oc)
 {
-	uint8_t nargs = 3;
-	lua_getglobal(m_ls, m_lua_add_output.c_str());
-
-	if(!lua_isfunction(m_ls, -1))
+	if(!m_initialized)
 	{
-		throw falco_exception("No function " + m_lua_add_output + " found. ");
-	}
-	lua_pushstring(m_ls, oc.name.c_str());
-	lua_pushnumber(m_ls, (m_buffered ? 1 : 0));
-	lua_pushnumber(m_ls, (m_time_format_iso_8601 ? 1 : 0));
-
-	// If we have options, build up a lua table containing them
-	if(oc.options.size())
-	{
-		nargs = 4;
-		lua_createtable(m_ls, 0, oc.options.size());
-
-		for(auto it = oc.options.cbegin(); it != oc.options.cend(); ++it)
-		{
-			lua_pushstring(m_ls, (*it).second.c_str());
-			lua_setfield(m_ls, -2, (*it).first.c_str());
-		}
+		throw falco_exception("cannot add output: falco_outputs not initialized yet");
 	}
 
-	if(lua_pcall(m_ls, nargs, 0, 0) != 0)
+	falco::outputs::abstract_output *oo;
+
+	if(oc.name == "file")
 	{
-		const char *lerr = lua_tostring(m_ls, -1);
-		throw falco_exception(string(lerr));
+		oo = new falco::outputs::output_file();
 	}
+	else if(oc.name == "program")
+	{
+		oo = new falco::outputs::output_program();
+	}
+	else if(oc.name == "stdout")
+	{
+		oo = new falco::outputs::output_stdout();
+	}
+	else if(oc.name == "syslog")
+	{
+		oo = new falco::outputs::output_syslog();
+	}
+#ifndef MINIMAL_BUILD
+	else if(oc.name == "http")
+	{
+		oo = new falco::outputs::output_http();
+	}
+	else if(oc.name == "grpc")
+	{
+		oo = new falco::outputs::output_grpc();
+	}
+#endif
+	else
+	{
+		throw falco_exception("Output not supported: " + oc.name);
+	}
+
+	oo->init(oc, m_buffered, m_hostname);
+	m_outputs.push_back(oo);
 }
 
-void falco_outputs::handle_event(gen_event *ev, string &rule, string &source,
+void falco_outputs::handle_event(gen_event *evt, string &rule, string &source,
 				 falco_common::priority_type priority, string &format)
 {
 	if(!m_notifications_tb.claim())
@@ -150,70 +150,96 @@ void falco_outputs::handle_event(gen_event *ev, string &rule, string &source,
 		return;
 	}
 
-	std::lock_guard<std::mutex> guard(m_ls_semaphore);
-	lua_getglobal(m_ls, m_lua_output_event.c_str());
+	falco_outputs::ctrl_msg cmsg = {};
+	cmsg.ts = evt->get_ts();
+	cmsg.priority = priority;
+	cmsg.source = source;
+	cmsg.rule = rule;
 
-	if(lua_isfunction(m_ls, -1))
+	string sformat;
+	if(source == "syscall")
 	{
-		lua_pushlightuserdata(m_ls, ev);
-		lua_pushstring(m_ls, rule.c_str());
-		lua_pushstring(m_ls, source.c_str());
-		lua_pushstring(m_ls, falco_common::priority_names[priority].c_str());
-		lua_pushnumber(m_ls, priority);
-		lua_pushstring(m_ls, format.c_str());
-		lua_pushstring(m_ls, m_hostname.c_str());
-
-		if(lua_pcall(m_ls, 7, 0, 0) != 0)
+		if(m_time_format_iso_8601)
 		{
-			const char *lerr = lua_tostring(m_ls, -1);
-			string err = "Error invoking function output: " + string(lerr);
-			throw falco_exception(err);
+			sformat = "*%evt.time.iso8601: " + falco_common::priority_names[priority];
+		}
+		else
+		{
+			sformat = "*%evt.time: " + falco_common::priority_names[priority];
 		}
 	}
 	else
 	{
-		throw falco_exception("No function " + m_lua_output_event + " found in lua compiler module");
+		if(m_time_format_iso_8601)
+		{
+			sformat = "*%jevt.time.iso8601: " + falco_common::priority_names[priority];
+		}
+		else
+		{
+			sformat = "*%jevt.time: " + falco_common::priority_names[priority];
+		}
 	}
+
+	// if format starts with a *, remove it, as we added our own prefix
+	if(format[0] == '*')
+	{
+		sformat += " " + format.substr(1, format.length() - 1);
+	}
+	else
+	{
+		sformat += " " + format;
+	}
+
+	cmsg.msg = falco_formats::format_event(evt, rule, source, falco_common::priority_names[priority], sformat);
+	cmsg.fields = falco_formats::resolve_tokens(evt, source, sformat);
+
+	cmsg.type = ctrl_msg_type::CTRL_MSG_OUTPUT;
+	m_queue.push(cmsg);
 }
 
-void falco_outputs::handle_msg(uint64_t now,
+void falco_outputs::handle_msg(uint64_t ts,
 			       falco_common::priority_type priority,
 			       std::string &msg,
 			       std::string &rule,
 			       std::map<std::string, std::string> &output_fields)
 {
-	std::string full_msg;
+	falco_outputs::ctrl_msg cmsg = {};
+	cmsg.ts = ts;
+	cmsg.priority = priority;
+	cmsg.source = "internal";
+	cmsg.rule = rule;
+	cmsg.fields = output_fields;
 
 	if(m_json_output)
 	{
 		nlohmann::json jmsg;
 
 		// Convert the time-as-nanoseconds to a more json-friendly ISO8601.
-		time_t evttime = now / 1000000000;
+		time_t evttime = ts / 1000000000;
 		char time_sec[20]; // sizeof "YYYY-MM-DDTHH:MM:SS"
 		char time_ns[12];  // sizeof ".sssssssssZ"
 		string iso8601evttime;
 
 		strftime(time_sec, sizeof(time_sec), "%FT%T", gmtime(&evttime));
-		snprintf(time_ns, sizeof(time_ns), ".%09luZ", now % 1000000000);
+		snprintf(time_ns, sizeof(time_ns), ".%09luZ", ts % 1000000000);
 		iso8601evttime = time_sec;
 		iso8601evttime += time_ns;
 
 		jmsg["output"] = msg;
-		jmsg["priority"] = "Critical";
+		jmsg["priority"] = falco_common::priority_names[priority];
 		jmsg["rule"] = rule;
 		jmsg["time"] = iso8601evttime;
 		jmsg["output_fields"] = output_fields;
 
-		full_msg = jmsg.dump();
+		cmsg.msg = jmsg.dump();
 	}
 	else
 	{
 		std::string timestr;
 		bool first = true;
 
-		sinsp_utils::ts_to_string(now, &timestr, false, true);
-		full_msg = timestr + ": " + falco_common::priority_names[LOG_CRIT] + " " + msg + " (";
+		sinsp_utils::ts_to_string(ts, &timestr, false, true);
+		cmsg.msg = timestr + ": " + falco_common::priority_names[priority] + " " + msg + " (";
 		for(auto &pair : output_fields)
 		{
 			if(first)
@@ -222,158 +248,95 @@ void falco_outputs::handle_msg(uint64_t now,
 			}
 			else
 			{
-				full_msg += " ";
+				cmsg.msg += " ";
 			}
-			full_msg += pair.first + "=" + pair.second;
+			cmsg.msg += pair.first + "=" + pair.second;
 		}
-		full_msg += ")";
+		cmsg.msg += ")";
 	}
 
-	std::lock_guard<std::mutex> guard(m_ls_semaphore);
-	lua_getglobal(m_ls, m_lua_output_msg.c_str());
-	if(lua_isfunction(m_ls, -1))
-	{
-		lua_pushstring(m_ls, full_msg.c_str());
-		lua_pushstring(m_ls, falco_common::priority_names[priority].c_str());
-		lua_pushnumber(m_ls, priority);
+	cmsg.type = ctrl_msg_type::CTRL_MSG_OUTPUT;
+	m_queue.push(cmsg);
+}
 
-		if(lua_pcall(m_ls, 3, 0, 0) != 0)
-		{
-			const char *lerr = lua_tostring(m_ls, -1);
-			string err = "Error invoking function output: " + string(lerr);
-			throw falco_exception(err);
-		}
-	}
-	else
-	{
-		throw falco_exception("No function " + m_lua_output_msg + " found in lua compiler module");
-	}
+void falco_outputs::cleanup_outputs()
+{
+	this->push(falco_outputs::ctrl_msg_type::CTRL_MSG_CLEANUP);
 }
 
 void falco_outputs::reopen_outputs()
 {
-	lua_getglobal(m_ls, m_lua_output_reopen.c_str());
-	if(!lua_isfunction(m_ls, -1))
-	{
-		throw falco_exception("No function " + m_lua_output_reopen + " found. ");
-	}
+	this->push(falco_outputs::ctrl_msg_type::CTRL_MSG_REOPEN);
+}
 
-	if(lua_pcall(m_ls, 0, 0, 0) != 0)
+void falco_outputs::stop_worker()
+{
+	watchdog<void *> wd;
+	wd.start([&](void *) -> void {
+		falco_logger::log(LOG_NOTICE, "output channels still blocked, discarding all remaining notifications\n");
+		m_queue.clear();
+		this->push(falco_outputs::ctrl_msg_type::CTRL_MSG_STOP);
+	});
+	wd.set_timeout(m_timeout, nullptr);
+
+	this->push(falco_outputs::ctrl_msg_type::CTRL_MSG_STOP);
+	if(m_worker_thread.joinable())
 	{
-		const char *lerr = lua_tostring(m_ls, -1);
-		throw falco_exception(string(lerr));
+		m_worker_thread.join();
 	}
 }
 
-#ifndef MINIMAL_BUILD
-int falco_outputs::handle_http(lua_State *ls)
+inline void falco_outputs::push(ctrl_msg_type cmt)
 {
-	CURL *curl = NULL;
-	CURLcode res = CURLE_FAILED_INIT;
-	struct curl_slist *slist1;
-	slist1 = NULL;
+	falco_outputs::ctrl_msg cmsg = {};
+	cmsg.type = cmt;
+	m_queue.push(cmsg);
+}
 
-	if(!lua_isstring(ls, -1) ||
-	   !lua_isstring(ls, -2))
+// todo(leogr,leodido): this function is not supposed to throw exceptions, and with "noexcept",
+// the program is terminated if that occurs. Although that's the wanted behavior,
+// we still need to improve the error reporting since some inner functions can throw exceptions.
+void falco_outputs::worker() noexcept
+{
+	watchdog<std::string> wd;
+	wd.start([&](std::string payload) -> void {
+		falco_logger::log(LOG_CRIT, "\"" + payload + "\" output timeout, all output channels are blocked\n");
+	});
+
+	auto timeout = m_timeout;
+
+	falco_outputs::ctrl_msg cmsg;
+	do
 	{
-		lua_pushstring(ls, "Invalid arguments passed to handle_http()");
-		lua_error(ls);
-	}
+		// Block until a message becomes available.
+		m_queue.pop(cmsg);
 
-	string url = (char *)lua_tostring(ls, 1);
-	string msg = (char *)lua_tostring(ls, 2);
-
-	curl = curl_easy_init();
-	if(curl)
-	{
-		slist1 = curl_slist_append(slist1, "Content-Type: application/json");
-		curl_easy_setopt(curl, CURLOPT_HTTPHEADER, slist1);
-		curl_easy_setopt(curl, CURLOPT_URL, url.c_str());
-		curl_easy_setopt(curl, CURLOPT_POSTFIELDS, msg.c_str());
-		curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, -1L);
-
-		res = curl_easy_perform(curl);
-
-		if(res != CURLE_OK)
+		for(const auto o : m_outputs)
 		{
-			falco_logger::log(LOG_ERR, "libcurl error: " + string(curl_easy_strerror(res)));
+			wd.set_timeout(timeout, o->get_name());
+			try
+			{
+				switch(cmsg.type)
+				{
+					case ctrl_msg_type::CTRL_MSG_OUTPUT:
+						o->output(&cmsg);
+						break;
+					case ctrl_msg_type::CTRL_MSG_CLEANUP:
+					case ctrl_msg_type::CTRL_MSG_STOP:
+						o->cleanup();
+						break;
+					case ctrl_msg_type::CTRL_MSG_REOPEN:
+						o->reopen();
+						break;
+					default:
+						falco_logger::log(LOG_DEBUG, "Outputs worker received an unknown message type\n");	
+				}
+			}
+			catch(const exception &e)
+			{
+				falco_logger::log(LOG_ERR, o->get_name() + ": " + string(e.what()) + "\n");
+			}
 		}
-		curl_easy_cleanup(curl);
-		curl = NULL;
-		curl_slist_free_all(slist1);
-		slist1 = NULL;
-	}
-	return 1;
+		wd.cancel_timeout();
+	} while(cmsg.type != ctrl_msg_type::CTRL_MSG_STOP);
 }
-
-int falco_outputs::handle_grpc(lua_State *ls)
-{
-	// check parameters
-	if(!lua_islightuserdata(ls, -8) ||
-	   !lua_isstring(ls, -7) ||
-	   !lua_isstring(ls, -6) ||
-	   !lua_isstring(ls, -5) ||
-	   !lua_isstring(ls, -4) ||
-	   !lua_istable(ls, -3) ||
-	   !lua_isstring(ls, -2) ||
-	   !lua_istable(ls, -1))
-	{
-		lua_pushstring(ls, "Invalid arguments passed to handle_grpc()");
-		lua_error(ls);
-	}
-
-	falco::outputs::response grpc_res;
-
-	// time
-	gen_event *evt = (gen_event *)lua_topointer(ls, 1);
-	auto timestamp = grpc_res.mutable_time();
-	*timestamp = google::protobuf::util::TimeUtil::NanosecondsToTimestamp(evt->get_ts());
-
-	// rule
-	auto rule = grpc_res.mutable_rule();
-	*rule = (char *)lua_tostring(ls, 2);
-
-	// source
-	falco::schema::source s = falco::schema::source::SYSCALL;
-	string sstr = (char *)lua_tostring(ls, 3);
-	if(!falco::schema::source_Parse(sstr, &s))
-	{
-		lua_pushstring(ls, "Unknown source passed to to handle_grpc()");
-		lua_error(ls);
-	}
-	grpc_res.set_source(s);
-
-	// priority
-	falco::schema::priority p = falco::schema::priority::EMERGENCY;
-	string pstr = (char *)lua_tostring(ls, 4);
-	if(!falco::schema::priority_Parse(pstr, &p))
-	{
-		lua_pushstring(ls, "Unknown priority passed to to handle_grpc()");
-		lua_error(ls);
-	}
-	grpc_res.set_priority(p);
-
-	// output
-	auto output = grpc_res.mutable_output();
-	*output = (char *)lua_tostring(ls, 5);
-
-	// output fields
-	auto &fields = *grpc_res.mutable_output_fields();
-
-	lua_pushnil(ls); // so that lua_next removes it from stack and puts (k, v) on it
-	while(lua_next(ls, 6) != 0)
-	{
-		fields[lua_tostring(ls, -2)] = lua_tostring(ls, -1);
-		lua_pop(ls, 1); // remove value, keep key for lua_next
-	}
-	lua_pop(ls, 1); // pop table
-
-	// hostname
-	auto host = grpc_res.mutable_hostname();
-	*host = (char *)lua_tostring(ls, 7);
-
-	falco::outputs::queue::get().push(grpc_res);
-
-	return 1;
-}
-#endif

userspace/falco/falco_outputs.h

@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2020 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -19,84 +19,81 @@ limitations under the License.
 #include <memory>
 #include <map>
 
-extern "C" {
-#include "lua.h"
-#include "lualib.h"
-#include "lauxlib.h"
-}
-
 #include "gen_filter.h"
 #include "json_evt.h"
 #include "falco_common.h"
 #include "token_bucket.h"
 #include "falco_engine.h"
+#include "outputs.h"
+#include "tbb/concurrent_queue.h"
 
 //
 // This class acts as the primary interface between a program and the
 // falco output engine. The falco rules engine is implemented by a
 // separate class falco_engine.
 //
-
-class falco_outputs : public falco_common
+class falco_outputs
 {
 public:
-	falco_outputs(falco_engine *engine);
+	falco_outputs();
 	virtual ~falco_outputs();
 
-	// The way to refer to an output (file, syslog, stdout, etc.)
-	// An output has a name and set of options.
-	struct output_config
-	{
-		std::string name;
-		std::map<std::string, std::string> options;
-	};
-
 	void init(bool json_output,
 		  bool json_include_output_property,
+		  uint32_t timeout,
 		  uint32_t rate, uint32_t max_burst, bool buffered,
 		  bool time_format_iso_8601, std::string hostname);
 
-	void add_output(output_config oc);
+	void add_output(falco::outputs::config oc);
 
-	//
-	// ev is an event that has matched some rule. Pass the event
-	// to all configured outputs.
-	//
-	void handle_event(gen_event *ev, std::string &rule, std::string &source,
+	// Format then send the event to all configured outputs (`evt` is an event that has matched some rule).
+	void handle_event(gen_event *evt, std::string &rule, std::string &source,
 			  falco_common::priority_type priority, std::string &format);
 
-	// Send a generic message to all outputs. Not necessarily associated with any event.
+	// Format then send a generic message to all outputs. Not necessarily associated with any event.
 	void handle_msg(uint64_t now,
 			falco_common::priority_type priority,
 			std::string &msg,
 			std::string &rule,
-			std::map<std::string,std::string> &output_fields);
+			std::map<std::string, std::string> &output_fields);
+
+	void cleanup_outputs();
 
 	void reopen_outputs();
 
-#ifndef MINIMAL_BUILD
-	static int handle_http(lua_State *ls);
-	static int handle_grpc(lua_State *ls);
-#endif
-
 private:
-
-	falco_engine *m_falco_engine;
-
 	bool m_initialized;
 
+	std::vector<falco::outputs::abstract_output *> m_outputs;
+
 	// Rate limits notifications
 	token_bucket m_notifications_tb;
 
 	bool m_buffered;
 	bool m_json_output;
 	bool m_time_format_iso_8601;
+	std::chrono::milliseconds m_timeout;
 	std::string m_hostname;
 
-	std::string m_lua_add_output = "add_output";
-	std::string m_lua_output_event = "output_event";
-	std::string m_lua_output_msg = "output_msg";
-	std::string m_lua_output_cleanup = "output_cleanup";
-	std::string m_lua_output_reopen = "output_reopen";
-	std::string m_lua_main_filename = "output.lua";
+	enum ctrl_msg_type
+	{
+		CTRL_MSG_STOP = 0,
+		CTRL_MSG_OUTPUT = 1,
+		CTRL_MSG_CLEANUP = 2,
+		CTRL_MSG_REOPEN = 3,
+	};
+
+	struct ctrl_msg : falco::outputs::message
+	{
+		ctrl_msg_type type;
+	};
+
+	typedef tbb::concurrent_bounded_queue<ctrl_msg> falco_outputs_cbq;
+
+	falco_outputs_cbq m_queue;
+
+	std::thread m_worker_thread;
+	inline void push(ctrl_msg_type cmt);
+	void worker() noexcept;
+	void stop_worker();
 };

userspace/falco/grpc_queue.h

@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors
+Copyright (C) 2020 The Falco Authors
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -21,9 +21,9 @@ limitations under the License.
 
 namespace falco
 {
-namespace outputs
+namespace grpc
 {
-typedef tbb::concurrent_queue<response> response_cq;
+typedef tbb::concurrent_queue<outputs::response> response_cq;
 
 class queue
 {
@@ -34,12 +34,12 @@ public:
 		return instance;
 	}
 
-	bool try_pop(response& res)
+	bool try_pop(outputs::response& res)
 	{
 		return m_queue.try_pop(res);
 	}
 
-	void push(response& res)
+	void push(outputs::response& res)
 	{
 		m_queue.push(res);
 	}
@@ -56,5 +56,5 @@ public:
 	queue(queue const&) = delete;
 	void operator=(queue const&) = delete;
 };
-} // namespace output
+} // namespace grpc
 } // namespace falco

userspace/falco/grpc_server_impl.cpp

@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors
+Copyright (C) 2020 The Falco Authors
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -15,8 +15,9 @@ limitations under the License.
 */
 
 #include "config_falco.h"
+#include "falco_engine_version.h"
 #include "grpc_server_impl.h"
-#include "falco_outputs_queue.h"
+#include "grpc_queue.h"
 #include "logger.h"
 #include "banned.h" // This raises a compilation error when certain functions are used
 
@@ -44,7 +45,7 @@ void falco::grpc::server_impl::get(const stream_context& ctx, const outputs::req
 	// m_status == stream_context::STREAMING?
 	// todo(leodido) > set m_stream
 
-	ctx.m_has_more = outputs::queue::get().try_pop(res);
+	ctx.m_has_more = queue::get().try_pop(res);
 }
 
 void falco::grpc::server_impl::sub(const bidi_context& ctx, const outputs::request& req, outputs::response& res)
@@ -61,7 +62,7 @@ void falco::grpc::server_impl::sub(const bidi_context& ctx, const outputs::reque
 	// m_status == stream_context::STREAMING?
 	// todo(leodido) > set m_stream
 
-	ctx.m_has_more = outputs::queue::get().try_pop(res);
+	ctx.m_has_more = queue::get().try_pop(res);
 }
 
 void falco::grpc::server_impl::version(const context& ctx, const version::request&, version::response& res)
@@ -75,6 +76,9 @@ void falco::grpc::server_impl::version(const context& ctx, const version::reques
 	auto& version = *res.mutable_version();
 	version = FALCO_VERSION;
 
+	res.set_engine_version(FALCO_ENGINE_VERSION);
+	res.set_engine_fields_checksum(FALCO_FIELDS_CHECKSUM); 
+
 	res.set_major(FALCO_VERSION_MAJOR);
 	res.set_minor(FALCO_VERSION_MINOR);
 	res.set_patch(FALCO_VERSION_PATCH);

userspace/falco/logger.cpp

@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2020 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -16,25 +16,13 @@ limitations under the License.
 
 #include <ctime>
 #include "logger.h"
-#include "chisel_api.h"
 
 #include "falco_common.h"
 #include "banned.h" // This raises a compilation error when certain functions are used
 
-const static struct luaL_reg ll_falco [] =
-{
-	{"syslog", &falco_logger::syslog},
-	{NULL,NULL}
-};
-
 int falco_logger::level = LOG_INFO;
 bool falco_logger::time_format_iso_8601 = false;
 
-void falco_logger::init(lua_State *ls)
-{
-	luaL_openlib(ls, "falco", ll_falco, 0);
-}
-
 void falco_logger::set_time_format_iso_8601(bool val)
 {
 	falco_logger::time_format_iso_8601 = val;
@@ -81,19 +69,6 @@ void falco_logger::set_level(string &level)
 }
 
 
-int falco_logger::syslog(lua_State *ls) {
-	int priority = luaL_checknumber(ls, 1);
-
-	if (priority > LOG_DEBUG) {
-		return luaL_argerror(ls, 1, "falco.syslog: priority must be a number between 0 and 7");
-	}
-
-	const char *msg = luaL_checkstring(ls, 2);
-	::syslog(priority, "%s", msg);
-
-	return 0;
-}
-
 bool falco_logger::log_stderr = true;
 bool falco_logger::log_syslog = true;
 

userspace/falco/logger.h

@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2020 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -19,25 +19,15 @@ limitations under the License.
 #include "sinsp.h"
 #include <syslog.h>
 
-extern "C" {
-#include "lua.h"
-#include "lualib.h"
-#include "lauxlib.h"
-}
-
 class falco_logger
 {
  public:
-	static void init(lua_State *ls);
 
 	static void set_time_format_iso_8601(bool val);
 
 	// Will throw exception if level is unknown.
 	static void set_level(string &level);
 
-	// value = falco.syslog(level, message)
-	static int syslog(lua_State *ls);
-
 	static void log(int priority, const string msg);
 
 	static int level;

userspace/falco/lua/.gitignore

@@ -1 +0,0 @@
-lyaml*

userspace/falco/lua/output.lua

@@ -1,271 +0,0 @@
--- Copyright (C) 2019 The Falco Authors.
---
--- Licensed under the Apache License, Version 2.0 (the "License");
--- you may not use this file except in compliance with the License.
--- You may obtain a copy of the License at
---
---     http://www.apache.org/licenses/LICENSE-2.0
---
--- Unless required by applicable law or agreed to in writing, software
--- distributed under the License is distributed on an "AS IS" BASIS,
--- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
--- See the License for the specific language governing permissions and
--- limitations under the License.
---
-
-local mod = {}
-
-local outputs = {}
-
-function mod.stdout(event, rule, source, priority, priority_num, msg, format, hostname, options)
-   mod.stdout_message(priority, priority_num, msg, options)
-end
-
-function mod.stdout_message(priority, priority_num, msg, options)
-   if options.buffered == 0 then
-      io.stdout:setvbuf "no"
-   end
-   print(msg)
-end
-
-function mod.stdout_cleanup()
-   io.stdout:flush()
-end
-
--- Note: not actually closing/reopening stdout
-function mod.stdout_reopen(options)
-end
-
-function mod.file_validate(options)
-   if (not type(options.filename) == "string") then
-      error("File output needs to be configured with a valid filename")
-   end
-
-   local file, err = io.open(options.filename, "a+")
-   if file == nil then
-      error("Error with file output: " .. err)
-   end
-   file:close()
-end
-
-function mod.file_open(options)
-   if ffile == nil then
-      ffile = io.open(options.filename, "a+")
-      if options.buffered == 0 then
-         ffile:setvbuf "no"
-      end
-   end
-end
-
-function mod.file(event, rule, source, priority, priority_num, msg, format, hostname, options)
-   mod.file_message(priority, priority_num, msg, options)
-end
-
-function mod.file_message(priority, priority_num, msg, options)
-   if options.keep_alive == "true" then
-      mod.file_open(options)
-   else
-      ffile = io.open(options.filename, "a+")
-   end
-
-   ffile:write(msg, "\n")
-
-   if options.keep_alive == nil or options.keep_alive ~= "true" then
-      ffile:close()
-      ffile = nil
-   end
-end
-
-function mod.file_cleanup()
-   if ffile ~= nil then
-      ffile:flush()
-      ffile:close()
-      ffile = nil
-   end
-end
-
-function mod.file_reopen(options)
-   if options.keep_alive == "true" then
-      mod.file_cleanup()
-      mod.file_open(options)
-   end
-end
-
-function mod.syslog(event, rule, source, priority, priority_num, msg, format, hostname, options)
-   mod.syslog_message(priority, priority_num, msg, options)
-end
-
-function mod.syslog_message(priority, priority_num, msg, options)
-   falco.syslog(priority_num, msg)
-end
-
-function mod.syslog_cleanup()
-end
-
-function mod.syslog_reopen()
-end
-
-function mod.program_open(options)
-   if pfile == nil then
-      pfile = io.popen(options.program, "w")
-      if options.buffered == 0 then
-         pfile:setvbuf "no"
-      end
-   end
-end
-
-function mod.program(event, rule, source, priority, priority_num, msg, format, hostname, options)
-   mod.program_message(priority, priority_num, msg, options)
-end
-
-function mod.program_message(priority, priority_num, msg, options)
-   -- XXX Ideally we'd check that the program ran
-   -- successfully. However, the luajit we're using returns true even
-   -- when the shell can't run the program.
-
-   -- Note: options are all strings
-   if options.keep_alive == "true" then
-      mod.program_open(options)
-   else
-      pfile = io.popen(options.program, "w")
-   end
-
-   pfile:write(msg, "\n")
-
-   if options.keep_alive == nil or options.keep_alive ~= "true" then
-      pfile:close()
-      pfile = nil
-   end
-end
-
-function mod.program_cleanup()
-   if pfile ~= nil then
-      pfile:flush()
-      pfile:close()
-      pfile = nil
-   end
-end
-
-function mod.program_reopen(options)
-   if options.keep_alive == "true" then
-      mod.program_cleanup()
-      mod.program_open(options)
-   end
-end
-
-function mod.http(event, rule, source, priority, priority_num, msg, format, hostname, options)
-   mod.http_message(priority, priority_num, msg, options)
-end
-
-function mod.http_message(priority, priority_num, msg, options)
-   c_outputs.handle_http(options.url, msg)
-end
-
-function mod.http_cleanup()
-end
-
-function mod.http_reopen()
-end
-
-function mod.grpc(event, rule, source, priority, priority_num, msg, format, hostname, options)
-   fields = formats.resolve_tokens(event, source, format)
-   c_outputs.handle_grpc(event, rule, source, priority, msg, fields, hostname, options)
-end
-
-function mod.grpc_message(priority, priority_num, msg, options)
-   -- todo(fntlnz, leodido) > gRPC does not support subscribing to dropped events yet
-end
-
-
-function mod.grpc_cleanup()
-end
-
-function mod.grpc_reopen()
-end
-
-function output_event(event, rule, source, priority, priority_num, format, hostname)
-   -- If format starts with a *, remove it, as we're adding our own
-   -- prefix here.
-   if format:sub(1, 1) == "*" then
-      format = format:sub(2)
-   end
-
-   -- time_format_iso_8601 will be the same for all output channels
-   time_format_iso_8601 = 0
-
-   for index, o in ipairs(outputs) do
-      time_format_iso_8601 = o.options.time_format_iso_8601
-      break
-   end
-
-   if source == "syscall" then
-      if time_format_iso_8601 == 1 then
-         format = "*%evt.time.iso8601: " .. priority .. " " .. format
-      else
-         format = "*%evt.time: " .. priority .. " " .. format
-      end
-   else
-      if time_format_iso_8601 == 1 then
-         format = "*%jevt.time.iso8601: " .. priority .. " " .. format
-      else
-         format = "*%jevt.time: " .. priority .. " " .. format
-      end
-   end
-
-   msg = formats.format_event(event, rule, source, priority, format)
-
-   for index, o in ipairs(outputs) do
-      o.output(event, rule, source, priority, priority_num, msg, format, hostname, o.options)
-   end
-end
-
-function output_msg(msg, priority, priority_num)
-   for index, o in ipairs(outputs) do
-      o.message(priority, priority_num, msg, o.options)
-   end
-end
-
-function output_cleanup()
-   formats.free_formatters()
-   for index, o in ipairs(outputs) do
-      o.cleanup()
-   end
-end
-
-function output_reopen()
-   for index, o in ipairs(outputs) do
-      o.reopen(o.options)
-   end
-end
-
-function add_output(output_name, buffered, time_format_iso_8601, options)
-   if not (type(mod[output_name]) == "function") then
-      error("rule_loader.add_output(): invalid output_name: " .. output_name)
-   end
-
-   -- outputs can optionally define a validation function so that we don't
-   -- find out at runtime (when an event finally matches a rule!) that the options are invalid
-   if (type(mod[output_name .. "_validate"]) == "function") then
-      mod[output_name .. "_validate"](options)
-   end
-
-   if options == nil then
-      options = {}
-   end
-
-   options.buffered = buffered
-   options.time_format_iso_8601 = time_format_iso_8601
-
-   table.insert(
-      outputs,
-      {
-         output = mod[output_name],
-         cleanup = mod[output_name .. "_cleanup"],
-         reopen = mod[output_name .. "_reopen"],
-         message = mod[output_name .. "_message"],
-         options = options
-      }
-   )
-end
-
-return mod

userspace/falco/lua/test.lua

@@ -1,44 +0,0 @@
--- Copyright (C) 2019 The Falco Authors.
---
--- Licensed under the Apache License, Version 2.0 (the "License");
--- you may not use this file except in compliance with the License.
--- You may obtain a copy of the License at
---
---     http://www.apache.org/licenses/LICENSE-2.0
---
--- Unless required by applicable law or agreed to in writing, software
--- distributed under the License is distributed on an "AS IS" BASIS,
--- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
--- See the License for the specific language governing permissions and
--- limitations under the License.
---
-
-local parser = require "parser"
-
-if #arg ~= 1 then
-    print("Usage: test.lua <string>")
-    os.exit(1)
-end
-
-local macros = {}
-local ast
-
-local function doit(line)
-   ast = parser.parse_filter(line)
-
-   if not ast then
-      print("error", error_msg)
-      os.exit(1)
-   end
-
-end
-for str in string.gmatch(arg[1], "([^;]+)") do
-   doit(str)
-end
-
-if (ast and ast.type) then
-   parser.print_ast(ast)
-end
-
-os.exit(0)
-