update: reference for the logo

Signed-off-by: Lorenzo Fontana <lo@linux.com>
add exception macro
2026-03-20 19:52:08 +00:00 · 2020-12-09 18:36:22 +01:00 · 2020-12-04 06:21:34 -05:00 · 2020-12-04 06:21:34 -05:00 · 2020-12-01 04:18:04 -05:00 · 2020-12-01 04:18:04 -05:00
75 changed files with 2143 additions and 1170 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -282,6 +282,8 @@ jobs:
      - run:
          name: Execute integration tests
          command: /usr/bin/entrypoint test
+      - store_test_results:
+          path: /build/release/integration-tests-xunit
  "tests/integration-static":
    docker:
      - image: falcosecurity/falco-tester:latest
@@ -297,6 +299,8 @@ jobs:
      - run:
          name: Execute integration tests
          command: /usr/bin/entrypoint test
+      - store_test_results:
+          path: /build-static/release/integration-tests-xunit
  "tests/driver-loader/integration":
    machine:
      image: ubuntu-1604:202004-01
@@ -306,6 +310,33 @@ jobs:
      - run:
          name: Execute driver-loader integration tests
          command: /tmp/ws/source/falco/test/driver-loader/run_test.sh /tmp/ws/build/release/
+  # Code quality
+  "quality/static-analysis":
+    docker:
+      - image: falcosecurity/falco-builder:latest
+        environment:
+          BUILD_TYPE: "release"
+    steps:
+      - run:
+          name: Install cppcheck
+          command: |
+            yum update -y
+            yum install epel-release -y
+            yum install cppcheck cppcheck-htmlreport -y
+      - checkout:
+          path: /source/falco
+      - run:
+          name: Prepare project
+          command: /usr/bin/entrypoint cmake
+      - run:
+          name: cppcheck
+          command: /usr/bin/entrypoint cppcheck
+      - run:
+          name: cppcheck html report
+          command: /usr/bin/entrypoint cppcheck_htmlreport
+      - store_artifacts:
+          path: /build/release/static-analysis-reports
+          destination: /static-analysis-reports
  # Sign rpm packages
  "rpm/sign":
    docker:
@@ -546,6 +577,7 @@ workflows:
          requires:
            - "publish/packages-dev"
            - "tests/driver-loader/integration"
+      - "quality/static-analysis"
  release:
    jobs:
      - "build/musl":
--- a/.github/stale.yml
+++ b/.github/stale.yml
@@ -1,20 +0,0 @@
-# Number of days of inactivity before an issue becomes stale
-daysUntilStale: 60
-# Number of days of inactivity before a stale issue is closed
-daysUntilClose: 7
-# Issues with these labels will never be considered stale
-exemptLabels:
-  - cncf
-  - roadmap
-  - "help wanted"
-# Label to use when marking an issue as stale
-staleLabel: wontfix
-# Comment to post when marking an issue as stale. Set to `false` to disable
-markComment: >
-  This issue has been automatically marked as stale because it has not had
-  recent activity. It will be closed if no further activity occurs. Thank you
-  for your contributions.
-  Issues labeled "cncf", "roadmap" and "help wanted" will not be automatically closed.
-  Please refer to a maintainer to get such label added if you think this should be kept open.
-# Comment to post when closing a stale issue. Set to `false` to disable
-closeComment: false
--- a/.gitignore
+++ b/.gitignore
@@ -11,8 +11,6 @@ test/.phoronix-test-suite
 test/results*.json.*
 test/build

-userspace/falco/lua/re.lua
-userspace/falco/lua/lpeg.so
 userspace/engine/lua/lyaml
 userspace/engine/lua/lyaml.lua

--- a/.luacheckrc
+++ b/.luacheckrc
@@ -1,7 +1,6 @@
 std = "min"
 cache = true
 include_files = {
-    "userspace/falco/lua/*.lua",
    "userspace/engine/lua/*.lua",
    "userspace/engine/lua/lyaml/*.lua",
    "*.luacheckrc"
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,41 +1,59 @@
 # Change Log

+## v0.26.2
+
+Released on 2020-11-10
+
+### Major Changes
+
+* update: DRIVERS_REPO now defaults to https://download.falco.org/driver [[#1460](https://github.com/falcosecurity/falco/pull/1460)] - [@leodido](https://github.com/leodido)
+
+## v0.26.1
+
+Released on 2020-10-01
+
+### Major Changes
+
+* new: CLI flag `--alternate-lua-dir` to load Lua files from arbitrary paths [[#1419](https://github.com/falcosecurity/falco/pull/1419)] - [@admiral0](https://github.com/admiral0)
+
+
+### Rule Changes
+
+* rule(Delete or rename shell history): fix warnings/FPs + container teardown [[#1423](https://github.com/falcosecurity/falco/pull/1423)] - [@mstemm](https://github.com/mstemm)
+* rule(Write below root): ensure proc_name_exists too [[#1423](https://github.com/falcosecurity/falco/pull/1423)] - [@mstemm](https://github.com/mstemm)
+
+
 ## v0.26.0

 Released on 2020-24-09

 ### Major Changes

-* new: driver updated to 2aa88dcf6243982697811df4c1b484bcbe9488a2 [[#1410](https://github.com/falcosecurity/falco/pull/1410)]
-* new(scripts/falco-driver-loader): detect and try to build the Falco kernel module driver using different GCC versions available in the current environment. [[#1408](https://github.com/falcosecurity/falco/pull/1408)]
-* new: tgz (tarball) containing the statically-linked (musl) binary of Falco is now automatically built and published on bintray [[#1377](https://github.com/falcosecurity/falco/pull/1377)]
+* new: address several sources of FPs, primarily from GKE environments. [[#1372](https://github.com/falcosecurity/falco/pull/1372)] - [@mstemm](https://github.com/mstemm)
+* new: driver updated to 2aa88dcf6243982697811df4c1b484bcbe9488a2 [[#1410](https://github.com/falcosecurity/falco/pull/1410)] - [@leogr](https://github.com/leogr)
+* new(scripts/falco-driver-loader): detect and try to build the Falco kernel module driver using different GCC versions available in the current environment. [[#1408](https://github.com/falcosecurity/falco/pull/1408)] - [@fntlnz](https://github.com/fntlnz)
+* new: tgz (tarball) containing the statically-linked (musl) binary of Falco is now automatically built and published on bintray [[#1377](https://github.com/falcosecurity/falco/pull/1377)] - [@leogr](https://github.com/leogr)


 ### Minor Changes

-* update: bump Falco engine version to 7 [[#1381](https://github.com/falcosecurity/falco/pull/1381)]
-* update: the required_engine_version is now on by default [[#1381](https://github.com/falcosecurity/falco/pull/1381)]
-* update: falcosecurity/falco-no-driver image now uses the statically-linked Falco [[#1377](https://github.com/falcosecurity/falco/pull/1377)]
-* docs(proposals): artifacts storage [[#1375](https://github.com/falcosecurity/falco/pull/1375)]
-* docs(proposals): artifacts cleanup [[#1375](https://github.com/falcosecurity/falco/pull/1375)]
-
+* update: bump Falco engine version to 7 [[#1381](https://github.com/falcosecurity/falco/pull/1381)] - [@leogr](https://github.com/leogr)
+* update: the required_engine_version is now on by default [[#1381](https://github.com/falcosecurity/falco/pull/1381)] - [@leogr](https://github.com/leogr)
+* update: falcosecurity/falco-no-driver image now uses the statically-linked Falco [[#1377](https://github.com/falcosecurity/falco/pull/1377)] - [@leogr](https://github.com/leogr)
+* docs(proposals): artifacts storage [[#1375](https://github.com/falcosecurity/falco/pull/1375)] - [@leodido](https://github.com/leodido)
+* docs(proposals): artifacts cleanup [[#1375](https://github.com/falcosecurity/falco/pull/1375)] - [@leodido](https://github.com/leodido)


 ### Rule Changes

-* rule: Address several sources of FPs, primarily from GKE environments. [[#1372](https://github.com/falcosecurity/falco/pull/1372)]
-* rule(macro inbound_outbound): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)]
-* rule(macro redis_writing_conf): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)]
-* rule(macro run_by_foreman): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)]
-* rule(macro consider_packet_socket_communication): enable "Packet socket created in container" rule by default. [[#1402](https://github.com/falcosecurity/falco/pull/1402)]
-* rule(Delete or rename shell history): skip docker overlay filesystems when considering bash history [[#1393](https://github.com/falcosecurity/falco/pull/1393)]
-* rule(Disallowed K8s User): quote colons in user names [[#1393](https://github.com/falcosecurity/falco/pull/1393)]
-* rule(macro falco_sensitive_mount_containers): Adds a trailing slash to avoid repo naming issues [[#1394](https://github.com/falcosecurity/falco/pull/1394)]
-* rule: adds user.loginuid to the default Falco rules that also contain user.name [[#1369](https://github.com/falcosecurity/falco/pull/1369)]
-
-
-
-This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).
+* rule(macro inbound_outbound): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)] - [@ldegio](https://github.com/ldegio)
+* rule(macro redis_writing_conf): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)] - [@ldegio](https://github.com/ldegio)
+* rule(macro run_by_foreman): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)] - [@ldegio](https://github.com/ldegio)
+* rule(macro consider_packet_socket_communication): enable "Packet socket created in container" rule by default. [[#1402](https://github.com/falcosecurity/falco/pull/1402)] - [@rung](https://github.com/rung)
+* rule(Delete or rename shell history): skip docker overlay filesystems when considering bash history [[#1393](https://github.com/falcosecurity/falco/pull/1393)] - [@mstemm](https://github.com/mstemm)
+* rule(Disallowed K8s User): quote colons in user names [[#1393](https://github.com/falcosecurity/falco/pull/1393)] - [@mstemm](https://github.com/mstemm)
+* rule(macro falco_sensitive_mount_containers): Adds a trailing slash to avoid repo naming issues [[#1394](https://github.com/falcosecurity/falco/pull/1394)] - [@bgeesaman](https://github.com/bgeesaman)
+* rule: adds user.loginuid to the default Falco rules that also contain user.name [[#1369](https://github.com/falcosecurity/falco/pull/1369)] - [@csschwe](https://github.com/csschwe)

 ## v0.25.0

--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -83,7 +83,7 @@ include(GetFalcoVersion)
 set(PACKAGE_NAME "falco")
 set(PROBE_NAME "falco")
 set(PROBE_DEVICE_NAME "falco")
-set(DRIVERS_REPO "https://dl.bintray.com/falcosecurity/driver")
+set(DRIVERS_REPO "https://download.falco.org/driver")
 if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
  set(CMAKE_INSTALL_PREFIX
      /usr
@@ -115,20 +115,8 @@ set(CURSES_NEED_NCURSES TRUE)
 find_package(Curses REQUIRED)
 message(STATUS "Found ncurses: include: ${CURSES_INCLUDE_DIR}, lib: ${CURSES_LIBRARIES}")

-# libb64
-
-set(B64_SRC "${PROJECT_BINARY_DIR}/b64-prefix/src/b64")
-message(STATUS "Using bundled b64 in '${B64_SRC}'")
-set(B64_INCLUDE "${B64_SRC}/include")
-set(B64_LIB "${B64_SRC}/src/libb64.a")
-ExternalProject_Add(
-  b64
-  URL "https://github.com/libb64/libb64/archive/v1.2.1.zip"
-  URL_HASH "SHA256=665134c2b600098a7ebd3d00b6a866cb34909a6d48e0e37a0eda226a4ad2638a"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ${CMD_MAKE}
-  BUILD_IN_SOURCE 1
-  INSTALL_COMMAND "")
+# b64
+include(b64)

 # yaml-cpp
 include(yaml-cpp)
@@ -142,52 +130,16 @@ if(NOT MINIMAL_BUILD)
 endif()

 # LuaJIT
-set(LUAJIT_SRC "${PROJECT_BINARY_DIR}/luajit-prefix/src/luajit/src")
-message(STATUS "Using bundled LuaJIT in '${LUAJIT_SRC}'")
-set(LUAJIT_INCLUDE "${LUAJIT_SRC}")
-set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
-ExternalProject_Add(
-  luajit
-  URL "https://github.com/LuaJIT/LuaJIT/archive/v2.0.3.tar.gz"
-  URL_HASH "SHA256=8da3d984495a11ba1bce9a833ba60e18b532ca0641e7d90d97fafe85ff014baa"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ${CMD_MAKE}
-  BUILD_IN_SOURCE 1
-  INSTALL_COMMAND "")
+include(luajit)

 # Lpeg
-set(LPEG_SRC "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg")
-set(LPEG_LIB "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg/build/lpeg.a")
-message(STATUS "Using bundled lpeg in '${LPEG_SRC}'")
-set(LPEG_DEPENDENCIES "")
-list(APPEND LPEG_DEPENDENCIES "luajit")
-ExternalProject_Add(
-  lpeg
-  DEPENDS ${LPEG_DEPENDENCIES}
-  URL "http://www.inf.puc-rio.br/~roberto/lpeg/lpeg-1.0.2.tar.gz"
-  URL_HASH "SHA256=48d66576051b6c78388faad09b70493093264588fcd0f258ddaab1cdd4a15ffe"
-  BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
-  BUILD_IN_SOURCE 1
-  CONFIGURE_COMMAND ""
-  INSTALL_COMMAND "")
+include(lpeg)

 # libyaml
 include(libyaml)

 # lyaml
-set(LYAML_SRC "${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/ext/yaml")
-set(LYAML_LIB "${LYAML_SRC}/.libs/yaml.a")
-message(STATUS "Using bundled lyaml in '${LYAML_SRC}'")
-ExternalProject_Add(
-  lyaml
-  DEPENDS luajit libyaml
-  URL "https://github.com/gvvaughan/lyaml/archive/release-v6.0.tar.gz"
-  URL_HASH "SHA256=9d7cf74d776999ff6f758c569d5202ff5da1f303c6f4229d3b41f71cd3a3e7a7"
-  BUILD_COMMAND ${CMD_MAKE}
-  BUILD_IN_SOURCE 1
-  CONFIGURE_COMMAND ./configure --enable-static CFLAGS=-I${LIBYAML_INSTALL_DIR}/include CPPFLAGS=-I${LIBYAML_INSTALL_DIR}/include LDFLAGS=-L${LIBYAML_INSTALL_DIR}/lib LIBS=-lyaml LUA=${LUAJIT_SRC}/luajit LUA_INCLUDE=-I${LUAJIT_INCLUDE}
-  INSTALL_COMMAND sh -c
-                  "cp -R ${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/lib/* ${PROJECT_SOURCE_DIR}/userspace/engine/lua")
+include(lyaml)

 # One TBB
 set(TBB_SRC "${PROJECT_BINARY_DIR}/tbb-prefix/src/tbb")
@@ -220,6 +172,7 @@ if(NOT MINIMAL_BUILD)
    COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/include
    BUILD_IN_SOURCE 1
    BUILD_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" WITH_CPP=1
+    BUILD_BYPRODUCTS ${CIVETWEB_LIB}
    INSTALL_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" install-lib install-headers PREFIX=${CIVETWEB_SRC}/install "WITH_CPP=1")
 endif()

@@ -254,6 +207,9 @@ add_subdirectory(docker)
 # Clang format
 # add_custom_target(format COMMAND clang-format --style=file -i $<TARGET_PROPERTY:falco,SOURCES> COMMENT "Formatting ..." VERBATIM)

+# Static analysis
+include(static-analysis)
+
 # Shared build variables
 set(FALCO_SINSP_LIBRARY sinsp)
 set(FALCO_SHARE_DIR share/falco)
--- a/README.md
+++ b/README.md
@@ -5,7 +5,9 @@

 [![Build Status](https://img.shields.io/circleci/build/github/falcosecurity/falco/master?style=for-the-badge)](https://circleci.com/gh/falcosecurity/falco) [![CII Best Practices Summary](https://img.shields.io/cii/summary/2317?label=CCI%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) [![GitHub](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING)

-#### Latest releases
+Want to talk? Join us on the [#falco](https://kubernetes.slack.com/archives/CMWH3EH32) channel in the [Kubernetes Slack](https://slack.k8s.io).
+
+### Latest releases

 Read the [change log](CHANGELOG.md).

@@ -39,7 +41,7 @@ If you would like to run Falco in **production** please adhere to the [official

 Falco is designed to be extensible such that it can be built into cloud-native applications and infrastructure.

-Falco has a [gRPC](https://falco.org/docs/grpc/) endpoint and an API defined in [protobuf](https://github.com/falcosecurity/falco/blob/update-readme/userspace/falco/outputs.proto).
+Falco has a [gRPC](https://falco.org/docs/grpc/) endpoint and an API defined in [protobuf](https://github.com/falcosecurity/falco/blob/master/userspace/falco/outputs.proto).
 The Falco Project supports various SDKs for this endpoint.

 ##### SDKs
@@ -63,6 +65,7 @@ For example, Falco can easily detect incidents including but not limited to:
 - Unexpected read of a sensitive file, such as `/etc/shadow`.
 - A non-device file is written to `/dev`.
 - A standard system binary, such as `ls`, is making an outbound network connection.
+- A privileged pod is started in a Kubernetes cluster.

 ### Documentation

@@ -72,6 +75,13 @@ The [Official Documentation](https://falco.org/docs/) is the best resource to le

 To get involved with The Falco Project please visit [the community repository](https://github.com/falcosecurity/community) to find more.

+How to reach out?
+
+ - Join the #falco channel on the [Kubernetes Slack](https://slack.k8s.io)
+ - [Join the Falco mailing list](https://lists.cncf.io/g/cncf-falco-dev)
+ - [Read the Falco documentation](https://falco.org/docs/)
+
+
 ### Contributing

 See the [CONTRIBUTING.md](https://github.com/falcosecurity/.github/blob/master/CONTRIBUTING.md).
@@ -94,4 +104,4 @@ Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
 [3]: https://dl.bintray.com/falcosecurity/deb-dev/stable
 [4]: https://dl.bintray.com/falcosecurity/deb/stable
 [5]: https://dl.bintray.com/falcosecurity/bin-dev/x86_64
-[6]: https://dl.bintray.com/falcosecurity/bin/x86_64
+[6]: https://dl.bintray.com/falcosecurity/bin/x86_64
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -4,7 +4,7 @@ Our release process is mostly automated, but we still need some manual steps to

 Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released.

-Releases happen on a monthly cadence, towards the 16th of the on-going month, and we need to assign owners for each (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community). Note that hotfix releases can happen as soon as it is needed.
+A release happens every two months ([as per community discussion](https://github.com/falcosecurity/community/blob/master/meeting-notes/2020-09-30.md#agenda)), and we need to assign owners for each (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community). Note that hotfix releases can happen as soon as it is needed.

 Finally, on the proposed due date the assignees for the upcoming release proceed with the processes described below.

@@ -61,21 +61,45 @@ Now assume `x.y.z` is the new version.
 - Use `x.y.z` both as tag version and release title
 - Use the following template to fill the release description:
    ```
+    <!-- Substitute x.y.z with the current release version -->
+
+    | Packages | Download                                                                                                                                               |
+    | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
+    | rpm      | [![rpm](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/rpm/falco-x.y.z-x86_64.rpm)        |
+    | deb      | [![deb](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/deb/stable/falco-x.y.z-x86_64.deb) |
+    | tgz      | [![tgz](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/bin/x86_64/falco-x.y.z-x86_64.deb) |
+
+    | Images                                                          |
+    | --------------------------------------------------------------- |
+    | `docker pull docker.io/falcosecurity/falco:_tag_`               |
+    | `docker pull docker.io/falcosecurity/falco-driver-loader:_tag_` |
+    | `docker pull docker.io/falcosecurity/falco-no-driver:_tag_`     |
+
    <!-- Copy the relevant part of the changelog here -->

    ### Statistics

-    | Merged PRs        | Number  |
-    |-------------------|---------|
-    | Not user-facing   | x       |
-    | Release note      | x       |
-    | Total             | x       |
+    | Merged PRs      | Number |
+    | --------------- | ------ |
+    | Not user-facing | x      |
+    | Release note    | x      |
+    | Total           | x      |

    <!-- Calculate stats and fill the above table -->
    ```

 - Finally, publish the release!

+### 3. Update the meeting notes
+
+For each release we archive the meeting notes in git for historical purposes.
+
+ - The notes from the Falco meetings can be [found here](https://hackmd.io/6sEAlInlSaGnLz2FnFz21A).
+    - Note: There may be other notes from working groups that can optionally be added as well as needed.
+ - Add the entire content of the document to a new file in [github.com/falcosecurity/community/tree/master/meeting-notes](https://github.com/falcosecurity/community/tree/master/meeting-notes) as a new file labeled `release-x.y.z.md`
+ - Open up a pull request with the new change.
+
+
 ## Post-Release tasks

 Announce the new release to the world!
--- a/brand/README.md
+++ b/brand/README.md
@@ -11,9 +11,23 @@ Content in this document can be used to publically share about Falco.

 ### Logo

-There are 3 logos available for use in this directory. Use the primary logo unless required otherwise due to background issues, or printing.
+You can find the Falco logo in PNG and SVG in different colors in
+the [CNCF's artwork repository](https://github.com/cncf/artwork/blob/master/examples/incubating.md#falco-logos).

-The Falco logo is Apache 2 licensed and free to use in media and publication for the CNCF Falco project.
+### Colors
+
+| Name      | PMS  | RGB         |
+|-----------|------|-------------|
+| Teal      | 3125 |   0 174 199 |
+| Cool Gray |   11 |  83  86  90 |
+| Black     |      |   0   0   0 |
+| Blue-Gray | 7700 |  22 92 125  |
+| Gold      | 1375 | 255 158  27 |
+| Orange    |  171 | 255  92  57 |
+| Emerald   | 3278 |   0 155 119 |
+| Green     |  360 | 108 194  74 |
+
+The primary colors are those in the first two rows.

 ### Slogan

--- a/brand/primary-logo.png
+++ b/brand/primary-logo.png
--- a/brand/teal-logo.svg
+++ b/brand/teal-logo.svg
@@ -1 +0,0 @@
-<svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 708.41 374.92"><defs><style>.cls-1{fill:#00b4c8;}</style></defs><title>Falco horizontal logo_teal2</title><g id="fqqZXT"><path class="cls-1" d="M204.69,154.4Q151.5,208,98,261.25a48.42,48.42,0,0,1-5.27,4.87c-2.55,1.89-5.34,2-7.65-.45s-1.51-5,.41-7.06c4.6-4.94,9.35-9.74,14.13-14.5q52.56-52.31,105.14-104.59c3.35-3.34,18.05,7.52,21.58,11.1"/><path class="cls-1" d="M215.06,171.36c-.15,2.14-1.54,3.55-2.93,4.94l-87.82,87.79c-2.75,2.74-6,5.42-9.46,1.68-3.15-3.39-.5-6.44,2.06-9q43.44-43.44,86.89-86.87c2.21-2.22,4.58-4.23,8-3A4.61,4.61,0,0,1,215.06,171.36Z"/><path class="cls-1" d="M70.93,71c2.42-.09,4.09,1.31,5.64,2.87q41.82,41.79,83.61,83.59c2.6,2.61,5,5.74,1.69,9s-6.41,1-9-1.66Q111,123,69.25,81.2c-2.09-2.1-3.72-4.39-2.45-7.53A4.34,4.34,0,0,1,70.93,71Z"/><path class="cls-1" d="M203.42,268c-5,1-8.9-1.34-12.45-5-6.35-6.61-12.87-13-19.41-19.46-3.85-3.8-4-7.41-.14-11.28,11.14-11.07,22.21-22.21,33.35-33.29,2.45-2.44,5.43-4.49,8.55-1.55,3.48,3.29,1.19,6.41-1.39,9-8.74,8.84-17.44,17.73-26.4,26.35-3.4,3.27-3.93,5.72-.19,9.06,4.22,3.78,8.13,7.91,12,12,2.54,2.68,5.35,4.25,9.18,4.11s8.28-.12,8.16,5.09c-.12,5-4.74,4.8-8.4,5.14A21,21,0,0,1,203.42,268Z"/><path class="cls-1" d="M148.7,178.36c-.75,3.49-2.68,5.6-6.43,4.36a13,13,0,0,1-4.74-3.31q-30.11-30-60.1-60a23.14,23.14,0,0,1-2.56-3c-1.72-2.42-1.88-5,.3-7.11s4.84-1.76,7,.26c3.65,3.42,7.17,7,10.71,10.53q25.65,25.64,51.28,51.3C146.12,173.37,148.49,175.13,148.7,178.36Z"/><path class="cls-1" d="M133.74,192.93a4.9,4.9,0,0,1-2.53,4.29,5.37,5.37,0,0,1-6.63-.95c-3.35-3.1-6.57-6.34-9.8-9.57q-14.34-14.3-28.61-28.63a34.27,34.27,0,0,1-4.17-5,4.57,4.57,0,0,1,.36-6,5,5,0,0,1,6-1.12,11.65,11.65,0,0,1,3.7,2.58q19.44,19.33,38.79,38.76C132.4,188.85,133.77,190.54,133.74,192.93Z"/></g><path class="cls-1" d="M413.15,190.86a25.57,25.57,0,0,0-10.35-6.63,46.78,46.78,0,0,0-16-2.37A83.35,83.35,0,0,0,372,183.12a75.16,75.16,0,0,0-10.58,2.53l2.37,15.48a53.47,53.47,0,0,1,9-2.21A72.44,72.44,0,0,1,385,198a22.61,22.61,0,0,1,8.13,1.26,13,13,0,0,1,5.22,3.56,13.23,13.23,0,0,1,2.76,5.29,24.6,24.6,0,0,1,.79,6.32v3.16a61.65,61.65,0,0,0-7.42-1.34,57.43,57.43,0,0,0-6.64-.4,61.45,61.45,0,0,0-13,1.35,32.26,32.26,0,0,0-11,4.42,22.7,22.7,0,0,0-7.51,8,24.09,24.09,0,0,0-2.76,12A28.39,28.39,0,0,0,356,254.05a21.6,21.6,0,0,0,6.79,8.22,28.56,28.56,0,0,0,10.51,4.58,60.24,60.24,0,0,0,13.58,1.42A137.25,137.25,0,0,0,407,266.93c5.94-.9,10.4-1.66,13.35-2.29V214.56a50.84,50.84,0,0,0-1.66-13.35A24.93,24.93,0,0,0,413.15,190.86Zm-11.3,61.3a71.4,71.4,0,0,1-13.43.94q-7.26,0-11.53-2.6t-4.26-9.4a10,10,0,0,1,1.57-5.77,10.67,10.67,0,0,1,4.19-3.55,20.18,20.18,0,0,1,5.85-1.74,43.43,43.43,0,0,1,6.39-.47,42.23,42.23,0,0,1,6.64.47,37,37,0,0,1,4.58,1Z"/><path class="cls-1" d="M461.38,248.44a9.27,9.27,0,0,1-2-4,26.17,26.17,0,0,1-.55-5.85V143.94l-19.12,3.16v95.1a40.74,40.74,0,0,0,1.35,11,17.57,17.57,0,0,0,4.66,8.06,21.71,21.71,0,0,0,8.92,5,52,52,0,0,0,14.14,1.89l2.69-15.8a29.78,29.78,0,0,1-6.24-1.34A8.76,8.76,0,0,1,461.38,248.44Z"/><path class="cls-1" d="M532.2,251.05a49.24,49.24,0,0,1-9.64.95q-13.11,0-18.64-7.19t-5.53-19.51q0-12.8,5.85-19.83t17.06-7a40.4,40.4,0,0,1,8.92.95,43.38,43.38,0,0,1,7.51,2.37l4.1-15.64a57.88,57.88,0,0,0-22.11-4.26,42.15,42.15,0,0,0-17.06,3.31,37.35,37.35,0,0,0-12.88,9.17,40.64,40.64,0,0,0-8.14,13.82,50.82,50.82,0,0,0-2.84,17.14,56.83,56.83,0,0,0,2.53,17.3A37.22,37.22,0,0,0,489,256.34a34.82,34.82,0,0,0,13,9,47.83,47.83,0,0,0,18.4,3.24,68.05,68.05,0,0,0,13.19-1.27,39.84,39.84,0,0,0,9.56-2.84l-2.69-15.8A45,45,0,0,1,532.2,251.05Z"/><path class="cls-1" d="M625.77,207.37a40.7,40.7,0,0,0-8.14-13.67,35.23,35.23,0,0,0-12.56-8.76,40.93,40.93,0,0,0-16-3.08,40.34,40.34,0,0,0-16,3.08,36.32,36.32,0,0,0-12.56,8.76,39.88,39.88,0,0,0-8.21,13.67,51.31,51.31,0,0,0-2.93,17.77A52,52,0,0,0,552.31,243a40.47,40.47,0,0,0,8.13,13.75,36.57,36.57,0,0,0,12.48,8.85A40.14,40.14,0,0,0,589,268.74a40.69,40.69,0,0,0,16.19-3.15,36.32,36.32,0,0,0,12.56-8.85A39.7,39.7,0,0,0,625.85,243a53.47,53.47,0,0,0,2.84-17.85A51.55,51.55,0,0,0,625.77,207.37Zm-22,37.52q-5.29,7.28-14.77,7.27t-14.77-7.27q-5.29-7.26-5.3-19.75,0-12.31,5.3-19.51T589,198.44q9.48,0,14.77,7.19t5.29,19.51Q609.1,237.62,603.81,244.89Z"/><path class="cls-1" d="M347.24,218h-47.8v50.57H279.65V150h75.89v15.88h-56.1v36.23h47.8Z"/></svg>
--- a/brand/white-logo.png
+++ b/brand/white-logo.png
--- a/cmake/modules/CPackConfig.cmake
+++ b/cmake/modules/CPackConfig.cmake
@@ -30,9 +30,15 @@ if(NOT CPACK_GENERATOR)
 endif()

 message(STATUS "Using package generators: ${CPACK_GENERATOR}")
-
+message(STATUS "Package architecture: ${CMAKE_SYSTEM_PROCESSOR}")
 set(CPACK_DEBIAN_PACKAGE_SECTION "utils")
-set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")
+
+if(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+  set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")
+endif()
+if(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "aarch64")
+  set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "arm64")
+endif()
 set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "https://www.falco.org")
 set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0)")
 set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
--- a/cmake/modules/b64.cmake
+++ b/cmake/modules/b64.cmake
@@ -0,0 +1,27 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(B64_SRC "${PROJECT_BINARY_DIR}/b64-prefix/src/b64")
+message(STATUS "Using bundled b64 in '${B64_SRC}'")
+set(B64_INCLUDE "${B64_SRC}/include")
+set(B64_LIB "${B64_SRC}/src/libb64.a")
+externalproject_add(
+  b64
+  URL "https://github.com/libb64/libb64/archive/ce864b17ea0e24a91e77c7dd3eb2d1ac4175b3f0.tar.gz"
+  URL_HASH "SHA256=d07173e66f435e5c77dbf81bd9313f8d0e4a3b4edd4105a62f4f8132ba932811"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ${CMD_MAKE}
+  BUILD_IN_SOURCE 1
+  BUILD_BYPRODUCTS ${B64_LIB}
+  INSTALL_COMMAND ""
+)
--- a/cmake/modules/gRPC.cmake
+++ b/cmake/modules/gRPC.cmake
@@ -115,7 +115,7 @@ else()
    grpc
    DEPENDS openssl
    GIT_REPOSITORY https://github.com/grpc/grpc.git
-    GIT_TAG v1.31.1
+    GIT_TAG v1.32.0
    GIT_SUBMODULES "third_party/protobuf third_party/zlib third_party/cares/cares third_party/abseil-cpp third_party/re2"
    BUILD_IN_SOURCE 1
    BUILD_BYPRODUCTS ${GRPC_LIB} ${GRPCPP_LIB}
--- a/cmake/modules/libyaml.cmake
+++ b/cmake/modules/libyaml.cmake
@@ -15,12 +15,13 @@ set(LIBYAML_SRC "${PROJECT_BINARY_DIR}/libyaml-prefix/src/libyaml")
 set(LIBYAML_INSTALL_DIR "${LIBYAML_SRC}/target")
 message(STATUS "Using bundled libyaml in '${LIBYAML_SRC}'")
 set(LIBYAML_LIB "${LIBYAML_SRC}/src/.libs/libyaml.a")
-ExternalProject_Add(
-libyaml
-URL "https://github.com/yaml/libyaml/releases/download/0.2.5/yaml-0.2.5.tar.gz"
-URL_HASH "SHA256=c642ae9b75fee120b2d96c712538bd2cf283228d2337df2cf2988e3c02678ef4"
-CONFIGURE_COMMAND ./configure --prefix=${LIBYAML_INSTALL_DIR} CFLAGS=-fPIC CPPFLAGS=-fPIC --enable-static=true --enable-shared=false
-BUILD_COMMAND ${CMD_MAKE} 
-BUILD_IN_SOURCE 1
-INSTALL_COMMAND ${CMD_MAKE} install)
-
+externalproject_add(
+  libyaml
+  URL "https://github.com/yaml/libyaml/releases/download/0.2.5/yaml-0.2.5.tar.gz"
+  URL_HASH "SHA256=c642ae9b75fee120b2d96c712538bd2cf283228d2337df2cf2988e3c02678ef4"
+  CONFIGURE_COMMAND ./configure --prefix=${LIBYAML_INSTALL_DIR} CFLAGS=-fPIC CPPFLAGS=-fPIC --enable-static=true --enable-shared=false
+  BUILD_COMMAND ${CMD_MAKE}
+  BUILD_IN_SOURCE 1
+  BUILD_BYPRODUCTS ${LIBYAML_LIB}
+  INSTALL_COMMAND ${CMD_MAKE} install
+)
--- a/cmake/modules/lpeg.cmake
+++ b/cmake/modules/lpeg.cmake
@@ -0,0 +1,28 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(LPEG_SRC "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg")
+set(LPEG_LIB "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg/build/lpeg.a")
+message(STATUS "Using bundled lpeg in '${LPEG_SRC}'")
+set(LPEG_DEPENDENCIES "")
+list(APPEND LPEG_DEPENDENCIES "luajit")
+ExternalProject_Add(
+  lpeg
+  DEPENDS ${LPEG_DEPENDENCIES}
+  URL "http://www.inf.puc-rio.br/~roberto/lpeg/lpeg-1.0.2.tar.gz"
+  URL_HASH "SHA256=48d66576051b6c78388faad09b70493093264588fcd0f258ddaab1cdd4a15ffe"
+  BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
+  BUILD_IN_SOURCE 1
+  BUILD_BYPRODUCTS ${LPEG_LIB}
+  CONFIGURE_COMMAND ""
+  INSTALL_COMMAND "")
--- a/cmake/modules/luajit.cmake
+++ b/cmake/modules/luajit.cmake
@@ -0,0 +1,27 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(LUAJIT_SRC "${PROJECT_BINARY_DIR}/luajit-prefix/src/luajit/src")
+message(STATUS "Using bundled LuaJIT in '${LUAJIT_SRC}'")
+set(LUAJIT_INCLUDE "${LUAJIT_SRC}")
+set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
+externalproject_add(
+  luajit
+  GIT_REPOSITORY "https://github.com/LuaJIT/LuaJIT"
+  GIT_TAG "1d8b747c161db457e032a023ebbff511f5de5ec2"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ${CMD_MAKE}
+  BUILD_IN_SOURCE 1
+  BUILD_BYPRODUCTS ${LUAJIT_LIB}
+  INSTALL_COMMAND ""
+)
--- a/cmake/modules/lyaml.cmake
+++ b/cmake/modules/lyaml.cmake
@@ -0,0 +1,28 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(LYAML_SRC "${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/ext/yaml")
+set(LYAML_LIB "${LYAML_SRC}/.libs/yaml.a")
+message(STATUS "Using bundled lyaml in '${LYAML_SRC}'")
+externalproject_add(
+  lyaml
+  DEPENDS luajit libyaml
+  URL "https://github.com/gvvaughan/lyaml/archive/release-v6.0.tar.gz"
+  URL_HASH "SHA256=9d7cf74d776999ff6f758c569d5202ff5da1f303c6f4229d3b41f71cd3a3e7a7"
+  BUILD_COMMAND ${CMD_MAKE}
+  BUILD_IN_SOURCE 1
+  BUILD_BYPRODUCTS ${LYAML_LIB}
+  CONFIGURE_COMMAND ./configure --enable-static CFLAGS=-I${LIBYAML_INSTALL_DIR}/include CPPFLAGS=-I${LIBYAML_INSTALL_DIR}/include LDFLAGS=-L${LIBYAML_INSTALL_DIR}/lib LIBS=-lyaml LUA=${LUAJIT_SRC}/luajit LUA_INCLUDE=-I${LUAJIT_INCLUDE}
+  INSTALL_COMMAND sh -c
+  "cp -R ${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/lib/* ${PROJECT_SOURCE_DIR}/userspace/engine/lua"
+)
--- a/cmake/modules/static-analysis.cmake
+++ b/cmake/modules/static-analysis.cmake
@@ -0,0 +1,42 @@
+# create the reports folder
+file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports)
+file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck)
+
+# cppcheck
+find_program(CPPCHECK cppcheck)
+find_program(CPPCHECK_HTMLREPORT cppcheck-htmlreport)
+
+if(NOT CPPCHECK)
+  message(STATUS "cppcheck command not found, static code analysis using cppcheck will not be available.")
+else()
+  message(STATUS "cppcheck found at: ${CPPCHECK}")
+  # we are aware that cppcheck can be run
+  # along with the software compilation in a single step
+  # using the CMAKE_CXX_CPPCHECK variables.
+  # However, for practical needs we want to keep the
+  # two things separated and have a specific target for it.
+  # Our cppcheck target reads the compilation database produced by CMake
+  set(CMAKE_EXPORT_COMPILE_COMMANDS On)
+  add_custom_target(
+      cppcheck
+      COMMAND ${CPPCHECK}
+      "--enable=all"
+      "--force"
+      "--inconclusive"
+      "--inline-suppr" # allows to specify suppressions directly in source code
+      "--project=${CMAKE_CURRENT_BINARY_DIR}/compile_commands.json" # use the compilation database as source
+      "--quiet"
+      "--xml" # we want to generate a report
+      "--output-file=${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck/cppcheck.xml" # generate the report under the reports folder in the build folder
+      "-i${CMAKE_CURRENT_BINARY_DIR}"# exclude the build folder
+  )
+endif() # CPPCHECK
+
+if(NOT CPPCHECK_HTMLREPORT)
+  message(STATUS "cppcheck-htmlreport command not found, will not be able to produce html reports for cppcheck results")
+else()
+  message(STATUS "cppcheck-htmlreport found at: ${CPPCHECK_HTMLREPORT}")
+  add_custom_target(
+    cppcheck_htmlreport
+    COMMAND ${CPPCHECK_HTMLREPORT} --title=${CMAKE_PROJECT_NAME} --report-dir=${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck --file=static-analysis-reports/cppcheck/cppcheck.xml)
+endif() # CPPCHECK_HTMLREPORT
--- a/cmake/modules/sysdig-repo/CMakeLists.txt
+++ b/cmake/modules/sysdig-repo/CMakeLists.txt
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -25,4 +25,4 @@ ExternalProject_Add(
  BUILD_COMMAND ""
  INSTALL_COMMAND ""
  TEST_COMMAND ""
-  PATCH_COMMAND patch -p1 -i ${CMAKE_CURRENT_SOURCE_DIR}/patch/libscap.patch)
+  PATCH_COMMAND patch -p1 -i ${CMAKE_CURRENT_SOURCE_DIR}/patch/libscap.patch && patch -p1 -i ${CMAKE_CURRENT_SOURCE_DIR}/patch/luajit.patch)
--- a/cmake/modules/sysdig-repo/patch/libscap.patch
+++ b/cmake/modules/sysdig-repo/patch/libscap.patch
@@ -1,8 +1,8 @@
 diff --git a/userspace/libscap/scap.c b/userspace/libscap/scap.c
-index e9faea51..a1b3b501 100644
+index 6f51588e..5f9ea84e 100644
 --- a/userspace/libscap/scap.c
 +++ b/userspace/libscap/scap.c
-@@ -52,7 +52,7 @@ limitations under the License.
+@@ -55,7 +55,7 @@ limitations under the License.
 //#define NDEBUG
 #include <assert.h>
 
@@ -11,7 +11,16 @@ index e9faea51..a1b3b501 100644
 
 //
 // Probe version string size
-@@ -171,7 +171,7 @@ scap_t* scap_open_live_int(char *error, int32_t *rc,
+@@ -114,7 +114,7 @@ scap_t* scap_open_udig_int(char *error, int32_t *rc,
+ static uint32_t get_max_consumers()
+ {
+ 	uint32_t max;
+-	FILE *pfile = fopen("/sys/module/" PROBE_DEVICE_NAME "_probe/parameters/max_consumers", "r");
+	FILE *pfile = fopen("/sys/module/" PROBE_DEVICE_NAME "/parameters/max_consumers", "r");
+ 	if(pfile != NULL)
+ 	{
+ 		int w = fscanf(pfile, "%"PRIu32, &max);
+@@ -186,7 +186,7 @@ scap_t* scap_open_live_int(char *error, int32_t *rc,
 				return NULL;
 			}
 
@@ -20,7 +29,27 @@ index e9faea51..a1b3b501 100644
 			bpf_probe = buf;
 		}
 	}
-@@ -1808,7 +1808,7 @@ int32_t scap_disable_dynamic_snaplen(scap_t* handle)
+@@ -344,7 +344,7 @@ scap_t* scap_open_live_int(char *error, int32_t *rc,
+ 				else if(errno == EBUSY)
+ 				{
+ 					uint32_t curr_max_consumers = get_max_consumers();
+-					snprintf(error, SCAP_LASTERR_SIZE, "Too many sysdig instances attached to device %s. Current value for /sys/module/" PROBE_DEVICE_NAME "_probe/parameters/max_consumers is '%"PRIu32"'.", filename, curr_max_consumers);
+					snprintf(error, SCAP_LASTERR_SIZE, "Too many Falco instances attached to device %s. Current value for /sys/module/" PROBE_DEVICE_NAME "/parameters/max_consumers is '%"PRIu32"'.", filename, curr_max_consumers);
+ 				}
+ 				else
+ 				{
+@@ -579,8 +579,8 @@ scap_t* scap_open_udig_int(char *error, int32_t *rc,
+ 	//
+ 	// Map the ppm_ring_buffer_info that contains the buffer pointers
+ 	//
+-	if(udig_alloc_ring_descriptors(&(handle->m_devs[0].m_bufinfo_fd), 
+-		&handle->m_devs[0].m_bufinfo, 
+	if(udig_alloc_ring_descriptors(&(handle->m_devs[0].m_bufinfo_fd),
+		&handle->m_devs[0].m_bufinfo,
+ 		&handle->m_devs[0].m_bufstatus,
+ 		error) != SCAP_SUCCESS)
+ 	{
+@@ -2175,7 +2175,7 @@ int32_t scap_disable_dynamic_snaplen(scap_t* handle)
 
 const char* scap_get_host_root()
 {
--- a/cmake/modules/sysdig-repo/patch/luajit.patch
+++ b/cmake/modules/sysdig-repo/patch/luajit.patch
@@ -0,0 +1,57 @@
+diff --git a/userspace/libsinsp/chisel.cpp b/userspace/libsinsp/chisel.cpp
+index 0a6e3cf8..0c2e255a 100644
+--- a/userspace/libsinsp/chisel.cpp
+++ b/userspace/libsinsp/chisel.cpp
+@@ -98,7 +98,7 @@ void lua_stackdump(lua_State *L)
+ // Lua callbacks
+ ///////////////////////////////////////////////////////////////////////////////
+ #ifdef HAS_LUA_CHISELS
+-const static struct luaL_reg ll_sysdig [] =
+const static struct luaL_Reg ll_sysdig [] =
+ {
+ 	{"set_filter", &lua_cbacks::set_global_filter},
+ 	{"set_snaplen", &lua_cbacks::set_snaplen},
+@@ -134,7 +134,7 @@ const static struct luaL_reg ll_sysdig [] =
+ 	{NULL,NULL}
+ };
+ 
+-const static struct luaL_reg ll_chisel [] =
+const static struct luaL_Reg ll_chisel [] =
+ {
+ 	{"request_field", &lua_cbacks::request_field},
+ 	{"set_filter", &lua_cbacks::set_filter},
+@@ -146,7 +146,7 @@ const static struct luaL_reg ll_chisel [] =
+ 	{NULL,NULL}
+ };
+ 
+-const static struct luaL_reg ll_evt [] =
+const static struct luaL_Reg ll_evt [] =
+ {
+ 	{"field", &lua_cbacks::field},
+ 	{"get_num", &lua_cbacks::get_num},
+diff --git a/userspace/libsinsp/lua_parser.cpp b/userspace/libsinsp/lua_parser.cpp
+index 0e26617d..78810d96 100644
+--- a/userspace/libsinsp/lua_parser.cpp
+++ b/userspace/libsinsp/lua_parser.cpp
+@@ -32,7 +32,7 @@ extern "C" {
+ #include "lauxlib.h"
+ }
+ 
+-const static struct luaL_reg ll_filter [] =
+const static struct luaL_Reg ll_filter [] =
+ {
+ 	{"rel_expr", &lua_parser_cbacks::rel_expr},
+ 	{"bool_op", &lua_parser_cbacks::bool_op},
+diff --git a/userspace/libsinsp/lua_parser_api.cpp b/userspace/libsinsp/lua_parser_api.cpp
+index c89e9126..c3d8008a 100644
+--- a/userspace/libsinsp/lua_parser_api.cpp
+++ b/userspace/libsinsp/lua_parser_api.cpp
+@@ -266,7 +266,7 @@ int lua_parser_cbacks::rel_expr(lua_State *ls)
+ 					string err = "Got non-table as in-expression operand\n";
+ 					throw sinsp_exception("parser API error");
+ 				}
+-				int n = luaL_getn(ls, 4);  /* get size of table */
+				int n = lua_objlen (ls, 4);  /* get size of table */
+ 				for (i=1; i<=n; i++)
+ 				{
+ 					lua_rawgeti(ls, 4, i);
--- a/cmake/modules/sysdig.cmake
+++ b/cmake/modules/sysdig.cmake
@@ -29,8 +29,8 @@ file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
 # default below In case you want to test against another sysdig version just pass the variable - ie., `cmake
 # -DSYSDIG_VERSION=dev ..`
 if(NOT SYSDIG_VERSION)
-  set(SYSDIG_VERSION "2aa88dcf6243982697811df4c1b484bcbe9488a2")
-  set(SYSDIG_CHECKSUM "SHA256=a737077543a6f3473ab306b424bcf7385d788149829ed1538252661b0f20d0f6")
+  set(SYSDIG_VERSION "5c0b863ddade7a45568c0ac97d037422c9efb750")
+  set(SYSDIG_CHECKSUM "SHA256=9de717b3a4b611ea6df56afee05171860167112f74bb7717b394bcc88ac843cd")
 endif()
 set(PROBE_VERSION "${SYSDIG_VERSION}")

@@ -57,6 +57,7 @@ add_subdirectory("${SYSDIG_SOURCE_DIR}/driver" "${PROJECT_BINARY_DIR}/driver")
 # Add libscap directory
 add_definitions(-D_GNU_SOURCE)
 add_definitions(-DHAS_CAPTURE)
+add_definitions(-DNOCURSESUI)
 if(MUSL_OPTIMIZED_BUILD)
  add_definitions(-DMUSL_OPTIMIZED)
 endif()
--- a/docker/driver-loader/Dockerfile
+++ b/docker/driver-loader/Dockerfile
@@ -3,7 +3,7 @@ FROM falcosecurity/falco:${FALCO_IMAGE_TAG}

 LABEL maintainer="cncf-falco-dev@lists.cncf.io"

-LABEL usage="docker run -i -t -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --name NAME IMAGE"

 ENV HOST_ROOT /host
 ENV HOME /root
--- a/docker/falco/Dockerfile
+++ b/docker/falco/Dockerfile
@@ -2,7 +2,7 @@ FROM debian:stable

 LABEL maintainer="cncf-falco-dev@lists.cncf.io"

-LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc --name NAME IMAGE"

 ARG FALCO_VERSION=latest
 ARG VERSION_BUCKET=deb
--- a/docker/no-driver/Dockerfile
+++ b/docker/no-driver/Dockerfile
@@ -1,7 +1,5 @@
 FROM ubuntu:18.04 as ubuntu

-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-
 ARG FALCO_VERSION
 ARG VERSION_BUCKET=bin

@@ -22,6 +20,14 @@ RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/

 FROM scratch

+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+
+LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
+# NOTE: for the "least privileged" use case, please refer to the official documentation
+
+ENV HOST_ROOT /host
+ENV HOME /root
+
 COPY --from=ubuntu /falco /

 CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]
--- a/docker/tester/root/usr/bin/entrypoint
+++ b/docker/tester/root/usr/bin/entrypoint
@@ -1,7 +1,5 @@
 #!/usr/bin/env bash

-set -u -o pipefail
-
 BUILD_DIR=${BUILD_DIR:-/build}
 SOURCE_DIR=${SOURCE_DIR:-/source}
 SKIP_PACKAGES_TESTS=${SKIP_PACKAGES_TESTS:-false}
@@ -9,6 +7,9 @@ SKIP_PACKAGES_TESTS=${SKIP_PACKAGES_TESTS:-false}
 CMD=${1:-test}
 shift

+# Stop the execution if a command in the pipeline has an error, from now on
+set -e -u -o pipefail
+
 # build type can be "debug" or "release", fallbacks to "release" by default
 BUILD_TYPE=$(echo "$BUILD_TYPE" | tr "[:upper:]" "[:lower:]")
 case "$BUILD_TYPE" in
@@ -49,7 +50,8 @@ case "$CMD" in
 "test")
    if [ -z "$FALCO_VERSION" ]; then
        echo "Automatically figuring out Falco version."
-        FALCO_VERSION=$("$BUILD_DIR/$BUILD_TYPE/userspace/falco/falco" --version | head -n 1 | cut -d' ' -f3 | tr -d '\r')
+        FALCO_VERSION_FULL=$("$BUILD_DIR/$BUILD_TYPE/userspace/falco/falco" --version)
+        FALCO_VERSION=$(echo "$FALCO_VERSION_FULL" | head -n 1 | cut -d' ' -f3  | tr -d '\r')
        echo "Falco version: $FALCO_VERSION"
    fi
    if [ -z "$FALCO_VERSION" ]; then
--- a/falco.yaml
+++ b/falco.yaml
@@ -87,6 +87,23 @@ syscall_event_drops:
  rate: .03333
  max_burst: 10

+# Falco continuously monitors outputs performance. When an output channel does not allow
+# to deliver an alert within a given deadline, an error is reported indicating
+# which output is blocking notifications.
+# The timeout error will be reported to the log according to the above log_* settings.
+# Note that the notification will not be discarded from the output queue; thus,
+# output channels may indefinitely remain blocked.
+# An output timeout error indeed indicate a misconfiguration issue or I/O problems
+# that cannot be recovered by Falco and should be fixed by the user.
+#
+# The "output_timeout" value specifies the duration in milliseconds to wait before
+# considering the deadline exceed.
+#
+# With a 2000ms default, the notification consumer can block the Falco output
+# for up to 2 seconds without reaching the timeout.
+
+output_timeout: 2000
+
 # A throttling mechanism implemented as a token bucket limits the
 # rate of falco notifications. This throttling is controlled by the following configuration
 # options:
--- a/proposals/20201025-drivers-storage-s3.md
+++ b/proposals/20201025-drivers-storage-s3.md
@@ -0,0 +1,137 @@
+# Falco Drivers Storage S3
+
+Supersedes: [20200818-artifacts-storage.md#drivers](20200818-artifacts-storage.md#drivers)
+
+Supersedes: [20200901-artifacts-cleanup.md#drivers](20200901-artifacts-cleanup.md#drivers)
+
+## Introduction
+
+In the past days, as many people probably noticed, Bintray started rate-limiting our users, effectively preventing them from downloading any kernel module, rpm/deb package or any pre-built dependency we host there.
+
+This does not only interrupt the workflow of our users but also the workflow of the contributors, since without bintray most of our container images and CMake files can’t download the dependencies we mirror.
+
+### What is the cause?
+
+We had a spike in adoption apparently, either a user with many nodes or an increased number of users. We don’t know this detail specifically yet because bintray does not give us very fine-grained statistics on this.
+
+This is the 30-days history:
+
+![A spike on driver downloads the last ten days](20201025-drivers-storage-s3_downloads.png)
+
+As you can see, we can only see that they downloaded the latest kernel module driver version, however we can’t see if:
+
+* It’s a single source or many different users
+
+* What is the kernel/OS they are using
+
+### What do we host on Bintray?
+
+* RPM packages: high traffic but very manageable ~90k downloads a month
+
+* Deb packages:low traffic ~5k downloads a month
+
+* Pre-built image Dependencies: low traffic, will eventually disappear in the future
+
+* Kernel modules: very high traffic, 700k downloads in 10 days, this is what is causing the current problems. They are primarily used by users of our container images.
+
+* eBPF probes: low traffic ~5k downloads a month
+
+### Motivations to go to S3 instead of Bintray for the Drivers
+
+Bintray does an excellent service at building the rpm/deb structures for us, however we also use them for S3-like storage for the drivers. We have ten thousand files hosted there and the combinations are infinite.
+
+
+Before today, we had many issues with storage even without the spike in users we are seeing since the last ten days.
+
+## Context on AWS
+
+Amazon AWS, recently gave credits to the Falco project to operate some parts of the infrastructure on AWS. The CNCF is providing a sub-account we are already using for the migration of the other pieces (like Prow).
+
+## Interactions with other teams and the CNCF
+
+* The setup on the AWS account side already done, this is all technical work.
+
+* We need to open a CNCF service account ticket for the download.falco.org subdomain to point to the S3 bucket we want to use
+
+## The Plan
+
+We want to propose to move the drivers and the container dependencies to S3.
+
+#### Moving means:
+
+* We create a public S3 bucket with [stats enabled](https://docs.aws.amazon.com/AmazonS3/latest/dev/analytics-storage-class.html)
+
+* We attach the bucket to a cloudfront distribution behind the download.falco.org subdomain
+
+* We move the current content keeping the same web server directory structure
+
+* We change the Falco Dockerfiles and driver loader script accordingly
+
+* We update test-infra to push the drivers to S3
+
+* Once we have the drivers in S3, we can ask bintray to relax the limits for this month so that our users are able to download the other packages we keep there. Otherwise they will have to wait until November 1st. We only want to do that after the moving because otherwise we will hit the limits pretty quickly.
+
+#### The repositories we want to move are:
+
+* [https://bintray.com/falcosecurity/driver](https://bintray.com/falcosecurity/driver) will become https://download.falco.org/driver
+
+* [https://bintray.com/falcosecurity/dependencies](https://bintray.com/falcosecurity/dependencies) will become https://download.falco.org/dependencies
+
+#### Changes in Falco
+
+* [Search for bintray ](https://github.com/falcosecurity/falco/search?p=2&q=bintray)on the Falco repo and replace the URL for the CMake and Docker files.
+
+* It’s very important to change the DRIVERS_REPO environment variable [here](https://github.com/falcosecurity/falco/blob/0a33f555eb8e019806b46fea8b80a6302a935421/CMakeLists.txt#L86) - this is what updates the falco-driver-loader scripts that the users and container images use to fetch the module
+
+#### Changes in Test Infra
+
+* We need to use the S3 cli instead of jfrog cli to upload to the s3 bucket after building [here](https://github.com/falcosecurity/test-infra/blob/master/.circleci/config.yml)
+
+* We can probably remove jfrog from that repo since it only deals with drivers and drivers are being put on S3 now
+
+* Instructions on how to setup the S3 directory structure [here](https://falco.org/docs/installation/#install-driver)
+
+    * `/$driver_version$/falco_$target$_$kernelrelease$_$kernelversion$.[ko|o]`
+
+#### Changes to Falco website
+
+* Changes should not be necessary, we are not updating the way people install Falco but only the driver. The driver is managed by a script we can change.
+
+## Mitigation and next steps for the users
+
+* **The average users should be good to go now, Bintray raised our limits and we have some room to do this without requiring manual steps on your end**
+
+* **Users that can’t wait for us to have the S3 setup done: **can setup an S3 as driver repo themselves, push the drivers they need to it after compiling them (they can use [Driverkit](https://github.com/falcosecurity/driverkit) for that) Instructions on how to setup the S3 directory structure [here](https://falco.org/docs/installation/#install-driver).
+
+* **Users that can’t wait but don’t want to setup a webserver themselves**: the falco-driver-loader script can also compile the module for you. Make sure to install the kernel-headers on your nodes.
+
+* **Users that can wait** we will approve this document and act on the plan described here by providing the DRIVERS_REPO at  [https://download.falco.org/driver](https://download.falco.org/driver) that then you can use
+
+### How to use an alternative DRIVERS_REPO ?
+
+**On bash:**
+
+export DRIVERS_REPO=https://your-url-here
+
+**Docker**
+
+Pass it as environment variable using the docker run flag -e - for example:
+
+docker run -e DRIVERS_REPO=[https://your-url-here](https://your-url-here)
+
+**Kubernetes**
+
+spec:
+
+  containers:
+
+  - env:
+
+    - name: DRIVERS_REPO
+
+      value: https://your-url-here
+
+## Release
+
+Next release is on December 1st, we want to rollout a hotfix 0.26.2 release that only contains the updated script before that date so that users don’t get confused and we can just tell them "update Falco" to get the thing working again.
+
--- a/proposals/20201025-drivers-storage-s3_downloads.png
+++ b/proposals/20201025-drivers-storage-s3_downloads.png
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -522,7 +522,7 @@
 - macro: container_started
  condition: >
    ((evt.type = container or
-     (evt.type=execve and evt.dir=< and proc.vpid=1)) and
+     (spawned_process and proc.vpid=1)) and
     container.image.repository != incomplete)

 - macro: interactive
@@ -1213,6 +1213,9 @@
       fd.name startswith /etc/ssh/ssh_monitor_config_ or
       fd.name startswith /etc/ssh/ssh_config_))

+- macro: multipath_writing_conf
+  condition: (proc.name = multipath and fd.name startswith /etc/multipath/)
+
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to allow for specific combinations of
 # programs writing below specific directories below
@@ -1333,6 +1336,7 @@
    and not automount_using_mtab
    and not mcafee_writing_cma_d
    and not avinetworks_supervisor_writing_ssh
+    and not multipath_writing_conf

 - rule: Write below etc
  desc: an attempt to write to any file below /etc
@@ -1413,6 +1417,7 @@
  desc: an attempt to write to any file directly below / or /root
  condition: >
    root_dir and evt.dir = < and open_write
+    and proc_name_exists
    and not fd.name in (known_root_files)
    and not fd.directory pmatch (known_root_directories)
    and not exe_running_docker_save
@@ -1865,6 +1870,7 @@
 - list: falco_privileged_images
  items: [
    docker.io/calico/node,
+    calico/node,
    docker.io/cloudnativelabs/kube-router,
    docker.io/docker/ucp-agent,
    docker.io/falcosecurity/falco,
@@ -1917,6 +1923,7 @@
 - list: falco_sensitive_mount_images
  items: [
    docker.io/sysdig/falco, docker.io/sysdig/sysdig, sysdig/falco, sysdig/sysdig,
+    docker.io/falcosecurity/falco, falcosecurity/falco,
    gcr.io/google_containers/hyperkube,
    gcr.io/google_containers/kube-proxy, docker.io/calico/node,
    docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/consul,
@@ -2312,6 +2319,9 @@
 - macro: user_known_user_management_activities
  condition: (never_true)

+- macro: chage_list
+  condition: (proc.name=chage and (proc.cmdline contains "-l" or proc.cmdline contains "--list"))
+
 - rule: User mgmt binaries
  desc: >
    activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded.
@@ -2330,6 +2340,7 @@
    not run_by_yum and
    not run_by_ms_oms and
    not run_by_google_accounts_daemon and
+    not chage_list and
    not user_known_user_management_activities
  output: >
    User management binary command run outside of container
@@ -2615,11 +2626,9 @@
    WARNING
  tags: [process, mitre_persistence]

- rule: Delete or rename shell history
-  desc: Detect shell history deletion
+- macro: modify_shell_history
  condition: >
    (modify and (
-      not evt.arg.name startswith /var/lib/docker and (
      evt.arg.name contains "bash_history" or
      evt.arg.name contains "zsh_history" or
      evt.arg.name contains "fish_read_history" or
@@ -2631,13 +2640,25 @@
      evt.arg.path contains "bash_history" or
      evt.arg.path contains "zsh_history" or
      evt.arg.path contains "fish_read_history" or
-      evt.arg.path endswith "fish_history"))) or
+      evt.arg.path endswith "fish_history"))
+
+- macro: truncate_shell_history
+  condition: >
    (open_write and (
-      not fd.name startswith /var/lib/docker and (
      fd.name contains "bash_history" or
      fd.name contains "zsh_history" or
      fd.name contains "fish_read_history" or
-      fd.name endswith "fish_history")) and evt.arg.flags contains "O_TRUNC")
+      fd.name endswith "fish_history") and evt.arg.flags contains "O_TRUNC")
+
+- macro: var_lib_docker_filepath
+  condition: (evt.arg.name startswith /var/lib/docker or fd.name startswith /var/lib/docker)
+
+- rule: Delete or rename shell history
+  desc: Detect shell history deletion
+  condition: >
+    (modify_shell_history or truncate_shell_history) and
+       not var_lib_docker_filepath and
+       not proc.name in (docker_binaries)
  output: >
    Shell history had been deleted or renamed (user=%user.name user_loginuid=%user.loginuid type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
  priority:
@@ -2717,10 +2738,18 @@
 - macro: remote_file_copy_procs
  condition: (proc.name in (remote_file_copy_binaries))

+# Users should overwrite this macro to specify conditions under which a
+# Custom condition for use of remote file copy tool in container
+- macro: user_known_remote_file_copy_activities
+  condition: (never_true)
+
 - rule: Launch Remote File Copy Tools in Container
  desc: Detect remote file copy tools launched in container
  condition: >
-    spawned_process and container and remote_file_copy_procs
+    spawned_process
+    and container
+    and remote_file_copy_procs
+    and not user_known_remote_file_copy_activities
  output: >
    Remote file copy tool launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent_process=%proc.pname
    container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
@@ -2843,12 +2872,22 @@
 - list: k8s_client_binaries
  items: [docker, kubectl, crictl]

+- list: user_known_k8s_ns_kube_system_images
+  items: [
+      k8s.gcr.io/fluentd-gcp-scaler,
+      k8s.gcr.io/node-problem-detector/node-problem-detector
+  ]
+
+- list: user_known_k8s_images
+  items: [
+      mcr.microsoft.com/aks/hcp/hcp-tunnel-front
+  ]
+
 # Whitelist for known docker client binaries run inside container
 # - k8s.gcr.io/fluentd-gcp-scaler in GCP/GKE
 - macro: user_known_k8s_client_container
  condition: >
-    (k8s.ns.name="kube-system" and container.image.repository=k8s.gcr.io/fluentd-gcp-scaler) or
-    container.image.repository=mcr.microsoft.com/aks/hcp/hcp-tunnel-front
+    (k8s.ns.name="kube-system" and container.image.repository in (user_known_k8s_ns_kube_system_images)) or container.image.repository in (user_known_k8s_images)

 - macro: user_known_k8s_client_container_parens
  condition: (user_known_k8s_client_container)
@@ -3011,6 +3050,41 @@
  output: Drift detected (open+create), new executable created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type)
  priority: ERROR

+- list: c2_server_ip_list
+  items: []
+
+- rule: Outbound Connection to C2 Servers
+  desc: Detect outbound connection to command & control servers
+  condition: outbound and fd.sip in (c2_server_ip_list)
+  output: Outbound connection to C2 server (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
+  priority: WARNING
+  tags: [network]
+
+- list: white_listed_modules
+  items: []
+    
+- rule: Linux Kernel Module Injection Detected
+  desc: Detect kernel module was injected (from container).
+  condition: spawned_process and container and proc.name=insmod and not proc.args in (white_listed_modules)
+  output: Linux Kernel Module injection using insmod detected (user=%user.name user_loginuid=%user.loginuid parent_process=%proc.pname module=%proc.args)
+  priority: WARNING
+  tags: [process]
+
+- list: run_as_root_image_list
+  items: []
+
+- macro: user_known_run_as_root_container
+  condition: (container.image.repository in (run_as_root_image_list))
+
+# The rule is disabled by default and should be enabled when non-root container policy has been applied.
+# Note the rule will not work as expected when usernamespace is applied, e.g. userns-remap is enabled.
+- rule: Container Run as Root User
+  desc: Detected container running as root user
+  condition: spawned_process and container and proc.vpid=1 and user.uid=0 and not user_known_run_as_root_container
+  enabled: false
+  output: Container launched with root user privilege (uid=%user.uid container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
+  priority: INFO
+  tags: [container, process]

 # Application rules have moved to application_rules.yaml. Please look
 # there if you want to enable them by adding to
--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@@ -49,7 +49,8 @@
    "kubernetes-admin",
    vertical_pod_autoscaler_users,
    cluster-autoscaler,
-    "system:addon-manager"
+    "system:addon-manager",
+    "cloud-controller-manager"
    ]

 - rule: Disallowed K8s User
@@ -536,7 +537,7 @@
  condition: >
    kevt 
    and non_system_user 
-    and ka.user.name in (admin_k8s_users) 
+    and ka.user.name in (full_admin_k8s_users)
    and not allowed_full_admin_users
  output: K8s Operation performed by full admin user (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
  priority: WARNING
--- a/scripts/falco-driver-loader
+++ b/scripts/falco-driver-loader
@@ -220,7 +220,7 @@ load_kernel_module() {
 	rmmod "${DRIVER_NAME}" 2>/dev/null
 	WAIT_TIME=0
 	KMOD_NAME=$(echo "${DRIVER_NAME}" | tr "-" "_")
-	while lsmod | grep "${KMOD_NAME}" > /dev/null 2>&1 && [ $WAIT_TIME -lt "${MAX_RMMOD_WAIT}" ]; do
+	while lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}" && [ $WAIT_TIME -lt "${MAX_RMMOD_WAIT}" ]; do 
 		if rmmod "${DRIVER_NAME}" 2>/dev/null; then
 			echo "* Unloading ${DRIVER_NAME} module succeeded after ${WAIT_TIME}s"
 			break
@@ -232,7 +232,7 @@ load_kernel_module() {
 		sleep 1
 	done

-	if lsmod | grep "${KMOD_NAME}" > /dev/null 2>&1; then
+	if lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}" > /dev/null 2>&1; then
 		echo "* ${DRIVER_NAME} module seems to still be loaded, hoping the best"
 		exit 0
 	fi
--- a/test/confs/program_output.yaml
+++ b/test/confs/program_output.yaml
@@ -41,4 +41,4 @@ stdout_output:

 program_output:
  enabled: true
-  program: cat > /tmp/falco_outputs/program_output.txt
+  program: cat >> /tmp/falco_outputs/program_output.txt
--- a/test/confs/stdout_output.yaml
+++ b/test/confs/stdout_output.yaml
@@ -0,0 +1,42 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# File containing Falco rules, loaded at startup.
+rules_file: /etc/falco_rules.yaml
+
+# Whether to output events in json or text
+json_output: false
+
+# Send information logs to stderr and/or syslog Note these are *not* security
+# notification logs! These are just Falco lifecycle (and possibly error) logs.
+log_stderr: false
+log_syslog: false
+
+# Where security notifications should go.
+# Multiple outputs can be enabled.
+
+syslog_output:
+  enabled: false
+
+file_output:
+  enabled: false
+
+stdout_output:
+  enabled: true
+
+program_output:
+  enabled: false
--- a/test/falco_test.py
+++ b/test/falco_test.py
@@ -1,4 +1,4 @@
- #!/usr/bin/env python
+#!/usr/bin/env python
 #
 # Copyright (C) 2019 The Falco Authors.
 #
@@ -31,6 +31,7 @@ from avocado.utils import process
 from watchdog.observers import Observer
 from watchdog.events import PatternMatchingEventHandler

+
 class FalcoTest(Test):

    def setUp(self):
@@ -49,17 +50,20 @@ class FalcoTest(Test):
        self.stdout_is = self.params.get('stdout_is', '*', default='')
        self.stderr_is = self.params.get('stderr_is', '*', default='')

-        self.stdout_contains = self.params.get('stdout_contains', '*', default='')
+        self.stdout_contains = self.params.get(
+            'stdout_contains', '*', default='')

        if not isinstance(self.stdout_contains, list):
            self.stdout_contains = [self.stdout_contains]

-        self.stderr_contains = self.params.get('stderr_contains', '*', default='')
+        self.stderr_contains = self.params.get(
+            'stderr_contains', '*', default='')

        if not isinstance(self.stderr_contains, list):
            self.stderr_contains = [self.stderr_contains]

-        self.stdout_not_contains = self.params.get('stdout_not_contains', '*', default='')
+        self.stdout_not_contains = self.params.get(
+            'stdout_not_contains', '*', default='')

        if not isinstance(self.stdout_not_contains, list):
            if self.stdout_not_contains == '':
@@ -67,7 +71,8 @@ class FalcoTest(Test):
            else:
                self.stdout_not_contains = [self.stdout_not_contains]

-        self.stderr_not_contains = self.params.get('stderr_not_contains', '*', default='')
+        self.stderr_not_contains = self.params.get(
+            'stderr_not_contains', '*', default='')

        if not isinstance(self.stderr_not_contains, list):
            if self.stderr_not_contains == '':
@@ -83,15 +88,18 @@ class FalcoTest(Test):
            self.trace_file = os.path.join(build_dir, "test", self.trace_file)

        self.json_output = self.params.get('json_output', '*', default=False)
-        self.json_include_output_property = self.params.get('json_include_output_property', '*', default=True)
+        self.json_include_output_property = self.params.get(
+            'json_include_output_property', '*', default=True)
        self.all_events = self.params.get('all_events', '*', default=False)
        self.priority = self.params.get('priority', '*', default='debug')
-        self.rules_file = self.params.get('rules_file', '*', default=os.path.join(self.basedir, '../rules/falco_rules.yaml'))
+        self.rules_file = self.params.get(
+            'rules_file', '*', default=os.path.join(self.basedir, '../rules/falco_rules.yaml'))

        if not isinstance(self.rules_file, list):
            self.rules_file = [self.rules_file]

-        self.validate_rules_file = self.params.get('validate_rules_file', '*', default=False)
+        self.validate_rules_file = self.params.get(
+            'validate_rules_file', '*', default=False)

        if self.validate_rules_file == False:
            self.validate_rules_file = []
@@ -118,13 +126,15 @@ class FalcoTest(Test):
                file = os.path.join(self.basedir, file)
            self.rules_args = self.rules_args + "-r " + file + " "

-        self.conf_file = self.params.get('conf_file', '*', default=os.path.join(self.basedir, '../falco.yaml'))
+        self.conf_file = self.params.get(
+            'conf_file', '*', default=os.path.join(self.basedir, '../falco.yaml'))
        if not os.path.isabs(self.conf_file):
            self.conf_file = os.path.join(self.basedir, self.conf_file)

        self.run_duration = self.params.get('run_duration', '*', default='')

-        self.disabled_rules = self.params.get('disabled_rules', '*', default='')
+        self.disabled_rules = self.params.get(
+            'disabled_rules', '*', default='')

        if self.disabled_rules == '':
            self.disabled_rules = []
@@ -137,7 +147,8 @@ class FalcoTest(Test):
        for rule in self.disabled_rules:
            self.disabled_args = self.disabled_args + "-D " + rule + " "

-        self.detect_counts = self.params.get('detect_counts', '*', default=False)
+        self.detect_counts = self.params.get(
+            'detect_counts', '*', default=False)
        if self.detect_counts == False:
            self.detect_counts = {}
        else:
@@ -147,7 +158,8 @@ class FalcoTest(Test):
                    detect_counts[key] = value
            self.detect_counts = detect_counts

-        self.rules_warning = self.params.get('rules_warning', '*', default=False)
+        self.rules_warning = self.params.get(
+            'rules_warning', '*', default=False)
        if self.rules_warning == False:
            self.rules_warning = set()
        else:
@@ -172,9 +184,11 @@ class FalcoTest(Test):

        self.package = self.params.get('package', '*', default='None')

-        self.addl_docker_run_args = self.params.get('addl_docker_run_args', '*', default='')
+        self.addl_docker_run_args = self.params.get(
+            'addl_docker_run_args', '*', default='')

-        self.copy_local_driver = self.params.get('copy_local_driver', '*', default=False)
+        self.copy_local_driver = self.params.get(
+            'copy_local_driver', '*', default=False)

        # Used by possibly_copy_local_driver as well as docker run
        self.module_dir = os.path.expanduser("~/.falco")
@@ -197,9 +211,33 @@ class FalcoTest(Test):
                        os.makedirs(filedir)
            self.outputs = outputs

+        self.output_strictly_contains = self.params.get(
+            'output_strictly_contains', '*', default='')
+
+        if self.output_strictly_contains == '':
+            self.output_strictly_contains = {}
+        else:
+            output_strictly_contains = []
+            for item in self.output_strictly_contains:
+                for key, value in list(item.items()):
+                    output = {}
+                    output['actual'] = key
+                    output['expected'] = value
+                    output_strictly_contains.append(output)
+                    if not output['actual'] == 'stdout':
+                        # Clean up file from previous tests, if any
+                        if os.path.exists(output['actual']):
+                            os.remove(output['actual'])
+                        # Create the parent directory for the file if it doesn't exist.
+                        filedir = os.path.dirname(output['actual'])
+                        if not os.path.isdir(filedir):
+                            os.makedirs(filedir)
+            self.output_strictly_contains = output_strictly_contains
+
        self.grpcurl_res = None
        self.grpc_observer = None
-        self.grpc_address = self.params.get('address', 'grpc/*', default='/var/run/falco.sock')
+        self.grpc_address = self.params.get(
+            'address', 'grpc/*', default='/var/run/falco.sock')
        if self.grpc_address.startswith("unix://"):
            self.is_grpc_using_unix_socket = True
            self.grpc_address = self.grpc_address[len("unix://"):]
@@ -211,21 +249,22 @@ class FalcoTest(Test):
        self.grpc_results = self.params.get('results', 'grpc/*', default='')
        if self.grpc_results == '':
            self.grpc_results = []
-        else: 
+        else:
            if type(self.grpc_results) == str:
                self.grpc_results = [self.grpc_results]

        self.disable_tags = self.params.get('disable_tags', '*', default='')

        if self.disable_tags == '':
-            self.disable_tags=[]
+            self.disable_tags = []

        self.run_tags = self.params.get('run_tags', '*', default='')

        if self.run_tags == '':
-            self.run_tags=[]
+            self.run_tags = []

-        self.time_iso_8601 = self.params.get('time_iso_8601', '*', default=False)
+        self.time_iso_8601 = self.params.get(
+            'time_iso_8601', '*', default=False)

    def tearDown(self):
        if self.package != 'None':
@@ -244,7 +283,8 @@ class FalcoTest(Test):
        self.log.debug("Actual warning rules: {}".format(found_warning))

        if found_warning != self.rules_warning:
-            self.fail("Expected rules with warnings {} does not match actual rules with warnings {}".format(self.rules_warning, found_warning))
+            self.fail("Expected rules with warnings {} does not match actual rules with warnings {}".format(
+                self.rules_warning, found_warning))

    def check_rules_events(self, res):

@@ -255,50 +295,60 @@ class FalcoTest(Test):
            events = set(match.group(2).split(","))
            found_events[rule] = events

-        self.log.debug("Expected events for rules: {}".format(self.rules_events))
+        self.log.debug(
+            "Expected events for rules: {}".format(self.rules_events))
        self.log.debug("Actual events for rules: {}".format(found_events))

        for rule in list(found_events.keys()):
            if found_events.get(rule) != self.rules_events.get(rule):
-                self.fail("rule {}: expected events {} differs from actual events {}".format(rule, self.rules_events.get(rule), found_events.get(rule)))
+                self.fail("rule {}: expected events {} differs from actual events {}".format(
+                    rule, self.rules_events.get(rule), found_events.get(rule)))

    def check_detections(self, res):
        # Get the number of events detected.
        match = re.search('Events detected: (\d+)', res.stdout.decode("utf-8"))
        if match is None:
-            self.fail("Could not find a line 'Events detected: <count>' in falco output")
+            self.fail(
+                "Could not find a line 'Events detected: <count>' in falco output")

        events_detected = int(match.group(1))

        if not self.should_detect and events_detected > 0:
-            self.fail("Detected {} events when should have detected none".format(events_detected))
+            self.fail("Detected {} events when should have detected none".format(
+                events_detected))

        if self.should_detect:
            if events_detected == 0:
-                self.fail("Detected {} events when should have detected > 0".format(events_detected))
+                self.fail("Detected {} events when should have detected > 0".format(
+                    events_detected))

            for level in self.detect_level:
                level_line = '(?i){}: (\d+)'.format(level)
                match = re.search(level_line, res.stdout.decode("utf-8"))

                if match is None:
-                    self.fail("Could not find a line '{}: <count>' in falco output".format(level))
+                    self.fail(
+                        "Could not find a line '{}: <count>' in falco output".format(level))

                    events_detected = int(match.group(1))

                    if not events_detected > 0:
-                        self.fail("Detected {} events at level {} when should have detected > 0".format(events_detected, level))
+                        self.fail("Detected {} events at level {} when should have detected > 0".format(
+                            events_detected, level))

    def check_detections_by_rule(self, res):
        # Get the number of events detected for each rule. Must match the expected counts.
-        match = re.search('Triggered rules by rule name:(.*)', res.stdout.decode("utf-8"), re.DOTALL)
+        match = re.search('Triggered rules by rule name:(.*)',
+                          res.stdout.decode("utf-8"), re.DOTALL)
        if match is None:
-            self.fail("Could not find a block 'Triggered rules by rule name: ...' in falco output")
+            self.fail(
+                "Could not find a block 'Triggered rules by rule name: ...' in falco output")

        triggered_rules = match.group(1)

        for rule, count in list(self.detect_counts.items()):
-            expected = '\s{}: (\d+)'.format(re.sub(r'([$\.*+?()[\]{}|^])', r'\\\1', rule))
+            expected = '\s{}: (\d+)'.format(
+                re.sub(r'([$\.*+?()[\]{}|^])', r'\\\1', rule))
            match = re.search(expected, triggered_rules)

            if match is None:
@@ -307,9 +357,11 @@ class FalcoTest(Test):
                actual_count = int(match.group(1))

            if actual_count != count:
-                self.fail("Different counts for rule {}: expected={}, actual={}".format(rule, count, actual_count))
+                self.fail("Different counts for rule {}: expected={}, actual={}".format(
+                    rule, count, actual_count))
            else:
-                self.log.debug("Found expected count for rule {}: {}".format(rule, count))
+                self.log.debug(
+                    "Found expected count for rule {}: {}".format(rule, count))

    def check_outputs(self):
        for output in self.outputs:
@@ -324,7 +376,8 @@ class FalcoTest(Test):
                    found = True

            if found == False:
-                self.fail("Could not find a line '{}' in file '{}'".format(output['line'], output['file']))
+                self.fail("Could not find a line '{}' in file '{}'".format(
+                    output['line'], output['file']))

        return True

@@ -341,7 +394,27 @@ class FalcoTest(Test):
                        attrs = ['time', 'rule', 'priority']
                    for attr in attrs:
                        if not attr in obj:
-                            self.fail("Falco JSON object {} does not contain property \"{}\"".format(line, attr))
+                            self.fail(
+                                "Falco JSON object {} does not contain property \"{}\"".format(line, attr))
+
+    def check_output_strictly_contains(self, res):
+        for output in self.output_strictly_contains:
+            # Read the expected output (from a file) and actual output (either from a file or the stdout),
+            # then check if the actual one strictly contains the expected one.
+
+            expected = open(output['expected']).read()
+
+            if output['actual'] == 'stdout':
+                actual = res.stdout.decode("utf-8")
+            else:
+                actual = open(output['actual']).read()
+
+            if expected not in actual:
+                self.fail("Output '{}' does not strictly contains the expected content '{}'".format(
+                    output['actual'], output['expected']))
+                return False
+
+        return True

    def install_package(self):

@@ -360,35 +433,39 @@ class FalcoTest(Test):
                                         self.module_dir, self.addl_docker_run_args, image)

        elif self.package.endswith(".deb"):
-            self.falco_binary_path = '/usr/bin/falco';
+            self.falco_binary_path = '/usr/bin/falco'

            package_glob = "{}/{}".format(self.falcodir, self.package)

            matches = glob.glob(package_glob)

            if len(matches) != 1:
-                self.fail("Package path {} did not match exactly 1 file. Instead it matched: {}", package_glob, ",".join(matches))
+                self.fail("Package path {} did not match exactly 1 file. Instead it matched: {}",
+                          package_glob, ",".join(matches))

            package_path = matches[0]

            cmdline = "dpkg -i {}".format(package_path)
-            self.log.debug("Installing debian package via \"{}\"".format(cmdline))
+            self.log.debug(
+                "Installing debian package via \"{}\"".format(cmdline))
            res = process.run(cmdline, timeout=120, sudo=True)

        elif self.package.endswith(".rpm"):
-            self.falco_binary_path = '/usr/bin/falco';
+            self.falco_binary_path = '/usr/bin/falco'

            package_glob = "{}/{}".format(self.falcodir, self.package)

            matches = glob.glob(package_glob)

            if len(matches) != 1:
-                self.fail("Package path {} did not match exactly 1 file. Instead it matched: {}", package_glob, ",".join(matches))
+                self.fail("Package path {} did not match exactly 1 file. Instead it matched: {}",
+                          package_glob, ",".join(matches))

            package_path = matches[0]

            cmdline = "rpm -i --nodeps --noscripts {}".format(package_path)
-            self.log.debug("Installing centos package via \"{}\"".format(cmdline))
+            self.log.debug(
+                "Installing centos package via \"{}\"".format(cmdline))
            res = process.run(cmdline, timeout=120, sudo=True)

    def uninstall_package(self):
@@ -398,25 +475,29 @@ class FalcoTest(Test):

        elif self.package.endswith(".rpm"):
            cmdline = "rpm -e --noscripts --nodeps falco"
-            self.log.debug("Uninstalling centos package via \"{}\"".format(cmdline))
+            self.log.debug(
+                "Uninstalling centos package via \"{}\"".format(cmdline))
            res = process.run(cmdline, timeout=120, sudo=True)

        elif self.package.endswith(".deb"):
            cmdline = "dpkg --purge falco"
-            self.log.debug("Uninstalling debian package via \"{}\"".format(cmdline))
+            self.log.debug(
+                "Uninstalling debian package via \"{}\"".format(cmdline))
            res = process.run(cmdline, timeout=120, sudo=True)

    def possibly_copy_driver(self):
        # Remove the contents of ~/.falco regardless of copy_local_driver.
        self.log.debug("Checking for module dir {}".format(self.module_dir))
        if os.path.isdir(self.module_dir):
-            self.log.info("Removing files below directory {}".format(self.module_dir))
+            self.log.info(
+                "Removing files below directory {}".format(self.module_dir))
            for rmfile in glob.glob(self.module_dir + "/*"):
                self.log.debug("Removing file {}".format(rmfile))
                os.remove(rmfile)

        if self.copy_local_driver:
-            verlines = [str.strip() for str in subprocess.check_output([self.falco_binary_path, "--version"]).splitlines()]
+            verlines = [str.strip() for str in subprocess.check_output(
+                [self.falco_binary_path, "--version"]).splitlines()]
            verstr = verlines[0].decode("utf-8")
            self.log.info("verstr {}".format(verstr))
            falco_version = verstr.split(" ")[2]
@@ -428,10 +509,12 @@ class FalcoTest(Test):

            # falco-driver-loader has a more comprehensive set of ways to
            # find the config hash. We only look at /boot/config-<kernel release>
-            md5_output = subprocess.check_output(["md5sum", "/boot/config-{}".format(kernel_release)]).rstrip()
+            md5_output = subprocess.check_output(
+                ["md5sum", "/boot/config-{}".format(kernel_release)]).rstrip()
            config_hash = md5_output.split(" ")[0]

-            probe_filename = "falco-{}-{}-{}-{}.ko".format(falco_version, arch, kernel_release, config_hash)
+            probe_filename = "falco-{}-{}-{}-{}.ko".format(
+                falco_version, arch, kernel_release, config_hash)
            driver_path = os.path.join(self.falcodir, "driver", "falco.ko")
            module_path = os.path.join(self.module_dir, probe_filename)
            self.log.debug("Copying {} to {}".format(driver_path, module_path))
@@ -442,20 +525,22 @@ class FalcoTest(Test):
        if len(self.grpc_results) > 0:
            if not self.is_grpc_using_unix_socket:
                self.fail("This test suite supports gRPC with unix socket only")
-            
-            cmdline = "grpcurl -import-path ../userspace/falco " \
-                            "-proto {} -plaintext -unix {} " \
-                            "{}/{}".format(self.grpc_proto, self.grpc_address, self.grpc_service, self.grpc_method)
+
+            cmdline = "grpcurl -format text -import-path ../userspace/falco " \
+                "-proto {} -plaintext -unix {} " \
+                "{}/{}".format(self.grpc_proto, self.grpc_address,
+                               self.grpc_service, self.grpc_method)
            that = self
+
            class GRPCUnixSocketEventHandler(PatternMatchingEventHandler):
                def on_created(self, event):
                    # that.log.info("EVENT: {}", event)
                    that.grpcurl_res = process.run(cmdline)
-                    
+
            path = os.path.dirname(self.grpc_address)
            process.run("mkdir -p {}".format(path))
            event_handler = GRPCUnixSocketEventHandler(patterns=['*'],
-                                ignore_directories=True)
+                                                       ignore_directories=True)
            self.grpc_observer = Observer()
            self.grpc_observer.schedule(event_handler, path, recursive=False)
            self.grpc_observer.start()
@@ -470,19 +555,19 @@ class FalcoTest(Test):
            for exp_result in self.grpc_results:
                found = False
                for line in self.grpcurl_res.stdout.decode("utf-8").splitlines():
-                    match = re.search(exp_result, line)
-
-                    if match is not None:
+                    if exp_result in line:
                        found = True
+                        break

                if found == False:
-                    self.fail("Could not find a line '{}' in gRPC responses".format(exp_result))
-
+                    self.fail(
+                        "Could not find a line with '{}' in gRPC responses (protobuf text".format(exp_result))

    def test(self):
        self.log.info("Trace file %s", self.trace_file)

-        self.falco_binary_path = '{}/userspace/falco/falco'.format(self.falcodir)
+        self.falco_binary_path = '{}/userspace/falco/falco'.format(
+            self.falcodir)

        self.possibly_copy_driver()

@@ -501,9 +586,11 @@ class FalcoTest(Test):
        if self.psp_file != "":

            if not os.path.isfile(self.psp_conv_path):
-                self.log.info("Downloading {} to {}".format(self.psp_conv_url, self.psp_conv_path))
+                self.log.info("Downloading {} to {}".format(
+                    self.psp_conv_url, self.psp_conv_path))

-                urllib.request.urlretrieve(self.psp_conv_url, self.psp_conv_path)
+                urllib.request.urlretrieve(
+                    self.psp_conv_url, self.psp_conv_path)
                os.chmod(self.psp_conv_path, stat.S_IEXEC)

            conv_cmd = '{} convert psp --psp-path {} --rules-path {}'.format(
@@ -521,7 +608,6 @@ class FalcoTest(Test):
                psp_rules = myfile.read()
                self.log.debug("Converted Rules: {}".format(psp_rules))

-
        # Run falco
        cmd = '{} {} {} -c {} {} -o json_output={} -o json_include_output_property={} -o priority={} -v'.format(
            self.falco_binary_path, self.rules_args, self.disabled_args, self.conf_file, trace_arg, self.json_output, self.json_include_output_property, self.priority)
@@ -557,22 +643,26 @@ class FalcoTest(Test):
        for pattern in self.stderr_contains:
            match = re.search(pattern, res.stderr.decode("utf-8"))
            if match is None:
-                self.fail("Stderr of falco process did not contain content matching {}".format(pattern))
+                self.fail(
+                    "Stderr of falco process did not contain content matching {}".format(pattern))

        for pattern in self.stdout_contains:
            match = re.search(pattern, res.stdout.decode("utf-8"))
            if match is None:
-                self.fail("Stdout of falco process '{}' did not contain content matching {}".format(res.stdout.decode("utf-8"), pattern))
+                self.fail("Stdout of falco process '{}' did not contain content matching {}".format(
+                    res.stdout.decode("utf-8"), pattern))

        for pattern in self.stderr_not_contains:
            match = re.search(pattern, res.stderr.decode("utf-8"))
            if match is not None:
-                self.fail("Stderr of falco process contained content matching {} when it should have not".format(pattern))
+                self.fail(
+                    "Stderr of falco process contained content matching {} when it should have not".format(pattern))

        for pattern in self.stdout_not_contains:
            match = re.search(pattern, res.stdout.decode("utf-8"))
            if match is not None:
-                self.fail("Stdout of falco process '{}' did contain content matching {} when it should have not".format(res.stdout.decode("utf-8"), pattern))
+                self.fail("Stdout of falco process '{}' did contain content matching {} when it should have not".format(
+                    res.stdout.decode("utf-8"), pattern))

        if res.exit_status != self.exit_status:
            self.error("Falco command \"{}\" exited with unexpected return value {} (!= {})".format(
@@ -590,6 +680,7 @@ class FalcoTest(Test):
            self.check_detections_by_rule(res)
        self.check_json_output(res)
        self.check_outputs()
+        self.check_output_strictly_contains(res)
        self.check_grpc()
        pass

--- a/test/falco_tests.yaml
+++ b/test/falco_tests.yaml
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2016-2018 The Falco Authors..
+# Copyright (C) 2020 The Falco Authors.
 #
 # This file is part of falco.
 #
@@ -652,25 +652,50 @@ trace_files: !mux
    trace_file: trace_files/cat_write.scap
    stdout_contains: "Warning An open was seen .cport=<NA> command=cat /dev/null."

-  file_output:
+  stdout_output_strict:
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/single_rule.yaml
+    conf_file: confs/stdout_output.yaml
+    trace_file: trace_files/cat_write.scap
+    time_iso_8601: true
+    output_strictly_contains:
+      - stdout: output_files/single_rule_with_cat_write.txt
+
+  stdout_output_json_strict:
+    json_output: True
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/single_rule.yaml
+    conf_file: confs/stdout_output.yaml
+    trace_file: trace_files/cat_write.scap
+    time_iso_8601: true
+    output_strictly_contains:
+      - stdout: output_files/single_rule_with_cat_write.json
+
+  file_output_strict:
    detect: True
    detect_level: WARNING
    rules_file:
      - rules/single_rule.yaml
    conf_file: confs/file_output.yaml
    trace_file: trace_files/cat_write.scap
-    outputs:
-      - /tmp/falco_outputs/file_output.txt: Warning An open was seen
+    time_iso_8601: true
+    output_strictly_contains:
+      - /tmp/falco_outputs/file_output.txt: output_files/single_rule_with_cat_write.txt

-  program_output:
+  program_output_strict:
    detect: True
    detect_level: WARNING
    rules_file:
      - rules/single_rule.yaml
    conf_file: confs/program_output.yaml
    trace_file: trace_files/cat_write.scap
-    outputs:
-      - /tmp/falco_outputs/program_output.txt: Warning An open was seen
+    time_iso_8601: true
+    output_strictly_contains:
+      - /tmp/falco_outputs/program_output.txt: output_files/single_rule_with_cat_write.txt

  grpc_unix_socket_outputs:
    detect: True
@@ -680,13 +705,26 @@ trace_files: !mux
    conf_file: confs/grpc_unix_socket.yaml
    trace_file: trace_files/cat_write.scap
    run_duration: 5
+    time_iso_8601: true
    grpc:
      address: unix:///tmp/falco/falco.sock
      proto: outputs.proto
      service: falco.outputs.service
      method: get
+      # protobuf text format
      results:
-        - "Warning An open was seen"
+        - "seconds:1470327477 nanos:881781397"
+        - "priority: WARNING"
+        - "rule: \"open_from_cat\""
+        - "output: \"2016-08-04T16:17:57.881781397+0000: Warning An open was seen (command=cat /dev/null)\""
+        # output fields
+        - "key: \"evt.time.iso8601\""
+        - "value: \"2016-08-04T16:17:57.881781397+0000\""
+        - "key: \"proc.cmdline\""
+        - "value: \"cat /dev/null\""
+        # For the hostname, since we don't know that beforehand,
+        # only check the field presence
+        - "hostname: "

  detect_counts:
    detect: True
--- a/test/output_files/single_rule_with_cat_write.json
+++ b/test/output_files/single_rule_with_cat_write.json
@@ -0,0 +1,8 @@
+{"output":"2016-08-04T16:17:57.881781397+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881781397Z", "output_fields": {"evt.time.iso8601":1470327477881781397,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.881785348+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881785348Z", "output_fields": {"evt.time.iso8601":1470327477881785348,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.881796705+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881796705Z", "output_fields": {"evt.time.iso8601":1470327477881796705,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.881799840+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881799840Z", "output_fields": {"evt.time.iso8601":1470327477881799840,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.882003104+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882003104Z", "output_fields": {"evt.time.iso8601":1470327477882003104,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.882008208+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882008208Z", "output_fields": {"evt.time.iso8601":1470327477882008208,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.882045694+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882045694Z", "output_fields": {"evt.time.iso8601":1470327477882045694,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.882054739+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882054739Z", "output_fields": {"evt.time.iso8601":1470327477882054739,"proc.cmdline":"cat /dev/null"}}
--- a/test/output_files/single_rule_with_cat_write.txt
+++ b/test/output_files/single_rule_with_cat_write.txt
@@ -0,0 +1,8 @@
+2016-08-04T16:17:57.881781397+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.881785348+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.881796705+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.881799840+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.882003104+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.882008208+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.882045694+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.882054739+0000: Warning An open was seen (command=cat /dev/null)
--- a/test/run_regression_tests.sh
+++ b/test/run_regression_tests.sh
@@ -104,8 +104,12 @@ function run_tests() {
        suites+=($SCRIPTDIR/falco_tests_package.yaml)
    fi
    
+    XUNIT_DIR="${OPT_BUILD_DIR}/integration-tests-xunit"
+    mkdir -p "${XUNIT_DIR}"
+
    for mult in "${suites[@]}"; do
-        CMD="avocado run --mux-yaml $mult --job-results-dir $SCRIPTDIR/job-results -- $SCRIPTDIR/falco_test.py"
+        XUNIT_FILE_NAME="${XUNIT_DIR}/$(basename "${mult}").xml"
+        CMD="avocado run --xunit ${XUNIT_FILE_NAME} --mux-yaml $mult --job-results-dir $SCRIPTDIR/job-results -- $SCRIPTDIR/falco_test.py"
        echo "Running $CMD"
        BUILD_DIR=${OPT_BUILD_DIR} $CMD
        RC=$?
--- a/userspace/engine/falco_engine.cpp
+++ b/userspace/engine/falco_engine.cpp
@@ -171,9 +171,8 @@ void falco_engine::load_rules(const string &rules_content, bool verbose, bool al
 					  m_ls);
 	}

-	// Note that falco_formats is added to both the lua state used
-	// by the falco engine as well as the separate lua state used
-	// by falco outputs.  Within the engine, only
+	// Note that falco_formats is added to the lua state used
+	// by the falco engine only. Within the engine, only
 	// formats.formatter is used, so we can unconditionally set
 	// json_output to false.
 	bool json_output = false;
--- a/userspace/engine/formats.cpp
+++ b/userspace/engine/formats.cpp
@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2020 The Falco Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -20,24 +20,19 @@ limitations under the License.
 #include "falco_engine.h"
 #include "banned.h" // This raises a compilation error when certain functions are used

-
-sinsp* falco_formats::s_inspector = NULL;
+sinsp *falco_formats::s_inspector = NULL;
 falco_engine *falco_formats::s_engine = NULL;
 bool falco_formats::s_json_output = false;
 bool falco_formats::s_json_include_output_property = true;
-sinsp_evt_formatter_cache *falco_formats::s_formatters = NULL;
+std::unique_ptr<sinsp_evt_formatter_cache> falco_formats::s_formatters = NULL;

-const static struct luaL_reg ll_falco [] =
-{
-	{"formatter", &falco_formats::formatter},
-	{"free_formatter", &falco_formats::free_formatter},
-	{"free_formatters", &falco_formats::free_formatters},
-	{"format_event", &falco_formats::format_event},
-	{"resolve_tokens", &falco_formats::resolve_tokens},
-	{NULL,NULL}
-};
+const static struct luaL_Reg ll_falco[] =
+	{
+		{"formatter", &falco_formats::lua_formatter},
+		{"free_formatter", &falco_formats::lua_free_formatter},
+		{NULL, NULL}};

-void falco_formats::init(sinsp* inspector,
+void falco_formats::init(sinsp *inspector,
 			 falco_engine *engine,
 			 lua_State *ls,
 			 bool json_output,
@@ -47,15 +42,14 @@ void falco_formats::init(sinsp* inspector,
 	s_engine = engine;
 	s_json_output = json_output;
 	s_json_include_output_property = json_include_output_property;
-	if(!s_formatters)
-	{
-		s_formatters = new sinsp_evt_formatter_cache(s_inspector);
-	}
+
+	// todo(leogr): we should have used std::make_unique, but we cannot since it's not C++14
+	s_formatters = std::unique_ptr<sinsp_evt_formatter_cache>(new sinsp_evt_formatter_cache(s_inspector));

 	luaL_openlib(ls, "formats", ll_falco, 0);
 }

-int falco_formats::formatter(lua_State *ls)
+int falco_formats::lua_formatter(lua_State *ls)
 {
 	string source = luaL_checkstring(ls, -2);
 	string format = luaL_checkstring(ls, -1);
@@ -64,7 +58,7 @@ int falco_formats::formatter(lua_State *ls)
 	{
 		if(source == "syscall")
 		{
-			sinsp_evt_formatter* formatter;
+			sinsp_evt_formatter *formatter;
 			formatter = new sinsp_evt_formatter(s_inspector, format);
 			lua_pushlightuserdata(ls, formatter);
 		}
@@ -75,11 +69,11 @@ int falco_formats::formatter(lua_State *ls)
 			lua_pushlightuserdata(ls, formatter);
 		}
 	}
-	catch(sinsp_exception& e)
+	catch(sinsp_exception &e)
 	{
 		luaL_error(ls, "Invalid output format '%s': '%s'", format.c_str(), e.what());
 	}
-	catch(falco_exception& e)
+	catch(falco_exception &e)
 	{
 		luaL_error(ls, "Invalid output format '%s': '%s'", format.c_str(), e.what());
 	}
@@ -87,10 +81,10 @@ int falco_formats::formatter(lua_State *ls)
 	return 1;
 }

-int falco_formats::free_formatter(lua_State *ls)
+int falco_formats::lua_free_formatter(lua_State *ls)
 {
-	if (!lua_islightuserdata(ls, -1) ||
-	    !lua_isstring(ls, -2))
+	if(!lua_islightuserdata(ls, -1) ||
+	   !lua_isstring(ls, -2))

 	{
 		luaL_error(ls, "Invalid argument passed to free_formatter");
@@ -100,115 +94,75 @@ int falco_formats::free_formatter(lua_State *ls)

 	if(source == "syscall")
 	{
-		sinsp_evt_formatter *formatter = (sinsp_evt_formatter *) lua_topointer(ls, -1);
+		sinsp_evt_formatter *formatter = (sinsp_evt_formatter *)lua_topointer(ls, -1);
 		delete(formatter);
 	}
 	else
 	{
-		json_event_formatter *formatter = (json_event_formatter *) lua_topointer(ls, -1);
+		json_event_formatter *formatter = (json_event_formatter *)lua_topointer(ls, -1);
 		delete(formatter);
 	}

 	return 0;
 }

-int falco_formats::free_formatters(lua_State *ls)
+string falco_formats::format_event(const gen_event *evt, const std::string &rule, const std::string &source,
+				   const std::string &level, const std::string &format)
 {
-	if(s_formatters)
-	{
-		delete(s_formatters);
-		s_formatters = NULL;
-	}
-	return 0;
-}

-int falco_formats::format_event (lua_State *ls)
-{
 	string line;
 	string json_line;
-
-	if (!lua_isstring(ls, -1) ||
-	    !lua_isstring(ls, -2) ||
-	    !lua_isstring(ls, -3) ||
-	    !lua_isstring(ls, -4) ||
-	    !lua_islightuserdata(ls, -5)) {
-		lua_pushstring(ls, "Invalid arguments passed to format_event()");
-		lua_error(ls);
-	}
-	gen_event* evt = (gen_event*)lua_topointer(ls, 1);
-	const char *rule = (char *) lua_tostring(ls, 2);
-	const char *source = (char *) lua_tostring(ls, 3);
-	const char *level = (char *) lua_tostring(ls, 4);
-	const char *format = (char *) lua_tostring(ls, 5);
-
 	string sformat = format;

-	if(strcmp(source, "syscall") == 0)
+	if(strcmp(source.c_str(), "syscall") == 0)
 	{
-		try {
-			// This is "output"
-			s_formatters->tostring((sinsp_evt *) evt, sformat, &line);
+		// This is "output"
+		s_formatters->tostring((sinsp_evt *)evt, sformat, &line);

-			if(s_json_output)
-			{
-				sinsp_evt::param_fmt cur_fmt = s_inspector->get_buffer_format();
-				switch(cur_fmt)
-				{
-					case sinsp_evt::PF_NORMAL:
-						s_inspector->set_buffer_format(sinsp_evt::PF_JSON);
-						break;
-					case sinsp_evt::PF_EOLS:
-						s_inspector->set_buffer_format(sinsp_evt::PF_JSONEOLS);
-						break;
-					case sinsp_evt::PF_HEX:
-						s_inspector->set_buffer_format(sinsp_evt::PF_JSONHEX);
-						break;
-					case sinsp_evt::PF_HEXASCII:
-						s_inspector->set_buffer_format(sinsp_evt::PF_JSONHEXASCII);
-						break;
-					case sinsp_evt::PF_BASE64:
-						s_inspector->set_buffer_format(sinsp_evt::PF_JSONBASE64);
-						break;
-					default:
-						// do nothing
-						break;
-				}
-				// This is output fields
-				s_formatters->tostring((sinsp_evt *) evt, sformat, &json_line);
-
-				// The formatted string might have a leading newline. If it does, remove it.
-				if (json_line[0] == '\n')
-				{
-					json_line.erase(0, 1);
-				}
-				s_inspector->set_buffer_format(cur_fmt);
-			}
-		}
-		catch (sinsp_exception& e)
+		if(s_json_output)
 		{
-			string err = "Invalid output format '" + sformat + "': '" + string(e.what()) + "'";
-			lua_pushstring(ls, err.c_str());
-			lua_error(ls);
+			sinsp_evt::param_fmt cur_fmt = s_inspector->get_buffer_format();
+			switch(cur_fmt)
+			{
+			case sinsp_evt::PF_NORMAL:
+				s_inspector->set_buffer_format(sinsp_evt::PF_JSON);
+				break;
+			case sinsp_evt::PF_EOLS:
+				s_inspector->set_buffer_format(sinsp_evt::PF_JSONEOLS);
+				break;
+			case sinsp_evt::PF_HEX:
+				s_inspector->set_buffer_format(sinsp_evt::PF_JSONHEX);
+				break;
+			case sinsp_evt::PF_HEXASCII:
+				s_inspector->set_buffer_format(sinsp_evt::PF_JSONHEXASCII);
+				break;
+			case sinsp_evt::PF_BASE64:
+				s_inspector->set_buffer_format(sinsp_evt::PF_JSONBASE64);
+				break;
+			default:
+				// do nothing
+				break;
+			}
+			// This is output fields
+			s_formatters->tostring((sinsp_evt *)evt, sformat, &json_line);
+
+			// The formatted string might have a leading newline. If it does, remove it.
+			if(json_line[0] == '\n')
+			{
+				json_line.erase(0, 1);
+			}
+			s_inspector->set_buffer_format(cur_fmt);
 		}
 	}
 	else
 	{
-		try {
+		json_event_formatter formatter(s_engine->json_factory(), sformat);

-			json_event_formatter formatter(s_engine->json_factory(), sformat);
+		line = formatter.tostring((json_event *)evt);

-			line = formatter.tostring((json_event *) evt);
-
-			if(s_json_output)
-			{
-				json_line = formatter.tojson((json_event *) evt);
-			}
-		}
-		catch (exception &e)
+		if(s_json_output)
 		{
-			string err = "Invalid output format '" + sformat + "': '" + string(e.what()) + "'";
-			lua_pushstring(ls, err.c_str());
-			lua_error(ls);
+			json_line = formatter.tojson((json_event *)evt);
 		}
 	}

@@ -217,15 +171,16 @@ int falco_formats::format_event (lua_State *ls)
 	// message as well as the event time in ns. Use this to build
 	// a more detailed object containing the event time, rule,
 	// severity, full output, and fields.
-	if (s_json_output) {
+	if(s_json_output)
+	{
 		Json::Value event;
 		Json::FastWriter writer;
 		string full_line;

 		// Convert the time-as-nanoseconds to a more json-friendly ISO8601.
-		time_t evttime = evt->get_ts()/1000000000;
+		time_t evttime = evt->get_ts() / 1000000000;
 		char time_sec[20]; // sizeof "YYYY-MM-DDTHH:MM:SS"
-		char time_ns[12]; // sizeof ".sssssssssZ"
+		char time_ns[12];  // sizeof ".sssssssssZ"
 		string iso8601evttime;

 		strftime(time_sec, sizeof(time_sec), "%FT%T", gmtime(&evttime));
@@ -246,9 +201,9 @@ int falco_formats::format_event (lua_State *ls)

 		// Json::FastWriter may add a trailing newline. If it
 		// does, remove it.
-		if (full_line[full_line.length()-1] == '\n')
+		if(full_line[full_line.length() - 1] == '\n')
 		{
-			full_line.resize(full_line.length()-1);
+			full_line.resize(full_line.length() - 1);
 		}

 		// Cheat-graft the output from the formatter into this
@@ -261,24 +216,12 @@ int falco_formats::format_event (lua_State *ls)
 		line = full_line;
 	}

-	lua_pushstring(ls, line.c_str());
-	return 1;
+	return line.c_str();
 }

-int falco_formats::resolve_tokens(lua_State *ls)
+map<string, string> falco_formats::resolve_tokens(const gen_event *evt, const std::string &source, const std::string &format)
 {
-	if(!lua_isstring(ls, -1) ||
-	   !lua_isstring(ls, -2) ||
-	   !lua_islightuserdata(ls, -3))
-	{
-		lua_pushstring(ls, "Invalid arguments passed to resolve_tokens()");
-		lua_error(ls);
-	}
-	gen_event *evt = (gen_event *)lua_topointer(ls, 1);
-	string source = luaL_checkstring(ls, 2);
-	const char *format = (char *)lua_tostring(ls, 3);
 	string sformat = format;
-
 	map<string, string> values;
 	if(source == "syscall")
 	{
@@ -288,16 +231,7 @@ int falco_formats::resolve_tokens(lua_State *ls)
 	else
 	{
 		json_event_formatter json_formatter(s_engine->json_factory(), sformat);
-		values = json_formatter.tomap((json_event*) evt);
+		values = json_formatter.tomap((json_event *)evt);
 	}
-
-	lua_newtable(ls);
-	for(auto const& v : values)
-	{
-		lua_pushstring(ls, v.first.c_str());
-		lua_pushstring(ls, v.second.c_str());
-		lua_settable(ls, -3);
-	}
-
-	return 1;
+	return values;
 }
--- a/userspace/engine/formats.h
+++ b/userspace/engine/formats.h
@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2020 The Falco Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -18,7 +18,8 @@ limitations under the License.

 #include "sinsp.h"

-extern "C" {
+extern "C"
+{
 #include "lua.h"
 #include "lualib.h"
 #include "lauxlib.h"
@@ -31,31 +32,28 @@ class sinsp_evt_formatter;

 class falco_formats
 {
- public:
-	static void init(sinsp* inspector,
+public:
+	static void init(sinsp *inspector,
 			 falco_engine *engine,
 			 lua_State *ls,
 			 bool json_output,
 			 bool json_include_output_property);

 	// formatter = falco.formatter(format_string)
-	static int formatter(lua_State *ls);
+	static int lua_formatter(lua_State *ls);

 	// falco.free_formatter(formatter)
-	static int free_formatter(lua_State *ls);
+	static int lua_free_formatter(lua_State *ls);

-	// falco.free_formatters()
-	static int free_formatters(lua_State *ls);
+	static string format_event(const gen_event *evt, const std::string &rule, const std::string &source,
+				   const std::string &level, const std::string &format);

-	// formatted_string = falco.format_event(evt, formatter)
-	static int format_event(lua_State *ls);
+	static map<string, string> resolve_tokens(const gen_event *evt, const std::string &source,
+						  const std::string &format);

-	// resolve_tokens = falco.resolve_tokens(evt, formatter)
-	static int resolve_tokens(lua_State *ls);
-
-	static sinsp* s_inspector;
+	static sinsp *s_inspector;
 	static falco_engine *s_engine;
-	static sinsp_evt_formatter_cache *s_formatters;
+	static std::unique_ptr<sinsp_evt_formatter_cache> s_formatters;
 	static bool s_json_output;
 	static bool s_json_include_output_property;
 };
--- a/userspace/engine/rules.cpp
+++ b/userspace/engine/rules.cpp
@@ -26,15 +26,14 @@ extern "C" {
 #include "falco_engine.h"
 #include "banned.h" // This raises a compilation error when certain functions are used

-const static struct luaL_reg ll_falco_rules [] =
-{
-	{"clear_filters", &falco_rules::clear_filters},
-	{"add_filter", &falco_rules::add_filter},
-	{"add_k8s_audit_filter", &falco_rules::add_k8s_audit_filter},
-	{"enable_rule", &falco_rules::enable_rule},
-	{"engine_version", &falco_rules::engine_version},
-	{NULL,NULL}
-};
+const static struct luaL_Reg ll_falco_rules[] =
+	{
+		{"clear_filters", &falco_rules::clear_filters},
+		{"add_filter", &falco_rules::add_filter},
+		{"add_k8s_audit_filter", &falco_rules::add_k8s_audit_filter},
+		{"enable_rule", &falco_rules::enable_rule},
+		{"engine_version", &falco_rules::engine_version},
+		{NULL, NULL}};

 falco_rules::falco_rules(sinsp* inspector,
 			 falco_engine *engine,
--- a/userspace/falco/CMakeLists.txt
+++ b/userspace/falco/CMakeLists.txt
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -11,117 +11,88 @@
 # specific language governing permissions and limitations under the License.
 #

-configure_file("${SYSDIG_SOURCE_DIR}/userspace/sysdig/config_sysdig.h.in" config_sysdig.h)
+configure_file(config_falco.h.in config_falco.h)

-if(NOT MINIMAL_BUILD)
-  add_custom_command(
-    OUTPUT
-      ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc
-      ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.h
-      ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
-      ${CMAKE_CURRENT_BINARY_DIR}/version.pb.h
-      ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc
-      ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.h
-      ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc
-      ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.h
-      ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc
-      ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.h
-    COMMENT "Generate gRPC API"
-    # Falco gRPC Version API
-    DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
-    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
-    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
-            ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
-    # Falco gRPC Outputs API
-    DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
-    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
-            ${CMAKE_CURRENT_SOURCE_DIR}/schema.proto
-    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
-            ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
-    WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR})
-endif()
-
-if(MINIMAL_BUILD)
-add_executable(
-  falco
+set(
+  FALCO_SOURCES
  configuration.cpp
  logger.cpp
  falco_outputs.cpp
+  outputs_file.cpp
+  outputs_program.cpp
+  outputs_stdout.cpp
+  outputs_syslog.cpp
  event_drops.cpp
  statsfilewriter.cpp
  falco.cpp
-  "${SYSDIG_SOURCE_DIR}/userspace/sysdig/fields_info.cpp")
-else()
-  add_executable(
-    falco
-    configuration.cpp
-    logger.cpp
-    falco_outputs.cpp
-    event_drops.cpp
-    statsfilewriter.cpp
-    falco.cpp
-    "${SYSDIG_SOURCE_DIR}/userspace/sysdig/fields_info.cpp"
+  "${SYSDIG_SOURCE_DIR}/userspace/libsinsp/fields_info.cpp"
+)
+
+set(
+  FALCO_INCLUDE_DIRECTORIES
+  "${PROJECT_SOURCE_DIR}/userspace/engine"
+  "${PROJECT_BINARY_DIR}/userspace/falco"
+  "${PROJECT_BINARY_DIR}/driver/src"
+  "${STRING_VIEW_LITE_INCLUDE}"
+  "${YAMLCPP_INCLUDE_DIR}"
+  "${CMAKE_CURRENT_BINARY_DIR}"
+  "${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include"
+)
+
+set(
+  FALCO_DEPENDENCIES
+  string-view-lite
+  libyaml
+  b64
+  luajit
+  lpeg
+  lyaml
+)
+
+set(
+  FALCO_LIBRARIES
+  falco_engine
+  sinsp
+  "${LIBYAML_LIB}"
+  "${YAMLCPP_LIB}"
+)
+
+if(USE_BUNDLED_DEPS)
+  list(APPEND FALCO_DEPENDENCIES yamlcpp)
+endif()
+
+if(NOT MINIMAL_BUILD)
+  list(
+    APPEND FALCO_SOURCES
+    outputs_grpc.cpp
+    outputs_http.cpp
    webserver.cpp
    grpc_context.cpp
    grpc_server_impl.cpp
    grpc_request_context.cpp
    grpc_server.cpp
+    grpc_context.cpp
+    grpc_server_impl.cpp
    ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc
    ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
    ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc
    ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc
-    ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc)
+    ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc
+  )

-    add_dependencies(falco civetweb)
-endif()
+  list(
+    APPEND FALCO_INCLUDE_DIRECTORIES
+    "${CIVETWEB_INCLUDE_DIR}"
+    "${OPENSSL_INCLUDE_DIR}"
+    "${GRPC_INCLUDE}"
+    "${GRPCPP_INCLUDE}"
+    "${PROTOBUF_INCLUDE}"
+  )

-add_dependencies(falco string-view-lite)
+  list(APPEND FALCO_DEPENDENCIES civetweb)

-if(USE_BUNDLED_DEPS)
-  add_dependencies(falco yamlcpp)
-endif()
-
-if(MINIMAL_BUILD)
-  target_include_directories(
-    falco
-    PUBLIC
-      "${SYSDIG_SOURCE_DIR}/userspace/sysdig"
-      "${PROJECT_SOURCE_DIR}/userspace/engine"
-      "${PROJECT_BINARY_DIR}/userspace/falco"
-      "${PROJECT_BINARY_DIR}/driver/src"
-      "${STRING_VIEW_LITE_INCLUDE}"
-      "${YAMLCPP_INCLUDE_DIR}"
-      "${CMAKE_CURRENT_BINARY_DIR}"
-      "${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include")
-
-  target_link_libraries(
-    falco
-    falco_engine
-    sinsp
-    "${LIBYAML_LIB}"
-    "${YAMLCPP_LIB}")
-else()
-  target_include_directories(
-    falco
-    PUBLIC
-      "${SYSDIG_SOURCE_DIR}/userspace/sysdig"
-      "${PROJECT_SOURCE_DIR}/userspace/engine"
-      "${PROJECT_BINARY_DIR}/userspace/falco"
-      "${PROJECT_BINARY_DIR}/driver/src"
-      "${STRING_VIEW_LITE_INCLUDE}"
-      "${YAMLCPP_INCLUDE_DIR}"
-      "${CIVETWEB_INCLUDE_DIR}"
-      "${OPENSSL_INCLUDE_DIR}"
-      "${GRPC_INCLUDE}"
-      "${GRPCPP_INCLUDE}"
-      "${PROTOBUF_INCLUDE}"
-      "${CMAKE_CURRENT_BINARY_DIR}"
-      "${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include")
-
-  target_link_libraries(
-    falco
-    falco_engine
-    sinsp
+  list(
+    APPEND FALCO_LIBRARIES
    "${GPR_LIB}"
    "${GRPC_LIB}"
    "${GRPCPP_LIB}"
@@ -130,19 +101,66 @@ else()
    "${OPENSSL_LIBRARY_CRYPTO}"
    "${LIBYAML_LIB}"
    "${YAMLCPP_LIB}"
-    "${CIVETWEB_LIB}")
+    "${CIVETWEB_LIB}"
+  )
 endif()

-configure_file(config_falco.h.in config_falco.h)
+add_executable(
+  falco
+  ${FALCO_SOURCES}
+)
+
+add_dependencies(falco ${FALCO_DEPENDENCIES})
+
+target_link_libraries(
+  falco
+  ${FALCO_LIBRARIES}
+)
+
+target_include_directories(
+  falco
+  PUBLIC
+  ${FALCO_INCLUDE_DIRECTORIES}
+)

 if(NOT MINIMAL_BUILD)
  add_custom_command(
    TARGET falco
    COMMAND bash ${CMAKE_CURRENT_SOURCE_DIR}/verify_engine_fields.sh ${CMAKE_SOURCE_DIR}
    WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
-    COMMENT "Comparing engine fields checksum in falco_engine.h to actual fields")
+    COMMENT "Comparing engine fields checksum in falco_engine.h to actual fields"
+  )
 else()
-  MESSAGE(STATUS "Skipping engine fields checksum when building the minimal Falco.")
+  message(STATUS "Skipping engine fields checksum when building the minimal Falco.")
+endif()
+
+if(NOT MINIMAL_BUILD)
+  add_custom_command(
+    OUTPUT
+    ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.h
+    ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/version.pb.h
+    ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.h
+    ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.h
+    ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.h
+    COMMENT "Generate gRPC API"
+    # Falco gRPC Version API
+    DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
+    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
+    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
+    ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
+    # Falco gRPC Outputs API
+    DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
+    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
+    ${CMAKE_CURRENT_SOURCE_DIR}/schema.proto
+    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
+    ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
+    WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
+  )
 endif()

 # strip the Falco binary when releasing using musl
@@ -151,12 +169,8 @@ if(MUSL_OPTIMIZED_BUILD AND CMAKE_BUILD_TYPE STREQUAL "release")
    TARGET falco
    POST_BUILD
    COMMAND ${CMAKE_STRIP} --strip-unneeded falco
-    COMMENT "Strip the Falco binary when releasing the musl build")
+    COMMENT "Strip the Falco binary when releasing the musl build"
+  )
 endif()

 install(TARGETS falco DESTINATION ${FALCO_BIN_DIR})
-install(
-  DIRECTORY lua
-  DESTINATION ${FALCO_SHARE_DIR}
-  FILES_MATCHING
-  PATTERN *.lua)
--- a/userspace/falco/config_falco.h.in
+++ b/userspace/falco/config_falco.h.in
@@ -25,11 +25,9 @@ limitations under the License.
 #define FALCO_VERSION_PRERELEASE "@FALCO_VERSION_PRERELEASE@"
 #define FALCO_VERSION_BUILD "@FALCO_VERSION_BUILD@"

-#define FALCO_LUA_DIR "${CMAKE_INSTALL_PREFIX}/${FALCO_SHARE_DIR}/lua/"
 #define FALCO_SOURCE_DIR "${PROJECT_SOURCE_DIR}"
 #define FALCO_SOURCE_CONF_FILE "${PROJECT_SOURCE_DIR}/falco.yaml"
 #define FALCO_INSTALL_CONF_FILE "/etc/falco/falco.yaml"
-#define FALCO_SOURCE_LUA_DIR "${PROJECT_SOURCE_DIR}/userspace/falco/lua/"

 #define PROBE_NAME "@PROBE_NAME@"
 #define DRIVER_VERSION "@PROBE_VERSION@"
--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
@@ -52,7 +52,7 @@ void falco_configuration::init(list<string> &cmdline_options)
 {
 	init_cmdline_options(cmdline_options);

-	falco_outputs::output_config stdout_output;
+	falco::outputs::config stdout_output;
 	stdout_output.name = "stdout";
 	m_outputs.push_back(stdout_output);
 }
@@ -81,7 +81,7 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
 	m_json_output = m_config->get_scalar<bool>("json_output", false);
 	m_json_include_output_property = m_config->get_scalar<bool>("json_include_output_property", true);

-	falco_outputs::output_config file_output;
+	falco::outputs::config file_output;
 	file_output.name = "file";
 	if(m_config->get_scalar<bool>("file_output", "enabled", false))
 	{
@@ -99,21 +99,21 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
 		m_outputs.push_back(file_output);
 	}

-	falco_outputs::output_config stdout_output;
+	falco::outputs::config stdout_output;
 	stdout_output.name = "stdout";
 	if(m_config->get_scalar<bool>("stdout_output", "enabled", false))
 	{
 		m_outputs.push_back(stdout_output);
 	}

-	falco_outputs::output_config syslog_output;
+	falco::outputs::config syslog_output;
 	syslog_output.name = "syslog";
 	if(m_config->get_scalar<bool>("syslog_output", "enabled", false))
 	{
 		m_outputs.push_back(syslog_output);
 	}

-	falco_outputs::output_config program_output;
+	falco::outputs::config program_output;
 	program_output.name = "program";
 	if(m_config->get_scalar<bool>("program_output", "enabled", false))
 	{
@@ -131,7 +131,7 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
 		m_outputs.push_back(program_output);
 	}

-	falco_outputs::output_config http_output;
+	falco::outputs::config http_output;
 	http_output.name = "http";
 	if(m_config->get_scalar<bool>("http_output", "enabled", false))
 	{
@@ -159,7 +159,7 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
 	m_grpc_cert_chain = m_config->get_scalar<string>("grpc", "cert_chain", "/etc/falco/certs/server.crt");
 	m_grpc_root_certs = m_config->get_scalar<string>("grpc", "root_certs", "/etc/falco/certs/ca.crt");

-	falco_outputs::output_config grpc_output;
+	falco::outputs::config grpc_output;
 	grpc_output.name = "grpc";
 	// gRPC output is enabled only if gRPC server is enabled too
 	if(m_config->get_scalar<bool>("grpc_output", "enabled", true) && m_grpc_enabled)
@@ -176,6 +176,8 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio

 	falco_logger::set_level(m_log_level);

+	m_output_timeout = m_config->get_scalar<uint32_t>("output_timeout", 2000);
+
 	m_notifications_rate = m_config->get_scalar<uint32_t>("outputs", "rate", 1);
 	m_notifications_max_burst = m_config->get_scalar<uint32_t>("outputs", "max_burst", 1000);

--- a/userspace/falco/configuration.h
+++ b/userspace/falco/configuration.h
@@ -37,7 +37,7 @@ public:
 	{
 		m_path = path;
 		YAML::Node config;
-		std::vector<falco_outputs::output_config> outputs;
+		std::vector<falco::outputs::config> outputs;
 		try
 		{
 			m_root = YAML::LoadFile(path);
@@ -196,7 +196,7 @@ public:
 	bool m_json_output;
 	bool m_json_include_output_property;
 	std::string m_log_level;
-	std::vector<falco_outputs::output_config> m_outputs;
+	std::vector<falco::outputs::config> m_outputs;
 	uint32_t m_notifications_rate;
 	uint32_t m_notifications_max_burst;

@@ -204,6 +204,7 @@ public:

 	bool m_buffered_outputs;
 	bool m_time_format_iso_8601;
+	uint32_t m_output_timeout;

 	bool m_grpc_enabled;
 	uint32_t m_grpc_threadiness;
--- a/userspace/falco/event_drops.cpp
+++ b/userspace/falco/event_drops.cpp
@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2020 The Falco Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -15,6 +15,7 @@ limitations under the License.
 */

 #include "event_drops.h"
+#include "falco_common.h"
 #include "banned.h" // This raises a compilation error when certain functions are used

 syscall_evt_drop_mgr::syscall_evt_drop_mgr():
@@ -137,7 +138,7 @@ bool syscall_evt_drop_mgr::perform_actions(uint64_t now, scap_stats &delta, bool

 		case ACT_ALERT:
 			m_outputs->handle_msg(now,
-					      falco_outputs::PRIORITY_CRITICAL,
+					      falco_common::PRIORITY_CRITICAL,
 					      msg,
 					      rule,
 					      output_fields);
--- a/userspace/falco/falco.cpp
+++ b/userspace/falco/falco.cpp
@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2020 The Falco Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -36,7 +36,7 @@ limitations under the License.
 #include "logger.h"
 #include "utils.h"
 #include "chisel.h"
-#include "sysdig.h"
+#include "fields_info.h"

 #include "event_drops.h"
 #include "configuration.h"
@@ -86,6 +86,7 @@ static void usage()
 	   " -h, --help                    Print this page\n"
 	   " -c                            Configuration file (default " FALCO_SOURCE_CONF_FILE ", " FALCO_INSTALL_CONF_FILE ")\n"
 	   " -A                            Monitor all events, including those with EF_DROP_SIMPLE_CONS flag.\n"
+	   " --alternate-lua-dir <path>    Specify an alternate path for loading Falco lua files\n"
 	   " -b, --print-base64            Print data buffers in base64.\n"
 	   "                               This is useful for encoding binary data that needs to be used over media designed to.\n"
 	   " --cri <path>                  Path to CRI socket for container metadata.\n"
@@ -478,37 +479,38 @@ int falco_init(int argc, char **argv)
 #endif

 	static struct option long_options[] =
-	{
-		{"cri", required_argument, 0},
-        {"daemon", no_argument, 0, 'd'},
-        {"disable-cri-async", no_argument, 0, 0},
-        {"disable-source", required_argument, 0},
-        {"help", no_argument, 0, 'h'},
-        {"ignored-events", no_argument, 0, 'i'},
-        {"k8s-api-cert", required_argument, 0, 'K'},
-        {"k8s-api", required_argument, 0, 'k'},
-        {"list", optional_argument, 0},
-        {"mesos-api", required_argument, 0, 'm'},
-        {"option", required_argument, 0, 'o'},
-        {"pidfile", required_argument, 0, 'P'},
-        {"print-base64", no_argument, 0, 'b'},
-        {"print", required_argument, 0, 'p'},
-        {"snaplen", required_argument, 0, 'S'},
-        {"stats-interval", required_argument, 0},
-        {"support", no_argument, 0},
-        {"unbuffered", no_argument, 0, 'U'},
-        {"userspace", no_argument, 0, 'u'},
-        {"validate", required_argument, 0, 'V'},
-        {"version", no_argument, 0, 0},
-        {"writefile", required_argument, 0, 'w'},
-		{0, 0, 0, 0}
-	};
+		{
+			{"alternate-lua-dir", required_argument, 0},
+			{"cri", required_argument, 0},
+			{"daemon", no_argument, 0, 'd'},
+			{"disable-cri-async", no_argument, 0, 0},
+			{"disable-source", required_argument, 0},
+			{"help", no_argument, 0, 'h'},
+			{"ignored-events", no_argument, 0, 'i'},
+			{"k8s-api-cert", required_argument, 0, 'K'},
+			{"k8s-api", required_argument, 0, 'k'},
+			{"list", optional_argument, 0},
+			{"mesos-api", required_argument, 0, 'm'},
+			{"option", required_argument, 0, 'o'},
+			{"pidfile", required_argument, 0, 'P'},
+			{"print-base64", no_argument, 0, 'b'},
+			{"print", required_argument, 0, 'p'},
+			{"snaplen", required_argument, 0, 'S'},
+			{"stats-interval", required_argument, 0},
+			{"support", no_argument, 0},
+			{"unbuffered", no_argument, 0, 'U'},
+			{"userspace", no_argument, 0, 'u'},
+			{"validate", required_argument, 0, 'V'},
+			{"version", no_argument, 0, 0},
+			{"writefile", required_argument, 0, 'w'},
+			{0, 0, 0, 0}};

 	try
 	{
 		set<string> disabled_rule_substrings;
 		string substring;
 		string all_rules = "";
+		string alternate_lua_dir = FALCO_ENGINE_SOURCE_LUA_DIR;
 		set<string> disabled_rule_tags;
 		set<string> enabled_rule_tags;

@@ -686,6 +688,16 @@ int falco_init(int argc, char **argv)
 						disable_sources.insert(optarg);
 					}
 				}
+				else if (string(long_options[long_index].name)== "alternate-lua-dir")
+				{
+					if(optarg != NULL)
+					{
+						alternate_lua_dir = optarg;
+						if (alternate_lua_dir.back() != '/') {
+							alternate_lua_dir += '/';
+						}
+					}
+				}
 				break;

 			default:
@@ -721,7 +733,7 @@ int falco_init(int argc, char **argv)
 			return EXIT_SUCCESS;
 		}

-		engine = new falco_engine();
+		engine = new falco_engine(true, alternate_lua_dir);
 		engine->set_inspector(inspector);
 		engine->set_extra(output_format, replace_container_info);

@@ -750,8 +762,7 @@ int falco_init(int argc, char **argv)
 			}
 		}

-		outputs = new falco_outputs(engine);
-		outputs->set_inspector(inspector);
+		outputs = new falco_outputs();

 		// Some combinations of arguments are not allowed.
 		if (daemon && pidfilename == "") {
@@ -959,9 +970,9 @@ int falco_init(int argc, char **argv)
 			hostname = c_hostname;
 		}

-
 		outputs->init(config.m_json_output,
 			      config.m_json_include_output_property,
+			      config.m_output_timeout,
 			      config.m_notifications_rate, config.m_notifications_max_burst,
 			      config.m_buffered_outputs,
 			      config.m_time_format_iso_8601,
--- a/userspace/falco/falco_outputs.cpp
+++ b/userspace/falco/falco_outputs.cpp
@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2020 The Falco Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -24,24 +24,22 @@ limitations under the License.

 #include "formats.h"
 #include "logger.h"
+#include "watchdog.h"
+
+#include "outputs_file.h"
+#include "outputs_program.h"
+#include "outputs_stdout.h"
+#include "outputs_syslog.h"
 #ifndef MINIMAL_BUILD
-#include "falco_outputs_queue.h"
+#include "outputs_http.h"
+#include "outputs_grpc.h"
 #endif
+
 #include "banned.h" // This raises a compilation error when certain functions are used

 using namespace std;

-const static struct luaL_reg ll_falco_outputs [] =
-{
-#ifndef MINIMAL_BUILD
-	{"handle_http", &falco_outputs::handle_http},
-	{"handle_grpc", &falco_outputs::handle_grpc},
-#endif
-	{NULL, NULL}
-};
-
-falco_outputs::falco_outputs(falco_engine *engine):
-	m_falco_engine(engine),
+falco_outputs::falco_outputs():
 	m_initialized(false),
 	m_buffered(true),
 	m_json_output(false),
@@ -52,52 +50,37 @@ falco_outputs::falco_outputs(falco_engine *engine):

 falco_outputs::~falco_outputs()
 {
-	// Note: The assert()s in this destructor were previously places where
-	//       exceptions were thrown.  C++11 doesn't allow destructors to
-	//       emit exceptions; if they're thrown, they'll trigger a call
-	//       to 'terminate()'.  To maintain similar behavior, the exceptions
-	//       were replace with calls to 'assert()'
 	if(m_initialized)
 	{
-		lua_getglobal(m_ls, m_lua_output_cleanup.c_str());
-		if(!lua_isfunction(m_ls, -1))
+		this->stop_worker();
+		for(auto o : m_outputs)
 		{
-			falco_logger::log(LOG_ERR, std::string("No function ") + m_lua_output_cleanup + " found. ");
-			assert(nullptr == "Missing lua cleanup function in ~falco_outputs");
-		}
-
-		if(lua_pcall(m_ls, 0, 0, 0) != 0)
-		{
-			const char *lerr = lua_tostring(m_ls, -1);
-			falco_logger::log(LOG_ERR, std::string("lua_pcall failed, err: ") + lerr);
-			assert(nullptr == "lua_pcall failed in ~falco_outputs");
+			delete o;
 		}
 	}
 }

 void falco_outputs::init(bool json_output,
-			 bool json_include_output_property,
-			 uint32_t rate, uint32_t max_burst, bool buffered,
-			 bool time_format_iso_8601, string hostname)
+		  bool json_include_output_property,
+		  uint32_t timeout,
+		  uint32_t rate, uint32_t max_burst, bool buffered,
+		  bool time_format_iso_8601, std::string hostname)
 {
-	// The engine must have been given an inspector by now.
-	if(!m_inspector)
+	// Cannot be initialized more than one time.
+	if(m_initialized)
 	{
-		throw falco_exception("No inspector provided");
+		throw falco_exception("falco_outputs already initialized");
 	}

 	m_json_output = json_output;

-	falco_common::init(m_lua_main_filename.c_str(), FALCO_SOURCE_LUA_DIR);
+	// Note that falco_formats is already initialized by the engine,
+	// and the following json options are not used within the engine.
+	// So we can safely update them.
+	falco_formats::s_json_output = json_output;
+	falco_formats::s_json_include_output_property = json_include_output_property;

-	// Note that falco_formats is added to both the lua state used
-	// by the falco engine as well as the separate lua state used
-	// by falco outputs.
-	falco_formats::init(m_inspector, m_falco_engine, m_ls, json_output, json_include_output_property);
-
-	falco_logger::init(m_ls);
-
-	luaL_openlib(m_ls, "c_outputs", ll_falco_outputs, 0);
+	m_timeout = std::chrono::milliseconds(timeout);

 	m_notifications_tb.init(rate, max_burst);

@@ -105,43 +88,60 @@ void falco_outputs::init(bool json_output,
 	m_time_format_iso_8601 = time_format_iso_8601;
 	m_hostname = hostname;

+	m_worker_thread = std::thread(&falco_outputs::worker, this);
+
 	m_initialized = true;
 }

-void falco_outputs::add_output(output_config oc)
+// This function has to be called after init() since some configuration settings
+// need to be passed to the output plugins. Then, although the worker has started,
+// the worker is still on hold, waiting for a message.
+// Thus it is still safe to call add_output() before any message has been enqueued.
+void falco_outputs::add_output(falco::outputs::config oc)
 {
-	uint8_t nargs = 3;
-	lua_getglobal(m_ls, m_lua_add_output.c_str());
-
-	if(!lua_isfunction(m_ls, -1))
+	if(!m_initialized)
 	{
-		throw falco_exception("No function " + m_lua_add_output + " found. ");
-	}
-	lua_pushstring(m_ls, oc.name.c_str());
-	lua_pushnumber(m_ls, (m_buffered ? 1 : 0));
-	lua_pushnumber(m_ls, (m_time_format_iso_8601 ? 1 : 0));
-
-	// If we have options, build up a lua table containing them
-	if(oc.options.size())
-	{
-		nargs = 4;
-		lua_createtable(m_ls, 0, oc.options.size());
-
-		for(auto it = oc.options.cbegin(); it != oc.options.cend(); ++it)
-		{
-			lua_pushstring(m_ls, (*it).second.c_str());
-			lua_setfield(m_ls, -2, (*it).first.c_str());
-		}
+		throw falco_exception("cannot add output: falco_outputs not initialized yet");
 	}

-	if(lua_pcall(m_ls, nargs, 0, 0) != 0)
+	falco::outputs::abstract_output *oo;
+
+	if(oc.name == "file")
 	{
-		const char *lerr = lua_tostring(m_ls, -1);
-		throw falco_exception(string(lerr));
+		oo = new falco::outputs::output_file();
 	}
+	else if(oc.name == "program")
+	{
+		oo = new falco::outputs::output_program();
+	}
+	else if(oc.name == "stdout")
+	{
+		oo = new falco::outputs::output_stdout();
+	}
+	else if(oc.name == "syslog")
+	{
+		oo = new falco::outputs::output_syslog();
+	}
+#ifndef MINIMAL_BUILD
+	else if(oc.name == "http")
+	{
+		oo = new falco::outputs::output_http();
+	}
+	else if(oc.name == "grpc")
+	{
+		oo = new falco::outputs::output_grpc();
+	}
+#endif
+	else
+	{
+		throw falco_exception("Output not supported: " + oc.name);
+	}
+
+	oo->init(oc, m_buffered, m_hostname);
+	m_outputs.push_back(oo);
 }

-void falco_outputs::handle_event(gen_event *ev, string &rule, string &source,
+void falco_outputs::handle_event(gen_event *evt, string &rule, string &source,
 				 falco_common::priority_type priority, string &format)
 {
 	if(!m_notifications_tb.claim())
@@ -150,70 +150,96 @@ void falco_outputs::handle_event(gen_event *ev, string &rule, string &source,
 		return;
 	}

-	std::lock_guard<std::mutex> guard(m_ls_semaphore);
-	lua_getglobal(m_ls, m_lua_output_event.c_str());
+	falco_outputs::ctrl_msg cmsg = {};
+	cmsg.ts = evt->get_ts();
+	cmsg.priority = priority;
+	cmsg.source = source;
+	cmsg.rule = rule;

-	if(lua_isfunction(m_ls, -1))
+	string sformat;
+	if(source == "syscall")
 	{
-		lua_pushlightuserdata(m_ls, ev);
-		lua_pushstring(m_ls, rule.c_str());
-		lua_pushstring(m_ls, source.c_str());
-		lua_pushstring(m_ls, falco_common::priority_names[priority].c_str());
-		lua_pushnumber(m_ls, priority);
-		lua_pushstring(m_ls, format.c_str());
-		lua_pushstring(m_ls, m_hostname.c_str());
-
-		if(lua_pcall(m_ls, 7, 0, 0) != 0)
+		if(m_time_format_iso_8601)
 		{
-			const char *lerr = lua_tostring(m_ls, -1);
-			string err = "Error invoking function output: " + string(lerr);
-			throw falco_exception(err);
+			sformat = "*%evt.time.iso8601: " + falco_common::priority_names[priority];
+		}
+		else
+		{
+			sformat = "*%evt.time: " + falco_common::priority_names[priority];
 		}
 	}
 	else
 	{
-		throw falco_exception("No function " + m_lua_output_event + " found in lua compiler module");
+		if(m_time_format_iso_8601)
+		{
+			sformat = "*%jevt.time.iso8601: " + falco_common::priority_names[priority];
+		}
+		else
+		{
+			sformat = "*%jevt.time: " + falco_common::priority_names[priority];
+		}
 	}
+
+	// if format starts with a *, remove it, as we added our own prefix
+	if(format[0] == '*')
+	{
+		sformat += " " + format.substr(1, format.length() - 1);
+	}
+	else
+	{
+		sformat += " " + format;
+	}
+
+	cmsg.msg = falco_formats::format_event(evt, rule, source, falco_common::priority_names[priority], sformat);
+	cmsg.fields = falco_formats::resolve_tokens(evt, source, sformat);
+
+	cmsg.type = ctrl_msg_type::CTRL_MSG_OUTPUT;
+	m_queue.push(cmsg);
 }

-void falco_outputs::handle_msg(uint64_t now,
+void falco_outputs::handle_msg(uint64_t ts,
 			       falco_common::priority_type priority,
 			       std::string &msg,
 			       std::string &rule,
 			       std::map<std::string, std::string> &output_fields)
 {
-	std::string full_msg;
+	falco_outputs::ctrl_msg cmsg = {};
+	cmsg.ts = ts;
+	cmsg.priority = priority;
+	cmsg.source = "internal";
+	cmsg.rule = rule;
+	cmsg.fields = output_fields;

 	if(m_json_output)
 	{
 		nlohmann::json jmsg;

 		// Convert the time-as-nanoseconds to a more json-friendly ISO8601.
-		time_t evttime = now / 1000000000;
+		time_t evttime = ts / 1000000000;
 		char time_sec[20]; // sizeof "YYYY-MM-DDTHH:MM:SS"
 		char time_ns[12];  // sizeof ".sssssssssZ"
 		string iso8601evttime;

 		strftime(time_sec, sizeof(time_sec), "%FT%T", gmtime(&evttime));
-		snprintf(time_ns, sizeof(time_ns), ".%09luZ", now % 1000000000);
+		snprintf(time_ns, sizeof(time_ns), ".%09luZ", ts % 1000000000);
 		iso8601evttime = time_sec;
 		iso8601evttime += time_ns;

 		jmsg["output"] = msg;
-		jmsg["priority"] = "Critical";
+		jmsg["priority"] = falco_common::priority_names[priority];
 		jmsg["rule"] = rule;
 		jmsg["time"] = iso8601evttime;
 		jmsg["output_fields"] = output_fields;

-		full_msg = jmsg.dump();
+		cmsg.msg = jmsg.dump();
 	}
 	else
 	{
 		std::string timestr;
 		bool first = true;

-		sinsp_utils::ts_to_string(now, &timestr, false, true);
-		full_msg = timestr + ": " + falco_common::priority_names[LOG_CRIT] + " " + msg + " (";
+		sinsp_utils::ts_to_string(ts, &timestr, false, true);
+		cmsg.msg = timestr + ": " + falco_common::priority_names[priority] + " " + msg + " (";
 		for(auto &pair : output_fields)
 		{
 			if(first)
@@ -222,158 +248,95 @@ void falco_outputs::handle_msg(uint64_t now,
 			}
 			else
 			{
-				full_msg += " ";
+				cmsg.msg += " ";
 			}
-			full_msg += pair.first + "=" + pair.second;
+			cmsg.msg += pair.first + "=" + pair.second;
 		}
-		full_msg += ")";
+		cmsg.msg += ")";
 	}

-	std::lock_guard<std::mutex> guard(m_ls_semaphore);
-	lua_getglobal(m_ls, m_lua_output_msg.c_str());
-	if(lua_isfunction(m_ls, -1))
-	{
-		lua_pushstring(m_ls, full_msg.c_str());
-		lua_pushstring(m_ls, falco_common::priority_names[priority].c_str());
-		lua_pushnumber(m_ls, priority);
+	cmsg.type = ctrl_msg_type::CTRL_MSG_OUTPUT;
+	m_queue.push(cmsg);
+}

-		if(lua_pcall(m_ls, 3, 0, 0) != 0)
-		{
-			const char *lerr = lua_tostring(m_ls, -1);
-			string err = "Error invoking function output: " + string(lerr);
-			throw falco_exception(err);
-		}
-	}
-	else
-	{
-		throw falco_exception("No function " + m_lua_output_msg + " found in lua compiler module");
-	}
+void falco_outputs::cleanup_outputs()
+{
+	this->push(falco_outputs::ctrl_msg_type::CTRL_MSG_CLEANUP);
 }

 void falco_outputs::reopen_outputs()
 {
-	lua_getglobal(m_ls, m_lua_output_reopen.c_str());
-	if(!lua_isfunction(m_ls, -1))
-	{
-		throw falco_exception("No function " + m_lua_output_reopen + " found. ");
-	}
+	this->push(falco_outputs::ctrl_msg_type::CTRL_MSG_REOPEN);
+}

-	if(lua_pcall(m_ls, 0, 0, 0) != 0)
+void falco_outputs::stop_worker()
+{
+	watchdog<void *> wd;
+	wd.start([&](void *) -> void {
+		falco_logger::log(LOG_NOTICE, "output channels still blocked, discarding all remaining notifications\n");
+		m_queue.clear();
+		this->push(falco_outputs::ctrl_msg_type::CTRL_MSG_STOP);
+	});
+	wd.set_timeout(m_timeout, nullptr);
+
+	this->push(falco_outputs::ctrl_msg_type::CTRL_MSG_STOP);
+	if(m_worker_thread.joinable())
 	{
-		const char *lerr = lua_tostring(m_ls, -1);
-		throw falco_exception(string(lerr));
+		m_worker_thread.join();
 	}
 }

-#ifndef MINIMAL_BUILD
-int falco_outputs::handle_http(lua_State *ls)
+inline void falco_outputs::push(ctrl_msg_type cmt)
 {
-	CURL *curl = NULL;
-	CURLcode res = CURLE_FAILED_INIT;
-	struct curl_slist *slist1;
-	slist1 = NULL;
+	falco_outputs::ctrl_msg cmsg = {};
+	cmsg.type = cmt;
+	m_queue.push(cmsg);
+}

-	if(!lua_isstring(ls, -1) ||
-	   !lua_isstring(ls, -2))
+// todo(leogr,leodido): this function is not supposed to throw exceptions, and with "noexcept",
+// the program is terminated if that occurs. Although that's the wanted behavior,
+// we still need to improve the error reporting since some inner functions can throw exceptions.
+void falco_outputs::worker() noexcept
+{
+	watchdog<std::string> wd;
+	wd.start([&](std::string payload) -> void {
+		falco_logger::log(LOG_CRIT, "\"" + payload + "\" output timeout, all output channels are blocked\n");
+	});
+
+	auto timeout = m_timeout;
+
+	falco_outputs::ctrl_msg cmsg;
+	do
 	{
-		lua_pushstring(ls, "Invalid arguments passed to handle_http()");
-		lua_error(ls);
-	}
+		// Block until a message becomes available.
+		m_queue.pop(cmsg);

-	string url = (char *)lua_tostring(ls, 1);
-	string msg = (char *)lua_tostring(ls, 2);
-
-	curl = curl_easy_init();
-	if(curl)
-	{
-		slist1 = curl_slist_append(slist1, "Content-Type: application/json");
-		curl_easy_setopt(curl, CURLOPT_HTTPHEADER, slist1);
-		curl_easy_setopt(curl, CURLOPT_URL, url.c_str());
-		curl_easy_setopt(curl, CURLOPT_POSTFIELDS, msg.c_str());
-		curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, -1L);
-
-		res = curl_easy_perform(curl);
-
-		if(res != CURLE_OK)
+		for(const auto o : m_outputs)
 		{
-			falco_logger::log(LOG_ERR, "libcurl error: " + string(curl_easy_strerror(res)));
+			wd.set_timeout(timeout, o->get_name());
+			try
+			{
+				switch(cmsg.type)
+				{
+					case ctrl_msg_type::CTRL_MSG_OUTPUT:
+						o->output(&cmsg);
+						break;
+					case ctrl_msg_type::CTRL_MSG_CLEANUP:
+					case ctrl_msg_type::CTRL_MSG_STOP:
+						o->cleanup();
+						break;
+					case ctrl_msg_type::CTRL_MSG_REOPEN:
+						o->reopen();
+						break;
+					default:
+						falco_logger::log(LOG_DEBUG, "Outputs worker received an unknown message type\n");	
+				}
+			}
+			catch(const exception &e)
+			{
+				falco_logger::log(LOG_ERR, o->get_name() + ": " + string(e.what()) + "\n");
+			}
 		}
-		curl_easy_cleanup(curl);
-		curl = NULL;
-		curl_slist_free_all(slist1);
-		slist1 = NULL;
-	}
-	return 1;
+		wd.cancel_timeout();
+	} while(cmsg.type != ctrl_msg_type::CTRL_MSG_STOP);
 }
-
-int falco_outputs::handle_grpc(lua_State *ls)
-{
-	// check parameters
-	if(!lua_islightuserdata(ls, -8) ||
-	   !lua_isstring(ls, -7) ||
-	   !lua_isstring(ls, -6) ||
-	   !lua_isstring(ls, -5) ||
-	   !lua_isstring(ls, -4) ||
-	   !lua_istable(ls, -3) ||
-	   !lua_isstring(ls, -2) ||
-	   !lua_istable(ls, -1))
-	{
-		lua_pushstring(ls, "Invalid arguments passed to handle_grpc()");
-		lua_error(ls);
-	}
-
-	falco::outputs::response grpc_res;
-
-	// time
-	gen_event *evt = (gen_event *)lua_topointer(ls, 1);
-	auto timestamp = grpc_res.mutable_time();
-	*timestamp = google::protobuf::util::TimeUtil::NanosecondsToTimestamp(evt->get_ts());
-
-	// rule
-	auto rule = grpc_res.mutable_rule();
-	*rule = (char *)lua_tostring(ls, 2);
-
-	// source
-	falco::schema::source s = falco::schema::source::SYSCALL;
-	string sstr = (char *)lua_tostring(ls, 3);
-	if(!falco::schema::source_Parse(sstr, &s))
-	{
-		lua_pushstring(ls, "Unknown source passed to to handle_grpc()");
-		lua_error(ls);
-	}
-	grpc_res.set_source(s);
-
-	// priority
-	falco::schema::priority p = falco::schema::priority::EMERGENCY;
-	string pstr = (char *)lua_tostring(ls, 4);
-	if(!falco::schema::priority_Parse(pstr, &p))
-	{
-		lua_pushstring(ls, "Unknown priority passed to to handle_grpc()");
-		lua_error(ls);
-	}
-	grpc_res.set_priority(p);
-
-	// output
-	auto output = grpc_res.mutable_output();
-	*output = (char *)lua_tostring(ls, 5);
-
-	// output fields
-	auto &fields = *grpc_res.mutable_output_fields();
-
-	lua_pushnil(ls); // so that lua_next removes it from stack and puts (k, v) on it
-	while(lua_next(ls, 6) != 0)
-	{
-		fields[lua_tostring(ls, -2)] = lua_tostring(ls, -1);
-		lua_pop(ls, 1); // remove value, keep key for lua_next
-	}
-	lua_pop(ls, 1); // pop table
-
-	// hostname
-	auto host = grpc_res.mutable_hostname();
-	*host = (char *)lua_tostring(ls, 7);
-
-	falco::outputs::queue::get().push(grpc_res);
-
-	return 1;
-}
-#endif
--- a/userspace/falco/falco_outputs.h
+++ b/userspace/falco/falco_outputs.h
@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2020 The Falco Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -19,84 +19,81 @@ limitations under the License.
 #include <memory>
 #include <map>

-extern "C" {
-#include "lua.h"
-#include "lualib.h"
-#include "lauxlib.h"
-}
-
 #include "gen_filter.h"
 #include "json_evt.h"
 #include "falco_common.h"
 #include "token_bucket.h"
 #include "falco_engine.h"
+#include "outputs.h"
+#include "tbb/concurrent_queue.h"

 //
 // This class acts as the primary interface between a program and the
 // falco output engine. The falco rules engine is implemented by a
 // separate class falco_engine.
 //
-
-class falco_outputs : public falco_common
+class falco_outputs
 {
 public:
-	falco_outputs(falco_engine *engine);
+	falco_outputs();
 	virtual ~falco_outputs();

-	// The way to refer to an output (file, syslog, stdout, etc.)
-	// An output has a name and set of options.
-	struct output_config
-	{
-		std::string name;
-		std::map<std::string, std::string> options;
-	};
-
 	void init(bool json_output,
 		  bool json_include_output_property,
+		  uint32_t timeout,
 		  uint32_t rate, uint32_t max_burst, bool buffered,
 		  bool time_format_iso_8601, std::string hostname);

-	void add_output(output_config oc);
+	void add_output(falco::outputs::config oc);

-	//
-	// ev is an event that has matched some rule. Pass the event
-	// to all configured outputs.
-	//
-	void handle_event(gen_event *ev, std::string &rule, std::string &source,
+	// Format then send the event to all configured outputs (`evt` is an event that has matched some rule).
+	void handle_event(gen_event *evt, std::string &rule, std::string &source,
 			  falco_common::priority_type priority, std::string &format);

-	// Send a generic message to all outputs. Not necessarily associated with any event.
+	// Format then send a generic message to all outputs. Not necessarily associated with any event.
 	void handle_msg(uint64_t now,
 			falco_common::priority_type priority,
 			std::string &msg,
 			std::string &rule,
-			std::map<std::string,std::string> &output_fields);
+			std::map<std::string, std::string> &output_fields);
+
+	void cleanup_outputs();

 	void reopen_outputs();

-#ifndef MINIMAL_BUILD
-	static int handle_http(lua_State *ls);
-	static int handle_grpc(lua_State *ls);
-#endif
-
 private:
-
-	falco_engine *m_falco_engine;
-
 	bool m_initialized;

+	std::vector<falco::outputs::abstract_output *> m_outputs;
+
 	// Rate limits notifications
 	token_bucket m_notifications_tb;

 	bool m_buffered;
 	bool m_json_output;
 	bool m_time_format_iso_8601;
+	std::chrono::milliseconds m_timeout;
 	std::string m_hostname;

-	std::string m_lua_add_output = "add_output";
-	std::string m_lua_output_event = "output_event";
-	std::string m_lua_output_msg = "output_msg";
-	std::string m_lua_output_cleanup = "output_cleanup";
-	std::string m_lua_output_reopen = "output_reopen";
-	std::string m_lua_main_filename = "output.lua";
+	enum ctrl_msg_type
+	{
+		CTRL_MSG_STOP = 0,
+		CTRL_MSG_OUTPUT = 1,
+		CTRL_MSG_CLEANUP = 2,
+		CTRL_MSG_REOPEN = 3,
+	};
+
+	struct ctrl_msg : falco::outputs::message
+	{
+		ctrl_msg_type type;
+	};
+
+	typedef tbb::concurrent_bounded_queue<ctrl_msg> falco_outputs_cbq;
+
+	falco_outputs_cbq m_queue;
+
+	std::thread m_worker_thread;
+	inline void push(ctrl_msg_type cmt);
+	void worker() noexcept;
+	void stop_worker();
 };
--- a/userspace/falco/falco_outputs_queue.h
+++ b/userspace/falco/falco_outputs_queue.h
@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors
+Copyright (C) 2020 The Falco Authors

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -21,9 +21,9 @@ limitations under the License.

 namespace falco
 {
-namespace outputs
+namespace grpc
 {
-typedef tbb::concurrent_queue<response> response_cq;
+typedef tbb::concurrent_queue<outputs::response> response_cq;

 class queue
 {
@@ -34,12 +34,12 @@ public:
 		return instance;
 	}

-	bool try_pop(response& res)
+	bool try_pop(outputs::response& res)
 	{
 		return m_queue.try_pop(res);
 	}

-	void push(response& res)
+	void push(outputs::response& res)
 	{
 		m_queue.push(res);
 	}
@@ -56,5 +56,5 @@ public:
 	queue(queue const&) = delete;
 	void operator=(queue const&) = delete;
 };
-} // namespace output
+} // namespace grpc
 } // namespace falco
--- a/userspace/falco/grpc_server_impl.cpp
+++ b/userspace/falco/grpc_server_impl.cpp
@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors
+Copyright (C) 2020 The Falco Authors

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -16,7 +16,7 @@ limitations under the License.

 #include "config_falco.h"
 #include "grpc_server_impl.h"
-#include "falco_outputs_queue.h"
+#include "grpc_queue.h"
 #include "logger.h"
 #include "banned.h" // This raises a compilation error when certain functions are used

@@ -44,7 +44,7 @@ void falco::grpc::server_impl::get(const stream_context& ctx, const outputs::req
 	// m_status == stream_context::STREAMING?
 	// todo(leodido) > set m_stream

-	ctx.m_has_more = outputs::queue::get().try_pop(res);
+	ctx.m_has_more = queue::get().try_pop(res);
 }

 void falco::grpc::server_impl::sub(const bidi_context& ctx, const outputs::request& req, outputs::response& res)
@@ -61,7 +61,7 @@ void falco::grpc::server_impl::sub(const bidi_context& ctx, const outputs::reque
 	// m_status == stream_context::STREAMING?
 	// todo(leodido) > set m_stream

-	ctx.m_has_more = outputs::queue::get().try_pop(res);
+	ctx.m_has_more = queue::get().try_pop(res);
 }

 void falco::grpc::server_impl::version(const context& ctx, const version::request&, version::response& res)
--- a/userspace/falco/logger.cpp
+++ b/userspace/falco/logger.cpp
@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2020 The Falco Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -16,25 +16,13 @@ limitations under the License.

 #include <ctime>
 #include "logger.h"
-#include "chisel_api.h"

 #include "falco_common.h"
 #include "banned.h" // This raises a compilation error when certain functions are used

-const static struct luaL_reg ll_falco [] =
-{
-	{"syslog", &falco_logger::syslog},
-	{NULL,NULL}
-};
-
 int falco_logger::level = LOG_INFO;
 bool falco_logger::time_format_iso_8601 = false;

-void falco_logger::init(lua_State *ls)
-{
-	luaL_openlib(ls, "falco", ll_falco, 0);
-}
-
 void falco_logger::set_time_format_iso_8601(bool val)
 {
 	falco_logger::time_format_iso_8601 = val;
@@ -81,19 +69,6 @@ void falco_logger::set_level(string &level)
 }


-int falco_logger::syslog(lua_State *ls) {
-	int priority = luaL_checknumber(ls, 1);
-
-	if (priority > LOG_DEBUG) {
-		return luaL_argerror(ls, 1, "falco.syslog: priority must be a number between 0 and 7");
-	}
-
-	const char *msg = luaL_checkstring(ls, 2);
-	::syslog(priority, "%s", msg);
-
-	return 0;
-}
-
 bool falco_logger::log_stderr = true;
 bool falco_logger::log_syslog = true;

--- a/userspace/falco/logger.h
+++ b/userspace/falco/logger.h
@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2020 The Falco Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -19,25 +19,15 @@ limitations under the License.
 #include "sinsp.h"
 #include <syslog.h>

-extern "C" {
-#include "lua.h"
-#include "lualib.h"
-#include "lauxlib.h"
-}
-
 class falco_logger
 {
 public:
-	static void init(lua_State *ls);

 	static void set_time_format_iso_8601(bool val);

 	// Will throw exception if level is unknown.
 	static void set_level(string &level);

-	// value = falco.syslog(level, message)
-	static int syslog(lua_State *ls);
-
 	static void log(int priority, const string msg);

 	static int level;
--- a/userspace/falco/lua/.gitignore
+++ b/userspace/falco/lua/.gitignore
@@ -1 +0,0 @@
-lyaml*
--- a/userspace/falco/lua/output.lua
+++ b/userspace/falco/lua/output.lua
@@ -1,271 +0,0 @@
-- Copyright (C) 2019 The Falco Authors.
--
-- Licensed under the Apache License, Version 2.0 (the "License");
-- you may not use this file except in compliance with the License.
-- You may obtain a copy of the License at
--
--     http://www.apache.org/licenses/LICENSE-2.0
--
-- Unless required by applicable law or agreed to in writing, software
-- distributed under the License is distributed on an "AS IS" BASIS,
-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-- See the License for the specific language governing permissions and
-- limitations under the License.
--
-
-local mod = {}
-
-local outputs = {}
-
-function mod.stdout(event, rule, source, priority, priority_num, msg, format, hostname, options)
-   mod.stdout_message(priority, priority_num, msg, options)
-end
-
-function mod.stdout_message(priority, priority_num, msg, options)
-   if options.buffered == 0 then
-      io.stdout:setvbuf "no"
-   end
-   print(msg)
-end
-
-function mod.stdout_cleanup()
-   io.stdout:flush()
-end
-
-- Note: not actually closing/reopening stdout
-function mod.stdout_reopen(options)
-end
-
-function mod.file_validate(options)
-   if (not type(options.filename) == "string") then
-      error("File output needs to be configured with a valid filename")
-   end
-
-   local file, err = io.open(options.filename, "a+")
-   if file == nil then
-      error("Error with file output: " .. err)
-   end
-   file:close()
-end
-
-function mod.file_open(options)
-   if ffile == nil then
-      ffile = io.open(options.filename, "a+")
-      if options.buffered == 0 then
-         ffile:setvbuf "no"
-      end
-   end
-end
-
-function mod.file(event, rule, source, priority, priority_num, msg, format, hostname, options)
-   mod.file_message(priority, priority_num, msg, options)
-end
-
-function mod.file_message(priority, priority_num, msg, options)
-   if options.keep_alive == "true" then
-      mod.file_open(options)
-   else
-      ffile = io.open(options.filename, "a+")
-   end
-
-   ffile:write(msg, "\n")
-
-   if options.keep_alive == nil or options.keep_alive ~= "true" then
-      ffile:close()
-      ffile = nil
-   end
-end
-
-function mod.file_cleanup()
-   if ffile ~= nil then
-      ffile:flush()
-      ffile:close()
-      ffile = nil
-   end
-end
-
-function mod.file_reopen(options)
-   if options.keep_alive == "true" then
-      mod.file_cleanup()
-      mod.file_open(options)
-   end
-end
-
-function mod.syslog(event, rule, source, priority, priority_num, msg, format, hostname, options)
-   mod.syslog_message(priority, priority_num, msg, options)
-end
-
-function mod.syslog_message(priority, priority_num, msg, options)
-   falco.syslog(priority_num, msg)
-end
-
-function mod.syslog_cleanup()
-end
-
-function mod.syslog_reopen()
-end
-
-function mod.program_open(options)
-   if pfile == nil then
-      pfile = io.popen(options.program, "w")
-      if options.buffered == 0 then
-         pfile:setvbuf "no"
-      end
-   end
-end
-
-function mod.program(event, rule, source, priority, priority_num, msg, format, hostname, options)
-   mod.program_message(priority, priority_num, msg, options)
-end
-
-function mod.program_message(priority, priority_num, msg, options)
-   -- XXX Ideally we'd check that the program ran
-   -- successfully. However, the luajit we're using returns true even
-   -- when the shell can't run the program.
-
-   -- Note: options are all strings
-   if options.keep_alive == "true" then
-      mod.program_open(options)
-   else
-      pfile = io.popen(options.program, "w")
-   end
-
-   pfile:write(msg, "\n")
-
-   if options.keep_alive == nil or options.keep_alive ~= "true" then
-      pfile:close()
-      pfile = nil
-   end
-end
-
-function mod.program_cleanup()
-   if pfile ~= nil then
-      pfile:flush()
-      pfile:close()
-      pfile = nil
-   end
-end
-
-function mod.program_reopen(options)
-   if options.keep_alive == "true" then
-      mod.program_cleanup()
-      mod.program_open(options)
-   end
-end
-
-function mod.http(event, rule, source, priority, priority_num, msg, format, hostname, options)
-   mod.http_message(priority, priority_num, msg, options)
-end
-
-function mod.http_message(priority, priority_num, msg, options)
-   c_outputs.handle_http(options.url, msg)
-end
-
-function mod.http_cleanup()
-end
-
-function mod.http_reopen()
-end
-
-function mod.grpc(event, rule, source, priority, priority_num, msg, format, hostname, options)
-   fields = formats.resolve_tokens(event, source, format)
-   c_outputs.handle_grpc(event, rule, source, priority, msg, fields, hostname, options)
-end
-
-function mod.grpc_message(priority, priority_num, msg, options)
-   -- todo(fntlnz, leodido) > gRPC does not support subscribing to dropped events yet
-end
-
-
-function mod.grpc_cleanup()
-end
-
-function mod.grpc_reopen()
-end
-
-function output_event(event, rule, source, priority, priority_num, format, hostname)
-   -- If format starts with a *, remove it, as we're adding our own
-   -- prefix here.
-   if format:sub(1, 1) == "*" then
-      format = format:sub(2)
-   end
-
-   -- time_format_iso_8601 will be the same for all output channels
-   time_format_iso_8601 = 0
-
-   for index, o in ipairs(outputs) do
-      time_format_iso_8601 = o.options.time_format_iso_8601
-      break
-   end
-
-   if source == "syscall" then
-      if time_format_iso_8601 == 1 then
-         format = "*%evt.time.iso8601: " .. priority .. " " .. format
-      else
-         format = "*%evt.time: " .. priority .. " " .. format
-      end
-   else
-      if time_format_iso_8601 == 1 then
-         format = "*%jevt.time.iso8601: " .. priority .. " " .. format
-      else
-         format = "*%jevt.time: " .. priority .. " " .. format
-      end
-   end
-
-   msg = formats.format_event(event, rule, source, priority, format)
-
-   for index, o in ipairs(outputs) do
-      o.output(event, rule, source, priority, priority_num, msg, format, hostname, o.options)
-   end
-end
-
-function output_msg(msg, priority, priority_num)
-   for index, o in ipairs(outputs) do
-      o.message(priority, priority_num, msg, o.options)
-   end
-end
-
-function output_cleanup()
-   formats.free_formatters()
-   for index, o in ipairs(outputs) do
-      o.cleanup()
-   end
-end
-
-function output_reopen()
-   for index, o in ipairs(outputs) do
-      o.reopen(o.options)
-   end
-end
-
-function add_output(output_name, buffered, time_format_iso_8601, options)
-   if not (type(mod[output_name]) == "function") then
-      error("rule_loader.add_output(): invalid output_name: " .. output_name)
-   end
-
-   -- outputs can optionally define a validation function so that we don't
-   -- find out at runtime (when an event finally matches a rule!) that the options are invalid
-   if (type(mod[output_name .. "_validate"]) == "function") then
-      mod[output_name .. "_validate"](options)
-   end
-
-   if options == nil then
-      options = {}
-   end
-
-   options.buffered = buffered
-   options.time_format_iso_8601 = time_format_iso_8601
-
-   table.insert(
-      outputs,
-      {
-         output = mod[output_name],
-         cleanup = mod[output_name .. "_cleanup"],
-         reopen = mod[output_name .. "_reopen"],
-         message = mod[output_name .. "_message"],
-         options = options
-      }
-   )
-end
-
-return mod
--- a/userspace/falco/lua/test.lua
+++ b/userspace/falco/lua/test.lua
@@ -1,44 +0,0 @@
-- Copyright (C) 2019 The Falco Authors.
--
-- Licensed under the Apache License, Version 2.0 (the "License");
-- you may not use this file except in compliance with the License.
-- You may obtain a copy of the License at
--
--     http://www.apache.org/licenses/LICENSE-2.0
--
-- Unless required by applicable law or agreed to in writing, software
-- distributed under the License is distributed on an "AS IS" BASIS,
-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-- See the License for the specific language governing permissions and
-- limitations under the License.
--
-
-local parser = require "parser"
-
-if #arg ~= 1 then
-    print("Usage: test.lua <string>")
-    os.exit(1)
-end
-
-local macros = {}
-local ast
-
-local function doit(line)
-   ast = parser.parse_filter(line)
-
-   if not ast then
-      print("error", error_msg)
-      os.exit(1)
-   end
-
-end
-for str in string.gmatch(arg[1], "([^;]+)") do
-   doit(str)
-end
-
-if (ast and ast.type) then
-   parser.print_ast(ast)
-end
-
-os.exit(0)
-
--- a/userspace/falco/outputs.h
+++ b/userspace/falco/outputs.h
@@ -0,0 +1,94 @@
+/*
+Copyright (C) 2020 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#pragma once
+
+#include <string>
+#include <map>
+
+#include "falco_common.h"
+#include "gen_filter.h"
+
+namespace falco
+{
+namespace outputs
+{
+
+//
+// The way to refer to an output (file, syslog, stdout, etc.)
+// An output has a name and set of options.
+//
+struct config
+{
+	std::string name;
+	std::map<std::string, std::string> options;
+};
+
+//
+// The message to be outputted. It can either refer to:
+//  - an event that has matched some rule,
+//  - or a generic message (e.g., a drop alert).
+//
+struct message
+{
+	uint64_t ts;
+	falco_common::priority_type priority;
+	std::string msg;
+	std::string rule;
+	std::string source;
+	map<std::string, std::string> fields;
+};
+
+//
+// This class acts as the primary interface for implementing
+// a Falco output class.
+//
+
+class abstract_output
+{
+public:
+	virtual ~abstract_output() {}
+
+	void init(config oc, bool buffered, std::string hostname)
+	{
+		m_oc = oc;
+		m_buffered = buffered;
+		m_hostname = hostname;
+	}
+
+	// Return the output's name as per its configuration.
+	const std::string get_name() const
+	{
+		return m_oc.name;
+	}
+
+	// Output a message.
+	virtual void output(const message *msg) = 0;
+
+	// Possibly close the output and open it again.
+	virtual void reopen() {}
+
+	// Possibly flush the output.
+	virtual void cleanup() {}
+
+protected:
+	config m_oc;
+	bool m_buffered;
+	std::string m_hostname;
+};
+
+} // namespace outputs
+} // namespace falco
--- a/userspace/falco/outputs_file.cpp
+++ b/userspace/falco/outputs_file.cpp
@@ -0,0 +1,57 @@
+/*
+Copyright (C) 2020 The Falco Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "outputs_file.h"
+#include <iostream>
+#include <fstream>
+#include "banned.h" // This raises a compilation error when certain functions are used
+
+void falco::outputs::output_file::open_file()
+{
+	if(!m_buffered)
+	{
+		m_outfile.rdbuf()->pubsetbuf(0, 0);
+	}
+	if(!m_outfile.is_open())
+	{
+		m_outfile.open(m_oc.options["filename"], fstream::app);
+	}
+}
+
+void falco::outputs::output_file::output(const message *msg)
+{
+	open_file();
+	m_outfile << msg->msg + "\n";
+
+	if(m_oc.options["keep_alive"] != "true")
+	{
+		cleanup();
+	}
+}
+
+void falco::outputs::output_file::cleanup()
+{
+	if(m_outfile.is_open())
+	{
+		m_outfile.close();
+	}
+}
+
+void falco::outputs::output_file::reopen()
+{
+	cleanup();
+	open_file();
+}
--- a/userspace/falco/outputs_file.h
+++ b/userspace/falco/outputs_file.h
@@ -0,0 +1,43 @@
+/*
+Copyright (C) 2020 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#pragma once
+
+#include "outputs.h"
+#include <iostream>
+#include <fstream>
+
+namespace falco
+{
+namespace outputs
+{
+
+class output_file : public abstract_output
+{
+	void output(const message *msg);
+
+	void cleanup();
+
+	void reopen();
+
+private:
+	void open_file();
+
+	std::ofstream m_outfile;
+};
+
+} // namespace outputs
+} // namespace falco
--- a/userspace/falco/outputs_grpc.cpp
+++ b/userspace/falco/outputs_grpc.cpp
@@ -0,0 +1,68 @@
+/*
+Copyright (C) 2020 The Falco Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <google/protobuf/util/time_util.h>
+#include "outputs_grpc.h"
+#include "grpc_queue.h"
+#include "falco_common.h"
+#include "formats.h"
+#include "banned.h" // This raises a compilation error when certain functions are used
+
+void falco::outputs::output_grpc::output(const message *msg)
+{
+	falco::outputs::response grpc_res;
+
+	// time
+	auto timestamp = grpc_res.mutable_time();
+	*timestamp = google::protobuf::util::TimeUtil::NanosecondsToTimestamp(msg->ts);
+
+	// rule
+	auto r = grpc_res.mutable_rule();
+	*r = msg->rule;
+
+	// source
+	falco::schema::source s = falco::schema::source::SYSCALL;
+	if(!falco::schema::source_Parse(msg->source, &s))
+	{
+		throw falco_exception("Unknown source passed to output_grpc::output()");
+	}
+	grpc_res.set_source(s);
+
+	// priority
+	falco::schema::priority p = falco::schema::priority::EMERGENCY;
+	if(!falco::schema::priority_Parse(falco_common::priority_names[msg->priority], &p))
+	{
+		throw falco_exception("Unknown priority passed to output_grpc::output()");
+	}
+	grpc_res.set_priority(p);
+
+	// output
+	auto output = grpc_res.mutable_output();
+	*output = msg->msg;
+
+	// output fields
+	auto &fields = *grpc_res.mutable_output_fields();
+	for(const auto &kv : msg->fields)
+	{
+		fields[kv.first] = kv.second;
+	}
+
+	// hostname
+	auto host = grpc_res.mutable_hostname();
+	*host = m_hostname;
+
+	falco::grpc::queue::get().push(grpc_res);
+}
--- a/userspace/falco/outputs_grpc.h
+++ b/userspace/falco/outputs_grpc.h
@@ -0,0 +1,32 @@
+/*
+Copyright (C) 2020 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#pragma once
+
+#include "outputs.h"
+
+namespace falco
+{
+namespace outputs
+{
+
+class output_grpc : public abstract_output
+{
+	void output(const message *msg);
+};
+
+} // namespace outputs
+} // namespace falco
--- a/userspace/falco/outputs_http.cpp
+++ b/userspace/falco/outputs_http.cpp
@@ -0,0 +1,48 @@
+/*
+Copyright (C) 2020 The Falco Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "outputs_http.h"
+#include "logger.h"
+#include "banned.h" // This raises a compilation error when certain functions are used
+
+void falco::outputs::output_http::output(const message *msg)
+{
+	CURL *curl = NULL;
+	CURLcode res = CURLE_FAILED_INIT;
+	struct curl_slist *slist1;
+	slist1 = NULL;
+
+	curl = curl_easy_init();
+	if(curl)
+	{
+		slist1 = curl_slist_append(slist1, "Content-Type: application/json");
+		curl_easy_setopt(curl, CURLOPT_HTTPHEADER, slist1);
+		curl_easy_setopt(curl, CURLOPT_URL, m_oc.options["url"].c_str());
+		curl_easy_setopt(curl, CURLOPT_POSTFIELDS, msg->msg.c_str());
+		curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, -1L);
+
+		res = curl_easy_perform(curl);
+
+		if(res != CURLE_OK)
+		{
+			falco_logger::log(LOG_ERR, "libcurl error: " + string(curl_easy_strerror(res)));
+		}
+		curl_easy_cleanup(curl);
+		curl = NULL;
+		curl_slist_free_all(slist1);
+		slist1 = NULL;
+	}
+}
--- a/userspace/falco/outputs_http.h
+++ b/userspace/falco/outputs_http.h
@@ -0,0 +1,32 @@
+/*
+Copyright (C) 2020 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#pragma once
+
+#include "outputs.h"
+
+namespace falco
+{
+namespace outputs
+{
+
+class output_http : public abstract_output
+{
+	void output(const message *msg);
+};
+
+} // namespace outputs
+} // namespace falco
--- a/userspace/falco/outputs_program.cpp
+++ b/userspace/falco/outputs_program.cpp
@@ -0,0 +1,59 @@
+/*
+Copyright (C) 2020 The Falco Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "outputs_program.h"
+#include <stdio.h>
+#include "banned.h" // This raises a compilation error when certain functions are used
+
+void falco::outputs::output_program::open_pfile()
+{
+	if(m_pfile == nullptr)
+	{
+		m_pfile = popen(m_oc.options["program"].c_str(), "w");
+
+		if(!m_buffered)
+		{
+			setvbuf(m_pfile, NULL, _IONBF, 0);
+		}
+	}
+}
+
+void falco::outputs::output_program::output(const message *msg)
+{
+	open_pfile();
+
+	fprintf(m_pfile, "%s\n", msg->msg.c_str());
+
+	if(m_oc.options["keep_alive"] != "true")
+	{
+		cleanup();
+	}
+}
+
+void falco::outputs::output_program::cleanup()
+{
+	if(m_pfile != nullptr)
+	{
+		pclose(m_pfile);
+		m_pfile = nullptr;
+	}
+}
+
+void falco::outputs::output_program::reopen()
+{
+	cleanup();
+	open_pfile();
+}
--- a/userspace/falco/outputs_program.h
+++ b/userspace/falco/outputs_program.h
@@ -0,0 +1,41 @@
+/*
+Copyright (C) 2020 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#pragma once
+
+#include "outputs.h"
+
+namespace falco
+{
+namespace outputs
+{
+
+class output_program : public abstract_output
+{
+	void output(const message *msg);
+
+	void cleanup();
+
+	void reopen();
+
+private:
+	void open_pfile();
+
+	FILE *m_pfile;
+};
+
+} // namespace outputs
+} // namespace falco
--- a/userspace/falco/outputs_stdout.cpp
+++ b/userspace/falco/outputs_stdout.cpp
@@ -0,0 +1,39 @@
+/*
+Copyright (C) 2020 The Falco Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "outputs_stdout.h"
+#include <iostream>
+#include "banned.h" // This raises a compilation error when certain functions are used
+
+void falco::outputs::output_stdout::output(const message *msg)
+{
+	//
+	// By default, the stdout stream is fully buffered or line buffered
+	// (if the stream can be determined to refer to an interactive device, e.g. in a TTY).
+	// Just enable automatic flushing when unbuffered output is desired.
+	// Note that it is set every time since other writings to the stdout can disable it.
+	//
+	if(!m_buffered)
+	{
+		std::cout << std::unitbuf;
+	}
+	std::cout << msg->msg + "\n";
+}
+
+void falco::outputs::output_stdout::cleanup()
+{
+	std::cout.flush();
+}
--- a/userspace/falco/outputs_stdout.h
+++ b/userspace/falco/outputs_stdout.h
@@ -0,0 +1,34 @@
+/*
+Copyright (C) 2020 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#pragma once
+
+#include "outputs.h"
+
+namespace falco
+{
+namespace outputs
+{
+
+class output_stdout : public abstract_output
+{
+	void output(const message *msg);
+
+	void cleanup();
+};
+
+} // namespace outputs
+} // namespace falco
--- a/userspace/falco/outputs_syslog.cpp
+++ b/userspace/falco/outputs_syslog.cpp
@@ -0,0 +1,25 @@
+/*
+Copyright (C) 2020 The Falco Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "outputs_syslog.h"
+#include <syslog.h>
+#include "banned.h" // This raises a compilation error when certain functions are used
+
+void falco::outputs::output_syslog::output(const message *msg)
+{
+	// Syslog output should not have any trailing newline
+	::syslog(msg->priority, "%s", msg->msg.c_str());
+}
--- a/userspace/falco/outputs_syslog.h
+++ b/userspace/falco/outputs_syslog.h
@@ -0,0 +1,32 @@
+/*
+Copyright (C) 2020 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#pragma once
+
+#include "outputs.h"
+
+namespace falco
+{
+namespace outputs
+{
+
+class output_syslog : public abstract_output
+{
+	void output(const message *msg);
+};
+
+} // namespace outputs
+} // namespace falco
--- a/userspace/falco/schema.proto
+++ b/userspace/falco/schema.proto
@@ -57,4 +57,7 @@ enum source {
  k8s_audit = 1;
  K8s_audit = 1;
  K8S_audit = 1;
+  INTERNAL = 2;
+  internal = 2;
+  Internal = 2;
 }
--- a/userspace/falco/watchdog.h
+++ b/userspace/falco/watchdog.h
@@ -0,0 +1,96 @@
+/*
+Copyright (C) 2020 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <chrono>
+#include <thread>
+#include <functional>
+#include <atomic>
+
+template<typename _T>
+class watchdog
+{
+public:
+	watchdog():
+		m_timeout(nullptr),
+		m_is_running(false)
+	{
+	}
+
+	~watchdog()
+	{
+		stop();
+	}
+
+	void start(std::function<void(_T)> cb,
+		   std::chrono::milliseconds resolution = std::chrono::milliseconds(100))
+	{
+		stop();
+		m_is_running.store(true, std::memory_order_release);
+		m_thread = std::thread([this, cb, resolution]() {
+			const auto no_deadline = time_point{};
+			timeout_data curr;
+			while(m_is_running.load(std::memory_order_acquire))
+			{
+				auto t = m_timeout.exchange(nullptr, std::memory_order_release);
+				if(t)
+				{
+					curr = *t;
+					delete t;
+				}
+				if(curr.deadline != no_deadline && curr.deadline < std::chrono::steady_clock::now())
+				{
+					cb(curr.payload);
+					curr.deadline = no_deadline;
+				}
+				std::this_thread::sleep_for(resolution);
+			}
+		});
+	}
+
+	void stop()
+	{
+		if(m_is_running.load(std::memory_order_acquire))
+		{
+			m_is_running.store(false, std::memory_order_release);
+			if(m_thread.joinable())
+			{
+				m_thread.join();
+			}
+			delete m_timeout.exchange(nullptr, std::memory_order_release);
+		}
+	}
+
+	inline void set_timeout(std::chrono::milliseconds timeout, _T payload) noexcept
+	{
+		delete m_timeout.exchange(new timeout_data{std::chrono::steady_clock::now() + timeout, payload}, std::memory_order_release);
+	}
+
+	inline void cancel_timeout() noexcept
+	{
+		delete m_timeout.exchange(new timeout_data, std::memory_order_release);
+	}
+
+private:
+	typedef std::chrono::time_point<std::chrono::steady_clock> time_point;
+	struct timeout_data
+	{
+		time_point deadline;
+		_T payload;
+	};
+	std::atomic<timeout_data *> m_timeout;
+	std::atomic<bool> m_is_running;
+	std::thread m_thread;
+};
				`@@ -1 +0,0 @@`
				<svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 708.41 374.92"><defs><style>.cls-1{fill:#00b4c8;}</style></defs><title>Falco horizontal logo_teal2</title><g id="fqqZXT"><path class="cls-1" d="M204.69,154.4Q151.5,208,98,261.25a48.42,48.42,0,0,1-5.27,4.87c-2.55,1.89-5.34,2-7.65-.45s-1.51-5,.41-7.06c4.6-4.94,9.35-9.74,14.13-14.5q52.56-52.31,105.14-104.59c3.35-3.34,18.05,7.52,21.58,11.1"/><path class="cls-1" d="M215.06,171.36c-.15,2.14-1.54,3.55-2.93,4.94l-87.82,87.79c-2.75,2.74-6,5.42-9.46,1.68-3.15-3.39-.5-6.44,2.06-9q43.44-43.44,86.89-86.87c2.21-2.22,4.58-4.23,8-3A4.61,4.61,0,0,1,215.06,171.36Z"/><path class="cls-1" d="M70.93,71c2.42-.09,4.09,1.31,5.64,2.87q41.82,41.79,83.61,83.59c2.6,2.61,5,5.74,1.69,9s-6.41,1-9-1.66Q111,123,69.25,81.2c-2.09-2.1-3.72-4.39-2.45-7.53A4.34,4.34,0,0,1,70.93,71Z"/><path class="cls-1" d="M203.42,268c-5,1-8.9-1.34-12.45-5-6.35-6.61-12.87-13-19.41-19.46-3.85-3.8-4-7.41-.14-11.28,11.14-11.07,22.21-22.21,33.35-33.29,2.45-2.44,5.43-4.49,8.55-1.55,3.48,3.29,1.19,6.41-1.39,9-8.74,8.84-17.44,17.73-26.4,26.35-3.4,3.27-3.93,5.72-.19,9.06,4.22,3.78,8.13,7.91,12,12,2.54,2.68,5.35,4.25,9.18,4.11s8.28-.12,8.16,5.09c-.12,5-4.74,4.8-8.4,5.14A21,21,0,0,1,203.42,268Z"/><path class="cls-1" d="M148.7,178.36c-.75,3.49-2.68,5.6-6.43,4.36a13,13,0,0,1-4.74-3.31q-30.11-30-60.1-60a23.14,23.14,0,0,1-2.56-3c-1.72-2.42-1.88-5,.3-7.11s4.84-1.76,7,.26c3.65,3.42,7.17,7,10.71,10.53q25.65,25.64,51.28,51.3C146.12,173.37,148.49,175.13,148.7,178.36Z"/><path class="cls-1" d="M133.74,192.93a4.9,4.9,0,0,1-2.53,4.29,5.37,5.37,0,0,1-6.63-.95c-3.35-3.1-6.57-6.34-9.8-9.57q-14.34-14.3-28.61-28.63a34.27,34.27,0,0,1-4.17-5,4.57,4.57,0,0,1,.36-6,5,5,0,0,1,6-1.12,11.65,11.65,0,0,1,3.7,2.58q19.44,19.33,38.79,38.76C132.4,188.85,133.77,190.54,133.74,192.93Z"/></g><path class="cls-1" d="M413.15,190.86a25.57,25.57,0,0,0-10.35-6.63,46.78,46.78,0,0,0-16-2.37A83.35,83.35,0,0,0,372,183.12a75.16,75.16,0,0,0-10.58,2.53l2.37,15.48a53.47,53.47,0,0,1,9-2.21A72.44,72.44,0,0,1,385,198a22.61,22.61,0,0,1,8.13,1.26,13,13,0,0,1,5.22,3.56,13.23,13.23,0,0,1,2.76,5.29,24.6,24.6,0,0,1,.79,6.32v3.16a61.65,61.65,0,0,0-7.42-1.34,57.43,57.43,0,0,0-6.64-.4,61.45,61.45,0,0,0-13,1.35,32.26,32.26,0,0,0-11,4.42,22.7,22.7,0,0,0-7.51,8,24.09,24.09,0,0,0-2.76,12A28.39,28.39,0,0,0,356,254.05a21.6,21.6,0,0,0,6.79,8.22,28.56,28.56,0,0,0,10.51,4.58,60.24,60.24,0,0,0,13.58,1.42A137.25,137.25,0,0,0,407,266.93c5.94-.9,10.4-1.66,13.35-2.29V214.56a50.84,50.84,0,0,0-1.66-13.35A24.93,24.93,0,0,0,413.15,190.86Zm-11.3,61.3a71.4,71.4,0,0,1-13.43.94q-7.26,0-11.53-2.6t-4.26-9.4a10,10,0,0,1,1.57-5.77,10.67,10.67,0,0,1,4.19-3.55,20.18,20.18,0,0,1,5.85-1.74,43.43,43.43,0,0,1,6.39-.47,42.23,42.23,0,0,1,6.64.47,37,37,0,0,1,4.58,1Z"/><path class="cls-1" d="M461.38,248.44a9.27,9.27,0,0,1-2-4,26.17,26.17,0,0,1-.55-5.85V143.94l-19.12,3.16v95.1a40.74,40.74,0,0,0,1.35,11,17.57,17.57,0,0,0,4.66,8.06,21.71,21.71,0,0,0,8.92,5,52,52,0,0,0,14.14,1.89l2.69-15.8a29.78,29.78,0,0,1-6.24-1.34A8.76,8.76,0,0,1,461.38,248.44Z"/><path class="cls-1" d="M532.2,251.05a49.24,49.24,0,0,1-9.64.95q-13.11,0-18.64-7.19t-5.53-19.51q0-12.8,5.85-19.83t17.06-7a40.4,40.4,0,0,1,8.92.95,43.38,43.38,0,0,1,7.51,2.37l4.1-15.64a57.88,57.88,0,0,0-22.11-4.26,42.15,42.15,0,0,0-17.06,3.31,37.35,37.35,0,0,0-12.88,9.17,40.64,40.64,0,0,0-8.14,13.82,50.82,50.82,0,0,0-2.84,17.14,56.83,56.83,0,0,0,2.53,17.3A37.22,37.22,0,0,0,489,256.34a34.82,34.82,0,0,0,13,9,47.83,47.83,0,0,0,18.4,3.24,68.05,68.05,0,0,0,13.19-1.27,39.84,39.84,0,0,0,9.56-2.84l-2.69-15.8A45,45,0,0,1,532.2,251.05Z"/><path class="cls-1" d="M625.77,207.37a40.7,40.7,0,0,0-8.14-13.67,35.23,35.23,0,0,0-12.56-8.76,40.93,40.93,0,0,0-16-3.08,40.34,40.34,0,0,0-16,3.08,36.32,36.32,0,0,0-12.56,8.76,39.88,39.88,0,0,0-8.21,13.67,51.31,51.31,0,0,0-2.93,17.77A52,52,0,0,0,552.31,243a40.47,40.47,0,0,0,8.13,13.75,36.57,36.57,0,0,0,12.48,8.85A40.14,40.14,0,0,0,589,268.74a40.69,40.69,0,0,0,16.19-3.15,36.32,36.32,0,0,0,12.56-8.85A39.7,39.7,0,0,0,625.85,243a53.47,53.47,0,0,0,2.84-17.85A51.55,51.55,0,0,0,625.77,207.37Zm-22,37.52q-5.29,7.28-14.77,7.27t-14.77-7.27q-5.29-7.26-5.3-19.75,0-12.31,5.3-19.51T589,198.44q9.48,0,14.77,7.19t5.29,19.51Q609.1,237.62,603.81,244.89Z"/><path class="cls-1" d="M347.24,218h-47.8v50.57H279.65V150h75.89v15.88h-56.1v36.23h47.8Z"/></svg>