update(scripts): update Falco description

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>

.circleci/config.yml

@@ -1,85 +1,5 @@
 version: 2
 jobs:
-  # Build a statically linked Falco release binary using musl
-  # This build is 100% static, there are no host dependencies
-  "build/musl":
-    docker:
-      - image: alpine:3.12
-    steps:
-      - checkout:
-          path: /source-static/falco
-      - run:
-          name: Update base image
-          command: apk update
-      - run:
-          name: Install build dependencies
-          command: apk add g++ gcc cmake cmake make ncurses-dev git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils
-      - run:
-          name: Prepare project
-          command: |
-            mkdir -p /build-static/release
-            cd /build-static/release
-            cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco /source-static/falco
-      - run:
-          name: Build
-          command: |
-            cd /build-static/release
-            make -j4 all
-      - run:
-          name: Package
-          command: |
-            cd /build-static/release
-            make -j4 package
-      - run:
-          name: Run unit tests
-          command: |
-            cd /build-static/release
-            make tests
-      - run:
-          name: Prepare artifacts
-          command: |
-            mkdir -p /tmp/packages
-            cp /build-static/release/*.tar.gz /tmp/packages
-      - store_artifacts:
-          path: /tmp/packages
-          destination: /packages
-      - persist_to_workspace:
-          root: /
-          paths:
-            - build-static/release
-            - source-static
-  # Build the minimal Falco
-  # This build only contains the Falco engine and the basic input/output.
-  "build/minimal":
-    docker:
-      - image: ubuntu:focal
-    steps:
-      - checkout
-      - run:
-          name: Update base image
-          command: apt update -y
-      - run:
-          name: Install dependencies
-          command: DEBIAN_FRONTEND=noninteractive apt install libjq-dev libncurses-dev libyaml-cpp-dev libelf-dev cmake build-essential git -y
-      - run:
-          name: Prepare project
-          command: |
-            mkdir build-minimal
-            pushd build-minimal
-            cmake -DMINIMAL_BUILD=On -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release ..
-            popd
-      - run:
-          name: Build
-          command: |
-            pushd build-minimal
-            make -j4 all
-            popd
-      - run:
-          name: Run unit tests
-          command: |
-            pushd build-minimal
-            make tests
-            popd
   # Build using ubuntu LTS
   # This build is dynamic, most dependencies are taken from the OS
   "build/ubuntu-focal":
@@ -282,21 +202,6 @@ jobs:
       - run:
           name: Execute integration tests
           command: /usr/bin/entrypoint test
-  "tests/integration-static":
-    docker:
-      - image: falcosecurity/falco-tester:latest
-        environment:
-          SOURCE_DIR: "/source-static"
-          BUILD_DIR: "/build-static"
-          BUILD_TYPE: "release"
-          SKIP_PACKAGES_TESTS: "true"
-    steps:
-      - setup_remote_docker
-      - attach_workspace:
-          at: /
-      - run:
-          name: Execute integration tests
-          command: /usr/bin/entrypoint test
   "tests/driver-loader/integration":
     machine:
       image: ubuntu-1604:202004-01
@@ -306,33 +211,6 @@ jobs:
       - run:
           name: Execute driver-loader integration tests
           command: /tmp/ws/source/falco/test/driver-loader/run_test.sh /tmp/ws/build/release/
-  # Code quality
-  "quality/static-analysis":
-    docker:
-      - image: falcosecurity/falco-builder:latest
-        environment:
-          BUILD_TYPE: "release"
-    steps:
-      - run:
-          name: Install cppcheck
-          command: |
-            yum update -y
-            yum install epel-release -y
-            yum install cppcheck cppcheck-htmlreport -y
-      - checkout:
-          path: /source/falco
-      - run:
-          name: Prepare project
-          command: /usr/bin/entrypoint cmake
-      - run:
-          name: cppcheck
-          command: /usr/bin/entrypoint cppcheck
-      - run:
-          name: cppcheck html report
-          command: /usr/bin/entrypoint cppcheck_htmlreport
-      - store_artifacts:
-          path: /build/release/static-analysis-reports
-          destination: /static-analysis-reports
   # Sign rpm packages
   "rpm/sign":
     docker:
@@ -389,34 +267,10 @@ jobs:
             FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
             jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
       - run:
-          name: Publish bin-dev
+          name: Publish tgz-dev
           command: |
-            FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin-dev/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
-  # Clenup the Falco development release packages
-  "cleanup/packages-dev":
-    docker:
-      - image: docker.bintray.io/jfrog/jfrog-cli-go:latest
-    steps:
-      - checkout:
-          path: /source/falco
-      - run:
-          name: Prepare env
-          command: |
-            apk add --no-cache --update
-            apk add curl jq
-      - run:
-          name: Only keep the 10 most recent Falco development release tarballs
-          command: |
-            /source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r bin-dev
-      - run:
-          name: Only keep the 50 most recent Falco development release RPMs
-          command: |
-            /source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r rpm-dev
-      - run:
-          name: Only keep the 50 most recent Falco development release DEBs
-          command: |
-            /source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r deb-dev
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin-dev/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
   # Publish docker packages
   "publish/docker-dev":
     docker:
@@ -473,10 +327,10 @@ jobs:
             FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
             jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
       - run:
-          name: Publish bin
+          name: Publish tgz
           command: |
-            FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
   # Publish docker packages
   "publish/docker":
     docker:
@@ -518,8 +372,6 @@ workflows:
   version: 2
   build_and_test:
     jobs:
-      - "build/musl"
-      - "build/minimal"
       - "build/ubuntu-focal"
       - "build/ubuntu-focal-debug"
       - "build/ubuntu-bionic"
@@ -529,9 +381,6 @@ workflows:
       - "tests/integration":
           requires:
             - "build/centos7"
-      - "tests/integration-static":
-          requires:
-            - "build/musl"
       - "tests/driver-loader/integration":
           requires:
             - "build/centos7"
@@ -553,16 +402,6 @@ workflows:
               only: master
           requires:
             - "rpm/sign"
-            - "tests/integration-static"
-      - "cleanup/packages-dev":
-          context: falco
-          filters:
-            tags:
-              ignore: /.*/
-            branches:
-              only: master
-          requires:
-            - "publish/packages-dev"
       - "publish/docker-dev":
           context: falco
           filters:
@@ -573,15 +412,8 @@ workflows:
           requires:
             - "publish/packages-dev"
             - "tests/driver-loader/integration"
-      - "quality/static-analysis"
   release:
     jobs:
-      - "build/musl":
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              ignore: /.*/
       - "build/centos7":
           filters:
             tags:
@@ -600,7 +432,6 @@ workflows:
       - "publish/packages":
           context: falco
           requires:
-            - "build/musl"
             - "rpm/sign"
           filters:
             tags:

CHANGELOG.md

@@ -1,93 +1,6 @@
 # Change Log
 
-## v0.26.1
-
-Released on 2020-10-01
-
-### Major Changes
-
-* new: CLI flag `--alternate-lua-dir` to load Lua files from arbitrary paths [[#1419](https://github.com/falcosecurity/falco/pull/1419)] - [@admiral0](https://github.com/admiral0)
-
-
-### Rule Changes
-
-* rule(Delete or rename shell history): fix warnings/FPs + container teardown [[#1423](https://github.com/falcosecurity/falco/pull/1423)] - [@mstemm](https://github.com/mstemm)
-* rule(Write below root): ensure proc_name_exists too [[#1423](https://github.com/falcosecurity/falco/pull/1423)] - [@mstemm](https://github.com/mstemm)
-
-
-## v0.26.0
-
-Released on 2020-24-09
-
-### Major Changes
-
-* new: address several sources of FPs, primarily from GKE environments. [[#1372](https://github.com/falcosecurity/falco/pull/1372)] - [@mstemm](https://github.com/mstemm)
-* new: driver updated to 2aa88dcf6243982697811df4c1b484bcbe9488a2 [[#1410](https://github.com/falcosecurity/falco/pull/1410)] - [@leogr](https://github.com/leogr)
-* new(scripts/falco-driver-loader): detect and try to build the Falco kernel module driver using different GCC versions available in the current environment. [[#1408](https://github.com/falcosecurity/falco/pull/1408)] - [@fntlnz](https://github.com/fntlnz)
-* new: tgz (tarball) containing the statically-linked (musl) binary of Falco is now automatically built and published on bintray [[#1377](https://github.com/falcosecurity/falco/pull/1377)] - [@leogr](https://github.com/leogr)
-
-
-### Minor Changes
-
-* update: bump Falco engine version to 7 [[#1381](https://github.com/falcosecurity/falco/pull/1381)] - [@leogr](https://github.com/leogr)
-* update: the required_engine_version is now on by default [[#1381](https://github.com/falcosecurity/falco/pull/1381)] - [@leogr](https://github.com/leogr)
-* update: falcosecurity/falco-no-driver image now uses the statically-linked Falco [[#1377](https://github.com/falcosecurity/falco/pull/1377)] - [@leogr](https://github.com/leogr)
-* docs(proposals): artifacts storage [[#1375](https://github.com/falcosecurity/falco/pull/1375)] - [@leodido](https://github.com/leodido)
-* docs(proposals): artifacts cleanup [[#1375](https://github.com/falcosecurity/falco/pull/1375)] - [@leodido](https://github.com/leodido)
-
-
-### Rule Changes
-
-* rule(macro inbound_outbound): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)] - [@ldegio](https://github.com/ldegio)
-* rule(macro redis_writing_conf): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)] - [@ldegio](https://github.com/ldegio)
-* rule(macro run_by_foreman): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)] - [@ldegio](https://github.com/ldegio)
-* rule(macro consider_packet_socket_communication): enable "Packet socket created in container" rule by default. [[#1402](https://github.com/falcosecurity/falco/pull/1402)] - [@rung](https://github.com/rung)
-* rule(Delete or rename shell history): skip docker overlay filesystems when considering bash history [[#1393](https://github.com/falcosecurity/falco/pull/1393)] - [@mstemm](https://github.com/mstemm)
-* rule(Disallowed K8s User): quote colons in user names [[#1393](https://github.com/falcosecurity/falco/pull/1393)] - [@mstemm](https://github.com/mstemm)
-* rule(macro falco_sensitive_mount_containers): Adds a trailing slash to avoid repo naming issues [[#1394](https://github.com/falcosecurity/falco/pull/1394)] - [@bgeesaman](https://github.com/bgeesaman)
-* rule: adds user.loginuid to the default Falco rules that also contain user.name [[#1369](https://github.com/falcosecurity/falco/pull/1369)] - [@csschwe](https://github.com/csschwe)
-
-## v0.25.0
-
-Released on 2020-08-25
-
-### Major Changes
-
-* new(userspace/falco): print the Falco and driver versions at the very beginning of the output. [[#1303](https://github.com/falcosecurity/falco/pull/1303)] - [@leogr](https://github.com/leogr)
-* new: libyaml is now bundled in the release process. Users can now avoid installing libyaml directly when getting Falco from the official release. [[#1252](https://github.com/falcosecurity/falco/pull/1252)] - [@fntlnz](https://github.com/fntlnz)
-
-
-### Minor Changes
-
-* docs(test): step-by-step instructions to run integration tests locally [[#1313](https://github.com/falcosecurity/falco/pull/1313)] - [@leodido](https://github.com/leodido)
-* update: renameat2 syscall support [[#1355](https://github.com/falcosecurity/falco/pull/1355)] - [@fntlnz](https://github.com/fntlnz)
-* update: support for 5.8.x kernels [[#1355](https://github.com/falcosecurity/falco/pull/1355)] - [@fntlnz](https://github.com/fntlnz)
-
-
-### Bug Fixes
-
-* fix(userspace/falco): correct the fallback mechanism for loading the kernel module [[#1366](https://github.com/falcosecurity/falco/pull/1366)] - [@leogr](https://github.com/leogr)
-* fix(falco-driver-loader): script crashing when using arguments [[#1330](https://github.com/falcosecurity/falco/pull/1330)] - [@antoinedeschenes](https://github.com/antoinedeschenes)
-
-
-### Rule Changes
-
-* rule(macro user_trusted_containers): add `sysdig/node-image-analyzer` and `sysdig/agent-slim` [[#1321](https://github.com/falcosecurity/falco/pull/1321)] - [@Kaizhe](https://github.com/Kaizhe)
-* rule(macro falco_privileged_images): add `docker.io/falcosecurity/falco` [[#1326](https://github.com/falcosecurity/falco/pull/1326)] - [@nvanheuverzwijn](https://github.com/nvanheuverzwijn)
-* rule(EphemeralContainers Created): add new rule to detect ephemeral container created [[#1339](https://github.com/falcosecurity/falco/pull/1339)] - [@Kaizhe](https://github.com/Kaizhe)
-* rule(macro user_read_sensitive_file_containers): replace endswiths with exact image repo name [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
-* rule(macro user_trusted_containers): replace endswiths with exact image repo name [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
-* rule(macro user_privileged_containers): replace endswiths with exact image repo name [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
-* rule(macro trusted_images_query_miner_domain_dns): replace endswiths with exact image repo name [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
-* rule(macro falco_privileged_containers): append "/" to quay.io/sysdig [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
-* rule(list falco_privileged_images): add images docker.io/sysdig/agent-slim and docker.io/sysdig/node-image-analyzer [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
-* rule(list falco_sensitive_mount_images): add image docker.io/sysdig/agent-slim [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
-* rule(list k8s_containers): prepend docker.io to images [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
-* rule(macro exe_running_docker_save): add better support for centos [[#1350](https://github.com/falcosecurity/falco/pull/1350)] - [@admiral0](https://github.com/admiral0)
-* rule(macro rename): add `renameat2` syscall [[#1359](https://github.com/falcosecurity/falco/pull/1359)] - [@leogr](https://github.com/leogr)
-* rule(Read sensitive file untrusted): add trusted images into whitelist [[#1327](https://github.com/falcosecurity/falco/pull/1327)] - [@Kaizhe](https://github.com/Kaizhe)
-* rule(Pod Created in Kube Namespace): add new list k8s_image_list as white list [[#1336](https://github.com/falcosecurity/falco/pull/1336)] - [@Kaizhe](https://github.com/Kaizhe)
-* rule(list allowed_k8s_users): add "kubernetes-admin" user [[#1323](https://github.com/falcosecurity/falco/pull/1323)] - [@leogr](https://github.com/leogr)
+This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).
 
 ## v0.24.0
 

CMakeLists.txt

@@ -16,8 +16,6 @@ project(falco)
 
 option(USE_BUNDLED_DEPS "Bundle hard to find dependencies into the Falco binary" OFF)
 option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF)
-option(MINIMAL_BUILD "Build a minimal version of Falco, containing only the engine and basic input/output (EXPERIMENTAL)" OFF)
-option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF)
 
 # Elapsed time
 # set_property(GLOBAL PROPERTY RULE_LAUNCH_COMPILE "${CMAKE_COMMAND} -E time") # TODO(fntlnz, leodido): add a flag to enable this
@@ -52,15 +50,7 @@ else()
 endif()
 message(STATUS "Build type: ${CMAKE_BUILD_TYPE}")
 
-if(MINIMAL_BUILD)
-  set(MINIMAL_BUILD_FLAGS "-DMINIMAL_BUILD")
-endif()
-
-if(MUSL_OPTIMIZED_BUILD)
-  set(MUSL_FLAGS "-static -Os")
-endif()
-
-set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}")
+set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS}")
 
 if(BUILD_WARNINGS_AS_ERRORS)
   set(CMAKE_SUPPRESSED_WARNINGS
@@ -133,13 +123,11 @@ ExternalProject_Add(
 # yaml-cpp
 include(yaml-cpp)
 
-if(NOT MINIMAL_BUILD)
-  # OpenSSL
-  include(OpenSSL)
+# OpenSSL
+include(OpenSSL)
 
-  # libcurl
-  include(cURL)
-endif()
+# libcurl
+include(cURL)
 
 # LuaJIT
 set(LUAJIT_SRC "${PROJECT_BINARY_DIR}/luajit-prefix/src/luajit/src")
@@ -206,30 +194,26 @@ ExternalProject_Add(
   BUILD_BYPRODUCTS ${TBB_LIB}
   INSTALL_COMMAND "")
 
-if(NOT MINIMAL_BUILD)
-  # civetweb
-  set(CIVETWEB_SRC "${PROJECT_BINARY_DIR}/civetweb-prefix/src/civetweb/")
-  set(CIVETWEB_LIB "${CIVETWEB_SRC}/install/lib/libcivetweb.a")
-  set(CIVETWEB_INCLUDE_DIR "${CIVETWEB_SRC}/install/include")
-  message(STATUS "Using bundled civetweb in '${CIVETWEB_SRC}'")
-  ExternalProject_Add(
-    civetweb
-    URL "https://github.com/civetweb/civetweb/archive/v1.11.tar.gz"
-    URL_HASH "SHA256=de7d5e7a2d9551d325898c71e41d437d5f7b51e754b242af897f7be96e713a42"
-    CONFIGURE_COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/lib
-    COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/include
-    BUILD_IN_SOURCE 1
-    BUILD_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" WITH_CPP=1
-    INSTALL_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" install-lib install-headers PREFIX=${CIVETWEB_SRC}/install "WITH_CPP=1")
-endif()
+# civetweb
+set(CIVETWEB_SRC "${PROJECT_BINARY_DIR}/civetweb-prefix/src/civetweb/")
+set(CIVETWEB_LIB "${CIVETWEB_SRC}/install/lib/libcivetweb.a")
+set(CIVETWEB_INCLUDE_DIR "${CIVETWEB_SRC}/install/include")
+message(STATUS "Using bundled civetweb in '${CIVETWEB_SRC}'")
+ExternalProject_Add(
+  civetweb
+  URL "https://github.com/civetweb/civetweb/archive/v1.11.tar.gz"
+  URL_HASH "SHA256=de7d5e7a2d9551d325898c71e41d437d5f7b51e754b242af897f7be96e713a42"
+  CONFIGURE_COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/lib
+  COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/include
+  BUILD_IN_SOURCE 1
+  BUILD_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" WITH_CPP=1
+  INSTALL_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" install-lib install-headers PREFIX=${CIVETWEB_SRC}/install "WITH_CPP=1")
 
 #string-view-lite
 include(DownloadStringViewLite)
 
-if(NOT MINIMAL_BUILD)
-  # gRPC
-  include(gRPC)
-endif()
+# gRPC
+include(gRPC)
 
 # sysdig
 include(sysdig)
@@ -237,13 +221,11 @@ include(sysdig)
 # Installation
 install(FILES falco.yaml DESTINATION "${FALCO_ETC_DIR}")
 
-if(NOT MINIMAL_BUILD)
-  # Coverage
-  include(Coverage)
+# Coverage
+include(Coverage)
 
-  # Tests
-  add_subdirectory(test)
-endif()
+# Tests
+add_subdirectory(test)
 
 # Rules
 add_subdirectory(rules)
@@ -254,9 +236,6 @@ add_subdirectory(docker)
 # Clang format
 # add_custom_target(format COMMAND clang-format --style=file -i $<TARGET_PROPERTY:falco,SOURCES> COMMENT "Formatting ..." VERBATIM)
 
-# Static analysis
-include(static-analysis)
-
 # Shared build variables
 set(FALCO_SINSP_LIBRARY sinsp)
 set(FALCO_SHARE_DIR share/falco)

README.md

@@ -74,7 +74,7 @@ To get involved with The Falco Project please visit [the community repository](h
 
 ### Contributing
 
-See the [CONTRIBUTING.md](https://github.com/falcosecurity/.github/blob/master/CONTRIBUTING.md).
+See the [CONTRIBUTING.md](./CONTRIBUTING.md).
 
 ### Security Audit
 

RELEASE.md

@@ -4,21 +4,19 @@ Our release process is mostly automated, but we still need some manual steps to
 
 Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released.
 
-A release happens every two months ([as per community discussion](https://github.com/falcosecurity/community/blob/master/meeting-notes/2020-09-30.md#agenda)), and we need to assign owners for each (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community). Note that hotfix releases can happen as soon as it is needed.
+Releases happen on a monthly cadence, towards the 16th of the on-going month, and we need to assign owners for each (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community). Note that hotfix releases can happen as soon as it is needed.
 
 Finally, on the proposed due date the assignees for the upcoming release proceed with the processes described below.
 
 ## Pre-Release Checklist
 
-Before cutting a release we need to do some homework in the Falco repository. This should take 5 minutes using the GitHub UI.
-
 ### 1. Release notes
-- Find the LAST release (-1) and use `YYYY-MM-DD` as the day before of the [latest release](https://github.com/falcosecurity/falco/releases)
+- Let `YYYY-MM-DD` the day before of the [latest release](https://github.com/falcosecurity/falco/releases)
 - Check the release note block of every PR matching the `is:pr is:merged closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+closed%3A%3EYYYY-MM-DD)
     - Ensure the release note block follows the [commit convention](https://github.com/falcosecurity/falco/blob/master/CONTRIBUTING.md#commit-convention), otherwise fix its content
     - If the PR has no milestone, assign it to the milestone currently undergoing release
-- Check issues without a milestone (using [is:pr is:merged no:milestone closed:>YYYY-MM-DD](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD) filter) and add them to the milestone currently undergoing release
-- Double-check that there are no more merged PRs without the target milestone assigned with the `is:pr is:merged no:milestone closed:>YYYY-MM-DD` [filters](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD), if any, fix them
+- Check issues without a milestone (using [is:pr is:merged no:milestone closed:>YYYT-MM-DD](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYT-MM-DD) filter) and add them to the milestone currently undergoing release
+- Double-check that there are no more merged PRs without the target milestone assigned with the `is:pr is:merged no:milestone closed:>YYYT-MM-DD` [filters](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYT-MM-DD), if any, fix them
 
 ### 2. Milestones
 
@@ -30,15 +28,14 @@ Before cutting a release we need to do some homework in the Falco repository. Th
     - If any, manually correct it then open an issue to automate version number bumping later
     - Versions table in the `README.md` update itself automatically
 - Generate the change log https://github.com/leodido/rn2md, or https://fs.fntlnz.wtf/falco/milestones-changelog.txt for the lazy people (it updates every 5 minutes)
-    - If you review timeout errors with `rn2md` try to generate an GitHub Oauth access token and use `-t`
-- Add the latest changes on top the previous `CHANGELOG.md`
+- Add the lastest changes on top the previous `CHANGELOG.md`
 - Submit a PR with the above modifications
 - Await PR approval
-- Close the completed milestone as soon as the PR is merged
+- Close the completed milestone as soon PR is merged
 
 ## Release
 
-Now assume `x.y.z` is the new version.
+Let `x.y.z` the new version.
 
 ### 1. Create a tag
 
@@ -61,29 +58,15 @@ Now assume `x.y.z` is the new version.
 - Use `x.y.z` both as tag version and release title
 - Use the following template to fill the release description:
     ```
-    <!-- Substitute x.y.z with the current release version -->
-
-    | Packages | Download                                                                                                                                               |
-    | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
-    | rpm      | [![rpm](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/rpm/falco-x.y.z-x86_64.rpm)        |
-    | deb      | [![deb](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/deb/stable/falco-x.y.z-x86_64.deb) |
-    | tgz      | [![tgz](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/bin/x86_64/falco-x.y.z-x86_64.deb) |
-
-    | Images                                                          |
-    | --------------------------------------------------------------- |
-    | `docker pull docker.io/falcosecurity/falco:_tag_`               |
-    | `docker pull docker.io/falcosecurity/falco-driver-loader:_tag_` |
-    | `docker pull docker.io/falcosecurity/falco-no-driver:_tag_`     |
-
     <!-- Copy the relevant part of the changelog here -->
 
     ### Statistics
 
-    | Merged PRs      | Number |
-    | --------------- | ------ |
-    | Not user-facing | x      |
-    | Release note    | x      |
-    | Total           | x      |
+    | Merged PRs        | Number  |
+    |-------------------|---------|
+    | Not user-facing   | x       |
+    | Release note      | x       |
+    | Total             | x       |
 
     <!-- Calculate stats and fill the above table -->
     ```

brand/README.md

@@ -15,21 +15,6 @@ There are 3 logos available for use in this directory. Use the primary logo unle
 
 The Falco logo is Apache 2 licensed and free to use in media and publication for the CNCF Falco project.
 
-### Colors
-
-| Name      | PMS  | RGB         |
-|-----------|------|-------------|
-| Teal      | 3125 |   0 174 199 |
-| Cool Gray |   11 |  83  86  90 |
-| Black     |      |   0   0   0 |
-| Blue-Gray | 7700 |  22 92 125  |
-| Gold      | 1375 | 255 158  27 |
-| Orange    |  171 | 255  92  57 |
-| Emerald   | 3278 |   0 155 119 |
-| Green     |  360 | 108 194  74 |
-
-The primary colors are those in the first two rows.
-
 ### Slogan
 
 > Cloud Native Runtime Security

cmake/modules/CPackConfig.cmake

@@ -25,11 +25,7 @@ set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/cmake/cpack/CMakeCPackOptio
 set(CPACK_STRIP_FILES "ON")
 set(CPACK_PACKAGE_RELOCATABLE "OFF")
 
-if(NOT CPACK_GENERATOR)
-    set(CPACK_GENERATOR DEB RPM TGZ)
-endif()
-
-message(STATUS "Using package generators: ${CPACK_GENERATOR}")
+set(CPACK_GENERATOR DEB RPM TGZ)
 
 set(CPACK_DEBIAN_PACKAGE_SECTION "utils")
 set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")

cmake/modules/DownloadStringViewLite.cmake

@@ -15,7 +15,7 @@ include(ExternalProject)
 
 set(STRING_VIEW_LITE_PREFIX ${CMAKE_BINARY_DIR}/string-view-lite-prefix)
 set(STRING_VIEW_LITE_INCLUDE ${STRING_VIEW_LITE_PREFIX}/include)
-message(STATUS "Using bundled string-view-lite in ${STRING_VIEW_LITE_INCLUDE}")
+message(STATUS "Found string-view-lite: include: ${STRING_VIEW_LITE_INCLUDE}")
 
 ExternalProject_Add(
   string-view-lite

cmake/modules/gRPC.cmake

@@ -96,17 +96,12 @@ else()
   # that zlib will be very outdated
   set(ZLIB_INCLUDE "${GRPC_SRC}/third_party/zlib")
   set(ZLIB_LIB "${GRPC_LIBS_ABSOLUTE}/libz.a")
-  # we tell gRPC to compile c-ares for us because when a gRPC package is not available, like on CentOS, it's very likely
-  # that c-ares will be very outdated
-  set(CARES_INCLUDE "${GRPC_SRC}/third_party/cares" "${GRPC_SRC}/third_party/cares/cares")
-  set(CARES_LIB "${GRPC_LIBS_ABSOLUTE}/libares.a")
 
   message(STATUS "Using bundled gRPC in '${GRPC_SRC}'")
   message(
     STATUS
       "Bundled gRPC comes with protobuf: compiler: ${PROTOC}, include: ${PROTOBUF_INCLUDE}, lib: ${PROTOBUF_LIB}")
   message(STATUS "Bundled gRPC comes with zlib: include: ${ZLIB_INCLUDE}, lib: ${ZLIB_LIB}}")
-  message(STATUS "Bundled gRPC comes with cares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}}")
   message(STATUS "Bundled gRPC comes with gRPC C++ plugin: include: ${GRPC_CPP_PLUGIN}")
 
   get_filename_component(PROTOC_DIR ${PROTOC} PATH)

cmake/modules/static-analysis.cmake

@@ -1,42 +0,0 @@
-# create the reports folder
-file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports)
-file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck)
-
-# cppcheck
-find_program(CPPCHECK cppcheck)
-find_program(CPPCHECK_HTMLREPORT cppcheck-htmlreport)
-
-if(NOT CPPCHECK)
-  message(STATUS "cppcheck command not found, static code analysis using cppcheck will not be available.")
-else()
-  message(STATUS "cppcheck found at: ${CPPCHECK}")
-  # we are aware that cppcheck can be run
-  # along with the software compilation in a single step
-  # using the CMAKE_CXX_CPPCHECK variables.
-  # However, for practical needs we want to keep the
-  # two things separated and have a specific target for it.
-  # Our cppcheck target reads the compilation database produced by CMake
-  set(CMAKE_EXPORT_COMPILE_COMMANDS On)
-  add_custom_target(
-      cppcheck
-      COMMAND ${CPPCHECK}
-      "--enable=all"
-      "--force"
-      "--inconclusive"
-      "--inline-suppr" # allows to specify suppressions directly in source code
-      "--project=${CMAKE_CURRENT_BINARY_DIR}/compile_commands.json" # use the compilation database as source
-      "--quiet"
-      "--xml" # we want to generate a report
-      "--output-file=${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck/cppcheck.xml" # generate the report under the reports folder in the build folder
-      "-i${CMAKE_CURRENT_BINARY_DIR}"# exclude the build folder
-  )
-endif() # CPPCHECK
-
-if(NOT CPPCHECK_HTMLREPORT)
-  message(STATUS "cppcheck-htmlreport command not found, will not be able to produce html reports for cppcheck results")
-else()
-  message(STATUS "cppcheck-htmlreport found at: ${CPPCHECK_HTMLREPORT}")
-  add_custom_target(
-    cppcheck_htmlreport
-    COMMAND ${CPPCHECK_HTMLREPORT} --title=${CMAKE_PROJECT_NAME} --report-dir=${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck --file=static-analysis-reports/cppcheck/cppcheck.xml)
-endif() # CPPCHECK_HTMLREPORT

cmake/modules/sysdig.cmake

@@ -17,9 +17,7 @@ set(SYSDIG_CMAKE_WORKING_DIR "${CMAKE_BINARY_DIR}/sysdig-repo")
 # this needs to be here at the top
 if(USE_BUNDLED_DEPS)
   # explicitly force this dependency to use the bundled OpenSSL
-  if(NOT MINIMAL_BUILD)
-    set(USE_BUNDLED_OPENSSL ON)
-  endif()
+  set(USE_BUNDLED_OPENSSL ON)
   set(USE_BUNDLED_JQ ON)
 endif()
 
@@ -29,8 +27,8 @@ file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
 # default below In case you want to test against another sysdig version just pass the variable - ie., `cmake
 # -DSYSDIG_VERSION=dev ..`
 if(NOT SYSDIG_VERSION)
-  set(SYSDIG_VERSION "2aa88dcf6243982697811df4c1b484bcbe9488a2")
-  set(SYSDIG_CHECKSUM "SHA256=a737077543a6f3473ab306b424bcf7385d788149829ed1538252661b0f20d0f6")
+  set(SYSDIG_VERSION "ae104eb20ff0198a5dcb0c91cc36c86e7c3f25c7")
+  set(SYSDIG_CHECKSUM "SHA256=43d274e4ce16b0d0e4dd00aab78006c902f36070d1cbb22d12a2685134a2ae51")
 endif()
 set(PROBE_VERSION "${SYSDIG_VERSION}")
 
@@ -57,9 +55,6 @@ add_subdirectory("${SYSDIG_SOURCE_DIR}/driver" "${PROJECT_BINARY_DIR}/driver")
 # Add libscap directory
 add_definitions(-D_GNU_SOURCE)
 add_definitions(-DHAS_CAPTURE)
-if(MUSL_OPTIMIZED_BUILD)
-  add_definitions(-DMUSL_OPTIMIZED)
-endif()
 add_subdirectory("${SYSDIG_SOURCE_DIR}/userspace/libscap" "${PROJECT_BINARY_DIR}/userspace/libscap")
 
 # Add libsinsp directory
@@ -70,8 +65,5 @@ add_dependencies(sinsp tbb b64 luajit)
 set(CREATE_TEST_TARGETS OFF)
 
 if(USE_BUNDLED_DEPS)
-  add_dependencies(scap jq)
-  if(NOT MINIMAL_BUILD)
-    add_dependencies(scap curl grpc)
-  endif()
+  add_dependencies(scap grpc curl jq)
 endif()

docker/builder/root/usr/bin/entrypoint

@@ -34,7 +34,6 @@ case "$CMD" in
     -DCMAKE_BUILD_TYPE="$BUILD_TYPE" \
     -DCMAKE_INSTALL_PREFIX=/usr \
     -DBUILD_DRIVER="$BUILD_DRIVER" \
-    -DMINIMAL_BUILD="$MINIMAL_BUILD" \
     -DBUILD_BPF="$BUILD_BPF" \
     -DBUILD_WARNINGS_AS_ERRORS="$BUILD_WARNINGS_AS_ERRORS" \
     -DFALCO_VERSION="$FALCO_VERSION" \

docker/no-driver/Dockerfile

@@ -12,16 +12,47 @@ WORKDIR /
 
 ADD https://bintray.com/api/ui/download/falcosecurity/${VERSION_BUCKET}/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz /
 
-RUN tar -xvf falco-${FALCO_VERSION}-x86_64.tar.gz && \
+RUN apt-get update -y && \
+    apt-get install -y binutils && \
+    tar -xvf falco-${FALCO_VERSION}-x86_64.tar.gz && \
     rm -f falco-${FALCO_VERSION}-x86_64.tar.gz && \
     mv falco-${FALCO_VERSION}-x86_64 falco && \
-    rm -rf falco/usr/src/falco-* falco/usr/bin/falco-driver-loader
+    strip falco/usr/bin/falco && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
 
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
     && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml
 
 FROM scratch
 
+COPY --from=ubuntu /lib/x86_64-linux-gnu/libanl.so.1 \
+    /lib/x86_64-linux-gnu/libc.so.6 \
+    /lib/x86_64-linux-gnu/libdl.so.2 \
+    /lib/x86_64-linux-gnu/libgcc_s.so.1 \
+    /lib/x86_64-linux-gnu/libm.so.6 \
+    /lib/x86_64-linux-gnu/libnsl.so.1 \
+    /lib/x86_64-linux-gnu/libnss_compat.so.2 \
+    /lib/x86_64-linux-gnu/libnss_files.so.2 \
+    /lib/x86_64-linux-gnu/libnss_nis.so.2 \
+    /lib/x86_64-linux-gnu/libpthread.so.0 \
+    /lib/x86_64-linux-gnu/librt.so.1 \
+    /lib/x86_64-linux-gnu/libz.so.1 \
+    /lib/x86_64-linux-gnu/
+
+COPY --from=ubuntu /usr/lib/x86_64-linux-gnu/libstdc++.so.6 \
+    /usr/lib/x86_64-linux-gnu/libstdc++.so.6
+
+COPY --from=ubuntu /etc/ld.so.cache \
+    /etc/nsswitch.conf \
+    /etc/ld.so.cache \
+    /etc/passwd \
+    /etc/group \
+    /etc/
+
+COPY --from=ubuntu /etc/default/nss /etc/default/nss
+COPY --from=ubuntu /lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2
+
 COPY --from=ubuntu /falco /
 
 CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/tester/root/usr/bin/entrypoint

@@ -1,11 +1,9 @@
 #!/usr/bin/env bash
 
-set -u -o pipefail
-
-BUILD_DIR=${BUILD_DIR:-/build}
-SOURCE_DIR=${SOURCE_DIR:-/source}
-SKIP_PACKAGES_TESTS=${SKIP_PACKAGES_TESTS:-false}
+set -eu -o pipefail
 
+SOURCE_DIR=/source
+BUILD_DIR=/build
 CMD=${1:-test}
 shift
 
@@ -58,11 +56,9 @@ case "$CMD" in
     fi
 
     # build docker images
-    if [ "$SKIP_PACKAGES_TESTS" = false ] ; then
-        build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "deb"
-        build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "rpm"
-        build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "tar.gz"
-    fi
+    build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "deb"
+    build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "rpm"
+    build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "tar.gz"
 
     # check that source directory contains Falco
     if [ ! -d "$SOURCE_DIR/falco/test" ]; then
@@ -73,14 +69,12 @@ case "$CMD" in
     # run tests
     echo "Running regression tests ..."
     cd "$SOURCE_DIR/falco/test"
-    SKIP_PACKAGES_TESTS=$SKIP_PACKAGES_TESTS ./run_regression_tests.sh -d "$BUILD_DIR/$BUILD_TYPE"
+    ./run_regression_tests.sh -d "$BUILD_DIR/$BUILD_TYPE"
 
     # clean docker images
-    if [ "$SKIP_PACKAGES_TESTS" = false ] ; then
-        clean_image "deb"
-        clean_image "rpm"
-        clean_image "tar.gz"
-    fi
+    clean_image "deb"
+    clean_image "rpm"
+    clean_image "tar.gz"
     ;;
 "bash")
     CMD=/bin/bash

proposals/20200506-artifacts-scope-part-1.md

@@ -4,7 +4,7 @@ The **Falco Artifact Scope** proposal is divided in two parts:
 1. the Part 1 - *this document*: the State of Art of Falco artifacts
 2. the [Part 2](./20200506-artifacts-scope-part-2.md): the intended state moving forward
 
-## Summary
+## Summary 
 
 As a project we would like to support the following artifacts.
 
@@ -16,7 +16,7 @@ Inspired by many previous issues and many of the weekly community calls.
 
 ## Terms
 
-**falco**
+**falco** 
 
 *The Falco binary*
 
@@ -30,12 +30,12 @@ Inspired by many previous issues and many of the weekly community calls.
 
 **package**
 
-*An installable artifact that is operating system specific. All packages MUST be hosted on [bintray](https://bintray.com/falcosecurity).*
+*An installable artifact that is operating system specific. All packages MUST be hosted on bintray.*
 
 **image**
 
 *OCI compliant container image hosted on dockerhub with tags for every release and the current master branch.*
-
+ 
 
 # Packages
 
@@ -52,11 +52,11 @@ List of currently official container images (for X86 64bits only):
 
 | Name | Directory | Description |
 |---|---|---|
-| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/stable | Falco (DEB built from git tag or from the master) with all the building toolchain. |
-| [falcosecurity/falco:latest-slim](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_-slim](https://hub.docker.com/repository/docker/falcosecurity/falco),[falcosecurity/falco:master-slim](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/slim | Falco (DEB build from git tag or from the master) without the building toolchain. |
-| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. |
-| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source. Used to build Falco (CI). |
-| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). |
+| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/stable | Falco (DEB built from git tag or from the master) with all the building toolchain. | 
+| [falcosecurity/falco:latest-slim](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_-slim](https://hub.docker.com/repository/docker/falcosecurity/falco),[falcosecurity/falco:master-slim](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/slim | Falco (DEB build from git tag or from the master) without the building toolchain. | 
+| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. | 
+| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source. Used to build Falco (CI). | 
+| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). | 
 | _to not be published_ | docker/local | Built on-the-fly and used by falco-tester. |
 
 **Note**: `falco-builder`, `falco-tester` (and the `docker/local` image which it's built on the fly by the `falco-tester` one) are not integrated into the release process because they are development and CI tools that need to be manually pushed only when updated.
@@ -76,7 +76,7 @@ This new [contrib](https://github.com/falcosecurity/contrib) repository will be
 
 ### repository
 
-"_Incubating level_" projects such as [falco-exporter](https://github.com/falco-exporter) can be promoted from `contrib` to their own repository.
+"_Incubating level_" projects such as [falco-exporter](https://github.com/falco-exporter) can be promoted from `contrib` to their own repository. 
 
 This is done as needed, and can best be measured by the need to cut a release and use the GitHub release features. Again, this is at the discretion of the Falco open source community.
 
@@ -92,7 +92,7 @@ The *Part 1* is mainly intended as a cleanup process.
 For each item not listed above, ask if it needs to be moved or deleted.
 After the cleanup process, all items will match the *Part 1* of this proposal.
 
-
+    
 ### Action Items
 
 Here are SOME of the items that would need to be done, for example:

proposals/20200818-artifacts-storage.md

@@ -1,83 +0,0 @@
-# Falco Artifacts Storage
-
-This document reflects the way we store the Falco artifacts.
-
-## Terms & Definitions
-
-- [Falco artifacts](./20200506-artifacts-scope-part-1.md)
-- Bintray: artifacts distribution platform
-
-## Packages
-
-The Falco packages are **automatically** built and sent to [bintray](https://bintray.com/falcosecurity) in the following cases:
-
-- a pull request gets merged into the master branch (**Falco development releases**)
-- a new Falco release (git tag) happens on the master branch (**Falco stable releases**)
-
-The only prerequisite is that the specific Falco source code builds successfully and that the tests pass.
-
-As per [Falco Artifacts Scope (#1)](./20200506-artifacts-scope-part-1.md) proposal we provide three kind of Falco packages:
-
-- DEB
-- RPM
-- Tarball
-
-Thus, we have three repositories for the Falco stable releases:
-
-- https://bintray.com/falcosecurity/deb
-- https://bintray.com/falcosecurity/rpm
-- https://bintray.com/falcosecurity/bin
-
-And three repositories for the Falco development releases:
-
-- https://bintray.com/falcosecurity/deb-dev
-- https://bintray.com/falcosecurity/rpm-dev
-- https://bintray.com/falcosecurity/bin-dev
-
-## Drivers
-
-The process of publishing a set of prebuilt Falco drivers is implemented by the **Drivers Build Grid (DBG)** in the [test-infra](https://github.com/falcosecurity/test-infra/tree/master/driverkit) repository (`driverkit` directory).
-
-This process is driven by the configuration files (YAML) present in the `driverkit/config` directory in the [test-infra](https://github.com/falcosecurity/test-infra/tree/master/driverkit) repository.
-
-Each of these files represents a prebuilt driver (eventually two: kernel module and eBPF probe, when possible) that will be published on [bintray](https://bintray.com/falcosecurity) if it builds correctly.
-
-Every time the `driverkit/config` directory on the master branch has some changes from the previous commit the CI system, which you can find defined in the [.circleci/config.yml](https://github.com/falcosecurity/test-infra/blob/master/.circleci/config.yml) file, takes care of building and publishing all the drivers.
-
-The driver versions we ship prebuilt drivers for are:
-
-- the driver version associated with the last Falco stable version ([see here](https://github.com/falcosecurity/falco/blob/c4b7f17271d1a4ca533b2e672ecaaea5289ccdc5/cmake/modules/sysdig.cmake#L29))
-- the driver version associated with the penultimate Falco stable version
-
-The prebuilt drivers get published into [this](https://bintray.com/falcosecurity/driver) generic artifacts repository.
-
-You can also visualize the full list of prebuilt drivers by driver version visiting this [URL](https://dl.bintray.com/falcosecurity/driver).
-
-### Notice
-
-The generation of new prebuilt drivers takes usually place with a frequency of 1-2 weeks, on a **best-effort** basis.
-
-Thus, it can happen the list of available prebuilt drivers does not yet contain the driver version currently on Falco master.
-
-Nevertheless, this process is an open, auditable, and transparent one.
-
-So, by sending a pull-request towards [test-infra](https://github.com/falcosecurity/test-infra) repository containing the configuration YAML files you can help the Falco community stay on track.
-
-Some pull-requests you can look at to create your own are:
-
-- https://github.com/falcosecurity/test-infra/pull/165
-- https://github.com/falcosecurity/test-infra/pull/163
-- https://github.com/falcosecurity/test-infra/pull/162
-
-While, the documentation of the YAML configuration files can be found [here](https://github.com/falcosecurity/driverkit/blob/master/README.md).
-
-## Container images
-
-As per Falco packages, also the Falco official container images are **automatically** published to the [dockerhub](https://hub.docker.com/r/falcosecurity/falco).
-
-These images are built and published in two cases:
-
-- a pull request gets merged into the master branch (**Falco development releases**)
-- a new Falco release (git tag) happens (**Falco stable releases**)
-
-For a detailed explanation of the container images we build and ship look at the following [documentation](https://github.com/falcosecurity/falco/blob/master/docker/README.md).

proposals/20200901-artifacts-cleanup.md

@@ -1,102 +0,0 @@
-# Falco Artifacts Cleanup
-
-This document reflects when and how we clean up the Falco artifacts from their storage location.
-
-## Motivation
-
-The [bintray](https://bintray.com/falcosecurity) open-source plan offers 10GB free space for storing artifacts.
-
-They also kindly granted us an additional 5GB of free space.
-
-## Goal
-
-Keep the storage space usage under 15GB by cleaning up the [Falco artifacts](./20200506-artifacts-scope-part-1.md) from the [storage](./20200818-artifacts-storage).
-
-## Status
-
-To be implemented.
-
-## Packages
-
-### Tarballs from Falco master
-
-At the moment of writing this document, this kind of Falco package requires approx. 50MB (maximum detected size) of storage space.
-
-Since, historically, the [bin-dev](https://bintray.com/falcosecurity/bin-dev) repository is the less used one, this document proposes to keep only the last 10 **Falco development releases** it contains.
-
-This means that the [bin-dev](https://bintray.com/falcosecurity/bin-dev) repository will take at maximum 500MB of storage space.
-
-### DEB from Falco master
-
-At the moment of writing this document, this kind of Falco package requires approx. 5.1MB (maximum detected size) of storage space.
-
-Historically, every Falco release is composed by less than 50 merges (upper limit).
-
-So, to theoretically retain all the **Falco development releases** that led to a Falco stable release, this document proposes to keep the last 50 Falco DEB packages.
-
-This means that the [deb-dev](https://bintray.com/falcosecurity/deb-dev) repository will take at maximum 255MB of storage space.
-
-### RPM from Falco master
-
-At the moment of writing this document, this kind of Falco package requires approx. 4.3MB (maximum detected size) of storage space.
-
-For the same exact reasons explained above this document proposes to keep the last 50 Falco RPM packages.
-
-This means that the [rpm-dev](https://bintray.com/falcosecurity/rpm-dev) repository will take at maximum 215MB of storage space.
-
-### Stable releases
-
-This document proposes to retain all the stable releases.
-
-This means that all the Falco packages present in the Falco stable release repositories will be kept.
-
-The [bin](https://bintray.com/falcosecurity/bin) repository contains a Falco tarball package for every release.
-This means it grows in space of ~50MB each month.
-
-The [deb](https://bintray.com/falcosecurity/deb) repository contains a Falco DEB package for every release.
-This means it grows in space of ~5MB each month.
-
-The [rpm](https://bintray.com/falcosecurity/rpm) repository contains a Falco RPM package for every release.
-This means it grows in space of ~4.3MB each month.
-
-### Considerations
-
-Assuming the size of the packages does not surpass the numbers listed in the above sections, the **Falco development releases** will always take less that 1GB of artifacts storage space.
-
-Assuming 12 stable releases at year, at the current size of packages, the **Falco stable releases** will take approx. 720MB of storage space every year.
-
-### Implementation
-
-The Falco CI will have a new CI job - called `cleanup/packages-dev` - responsible for removing the **Falco development releases** depending on the above plan.
-
-This job will be triggered after the `publish/packages-dev` completed successfully.
-
-## Drivers
-
-As explained in the [Artifacts Storage](./20200818-artifacts-storage) proposal, we build the drivers for the **last two driver versions** associated with **latest Falco stable releases**.
-Then, we store those drivers into a [generic bintray repository](https://bintray.com/falcosecurity/driver) from which the installation process automatically downloads them, if suitable.
-
-This document proposes to implement a cleanup mechanism that deletes all the other driver versions available.
-
-At the moment of writing, considering only the last two driver versions (**ae104eb**, **85c8895**) associated with the latest Falco stable releases, we ship ~340 eBPF drivers, each accounting for ~3.1MB of storage space, and 1512 kernel modules (~3.1MB size each, too).
-
-Thus, we obtain an estimate of approx. 2.875GB for **each** driver version.
-
-This document proposes to only store the last two driver versions associates with the latest Falco stable releases. And deleting the other ones.
-
-This way, assuming the number of prebuilt drivers does not skyrocket, we can reasonably estimate the storage space used by prebuilt drivers to be around 6GB.
-
-Notice that, in case a Falco stable release will not depend on a new driver version, this means the last two driver versions will, in this case, cover more than the two Falco stable releases.
-
-### Archivation
-
-Since the process of building drivers is time and resource consuming, this document also proposes to move the driver versions in other storage facilities.
-
-The candidate is an AWS S3 bucket responsible for holding the deleted driver version files.
-
-### Implementation
-
-The [test-infra](https://github.com/falcosecurity/test-infra) CI, specifically its part dedicated to run the **Drivers Build Grid** that runs every time it detects changes into the `driverkit` directory of the [test-infra](https://github.com/falcosecurity/test-infra) repository,
-will have a new job - called `drivers/cleanup` - responsible for removing all the Falco driver versions except the last two.
-
-This job will be triggered after the `drivers/publish` completed successfully on the master branch.

rules/CMakeLists.txt

@@ -37,7 +37,8 @@ if(DEFINED FALCO_COMPONENT)
     COMPONENT "${FALCO_COMPONENT}"
     DESTINATION "${FALCO_ETC_DIR}"
     RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}")
-# Intentionally *not* installing application_rules.yaml. Not needed when falco is embedded in other projects.
+
+  # Intentionally *not* installing application_rules.yaml. Not needed when falco is embedded in other projects.
 else()
   install(
     FILES falco_rules.yaml
@@ -56,8 +57,8 @@ else()
 
   install(
     FILES application_rules.yaml
-    DESTINATION "${FALCO_ETC_DIR}/rules.available"
+    DESTINATION "/etc/falco/rules.available"
     RENAME "${FALCO_APP_RULES_DEST_FILENAME}")
 
-  install(DIRECTORY DESTINATION "${FALCO_ETC_DIR}/rules.d")
+  install(DIRECTORY DESTINATION "/etc/falco/rules.d")
 endif()

rules/falco_rules.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2019 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -23,7 +23,7 @@
 # change to this rules file, we'll uncomment this line and set it to
 # the falco engine version in use at the time.
 #
-- required_engine_version: 7
+#- required_engine_version: 2
 
 # Currently disabled as read/write are ignored syscalls. The nearly
 # similar open_write/open_read check for files being opened for
@@ -344,8 +344,8 @@
 # for efficiency.
 - macro: inbound_outbound
   condition: >
-    ((((evt.type in (accept,listen,connect) and evt.dir=<)) or
-     (fd.typechar = 4 or fd.typechar = 6)) and
+    (((evt.type in (accept,listen,connect) and evt.dir=<)) or
+     (fd.typechar = 4 or fd.typechar = 6) and
      (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
      (evt.rawres >= 0 or evt.res = EINPROGRESS))
 
@@ -368,7 +368,7 @@
 - rule: Disallowed SSH Connection
   desc: Detect any new ssh connection to a host other than those in an allowed group of hosts
   condition: (inbound_outbound) and ssh_port and not allowed_ssh_hosts
-  output: Disallowed SSH Connection (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
+  output: Disallowed SSH Connection (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id image=%container.image.repository)
   priority: NOTICE
   tags: [network, mitre_remote_service]
 
@@ -399,7 +399,7 @@
     ((fd.sip in (allowed_outbound_destination_ipaddrs)) or
      (fd.snet in (allowed_outbound_destination_networks)) or
      (fd.sip.name in (allowed_outbound_destination_domains)))
-  output: Disallowed outbound connection destination (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
+  output: Disallowed outbound connection destination (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id image=%container.image.repository)
   priority: NOTICE
   tags: [network]
 
@@ -422,7 +422,7 @@
     ((fd.cip in (allowed_inbound_source_ipaddrs)) or
      (fd.cnet in (allowed_inbound_source_networks)) or
      (fd.cip.name in (allowed_inbound_source_domains)))
-  output: Disallowed inbound connection source (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
+  output: Disallowed inbound connection source (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id image=%container.image.repository)
   priority: NOTICE
   tags: [network]
 
@@ -461,7 +461,7 @@
     and not proc.name in (shell_binaries)
     and not exe_running_docker_save
   output: >
-    a shell configuration file has been modified (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name container_id=%container.id image=%container.image.repository)
+    a shell configuration file has been modified (user=%user.name command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name container_id=%container.id image=%container.image.repository)
   priority:
     WARNING
   tags: [file, mitre_persistence]
@@ -483,7 +483,7 @@
      fd.directory in (shell_config_directories)) and
     (not proc.name in (shell_binaries))
   output: >
-    a shell configuration file was read by a non-shell program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
+    a shell configuration file was read by a non-shell program (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
   priority:
     WARNING
   tags: [file, mitre_discovery]
@@ -502,7 +502,7 @@
     consider_all_cron_jobs and
     not user_known_cron_jobs
   output: >
-    Cron jobs were scheduled to run (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline
+    Cron jobs were scheduled to run (user=%user.name command=%proc.cmdline
     file=%fd.name container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority:
     NOTICE
@@ -512,8 +512,8 @@
 
 # When displaying container information in the output field, use
 # %container.info, without any leading term (file=%fd.name
-# %container.info user=%user.name user_loginuid=%user.loginuid, and not file=%fd.name
-# container=%container.info user=%user.name user_loginuid=%user.loginuid). The output will change
+# %container.info user=%user.name, and not file=%fd.name
+# container=%container.info user=%user.name). The output will change
 # based on the context and whether or not -pk/-pm/-pc was specified on
 # the command line.
 - macro: container
@@ -696,8 +696,8 @@
 - macro: run_by_foreman
   condition: >
     (user.name=foreman and
-     ((proc.pname in (rake, ruby, scl) and proc.aname[5] in (tfm-rake,tfm-ruby)) or
-     (proc.pname=scl and proc.aname[2] in (tfm-rake,tfm-ruby))))
+     (proc.pname in (rake, ruby, scl) and proc.aname[5] in (tfm-rake,tfm-ruby)) or
+     (proc.pname=scl and proc.aname[2] in (tfm-rake,tfm-ruby)))
 
 - macro: java_running_sdjagent
   condition: proc.name=java and proc.cmdline contains sdjagent.jar
@@ -746,13 +746,6 @@
 - macro: runuser_reading_pam
   condition: (proc.name=runuser and fd.directory=/etc/pam.d)
 
-# CIS Linux Benchmark program
-- macro: linux_bench_reading_etc_shadow
-  condition: ((proc.aname[2]=linux-bench and
-               proc.name in (awk,cut,grep)) and
-              (fd.name=/etc/shadow or
-               fd.directory=/etc/pam.d))
-
 - macro: parent_ucf_writing_conf
   condition: (proc.pname=ucf and proc.aname[2]=frontend)
 
@@ -935,12 +928,10 @@
   items: [sources.list]
 
 - list: repository_directories
-  items: [/etc/apt/sources.list.d, /etc/yum.repos.d, /etc/apt]
+  items: [/etc/apt/sources.list.d, /etc/yum.repos.d]
 
 - macro: access_repositories
-  condition: (fd.directory in (repository_directories) or
-              (fd.name pmatch (repository_directories) and
-               fd.filename in (repository_files)))
+  condition: (fd.filename in (repository_files) or fd.directory in (repository_directories))
 
 - macro: modify_repositories
   condition: (evt.arg.newpath pmatch (repository_directories))
@@ -953,11 +944,10 @@
   condition: >
     ((open_write and access_repositories) or (modify and modify_repositories))
     and not package_mgmt_procs
-    and not package_mgmt_ancestor_procs
     and not exe_running_docker_save
     and not user_known_update_package_registry
   output: >
-    Repository files get updated (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name newpath=%evt.arg.newpath container_id=%container.id image=%container.image.repository)
+    Repository files get updated (user=%user.name command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name newpath=%evt.arg.newpath container_id=%container.id image=%container.image.repository)
   priority:
     NOTICE
   tags: [filesystem, mitre_persistence]
@@ -978,7 +968,7 @@
     and not python_running_ms_oms
     and not user_known_write_below_binary_dir_activities
   output: >
-    File below a known binary directory opened for writing (user=%user.name user_loginuid=%user.loginuid
+    File below a known binary directory opened for writing (user=%user.name
     command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository)
   priority: ERROR
   tags: [filesystem, mitre_persistence]
@@ -1036,7 +1026,7 @@
     and not cloud_init_writing_ssh
     and not user_known_write_monitored_dir_conditions
   output: >
-    File below a monitored directory opened for writing (user=%user.name user_loginuid=%user.loginuid
+    File below a monitored directory opened for writing (user=%user.name
     command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository)
   priority: ERROR
   tags: [filesystem, mitre_persistence]
@@ -1059,7 +1049,7 @@
      not user_known_read_ssh_information_activities and
      not proc.name in (ssh_binaries))
   output: >
-    ssh-related file/directory read by non-ssh program (user=%user.name user_loginuid=%user.loginuid
+    ssh-related file/directory read by non-ssh program (user=%user.name
     command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline container_id=%container.id image=%container.image.repository)
   priority: ERROR
   tags: [filesystem, mitre_discovery]
@@ -1155,7 +1145,7 @@
 
 - macro: redis_writing_conf
   condition: >
-    (proc.name in (run-redis, redis-launcher.) and (fd.name=/etc/redis.conf or fd.name startswith /etc/redis))
+    (proc.name in (run-redis, redis-launcher.) and fd.name=/etc/redis.conf or fd.name startswith /etc/redis)
 
 - macro: openvpn_writing_conf
   condition: (proc.name in (openvpn,openvpn-entrypo) and fd.name startswith /etc/openvpn)
@@ -1183,10 +1173,7 @@
 
 - macro: calico_writing_conf
   condition: >
-    (((proc.name = calico-node) or
-      (container.image.repository=gcr.io/projectcalico-org/node and proc.name in (start_runit, cp)) or
-      (container.image.repository=gcr.io/projectcalico-org/cni and proc.name=sed))
-     and fd.name startswith /etc/calico)
+    (proc.name = calico-node and fd.name startswith /etc/calico)
 
 - macro: prometheus_conf_writing_conf
   condition: (proc.name=prometheus-conf and fd.name startswith /etc/prometheus/config_out)
@@ -1337,7 +1324,7 @@
 - rule: Write below etc
   desc: an attempt to write to any file below /etc
   condition: write_etc_common
-  output: "File below /etc opened for writing (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name program=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)"
+  output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name program=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)"
   priority: ERROR
   tags: [filesystem, mitre_persistence]
 
@@ -1406,14 +1393,10 @@
 - macro: runc_writing_var_lib_docker
   condition: (proc.cmdline="runc:[1:CHILD] init" and evt.arg.filename startswith /var/lib/docker)
 
-- macro: mysqlsh_writing_state
-  condition: (proc.name=mysqlsh and fd.directory=/root/.mysqlsh)
-
 - rule: Write below root
   desc: an attempt to write to any file directly below / or /root
   condition: >
     root_dir and evt.dir = < and open_write
-    and proc_name_exists
     and not fd.name in (known_root_files)
     and not fd.directory pmatch (known_root_directories)
     and not exe_running_docker_save
@@ -1430,11 +1413,10 @@
     and not calico_writing_state
     and not rancher_writing_root
     and not runc_writing_exec_fifo
-    and not mysqlsh_writing_state
     and not known_root_conditions
     and not user_known_write_root_conditions
     and not user_known_write_below_root_activities
-  output: "File below / or /root opened for writing (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name container_id=%container.id image=%container.image.repository)"
+  output: "File below / or /root opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name container_id=%container.id image=%container.image.repository)"
   priority: ERROR
   tags: [filesystem, mitre_persistence]
 
@@ -1451,7 +1433,7 @@
     at startup to load initial state, but not afterwards.
   condition: sensitive_files and open_read and server_procs and not proc_is_new and proc.name!="sshd" and not user_known_read_sensitive_files_activities
   output: >
-    Sensitive file opened for reading by trusted program after startup (user=%user.name user_loginuid=%user.loginuid
+    Sensitive file opened for reading by trusted program after startup (user=%user.name
     command=%proc.cmdline parent=%proc.pname file=%fd.name parent=%proc.pname gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository)
   priority: WARNING
   tags: [filesystem, mitre_credential_access]
@@ -1493,9 +1475,7 @@
     and not proc.name in (user_mgmt_binaries, userexec_binaries, package_mgmt_binaries,
      cron_binaries, read_sensitive_file_binaries, shell_binaries, hids_binaries,
      vpn_binaries, mail_config_binaries, nomachine_binaries, sshkit_script_binaries,
-     in.proftpd, mandb, salt-minion, postgres_mgmt_binaries,
-     google_oslogin_
-     )
+     in.proftpd, mandb, salt-minion, postgres_mgmt_binaries)
     and not cmp_cp_by_passwd
     and not ansible_running_python
     and not proc.cmdline contains /usr/bin/mandb
@@ -1508,11 +1488,10 @@
     and not veritas_driver_script
     and not perl_running_centrifydc
     and not runuser_reading_pam
-    and not linux_bench_reading_etc_shadow
     and not user_known_read_sensitive_files_activities
     and not user_read_sensitive_file_containers
   output: >
-    Sensitive file opened for reading by non-trusted program (user=%user.name user_loginuid=%user.loginuid program=%proc.name
+    Sensitive file opened for reading by non-trusted program (user=%user.name program=%proc.name
     command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)
   priority: WARNING
   tags: [filesystem, mitre_credential_access, mitre_discovery]
@@ -1575,7 +1554,7 @@
     and not postgres_running_wal_e
     and not user_known_db_spawned_processes
   output: >
-    Database-related program spawned process other than itself (user=%user.name user_loginuid=%user.loginuid
+    Database-related program spawned process other than itself (user=%user.name
     program=%proc.cmdline parent=%proc.pname container_id=%container.id image=%container.image.repository)
   priority: NOTICE
   tags: [process, database, mitre_execution]
@@ -1587,7 +1566,7 @@
   desc: an attempt to modify any file below a set of binary directories.
   condition: bin_dir_rename and modify and not package_mgmt_procs and not exe_running_docker_save and not user_known_modify_bin_dir_activities
   output: >
-    File below known binary directory renamed/removed (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline
+    File below known binary directory renamed/removed (user=%user.name command=%proc.cmdline
     pcmdline=%proc.pcmdline operation=%evt.type file=%fd.name %evt.args container_id=%container.id image=%container.image.repository)
   priority: ERROR
   tags: [filesystem, mitre_persistence]
@@ -1599,7 +1578,7 @@
   desc: an attempt to create a directory below a set of binary directories.
   condition: mkdir and bin_dir_mkdir and not package_mgmt_procs and not user_known_mkdir_bin_dir_activities
   output: >
-    Directory below known binary directory created (user=%user.name user_loginuid=%user.loginuid
+    Directory below known binary directory created (user=%user.name
     command=%proc.cmdline directory=%evt.arg.path container_id=%container.id image=%container.image.repository)
   priority: ERROR
   tags: [filesystem, mitre_persistence]
@@ -1628,7 +1607,6 @@
     as a part of creating a container) by calling setns.
   condition: >
     evt.type=setns and evt.dir=<
-    and proc_name_exists
     and not (container.id=host and proc.name in (docker_binaries, k8s_binaries, lxd_binaries, nsenter))
     and not proc.name in (sysdigcloud_binaries, sysdig, calico, oci-umount, cilium-cni, network_plugin_binaries)
     and not proc.name in (user_known_change_thread_namespace_binaries)
@@ -1644,7 +1622,7 @@
     and not weaveworks_scope
     and not user_known_change_thread_namespace_activities
   output: >
-    Namespace change (setns) by unexpected program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline
+    Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline
     parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository:%container.image.tag)
   priority: NOTICE
   tags: [process, mitre_privilege_escalation, mitre_lateral_movement]
@@ -1790,7 +1768,7 @@
     and not run_by_appdynamics
     and not user_shell_container_exclusions
   output: >
-    Shell spawned by untrusted binary (user=%user.name user_loginuid=%user.loginuid shell=%proc.name parent=%proc.pname
+    Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname
     cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3]
     aname[4]=%proc.aname[4] aname[5]=%proc.aname[5] aname[6]=%proc.aname[6] aname[7]=%proc.aname[7] container_id=%container.id image=%container.image.repository)
   priority: DEBUG
@@ -1865,29 +1843,11 @@
 # These container images are allowed to run with --privileged
 - list: falco_privileged_images
   items: [
-    docker.io/calico/node,
-    docker.io/cloudnativelabs/kube-router,
-    docker.io/docker/ucp-agent,
-    docker.io/falcosecurity/falco,
-    docker.io/mesosphere/mesos-slave,
-    docker.io/rook/toolbox,
-    docker.io/sysdig/falco,
-    docker.io/sysdig/sysdig,
-    falcosecurity/falco,
-    gcr.io/google_containers/kube-proxy,
-    gcr.io/google-containers/startup-script,
-    gcr.io/projectcalico-org/node,
-    gke.gcr.io/kube-proxy,
-    gke.gcr.io/gke-metadata-server,
-    gke.gcr.io/netd-amd64,
-    gcr.io/google-containers/prometheus-to-sd,
-    k8s.gcr.io/ip-masq-agent-amd64,
-    k8s.gcr.io/kube-proxy,
-    k8s.gcr.io/prometheus-to-sd,
-    quay.io/calico/node,
-    sysdig/falco,
-    sysdig/sysdig,
-    sematext_images
+    docker.io/sysdig/falco, docker.io/sysdig/sysdig,
+    gcr.io/google_containers/kube-proxy, docker.io/calico/node, quay.io/calico/node,
+    docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/mesosphere/mesos-slave,
+    docker.io/docker/ucp-agent, sematext_images, k8s.gcr.io/kube-proxy,
+    docker.io/falcosecurity/falco, sysdig/falco, sysdig/sysdig, falcosecurity/falco
     ]
 
 - macro: falco_privileged_containers
@@ -1930,20 +1890,11 @@
   condition: (user_trusted_containers or
               container.image.repository in (trusted_images) or
               container.image.repository in (falco_sensitive_mount_images) or
-              container.image.repository startswith quay.io/sysdig/)
+              container.image.repository startswith quay.io/sysdig)
 
 # These container images are allowed to run with hostnetwork=true
 - list: falco_hostnetwork_images
-  items: [
-    gcr.io/google-containers/prometheus-to-sd,
-    gcr.io/projectcalico-org/typha,
-    gcr.io/projectcalico-org/node,
-    gke.gcr.io/gke-metadata-server,
-    gke.gcr.io/kube-proxy,
-    gke.gcr.io/netd-amd64,
-    k8s.gcr.io/ip-masq-agent-amd64
-    k8s.gcr.io/prometheus-to-sd,
-    ]
+  items: []
 
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to specify additional containers that are
@@ -1961,7 +1912,7 @@
     and container.privileged=true
     and not falco_privileged_containers
     and not user_privileged_containers
-  output: Privileged container started (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
+  output: Privileged container started (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
   priority: INFO
   tags: [container, cis, mitre_privilege_escalation, mitre_lateral_movement]
 
@@ -2005,7 +1956,7 @@
     and sensitive_mount
     and not falco_sensitive_mount_containers
     and not user_sensitive_mount_containers
-  output: Container with sensitive mount started (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag mounts=%container.mounts)
+  output: Container with sensitive mount started (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag mounts=%container.mounts)
   priority: INFO
   tags: [container, cis, mitre_lateral_movement]
 
@@ -2025,7 +1976,7 @@
   desc: >
     Detect the initial process started by a container that is not in a list of allowed containers.
   condition: container_started and container and not allowed_containers
-  output: Container started and not in allowed list (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
+  output: Container started and not in allowed list (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
   priority: WARNING
   tags: [container, mitre_lateral_movement]
 
@@ -2040,7 +1991,7 @@
 - rule: System user interactive
   desc: an attempt to run interactive commands by a system (i.e. non-login) user
   condition: spawned_process and system_users and interactive and not user_known_system_user_login
-  output: "System user ran an interactive command (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline container_id=%container.id image=%container.image.repository)"
+  output: "System user ran an interactive command (user=%user.name command=%proc.cmdline container_id=%container.id image=%container.image.repository)"
   priority: INFO
   tags: [users, mitre_remote_access_tools]
 
@@ -2057,7 +2008,7 @@
     and container_entrypoint
     and not user_expected_terminal_shell_in_container_conditions
   output: >
-    A shell was spawned in a container with an attached terminal (user=%user.name user_loginuid=%user.loginuid %container.info
+    A shell was spawned in a container with an attached terminal (user=%user.name %container.info
     shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository)
   priority: NOTICE
   tags: [container, shell, mitre_execution]
@@ -2133,7 +2084,7 @@
     and not user_expected_system_procs_network_activity_conditions
   output: >
     Known system binary sent/received network traffic
-    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository)
+    (user=%user.name command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository)
   priority: NOTICE
   tags: [network, mitre_exfiltration]
 
@@ -2171,7 +2122,7 @@
     proc.env icontains HTTP_PROXY
   output: >
     Program run with disallowed HTTP_PROXY environment variable
-    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline env=%proc.env parent=%proc.pname container_id=%container.id image=%container.image.repository)
+    (user=%user.name command=%proc.cmdline env=%proc.env parent=%proc.pname container_id=%container.id image=%container.image.repository)
   priority: NOTICE
   tags: [host, users]
 
@@ -2194,7 +2145,7 @@
      and interpreted_procs)
   output: >
     Interpreted program received/listened for network traffic
-    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository)
+    (user=%user.name command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository)
   priority: NOTICE
   tags: [network, mitre_exfiltration]
 
@@ -2205,7 +2156,7 @@
      and interpreted_procs)
   output: >
     Interpreted program performed outgoing network connection
-    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository)
+    (user=%user.name command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository)
   priority: NOTICE
   tags: [network, mitre_exfiltration]
 
@@ -2246,7 +2197,7 @@
   condition: (inbound_outbound) and do_unexpected_udp_check and fd.l4proto=udp and not expected_udp_traffic
   output: >
     Unexpected UDP Traffic Seen
-    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name proto=%fd.l4proto evt=%evt.type %evt.args container_id=%container.id image=%container.image.repository)
+    (user=%user.name command=%proc.cmdline connection=%fd.name proto=%fd.l4proto evt=%evt.type %evt.args container_id=%container.id image=%container.image.repository)
   priority: NOTICE
   tags: [network, mitre_exfiltration]
 
@@ -2305,7 +2256,7 @@
     and not nrpe_becoming_nagios
     and not user_known_non_sudo_setuid_conditions
   output: >
-    Unexpected setuid call by non-sudo, non-root program (user=%user.name user_loginuid=%user.loginuid cur_uid=%user.uid parent=%proc.pname
+    Unexpected setuid call by non-sudo, non-root program (user=%user.name cur_uid=%user.uid parent=%proc.pname
     command=%proc.cmdline uid=%evt.arg.uid container_id=%container.id image=%container.image.repository)
   priority: NOTICE
   tags: [users, mitre_privilege_escalation]
@@ -2334,7 +2285,7 @@
     not user_known_user_management_activities
   output: >
     User management binary command run outside of container
-    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])
+    (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])
   priority: NOTICE
   tags: [host, users, mitre_persistence]
 
@@ -2358,7 +2309,7 @@
     and not fd.name in (allowed_dev_files)
     and not fd.name startswith /dev/tty
     and not user_known_create_files_below_dev_activities
-  output: "File created below /dev by untrusted program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)"
+  output: "File created below /dev by untrusted program (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)"
   priority: ERROR
   tags: [filesystem, mitre_persistence]
 
@@ -2476,7 +2427,7 @@
     and not package_mgmt_ancestor_procs
     and not user_known_package_manager_in_container
   output: >
-    Package management process launched in container (user=%user.name user_loginuid=%user.loginuid
+    Package management process launched in container (user=%user.name
     command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority: ERROR
   tags: [process, mitre_persistence]
@@ -2490,7 +2441,7 @@
                               or proc.args contains "-c " or proc.args contains "--lua-exec"))
     )
   output: >
-    Netcat runs inside container that allows remote code execution (user=%user.name user_loginuid=%user.loginuid
+    Netcat runs inside container that allows remote code execution (user=%user.name
     command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority: WARNING
   tags: [network, process, mitre_execution]
@@ -2503,7 +2454,7 @@
   condition: >
     spawned_process and container and network_tool_procs and not user_known_network_tool_activities
   output: >
-    Network tool launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent_process=%proc.pname
+    Network tool launched in container (user=%user.name command=%proc.cmdline parent_process=%proc.pname
     container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority: NOTICE
   tags: [network, process, mitre_discovery, mitre_exfiltration]
@@ -2523,7 +2474,7 @@
     network_tool_procs and
     not user_known_network_tool_activities
   output: >
-    Network tool launched on host (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent_process=%proc.pname)
+    Network tool launched on host (user=%user.name command=%proc.cmdline parent_process=%proc.pname)
   priority: NOTICE
   tags: [network, process, mitre_discovery, mitre_exfiltration]
 
@@ -2559,7 +2510,7 @@
     )
   output: >
     Grep private keys or passwords activities found
-    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline container_id=%container.id container_name=%container.name
+    (user=%user.name command=%proc.cmdline container_id=%container.id container_name=%container.name
     image=%container.image.repository:%container.image.tag)
   priority:
     WARNING
@@ -2593,7 +2544,7 @@
     not trusted_logging_images and
     not allowed_clear_log_files
   output: >
-    Log files were tampered (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
+    Log files were tampered (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
   priority:
     WARNING
   tags: [file, mitre_defense_evasion]
@@ -2611,12 +2562,13 @@
   desc: Detect process running to clear bulk data from disk
   condition: spawned_process and clear_data_procs and not user_known_remove_data_activities
   output: >
-    Bulk data has been removed from disk (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
+    Bulk data has been removed from disk (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
   priority:
     WARNING
   tags: [process, mitre_persistence]
 
-- macro: modify_shell_history
+- rule: Delete or rename shell history
+  desc: Detect shell history deletion
   condition: >
     (modify and (
       evt.arg.name contains "bash_history" or
@@ -2630,27 +2582,14 @@
       evt.arg.path contains "bash_history" or
       evt.arg.path contains "zsh_history" or
       evt.arg.path contains "fish_read_history" or
-      evt.arg.path endswith "fish_history"))
-
-- macro: truncate_shell_history
-  condition: >
+      evt.arg.path endswith "fish_history")) or
     (open_write and (
       fd.name contains "bash_history" or
       fd.name contains "zsh_history" or
       fd.name contains "fish_read_history" or
       fd.name endswith "fish_history") and evt.arg.flags contains "O_TRUNC")
-
-- macro: var_lib_docker_filepath
-  condition: (evt.arg.name startswith /var/lib/docker or fd.name startswith /var/lib/docker)
-
-- rule: Delete or rename shell history
-  desc: Detect shell history deletion
-  condition: >
-    (modify_shell_history or truncate_shell_history) and
-       not var_lib_docker_filepath and
-       not proc.name in (docker_binaries)
   output: >
-    Shell history had been deleted or renamed (user=%user.name user_loginuid=%user.loginuid type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
+    Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
   priority:
     WARNING
   tags: [process, mitre_defense_evasion]
@@ -2663,7 +2602,7 @@
     ((spawned_process and proc.name in (shred, rm, mv) and proc.args contains "bash_history") or
      (open_write and fd.name contains "bash_history" and evt.arg.flags contains "O_TRUNC"))
   output: >
-    Shell history had been deleted or renamed (user=%user.name user_loginuid=%user.loginuid type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
+    Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
   priority:
     WARNING
   tags: [process, mitre_defense_evasion]
@@ -2691,7 +2630,7 @@
     and not exe_running_docker_save
     and not user_known_set_setuid_or_setgid_bit_conditions
   output: >
-    Setuid or setgid bit is set via chmod (fd=%evt.arg.fd filename=%evt.arg.filename mode=%evt.arg.mode user=%user.name user_loginuid=%user.loginuid process=%proc.name
+    Setuid or setgid bit is set via chmod (fd=%evt.arg.fd filename=%evt.arg.filename mode=%evt.arg.mode user=%user.name process=%proc.name
     command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority:
     NOTICE
@@ -2716,7 +2655,7 @@
     consider_hidden_file_creation and
     not user_known_create_hidden_file_activities
   output: >
-    Hidden file or directory created (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline
+    Hidden file or directory created (user=%user.name command=%proc.cmdline
     file=%fd.name newpath=%evt.arg.newpath container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority:
     NOTICE
@@ -2733,7 +2672,7 @@
   condition: >
     spawned_process and container and remote_file_copy_procs
   output: >
-    Remote file copy tool launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent_process=%proc.pname
+    Remote file copy tool launched in container (user=%user.name command=%proc.cmdline parent_process=%proc.pname
     container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority: NOTICE
   tags: [network, process, mitre_lateral_movement, mitre_exfiltration]
@@ -2744,7 +2683,7 @@
     create_symlink and
     (evt.arg.target in (sensitive_file_names) or evt.arg.target in (sensitive_directory_names))
   output: >
-    Symlinks created over senstivie files (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline target=%evt.arg.target linkpath=%evt.arg.linkpath parent_process=%proc.pname)
+    Symlinks created over senstivie files (user=%user.name command=%proc.cmdline target=%evt.arg.target linkpath=%evt.arg.linkpath parent_process=%proc.pname)
   priority: NOTICE
   tags: [file, mitre_exfiltration]
 
@@ -2867,23 +2806,24 @@
 - rule: The docker client is executed in a container
   desc: Detect a k8s client tool executed inside a container
   condition: spawned_process and container and not user_known_k8s_client_container_parens and proc.name in (k8s_client_binaries)
-  output: "Docker or kubernetes client executed in container (user=%user.name user_loginuid=%user.loginuid %container.info parent=%proc.pname cmdline=%proc.cmdline image=%container.image.repository:%container.image.tag)"
+  output: "Docker or kubernetes client executed in container (user=%user.name %container.info parent=%proc.pname cmdline=%proc.cmdline image=%container.image.repository:%container.image.tag)"
   priority: WARNING
   tags: [container, mitre_execution]
 
 
-# This rule is enabled by default. 
-# If you want to disable it, modify the following macro.
+# This rule is not enabled by default, as there are legitimate use
+# cases for raw packet. If you want to enable it, modify the
+# following macro.
 - macro: consider_packet_socket_communication
-  condition: (always_true)
+  condition: (never_true)
 
 - list: user_known_packet_socket_binaries
   items: []
 
 - rule: Packet socket created in container
-  desc: Detect new packet socket at the device driver (OSI Layer 2) level in a container. Packet socket could be used for ARP Spoofing and privilege escalation(CVE-2020-14386) by attacker.
+  desc: Detect new packet socket at the device driver (OSI Layer 2) level in a container. Packet socket could be used to do ARP Spoofing by attacker.
   condition: evt.type=socket and evt.arg[0]=AF_PACKET and consider_packet_socket_communication and container and not proc.name in (user_known_packet_socket_binaries)
-  output: Packet socket was created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline socket_info=%evt.args container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
+  output: Packet socket was created in a container (user=%user.name command=%proc.cmdline socket_info=%evt.args container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority: NOTICE
   tags: [network, mitre_discovery]
 
@@ -2922,7 +2862,7 @@
     k8s.ns.name in (namespace_scope_network_only_subnet)
   output: >
     Network connection outside local subnet
-    (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id
+    (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id
      image=%container.image.repository namespace=%k8s.ns.name
      fd.rip.name=%fd.rip.name fd.lip.name=%fd.lip.name fd.cip.name=%fd.cip.name fd.sip.name=%fd.sip.name)
   priority: WARNING
@@ -2962,7 +2902,7 @@
     not fd.sport in (authorized_server_port)
   output: >
     Network connection outside authorized port and binary
-    (command=%proc.cmdline connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id
+    (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id
     image=%container.image.repository)
   priority: WARNING
   tags: [network]
@@ -2974,7 +2914,7 @@
   desc: Detect redirecting stdout/stdin to network connection in container (potential reverse shell).
   condition: evt.type=dup and evt.dir=> and container and fd.num in (0, 1, 2) and fd.type in ("ipv4", "ipv6") and not user_known_stand_streams_redirect_activities
   output: >
-    Redirect stdout/stdin to network connection (user=%user.name user_loginuid=%user.loginuid %container.info process=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository fd.name=%fd.name fd.num=%fd.num fd.type=%fd.type fd.sip=%fd.sip)
+    Redirect stdout/stdin to network connection (user=%user.name %container.info process=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository fd.name=%fd.name fd.num=%fd.num fd.type=%fd.type fd.sip=%fd.sip)
   priority: WARNING
 
 # The two Container Drift rules below will fire when a new executable is created in a container.
@@ -3003,7 +2943,7 @@
     ((evt.arg.mode contains "S_IXUSR") or
     (evt.arg.mode contains "S_IXGRP") or
     (evt.arg.mode contains "S_IXOTH"))
-  output: Drift detected (chmod), new executable created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type)
+  output: Drift detected (chmod), new executable created in a container (user=%user.name command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type)
   priority: ERROR
 
 # ****************************************************************************
@@ -3019,7 +2959,7 @@
     not runc_writing_var_lib_docker and
     not user_known_container_drift_activities and
     evt.rawres>=0
-  output: Drift detected (open+create), new executable created in a container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type)
+  output: Drift detected (open+create), new executable created in a container (user=%user.name command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type)
   priority: ERROR
 
 

rules/k8s_audit_rules.yaml

@@ -48,8 +48,6 @@
     "minikube", "minikube-user", "kubelet", "kops", "admin", "kube", "kube-proxy", "kube-apiserver-healthcheck",
     "kubernetes-admin",
     vertical_pod_autoscaler_users,
-    cluster-autoscaler,
-    "system:addon-manager"
     ]
 
 - rule: Disallowed K8s User
@@ -244,48 +242,20 @@
   source: k8s_audit
   tags: [k8s]
 
-# Only defined for backwards compatibility. Use the more specific
-# user_allowed_kube_namespace_image_list instead.
 - list: user_trusted_image_list
   items: []
 
-- list: user_allowed_kube_namespace_image_list
-  items: [user_trusted_image_list]
-
-# Only defined for backwards compatibility. Use the more specific
-# allowed_kube_namespace_image_list instead.
 - list: k8s_image_list
-  items: []
+  items: [k8s.gcr.io/kube-apiserver, kope/kube-apiserver-healthcheck]
 
-- list: allowed_kube_namespace_image_list
-  items: [
-    gcr.io/google-containers/prometheus-to-sd,
-    gcr.io/projectcalico-org/node,
-    gke.gcr.io/addon-resizer,
-    gke.gcr.io/heapster,
-    gke.gcr.io/gke-metadata-server,
-    k8s.gcr.io/ip-masq-agent-amd64,
-    k8s.gcr.io/kube-apiserver,
-    gke.gcr.io/kube-proxy,
-    gke.gcr.io/netd-amd64,
-    k8s.gcr.io/addon-resizer
-    k8s.gcr.io/prometheus-to-sd,
-    k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64,
-    k8s.gcr.io/k8s-dns-kube-dns-amd64,
-    k8s.gcr.io/k8s-dns-sidecar-amd64,
-    k8s.gcr.io/metrics-server-amd64,
-    kope/kube-apiserver-healthcheck,
-    k8s_image_list
-    ]
-
-- macro: allowed_kube_namespace_pods
-  condition: (ka.req.pod.containers.image.repository in (user_allowed_kube_namespace_image_list) or
-              ka.req.pod.containers.image.repository in (allowed_kube_namespace_image_list))
+- macro: trusted_pod
+  condition: (ka.req.pod.containers.image.repository in (user_trusted_image_list) or
+              ka.req.pod.containers.image.repository in (k8s_image_list))
 
 # Detect any new pod created in the kube-system namespace
 - rule: Pod Created in Kube Namespace
   desc: Detect any attempt to create a pod in the kube-system or kube-public namespaces
-  condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public) and not allowed_kube_namespace_pods
+  condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public) and not trusted_pod
   output: Pod created in kube namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
   priority: WARNING
   source: k8s_audit
@@ -311,8 +281,7 @@
 # normal operation.
 - rule: System ClusterRole Modified/Deleted
   desc: Detect any attempt to modify/delete a ClusterRole/Role starting with system
-  condition: kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and
-             not ka.target.name in (system:coredns, system:managed-certificate-controller)
+  condition: kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and ka.target.name!="system:coredns"
   output: System ClusterRole/Role modified or deleted (user=%ka.user.name role=%ka.target.name ns=%ka.target.namespace action=%ka.verb)
   priority: WARNING
   source: k8s_audit

scripts/cleanup

@@ -1,61 +0,0 @@
-#!/usr/bin/env bash
-
-usage() {
-    echo "usage: $0 -p 0987654321 -r <deb-dev|rpm-dev|bin-dev>"
-    exit 1
-}
-
-user=poiana
-
-# Get the versions to delete.
-#
-# $1: repository to lookup
-# $2: number of versions to skip.
-get_versions() {
-    # The API endpoint returns the Falco package versions sort by most recent.
-    IFS=$'\n' read -r -d '' -a all < <(curl -s --header "Content-Type: application/json" "https://api.bintray.com/packages/falcosecurity/$1/falco" | jq -r '.versions | .[]' | tail -n "+$2")
-}
-
-# Remove all the versions (${all[@]} array).
-#
-# $1: repository containing the versions.
-rem_versions() {
-    for i in "${!all[@]}";
-    do
-        JFROG_CLI_LOG_LEVEL=DEBUG jfrog bt vd --quiet --user "${user}" --key "${pass}" "falcosecurity/$1/falco/${all[$i]}"
-    done
-}
-
-while getopts ":p::r:" opt; do
-    case "${opt}" in
-        p )
-          pass=${OPTARG}
-          ;;
-        r )
-          repo="${OPTARG}"
-          [[ "${repo}" == "deb-dev" || "${repo}" == "rpm-dev" || "${repo}" == "bin-dev" ]] || usage
-          ;;
-        : )
-          echo "invalid option: ${OPTARG} requires an argument" 1>&2
-          exit 1
-          ;;
-        \?)
-          echo "invalid option: ${OPTARG}" 1>&2
-          exit 1
-          ;;
-    esac
-done
-shift $((OPTIND-1))
-
-if [ -z "${pass}" ] || [ -z "${repo}" ]; then
-    usage
-fi
-
-skip=51
-if [[ "${repo}" == "bin-dev" ]]; then
-    skip=11
-fi
-
-get_versions "${repo}" ${skip}
-echo "number of versions to delete: ${#all[@]}"
-rem_versions "${repo}"

scripts/debian/falco

@@ -21,7 +21,7 @@
 # Required-Stop:     $remote_fs $syslog
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
-# Short-Description: Falco syscall activity monitoring agent
+# Short-Description: Falco Cloud Native runtime security
 # Description:       Falco is a system activity monitoring agent
 #                    driven by system calls with support for containers.
 ### END INIT INFO
@@ -62,11 +62,11 @@ do_start()
 	#   0 if daemon has been started
 	#   1 if daemon was already running
 	#   2 if daemon could not be started
+	if [ ! -d /sys/module/falco ]; then
+		/sbin/modprobe falco || exit 2
+	fi
 	start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
 		|| return 1
-	if [ ! -d /sys/module/falco ]; then
-		/sbin/modprobe falco || exit 1
-	fi
 	start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
 		$DAEMON_ARGS \
 		|| return 2

scripts/falco-driver-loader

@@ -143,41 +143,33 @@ load_kernel_module_compile() {
 	# skip dkms on UEK hosts because it will always fail
 	if [[ $(uname -r) == *uek* ]]; then
 		echo "* Skipping dkms install for UEK host"
-		return
-	fi
-
-	if ! hash dkms &>/dev/null; then
-		echo "* Skipping dkms install (dkms not found)"
-		return
-	fi
-
-	# try to compile using all the available gcc versions
-	for CURRENT_GCC in $(which gcc) $(ls "$(dirname "$(which gcc)")"/gcc-* | grep 'gcc-[0-9]\+' | sort -r); do
-		echo "* Trying to dkms install ${DRIVER_NAME} module with GCC ${CURRENT_GCC}"
-		echo "#!/usr/bin/env bash" > /tmp/falco-dkms-make
-		echo "make CC=${CURRENT_GCC} \$@" >> /tmp/falco-dkms-make
-		chmod +x /tmp/falco-dkms-make
-		if dkms install --directive="MAKE='/tmp/falco-dkms-make'" -m "${DRIVER_NAME}" -v "${DRIVER_VERSION}" -k "${KERNEL_RELEASE}" 2>/dev/null; then
-			echo "* ${DRIVER_NAME} module installed in dkms, trying to insmod"				
-			if insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko" > /dev/null 2>&1; then
-				echo "* Success: ${DRIVER_NAME} module found and loaded in dkms"
-				exit 0
-			elif insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko.xz" > /dev/null 2>&1; then
-				echo "* Success: ${DRIVER_NAME} module found and loaded in dkms (xz)"
-				exit 0
+	else
+		if hash dkms &>/dev/null; then
+				echo "* Trying to dkms install ${DRIVER_NAME} module"
+			if dkms install -m "${DRIVER_NAME}" -v "${DRIVER_VERSION}" -k "${KERNEL_RELEASE}" 2>/dev/null; then
+				echo "* ${DRIVER_NAME} module installed in dkms, trying to insmod"				
+				if insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko" > /dev/null 2>&1; then
+					echo "* Success: ${DRIVER_NAME} module found and loaded in dkms"
+					exit 0
+				elif insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko.xz" > /dev/null 2>&1; then
+					echo "* Success: ${DRIVER_NAME} module found and loaded in dkms (xz)"
+					exit 0
+				else
+					echo "* Unable to insmod ${DRIVER_NAME} module"
+				fi
 			else
-				echo "* Unable to insmod ${DRIVER_NAME} module"
+				DKMS_LOG="/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/build/make.log"
+				if [ -f "${DKMS_LOG}" ]; then
+					echo "* Running dkms build failed, dumping ${DKMS_LOG}"
+					cat "${DKMS_LOG}"
+				else
+					echo "* Running dkms build failed, couldn't find ${DKMS_LOG}"
+				fi
 			fi
 		else
-			DKMS_LOG="/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/build/make.log"
-			if [ -f "${DKMS_LOG}" ]; then
-				echo "* Running dkms build failed, dumping ${DKMS_LOG} (with GCC ${CURRENT_GCC})"
-				cat "${DKMS_LOG}"
-			else
-				echo "* Running dkms build failed, couldn't find ${DKMS_LOG} (with GCC ${CURRENT_GCC})"
-			fi
+			echo "* Skipping dkms install (dkms not found)"
 		fi
-	done
+	fi
 }
 
 load_kernel_module_download() {

scripts/rpm/falco

@@ -1,7 +1,7 @@
 #!/bin/sh
 
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -18,10 +18,10 @@
 #
 
 #
-# falco syscall monitoring agent
+# Falco Cloud Native runtime security
 #
 # chkconfig:   2345 55 45
-# description: Falco syscall monitoring agent
+# description: Falco Cloud Native runtime security
 #
 
 ### BEGIN INIT INFO
@@ -52,10 +52,10 @@ start() {
     [ -x $exec ] || exit 5
     # [ -f $config ] || exit 6
     echo -n $"Starting $prog: "
-    daemon $exec --daemon --pidfile=$pidfile
     if [ ! -d /sys/module/falco ]; then
         /sbin/modprobe falco || return $?
     fi
+    daemon $exec --daemon --pidfile=$pidfile
     retval=$?
     echo
     [ $retval -eq 0 ] && touch $lockfile

test/rules/detect_connect_using_in.yaml

@@ -18,5 +18,5 @@
   desc: Detect any connect to the localhost network, using fd.net and the in operator
   condition: evt.type=connect and fd.net in ("127.0.0.1/24")
   output: Program connected to localhost network
-    (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline connection=%fd.name)
+    (user=%user.name command=%proc.cmdline connection=%fd.name)
   priority: INFO

test/run_regression_tests.sh

@@ -19,13 +19,6 @@ set -euo pipefail
 
 SCRIPT=$(readlink -f $0)
 SCRIPTDIR=$(dirname "$SCRIPT")
-SKIP_PACKAGES_TESTS=${SKIP_PACKAGES_TESTS:-false}
-
-# Trace file tarballs are now versioned. Any time a substantial change
-# is made that affects the interaction of rules+engine and the trace
-# files here, upload a new trace file zip file and change the version
-# suffix here.
-TRACE_FILES_VERSION=20200831
 
 function download_trace_files() {
     for TRACE in traces-positive traces-negative traces-info ; do
@@ -33,7 +26,7 @@ function download_trace_files() {
         if [ "$OPT_BRANCH" != "none" ]; then
         curl -fso "$TRACE_DIR/$TRACE.zip" https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE-$OPT_BRANCH.zip
         else
-        curl -fso "$TRACE_DIR/$TRACE.zip" https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE-$TRACE_FILES_VERSION.zip
+        curl -fso "$TRACE_DIR/$TRACE.zip" https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE.zip
         fi
         unzip -d "$TRACE_DIR" "$TRACE_DIR/$TRACE.zip"
         rm -rf "$TRACE_DIR/$TRACE.zip"
@@ -98,13 +91,7 @@ function run_tests() {
     # as we're watching the return status when running avocado.
     set +e
     TEST_RC=0
-    suites=($SCRIPTDIR/falco_traces.yaml $SCRIPTDIR/falco_tests.yaml $SCRIPTDIR/falco_k8s_audit_tests.yaml $SCRIPTDIR/falco_tests_psp.yaml)
-
-    if [ "$SKIP_PACKAGES_TESTS" = false ] ; then
-        suites+=($SCRIPTDIR/falco_tests_package.yaml)
-    fi
-    
-    for mult in "${suites[@]}"; do
+    for mult in $SCRIPTDIR/falco_traces.yaml $SCRIPTDIR/falco_tests.yaml $SCRIPTDIR/falco_tests_package.yaml $SCRIPTDIR/falco_k8s_audit_tests.yaml $SCRIPTDIR/falco_tests_psp.yaml; do
         CMD="avocado run --mux-yaml $mult --job-results-dir $SCRIPTDIR/job-results -- $SCRIPTDIR/falco_test.py"
         echo "Running $CMD"
         BUILD_DIR=${OPT_BUILD_DIR} $CMD

tests/CMakeLists.txt

@@ -14,11 +14,7 @@
 # License for the specific language governing permissions and limitations under
 # the License.
 #
-if(MINIMAL_BUILD)
-  set(FALCO_TESTS_SOURCES test_base.cpp engine/test_token_bucket.cpp engine/test_rulesets.cpp engine/test_falco_utils.cpp)
-else()
-  set(FALCO_TESTS_SOURCES test_base.cpp engine/test_token_bucket.cpp engine/test_rulesets.cpp engine/test_falco_utils.cpp falco/test_webserver.cpp)
-endif()
+set(FALCO_TESTS_SOURCES test_base.cpp engine/test_token_bucket.cpp engine/test_rulesets.cpp engine/test_falco_utils.cpp falco/test_webserver.cpp)
 
 set(FALCO_TESTED_LIBRARIES falco_engine)
 
@@ -39,25 +35,14 @@ if(FALCO_BUILD_TESTS)
   add_executable(falco_test ${FALCO_TESTS_SOURCES})
 
   target_link_libraries(falco_test PUBLIC ${FALCO_TESTED_LIBRARIES})
-
-  if(MINIMAL_BUILD)
-    target_include_directories(
-      falco_test
-      PUBLIC "${CATCH2_INCLUDE}"
-            "${FAKEIT_INCLUDE}"
-            "${PROJECT_SOURCE_DIR}/userspace/engine"
-            "${YAMLCPP_INCLUDE_DIR}"
-            "${PROJECT_SOURCE_DIR}/userspace/falco")
-  else()
-    target_include_directories(
-      falco_test
-      PUBLIC "${CATCH2_INCLUDE}"
-            "${FAKEIT_INCLUDE}"
-            "${PROJECT_SOURCE_DIR}/userspace/engine"
-            "${YAMLCPP_INCLUDE_DIR}"
-            "${CIVETWEB_INCLUDE_DIR}"
-            "${PROJECT_SOURCE_DIR}/userspace/falco")
-  endif()
+  target_include_directories(
+    falco_test
+    PUBLIC "${CATCH2_INCLUDE}"
+           "${FAKEIT_INCLUDE}"
+           "${PROJECT_SOURCE_DIR}/userspace/engine"
+           "${YAMLCPP_INCLUDE_DIR}"
+           "${CIVETWEB_INCLUDE_DIR}"
+           "${PROJECT_SOURCE_DIR}/userspace/falco")
   add_dependencies(falco_test catch2)
 
   include(CMakeParseArguments)

userspace/engine/CMakeLists.txt

@@ -27,32 +27,18 @@ if(USE_BUNDLED_DEPS)
   add_dependencies(falco_engine libyaml)
 endif()
 
-if(MINIMAL_BUILD)
-  target_include_directories(
-    falco_engine
-    PUBLIC
-      "${LUAJIT_INCLUDE}"
-      "${NJSON_INCLUDE}"
-      "${TBB_INCLUDE_DIR}"
-      "${STRING_VIEW_LITE_INCLUDE}"
-      "${SYSDIG_SOURCE_DIR}/userspace/libsinsp/third-party/jsoncpp"
-      "${SYSDIG_SOURCE_DIR}/userspace/libscap"
-      "${SYSDIG_SOURCE_DIR}/userspace/libsinsp"
-      "${PROJECT_BINARY_DIR}/userspace/engine")
-else()
-  target_include_directories(
-    falco_engine
-    PUBLIC
-      "${LUAJIT_INCLUDE}"
-      "${NJSON_INCLUDE}"
-      "${CURL_INCLUDE_DIR}"
-      "${TBB_INCLUDE_DIR}"
-      "${STRING_VIEW_LITE_INCLUDE}"
-      "${SYSDIG_SOURCE_DIR}/userspace/libsinsp/third-party/jsoncpp"
-      "${SYSDIG_SOURCE_DIR}/userspace/libscap"
-      "${SYSDIG_SOURCE_DIR}/userspace/libsinsp"
-      "${PROJECT_BINARY_DIR}/userspace/engine")
-endif()
+target_include_directories(
+  falco_engine
+  PUBLIC
+    "${LUAJIT_INCLUDE}"
+    "${NJSON_INCLUDE}"
+    "${CURL_INCLUDE_DIR}"
+    "${TBB_INCLUDE_DIR}"
+    "${STRING_VIEW_LITE_INCLUDE}"
+    "${SYSDIG_SOURCE_DIR}/userspace/libsinsp/third-party/jsoncpp"
+    "${SYSDIG_SOURCE_DIR}/userspace/libscap"
+    "${SYSDIG_SOURCE_DIR}/userspace/libsinsp"
+    "${PROJECT_BINARY_DIR}/userspace/engine")
 
 target_link_libraries(falco_engine "${FALCO_SINSP_LIBRARY}" "${LPEG_LIB}" "${LYAML_LIB}" "${LIBYAML_LIB}")
 

userspace/engine/falco_engine_version.h

@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2020 The Falco Authors.
+Copyright (C) 2019 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -16,7 +16,7 @@ limitations under the License.
 
 // The version of rules/filter fields/etc supported by this falco
 // engine.
-#define FALCO_ENGINE_VERSION (7)
+#define FALCO_ENGINE_VERSION (6)
 
 // This is the result of running "falco --list -N | sha256sum" and
 // represents the fields supported by this version of falco. It's used

userspace/falco/CMakeLists.txt

@@ -13,35 +13,32 @@
 
 configure_file("${SYSDIG_SOURCE_DIR}/userspace/sysdig/config_sysdig.h.in" config_sysdig.h)
 
-if(NOT MINIMAL_BUILD)
-  add_custom_command(
-    OUTPUT
-      ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc
-      ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.h
-      ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
-      ${CMAKE_CURRENT_BINARY_DIR}/version.pb.h
-      ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc
-      ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.h
-      ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc
-      ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.h
-      ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc
-      ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.h
-    COMMENT "Generate gRPC API"
-    # Falco gRPC Version API
-    DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
-    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
-    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
-            ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
-    # Falco gRPC Outputs API
-    DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
-    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
-            ${CMAKE_CURRENT_SOURCE_DIR}/schema.proto
-    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
-            ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
-    WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR})
-endif()
+add_custom_command(
+  OUTPUT
+    ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.h
+    ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/version.pb.h
+    ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.h
+    ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.h
+    ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc
+    ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.h
+  COMMENT "Generate gRPC API"
+  # Falco gRPC Version API
+  DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
+  COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
+  COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
+          ${CMAKE_CURRENT_SOURCE_DIR}/version.proto
+  # Falco gRPC Outputs API
+  DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
+  COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
+          ${CMAKE_CURRENT_SOURCE_DIR}/schema.proto
+  COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
+          ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
+  WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR})
 
-if(MINIMAL_BUILD)
 add_executable(
   falco
   configuration.cpp
@@ -50,109 +47,66 @@ add_executable(
   event_drops.cpp
   statsfilewriter.cpp
   falco.cpp
-  "${SYSDIG_SOURCE_DIR}/userspace/sysdig/fields_info.cpp")
-else()
-  add_executable(
-    falco
-    configuration.cpp
-    logger.cpp
-    falco_outputs.cpp
-    event_drops.cpp
-    statsfilewriter.cpp
-    falco.cpp
-    "${SYSDIG_SOURCE_DIR}/userspace/sysdig/fields_info.cpp"
-    webserver.cpp
-    grpc_context.cpp
-    grpc_server_impl.cpp
-    grpc_request_context.cpp
-    grpc_server.cpp
-    ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc
-    ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
-    ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc
-    ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc
-    ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc)
+  "${SYSDIG_SOURCE_DIR}/userspace/sysdig/fields_info.cpp"
+  webserver.cpp
+  grpc_context.cpp
+  grpc_server_impl.cpp
+  grpc_request_context.cpp
+  grpc_server.cpp
+  ${CMAKE_CURRENT_BINARY_DIR}/version.grpc.pb.cc
+  ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
+  ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc
+  ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc
+  ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc)
 
-    add_dependencies(falco civetweb)
-endif()
-
-add_dependencies(falco string-view-lite)
+add_dependencies(falco civetweb string-view-lite)
 
 if(USE_BUNDLED_DEPS)
   add_dependencies(falco yamlcpp)
 endif()
 
-if(MINIMAL_BUILD)
-  target_include_directories(
-    falco
-    PUBLIC
-      "${SYSDIG_SOURCE_DIR}/userspace/sysdig"
-      "${PROJECT_SOURCE_DIR}/userspace/engine"
-      "${PROJECT_BINARY_DIR}/userspace/falco"
-      "${PROJECT_BINARY_DIR}/driver/src"
-      "${STRING_VIEW_LITE_INCLUDE}"
-      "${YAMLCPP_INCLUDE_DIR}"
-      "${CMAKE_CURRENT_BINARY_DIR}"
-      "${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include")
+target_include_directories(
+  falco
+  PUBLIC
+    "${SYSDIG_SOURCE_DIR}/userspace/sysdig"
+    "${PROJECT_SOURCE_DIR}/userspace/engine"
+    "${PROJECT_BINARY_DIR}/userspace/falco"
+    "${PROJECT_BINARY_DIR}/driver/src"
+    "${STRING_VIEW_LITE_INCLUDE}"
+    "${YAMLCPP_INCLUDE_DIR}"
+    "${CIVETWEB_INCLUDE_DIR}"
+    "${OPENSSL_INCLUDE_DIR}"
+    "${GRPC_INCLUDE}"
+    "${GRPCPP_INCLUDE}"
+    "${PROTOBUF_INCLUDE}"
+    "${CMAKE_CURRENT_BINARY_DIR}"
+    "${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include")
 
-  target_link_libraries(
-    falco
-    falco_engine
-    sinsp
-    "${LIBYAML_LIB}"
-    "${YAMLCPP_LIB}")
-else()
-  target_include_directories(
-    falco
-    PUBLIC
-      "${SYSDIG_SOURCE_DIR}/userspace/sysdig"
-      "${PROJECT_SOURCE_DIR}/userspace/engine"
-      "${PROJECT_BINARY_DIR}/userspace/falco"
-      "${PROJECT_BINARY_DIR}/driver/src"
-      "${STRING_VIEW_LITE_INCLUDE}"
-      "${YAMLCPP_INCLUDE_DIR}"
-      "${CIVETWEB_INCLUDE_DIR}"
-      "${OPENSSL_INCLUDE_DIR}"
-      "${GRPC_INCLUDE}"
-      "${GRPCPP_INCLUDE}"
-      "${PROTOBUF_INCLUDE}"
-      "${CMAKE_CURRENT_BINARY_DIR}"
-      "${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include")
-
-  target_link_libraries(
-    falco
-    falco_engine
-    sinsp
-    "${GPR_LIB}"
-    "${GRPC_LIB}"
-    "${GRPCPP_LIB}"
-    "${PROTOBUF_LIB}"
-    "${OPENSSL_LIBRARY_SSL}"
-    "${OPENSSL_LIBRARY_CRYPTO}"
-    "${LIBYAML_LIB}"
-    "${YAMLCPP_LIB}"
-    "${CIVETWEB_LIB}")
-endif()
+target_link_libraries(
+  falco
+  falco_engine
+  sinsp
+  "${GPR_LIB}"
+  "${GRPC_LIB}"
+  "${GRPCPP_LIB}"
+  "${PROTOBUF_LIB}"
+  "${OPENSSL_LIBRARY_SSL}"
+  "${OPENSSL_LIBRARY_CRYPTO}"
+  "${LIBYAML_LIB}"
+  "${YAMLCPP_LIB}"
+  "${CIVETWEB_LIB}")
 
 configure_file(config_falco.h.in config_falco.h)
 
-if(NOT MINIMAL_BUILD)
-  add_custom_command(
-    TARGET falco
-    COMMAND bash ${CMAKE_CURRENT_SOURCE_DIR}/verify_engine_fields.sh ${CMAKE_SOURCE_DIR}
-    WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
-    COMMENT "Comparing engine fields checksum in falco_engine.h to actual fields")
-else()
-  MESSAGE(STATUS "Skipping engine fields checksum when building the minimal Falco.")
-endif()
+add_custom_command(
+  TARGET falco
+  COMMAND bash ${CMAKE_CURRENT_SOURCE_DIR}/verify_engine_fields.sh ${CMAKE_SOURCE_DIR} ${OPENSSL_BINARY}
+  WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
+  COMMENT "Comparing engine fields checksum in falco_engine.h to actual fields")
 
-# strip the Falco binary when releasing using musl
-if(MUSL_OPTIMIZED_BUILD AND CMAKE_BUILD_TYPE STREQUAL "release")
-  add_custom_command(
-    TARGET falco
-    POST_BUILD
-    COMMAND ${CMAKE_STRIP} --strip-unneeded falco
-    COMMENT "Strip the Falco binary when releasing the musl build")
-endif()
+# add_custom_target(verify_engine_fields DEPENDS verify_engine_fields.sh falco_engine.h)
+
+# add_dependencies(verify_engine_fields falco)
 
 install(TARGETS falco DESTINATION ${FALCO_BIN_DIR})
 install(

userspace/falco/falco.cpp

@@ -43,10 +43,8 @@ limitations under the License.
 #include "falco_engine.h"
 #include "config_falco.h"
 #include "statsfilewriter.h"
-#ifndef MINIMAL_BUILD
 #include "webserver.h"
 #include "grpc_server.h"
-#endif
 #include "banned.h" // This raises a compilation error when certain functions are used
 
 typedef function<void(sinsp* inspector)> open_t;
@@ -86,7 +84,6 @@ static void usage()
 	   " -h, --help                    Print this page\n"
 	   " -c                            Configuration file (default " FALCO_SOURCE_CONF_FILE ", " FALCO_INSTALL_CONF_FILE ")\n"
 	   " -A                            Monitor all events, including those with EF_DROP_SIMPLE_CONS flag.\n"
-	   " --alternate-lua-dir <path>    Specify an alternate path for loading Falco lua files\n"
 	   " -b, --print-base64            Print data buffers in base64.\n"
 	   "                               This is useful for encoding binary data that needs to be used over media designed to.\n"
 	   " --cri <path>                  Path to CRI socket for container metadata.\n"
@@ -107,7 +104,6 @@ static void usage()
 	   "                               Can not be specified with -t.\n"
 	   " -e <events_file>              Read the events from <events_file> (in .scap format for sinsp events, or jsonl for\n"
 	   "                               k8s audit events) instead of tapping into live.\n"
-#ifndef MINIMAL_BUILD
 	   " -k <url>, --k8s-api <url>\n"
 	   "                               Enable Kubernetes support by connecting to the API server specified as argument.\n"
        "                               E.g. \"http://admin:password@127.0.0.1:8080\".\n"
@@ -121,18 +117,15 @@ static void usage()
 	   "                               for this option, it will be interpreted as the name of a file containing bearer token.\n"
 	   "                               Note that the format of this command-line option prohibits use of files whose names contain\n"
 	   "                               ':' or '#' characters in the file name.\n"
-#endif
 	   " -L                            Show the name and description of all rules and exit.\n"
 	   " -l <rule>                     Show the name and description of the rule with name <rule> and exit.\n"
 	   " --list [<source>]             List all defined fields. If <source> is provided, only list those fields for\n"
 	   "                               the source <source>. Current values for <source> are \"syscall\", \"k8s_audit\"\n"
-#ifndef MINIMAL_BUILD
 	   " -m <url[,marathon_url]>, --mesos-api <url[,marathon_url]>\n"
 	   "                               Enable Mesos support by connecting to the API server\n"
 	   "                               specified as argument. E.g. \"http://admin:password@127.0.0.1:5050\".\n"
 	   "                               Marathon url is optional and defaults to Mesos address, port 8080.\n"
 	   "                               The API servers can also be specified via the environment variable FALCO_MESOS_API.\n"
-#endif
 	   " -M <num_seconds>              Stop collecting after <num_seconds> reached.\n"
 	   " -N                            When used with --list, only print field names.\n"
 	   " -o, --option <key>=<val>      Set the value of option <key> to <val>. Overrides values in configuration file.\n"
@@ -192,7 +185,6 @@ static void display_fatal_err(const string &msg)
 // Splitting into key=value or key.subkey=value will be handled by configuration class.
 std::list<string> cmdline_options;
 
-#ifndef MINIMAL_BUILD
 // Read a jsonl file containing k8s audit events and pass each to the engine.
 void read_k8s_audit_trace_file(falco_engine *engine,
 			       falco_outputs *outputs,
@@ -221,7 +213,6 @@ void read_k8s_audit_trace_file(falco_engine *engine,
 		}
 	}
 }
-#endif
 
 static std::string read_file(std::string filename)
 {
@@ -438,11 +429,9 @@ int falco_init(int argc, char **argv)
 	bool verbose = false;
 	bool names_only = false;
 	bool all_events = false;
-#ifndef MINIMAL_BUILD
 	string* k8s_api = 0;
 	string* k8s_api_cert = 0;
 	string* mesos_api = 0;
-#endif
 	string output_format = "";
 	uint32_t snaplen = 0;
 	bool replace_container_info = false;
@@ -472,45 +461,42 @@ int falco_init(int argc, char **argv)
 	double duration;
 	scap_stats cstats;
 
-#ifndef MINIMAL_BUILD
 	falco_webserver webserver;
 	falco::grpc::server grpc_server;
 	std::thread grpc_server_thread;
-#endif
 
 	static struct option long_options[] =
-		{
-			{"alternate-lua-dir", required_argument, 0},
-			{"cri", required_argument, 0},
-			{"daemon", no_argument, 0, 'd'},
-			{"disable-cri-async", no_argument, 0, 0},
-			{"disable-source", required_argument, 0},
-			{"help", no_argument, 0, 'h'},
-			{"ignored-events", no_argument, 0, 'i'},
-			{"k8s-api-cert", required_argument, 0, 'K'},
-			{"k8s-api", required_argument, 0, 'k'},
-			{"list", optional_argument, 0},
-			{"mesos-api", required_argument, 0, 'm'},
-			{"option", required_argument, 0, 'o'},
-			{"pidfile", required_argument, 0, 'P'},
-			{"print-base64", no_argument, 0, 'b'},
-			{"print", required_argument, 0, 'p'},
-			{"snaplen", required_argument, 0, 'S'},
-			{"stats-interval", required_argument, 0},
-			{"support", no_argument, 0},
-			{"unbuffered", no_argument, 0, 'U'},
-			{"userspace", no_argument, 0, 'u'},
-			{"validate", required_argument, 0, 'V'},
-			{"version", no_argument, 0, 0},
-			{"writefile", required_argument, 0, 'w'},
-			{0, 0, 0, 0}};
+	{
+		{"cri", required_argument, 0},
+        {"daemon", no_argument, 0, 'd'},
+        {"disable-cri-async", no_argument, 0, 0},
+        {"disable-source", required_argument, 0},
+        {"help", no_argument, 0, 'h'},
+        {"ignored-events", no_argument, 0, 'i'},
+        {"k8s-api-cert", required_argument, 0, 'K'},
+        {"k8s-api", required_argument, 0, 'k'},
+        {"list", optional_argument, 0},
+        {"mesos-api", required_argument, 0, 'm'},
+        {"option", required_argument, 0, 'o'},
+        {"pidfile", required_argument, 0, 'P'},
+        {"print-base64", no_argument, 0, 'b'},
+        {"print", required_argument, 0, 'p'},
+        {"snaplen", required_argument, 0, 'S'},
+        {"stats-interval", required_argument, 0},
+        {"support", no_argument, 0},
+        {"unbuffered", no_argument, 0, 'U'},
+        {"userspace", no_argument, 0, 'u'},
+        {"validate", required_argument, 0, 'V'},
+        {"version", no_argument, 0, 0},
+        {"writefile", required_argument, 0, 'w'},
+		{0, 0, 0, 0}
+	};
 
 	try
 	{
 		set<string> disabled_rule_substrings;
 		string substring;
 		string all_rules = "";
-		string alternate_lua_dir = FALCO_ENGINE_SOURCE_LUA_DIR;
 		set<string> disabled_rule_tags;
 		set<string> enabled_rule_tags;
 
@@ -544,10 +530,8 @@ int falco_init(int argc, char **argv)
 				break;
 			case 'e':
 				trace_filename = optarg;
-#ifndef MINIMAL_BUILD
 				k8s_api = new string();
 				mesos_api = new string();
-#endif
 				break;
 			case 'F':
 				list_flds = optarg;
@@ -555,25 +539,21 @@ int falco_init(int argc, char **argv)
 			case 'i':
 				print_ignored_events = true;
 				break;
-#ifndef MINIMAL_BUILD
 			case 'k':
 				k8s_api = new string(optarg);
 				break;
 			case 'K':
 				k8s_api_cert = new string(optarg);
 				break;
-#endif
 			case 'L':
 				describe_all_rules = true;
 				break;
 			case 'l':
 				describe_rule = optarg;
 				break;
-#ifndef MINIMAL_BUILD
 			case 'm':
 				mesos_api = new string(optarg);
 				break;
-#endif
 			case 'M':
 				duration_to_tot = atoi(optarg);
 				if(duration_to_tot <= 0)
@@ -688,16 +668,6 @@ int falco_init(int argc, char **argv)
 						disable_sources.insert(optarg);
 					}
 				}
-				else if (string(long_options[long_index].name)== "alternate-lua-dir")
-				{
-					if(optarg != NULL)
-					{
-						alternate_lua_dir = optarg;
-						if (alternate_lua_dir.back() != '/') {
-							alternate_lua_dir += '/';
-						}
-					}
-				}
 				break;
 
 			default:
@@ -733,7 +703,7 @@ int falco_init(int argc, char **argv)
 			return EXIT_SUCCESS;
 		}
 
-		engine = new falco_engine(true, alternate_lua_dir);
+		engine = new falco_engine();
 		engine->set_inspector(inspector);
 		engine->set_extra(output_format, replace_container_info);
 
@@ -977,8 +947,7 @@ int falco_init(int argc, char **argv)
 			      config.m_notifications_rate, config.m_notifications_max_burst,
 			      config.m_buffered_outputs,
 			      config.m_time_format_iso_8601,
-			      hostname,
-			      alternate_lua_dir);
+			      hostname);
 
 		if(!all_events)
 		{
@@ -1105,12 +1074,6 @@ int falco_init(int argc, char **argv)
 
 			if(!trace_is_scap)
 			{
-#ifdef MINIMAL_BUILD
-				// Note that the webserver is not available when MINIMAL_BUILD is defined.
-				fprintf(stderr, "Cannot use k8s audit events trace file with a minimal Falco build");
-				result = EXIT_FAILURE;
-				goto exit;
-#else
 				try {
 					string line;
 					nlohmann::json j;
@@ -1135,7 +1098,6 @@ int falco_init(int argc, char **argv)
 					result = EXIT_FAILURE;
 					goto exit;
 				}
-#endif
 			}
 		}
 		else
@@ -1181,14 +1143,11 @@ int falco_init(int argc, char **argv)
 					// Try to insert the Falco kernel module
 					if(system("modprobe " PROBE_NAME " > /dev/null 2> /dev/null"))
 					{
-						falco_logger::log(LOG_ERR, "Unable to load the driver.\n");
+						falco_logger::log(LOG_ERR, "Unable to load the driver. Exiting.\n");
 					}
 					open_f(inspector);
-				} 
-				else 
-				{
-					rethrow_exception(current_exception());
 				}
+				rethrow_exception(current_exception());
 			}
 		}
 
@@ -1206,7 +1165,6 @@ int falco_init(int argc, char **argv)
 
 		duration = ((double)clock()) / CLOCKS_PER_SEC;
 
-#ifndef MINIMAL_BUILD
 		//
 		// Run k8s, if required
 		//
@@ -1290,15 +1248,12 @@ int falco_init(int argc, char **argv)
 				grpc_server.run();
 			});
 		}
-#endif
 
 		if(!trace_filename.empty() && !trace_is_scap)
 		{
-#ifndef MINIMAL_BUILD			
 			read_k8s_audit_trace_file(engine,
 						  outputs,
 						  trace_filename);
-#endif
 		}
 		else
 		{
@@ -1344,14 +1299,12 @@ int falco_init(int argc, char **argv)
 		inspector->close();
 		engine->print_stats();
 		sdropmgr.print_stats();
-#ifndef MINIMAL_BUILD
 		webserver.stop();
 		if(grpc_server_thread.joinable())
 		{
 			grpc_server.shutdown();
 			grpc_server_thread.join();
 		}
-#endif
 	}
 	catch(exception &e)
 	{
@@ -1359,14 +1312,12 @@ int falco_init(int argc, char **argv)
 
 		result = EXIT_FAILURE;
 
-#ifndef MINIMAL_BUILD
 		webserver.stop();
 		if(grpc_server_thread.joinable())
 		{
 			grpc_server.shutdown();
 			grpc_server_thread.join();
 		}
-#endif
 	}
 
 exit:

userspace/falco/falco_outputs.cpp

@@ -14,9 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-#ifndef MINIMAL_BUILD
 #include <google/protobuf/util/time_util.h>
-#endif
 
 #include "falco_outputs.h"
 
@@ -24,19 +22,15 @@ limitations under the License.
 
 #include "formats.h"
 #include "logger.h"
-#ifndef MINIMAL_BUILD
 #include "falco_outputs_queue.h"
-#endif
 #include "banned.h" // This raises a compilation error when certain functions are used
 
 using namespace std;
 
 const static struct luaL_reg ll_falco_outputs [] =
 {
-#ifndef MINIMAL_BUILD
 	{"handle_http", &falco_outputs::handle_http},
 	{"handle_grpc", &falco_outputs::handle_grpc},
-#endif
 	{NULL, NULL}
 };
 
@@ -78,8 +72,7 @@ falco_outputs::~falco_outputs()
 void falco_outputs::init(bool json_output,
 			 bool json_include_output_property,
 			 uint32_t rate, uint32_t max_burst, bool buffered,
-			 bool time_format_iso_8601, string hostname,
-			 const string& alternate_lua_dir)
+			 bool time_format_iso_8601, string hostname)
 {
 	// The engine must have been given an inspector by now.
 	if(!m_inspector)
@@ -89,7 +82,7 @@ void falco_outputs::init(bool json_output,
 
 	m_json_output = json_output;
 
-	falco_common::init(m_lua_main_filename.c_str(), alternate_lua_dir.c_str());
+	falco_common::init(m_lua_main_filename.c_str(), FALCO_SOURCE_LUA_DIR);
 
 	// Note that falco_formats is added to both the lua state used
 	// by the falco engine as well as the separate lua state used
@@ -266,7 +259,6 @@ void falco_outputs::reopen_outputs()
 	}
 }
 
-#ifndef MINIMAL_BUILD
 int falco_outputs::handle_http(lua_State *ls)
 {
 	CURL *curl = NULL;
@@ -377,4 +369,3 @@ int falco_outputs::handle_grpc(lua_State *ls)
 
 	return 1;
 }
-#endif

userspace/falco/falco_outputs.h

@@ -54,8 +54,7 @@ public:
 	void init(bool json_output,
 		  bool json_include_output_property,
 		  uint32_t rate, uint32_t max_burst, bool buffered,
-		  bool time_format_iso_8601, std::string hostname,
-		  const std::string& alternate_lua_dir);
+		  bool time_format_iso_8601, std::string hostname);
 
 	void add_output(output_config oc);
 
@@ -75,10 +74,8 @@ public:
 
 	void reopen_outputs();
 
-#ifndef MINIMAL_BUILD
 	static int handle_http(lua_State *ls);
 	static int handle_grpc(lua_State *ls);
-#endif
 
 private:
 

userspace/falco/verify_engine_fields.sh

@@ -1,12 +1,19 @@
-#!/bin/env/bash
+#!/bin/sh
 
 set -euo pipefail
 
 SOURCE_DIR=$1
+OPENSSL=$2
 
-NEW_CHECKSUM=$(./falco --list -N | sha256sum | awk '{print $1}')
+if ! command -v "${OPENSSL}" version > /dev/null 2>&1; then
+    echo "No openssl command at ${OPENSSL}"
+    exit 1
+fi
+
+NEW_CHECKSUM=$(./falco --list -N | ${OPENSSL} dgst -sha256 | awk '{print $2}')
 CUR_CHECKSUM=$(grep FALCO_FIELDS_CHECKSUM "${SOURCE_DIR}/userspace/engine/falco_engine_version.h" | awk '{print $3}' | sed -e 's/"//g')
 
+
 if [ "$NEW_CHECKSUM" != "$CUR_CHECKSUM" ]; then
     echo "Set of fields supported has changed (new checksum $NEW_CHECKSUM != old checksum $CUR_CHECKSUM)."
     echo "Update checksum and/or version in falco_engine_version.h."