wip

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
wip
2026-03-20 11:42:06 +00:00 · 2023-04-04 09:43:23 +02:00 · 2023-04-04 09:43:22 +02:00 · 2023-04-03 20:05:46 +02:00 · 2023-03-30 19:08:33 +02:00 · 2023-03-30 19:08:33 +02:00
197 changed files with 7045 additions and 8661 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -3,56 +3,60 @@ jobs:
  "build-arm64":
    machine:
      enabled: true
-      image: ubuntu-2004:202101-01
-    resource_class: arm.medium
+      image: ubuntu-2204:2022.10.2
+    resource_class: arm.large
    steps:
+
+      # Install dependencies to build the modern BPF probe skeleton.
+      - run:
+          name: Install deps ⛓️
+          command: |
+            sudo apt update
+            sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 git pkg-config autoconf automake libelf-dev
+            sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
+            sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
+            git clone https://github.com/libbpf/bpftool.git --branch v7.0.0 --single-branch
+            cd bpftool
+            git submodule update --init
+            cd src && sudo make install
+
+      # Path to the source code
      - checkout:
          path: /tmp/source-arm64/falco
+
+      # Build the skeleton
      - run:
-          name: Prepare project
+          name: Build modern BPF skeleton 🐝
          command: |
-            mkdir -p /tmp/build-arm64 && mkdir -p /tmp/build-arm64/release && \
-            docker run -e BUILD_TYPE="release" -it -v /tmp/source-arm64:/source -v /tmp/build-arm64:/build \
-              falcosecurity/falco-builder:latest \
-              cmake
+            mkdir -p /tmp/source-arm64/falco/skeleton-build
+            cd /tmp/source-arm64/falco/skeleton-build && cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_FALCO_MODERN_BPF=ON -DCREATE_TEST_TARGETS=Off ../
+            make ProbeSkeleton
+
+      # Build the Falco packages (tar, deb, rpm) inside the centos7 builder.
+      # This dockerfile returns as output:
+      # - the build directory. (under /tmp/${DEST_BUILD_DIR})
+      # - the 3 packages: tar, deb, rpm. (under /tmp/packages)
      - run:
-          name: Build
+          name: Build Falco packages 🏗️
          command: |
-            docker run -e BUILD_TYPE="release" -it -v /tmp/source-arm64:/source -v /tmp/build-arm64:/build \
-              falcosecurity/falco-builder:latest \
-              all
-      - run:
-          name: Run unit tests
-          command: |
-            docker run -e BUILD_TYPE="release" -it -v /tmp/source-arm64:/source -v /tmp/build-arm64:/build \
-              falcosecurity/falco-builder:latest \
-              tests
-      - run:
-          name: Build packages
-          command: |
-            docker run -e BUILD_TYPE="release" -it -v /tmp/source-arm64:/source -v /tmp/build-arm64:/build \
-              falcosecurity/falco-builder:latest \
-              package
-      - run:
-          name: Prepare Artifacts
-          command: |
-            mkdir -p /tmp/packages
-            cp /tmp/build-arm64/release/*.deb /tmp/packages
-            cp /tmp/build-arm64/release/*.tar.gz /tmp/packages
-            cp /tmp/build-arm64/release/*.rpm /tmp/packages
+            DOCKER_BUILDKIT=1 docker build -f /tmp/source-arm64/falco/docker/builder/modern-falco-builder.Dockerfile --output type=local,dest=/tmp --build-arg CMAKE_OPTIONS="-DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DFALCO_ETC_DIR=/etc/falco -DBUILD_FALCO_MODERN_BPF=ON -DMODERN_BPF_SKEL_DIR=/source/skeleton-build/skel_dir -DBUILD_DRIVER=Off -DBUILD_BPF=Off" --build-arg DEST_BUILD_DIR=/build-arm64/release /tmp/source-arm64/falco
+
      - store_artifacts:
          path: /tmp/packages
          destination: /packages
+
      - persist_to_workspace:
          root: /tmp
          paths:
            - build-arm64/release
            - source-arm64
+
  # Build a statically linked Falco release binary using musl
  # This build is 100% static, there are no host dependencies
  "build-musl":
    docker:
-      - image: alpine:3.12
+      - image: alpine:3.17
+    resource_class: large
    steps:
      - checkout:
          path: /source-static/falco
@@ -61,28 +65,23 @@ jobs:
          command: apk update
      - run:
          name: Install build dependencies
-          command: apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils
+          command: apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils bpftool clang
      - run:
          name: Prepare project
          command: |
            mkdir -p /build-static/release
            cd /build-static/release
-            cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco /source-static/falco
+            cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco /source-static/falco
      - run:
          name: Build
          command: |
            cd /build-static/release
-            make -j4 all
+            make -j6 all
      - run:
          name: Package
          command: |
            cd /build-static/release
-            make -j4 package
-      - run:
-          name: Run unit tests
-          command: |
-            cd /build-static/release
-            make tests
+            make -j6 package
      - run:
          name: Prepare artifacts
          command: |
@@ -96,43 +95,58 @@ jobs:
          paths:
            - build-static/release
            - source-static
-  # Build using our own builder base image using centos 7
+
  # This build is static, dependencies are bundled in the Falco binary
  "build-centos7":
-    docker:
-      - image: falcosecurity/falco-builder:latest
-        environment:
-          BUILD_TYPE: "release"
+    machine:
+      enabled: true
+      image: ubuntu-2204:2022.10.2
+    resource_class: large
    steps:
-      - checkout:
-          path: /source/falco
+
+      # Install dependencies to build the modern BPF probe skeleton.
      - run:
-          name: Prepare project
-          command: /usr/bin/entrypoint cmake
-      - run:
-          name: Build
-          command: /usr/bin/entrypoint all
-      - run:
-          name: Run unit tests
-          command: /usr/bin/entrypoint tests
-      - run:
-          name: Build packages
-          command: /usr/bin/entrypoint package
-      - persist_to_workspace:
-          root: /
-          paths:
-            - build/release
-            - source
-      - run:
-          name: Prepare artifacts
+          name: Install deps ⛓️
          command: |
-            mkdir -p /tmp/packages
-            cp /build/release/*.deb /tmp/packages
-            cp /build/release/*.tar.gz /tmp/packages
-            cp /build/release/*.rpm /tmp/packages
+            sudo apt update
+            sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 git pkg-config autoconf automake libelf-dev
+            sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
+            sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
+            git clone https://github.com/libbpf/bpftool.git --branch v7.0.0 --single-branch
+            cd bpftool
+            git submodule update --init
+            cd src && sudo make install
+
+      # Path for the source code
+      - checkout:
+          path: /tmp/source/falco
+
+      - run:
+          name: Build modern BPF skeleton 🐝
+          command: |
+            mkdir -p /tmp/source/falco/skeleton-build
+            cd /tmp/source/falco/skeleton-build && cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_FALCO_MODERN_BPF=ON -DCREATE_TEST_TARGETS=Off ../
+            make ProbeSkeleton
+
+      # Build the Falco packages (tar, deb, rpm) inside the centos7 builder.
+      # This dockerfile returns as output:
+      # - the build directory. (under /tmp/${DEST_BUILD_DIR})
+      # - the 3 packages: tar, deb, rpm. (under /tmp/packages)
+      - run:
+          name: Build Falco packages 🏗️
+          command: |
+            DOCKER_BUILDKIT=1 docker build -f /tmp/source/falco/docker/builder/modern-falco-builder.Dockerfile --output type=local,dest=/tmp --build-arg CMAKE_OPTIONS="-DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DFALCO_ETC_DIR=/etc/falco -DBUILD_FALCO_MODERN_BPF=ON -DMODERN_BPF_SKEL_DIR=/source/skeleton-build/skel_dir -DBUILD_DRIVER=Off -DBUILD_BPF=Off" --build-arg DEST_BUILD_DIR=/build/release /tmp/source/falco
+
      - store_artifacts:
          path: /tmp/packages
          destination: /packages
+
+      - persist_to_workspace:
+          root: /tmp
+          paths:
+            - build/release
+            - source
+
  # Execute integration tests based on the build results coming from the "build-centos7" job
  "tests-integration":
    docker:
@@ -194,37 +208,11 @@ jobs:
      - run:
          name: Execute driver-loader integration tests
          command: /tmp/ws/source/falco/test/driver-loader/run_test.sh /tmp/ws/build/release/
-  # Code quality
-  "quality-static-analysis":
-    docker:
-      - image: falcosecurity/falco-builder:latest
-        environment:
-          BUILD_TYPE: "release"
-    steps:
-      - run:
-          name: Install cppcheck
-          command: |
-            yum update -y
-            yum install epel-release -y
-            yum install cppcheck cppcheck-htmlreport -y
-      - checkout:
-          path: /source/falco
-      - run:
-          name: Prepare project
-          command: /usr/bin/entrypoint cmake
-      - run:
-          name: cppcheck
-          command: /usr/bin/entrypoint cppcheck
-      - run:
-          name: cppcheck html report
-          command: /usr/bin/entrypoint cppcheck_htmlreport
-      - store_artifacts:
-          path: /build/release/static-analysis-reports
-          destination: /static-analysis-reports
+
  # Sign rpm packages
  "rpm-sign":
    docker:
-      - image: falcosecurity/falco-builder:latest
+      - image: docker.io/centos:7
    steps:
      - attach_workspace:
          at: /
@@ -232,7 +220,7 @@ jobs:
          name: Install rpmsign
          command: |
            yum update -y
-            yum install rpm-sign -y
+            yum install rpm-sign expect which -y
      - run:
          name: Prepare
          command: |
@@ -265,6 +253,7 @@ jobs:
          paths:
            - build/release/*.rpm
            - build-arm64/release/*.rpm
+
  # Publish the dev packages
  "publish-packages-dev":
    docker:
@@ -555,7 +544,7 @@ jobs:
          name: Build and publish no-driver
          command: |
            cd /source/falco
-            docker buildx build --push --build-arg VERSION_BUCKET=bin-dev --build-arg FALCO_VERSION=${CIRCLE_TAG} \
+            docker buildx build --push --build-arg VERSION_BUCKET=bin --build-arg FALCO_VERSION=${CIRCLE_TAG} \
              -t "falcosecurity/falco-no-driver:x86_64-${CIRCLE_TAG}" \
              -t falcosecurity/falco-no-driver:x86_64-latest \
              -t "falcosecurity/falco:x86_64-${CIRCLE_TAG}-slim" \
@@ -569,7 +558,7 @@ jobs:
          name: Build and publish falco
          command: |
            cd /source/falco
-            docker buildx build --push --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${CIRCLE_TAG} \
+            docker buildx build --push --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} \
              -t "falcosecurity/falco:x86_64-${CIRCLE_TAG}" \
              -t "falcosecurity/falco:x86_64-latest" \
              -t "public.ecr.aws/falcosecurity/falco:x86_64-${CIRCLE_TAG}" \
@@ -624,7 +613,7 @@ jobs:
          name: Build and publish falco
          command: |
            cd /tmp/source-arm64/falco
-            docker buildx build --push --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${CIRCLE_TAG} \
+            docker buildx build --push --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} \
              -t "falcosecurity/falco:aarch64-${CIRCLE_TAG}" \
              -t "falcosecurity/falco:aarch64-latest" \
              -t "public.ecr.aws/falcosecurity/falco:aarch64-${CIRCLE_TAG}" \
@@ -754,7 +743,6 @@ workflows:
      - "build-musl"
      - "build-arm64"
      - "build-centos7"
-      - "quality-static-analysis"
      - "tests-integration":
          requires:
            - "build-centos7"
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,8 +1,7 @@
-<!--  Thanks for sending a pull request!  Here are some tips for you:
-
-1. If this is your first time, please read our contributor guidelines in the [CONTRIBUTING.md](https://github.com/falcosecurity/.github/blob/master/CONTRIBUTING.md) file and learn how to compile Falco from source [here](https://falco.org/docs/source).
+<!--  Thanks for sending a pull request! Here are some tips for you:
+1. If this is your first time, please read our contributor guidelines in the https://github.com/falcosecurity/.github/blob/main/CONTRIBUTING.md file.
 2. Please label this pull request according to what type of issue you are addressing.
-3. . Please add a release note!
+3. Please add a release note!
 4. If the PR is unfinished while opening it specify a wip in the title before the actual title, for example, "wip: my awesome feature"
 -->

@@ -24,12 +23,6 @@

 > /kind release

-> If contributing rules or changes to rules, please make sure to also uncomment one of the following line:
-
-> /kind rule-update
-
-> /kind rule-create
-
 <!--
 Please remove the leading whitespace before the `/kind <>` you uncommented.
 -->
@@ -42,8 +35,6 @@ Please remove the leading whitespace before the `/kind <>` you uncommented.

 > /area engine

-> /area rules
-
 > /area tests

 > /area proposals
@@ -71,11 +62,13 @@ Fixes #
 **Does this PR introduce a user-facing change?**:

 <!--
-If no, just write "NONE" in the release-note block below.
-If yes, a release note is required:
-Enter your extended release note in the block below.
-If the PR requires additional action from users switching to the new release, prepend the string "action required:".
-For example, `action required: change the API interface of the rule engine`.
+If NO, just write "NONE" in the release-note block below.
+
+If YES, a release note is required, enter your release note in the block below. 
+The convention is the same as for commit messages: https://github.com/falcosecurity/.github/blob/main/CONTRIBUTING.md#commit-convention
+If the PR introduces non-backward compatible changes, please add a line starting with "BREAKING CHANGE:" and describe what changed.
+For example, `BREAKING CHANGE: the API interface of the rule engine has changed`.
+Your note will be included in the changelog.
 -->

 ```release-note
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,24 @@
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+version: 2
+
+updates:
+  - package-ecosystem: gitsubmodule
+    schedule:
+      interval: "daily"
+    directory: /
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,6 +14,7 @@ jobs:
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}

      - name: Update base image
        run: sudo apt update -y
@@ -25,7 +26,7 @@ jobs:
        run: |
          mkdir build-minimal
          pushd build-minimal
-          cmake -DMINIMAL_BUILD=On -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release ..
+          cmake -DMINIMAL_BUILD=On -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DBUILD_FALCO_UNIT_TESTS=On ..
          popd

      - name: Build
@@ -37,7 +38,7 @@ jobs:
      - name: Run unit tests
        run: |
          pushd build-minimal
-          make tests
+          sudo ./unit_tests/falco_unit_tests 
          popd

  build-ubuntu-focal:
@@ -47,6 +48,7 @@ jobs:
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}

      - name: Update base image
        run: sudo apt update -y
@@ -58,7 +60,7 @@ jobs:
        run: |
          mkdir build
          pushd build
-          cmake -DBUILD_BPF=On ..
+          cmake -DBUILD_BPF=On -DBUILD_FALCO_UNIT_TESTS=On ..
          popd

      - name: Build
@@ -70,7 +72,7 @@ jobs:
      - name: Run unit tests
        run: |
          pushd build
-          make tests
+          sudo ./unit_tests/falco_unit_tests 
          popd

  build-ubuntu-focal-debug:
@@ -80,6 +82,7 @@ jobs:
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}

      - name: Update base image
        run: sudo apt update -y
@@ -91,7 +94,7 @@ jobs:
        run: |
          mkdir build
          pushd build
-          cmake -DCMAKE_BUILD_TYPE=debug -DBUILD_BPF=On ..
+          cmake -DCMAKE_BUILD_TYPE=debug -DBUILD_BPF=On -DBUILD_FALCO_UNIT_TESTS=On ..
          popd

      - name: Build
@@ -103,68 +106,5 @@ jobs:
      - name: Run unit tests
        run: |
          pushd build
-          make tests
+          sudo ./unit_tests/falco_unit_tests 
          popd
-
-  build-ubuntu-bionic:
-    runs-on: ubuntu-18.04
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Update base image
-        run: sudo apt update -y
-
-      - name: Install build dependencies
-        run: sudo DEBIAN_FRONTEND=noninteractive apt install cmake build-essential clang llvm git linux-headers-$(uname -r) pkg-config autoconf libtool libelf-dev -y
-
-      - name: Prepare project
-        run: |
-          mkdir build
-          pushd build
-          cmake -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=On ..
-          popd
-
-      - name: Build
-        run: |
-          pushd build
-          KERNELDIR=/lib/modules/$(uname -r)/build make -j4 all
-          popd
-
-      - name: Run unit tests
-        run: |
-          pushd build
-          make tests
-          popd
-
-  build-centos7-debug:
-    runs-on: ubuntu-latest
-    container:
-      image: falcosecurity/falco-builder:latest
-      env:
-        BUILD_TYPE: "debug"
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-          path: falco
-
-      - name: Link falco repo to /source/falco
-        run: |
-          mkdir -p /source
-          ln -s "$GITHUB_WORKSPACE/falco" /source/falco
-  
-      - name: Prepare project
-        run: /usr/bin/entrypoint cmake
-
-      - name: Build
-        run: /usr/bin/entrypoint all
-
-      - name: Run unit tests
-        run: /usr/bin/entrypoint tests
-
-      - name: Build packages
-        run: /usr/bin/entrypoint package
--- a/.github/workflows/images_bumper.yml
+++ b/.github/workflows/images_bumper.yml
@@ -0,0 +1,64 @@
+name: Builder and Tester Images Bumper
+
+on:
+  push:
+    branches: [master]
+
+jobs:
+  paths-filter:
+    runs-on: ubuntu-latest
+    outputs:
+      builder_changed: ${{ steps.filter.outputs.builder }}
+      tester_changed: ${{ steps.filter.outputs.tester }}
+    steps:
+    - uses: actions/checkout@v2
+    - uses: dorny/paths-filter@v2
+      id: filter
+      with:
+        filters: |
+          builder:
+            - 'docker/builder/**'
+          tester:
+            - 'docker/tester/**'
+
+  update-builder-tester-images:
+    runs-on: ubuntu-22.04
+    needs: paths-filter
+    if: needs.paths-filter.outputs.builder_changed == 'true' || needs.paths-filter.outputs.tester_changed == 'true'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_SECRET }}
+          
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+        with:
+          platforms: 'amd64,arm64'
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      
+      - name: Build and push new builder image
+        if: needs.paths-filter.outputs.builder_changed == 'true'
+        uses: docker/build-push-action@v3
+        with:
+          context: docker/builder
+          platforms: linux/amd64,linux/arm64
+          tags: latest
+          push: true
+
+      - name: Build and push new tester image
+        if: needs.paths-filter.outputs.tester_changed == 'true'
+        uses: docker/build-push-action@v3
+        with:
+          context: docker/tester
+          platforms: linux/amd64,linux/arm64
+          tags: latest
+          push: true
--- a/.github/workflows/staticanalysis.yaml
+++ b/.github/workflows/staticanalysis.yaml
@@ -0,0 +1,31 @@
+name: StaticAnalysis
+on:
+  pull_request:
+jobs:
+  staticanalysis:
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: Checkout ⤵️
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Install build dependencies ⛓️
+        run: |
+          sudo apt update -y
+          sudo apt install build-essential git cppcheck cmake -y
+
+      - name: Build and run cppcheck 🏎️
+        run: |
+          mkdir build
+          cd build && cmake -DUSE_BUNDLED_DEPS=On -DBUILD_WARNINGS_AS_ERRORS=ON -DCREATE_TEST_TARGETS=Off -DCMAKE_BUILD_TYPE="release" -DBUILD_BPF=Off -DBUILD_DRIVER=Off ..
+          make -j4 cppcheck
+          make -j4 cppcheck_htmlreport
+
+      - name: Upload reports ⬆️
+        uses: actions/upload-artifact@v3
+        with:
+          name: static-analysis-reports
+          path: ./build/static-analysis-reports
--- a/.gitmodules
+++ b/.gitmodules
@@ -0,0 +1,4 @@
+[submodule "submodules/falcosecurity-rules"]
+	path = submodules/falcosecurity-rules
+	url = https://github.com/falcosecurity/rules.git
+	branch = main
--- a/ADOPTERS.md
+++ b/ADOPTERS.md
@@ -24,6 +24,8 @@ This is a list of production adopters of Falco (in alphabetical order):

 * [Coveo](https://www.coveo.com/) - Coveo stitches together content and data, learning from every interaction, to tailor every experience using AI to drive growth, satisfy customers and develop employee proficiency. All Falco events are centralized in our SIEM for analysis. Understanding what is running on production servers, and the context around why things are running is even more tricky now that we have further abstractions with containers and orchestration systems. Falco is giving us a good visibility inside containers and complement other Host and Network Intrusion Detection Systems. In a near future, we expect to deploy serverless functions to take action when Falco identifies patterns worth taking action for.

+* [Deckhouse](https://deckhouse.io/) - Deckhouse Platform presents to you the opportunity to create homogeneous Kubernetes clusters anywhere and handles comprehensive, automagical management for them. It supplies all the add-ons you need for auto-scaling, observability, security, and service mesh. Falco is used as a part of the [runtime-audit-engine](https://deckhouse.io/documentation/latest/modules/650-runtime-audit-engine/) module to provide threats detection and enforce security compliance out of the box. By pairing with [shell-operator](https://github.com/flant/shell-operator) Falco can be configured by Kubernetes Custom Resources.
+
 * [Fairwinds](https://fairwinds.com/) - [Fairwinds Insights](https://fairwinds.com/insights), Kubernetes governance software, integrates Falco to offer a single pane of glass view into potential security incidents. Insights adds out-of-the-box integrations and rules filter to reduce alert fatigue and improve security response. The platform adds security prevention, detection, and response capabilities to your existing Kubernetes infrastructure. Security and DevOps teams benefit from a centralized view of container security vulnerability scanning and runtime container security.

 * [Frame.io](https://frame.io/) - Frame.io is a cloud-based (SaaS) video review and collaboration platform that enables users to securely upload source media, work-in-progress edits, dailies, and more into private workspaces where they can invite their team and clients to collaborate on projects. Understanding what is running on production servers, and the context around why things are running is even more tricky now that we have further abstractions like Docker and Kubernetes. To get this needed visibility into our system, we rely on Falco. Falco's ability to collect raw system calls such as open, connect, exec, along with their arguments offer key insights on what is happening on the production system and became the foundation of our intrusion detection and alerting system.
@@ -39,7 +41,7 @@ This is a list of production adopters of Falco (in alphabetical order):
 * [Logz.io](https://logz.io/) - Logz.io is a cloud observability platform for modern engineering teams. The Logz.io platform consists of three products — Log Management, Infrastructure Monitoring, and Cloud SIEM — that work together to unify the jobs of monitoring, troubleshooting, and security. We empower engineers to deliver better software by offering the world's most popular open source observability tools — the ELK Stack, Grafana, and Jaeger — in a single, easy to use, and powerful platform purpose-built for monitoring distributed cloud environments. Cloud SIEM supports data from multiple sources, including Falco's alerts, and offers useful rules and dashboards content to visualize and manage incidents across your systems in a unified UI.
  * https://logz.io/blog/k8s-security-with-falco-and-cloud-siem/

-* [MathWorks](https://mathworks.com) - MathWorks develops mathematical computing software for engineers and scientists. MathWorks uses Falco for Kubernetes threat detection, unexpected application behavior, and maps Falco rules to their cloud infrastructure's security kill chain model. MathWorks presented their Falco use case at [KubeCon + CloudNativeCon North America 2020](https://www.youtube.com/watch?v=L-5RYBTV010).  
+* [MathWorks](https://mathworks.com) - MathWorks develops mathematical computing software for engineers and scientists. MathWorks uses Falco for Kubernetes threat detection, unexpected application behavior, and maps Falco rules to their cloud infrastructure's security kill chain model. MathWorks presented their Falco use case at [KubeCon + CloudNativeCon North America 2020](https://www.youtube.com/watch?v=L-5RYBTV010).

 * [Pocteo](https://pocteo.co) - Pocteo helps with Kubernetes adoption in enterprises by providing a variety of services such as training, consulting, auditing and mentoring. We build CI/CD pipelines the GitOps way, as well as design and run k8s clusters. Pocteo uses Falco as a runtime monitoring system to secure clients' workloads against suspicious behavior and ensure k8s pods immutability. We also use Falco to collect, process and act on security events through a response engine and serverless functions.

@@ -70,6 +72,8 @@ This is a list of production adopters of Falco (in alphabetical order):

 * [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call driver. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended Falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-defined infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.

+* [Xenit AB](https://xenit.se/contact/) Xenit is a growth company with services within cloud and digital transformation. We provide an open-source Kubernetes framework that we leverage to help our customers get their applications to production as quickly and as securely as possible. We use Falco's detection capabilities to identify anomalous behaviour within our clusters in both Azure and AWS.
+
 ## Projects that use Falco libs

 * [R6/Phoenix](https://r6security.com/) is an attack surface protection company that uses moving target defense to provide fully automated, proactive and devops friendly security to its customers. There are a set of policies you can add to enable the moving target defense capabilities. Some of them are triggered by a combination of Falco's findings. You can kill, restart and rename pods according to the ever changing policies.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,132 @@
 # Change Log

+## v0.34.1
+
+Released on 2023-02-20
+
+### Minor Changes
+
+* fix(userspace/engine): correctly bump FALCO_ENGINE_VERSION after introduction of new fields [[#2418](https://github.com/falcosecurity/falco/pull/2418)] - [@loresuso](https://github.com/loresuso/)
+
+### Non user-facing changes
+
+* fix(dockerfile/no-driver): install ca-certificates [[#2412](https://github.com/falcosecurity/falco/pull/2412)] - [@alacuku](https://github.com/alacuku)
+
+## v0.34.0
+
+Released on 2023-02-07
+
+### Major Changes
+
+* BREAKING CHANGE: if you relied upon `application_rules.yaml` you can download it from https://github.com/falcosecurity/rules/tree/main/rules and manually install it. [[#2389](https://github.com/falcosecurity/falco/pull/2389)] - [@leogr](https://github.com/leogr)
+
+* new(rules): New rule to detect attempts to inject code into a process using PTRACE [[#2226](https://github.com/falcosecurity/falco/pull/2226)] - [@Brucedh](https://github.com/Brucedh)
+* new(engine): Also include exact locations for rule condition compile errors (missing macros, etc). [[#2216](https://github.com/falcosecurity/falco/pull/2216)] - [@mstemm](https://github.com/mstemm)
+* new(scripts): Support older RHEL distros in falco-driver-loader script [[#2312](https://github.com/falcosecurity/falco/pull/2312)] - [@gentooise](https://github.com/gentooise)
+* new(scripts): add `falcoctl` config into Falco package [[#2390](https://github.com/falcosecurity/falco/pull/2390)] - [@Andreagit97](https://github.com/Andreagit97)
+* new(userspace/falco): [EXPERIMENTAL] allow modern bpf probe to assign more than one CPU to a single ring buffer [[#2363](https://github.com/falcosecurity/falco/pull/2363)] - [@Andreagit97](https://github.com/Andreagit97)
+* new(userspace/falco): add webserver endpoint for retrieving internal version numbers [[#2356](https://github.com/falcosecurity/falco/pull/2356)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* new(falco): add --version-json to print version information in json format [[#2331](https://github.com/falcosecurity/falco/pull/2331)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(scripts): support multiple drivers in systemd units [[#2242](https://github.com/falcosecurity/falco/pull/2242)] - [@FedeDP](https://github.com/FedeDP)
+* new(scripts): add bottlerocket support in falco-driver-loader [[#2318](https://github.com/falcosecurity/falco/pull/2318)] - [@FedeDP](https://github.com/FedeDP)
+* new(falco): add more version fields to --support and --version [[#2325](https://github.com/falcosecurity/falco/pull/2325)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(config): explicitly add the `simulate_drops` config [[#2260](https://github.com/falcosecurity/falco/pull/2260)] - [@Andreagit97](https://github.com/Andreagit97)
+
+
+### Minor Changes
+
+* build: upgrade to `falcoctl` v0.4.0 [[#2406](https://github.com/falcosecurity/falco/pull/2406)] - [@loresuso](https://github.com/loresuso)
+* update(userspace): change `modern_bpf.cpus_for_each_syscall_buffer` default value [[#2404](https://github.com/falcosecurity/falco/pull/2404)] - [@Andreagit97](https://github.com/Andreagit97)
+* update(build): update falcoctl to 0.3.0 [[#2401](https://github.com/falcosecurity/falco/pull/2401)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update(build): update falcoctl to 0.3.0-rc7 [[#2396](https://github.com/falcosecurity/falco/pull/2396)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update(cmake): bump libs to 0.10.3 [[#2392](https://github.com/falcosecurity/falco/pull/2392)] - [@FedeDP](https://github.com/FedeDP)
+* build: `/etc/falco/rules.available` has been deprecated [[#2389](https://github.com/falcosecurity/falco/pull/2389)] - [@leogr](https://github.com/leogr)
+* build: `application_rules.yaml` is not shipped anymore with Falco [[#2389](https://github.com/falcosecurity/falco/pull/2389)] - [@leogr](https://github.com/leogr)
+* build: upgrade k8saudit plugin to v0.5.0 [[#2381](https://github.com/falcosecurity/falco/pull/2381)] - [@leogr](https://github.com/leogr)
+* build: upgrade cloudtrail plugin to v0.6.0 [[#2381](https://github.com/falcosecurity/falco/pull/2381)] - [@leogr](https://github.com/leogr)
+* new!: ship falcoctl inside Falco [[#2345](https://github.com/falcosecurity/falco/pull/2345)] - [@FedeDP](https://github.com/FedeDP)
+* refactor: remove rules and add submodule to falcosecurity/rules [[#2359](https://github.com/falcosecurity/falco/pull/2359)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(scripts): add option for regenerating signatures of all dev and release packages [[#2364](https://github.com/falcosecurity/falco/pull/2364)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update: print JSON version output when json_output is enabled [[#2351](https://github.com/falcosecurity/falco/pull/2351)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(cmake): updated libs to 0.10.1 tag. [[#2362](https://github.com/falcosecurity/falco/pull/2362)] - [@FedeDP](https://github.com/FedeDP)
+* Install the certificates of authorities in falco:no-driver docker image [[#2355](https://github.com/falcosecurity/falco/pull/2355)] - [@Issif](https://github.com/Issif)
+* update: Mesos support is now deprecated and will be removed in the next version. [[#2328](https://github.com/falcosecurity/falco/pull/2328)] - [@leogr](https://github.com/leogr)
+* update(scripts/falco-driver-loader): optimize the resiliency of module download script for air-gapped environments [[#2336](https://github.com/falcosecurity/falco/pull/2336)] - [@Dentrax](https://github.com/Dentrax)
+* doc(userspace): provide users with a correct message when some syscalls are not defined [[#2329](https://github.com/falcosecurity/falco/pull/2329)] - [@Andreagit97](https://github.com/Andreagit97)
+* update(ci): update ci jobs to generate Falco images with the modern BPF probe [[#2320](https://github.com/falcosecurity/falco/pull/2320)] - [@Andreagit97](https://github.com/Andreagit97)
+* rules: add Falco container lists [[#2290](https://github.com/falcosecurity/falco/pull/2290)] - [@oscr](https://github.com/oscr)
+* rules(macro: private_key_or_password): now also check for OpenSSH private keys [[#2284](https://github.com/falcosecurity/falco/pull/2284)] - [@oscr](https://github.com/oscr)
+* update(cmake): bump libs and driver to latest RC. [[#2302](https://github.com/falcosecurity/falco/pull/2302)] - [@FedeDP](https://github.com/FedeDP)
+* Ensure that a ruleset object is copied properly in falco_engine::add_source(). [[#2271](https://github.com/falcosecurity/falco/pull/2271)] - [@mstemm](https://github.com/mstemm)
+* update(userspace/falco): enable using zlib with webserver [[#2125](https://github.com/falcosecurity/falco/pull/2125)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(falco): add container-gvisor and kubernetes-gvisor print options [[#2288](https://github.com/falcosecurity/falco/pull/2288)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* cleanup: always use bundled libz and libelf in BUNDLED_DEPS mode. [[#2277](https://github.com/falcosecurity/falco/pull/2277)] - [@FedeDP](https://github.com/FedeDP)
+* update: updated libs and driver to version dd443b67c6b04464cb8ee2771af8ada8777e7fac [[#2277](https://github.com/falcosecurity/falco/pull/2277)] - [@FedeDP](https://github.com/FedeDP)
+* update(falco.yaml): `open_params` under plugins configuration is now trimmed from surrounding whitespace [[#2267](https://github.com/falcosecurity/falco/pull/2267)] - [@yardenshoham](https://github.com/yardenshoham)
+
+
+### Bug Fixes
+
+* fix(engine): Avoid crash related to caching syscall source when the falco engine uses multiple sources at the same time. [[#2272](https://github.com/falcosecurity/falco/pull/2272)] - [@mstemm](https://github.com/mstemm)
+* fix(scripts): use falco-driver-loader only into install scripts [[#2391](https://github.com/falcosecurity/falco/pull/2391)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(userspace/falco): fix grpc server shutdown [[#2350](https://github.com/falcosecurity/falco/pull/2350)] - [@FedeDP](https://github.com/FedeDP)
+* fix(docker/falco): trust latest GPG key [[#2365](https://github.com/falcosecurity/falco/pull/2365)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(userspace/engine): improve rule loading validation results [[#2344](https://github.com/falcosecurity/falco/pull/2344)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix: graceful error handling for macros/lists reference loops [[#2311](https://github.com/falcosecurity/falco/pull/2311)] - [@jasondellaluce](https://github.com/jasondellaluce)
+
+
+### Rule Changes
+
+* rules(tagging): enhanced rules tagging for inventory / threat modeling [[#2167](https://github.com/falcosecurity/falco/pull/2167)] - [@incertum](https://github.com/incertum)
+* rule(Outbound Connection to C2 Server): Update the "Outbound connection to C2 server" rule to match both FQDN and IP addresses. Prior to this change, the rule only matched IP addresses and not FQDN. [[#2241](https://github.com/falcosecurity/falco/pull/2241)] - [@Nicolas-Peiffer](https://github.com/Nicolas-Peiffer)
+* rule(Execution from /dev/shm): new rule to detect execution from /dev/shm [[#2225](https://github.com/falcosecurity/falco/pull/2225)] - [@AlbertoPellitteri](https://github.com/AlbertoPellitteri)
+* rule(Find AWS Credentials): new rule to detect executions looking for AWS credentials [[#2224](https://github.com/falcosecurity/falco/pull/2224)] - [@AlbertoPellitteri](https://github.com/AlbertoPellitteri)
+* rule(Linux Kernel Module Injection Detected): improve insmod detection within container using CAP_SYS_MODULE [[#2305](https://github.com/falcosecurity/falco/pull/2305)] - [@loresuso](https://github.com/loresuso)
+* rule(Read sensitive file untrusted): let salt-call read sensitive files [[#2291](https://github.com/falcosecurity/falco/pull/2291)] - [@vin01](https://github.com/vin01)
+* rule(macro: rpm_procs): let salt-call write to rpm database [[#2291](https://github.com/falcosecurity/falco/pull/2291)] - [@vin01](https://github.com/vin01)
+
+
+### Non user-facing changes
+
+* fix(ci): fix rpm sign job dependencies [[#2324](https://github.com/falcosecurity/falco/pull/2324)] - [@cappellinsamuele](https://github.com/cappellinsamuele)
+* chore(userspace): add `njson` lib as a dependency for `falco_engine` [[#2316](https://github.com/falcosecurity/falco/pull/2316)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(scripts): force rpm postinstall script to always show dialog, even on upgrade [[#2405](https://github.com/falcosecurity/falco/pull/2405)] - [@FedeDP](https://github.com/FedeDP)
+* fix(scripts): fixed falcoctl config install dir. [[#2399](https://github.com/falcosecurity/falco/pull/2399)] - [@FedeDP](https://github.com/FedeDP)
+* fix(scripts): make /usr writable [[#2398](https://github.com/falcosecurity/falco/pull/2398)] - [@therealbobo](https://github.com/therealbobo)
+* fix(scripts): driver loader insmod [[#2388](https://github.com/falcosecurity/falco/pull/2388)] - [@FedeDP](https://github.com/FedeDP)
+* update(systemd): solve some issues with systemd unit [[#2385](https://github.com/falcosecurity/falco/pull/2385)] - [@Andreagit97](https://github.com/Andreagit97)
+* build(cmake): upgrade falcoctl to v0.3.0-rc6 [[#2383](https://github.com/falcosecurity/falco/pull/2383)] - [@leogr](https://github.com/leogr)
+* docs(.github): rules are no longer in this repo [[#2382](https://github.com/falcosecurity/falco/pull/2382)] - [@leogr](https://github.com/leogr)
+* update(CI): mitigate frequent failure in CircleCI jobs [[#2375](https://github.com/falcosecurity/falco/pull/2375)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(userspace): use the right path for the `cpus_for_each_syscall_buffer` config [[#2378](https://github.com/falcosecurity/falco/pull/2378)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(scripts): fixed incorrect bash var expansion [[#2367](https://github.com/falcosecurity/falco/pull/2367)] - [@therealbobo](https://github.com/therealbobo)
+* update(CI): upgrade toolchain in modern falco builder dockerfile [[#2337](https://github.com/falcosecurity/falco/pull/2337)] - [@Andreagit97](https://github.com/Andreagit97)
+* cleanup(ci): move static analysis job from circle CI to GHA [[#2332](https://github.com/falcosecurity/falco/pull/2332)] - [@Andreagit97](https://github.com/Andreagit97)
+* update(falco): update cpp-httplib to 0.11.3 [[#2327](https://github.com/falcosecurity/falco/pull/2327)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update(script): makes user able to pass custom option to driver-loade… [[#1901](https://github.com/falcosecurity/falco/pull/1901)] - [@andreabonanno](https://github.com/andreabonanno)
+* cleanup(ci): remove some unused jobs and remove some `falco-builder` reference where possible [[#2322](https://github.com/falcosecurity/falco/pull/2322)] - [@Andreagit97](https://github.com/Andreagit97)
+* docs(proposal): new artifacts distribution proposal [[#2304](https://github.com/falcosecurity/falco/pull/2304)] - [@leogr](https://github.com/leogr)
+* fix(cmake): properly fetch dev version by appending latest Falco tag, delta between master and tag, and hash [[#2292](https://github.com/falcosecurity/falco/pull/2292)] - [@FedeDP](https://github.com/FedeDP)
+* chore(deps): Bump certifi from 2020.4.5.1 to 2022.12.7 in /test [[#2313](https://github.com/falcosecurity/falco/pull/2313)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* chore: remove string view lite [[#2307](https://github.com/falcosecurity/falco/pull/2307)] - [@leogr](https://github.com/leogr)
+* new(CHANGELOG): add entry for 0.33.1 (in master branch this time) [[#2303](https://github.com/falcosecurity/falco/pull/2303)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update(docs): add overview and versioning sections to falco release.md [[#2205](https://github.com/falcosecurity/falco/pull/2205)] - [@incertum](https://github.com/incertum)
+* Add Xenit AB to adopters [[#2285](https://github.com/falcosecurity/falco/pull/2285)] - [@NissesSenap](https://github.com/NissesSenap)
+* fix(userspace/falco): verify engine fields only for syscalls [[#2281](https://github.com/falcosecurity/falco/pull/2281)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(output): do not print syscall_buffer_size when gvisor is enabled [[#2283](https://github.com/falcosecurity/falco/pull/2283)] - [@alacuku](https://github.com/alacuku)
+* fix(engine): fix warning about redundant std::move [[#2286](https://github.com/falcosecurity/falco/pull/2286)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(scripts): force falco-driver-loader script to try to compile the driver anyway even on unsupported platforms [[#2219](https://github.com/falcosecurity/falco/pull/2219)] - [@FedeDP](https://github.com/FedeDP)
+* fix(ci): fixed version bucket for release jobs. [[#2266](https://github.com/falcosecurity/falco/pull/2266)] - [@FedeDP](https://github.com/FedeDP)
+
+## v0.33.1
+
+Released on 2022-11-24
+
+### Minor Changes
+
+* update(falco): fix container-gvisor and kubernetes-gvisor print options [[#2288](https://github.com/falcosecurity/falco/pull/2288)]
+* Update libs to 0.9.2, fixing potential CLBO on gVisor+Kubernetes and crash with eBPF when some CPUs are offline [[#2299](https://github.com/falcosecurity/falco/pull/2299)] - [@LucaGuerra](https://github.com/LucaGuerra)
+
 ## v0.33.0

 Released on 2022-10-19
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -18,6 +18,7 @@ option(USE_BUNDLED_DEPS "Bundle hard to find dependencies into the Falco binary"
 option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF)
 option(MINIMAL_BUILD "Build a minimal version of Falco, containing only the engine and basic input/output (EXPERIMENTAL)" OFF)
 option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF)
+option(BUILD_FALCO_UNIT_TESTS "Build falco unit tests" OFF)

 # gVisor is currently only supported on Linux x86_64
 if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64" AND CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT MINIMAL_BUILD)
@@ -148,16 +149,7 @@ include(falcosecurity-libs)
 include(jq)

 # nlohmann-json
-set(NJSON_SRC "${PROJECT_BINARY_DIR}/njson-prefix/src/njson")
-message(STATUS "Using bundled nlohmann-json in '${NJSON_SRC}'")
-set(NJSON_INCLUDE "${NJSON_SRC}/single_include")
-ExternalProject_Add(
-  njson
-  URL "https://github.com/nlohmann/json/archive/v3.3.0.tar.gz"
-  URL_HASH "SHA256=2fd1d207b4669a7843296c41d3b6ac5b23d00dec48dba507ba051d14564aa801"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  INSTALL_COMMAND "")
+include(njson)

 # b64
 include(b64)
@@ -181,9 +173,6 @@ include(cxxopts)
 # One TBB
 include(tbb)

-#string-view-lite
-include(DownloadStringViewLite)
-
 if(NOT MINIMAL_BUILD)
  include(zlib)
  include(cares)
@@ -204,7 +193,7 @@ if(NOT MINIMAL_BUILD)
 endif()

 # Rules
-add_subdirectory(rules)
+include(rules)

 # Dockerfiles
 add_subdirectory(docker)
@@ -225,11 +214,16 @@ set(FALCO_BIN_DIR bin)
 add_subdirectory(scripts)
 add_subdirectory(userspace/engine)
 add_subdirectory(userspace/falco)
-add_subdirectory(tests)

 if(NOT MUSL_OPTIMIZED_BUILD)
  include(plugins)
 endif()

+include(falcoctl)
+
 # Packages configuration
 include(CPackConfig)
+
+if(BUILD_FALCO_UNIT_TESTS)
+  add_subdirectory(unit_tests)
+endif()
--- a/README.md
+++ b/README.md
@@ -80,6 +80,8 @@ For example, Falco can easily detect incidents including but not limited to:
 - A standard system binary, such as `ls`, is making an outbound network connection.
 - A privileged pod is started in a Kubernetes cluster.

+The official Falco rules are maintained and released in [falcosecurity/rules](https://github.com/falcosecurity/rules/). That repository also contains the Falco rules inventory [document](https://github.com/falcosecurity/rules/blob/main/rules_inventory/rules_overview.md), which provides additional details around the default rules Falco ships with.
+
 ## Installing Falco

 If you would like to run Falco in **production** please adhere to the [official installation guide](https://falco.org/docs/getting-started/installation/).
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -1,18 +1,79 @@
 # Falco Release Process

-Our release process is mostly automated, but we still need some manual steps to initiate and complete it.

-Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released.
+## Overview
+
+This document provides the process to create a new Falco release. In addition, it provides information about the versioning of the Falco components. At a high level each Falco release consists of the following main components:
+
+- Falco binary (userspace)
+- Falco kernel driver object files (kernel space)
+    - Option 1: Kernel module (`.ko` files)
+    - Option 2: eBPF (`.o` files)
+- Falco config and primary rules `.yaml` files (userspace)
+- Falco plugins (userspace - optional)
+
+One nice trait about releasing separate artifacts for userspace and kernel space is that Falco is amenable to supporting a large array of environments, that is, multiple kernel versions, distros and architectures (see `libs` [driver - kernel version support matrix](https://github.com/falcosecurity/libs#drivers-officially-supported-architectures)). The Falco project manages the release of both the Falco userspace binary and pre-compiled Falco kernel drivers for the most popular kernel versions and distros. The build and publish process is managed by the [test-infra](https://github.com/falcosecurity/test-infra) repo. The Falco userspace executable includes bundled dependencies, so that it can be run from anywhere.
+
+The Falco project also publishes all sources for each component. In fact, sources are included in the Falco release in the same way as some plugins (k8saudit and cloudtrail) as well as the rules that are shipped together with Falco. This empowers the end user to audit the integrity of the project as well as build kernel drivers for custom kernels or not officially supported kernels / distros (see [driverkit](https://github.com/falcosecurity/driverkit) for more information). While the Falco project is deeply embedded into an ecosystem of supporting [Falco sub-projects](https://github.com/falcosecurity/evolution) that aim to make the deployment of Falco easy, user-friendly, extendible and cloud-native, core Falco is split across two repos, [falco](https://github.com/falcosecurity/falco) (this repo) and [libs](https://github.com/falcosecurity/libs). The `libs` repo contains >90% of Falco's core features and is the home of each of the kernel drivers and engines. More details are provided in the [Falco Components Versioning](#falco-components-versioning) section.
+
+Finally, the release process follows a transparent process described in more detail in the following sections and the official [Falco docs](https://falco.org/) contain rich information around building, installing and using Falco.
+
+
+### Falco Binaries, Rules and Sources Artifacts - Quick Links
+
+The Falco project publishes all sources and the Falco userspace binaries as GitHub releases.
+
+- [Falco Releases](https://github.com/falcosecurity/falco/releases)
+    - `tgz`, `rpm` and `deb` Falco binary packages (contains sources, including driver sources, Falco rules as well as k8saudit and cloudtrail plugins)
+    - `tgz`, `zip` source code
+- [Libs Releases](https://github.com/falcosecurity/libs/releases)
+    - `tgz`, `zip` source code
+- [Driver Releases](https://github.com/falcosecurity/libs/releases), marked with `+driver` [build metadata](https://semver.org/). 
+    - `tgz`, `zip` source code
+- [Falco Rules Releases](https://github.com/falcosecurity/rules/releases)
+    - `tgz`, `zip` source code, each ruleset is tagged separately in a mono-repo fashion, see the [rules release guidelines](https://github.com/falcosecurity/rules/blob/main/RELEASE.md)
+
+
+Alternatively Falco binaries or plugins can be downloaded from the Falco Artifacts repo.
+
+- [Falco Artifacts Repo Packages Root](https://download.falco.org/?prefix=packages/)
+- [Falco Artifacts Repo Plugins Root](https://download.falco.org/?prefix=plugins/)
+
+
+### Falco Drivers Artifacts Repo - Quick Links
+
+
+The Falco project publishes all drivers for each release for all popular kernel versions / distros and `x86_64` and `aarch64` architectures to the Falco project managed Artifacts repo. The Artifacts repo follows standard directory level conventions. The respective driver object file is prefixed by distro and named / versioned by kernel release - `$(uname -r)`. Pre-compiled drivers are released with a [best effort](https://github.com/falcosecurity/falco/blob/master/proposals/20200818-artifacts-storage.md#notice) notice. This is because gcc (`kmod`) and clang (`bpf`) compilers or for example the eBPF verifier are not perfect. More details around driver versioning and driver compatibility are provided in the [Falco Components Versioning](#falco-components-versioning) section. Short preview: If you use the standard Falco setup leveraging driver-loader, [driver-loader script](https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader) will fetch the kernel space artifact (object file) corresponding to the default `DRIVER_VERSION` Falco was shipped with.
+
+- [Falco Artifacts Repo Drivers Root](https://download.falco.org/?prefix=driver/)
+    - Option 1: Kernel module (`.ko` files) - all under same driver version directory
+    - Option 2: eBPF (`.o` files) - all under same driver version directory
+
+
+### Timeline

 Falco releases are due to happen 3 times per year. Our current schedule sees a new release by the end of January, May, and September each year. Hotfix releases can happen whenever it's needed.

+Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released.
+
+
+### Procedures
+
+The release process is mostly automated requiring only a few manual steps to initiate and complete it.
+
 Moreover, we need to assign owners for each release (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community).

-Finally, on the proposed due date the assignees for the upcoming release proceed with the processes described below.
+At a high level each Falco release needs to follow a pre-determined sequencing of releases and build order:
+
+- [1 - 3] `libs` (+ `driver`) and `plugins` components releases
+- [4] Falco driver pre-compiled object files push to Falco's Artifacts repo
+- [5] Falco userspace binary release
+
+Finally, on the proposed due date the assignees for the upcoming release proceed with the processes described below.  

 ## Pre-Release Checklist

-Before cutting a release we need to do some homework in the Falco repository. This should take 5 minutes using the GitHub UI.
+Prior to cutting a release the following preparatory steps should take 5 minutes using the GitHub UI.

 ### 1. Release notes
 - Find the previous release date (`YYYY-MM-DD`) by looking at the [Falco releases](https://github.com/falcosecurity/falco/releases)
@@ -26,7 +87,19 @@ Before cutting a release we need to do some homework in the Falco repository. Th

 - Move the [tasks not completed](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Aopen) to a new minor milestone

-### 3. Release PR
+
+### 3. Release branch
+
+Assuming we are releasing a non-patch version (like: Falco 0.34.0), a new release branch needs to be created.  
+Its naming will be `release/M.m.x`; for example: `release/0.34.x`.  
+The same branch will then be used for any eventual cherry pick for patch releases.  
+
+For patch releases, instead, the `release/M.m.x` branch should already be in place; no more steps are needed.  
+Double check that any PR that should be part of the tag has been cherry-picked from master!
+
+### 4. Release PR
+
+The release PR is meant to be made against the respective `release/M.m.x` branch, **then cherry-picked on master**.  

 - Double-check if any hard-coded version number is present in the code, it should be not present anywhere:
    - If any, manually correct it then open an issue to automate version number bumping later
@@ -37,21 +110,22 @@ Before cutting a release we need to do some homework in the Falco repository. Th
 - Add the latest changes on top the previous `CHANGELOG.md`
 - Submit a PR with the above modifications
 - Await PR approval
- Close the completed milestone as soon as the PR is merged
+- Close the completed milestone as soon as the PR is merged into the release branch
+- Cherry pick the PR on master too

 ## Release

-Now assume `x.y.z` is the new version.
+Assume `M.m.p` is the new version.

 ### 1. Create a tag

- Once the release PR has got merged, and the CI has done its job on the master, git tag the new release
+- Once the release PR has got merged both on the release branch and on master, and the master CI has done its job, git tag the new release on the release branch:

    ```
    git pull
-    git checkout master
-    git tag x.y.z
-    git push origin x.y.z
+    git checkout release/M.m.x
+    git tag M.m.p
+    git push origin M.m.p
    ```

 > **N.B.**: do NOT use an annotated tag. For reference https://git-scm.com/book/en/v2/Git-Basics-Tagging
@@ -61,26 +135,26 @@ Now assume `x.y.z` is the new version.
 ### 2. Update the GitHub release

 - [Draft a new release](https://github.com/falcosecurity/falco/releases/new)
- Use `x.y.z` both as tag version and release title
+- Use `M.m.p` both as tag version and release title
 - Use the following template to fill the release description:
    ```
-    <!-- Substitute x.y.z with the current release version -->
+    <!-- Substitute M.m.p with the current release version -->

    | Packages | Download                                                                                                                                               |
    | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
-    | rpm-x86_64      | [![rpm](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpm/falco-x.y.z-x86_64.rpm)        |
-    | deb-x86_64      | [![deb](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/deb/stable/falco-x.y.z-x86_64.deb) |
-    | tgz-x86_64      | [![tgz](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/bin/x86_64/falco-x.y.z-x86_64.tar.gz) |
-    | rpm-aarch64      | [![rpm](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpm/falco-x.y.z-aarch64.rpm)        |
-    | deb-aarch64      | [![deb](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/deb/stable/falco-x.y.z-aarch64.deb) |
-    | tgz-aarch64      | [![tgz](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/bin/aarch64/falco-x.y.z-aarch64.tar.gz) |
+    | rpm-x86_64      | [![rpm](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpm/falco-M.m.p-x86_64.rpm)        |
+    | deb-x86_64      | [![deb](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/deb/stable/falco-M.m.p-x86_64.deb) |
+    | tgz-x86_64      | [![tgz](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/bin/x86_64/falco-M.m.p-x86_64.tar.gz) |
+    | rpm-aarch64      | [![rpm](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpm/falco-M.m.p-aarch64.rpm)        |
+    | deb-aarch64      | [![deb](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/deb/stable/falco-M.m.p-aarch64.deb) |
+    | tgz-aarch64      | [![tgz](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/bin/aarch64/falco-M.m.p-aarch64.tar.gz) |

    | Images                                                                      |
    | --------------------------------------------------------------------------- |
-    | `docker pull docker.io/falcosecurity/falco:x.y.z`                           |
-    | `docker pull public.ecr.aws/falcosecurity/falco:x.y.z`                      |
-    | `docker pull docker.io/falcosecurity/falco-driver-loader:x.y.z`             |
-    | `docker pull docker.io/falcosecurity/falco-no-driver:x.y.z`                 |
+    | `docker pull docker.io/falcosecurity/falco:M.m.p`                           |
+    | `docker pull public.ecr.aws/falcosecurity/falco:M.m.p`                      |
+    | `docker pull docker.io/falcosecurity/falco-driver-loader:M.m.p`             |
+    | `docker pull docker.io/falcosecurity/falco-no-driver:M.m.p`                 |

    <changelog>

@@ -109,7 +183,7 @@ For each release we archive the meeting notes in git for historical purposes.

 - The notes from the Falco meetings can be [found here](https://hackmd.io/3qYPnZPUQLGKCzR14va_qg).
    - Note: There may be other notes from working groups that can optionally be added as well as needed.
- - Add the entire content of the document to a new file in [github.com/falcosecurity/community/tree/master/meeting-notes](https://github.com/falcosecurity/community/tree/master/meeting-notes) as a new file labeled `release-x.y.z.md`
+ - Add the entire content of the document to a new file in [github.com/falcosecurity/community/tree/master/meeting-notes](https://github.com/falcosecurity/community/tree/master/meeting-notes) as a new file labeled `release-M.m.p.md`
 - Open up a pull request with the new change.


@@ -121,3 +195,45 @@ Announce the new release to the world!
 - Send an announcement to cncf-falco-dev@lists.cncf.io (plain text, please)
 - Let folks in the slack #falco channel know about a new release came out
 - IFF the on going release introduces a **new minor version**, [archive a snapshot of the Falco website](https://github.com/falcosecurity/falco-website/blob/master/release.md#documentation-versioning)
+
+
+## Falco Components Versioning
+
+This section provides more details around the versioning of all components that make up core Falco. It can also be a useful guide for the uninitiated to be more informed about Falco's source. Because the `libs` repo contains >90% of Falco's core features and is the home of each of the kernel drivers and engines, the [libs release doc](https://github.com/falcosecurity/libs/blob/master/release.md) is an excellent additional resource. In addition, the [plugins release doc](https://github.com/falcosecurity/plugins/blob/master/release.md) provides similar details around Falco's plugins. `SHA256` checksums are provided throughout Falco's source code to empower the end user to perform integrity checks. All Falco releases also contain the sources as part of the packages.
+
+
+### Falco repo (this repo)
+- Falco version is a git tag (`x.y.z`), see [Procedures](#procedures) section. Note that the Falco version is a sem-ver-like schema, but not fully compatible with sem-ver.
+- [FALCO_ENGINE_VERSION](https://github.com/falcosecurity/falco/blob/master/userspace/engine/falco_engine_version.h) is not sem-ver and must be bumped either when a backward incompatible change has been introduced to the rules files syntax or `falco --list -N | sha256sum` has changed. Breaking changes introduced in the Falco engine are not necessarily tied to the drivers or libs versions. The primary idea behind the hash is that when new filter / display fields (see currently supported [Falco fields](https://falco.org/docs/rules/supported-fields/)) are introduced a version bump indicates that this field was not available in previous engine versions. See the [rules release guidelines](https://github.com/falcosecurity/rules/blob/main/RELEASE.md#versioning-a-ruleset) to understand how this affects the versioning of Falco rules.
+- During development and release preparation, libs and driver reference commits are often bumped in Falco's cmake setup ([falcosecurity-libs cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/falcosecurity-libs.cmake#L30) and [driver cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/driver.cmake#L29)) in order to merge new Falco features. In practice they are mostly bumped at the same time referencing the same `libs` commit. However, for the official Falco build `FALCOSECURITY_LIBS_VERSION` flag that references the stable Libs version is used (read below).
+- Similarly, Falco plugins versions are bumped in Falco's cmake setup ([plugins cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/plugins.cmake)) and those versions are the ones used for the Falco release.
+- At release time Plugin, Libs and Driver versions are compatible with Falco.
+- If you use the standard Falco setup leveraging driver-loader, [driver-loader script](https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader) will fetch the kernel space artifact (object file) corresponding to the default `DRIVER_VERSION` Falco was shipped with (read more below under Libs).
+
+
+```
+Falco version: x.y.z (sem-ver like)
+Libs version:  x.y.z (sem-ver like)
+Plugin API:    x.y.z (sem-ver like)
+Engine:        x
+Driver:
+  API version:    x.y.z (sem-ver)
+  Schema version: x.y.z (sem-ver)
+  Default driver: x.y.z+driver (sem-ver like, indirectly encodes compatibility range in addition to default version Falco is shipped with)
+```
+
+
+### Libs repo
+- Libs version is a git tag (`x.y.z`) and when building Falco the libs version is set via the `FALCOSECURITY_LIBS_VERSION` flag (see above).
+- Driver version itself is not directly tied to the Falco binary as opposed to the libs version being part of the source code used to compile Falco's userspace binary. This is because of the strict separation between userspace and kernel space artifacts, so things become a bit more interesting here. This is why the concept of a `Default driver` has been introduced to still implicitly declare the compatible driver versions. For example, if the default driver version is `2.0.0+driver`, Falco works with all driver versions >= 2.0.0 and < 3.0.0. This is a consequence of how the driver version is constructed starting from the `Driver API version` and `Driver Schema version`. Driver API and Schema versions are explained in the respective [libs driver doc](https://github.com/falcosecurity/libs/blob/master/driver/README.VERSION.md) -> Falco's `driver-loader` will always fetch the default driver, therefore a Falco release is always "shipped" with the driver version corresponding to the default driver.
+- See [libs release doc](https://github.com/falcosecurity/libs/blob/master/release.md) for more information.
+
+### Plugins repo
+
+- Plugins version is a git tag (`x.y.z`)
+- See [plugins release doc](https://github.com/falcosecurity/plugins/blob/master/release.md) for more information.
+
+### Rules repo
+- Rulesets are versioned individually through git tags
+- See [rules release doc](https://github.com/falcosecurity/rules/blob/main/RELEASE.md) for more information.
+- See [plugins release doc](https://github.com/falcosecurity/plugins/blob/master/release.md) for more information about plugins rulesets.
--- a/audits/SECURITY_AUDIT_2023_01_23-01-1097-LIV.pdf
+++ b/audits/SECURITY_AUDIT_2023_01_23-01-1097-LIV.pdf
--- a/cmake/cpack/CMakeCPackOptions.cmake
+++ b/cmake/cpack/CMakeCPackOptions.cmake
@@ -1,13 +1,11 @@
-if(CPACK_GENERATOR MATCHES "DEB")
+if(CPACK_GENERATOR MATCHES "DEB" OR CPACK_GENERATOR MATCHES "RPM")
 	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco_inject_kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-endif()
-
-if(CPACK_GENERATOR MATCHES "RPM")
-	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco_inject_kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-modern-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-custom.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falcoctl-artifact-follow.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 endif()

 if(CPACK_GENERATOR MATCHES "TGZ")
--- a/cmake/cpack/debian/conffiles
+++ b/cmake/cpack/debian/conffiles
@@ -1,3 +1,3 @@
 /etc/falco/falco.yaml
-/etc/falco/rules.available/application_rules.yaml
+/etc/falco/falcoctl.yaml
 /etc/falco/falco_rules.local.yaml
--- a/cmake/modules/Catch.cmake
+++ b/cmake/modules/Catch.cmake
@@ -1,159 +0,0 @@
-# Distributed under the OSI-approved BSD 3-Clause License.  See accompanying file Copyright.txt or
-# https://cmake.org/licensing for details.
-
-#[=======================================================================[.rst:
-Catch
-----
-
-This module defines a function to help use the Catch test framework.
-
-The :command:`catch_discover_tests` discovers tests by asking the compiled test
-executable to enumerate its tests.  This does not require CMake to be re-run
-when tests change.  However, it may not work in a cross-compiling environment,
-and setting test properties is less convenient.
-
-This command is intended to replace use of :command:`add_test` to register
-tests, and will create a separate CTest test for each Catch test case.  Note
-that this is in some cases less efficient, as common set-up and tear-down logic
-cannot be shared by multiple test cases executing in the same instance.
-However, it provides more fine-grained pass/fail information to CTest, which is
-usually considered as more beneficial.  By default, the CTest test name is the
-same as the Catch name; see also ``TEST_PREFIX`` and ``TEST_SUFFIX``.
-
-.. command:: catch_discover_tests
-
-  Automatically add tests with CTest by querying the compiled test executable
-  for available tests::
-
-    catch_discover_tests(target
-                         [TEST_SPEC arg1...]
-                         [EXTRA_ARGS arg1...]
-                         [WORKING_DIRECTORY dir]
-                         [TEST_PREFIX prefix]
-                         [TEST_SUFFIX suffix]
-                         [PROPERTIES name1 value1...]
-                         [TEST_LIST var]
-    )
-
-  ``catch_discover_tests`` sets up a post-build command on the test executable
-  that generates the list of tests by parsing the output from running the test
-  with the ``--list-test-names-only`` argument.  This ensures that the full
-  list of tests is obtained.  Since test discovery occurs at build time, it is
-  not necessary to re-run CMake when the list of tests changes.
-  However, it requires that :prop_tgt:`CROSSCOMPILING_EMULATOR` is properly set
-  in order to function in a cross-compiling environment.
-
-  Additionally, setting properties on tests is somewhat less convenient, since
-  the tests are not available at CMake time.  Additional test properties may be
-  assigned to the set of tests as a whole using the ``PROPERTIES`` option.  If
-  more fine-grained test control is needed, custom content may be provided
-  through an external CTest script using the :prop_dir:`TEST_INCLUDE_FILES`
-  directory property.  The set of discovered tests is made accessible to such a
-  script via the ``<target>_TESTS`` variable.
-
-  The options are:
-
-  ``target``
-    Specifies the Catch executable, which must be a known CMake executable
-    target.  CMake will substitute the location of the built executable when
-    running the test.
-
-  ``TEST_SPEC arg1...``
-    Specifies test cases, wildcarded test cases, tags and tag expressions to
-    pass to the Catch executable with the ``--list-test-names-only`` argument.
-
-  ``EXTRA_ARGS arg1...``
-    Any extra arguments to pass on the command line to each test case.
-
-  ``WORKING_DIRECTORY dir``
-    Specifies the directory in which to run the discovered test cases.  If this
-    option is not provided, the current binary directory is used.
-
-  ``TEST_PREFIX prefix``
-    Specifies a ``prefix`` to be prepended to the name of each discovered test
-    case.  This can be useful when the same test executable is being used in
-    multiple calls to ``catch_discover_tests()`` but with different
-    ``TEST_SPEC`` or ``EXTRA_ARGS``.
-
-  ``TEST_SUFFIX suffix``
-    Similar to ``TEST_PREFIX`` except the ``suffix`` is appended to the name of
-    every discovered test case.  Both ``TEST_PREFIX`` and ``TEST_SUFFIX`` may
-    be specified.
-
-  ``PROPERTIES name1 value1...``
-    Specifies additional properties to be set on all tests discovered by this
-    invocation of ``catch_discover_tests``.
-
-  ``TEST_LIST var``
-    Make the list of tests available in the variable ``var``, rather than the
-    default ``<target>_TESTS``.  This can be useful when the same test
-    executable is being used in multiple calls to ``catch_discover_tests()``.
-    Note that this variable is only available in CTest.
-
-#]=======================================================================]
-
-# ------------------------------------------------------------------------------
-function(catch_discover_tests TARGET)
-  cmake_parse_arguments("" "" "TEST_PREFIX;TEST_SUFFIX;WORKING_DIRECTORY;TEST_LIST" "TEST_SPEC;EXTRA_ARGS;PROPERTIES"
-                        ${ARGN})
-
-  if(NOT _WORKING_DIRECTORY)
-    set(_WORKING_DIRECTORY "${CMAKE_CURRENT_BINARY_DIR}")
-  endif()
-  if(NOT _TEST_LIST)
-    set(_TEST_LIST ${TARGET}_TESTS)
-  endif()
-
-  # Generate a unique name based on the extra arguments
-  string(SHA1 args_hash "${_TEST_SPEC} ${_EXTRA_ARGS}")
-  string(SUBSTRING ${args_hash} 0 7 args_hash)
-
-  # Define rule to generate test list for aforementioned test executable
-  set(ctest_include_file "${CMAKE_CURRENT_BINARY_DIR}/${TARGET}_include-${args_hash}.cmake")
-  set(ctest_tests_file "${CMAKE_CURRENT_BINARY_DIR}/${TARGET}_tests-${args_hash}.cmake")
-  get_property(
-    crosscompiling_emulator
-    TARGET ${TARGET}
-    PROPERTY CROSSCOMPILING_EMULATOR)
-  add_custom_command(
-    TARGET ${TARGET}
-    POST_BUILD
-    BYPRODUCTS "${ctest_tests_file}"
-    COMMAND
-      "${CMAKE_COMMAND}" -D "TEST_TARGET=${TARGET}" -D "TEST_EXECUTABLE=$<TARGET_FILE:${TARGET}>" -D
-      "TEST_EXECUTOR=${crosscompiling_emulator}" -D "TEST_WORKING_DIR=${_WORKING_DIRECTORY}" -D
-      "TEST_SPEC=${_TEST_SPEC}" -D "TEST_EXTRA_ARGS=${_EXTRA_ARGS}" -D "TEST_PROPERTIES=${_PROPERTIES}" -D
-      "TEST_PREFIX=${_TEST_PREFIX}" -D "TEST_SUFFIX=${_TEST_SUFFIX}" -D "TEST_LIST=${_TEST_LIST}" -D
-      "CTEST_FILE=${ctest_tests_file}" -P "${_CATCH_DISCOVER_TESTS_SCRIPT}"
-    VERBATIM)
-
-  file(
-    WRITE "${ctest_include_file}"
-    "if(EXISTS \"${ctest_tests_file}\")\n" "  include(\"${ctest_tests_file}\")\n" "else()\n"
-    "  add_test(${TARGET}_NOT_BUILT-${args_hash} ${TARGET}_NOT_BUILT-${args_hash})\n" "endif()\n")
-
-  if(NOT ${CMAKE_VERSION} VERSION_LESS "3.10.0")
-    # Add discovered tests to directory TEST_INCLUDE_FILES
-    set_property(
-      DIRECTORY
-      APPEND
-      PROPERTY TEST_INCLUDE_FILES "${ctest_include_file}")
-  else()
-    # Add discovered tests as directory TEST_INCLUDE_FILE if possible
-    get_property(
-      test_include_file_set
-      DIRECTORY
-      PROPERTY TEST_INCLUDE_FILE
-      SET)
-    if(NOT ${test_include_file_set})
-      set_property(DIRECTORY PROPERTY TEST_INCLUDE_FILE "${ctest_include_file}")
-    else()
-      message(FATAL_ERROR "Cannot set more than one TEST_INCLUDE_FILE")
-    endif()
-  endif()
-
-endfunction()
-
-# ######################################################################################################################
-
-set(_CATCH_DISCOVER_TESTS_SCRIPT ${CMAKE_CURRENT_LIST_DIR}/CatchAddTests.cmake)
--- a/cmake/modules/CatchAddTests.cmake
+++ b/cmake/modules/CatchAddTests.cmake
@@ -1,61 +0,0 @@
-# Distributed under the OSI-approved BSD 3-Clause License.  See accompanying file Copyright.txt or
-# https://cmake.org/licensing for details.
-
-set(prefix "${TEST_PREFIX}")
-set(suffix "${TEST_SUFFIX}")
-set(spec ${TEST_SPEC})
-set(extra_args ${TEST_EXTRA_ARGS})
-set(properties ${TEST_PROPERTIES})
-set(script)
-set(suite)
-set(tests)
-
-function(add_command NAME)
-  set(_args "")
-  foreach(_arg ${ARGN})
-    if(_arg MATCHES "[^-./:a-zA-Z0-9_]")
-      set(_args "${_args} [==[${_arg}]==]") # form a bracket_argument
-    else()
-      set(_args "${_args} ${_arg}")
-    endif()
-  endforeach()
-  set(script
-      "${script}${NAME}(${_args})\n"
-      PARENT_SCOPE)
-endfunction()
-
-# Run test executable to get list of available tests
-if(NOT EXISTS "${TEST_EXECUTABLE}")
-  message(FATAL_ERROR "Specified test executable '${TEST_EXECUTABLE}' does not exist")
-endif()
-execute_process(
-  COMMAND ${TEST_EXECUTOR} "${TEST_EXECUTABLE}" ${spec} --list-test-names-only
-  OUTPUT_VARIABLE output
-  RESULT_VARIABLE result)
-# Catch --list-test-names-only reports the number of tests, so 0 is... surprising
-if(${result} EQUAL 0)
-  message(WARNING "Test executable '${TEST_EXECUTABLE}' contains no tests!\n")
-elseif(${result} LESS 0)
-  message(FATAL_ERROR "Error running test executable '${TEST_EXECUTABLE}':\n" "  Result: ${result}\n"
-                      "  Output: ${output}\n")
-endif()
-
-string(REPLACE "\n" ";" output "${output}")
-
-# Parse output
-foreach(line ${output})
-  set(test ${line})
-  # use escape commas to handle properly test cases with commands inside the name
-  string(REPLACE "," "\\," test_name ${test})
-  # ...and add to script
-  add_command(add_test "${prefix}${test}${suffix}" ${TEST_EXECUTOR} "${TEST_EXECUTABLE}" "${test_name}" ${extra_args})
-  add_command(set_tests_properties "${prefix}${test}${suffix}" PROPERTIES WORKING_DIRECTORY "${TEST_WORKING_DIR}"
-              ${properties})
-  list(APPEND tests "${prefix}${test}${suffix}")
-endforeach()
-
-# Create a list of all discovered tests, which users may use to e.g. set properties on the tests
-add_command(set ${TEST_LIST} ${tests})
-
-# Write CTest script
-file(WRITE "${CTEST_FILE}" "${script}")
--- a/cmake/modules/DownloadCatch.cmake
+++ b/cmake/modules/DownloadCatch.cmake
@@ -1,27 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-include(ExternalProject)
-
-set(CATCH2_INCLUDE ${CMAKE_BINARY_DIR}/catch2-prefix/include)
-
-set(CATCH_EXTERNAL_URL URL https://github.com/catchorg/catch2/archive/v2.13.9.tar.gz URL_HASH
-                       SHA256=06dbc7620e3b96c2b69d57bf337028bf245a211b3cddb843835bfe258f427a52)
-
-ExternalProject_Add(
-  catch2
-  PREFIX ${CMAKE_BINARY_DIR}/catch2-prefix
-  ${CATCH_EXTERNAL_URL}
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  INSTALL_COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_BINARY_DIR}/catch2-prefix/src/catch2/single_include/catch2/catch.hpp
-                  ${CATCH2_INCLUDE}/catch.hpp)
--- a/cmake/modules/DownloadFakeIt.cmake
+++ b/cmake/modules/DownloadFakeIt.cmake
@@ -1,28 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-include(ExternalProject)
-
-set(FAKEIT_INCLUDE ${CMAKE_BINARY_DIR}/fakeit-prefix/include)
-
-set(FAKEIT_EXTERNAL_URL URL https://github.com/eranpeer/fakeit/archive/2.0.9.tar.gz URL_HASH
-                        SHA256=dc4ee7b17a84c959019b92c20fce6dc9426e9e170b6edf84db6cb2e188520cd7)
-
-ExternalProject_Add(
-  fakeit-external
-  PREFIX ${CMAKE_BINARY_DIR}/fakeit-prefix
-  ${FAKEIT_EXTERNAL_URL}
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  INSTALL_COMMAND
-    ${CMAKE_COMMAND} -E copy ${CMAKE_BINARY_DIR}/fakeit-prefix/src/fakeit-external/single_header/catch/fakeit.hpp
-    ${FAKEIT_INCLUDE}/fakeit.hpp)
--- a/cmake/modules/DownloadStringViewLite.cmake
+++ b/cmake/modules/DownloadStringViewLite.cmake
@@ -1,30 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-include(ExternalProject)
-
-set(STRING_VIEW_LITE_PREFIX ${CMAKE_BINARY_DIR}/string-view-lite-prefix)
-set(STRING_VIEW_LITE_INCLUDE ${STRING_VIEW_LITE_PREFIX}/include)
-message(STATUS "Using bundled string-view-lite in ${STRING_VIEW_LITE_INCLUDE}")
-
-ExternalProject_Add(
-  string-view-lite
-  PREFIX ${STRING_VIEW_LITE_PREFIX}
-  GIT_REPOSITORY "https://github.com/martinmoene/string-view-lite.git"
-  GIT_TAG "v1.4.0"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  UPDATE_COMMAND ""
-  INSTALL_COMMAND
-    ${CMAKE_COMMAND} -E copy ${STRING_VIEW_LITE_PREFIX}/src/string-view-lite/include/nonstd/string_view.hpp
-    ${STRING_VIEW_LITE_INCLUDE}/nonstd/string_view.hpp)
--- a/cmake/modules/FindMakedev.cmake
+++ b/cmake/modules/FindMakedev.cmake
@@ -1,31 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-# This module is used to understand where the makedev function is defined in the glibc in use. see 'man 3 makedev'
-# Usage: In your CMakeLists.txt include(FindMakedev)
-#
-# In your source code:
-#
-# #if HAVE_SYS_MKDEV_H #include <sys/mkdev.h> #endif #ifdef HAVE_SYS_SYSMACROS_H #include <sys/sysmacros.h> #endif
-#
-include(${CMAKE_ROOT}/Modules/CheckIncludeFile.cmake)
-
-check_include_file("sys/mkdev.h" HAVE_SYS_MKDEV_H)
-check_include_file("sys/sysmacros.h" HAVE_SYS_SYSMACROS_H)
-
-if(HAVE_SYS_MKDEV_H)
-  add_definitions(-DHAVE_SYS_MKDEV_H)
-endif()
-if(HAVE_SYS_SYSMACROS_H)
-  add_definitions(-DHAVE_SYS_SYSMACROS_H)
-endif()
--- a/cmake/modules/GetFalcoVersion.cmake
+++ b/cmake/modules/GetFalcoVersion.cmake
@@ -16,18 +16,39 @@ include(GetGitRevisionDescription)

 # Create the falco version variable according to git index
 if(NOT FALCO_VERSION)
-  string(STRIP "${FALCO_HASH}" FALCO_HASH)
  # Try to obtain the exact git tag
  git_get_exact_tag(FALCO_TAG)
  if(NOT FALCO_TAG)
-    # Obtain the closest tag
-    git_describe(FALCO_VERSION "--always" "--tags" "--abbrev=7")
-    # Fallback version
-    if(FALCO_VERSION MATCHES "NOTFOUND$")
-      set(FALCO_VERSION "0.0.0")
-    endif()
-    # Format FALCO_VERSION to be semver with prerelease and build part
-    string(REPLACE "-g" "+" FALCO_VERSION "${FALCO_VERSION}")
+      # Obtain the closest tag
+      git_describe(FALCO_VERSION "--always" "--tags" "--abbrev=7")
+      string(REGEX MATCH "^[0-9]+.[0-9]+.[0-9]+$" FALCO_TAG ${FALCO_VERSION})
+      if(FALCO_VERSION MATCHES "NOTFOUND$" OR FALCO_TAG STREQUAL "")
+        # Fetch current hash
+        get_git_head_revision(refspec FALCO_HASH)
+        if(NOT FALCO_HASH OR FALCO_HASH MATCHES "NOTFOUND$")
+          set(FALCO_VERSION "0.0.0")
+        else()
+          # Obtain the closest tag
+          git_get_latest_tag(FALCO_LATEST_TAG)
+          if(NOT FALCO_LATEST_TAG OR FALCO_LATEST_TAG MATCHES "NOTFOUND$")
+            set(FALCO_VERSION "0.0.0")
+          else()
+            # Compute commit delta since tag
+            git_get_delta_from_tag(FALCO_DELTA ${FALCO_LATEST_TAG} ${FALCO_HASH})
+            if(NOT FALCO_DELTA OR FALCO_DELTA MATCHES "NOTFOUND$")
+              set(FALCO_VERSION "0.0.0")
+            else()
+              # Cut hash to 7 bytes
+              string(SUBSTRING ${FALCO_HASH} 0 7 FALCO_HASH)
+              # Format FALCO_VERSION to be semver with prerelease and build part
+              set(FALCO_VERSION
+                    "${FALCO_LATEST_TAG}-${FALCO_DELTA}+${FALCO_HASH}")
+            endif()
+          endif()
+        endif()
+      endif()
+      # Format FALCO_VERSION to be semver with prerelease and build part
+      string(REPLACE "-g" "+" FALCO_VERSION "${FALCO_VERSION}")
  else()
    # A tag has been found: use it as the Falco version
    set(FALCO_VERSION "${FALCO_TAG}")
--- a/cmake/modules/GetGitRevisionDescription.cmake
+++ b/cmake/modules/GetGitRevisionDescription.cmake
@@ -86,29 +86,36 @@ function(get_git_head_revision _refspecvar _hashvar)
      PARENT_SCOPE)
 endfunction()

-function(git_describe _var)
+function(git_get_latest_tag _var)
  if(NOT GIT_FOUND)
    find_package(Git QUIET)
  endif()
-  get_git_head_revision(refspec hash)
-  if(NOT GIT_FOUND)
-    set(${_var}
-        "GIT-NOTFOUND"
-        PARENT_SCOPE)
-    return()
-  endif()
-  if(NOT hash)
-    set(${_var}
-        "HEAD-HASH-NOTFOUND"
-        PARENT_SCOPE)
+
+  # We use git describe --tags `git rev-list --tags --max-count=1`
+  execute_process(COMMAND
+          "${GIT_EXECUTABLE}"
+          rev-list
+          --tags
+          --max-count=1
+          WORKING_DIRECTORY
+          "${CMAKE_CURRENT_SOURCE_DIR}"
+          COMMAND tail -n1
+          RESULT_VARIABLE
+          res
+          OUTPUT_VARIABLE
+          tag_hash
+          ERROR_QUIET
+          OUTPUT_STRIP_TRAILING_WHITESPACE)
+  if(NOT res EQUAL 0)
+    set(out "${tag_hash}-${res}-NOTFOUND" PARENT_SCOPE)
    return()
  endif()

  execute_process(COMMAND
    "${GIT_EXECUTABLE}"
    describe
-    ${hash}
-    ${ARGN}
+    --tags
+    ${tag_hash}
    WORKING_DIRECTORY
    "${CMAKE_CURRENT_SOURCE_DIR}"
    RESULT_VARIABLE
@@ -120,10 +127,108 @@ function(git_describe _var)
  if(NOT res EQUAL 0)
    set(out "${out}-${res}-NOTFOUND")
  endif()
+  set(${_var} "${out}" PARENT_SCOPE)
+endfunction()
+
+function(git_get_delta_from_tag _var tag hash)
+  if(NOT GIT_FOUND)
+    find_package(Git QUIET)
+  endif()
+
+  # Count commits in HEAD
+  execute_process(COMMAND
+    "${GIT_EXECUTABLE}"
+    rev-list
+    --count
+    ${hash}
+    WORKING_DIRECTORY
+    "${CMAKE_CURRENT_SOURCE_DIR}"
+    RESULT_VARIABLE
+    res
+    OUTPUT_VARIABLE
+    out_counter_head
+    ERROR_QUIET
+    OUTPUT_STRIP_TRAILING_WHITESPACE)
+  if(NOT res EQUAL 0)
+    set(${_var} "HEADCOUNT-NOTFOUND" PARENT_SCOPE)
+    return()
+  endif()
+
+  # Count commits in latest tag
+  execute_process(COMMAND
+    "${GIT_EXECUTABLE}"
+    rev-list
+    --count
+    ${tag}
+    WORKING_DIRECTORY
+    "${CMAKE_CURRENT_SOURCE_DIR}"
+    RESULT_VARIABLE
+    res
+    OUTPUT_VARIABLE
+    out_counter_tag
+    ERROR_QUIET
+    OUTPUT_STRIP_TRAILING_WHITESPACE)
+  if(NOT res EQUAL 0)
+    set(${_var} "TAGCOUNT-NOTFOUND" PARENT_SCOPE)
+    return()
+  endif()
+
+  execute_process(COMMAND
+    expr
+    ${out_counter_head} - ${out_counter_tag}
+    WORKING_DIRECTORY
+    "${CMAKE_CURRENT_SOURCE_DIR}"
+    RESULT_VARIABLE
+    res
+    OUTPUT_VARIABLE
+    out_delta
+    ERROR_QUIET
+    OUTPUT_STRIP_TRAILING_WHITESPACE)
+  if(NOT res EQUAL 0)
+    set(${_var} "DELTA-NOTFOUND" PARENT_SCOPE)
+    return()
+  endif()
+  set(${_var} "${out_delta}" PARENT_SCOPE)
+endfunction()
+
+function(git_describe _var)
+  if(NOT GIT_FOUND)
+    find_package(Git QUIET)
+  endif()
+  get_git_head_revision(refspec hash)
+  if(NOT GIT_FOUND)
+    set(${_var}
+            "GIT-NOTFOUND"
+            PARENT_SCOPE)
+    return()
+  endif()
+  if(NOT hash)
+    set(${_var}
+            "HEAD-HASH-NOTFOUND"
+            PARENT_SCOPE)
+    return()
+  endif()
+
+  execute_process(COMMAND
+          "${GIT_EXECUTABLE}"
+          describe
+          ${hash}
+          ${ARGN}
+          WORKING_DIRECTORY
+          "${CMAKE_CURRENT_SOURCE_DIR}"
+          RESULT_VARIABLE
+          res
+          OUTPUT_VARIABLE
+          out
+          ERROR_QUIET
+          OUTPUT_STRIP_TRAILING_WHITESPACE)
+  if(NOT res EQUAL 0)
+    set(out "${out}-${res}-NOTFOUND")
+  endif()

  set(${_var}
-      "${out}"
-      PARENT_SCOPE)
+          "${out}"
+          PARENT_SCOPE)
 endfunction()

 function(git_get_exact_tag _var)
--- a/cmake/modules/cpp-httplib.cmake
+++ b/cmake/modules/cpp-httplib.cmake
@@ -24,8 +24,8 @@ else()

 	ExternalProject_Add(cpp-httplib
 		PREFIX "${PROJECT_BINARY_DIR}/cpp-httplib-prefix"
-		URL "https://github.com/yhirose/cpp-httplib/archive/refs/tags/v0.10.4.tar.gz"
-		URL_HASH "SHA256=7719ff9f309c807dd8a574048764836b6a12bcb7d6ae9e129e7e4289cfdb4bd4"
+		URL "https://github.com/yhirose/cpp-httplib/archive/refs/tags/v0.11.3.tar.gz"
+		URL_HASH "SHA256=799b2daa0441d207f6cd1179ae3a34869722084a434da6614978be1682c1e12d"
 		CONFIGURE_COMMAND ""
 		BUILD_COMMAND ""
 		INSTALL_COMMAND "")	
--- a/cmake/modules/driver.cmake
+++ b/cmake/modules/driver.cmake
@@ -26,8 +26,8 @@ else()
  # In case you want to test against another driver version (or branch, or commit) just pass the variable -
  # ie., `cmake -DDRIVER_VERSION=dev ..`
  if(NOT DRIVER_VERSION)
-    set(DRIVER_VERSION "3.0.1+driver")
-    set(DRIVER_CHECKSUM "SHA256=f50003043c804aa21990560de02db42e203ee09d050112a4a5dd2b05f22a8a6c")
+    set(DRIVER_VERSION "79f9664cde383950bc084ca1d4230afe79509242")
+    # set(DRIVER_CHECKSUM "SHA256=4d390bdde2c061491cb73d5703a2e0db7bd681a4738b4a9e50252fff3628dd29")
  endif()

  # cd /path/to/build && cmake /path/to/source
--- a/cmake/modules/falcoctl.cmake
+++ b/cmake/modules/falcoctl.cmake
@@ -0,0 +1,36 @@
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+include(ExternalProject)
+
+string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} FALCOCTL_SYSTEM_NAME)
+
+set(FALCOCTL_VERSION "0.4.0")
+
+if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+    set(FALCOCTL_SYSTEM_PROC_GO "amd64")
+    set(FALCOCTL_HASH "13c88e612efe955bc014918a7af30bae28dc5ba99b2962af57e36b1b87f527f9")
+else() # aarch64
+    set(FALCOCTL_SYSTEM_PROC_GO "arm64")
+    set(FALCOCTL_HASH "0f8898853e99a2cd1b4dd6b161e8545cf20ce0e3ce79cddc539f6002257d5de5")
+endif()
+
+ExternalProject_Add(
+        falcoctl
+        URL "https://github.com/falcosecurity/falcoctl/releases/download/v${FALCOCTL_VERSION}/falcoctl_${FALCOCTL_VERSION}_${FALCOCTL_SYSTEM_NAME}_${FALCOCTL_SYSTEM_PROC_GO}.tar.gz"
+        URL_HASH "SHA256=${FALCOCTL_HASH}"
+        CONFIGURE_COMMAND ""
+        BUILD_COMMAND ""
+        INSTALL_COMMAND "")
+
+install(PROGRAMS "${PROJECT_BINARY_DIR}/falcoctl-prefix/src/falcoctl/falcoctl" DESTINATION "${FALCO_BIN_DIR}" COMPONENT "${FALCO_COMPONENT_NAME}")
--- a/cmake/modules/falcosecurity-libs.cmake
+++ b/cmake/modules/falcosecurity-libs.cmake
@@ -27,8 +27,8 @@ else()
  # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
  # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..`
  if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "0.9.0")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=5319a1b6a72eba3d9524cf084be5fc2ed81e3e90b3bee8edbe58b8646af0cbcb")
+    set(FALCOSECURITY_LIBS_VERSION "79f9664cde383950bc084ca1d4230afe79509242")
+    # set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=4d390bdde2c061491cb73d5703a2e0db7bd681a4738b4a9e50252fff3628dd29")
  endif()

  # cd /path/to/build && cmake /path/to/source
--- a/cmake/modules/njson.cmake
+++ b/cmake/modules/njson.cmake
@@ -0,0 +1,34 @@
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+#
+# nlohmann-json
+#
+if(NJSON_INCLUDE)
+    # Adding the custom target we can use it with `add_dependencies()`
+    if(NOT TARGET njson)
+        add_custom_target(njson)
+    endif()
+else()
+    # We always use the bundled version
+    set(NJSON_SRC "${PROJECT_BINARY_DIR}/njson-prefix/src/njson")
+    set(NJSON_INCLUDE "${NJSON_SRC}/single_include")
+    ExternalProject_Add(
+        njson
+        URL "https://github.com/nlohmann/json/archive/v3.3.0.tar.gz"
+        URL_HASH "SHA256=2fd1d207b4669a7843296c41d3b6ac5b23d00dec48dba507ba051d14564aa801"
+        CONFIGURE_COMMAND ""
+        BUILD_COMMAND ""
+        INSTALL_COMMAND "")
+    message(STATUS "Using bundled nlohmann-json in '${NJSON_SRC}'")
+endif()
--- a/cmake/modules/plugins.cmake
+++ b/cmake/modules/plugins.cmake
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -19,11 +19,11 @@ if(NOT DEFINED PLUGINS_COMPONENT_NAME)
    set(PLUGINS_COMPONENT_NAME "${CMAKE_PROJECT_NAME}-plugins")
 endif()

-set(PLUGIN_K8S_AUDIT_VERSION "0.4.0")
+set(PLUGIN_K8S_AUDIT_VERSION "0.5.0")
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-    set(PLUGIN_K8S_AUDIT_HASH "ded0b5419f40084547620ccc48b19768e5e89457b85cfe8fbe496ca72267a3a4")
+    set(PLUGIN_K8S_AUDIT_HASH "c4abb288df018940be8e548340a74d39623b69142304e01523ea189bc698bc80")
 else() # aarch64
-    set(PLUGIN_K8S_AUDIT_HASH "775cba666612114bc5b0c36f2e3c4557f5adbffcca2d77e72be87c6fcbf51ceb")
+    set(PLUGIN_K8S_AUDIT_HASH "3bcc849d9f95a3fa519b4592d0947149e492b530fb935a3f98f098e234b7baa7")
 endif()

 ExternalProject_Add(
@@ -39,18 +39,18 @@ install(FILES "${PROJECT_BINARY_DIR}/k8saudit-plugin-prefix/src/k8saudit-plugin/
 ExternalProject_Add(
  k8saudit-rules
  URL "https://download.falco.org/plugins/stable/k8saudit-rules-${PLUGIN_K8S_AUDIT_VERSION}.tar.gz"
-  URL_HASH "SHA256=53948fac0345e718d673142a992ac820135f771141dfaa9719c7575ac8ae6878"
+  URL_HASH "SHA256=4383c69ba0ad63a127667c05618c37effc5297e6a7e68a1492acb0e48386540e"
  CONFIGURE_COMMAND ""
  BUILD_COMMAND ""
  INSTALL_COMMAND "")

 install(FILES "${PROJECT_BINARY_DIR}/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")

-set(PLUGIN_CLOUDTRAIL_VERSION "0.6.0")
+set(PLUGIN_CLOUDTRAIL_VERSION "0.7.0")
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-    set(PLUGIN_CLOUDTRAIL_HASH "80e0c33f30c01a90efb7e9a671d978ff9679c462e3105020238abf31230e49a9")
+    set(PLUGIN_CLOUDTRAIL_HASH "85d94d8f5915804d5a30ff2f056e51de27d537f1fd1115050b4f4be6d32588cf")
 else() # aarch64
-    set(PLUGIN_CLOUDTRAIL_HASH "a3e739932e66d44be848a68857fa15f56134d5246a1b9ab912c81f91b68fb23f")
+    set(PLUGIN_CLOUDTRAIL_HASH "61ae471ee41e76680da9ab66f583d1ec43a2e48fbad8c157caecef56e4aa5fb7")
 endif()

 ExternalProject_Add(
@@ -66,7 +66,7 @@ install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-plugin-prefix/src/cloudtrail-plu
 ExternalProject_Add(
  cloudtrail-rules
  URL "https://download.falco.org/plugins/stable/cloudtrail-rules-${PLUGIN_CLOUDTRAIL_VERSION}.tar.gz"
-  URL_HASH "SHA256=e0dccb7b0f1d24b1e526a33ffd973ea5f2ac2879dbc999e119419ebfd24305ff"
+  URL_HASH "SHA256=c805be29ddc14fbffa29f7d6ee4f7e968a3bdb42da5f5483e5e6de273e8850c8"
  CONFIGURE_COMMAND ""
  BUILD_COMMAND ""
  INSTALL_COMMAND "")
--- a/cmake/modules/rules.cmake
+++ b/cmake/modules/rules.cmake
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -11,8 +11,26 @@
 # specific language governing permissions and limitations under the License.
 #

-# GNU standard installation directories' definitions
 include(GNUInstallDirs)
+include(ExternalProject)
+
+# falco_rules.yaml
+set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-0.1.0")
+set(FALCOSECURITY_RULES_FALCO_CHECKSUM "SHA256=0d3705a4650f09d10e7831b16e7af59c1da34ff19e788896e9ee77010014db4d")
+set(FALCOSECURITY_RULES_FALCO_PATH "${PROJECT_BINARY_DIR}/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml")
+ExternalProject_Add(
+  falcosecurity-rules-falco
+  URL "https://download.falco.org/rules/${FALCOSECURITY_RULES_FALCO_VERSION}.tar.gz"
+  URL_HASH "${FALCOSECURITY_RULES_FALCO_CHECKSUM}"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND ""
+  TEST_COMMAND ""
+)
+
+# falco_rules.local.yaml
+set(FALCOSECURITY_RULES_LOCAL_PATH "${PROJECT_BINARY_DIR}/falcosecurity-rules-local-prefix/falco_rules.local.yaml")
+file(WRITE "${FALCOSECURITY_RULES_LOCAL_PATH}" "# Your custom rules!\n")

 if(NOT DEFINED FALCO_ETC_DIR)
  set(FALCO_ETC_DIR "${CMAKE_INSTALL_FULL_SYSCONFDIR}/falco")
@@ -21,40 +39,32 @@ endif()
 if(NOT DEFINED FALCO_RULES_DEST_FILENAME)
  set(FALCO_RULES_DEST_FILENAME "falco_rules.yaml")
  set(FALCO_LOCAL_RULES_DEST_FILENAME "falco_rules.local.yaml")
-  set(FALCO_APP_RULES_DEST_FILENAME "application_rules.yaml")
 endif()

-
 if(DEFINED FALCO_COMPONENT) # Allow a slim version of Falco to be embedded in other projects, intentionally *not* installing all rulesets.
  install(
-    FILES falco_rules.yaml
+    FILES "${FALCOSECURITY_RULES_FALCO_PATH}"
    COMPONENT "${FALCO_COMPONENT}"
    DESTINATION "${FALCO_ETC_DIR}"
    RENAME "${FALCO_RULES_DEST_FILENAME}")

  install(
-    FILES falco_rules.local.yaml
+    FILES "${FALCOSECURITY_RULES_LOCAL_PATH}"
    COMPONENT "${FALCO_COMPONENT}"
    DESTINATION "${FALCO_ETC_DIR}"
    RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}")
 else() # Default Falco installation
  install(
-    FILES falco_rules.yaml
+    FILES "${FALCOSECURITY_RULES_FALCO_PATH}"
    DESTINATION "${FALCO_ETC_DIR}"
    RENAME "${FALCO_RULES_DEST_FILENAME}"
    COMPONENT "${FALCO_COMPONENT_NAME}")

  install(
-    FILES falco_rules.local.yaml
+    FILES "${FALCOSECURITY_RULES_LOCAL_PATH}"
    DESTINATION "${FALCO_ETC_DIR}"
    RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}"
    COMPONENT "${FALCO_COMPONENT_NAME}")

-  install(
-    FILES application_rules.yaml
-    DESTINATION "${FALCO_ETC_DIR}/rules.available"
-    RENAME "${FALCO_APP_RULES_DEST_FILENAME}"
-    COMPONENT "${FALCO_COMPONENT_NAME}")
-
  install(DIRECTORY DESTINATION "${FALCO_ETC_DIR}/rules.d" COMPONENT "${FALCO_COMPONENT_NAME}")
 endif()
--- a/cmake/modules/yaml-cpp.cmake
+++ b/cmake/modules/yaml-cpp.cmake
@@ -19,6 +19,7 @@ if(NOT USE_BUNDLED_DEPS)
  else()
    message(FATAL_ERROR "Couldn't find system yamlcpp")
  endif()
+  add_custom_target(yamlcpp)
 else()
  set(YAMLCPP_SRC "${PROJECT_BINARY_DIR}/yamlcpp-prefix/src/yamlcpp")
  message(STATUS "Using bundled yaml-cpp in '${YAMLCPP_SRC}'")
--- a/docker/builder/Dockerfile
+++ b/docker/builder/Dockerfile
@@ -22,7 +22,7 @@ ENV CMAKE_VERSION=${CMAKE_VERSION}

 # build toolchain
 RUN yum -y install centos-release-scl && \
-    INSTALL_PKGS="devtoolset-7-gcc devtoolset-7-gcc-c++ devtoolset-7-toolchain devtoolset-7-libstdc++-devel devtoolset-7-elfutils-libelf-devel llvm-toolset-7.0 glibc-static autoconf automake libtool createrepo expect git which libcurl-devel zlib-devel rpm-build libyaml-devel" && \
+    INSTALL_PKGS="devtoolset-7-gcc devtoolset-7-gcc-c++ devtoolset-7-toolchain devtoolset-7-libstdc++-devel llvm-toolset-7.0 glibc-static autoconf automake libtool createrepo expect git which libcurl-devel rpm-build libyaml-devel" && \
    yum -y install --setopt=tsflags=nodocs $INSTALL_PKGS && \
    rpm -V $INSTALL_PKGS

--- a/docker/builder/README.md
+++ b/docker/builder/README.md
@@ -0,0 +1,8 @@
+# Builder folder
+
+* We use `Dockerfile` to build the `centos7` Falco builder image.
+* We use `modern-falco-builder.Dockerfile` to build Falco with the modern probe and return it as a Dockerfile output. This Dockerfile doesn't generate a Docker image but returns as output (through the `--output` command):
+  * Falco `tar.gz`.
+  * Falco `deb` package.
+  * Falco `rpm` package.
+  * Falco build directory, used by other CI jobs.
--- a/docker/builder/modern-falco-builder.Dockerfile
+++ b/docker/builder/modern-falco-builder.Dockerfile
@@ -0,0 +1,60 @@
+
+FROM centos:7 AS build-stage
+
+# To build Falco you need to pass the cmake option
+ARG CMAKE_OPTIONS=""
+ARG MAKE_JOBS=6
+
+# Install all the dependencies
+WORKDIR /
+
+RUN yum -y install centos-release-scl; \
+    yum -y install devtoolset-9-gcc devtoolset-9-gcc-c++; \
+    source scl_source enable devtoolset-9; \
+    yum install -y git wget make m4 rpm-build
+
+# With some previous cmake versions it fails when downloading `zlib` with curl in the libs building phase
+RUN curl -L -o /tmp/cmake.tar.gz https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5-linux-$(uname -m).tar.gz; \
+    gzip -d /tmp/cmake.tar.gz; \
+    tar -xpf /tmp/cmake.tar --directory=/tmp; \
+    cp -R /tmp/cmake-3.22.5-linux-$(uname -m)/* /usr; \
+    rm -rf /tmp/cmake-3.22.5-linux-$(uname -m)/
+
+# Copy Falco folder from the build context
+COPY . /source
+WORKDIR /build/release
+
+RUN source scl_source enable devtoolset-9; \
+    cmake ${CMAKE_OPTIONS} /source; \
+    make falco -j${MAKE_JOBS}
+RUN make package
+
+# We need `make all` for integration tests.
+RUN make all -j${MAKE_JOBS}
+
+FROM scratch AS export-stage
+
+ARG DEST_BUILD_DIR="/build"
+
+COPY --from=build-stage /build/release/falco-*.tar.gz /packages/
+COPY --from=build-stage /build/release/falco-*.deb /packages/
+COPY --from=build-stage /build/release/falco-*.rpm /packages/
+
+# This is what we need for integration tests. We don't export all the build directory
+# outside the container since its size is almost 6 GB, we export only what is strictly necessary
+# for integration tests.
+# This is just a workaround to fix the CI build until we replace our actual testing framework.
+COPY --from=build-stage /build/release/cloudtrail-plugin-prefix ${DEST_BUILD_DIR}/cloudtrail-plugin-prefix
+COPY --from=build-stage /build/release/cloudtrail-rules-prefix ${DEST_BUILD_DIR}/cloudtrail-rules-prefix
+COPY --from=build-stage /build/release/falcosecurity-rules-falco-prefix ${DEST_BUILD_DIR}/falcosecurity-rules-falco-prefix
+COPY --from=build-stage /build/release/falcosecurity-rules-local-prefix ${DEST_BUILD_DIR}/falcosecurity-rules-local-prefix
+COPY --from=build-stage /build/release/json-plugin-prefix ${DEST_BUILD_DIR}/json-plugin-prefix
+COPY --from=build-stage /build/release/k8saudit-plugin-prefix ${DEST_BUILD_DIR}/k8saudit-plugin-prefix
+COPY --from=build-stage /build/release/k8saudit-rules-prefix ${DEST_BUILD_DIR}/k8saudit-rules-prefix
+COPY --from=build-stage /build/release/scripts ${DEST_BUILD_DIR}/scripts
+COPY --from=build-stage /build/release/test ${DEST_BUILD_DIR}/test
+COPY --from=build-stage /build/release/userspace/falco/falco ${DEST_BUILD_DIR}/userspace/falco/falco
+COPY --from=build-stage /build/release/userspace/falco/config_falco.h ${DEST_BUILD_DIR}/userspace/falco/config_falco.h
+COPY --from=build-stage /build/release/falco-*.tar.gz ${DEST_BUILD_DIR}/
+COPY --from=build-stage /build/release/falco-*.deb ${DEST_BUILD_DIR}/
+COPY --from=build-stage /build/release/falco-*.rpm ${DEST_BUILD_DIR}/
--- a/docker/falco/Dockerfile
+++ b/docker/falco/Dockerfile
@@ -88,7 +88,7 @@ RUN rm -rf /usr/bin/clang \
 	&& ln -s /usr/bin/clang-7 /usr/bin/clang \
 	&& ln -s /usr/bin/llc-7 /usr/bin/llc

-RUN curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add - \
+RUN curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - \
 	&& echo "deb https://download.falco.org/packages/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
 	&& apt-get update -y \
 	&& if [ "$FALCO_VERSION" = "latest" ]; then apt-get install -y --no-install-recommends falco; else apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
--- a/docker/no-driver/Dockerfile
+++ b/docker/no-driver/Dockerfile
@@ -6,7 +6,7 @@ ARG VERSION_BUCKET=bin
 ENV FALCO_VERSION=${FALCO_VERSION}
 ENV VERSION_BUCKET=${VERSION_BUCKET}

-RUN apt-get -y update && apt-get -y install gridsite-clients curl
+RUN apt-get -y update && apt-get -y install gridsite-clients curl ca-certificates

 WORKDIR /

@@ -27,6 +27,8 @@ LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
 # NOTE: for the "least privileged" use case, please refer to the official documentation

+RUN apt-get -y update && apt-get -y install ca-certificates
+
 ENV HOST_ROOT /host
 ENV HOME /root

--- a/docker/tester/Dockerfile
+++ b/docker/tester/Dockerfile
@@ -15,7 +15,7 @@ RUN if [ "$TARGETARCH" = "amd64" ] ; then curl -L -o grpcurl.tar.gz \
    https://github.com/fullstorydev/grpcurl/releases/download/v1.8.6/grpcurl_1.8.6_linux_arm64.tar.gz; \
    fi;

-RUN dnf install -y python-pip python docker findutils jq unzip && dnf clean all
+RUN dnf install -y python-pip python docker findutils jq unzip sed curl && dnf clean all
 ENV PATH="/root/.local/bin/:${PATH}"
 RUN pip install --user avocado-framework==69.0
 RUN pip install --user avocado-framework-plugin-varianter-yaml-to-mux==69.0
--- a/falco.yaml
+++ b/falco.yaml
@@ -150,6 +150,7 @@ syscall_event_drops:
    - alert
  rate: .03333
  max_burst: 1
+  simulate_drops: false

 # Falco uses a shared buffer between the kernel and userspace to receive
 # the events (eg., system call information) in userspace.
@@ -169,6 +170,13 @@ syscall_event_drops:
 syscall_event_timeouts:
  max_consecutives: 1000

+# Enabling this option allows Falco to drop failed syscalls exit events
+# in the kernel driver before the event is pushed onto the ring buffer.
+# This can enable some small optimization both in CPU usage and ring buffer usage,
+# possibly leading to lower number of event losses.
+# Be careful: enabling it also means losing a bit of visibility on the system.
+syscall_drop_failed_exit: false
+
 # --- [Description]
 #
 # This is an index that controls the dimension of the syscall buffers.
@@ -224,6 +232,73 @@ syscall_event_timeouts:

 syscall_buf_size_preset: 4

+############## [EXPERIMENTAL] Modern BPF probe specific ##############
+# Please note: these configs regard only the modern BPF probe. They
+# are experimental so they could change over releases.
+#
+# `cpus_for_each_syscall_buffer`
+#
+# --- [Description]
+#
+# This is an index that controls how many CPUs you want to assign to a single
+# syscall buffer (ring buffer). By default, every syscall buffer is associated to
+# 2 CPUs, so the mapping is 1:2. The modern BPF probe allows you to choose different
+# mappings, for example, 1:1 would mean a syscall buffer for each CPU.
+#
+# --- [Usage]
+#
+# You can choose between different indexes: from `0` to `MAX_NUMBER_ONLINE_CPUs`.
+# `0` is a special value and it means a single syscall buffer shared between all
+# your online CPUs. `0` has the same effect as `MAX_NUMBER_ONLINE_CPUs`, the rationale
+# is that `0` allows you to create a single buffer without knowing the number of online
+# CPUs on your system.
+# Let's consider an example to better understand it:
+#
+# Consider a system with 7 online CPUs:
+#
+#          CPUs     0  X  2  3  X  X  6  7  8  9   (X means offline CPU)
+#
+# - `1` means a syscall buffer for each CPU so 7 buffers
+#
+#          CPUs     0  X  2  3  X  X  6  7  8  9   (X means offline CPU)
+#                   |     |  |        |  |  |  |
+#       BUFFERs     0     1  2        3  4  5  6
+#
+# - `2` (Default value) means a syscall buffer for each CPU pair, so 4 buffers
+#
+#          CPUs     0  X  2  3  X  X  6  7  8  9   (X means offline CPU)
+#                   |     |  |        |  |  |  |
+#       BUFFERs     0     0  1        1  2  2  3
+#
+# Please note that we need 4 buffers, 3 buffers are associated with CPU pairs, the last
+# one is mapped with just 1 CPU since we have an odd number of CPUs.
+#
+# - `0` or `MAX_NUMBER_ONLINE_CPUs` mean a syscall buffer shared between all CPUs, so 1 buffer
+#
+#          CPUs     0  X  2  3  X  X  6  7  8  9   (X means offline CPU)
+#                   |     |  |        |  |  |  |
+#       BUFFERs     0     0  0        0  0  0  0
+#
+# Moreover you can combine this param with `syscall_buf_size_preset`
+# index, for example, you could create a huge single syscall buffer
+# shared between all your online CPUs of 512 MB (so `syscall_buf_size_preset=10`).
+#
+# --- [Suggestions]
+#
+# We chose index `2` (so one syscall buffer for each CPU pair) as default because the modern bpf probe
+# follows a different memory allocation strategy with respect to the other 2 drivers (bpf and kernel module).
+# By the way, you are free to find the preferred configuration for your system.
+# Considering a fixed `syscall_buf_size_preset` and so a fixed buffer dimension:
+# - a lower number of buffers can speed up your system (lower memory footprint)
+# - a too lower number of buffers could increase contention in the kernel causing an
+#   overall slowdown of the system.
+# If you don't have huge events throughputs and you are not experimenting with tons of drops
+# you can try to reduce the number of buffers to have a lower memory footprint
+
+modern_bpf:
+  cpus_for_each_syscall_buffer: 2
+############## [EXPERIMENTAL] Modern BPF probe specific ##############
+
 # Falco continuously monitors outputs performance. When an output channel does not allow
 # to deliver an alert within a given deadline, an error is reported indicating
 # which output is blocking notifications.
@@ -282,10 +357,17 @@ file_output:
 stdout_output:
  enabled: true

-# Falco contains an embedded webserver that is used to implement an health
-# endpoint for checking if Falco is up and running. These config options control
-# the behavior of that webserver. By default, the webserver is enabled and
-# the endpoint is /healthz.
+# Falco supports an embedded webserver and exposes the following endpoints:
+# - /healthz: health endpoint useful for checking if Falco is up and running
+#   (the endpoint name is configurable).
+# - /versions: responds with a JSON object containing version numbers of the
+#   internal Falco components (similar output as `falco --version -o json_output=true`).
+# 
+# # NOTE: the /versions endpoint is useful to other services (such as falcoctl)
+# to retrieve info about a running Falco instance. Make sure the webserver is
+# enabled if you're using falcoctl either locally or with Kubernetes.
+# 
+# The following options control the behavior of that webserver (enabled by default).
 #
 # The ssl_certificate is a combination SSL Certificate and corresponding
 # key contained in a single file. You can generate a key/cert as follows:
@@ -326,6 +408,15 @@ http_output:
  enabled: false
  url: http://some.url
  user_agent: "falcosecurity/falco"
+  # Tell Falco to not verify the remote server.
+  insecure: false
+  # Path to the CA certificate that can verify the remote server. 
+  ca_cert: ""
+  # Path to a specific file that will be used as the CA certificate store.
+  ca_bundle: ""
+  # Path to a folder that will be used as the CA certificate store. CA certificate need to be
+  # stored as indivitual PEM files in this directory.
+  ca_path: "/etc/ssl/certs"

 # Falco supports running a gRPC server with two main binding types
 # 1. Over the network with mandatory mutual TLS authentication (mTLS)
@@ -367,3 +458,89 @@ metadata_download:
  max_mb: 100
  chunk_wait_us: 1000
  watch_freq_sec: 1
+
+
+# base_syscalls ! Use with caution, read carefully !
+#
+# --- [Description]
+#
+# With this option you are in full control of the set of syscalls that
+# Falco will enable in the kernel for active tracing.
+
+# All syscalls and events from each enabled Falco rule are activated
+# even when choosing this option. This option allows you to define a
+# set of base syscalls that will be activated in addition to the
+# syscalls defined in the rules.
+#
+# You may ask yourself why do we need to activate syscalls in addition to the rules?
+#
+# Falco requires a set of syscalls to build up state in userspace. This is because for
+# example when spawning a new process or creating a network connection more than one syscall
+# is involved. Furthermore, properties of a process during its life time can be modified
+# by syscalls. Falco takes care of this by activating more syscalls than the ones defined
+# in the rules and by managing a smart process cache table in userspace.
+# Processes are purged when a process exits.
+#
+# Looking back to what this option does, it activates all syscalls from the rules
+# (including resolved macros) and the ones specified here.
+#
+# This puts the end user in the driver seat to tell Falco what it needs, but if not used correctly
+# Falco logs may be incomplete or wrong or Falco won't work at all. This option however can be
+# very useful to lower CPU utilization and allowing you to tailor Falco to specific environments
+# according to your organization's threat model and cost budget.
+#
+# !!! When NOT using this option, Falco defaults to adding a static (more verbose) set of syscalls
+# in addition to the rules system calls Falco needs for its state engine build-up and life-cycle management.
+#
+# `base_syscalls.repair` is an experimental alternative to Falco's default state engine enforcement.
+# `base_syscalls.repair` is designed to be the most resourceful option to ensure Falco runs correctly
+# while activating a most minimal set of additional syscalls. The recommendations listed in the suggestions
+# section is effectively what `base_syscalls.repair` is doing in an automated manner. `base_syscalls.repair`
+# can be used with an empty custom set.
+#
+# --- [Usage]
+#
+# List of system calls names (<syscall-name>) plus negative ("!<syscall-name>") notation supported.
+#
+# base_syscalls.repair: <bool>
+# base_syscalls.custom_set: [<syscall-name>, <syscall-name>, "!<syscall-name>"]
+#
+#
+# --- [Suggestions]
+#
+# Here are a few recommendations that may help you.
+# Setting `base_syscalls.repair: true` automates these recommendations for you.
+#
+# Consider to at minimum add the following syscalls regardless of the syscalls used in the rules.
+#
+# [clone, clone3, fork, vfork, execve, execveat, close]
+#
+# This is because some Falco fields for an execve* system call are retrieved
+# from the associated `clone`, `clone3`, `fork`, `vfork` syscall when spawning a
+# new process. The `close` system call is used to purge file descriptors from Falco's
+# internal thread / process cache table and should always be added when you have
+# rules around file descriptors.
+# (e.g. open, openat, openat2, socket, connect, accept, accept4 ... and many more)
+#
+# When network syscalls are used in rules we recommend to at minimum set
+#
+# [clone, clone3, fork, vfork, execve, execveat, close, socket, bind, getsockopt]
+#
+# It turns out that while you can log `connect` or `accept*` syscalls without the
+# socket system call, the log however would not contain the ip tuples.
+# For `listen` and `accept*` system calls you also need the `bind` system call.
+#
+# Lastly, if you care about the correct `uid`, `gid` or `sid`, `pgid` of a process when the
+# running process opens a file or makes a network connection, consider adding the following syscalls:
+#
+# setresuid, setsid, setuid, setgid, setpgid, setresgid, setsid, capset, chdir, chroot, fchdir
+#
+# We recommend to only exclude syscalls, e.g. "!mprotect" if you need a fast deployment update
+# (overriding rules), else remove unwanted syscalls from the Falco rules.
+#
+# Passing `-o "log_level=debug"` to Falco's cmd args during a dry-run will print the
+# final set of syscalls to STDOUT.
+
+base_syscalls:
+  repair: false
+  custom_set: []
--- a/proposals/20221129-artifacts-distribution.md
+++ b/proposals/20221129-artifacts-distribution.md
@@ -0,0 +1,173 @@
+# Artifacts distribution
+
+This proposal aims to define guidelines for the official distribution of artifacts published by Falcosecurity. 
+
+Therefore, to create a unified management of the distribution of artifacts, this document supersedes (for the parts concerning the distributions of artifacts) proposals [Falco Artifacts Scope - Part 1](https://github.com/falcosecurity/falco/blob/master/proposals/20200506-artifacts-scope-part-1.md), [Falco Artifacts Scope - Part 2](https://github.com/falcosecurity/falco/blob/master/proposals/20200506-artifacts-scope-part-2.md), and [Falco Drivers Storage S3](https://github.com/falcosecurity/falco/blob/master/proposals/20201025-drivers-storage-s3.md) and also extends and generalizes the proposal [Falco Rules and Plugin distribution](https://github.com/falcosecurity/falcoctl/blob/main/proposals/20220916-rules-and-plugin-distribution.md) for [falcoctl](https://github.com/falcosecurity/falcoctl).
+
+## Goals
+
+- Allow users to consume artifacts in a consistent way
+- Define official artifacts
+- Unify distribution mechanism, infrastructure and tooling
+- Provide generic guidelines applicable to any artifact to be distributed
+
+## Non-Goals
+
+- Infra/CI implementation details
+- Supply chain security topics
+
+## Proposal
+
+With officially supported artifacts, we mean that set of artifacts published 
+by Falcosecurity as part of Falco or its ecosystem.
+
+At the time of writing, the Falcosecurity organization distributes several kinds of artifacts in the form of files or container images. They include:
+- Installation packages
+- Helm charts
+- Drivers (eg, kmod, eBPF)
+- Rule files
+- Plugins
+- Other kinds may be added in the future.
+
+Features shipped with **official artifacts are intended for general availability(GA)**, unless otherwise specified (eg. if experimental or non-production ready features are present, they must be indicated in the release notes). 
+
+The same artifacts can be distributed via multiple distribution channels, and each channel can be mirrored. **The [falco.org](https://falco.org/) website must list all official distribution channels and mirrors**. Any distribution channel not listed on our official website must not be considered part of the official distribution. However, maintainers can still use other channels for experimentation or incubating projects eventually.
+
+### Distribution channels
+
+#### HTTP Distribution
+
+Distributing artifacts as plain files via HTTP is mostly intended for **humans, simple and legacy clients** (e.g., a shell script that downloads a file). 
+
+The allowed publishing channels are:
+- **[download.falco.org](https://download.falco.org/)** where most of the file artifacts lives
+- **endpoints made available by GitHub** for the Falcosecurity organization (e.g., release download URL, GitHub pages, etc.).
+
+Typically, all official artifacts that can be shipped as plain files should be published at [download.falco.org](https://download.falco.org/) and available for download. 
+
+Using the GitHub platform is allowed as an alternative assuming that artifacts are published under the Falcosecurity organization and the GitHub platform usage limitations are being respected (a notable example is publishing a [Helm chart index file using GitHub pages](https://falcosecurity.github.io/charts/)).
+
+It is allowed to publish other non-official artifacts (for example, [development builds](https://download.falco.org/?prefix=packages/bin-dev/)), taking that those are correctly denoted.
+
+Introducing other HTTP channels is discouraged. Providing mirrors is discouraged unless required for technical reasons.
+
+#### OCI Distribution
+
+Some artifacts are in the form of Open Container Initiative (OCI) images and require OCI registries to be distributed. Nevertheless, since the [OCI Distribution Spec](https://specs.opencontainers.org/distribution-spec/?v=v1.0.0) allows any content, even regular files can be stored in OCI registries and distributed likewise. Notably, the [Helm project in early 2022 started storing charts in OCI](https://helm.sh/blog/storing-charts-in-oci/) registries. One our tool [falcoctl did the same](https://github.com/falcosecurity/falcoctl/blob/main/proposals/20220916-rules-and-plugin-distribution.md) later.
+
+Distributing artifacts via OCI registries is intended for all compatible consumers (i.e., [falcoctl](https://github.com/falcosecurity/falcoctl)). It is **allowed and encouraged for any artifacts**. All official artifacts should be published so.
+
+The allowed publishing channels are:
+
+
+| Registry | Name | Account URL |
+| -------- | -------- | -------- |
+| `docker.io`    | Docker Hub     | https://hub.docker.com/u/falcosecurity |
+| `ghcr.io`    | Github Packages Container registry     | https://github.com/orgs/falcosecurity/packages |
+
+
+Both channels are equivalent and may publish the same artifacts. However, for historical reasons and to avoid confusion, the **`docker.io` registry should only be used for container images** and not for other kinds of artifacts (e.g., plugins, rules, etc.).
+
+
+Mirrors are allowed and encouraged if they facilitate artifacts consumption by our users. This proposal reccomends to enable mirrors on the major public OCI registry, such as [Amazon ECR](https://gallery.ecr.aws/) (which is already implentend in our infra at the time of writing).
+
+
+Official **channels and mirrors must be listed at [falco.org](https://falco.org/)**. 
+
+It is allowed to publish other non-official artifacts, even using image tags, taking that those are correctly denoted.
+
+
+#### Other channels
+
+At the time of writing, no other distribution channels are present or needed. However, in case a new kind of artifact will require a particular distribution mechanism (for example, in case an existing package manager system need to consume the artifact using its protocol), the rule of thumb is first to use the available GitHub features for the Falcosecurity organization, if possible. Users will quickly recognize the association between the artifact and the publisher (i.e., falcosecurity), and for that reason is usually preferable.
+
+In all other cases, introducing a new distribution channel must require extensive discussion among maintainers. Nevertheless, **introducing too many distribution channels is discouraged** because it disperses the effort and can mislead users. 
+
+
+### Publishing
+
+#### Source repository
+
+Artifacts must always be built starting from the originating source code and thru an auditable and reproducible process that runs on our infra. It's recommended that the naming and versioning of the published artifact consistently match the originating repository's naming and versioning. For example, the package `falco-0.33.0-x86_64.tar.gz` must match the source code of the git tag [0.33.0](https://github.com/falcosecurity/falco/tree/0.33.0) of the [falco](https://github.com/falcosecurity/falco) repository.
+
+It's recommended that **each repository publish only one kind of artifact** associated with it. 
+
+Exceptions are allowed for:
+ - mono repos (notably [charts](https://github.com/falcosecurity/charts) and [plugins](https://github.com/falcosecurity/plugins)), 
+ - or whenever technical constraints impose a different approach (notably, our Driver Build Grid lives on [test-infra](https://github.com/falcosecurity/test-infra), but the source code is in [libs](https://github.com/falcosecurity/libs)).
+
+Exceptions should be documented to avoid the users and contributors might be confused.
+
+#### Namespacing
+
+As a general rule, to avoid name clashing among different projects under the Falcosecurity organization, all **published artifacts should reflect the originating repository name** in their publishing URL. For example, all artifacts generated by the [falcosecurity/plugins](https://github.com/falcosecurity/plugins) repository should have `falcosecurity/plugins` as the URL's base path.
+
+Exceptions are allowed for:
+- legacy and already published artifacts (to avoid disruption);
+- justified technical reasons.
+
+#### Versioning
+
+All published artifacts must be labeled with version numbers following the **[Semantic Versioning 2 specification](https://semver.org/)**.
+
+For the [HTTP Distribution](#http-distribution), the version number must be reflected in the file name (including build metadata like the targeted arch and platform).
+
+For the [OCI Distribution](#oci-distribution), the version number must be reflected in the image tag (build metadata may be avoided if included in the manifest).
+
+### Tooling
+
+Tooling is essential to deliver a consistent and straightforward UX to our users since the limited set of distribution channels is acceptable to provide just one (or a limited set of) tool(s) capable of working with various artifacts published by the Falcosecurity organization.
+
+In this regard, this proposal follows up the [Falco Rules and Plugin distribution](https://github.com/falcosecurity/falcoctl/blob/main/proposals/20220916-rules-and-plugin-distribution.md) proposal and recommends to use of **[falcoctl](https://github.com/falcosecurity/falcoctl) as the tool to managing artifacts specifically intended for Falco**. The tool's design should consider that other kinds of artifacts may be added in the future.
+
+Likewise, relying on existing **third-party tools for generic or well-known kinds of artifacts** (for example, Helm charts) is recommended.
+
+### Ecosystem
+
+Compatibility with other tools on the broader cloud native ecosystem should be considered when dealing with artifacts and their distribution.
+
+It is also recommended to use third-party solutions and projects that facilitate our users' discovery of published artifacts (for example, https://artifacthub.io/).
+
+
+## Action items
+
+The following subsections indicate major action items to be executed in order to transition from the current to the desiderate state of the art, as noted in this proposal.
+
+### Move [Falco rules](https://github.com/falcosecurity/falco/tree/master/rules) to their own repo
+
+Falco rules files (i.e., the ruleset for the data source syscall) are currently only distributed in bundles with Falco. However, now falcoctl can manage rules artifacts so that we can ship them separately.
+
+The benefits of having rules living in their repository are:
+  - dedicated versioning
+  - rules release will not be tied anymore to a Falco release (e.g., no need to wait for the scheduled Falco release to publish a new rule aiming to detect the latest published CVE)
+  - consistent installation/update mechanism with other rulesets (plugins rules are already published in their repository and can be consumed by falcoctl)
+
+Note that this change will not introduce a breaking change: Falco will continue shipping the default ruleset by including the published ruleset package.
+
+### Make `falcoctl` official
+
+Considering the centrality of falcoctl for managing official artifacts for Falco, the falcoctl project must be promoted to "Official" status, and its repository assumed to be [core](https://github.com/falcosecurity/evolution/blob/main/GOVERNANCE.md#core-repositories).
+
+### Deprecate `falco-driver-loader`
+
+At the time of writing, `falco-driver-loader` is a shell script shipped in a bundle with Falco that has the responsibility of installing a driver by either downloading it from our distribution channels or trying to build it on-the-fly.
+
+Our experience showed all the limitations of this approach, and it's now clear that such as script is hard to maintain. Furthermore, its responsibility overlaps with our aim to use `falcoctl` as the tool for managing artifacts.
+
+Thus, this proposal mandates to deprecate of `falco-driver-loader` in favor of `falcoctl.`
+
+However, to avoid user disruption and breaking legacy use case, it's recommended to provide still a faced script that exposes the same command line usage of `falco-driver-loader` but forward its execution to the new tool `falcoctl`.
+
+This implicitly requires that `falcoctl` be shipped in a bundle with Falco.
+
+### Update the documentation
+
+This proposal mandates making use of official documentation (i.e., falco.org) to state official items, such as artifacts, distribution channels, and mirrors.
+
+For that reason, it becomes imperative to update the documentation periodically concerning the list of officially supported distribution channels and mirrors.
+
+### Usage of GitHub Packages
+
+Since GitHub is the primary platform where the Falcosecurity organization hosts its code and infrastructure, its provided features should be preferred whenever possible.
+
+This proposal recommends using the GitHub Packages feature when the need to distribute a new kind of artifact arises. Such as convention should be adopted among all repositories of the organization.
--- a/1
+++ b/1
@@ -0,0 +1 @@
+./submodules/falcosecurity-rules/rules
--- a/rules/OWNERS
+++ b/rules/OWNERS
@@ -1,10 +0,0 @@
-approvers:
-  - mstemm
-reviewers:
-  - leodido
-  - fntlnz
-  - mfdii
-  - kaizhe
-  - darryk10
-labels:
-  - area/rules
--- a/rules/application_rules.yaml
+++ b/rules/application_rules.yaml
@@ -1,188 +0,0 @@
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
- required_engine_version: 2
-
-################################################################
-# By default all application-related rules are disabled for
-# performance reasons. Depending on the application(s) you use,
-# uncomment the corresponding rule definitions for
-# application-specific activity monitoring.
-################################################################
-
-# Elasticsearch ports
- macro: elasticsearch_cluster_port
-  condition: fd.sport=9300
- macro: elasticsearch_api_port
-  condition: fd.sport=9200
- macro: elasticsearch_port
-  condition: elasticsearch_cluster_port or elasticsearch_api_port
-
-# - rule: Elasticsearch unexpected network inbound traffic
-#   desc: inbound network traffic to elasticsearch on a port other than the standard ports
-#   condition: user.name = elasticsearch and inbound and not elasticsearch_port
-#   output: "Inbound network traffic to Elasticsearch on unexpected port (connection=%fd.name)"
-#   priority: WARNING
-
-# - rule: Elasticsearch unexpected network outbound traffic
-#   desc: outbound network traffic from elasticsearch on a port other than the standard ports
-#   condition: user.name = elasticsearch and outbound and not elasticsearch_cluster_port
-#   output: "Outbound network traffic from Elasticsearch on unexpected port (connection=%fd.name)"
-#   priority: WARNING
-
-
-# ActiveMQ ports
- macro: activemq_cluster_port
-  condition: fd.sport=61616
- macro: activemq_web_port
-  condition: fd.sport=8161
- macro: activemq_port
-  condition: activemq_web_port or activemq_cluster_port
-
-# - rule: Activemq unexpected network inbound traffic
-#   desc: inbound network traffic to activemq on a port other than the standard ports
-#   condition: user.name = activemq and inbound and not activemq_port
-#   output: "Inbound network traffic to ActiveMQ on unexpected port (connection=%fd.name)"
-#   priority: WARNING
-
-# - rule: Activemq unexpected network outbound traffic
-#   desc: outbound network traffic from activemq on a port other than the standard ports
-#   condition: user.name = activemq and outbound and not activemq_cluster_port
-#   output: "Outbound network traffic from ActiveMQ on unexpected port (connection=%fd.name)"
-#   priority: WARNING
-
-
-# Cassandra ports
-# https://docs.datastax.com/en/cassandra/2.0/cassandra/security/secureFireWall_r.html
- macro: cassandra_thrift_client_port
-  condition: fd.sport=9160
- macro: cassandra_cql_port
-  condition: fd.sport=9042
- macro: cassandra_cluster_port
-  condition: fd.sport=7000
- macro: cassandra_ssl_cluster_port
-  condition: fd.sport=7001
- macro: cassandra_jmx_port
-  condition: fd.sport=7199
- macro: cassandra_port
-  condition: >
-    cassandra_thrift_client_port or
-    cassandra_cql_port or cassandra_cluster_port or
-    cassandra_ssl_cluster_port or cassandra_jmx_port
-
-# - rule: Cassandra unexpected network inbound traffic
-#   desc: inbound network traffic to cassandra on a port other than the standard ports
-#   condition: user.name = cassandra and inbound and not cassandra_port
-#   output: "Inbound network traffic to Cassandra on unexpected port (connection=%fd.name)"
-#   priority: WARNING
-
-# - rule: Cassandra unexpected network outbound traffic
-#   desc: outbound network traffic from cassandra on a port other than the standard ports
-#   condition: user.name = cassandra and outbound and not (cassandra_ssl_cluster_port or cassandra_cluster_port)
-#   output: "Outbound network traffic from Cassandra on unexpected port (connection=%fd.name)"
-#   priority: WARNING
-
-# Couchdb ports
-# https://github.com/davisp/couchdb/blob/master/etc/couchdb/local.ini
- macro: couchdb_httpd_port
-  condition: fd.sport=5984
- macro: couchdb_httpd_ssl_port
-  condition: fd.sport=6984
-# xxx can't tell what clustering ports are used. not writing rules for this
-# yet.
-
-# Fluentd ports
- macro: fluentd_http_port
-  condition: fd.sport=9880
- macro: fluentd_forward_port
-  condition: fd.sport=24224
-
-# - rule: Fluentd unexpected network inbound traffic
-#   desc: inbound network traffic to fluentd on a port other than the standard ports
-#   condition: user.name = td-agent and inbound and not (fluentd_forward_port or fluentd_http_port)
-#   output: "Inbound network traffic to Fluentd on unexpected port (connection=%fd.name)"
-#   priority: WARNING
-
-# - rule: Tdagent unexpected network outbound traffic
-#   desc: outbound network traffic from fluentd on a port other than the standard ports
-#   condition: user.name = td-agent and outbound and not fluentd_forward_port
-#   output: "Outbound network traffic from Fluentd on unexpected port (connection=%fd.name)"
-#   priority: WARNING
-
-# Gearman ports
-# http://gearman.org/protocol/
-# - rule: Gearman unexpected network outbound traffic
-#   desc: outbound network traffic from gearman on a port other than the standard ports
-#   condition: user.name = gearman and outbound and outbound and not fd.sport = 4730
-#   output: "Outbound network traffic from Gearman on unexpected port (connection=%fd.name)"
-#   priority: WARNING
-
-# Zookeeper
- macro: zookeeper_port
-  condition: fd.sport = 2181
-
-# Kafka ports
-# - rule: Kafka unexpected network inbound traffic
-#   desc: inbound network traffic to kafka on a port other than the standard ports
-#   condition: user.name = kafka and inbound and fd.sport != 9092
-#   output: "Inbound network traffic to Kafka on unexpected port (connection=%fd.name)"
-#   priority: WARNING
-
-# Memcached ports
-# - rule: Memcached unexpected network inbound traffic
-#   desc: inbound network traffic to memcached on a port other than the standard ports
-#   condition: user.name = memcached and inbound and fd.sport != 11211
-#   output: "Inbound network traffic to Memcached on unexpected port (connection=%fd.name)"
-#   priority: WARNING
-
-# - rule: Memcached unexpected network outbound traffic
-#   desc: any outbound network traffic from memcached. memcached never initiates outbound connections.
-#   condition: user.name = memcached and outbound
-#   output: "Unexpected Memcached outbound connection (connection=%fd.name)"
-#   priority: WARNING
-
-
-# MongoDB ports
- macro: mongodb_server_port
-  condition: fd.sport = 27017
- macro: mongodb_shardserver_port
-  condition: fd.sport = 27018
- macro: mongodb_configserver_port
-  condition: fd.sport = 27019
- macro: mongodb_webserver_port
-  condition: fd.sport = 28017
-
-# - rule: Mongodb unexpected network inbound traffic
-#   desc: inbound network traffic to mongodb on a port other than the standard ports
-#   condition: >
-#     user.name = mongodb and inbound and not (mongodb_server_port or
-#     mongodb_shardserver_port or mongodb_configserver_port or mongodb_webserver_port)
-#   output: "Inbound network traffic to MongoDB on unexpected port (connection=%fd.name)"
-#   priority: WARNING
-
-# MySQL ports
-# - rule: Mysql unexpected network inbound traffic
-#   desc: inbound network traffic to mysql on a port other than the standard ports
-#   condition: user.name = mysql and inbound and fd.sport != 3306
-#   output: "Inbound network traffic to MySQL on unexpected port (connection=%fd.name)"
-#   priority: WARNING
-
-# - rule: HTTP server unexpected network inbound traffic
-#   desc: inbound network traffic to a http server program on a port other than the standard ports
-#   condition: proc.name in (http_server_binaries) and inbound and fd.sport != 80 and fd.sport != 443
-#   output: "Inbound network traffic to HTTP Server on unexpected port (connection=%fd.name)"
-#   priority: WARNING
--- a/rules/falco_rules.local.yaml
+++ b/rules/falco_rules.local.yaml
@@ -1,30 +0,0 @@
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-####################
-# Your custom rules!
-####################
-
-# Add new rules, like this one
-# - rule: The program "sudo" is run in a container
-#   desc: An event will trigger every time you run sudo in a container
-#   condition: evt.type = execve and evt.dir=< and container.id != host and proc.name = sudo
-#   output: "Sudo run in container (user=%user.name %container.info parent=%proc.pname cmdline=%proc.cmdline)"
-#   priority: ERROR
-#   tags: [users, container]
-
-# Or override/append to any rule, macro, or list from the Default Rules
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
--- a/scripts/CMakeLists.txt
+++ b/scripts/CMakeLists.txt
@@ -15,28 +15,39 @@
 # limitations under the License.
 #

-configure_file(debian/postinst.in debian/postinst)
-configure_file(debian/postrm.in debian/postrm)
-configure_file(debian/prerm.in debian/prerm)
+# Systemd
+file(MAKE_DIRECTORY ${PROJECT_BINARY_DIR}/scripts/systemd)
+configure_file("${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod-inject.service"
+		"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY)
+configure_file("${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod.service"
+		"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY)
+configure_file("${PROJECT_SOURCE_DIR}/scripts/systemd/falco-bpf.service"
+		"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY)
+configure_file("${PROJECT_SOURCE_DIR}/scripts/systemd/falco-modern-bpf.service"
+		"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY)
+configure_file("${PROJECT_SOURCE_DIR}/scripts/systemd/falco-custom.service"
+		"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY)
+configure_file("${PROJECT_SOURCE_DIR}/scripts/systemd/falcoctl-artifact-follow.service"
+		"${PROJECT_BINARY_DIR}/scripts/systemd" COPYONLY)

-file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco.service"
-	DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
+# Debian
+configure_file(debian/postinst.in debian/postinst COPYONLY)
+configure_file(debian/postrm.in debian/postrm COPYONLY)
+configure_file(debian/prerm.in debian/prerm COPYONLY)

-file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco_inject_kmod.service"
-	DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
-
-configure_file(rpm/postinstall.in rpm/postinstall)
-configure_file(rpm/postuninstall.in rpm/postuninstall)
-configure_file(rpm/preuninstall.in rpm/preuninstall)
-
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco.service"
-	DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
-
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco_inject_kmod.service"
-	DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
+# Rpm
+configure_file(rpm/postinstall.in rpm/postinstall COPYONLY)
+configure_file(rpm/postuninstall.in rpm/postuninstall COPYONLY)
+configure_file(rpm/preuninstall.in rpm/preuninstall COPYONLY)

 configure_file(falco-driver-loader falco-driver-loader @ONLY)

+# Install Falcoctl config file
+if(NOT DEFINED FALCOCTL_ETC_DIR)
+	set(FALCOCTL_ETC_DIR "${CMAKE_INSTALL_FULL_SYSCONFDIR}/falcoctl")
+endif()
+install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/falcoctl/falcoctl.yaml DESTINATION "${FALCOCTL_ETC_DIR}" COMPONENT "${FALCO_COMPONENT_NAME}")
+
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 	install(PROGRAMS ${PROJECT_BINARY_DIR}/scripts/falco-driver-loader
 		DESTINATION ${FALCO_BIN_DIR} COMPONENT "${FALCO_COMPONENT_NAME}")
--- a/scripts/debian/falco_inject_kmod.service
+++ b/scripts/debian/falco_inject_kmod.service
@@ -1,13 +0,0 @@
-[Unit]
-Description=Falco: Container Native Runtime Security
-Documentation=https://falco.org/docs/
-Before=falco.service
-Wants=falco.service
-
-[Service]
-Type=oneshot
-User=root
-ExecStart=/sbin/modprobe falco
-
-[Install]
-WantedBy=multi-user.target
--- a/scripts/debian/postinst.in
+++ b/scripts/debian/postinst.in
@@ -15,60 +15,85 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+
+chosen_driver=
+
+# Every time we call this script we want to stat from a clean state.
+echo "[POST-INSTALL] Disable all possible 'falco' services:"
+systemctl --system stop 'falco-kmod.service' || true
+systemctl --system stop 'falco-bpf.service' || true
+systemctl --system stop 'falco-modern-bpf.service' || true
+systemctl --system stop 'falco-custom.service' || true
+systemctl --system stop 'falcoctl-artifact-follow.service' || true
+systemctl --system disable 'falco-kmod.service' || true
+systemctl --system disable 'falco-bpf.service' || true
+systemctl --system disable 'falco-modern-bpf.service' || true
+systemctl --system disable 'falco-custom.service' || true
+systemctl --system disable 'falcoctl-artifact-follow.service' || true
+
+# unmask falcoctl if it was masked
+systemctl --system unmask falcoctl-artifact-follow.service || true
+
+if [ "$1" = "configure" ]; then
+        if [ -x /usr/bin/dialog ] && [ "${FALCO_FRONTEND}" != "noninteractive" ]; then
+          # If dialog is installed, create a dialog to let users choose the correct driver for them
+          CHOICE=$(dialog --clear --title "Falco drivers" --menu "Choose your preferred driver:" 12 55 4 \
+                1 "Manual configuration (no unit is started)" \
+                2 "Kmod" \
+                3 "eBPF" \
+                4 "Modern eBPF" \
+                2>&1 >/dev/tty)
+          case $CHOICE in
+                  2)
+                      chosen_driver="kmod"
+                      ;;
+                  3)
+                      chosen_driver="bpf"
+                      ;;
+                  4)
+                      chosen_driver="modern-bpf"
+                      ;;
+          esac
+          if [ -n "$chosen_driver" ]; then
+            CHOICE=$(dialog --clear --title "Falcoctl" --menu "Do you want to follow automatic ruleset updates?" 10 40 2 \
+                    1 "Yes" \
+                    2 "No" \
+                    2>&1 >/dev/tty)
+            case $CHOICE in
+                2)
+                # we don't want falcoctl enabled, we mask it
+                systemctl --system mask falcoctl-artifact-follow.service || true
+                ;;
+            esac
+          fi
+          clear
+        fi
+fi
+
 set -e

-DKMS_PACKAGE_NAME="@PACKAGE_NAME@"
-DKMS_VERSION="@DRIVER_VERSION@"
-NAME="@PACKAGE_NAME@"
+echo "[POST-INSTALL] Trigger deamon-reload:"
+systemctl --system daemon-reload || true

-postinst_found=0
-
-case "$1" in
-	configure)
-		for DKMS_POSTINST in /usr/lib/dkms/common.postinst /usr/share/$DKMS_PACKAGE_NAME/postinst; do
-			if [ -f $DKMS_POSTINST ]; then
-				$DKMS_POSTINST $DKMS_PACKAGE_NAME $DKMS_VERSION /usr/share/$DKMS_PACKAGE_NAME "" $2
-				postinst_found=1
-				break
-			fi
-		done
-		if [ "$postinst_found" -eq 0 ]; then
-			echo "ERROR: DKMS version is too old and $DKMS_PACKAGE_NAME was not"
-			echo "built with legacy DKMS support."
-			echo "You must either rebuild $DKMS_PACKAGE_NAME with legacy postinst"
-			echo "support or upgrade DKMS to a more current version."
-			exit 1
-		fi
-	;;
+# If needed, try to load/compile the driver through falco-driver-loader
+case "$chosen_driver" in
+    "kmod")
+      # Only compile for kmod, in this way we use dkms
+      echo "[POST-INSTALL] Call 'falco-driver-loader --compile module':"
+      falco-driver-loader --compile module
+      ;;
+    "bpf")
+      echo "[POST-INSTALL] Call 'falco-driver-loader bpf':"
+      falco-driver-loader bpf
+      ;;
 esac

-# Based off what debhelper dh_systemd_enable/13.3.4 would have added
-# ref: https://www.debian.org/doc/manuals/debmake-doc/ch05.en.html#debhelper
-
 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
-        # This will only remove masks created by d-s-h on package removal.
-        deb-systemd-helper unmask 'falco.service' >/dev/null || true
-
-        # was-enabled defaults to true, so new installations run enable.
-        if deb-systemd-helper --quiet was-enabled 'falco.service'; then
-                # Enables the unit on first installation, creates new
-                # symlinks on upgrades if the unit file has changed.
-                deb-systemd-helper enable 'falco.service' >/dev/null || true
-        else
-                # Update the statefile to add new symlinks (if any), which need to be
-                # cleaned up on purge. Also remove old symlinks.
-                deb-systemd-helper update-state 'falco.service' >/dev/null || true
-        fi
-fi
-
-if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
-        if [ -d /run/systemd/system ]; then
-                systemctl --system daemon-reload >/dev/null || true
-                if [ -n "$2" ]; then
-                        _dh_action=restart
-                else
-                        _dh_action=start
-                fi
-                deb-systemd-invoke $_dh_action 'falco.service' >/dev/null || true
+        if [ -n "$chosen_driver" ]; then
+            # we do this in 2 steps because `enable --now` is not always supported
+            echo "[POST-INSTALL] Enable 'falco-$chosen_driver.service':"
+            systemctl --system enable "falco-$chosen_driver.service" || true
+            echo "[POST-INSTALL] Start 'falco-$chosen_driver.service':"
+            systemctl --system start "falco-$chosen_driver.service" || true           
        fi
 fi
--- a/scripts/debian/postrm.in
+++ b/scripts/debian/postrm.in
@@ -22,18 +22,13 @@
 set -e

 if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
-        systemctl --system daemon-reload >/dev/null || true
-fi
+        echo "[POST-REMOVE] Disable all Falco services:"
+        systemctl --system disable 'falco-kmod.service' || true
+        systemctl --system disable 'falco-bpf.service' || true
+        systemctl --system disable 'falco-modern-bpf.service' || true
+        systemctl --system disable 'falco-custom.service' || true
+        systemctl --system disable 'falcoctl-artifact-follow.service' || true

-if [ "$1" = "remove" ]; then
-        if [ -x "/usr/bin/deb-systemd-helper" ]; then
-                deb-systemd-helper mask 'falco.service' >/dev/null || true
-        fi
-fi
-
-if [ "$1" = "purge" ]; then
-        if [ -x "/usr/bin/deb-systemd-helper" ]; then
-                deb-systemd-helper purge 'falco.service' >/dev/null || true
-                deb-systemd-helper unmask 'falco.service' >/dev/null || true
-        fi
+        echo "[POST-REMOVE] Trigger deamon-reload:"
+        systemctl --system daemon-reload || true
 fi
--- a/scripts/debian/prerm.in
+++ b/scripts/debian/prerm.in
@@ -21,12 +21,16 @@ set -e
 # ref: https://www.debian.org/doc/manuals/debmake-doc/ch05.en.html#debhelper
 # Currently running falco service uses the driver, so stop it before driver cleanup

-if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
-        deb-systemd-invoke stop 'falco.service' >/dev/null || true
-fi
-
 case "$1" in
-	remove|upgrade|deconfigure)
-		/usr/bin/falco-driver-loader --clean
-	;;
+    remove|upgrade|deconfigure)
+      echo "[PRE-REMOVE] Stop all Falco services:"
+      systemctl --system stop 'falco-kmod.service' || true
+      systemctl --system stop 'falco-bpf.service' || true
+      systemctl --system stop 'falco-modern-bpf.service' || true
+      systemctl --system stop 'falco-custom.service' || true
+      systemctl --system stop 'falcoctl-artifact-follow.service' || true
+
+      echo "[PRE-REMOVE] Call 'falco-driver-loader --clean:'"
+      falco-driver-loader --clean
+    ;;
 esac
--- a/scripts/falco-driver-loader
+++ b/scripts/falco-driver-loader
@@ -113,9 +113,11 @@ get_target_id() {
 	elif [ -f "${HOST_ROOT}/etc/centos-release" ]; then
 		# Older CentOS distros
 		OS_ID=centos
+	elif [ -f "${HOST_ROOT}/etc/redhat-release" ]; then
+		# Older RHEL distros
+		OS_ID=rhel
 	else
-		>&2 echo "Detected an unsupported target system, please get in touch with the Falco community"
-		exit 1
+		return 1
 	fi

 	# Overwrite the OS_ID if /etc/VERSION file is present.
@@ -160,10 +162,21 @@ get_target_id() {
 			exit 1
 		fi
 		;;
+	("bottlerocket")
+		TARGET_ID="${OS_ID}"
+		# variant_id has been sourced from os-release. Get only the first variant part
+		if [[ -n ${VARIANT_ID} ]];  then
+			# take just first part (eg: VARIANT_ID=aws-k8s-1.15 -> aws)
+			VARIANT_ID_CUT=${VARIANT_ID%%-*}
+		fi
+		# version_id has been sourced from os-release. Build a kernel version like: 1_1.11.0-aws
+		KERNEL_VERSION="1_${VERSION_ID}-${VARIANT_ID_CUT}"
+		;;
 	(*)
 		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
 		;;
 	esac
+	return 0
 }

 flatcar_relocate_tools() {
@@ -211,7 +224,13 @@ load_kernel_module_compile() {
 	fi

 	# Try to compile using all the available gcc versions
-	for CURRENT_GCC in $(which gcc) $(ls "$(dirname "$(which gcc)")"/gcc-* | grep 'gcc-[0-9]\+' | sort -n -r -k 2 -t -); do
+	for CURRENT_GCC in $(ls "$(dirname "$(which gcc)")"/gcc*); do
+		# Filter away gcc-{ar,nm,...}
+		# Only gcc compiler has `-print-search-dirs` option.
+		${CURRENT_GCC} -print-search-dirs 2>&1 | grep "install:"
+		if [ "$?" -ne "0" ]; then
+			continue
+		fi
 		echo "* Trying to dkms install ${DRIVER_NAME} module with GCC ${CURRENT_GCC}"
 		echo "#!/usr/bin/env bash" > /tmp/falco-dkms-make
 		echo "make CC=${CURRENT_GCC} \$@" >> /tmp/falco-dkms-make
@@ -232,14 +251,13 @@ load_kernel_module_compile() {
 				return
 			fi
 			echo "* ${DRIVER_NAME} module found: ${KO_FILE}"
-			echo "* Trying insmod"
+			echo "* Trying to insmod"
 			chcon -t modules_object_t "$KO_FILE" > /dev/null 2>&1 || true
 			if insmod "$KO_FILE" > /dev/null 2>&1; then
 				echo "* Success: ${DRIVER_NAME} module found and loaded in dkms"
 				exit 0
-			else
-				echo "* Unable to insmod ${DRIVER_NAME} module"
 			fi
+			echo "* Unable to insmod ${DRIVER_NAME} module"
 		else
 			DKMS_LOG="/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/build/make.log"
 			if [ -f "${DKMS_LOG}" ]; then
@@ -253,21 +271,18 @@ load_kernel_module_compile() {
 }

 load_kernel_module_download() {
-	get_target_id
-
 	local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
 	local URL=$(echo "${1}/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" | sed s/+/%2B/g)

 	echo "* Trying to download a prebuilt ${DRIVER_NAME} module from ${URL}"
-	if curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" "${URL}"; then
+	if curl -L --create-dirs ${FALCO_DRIVER_CURL_OPTIONS} -o "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" "${URL}"; then
 		echo "* Download succeeded"
 		chcon -t modules_object_t "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" > /dev/null 2>&1 || true
 		if insmod "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}"; then
 			echo "* Success: ${DRIVER_NAME} module found and inserted"
 			exit 0
-		else
-			>&2 echo "Unable to insmod the prebuilt ${DRIVER_NAME} module"
-		fi	
+		fi
+		>&2 echo "Unable to insmod the prebuilt ${DRIVER_NAME} module"
 	else
 		>&2 echo "Unable to find a prebuilt ${DRIVER_NAME} module"
 		return
@@ -374,8 +389,6 @@ load_kernel_module() {

 	echo "* Looking for a ${DRIVER_NAME} module locally (kernel ${KERNEL_RELEASE})"

-	get_target_id
-
 	local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
 	echo "* Filename '${FALCO_KERNEL_MODULE_FILENAME}' is composed of:"
 	print_filename_components
@@ -488,7 +501,7 @@ load_bpf_probe_compile() {
 		mkdir -p /tmp/kernel
 		cd /tmp/kernel || exit
 		cd "$(mktemp -d -p /tmp/kernel)" || exit
-		if ! curl -L -o kernel-sources.tgz --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" "${BPF_KERNEL_SOURCES_URL}"; then
+		if ! curl -L -o kernel-sources.tgz --create-dirs ${FALCO_DRIVER_CURL_OPTIONS} "${BPF_KERNEL_SOURCES_URL}"; then
 			>&2 echo "Unable to download the kernel sources"
 			return
 		fi
@@ -530,7 +543,7 @@ load_bpf_probe_download() {

 	echo "* Trying to download a prebuilt eBPF probe from ${URL}"

-	if ! curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${BPF_PROBE_FILENAME}" "${URL}"; then
+	if ! curl -L --create-dirs ${FALCO_DRIVER_CURL_OPTIONS} -o "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${BPF_PROBE_FILENAME}" "${URL}"; then
 		>&2 echo "Unable to find a prebuilt ${DRIVER_NAME} eBPF probe"
 		return 1
 	fi
@@ -544,8 +557,6 @@ load_bpf_probe() {
 		mount -t debugfs nodev /sys/kernel/debug
 	fi

-	get_target_id
-
 	BPF_PROBE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.o"
 	echo "* Filename '${BPF_PROBE_FILENAME}' is composed of:"
 	print_filename_components
@@ -604,6 +615,7 @@ print_usage() {
 	echo "  DRIVERS_REPO             specify different URL(s) where to look for prebuilt Falco drivers (comma separated)"
 	echo "  DRIVER_NAME              specify a different name for the driver"
 	echo "  DRIVER_INSECURE_DOWNLOAD whether you want to allow insecure downloads or not"
+	echo "  DRIVER_CURL_OPTIONS      specify additional options to be passed to curl command used to download Falco drivers"
 	echo ""
 	echo "Versions:"
 	echo "  Falco version  ${FALCO_VERSION}"
@@ -623,13 +635,15 @@ KERNEL_VERSION=$(uname -v | sed 's/#\([[:digit:]]\+\).*/\1/')

 DRIVERS_REPO=${DRIVERS_REPO:-"@DRIVERS_REPO@"}

+FALCO_DRIVER_CURL_OPTIONS="-fsS --connect-timeout 5 --max-time 60 --retry 3 --retry-max-time 120"
+
 if [ -n "$DRIVER_INSECURE_DOWNLOAD" ]
 then
-	FALCO_DRIVER_CURL_OPTIONS=-fsSk
-else
-	FALCO_DRIVER_CURL_OPTIONS=-fsS
+	FALCO_DRIVER_CURL_OPTIONS+=" -k"
 fi

+FALCO_DRIVER_CURL_OPTIONS+=" "${DRIVER_CURL_OPTIONS}
+
 if [[ -z "$MAX_RMMOD_WAIT" ]]; then
 	MAX_RMMOD_WAIT=60
 fi
@@ -638,6 +652,8 @@ DRIVER_VERSION=${DRIVER_VERSION:-"@DRIVER_VERSION@"}
 DRIVER_NAME=${DRIVER_NAME:-"@DRIVER_NAME@"}
 FALCO_VERSION="@FALCO_VERSION@"

+TARGET_ID="placeholder" # when no target id can be fetched, we try to build the driver from source anyway, using a placeholder name
+
 DRIVER="module"
 if [ -v FALCO_BPF_PROBE ]; then
 	DRIVER="bpf"
@@ -711,6 +727,18 @@ if [ -z "$source_only" ]; then
 		exit 1
 	fi

+	get_target_id
+	res=$?
+	if [ $res != 0 ]; then
+		if [ -n "$ENABLE_COMPILE" ]; then
+			ENABLE_DOWNLOAD=
+			>&2 echo "Detected an unsupported target system, please get in touch with the Falco community. Trying to compile anyway."
+		else
+			>&2 echo "Detected an unsupported target system, please get in touch with the Falco community."
+			exit 1
+		fi
+	fi
+
 	if [ -n "$clean" ]; then
 		if [ -n "$has_opts" ]; then
 			>&2 echo "Cannot use --clean with other options"
--- a/scripts/falcoctl/falcoctl.yaml
+++ b/scripts/falcoctl/falcoctl.yaml
@@ -0,0 +1,9 @@
+artifact:
+  follow:
+    every: 6h0m0s
+    falcoVersions: http://localhost:8765/versions
+    refs:
+    - falco-rules:0
+indexes:
+- name: falcosecurity
+  url: https://falcosecurity.github.io/falcoctl/index.yaml
--- a/scripts/publish-deb
+++ b/scripts/publish-deb
@@ -2,7 +2,7 @@
 set -e

 usage() {
-    echo "usage: $0 -f <package_x86_64.deb> -f <package_aarch64.deb> -r <deb|deb-dev>"
+    echo "usage: $0 -f <package_x86_64.deb> -f <package_aarch64.deb> -r <deb|deb-dev> [-s]"
    exit 1
 }

@@ -21,6 +21,18 @@ join_arr() {
  echo "$*"
 }

+# Updates the signature of a DEB package in the local repository
+#
+# $1: path of the repository.
+# $2: suite (eg. "stable")
+# $3: path of the DEB file.
+sign_deb() {
+    pushd $1/$2 > /dev/null
+    rm -f $(basename -- $3).asc
+    gpg --detach-sign --digest-algo SHA256 --armor $(basename -- $3)
+    popd > /dev/null
+}
+
 # Add a package to the local DEB repository
 #
 # $1: path of the repository.
@@ -28,10 +40,7 @@ join_arr() {
 # $3: path of the DEB file.
 add_deb() {
    cp -f $3 $1/$2
-    pushd $1/$2 > /dev/null
-    rm -f $(basename -- $3).asc
-    gpg --detach-sign --digest-algo SHA256 --armor $(basename -- $3)
-    popd > /dev/null
+    sign_deb $1 $2 $3

    # Get package architecture from dpkg
    local arch=$(dpkg --info $3 |  awk '/Architecture/ {printf "%s", $2}')
@@ -54,6 +63,27 @@ falco_arch_from_deb_arch() {
    esac  
 }

+# Sign the local DEB repository
+#
+# $1: path of the repository
+# $2: suite (eg. "stable")
+sign_repo() {
+    local release_dir=dists/$2
+    pushd $1 > /dev/null
+
+    # release signature - Release.gpg file
+    gpg --detach-sign --digest-algo SHA256 --armor ${release_dir}/Release
+    rm -f ${release_dir}/Release.gpg
+    mv ${release_dir}/Release.asc ${release_dir}/Release.gpg
+    
+    # release signature - InRelease file
+    gpg --armor --sign --clearsign --digest-algo SHA256 ${release_dir}/Release
+    rm -f ${release_dir}/InRelease
+    mv ${release_dir}/Release.asc ${release_dir}/InRelease
+
+    popd > /dev/null
+}
+
 # Update the local DEB repository
 #
 # $1: path of the repository
@@ -88,21 +118,11 @@ update_repo() {
      -o APT::FTPArchive::Release::Architectures="$(join_arr , "${architectures[@]}")" \
      ${release_dir} > ${release_dir}/Release

-    # release signature - Release.gpg file
-    gpg --detach-sign --digest-algo SHA256 --armor ${release_dir}/Release
-    rm -f ${release_dir}/Release.gpg
-    mv ${release_dir}/Release.asc ${release_dir}/Release.gpg
-    
-    # release signature - InRelease file
-    gpg --armor --sign --clearsign --digest-algo SHA256 ${release_dir}/Release
-    rm -f ${release_dir}/InRelease
-    mv ${release_dir}/Release.asc ${release_dir}/InRelease
-
    popd > /dev/null
 }

 # parse options
-while getopts ":f::r:" opt; do
+while getopts ":f::r::s" opt; do
    case "${opt}" in
        f )
          files+=("${OPTARG}")
@@ -111,6 +131,9 @@ while getopts ":f::r:" opt; do
          repo="${OPTARG}"
          [[ "${repo}" == "deb" || "${repo}" == "deb-dev" ]] || usage
          ;;
+        s )
+          sign_all="true"
+          ;;
        : )
          echo "invalid option: ${OPTARG} requires an argument" 1>&2
          exit 1
@@ -124,7 +147,7 @@ done
 shift $((OPTIND-1))

 # check options
-if [ ${#files[@]} -eq 0 ] || [ -z "${repo}" ]; then
+if ([ ${#files[@]} -eq 0 ] && [ -z "${sign_all}" ]) || [ -z "${repo}" ]; then
    usage
 fi

@@ -147,24 +170,45 @@ echo "Fetching ${s3_bucket_repo}..."
 mkdir -p ${tmp_repo_path}
 aws s3 cp ${s3_bucket_repo} ${tmp_repo_path} --recursive

-# update the repo
-for file in "${files[@]}"; do
-  echo "Adding ${file}..."
-  add_deb ${tmp_repo_path} ${debSuite} ${file}
-done
-update_repo ${tmp_repo_path} ${debSuite}
+# update signatures for all existing packages
+if [ "${sign_all}" ]; then
+  for file in ${tmp_repo_path}/${debSuite}/*; do
+    if [ -f "$file" ]; then # exclude directories, symlinks, etc...
+      if [[ ! $file == *.asc ]]; then # exclude signature files
+        package=$(basename -- ${file})
+        echo "Signing ${package}..."
+        sign_deb ${tmp_repo_path} ${debSuite} ${file}

-# publish
-for file in "${files[@]}"; do
-  package=$(basename -- ${file})
-  echo "Publishing ${package} to ${s3_bucket_repo}..."
-  aws s3 cp ${tmp_repo_path}/${debSuite}/${package} ${s3_bucket_repo}/${debSuite}/${package} --acl public-read
-  aws s3 cp ${tmp_repo_path}/${debSuite}/${package}.asc ${s3_bucket_repo}/${debSuite}/${package}.asc --acl public-read
+        echo "Syncing ${package}.asc to ${s3_bucket_repo}..."
+        aws s3 cp ${tmp_repo_path}/${debSuite}/${package}.asc ${s3_bucket_repo}/${debSuite}/${package}.asc --acl public-read
+      fi
+    fi
+  done
+  aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${debSuite}/*.asc
+  sign_repo ${tmp_repo_path} ${debSuite}
+fi

-  aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${debSuite}/${package}
-  aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${debSuite}/${package}.asc
-done
+# update the repo by adding new packages
+if ! [ ${#files[@]} -eq 0 ]; then
+  for file in "${files[@]}"; do
+    echo "Adding ${file}..."
+    add_deb ${tmp_repo_path} ${debSuite} ${file}
+  done
+  update_repo ${tmp_repo_path} ${debSuite}
+  sign_repo ${tmp_repo_path} ${debSuite}
+
+  # publish
+  for file in "${files[@]}"; do
+    package=$(basename -- ${file})
+    echo "Publishing ${package} to ${s3_bucket_repo}..."
+    aws s3 cp ${tmp_repo_path}/${debSuite}/${package} ${s3_bucket_repo}/${debSuite}/${package} --acl public-read
+    aws s3 cp ${tmp_repo_path}/${debSuite}/${package}.asc ${s3_bucket_repo}/${debSuite}/${package}.asc --acl public-read
+
+    aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${debSuite}/${package}
+    aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${debSuite}/${package}.asc
+  done
+fi

 # sync dists
 aws s3 sync ${tmp_repo_path}/dists ${s3_bucket_repo}/dists --delete --acl public-read
-aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/dists/*
+aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/dists/*
--- a/scripts/publish-rpm
+++ b/scripts/publish-rpm
@@ -2,7 +2,7 @@
 set -e

 usage() {
-    echo "usage: $0 -f <package_x86_64.rpm> -f <package_aarch64.rpm> -r <rpm|rpm-dev>"
+    echo "usage: $0 -f <package_x86_64.rpm> -f <package_aarch64.rpm> -r <rpm|rpm-dev> [-s]"
    exit 1
 }

@@ -14,15 +14,33 @@ check_program() {
  fi
 }

+# Updates the signature of a RPM package in the local repository
+#
+# $1: path of the repository.
+# $2: path of the RPM file.
+sign_rpm() {
+    pushd $1 > /dev/null
+    rm -f $(basename -- $2).asc
+    gpg --detach-sign --digest-algo SHA256 --armor $(basename -- $2)
+    popd > /dev/null
+}
+
 # Add a package to the local RPM repository
 #
 # $1: path of the repository.
 # $2: path of the RPM file.
 add_rpm() {
    cp -f $2 $1
+    sign_rpm $1 $2
+}
+
+# Sign the local RPM repository
+#
+# $1: path of the repository.
+sign_repo() {
    pushd $1 > /dev/null
-    rm -f $(basename -- $2).asc
-    gpg --detach-sign --digest-algo SHA256 --armor $(basename -- $2)
+    rm -f repodata/repomd.xml.asc
+    gpg --detach-sign --digest-algo SHA256 --armor repodata/repomd.xml
    popd > /dev/null
 }

@@ -32,14 +50,11 @@ add_rpm() {
 update_repo() {
    pushd $1 > /dev/null
    createrepo --update --no-database .
-    rm -f repodata/repomd.xml.asc
-    gpg --detach-sign --digest-algo SHA256 --armor repodata/repomd.xml
    popd > /dev/null
 }

-
 # parse options
-while getopts ":f::r:" opt; do
+while getopts ":f::r::s" opt; do
    case "${opt}" in
        f )
          files+=("${OPTARG}")
@@ -48,6 +63,9 @@ while getopts ":f::r:" opt; do
          repo="${OPTARG}"
          [[ "${repo}" == "rpm" || "${repo}" == "rpm-dev" ]] || usage
          ;;
+        s )
+          sign_all="true"
+          ;;
        : )
          echo "invalid option: ${OPTARG} requires an argument" 1>&2
          exit 1
@@ -60,7 +78,7 @@ while getopts ":f::r:" opt; do
 done
 shift $((OPTIND-1))

-if [ ${#files[@]} -eq 0 ] || [ -z "${repo}" ]; then
+if ([ ${#files[@]} -eq 0 ] && [ -z "${sign_all}" ]) || [ -z "${repo}" ]; then
    usage
 fi

@@ -79,24 +97,45 @@ echo "Fetching ${s3_bucket_repo}..."
 mkdir -p ${tmp_repo_path}
 aws s3 cp ${s3_bucket_repo} ${tmp_repo_path} --recursive

-# update the repo
-for file in "${files[@]}"; do
-  echo "Adding ${file}..."
-  add_rpm ${tmp_repo_path} ${file}
-done
-update_repo ${tmp_repo_path}
+# update signatures for all existing packages
+if [ "${sign_all}" ]; then
+  for file in ${tmp_repo_path}/*; do
+    if [ -f "$file" ]; then # exclude directories, symlinks, etc...
+      if [[ ! $file == *.asc ]]; then # exclude signature files
+        package=$(basename -- ${file})
+        echo "Signing ${package}..."
+        sign_rpm ${tmp_repo_path} ${file}

-# publish
-for file in "${files[@]}"; do
-  package=$(basename -- ${file})
-  echo "Publishing ${package} to ${s3_bucket_repo}..."
-  aws s3 cp ${tmp_repo_path}/${package} ${s3_bucket_repo}/${package} --acl public-read
-  aws s3 cp ${tmp_repo_path}/${package}.asc ${s3_bucket_repo}/${package}.asc --acl public-read
+        echo "Syncing ${package}.asc to ${s3_bucket_repo}..."
+        aws s3 cp ${tmp_repo_path}/${package}.asc ${s3_bucket_repo}/${package}.asc --acl public-read
+      fi
+    fi
+  done
+  aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/*.asc
+  sign_repo ${tmp_repo_path}
+fi

-  aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}
-  aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}.asc
-done
+# update the repo by adding new packages
+if ! [ ${#files[@]} -eq 0 ]; then
+  for file in "${files[@]}"; do
+    echo "Adding ${file}..."
+    add_rpm ${tmp_repo_path} ${file}
+  done
+  update_repo ${tmp_repo_path}
+  sign_repo ${tmp_repo_path}
+
+  # publish
+  for file in "${files[@]}"; do
+    package=$(basename -- ${file})
+    echo "Publishing ${package} to ${s3_bucket_repo}..."
+    aws s3 cp ${tmp_repo_path}/${package} ${s3_bucket_repo}/${package} --acl public-read
+    aws s3 cp ${tmp_repo_path}/${package}.asc ${s3_bucket_repo}/${package}.asc --acl public-read
+
+    aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}
+    aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}.asc
+  done
+fi

 # sync repodata
 aws s3 sync ${tmp_repo_path}/repodata ${s3_bucket_repo}/repodata --delete --acl public-read
-aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/repodata/*
+aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/repodata/*
--- a/scripts/rpm/falco_inject_kmod.service
+++ b/scripts/rpm/falco_inject_kmod.service
@@ -1,13 +0,0 @@
-[Unit]
-Description=Falco: Container Native Runtime Security
-Documentation=https://falco.org/docs/
-Before=falco.service
-Wants=falco.service
-
-[Service]
-Type=oneshot
-User=root
-ExecStart=/sbin/modprobe falco
-
-[Install]
-WantedBy=multi-user.target
--- a/scripts/rpm/postinstall.in
+++ b/scripts/rpm/postinstall.in
@@ -14,22 +14,78 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+
+chosen_driver=
+
+# Every time we call this script we want to stat from a clean state.
+echo "[POST-INSTALL] Disable all possible enabled 'falco' service:"
+systemctl --system stop 'falco-kmod.service' || true
+systemctl --system stop 'falco-bpf.service' || true
+systemctl --system stop 'falco-modern-bpf.service' || true
+systemctl --system stop 'falco-custom.service' || true
+systemctl --system stop 'falcoctl-artifact-follow.service' || true
+systemctl --system disable 'falco-kmod.service' || true
+systemctl --system disable 'falco-bpf.service' || true
+systemctl --system disable 'falco-modern-bpf.service' || true
+systemctl --system disable 'falco-custom.service' || true
+systemctl --system disable 'falcoctl-artifact-follow.service' || true
+
+# unmask falcoctl if it was masked
+systemctl --system unmask falcoctl-artifact-follow.service || true
+
+if [ $1 -ge 1 ]; then
+        if [ -x /usr/bin/dialog ] && [ "${FALCO_FRONTEND}" != "noninteractive" ]; then
+            # If dialog is installed, create a dialog to let users choose the correct driver for them
+            CHOICE=$(dialog --clear --title "Falco drivers" --menu "Choose your preferred driver:" 12 55 4 \
+                    1 "Manual configuration (no unit is started)" \
+                    2 "Kmod" \
+                    3 "eBPF" \
+                    4 "Modern eBPF" \
+                    2>&1 >/dev/tty)
+            case $CHOICE in
+                2)
+                    chosen_driver="kmod"
+                    ;;
+                3)
+                    chosen_driver="bpf"
+                    ;;
+                4)
+                    chosen_driver="modern-bpf"
+                    ;;
+            esac
+            if [ -n "$chosen_driver" ]; then
+              CHOICE=$(dialog --clear --title "Falcoctl" --menu "Do you want to follow automatic ruleset updates?" 10 40 2 \
+                      1 "Yes" \
+                      2 "No" \
+                      2>&1 >/dev/tty)
+              case $CHOICE in
+                  2)
+                      # we don't want falcoctl enabled, we mask it
+                      systemctl --system mask falcoctl-artifact-follow.service || true
+                  ;;
+              esac
+            fi
+            clear
+        fi
+fi
+
 set -e

-mod_version="@DRIVER_VERSION@"
-dkms add -m falco -v $mod_version --rpm_safe_upgrade
-if [ `uname -r | grep -c "BOOT"` -eq 0 ] && [ -e /lib/modules/`uname -r`/build/include ]; then
-	dkms build -m falco -v $mod_version
-	dkms install --force -m falco -v $mod_version
-elif [ `uname -r | grep -c "BOOT"` -gt 0 ]; then
-	echo -e ""
-	echo -e "Module build for the currently running kernel was skipped since you"
-	echo -e "are running a BOOT variant of the kernel."
-else
-	echo -e ""
-	echo -e "Module build for the currently running kernel was skipped since the"
-	echo -e "kernel source for this kernel does not seem to be installed."
-fi
+echo "[POST-INSTALL] Trigger deamon-reload:"
+systemctl --system daemon-reload || true
+
+# If needed, try to load/compile the driver through falco-driver-loader
+case "$chosen_driver" in
+    "kmod")
+      # Only compile for kmod, in this way we use dkms
+      echo "[POST-INSTALL] Call 'falco-driver-loader --compile module':"
+      falco-driver-loader --compile module
+      ;;
+    "bpf")
+      echo "[POST-INSTALL] Call 'falco-driver-loader bpf':"
+      falco-driver-loader bpf
+      ;;
+esac

 # validate rpm macros by `rpm -qp --scripts <rpm>`
 # RPM scriptlets: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd
@@ -38,27 +94,14 @@ fi
 # systemd_post macro expands to
 # if postinst:
 #   `systemd-update-helper install-system-units <service>`
-%systemd_post 'falco.service'
+%systemd_post "falco-$chosen_driver.service"

-# post install mirrored from .deb
-if [ $1 -eq 1 ]; then
-        # This will only remove masks created on package removal.
-        /usr/bin/systemctl --system unmask 'falco.service' >/dev/null || true
-
-        # enable falco on installation
-        # note: DEB postinstall script checks for changed symlinks
-        /usr/bin/systemctl --system enable 'falco.service' >/dev/null || true
-
-        # start falco on installation
-        /usr/bin/systemctl --system start 'falco.service' >/dev/null || true
-fi
-
-# post upgrade mirrored from .deb
-if [ $1 -gt 1 ]; then
-    if [ -d /run/systemd/system ]; then
-        /usr/bin/systemctl --system daemon-reload >/dev/null || true
-
-        # restart falco on upgrade if service is already running
-        /usr/bin/systemctl --system condrestart 'falco.service' >/dev/null || true
-    fi
+# post install/upgrade mirrored from .deb
+if [ $1 -ge 1 ]; then
+        if [ -n "$chosen_driver" ]; then
+            echo "[POST-INSTALL] Enable 'falco-$chosen_driver.service':"
+            systemctl --system enable "falco-$chosen_driver.service" || true
+            echo "[POST-INSTALL] Start 'falco-$chosen_driver.service':"
+            systemctl --system start "falco-$chosen_driver.service" || true
+        fi
 fi
--- a/scripts/rpm/postuninstall.in
+++ b/scripts/rpm/postuninstall.in
@@ -17,17 +17,14 @@

 set -e

-# post uninstall mirrored from .deb
-if [ -d /run/systemd/system ] && [ "$1" = 0 ]; then
-        /usr/bin/systemctl --system daemon-reload >/dev/null || true
-        /usr/bin/systemctl --system mask 'falco.service' >/dev/null || true
+if [ -d /run/systemd/system ] && [ $1 -eq 0 ]; then
+        echo "[POST-REMOVE] Disable all Falco services:"
+        systemctl --system disable 'falco-kmod.service'|| true
+        systemctl --system disable 'falco-bpf.service' || true
+        systemctl --system disable 'falco-modern-bpf.service' || true
+        systemctl --system disable 'falco-custom.service' || true
+        systemctl --system disable 'falcoctl-artifact-follow.service' || true
+
+        echo "[POST-REMOVE] Trigger deamon-reload:"
+        systemctl --system daemon-reload || true
 fi
-
-# validate rpm macros by `rpm -qp --scripts <rpm>`
-# RPM scriptlets: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd
-#                 https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
-
-# systemd_postun_with_restart macro expands to
-# if package upgrade, not uninstall:
-#   `systemd-update-helper mark-restart-system-units <service>`
-%systemd_postun_with_restart 'falco.service'
--- a/scripts/rpm/preuninstall.in
+++ b/scripts/rpm/preuninstall.in
@@ -16,14 +16,16 @@
 #
 set -e

-# pre uninstall mirrored from .deb
 # Currently running falco service uses the driver, so stop it before driver cleanup
-if [ -d /run/systemd/system ] && [ $1 -eq 0 ]; then
-        # stop falco service before uninstall
-        /usr/bin/systemctl --system stop 'falco.service' >/dev/null || true
-fi
+echo "[PRE-REMOVE] Stop all Falco services:"
+systemctl --system stop 'falco-kmod.service' || true
+systemctl --system stop 'falco-bpf.service' || true
+systemctl --system stop 'falco-modern-bpf.service' || true
+systemctl --system stop 'falco-custom.service' || true
+systemctl --system stop 'falcoctl-artifact-follow.service' || true

-/usr/bin/falco-driver-loader --clean
+echo "[PRE-REMOVE] Call 'falco-driver-loader --clean:'"
+falco-driver-loader --clean

 # validate rpm macros by `rpm -qp --scripts <rpm>`
 # RPM scriptlets: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd
@@ -32,4 +34,8 @@ fi
 # systemd_preun macro expands to
 # if preuninstall:
 #  `systemd-update-helper remove-system-units <service>`
-%systemd_preun 'falco.service'
+%systemd_preun 'falco-kmod.service'
+%systemd_preun 'falco-bpf.service'
+%systemd_preun 'falco-modern-bpf.service'
+%systemd_preun 'falco-custom.service'
+%systemd_preun 'falcoctl-artifact-follow.service'
--- a/scripts/systemd/falco-bpf.service
+++ b/scripts/systemd/falco-bpf.service
@@ -1,14 +1,14 @@
 [Unit]
-Description=Falco: Container Native Runtime Security
+Description=Falco: Container Native Runtime Security with ebpf
 Documentation=https://falco.org/docs/
-After=falco_inject_kmod.service
-Requires=falco_inject_kmod.service
+Before=falcoctl-artifact-follow.service
+Wants=falcoctl-artifact-follow.service

 [Service]
 Type=simple
 User=root
+Environment=FALCO_BPF_PROBE=
 ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
-ExecStopPost=/sbin/rmmod falco
 UMask=0077
 TimeoutSec=30
 RestartSec=15s
@@ -18,7 +18,6 @@ NoNewPrivileges=yes
 ProtectHome=read-only
 ProtectSystem=full
 ProtectKernelTunables=true
-ReadWritePaths=/sys/module/falco
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
 StandardOutput=null
--- a/scripts/systemd/falco-custom.service
+++ b/scripts/systemd/falco-custom.service
@@ -1,14 +1,13 @@
 [Unit]
-Description=Falco: Container Native Runtime Security
+Description=Falco: Container Native Runtime Security with custom configuration
 Documentation=https://falco.org/docs/
-After=falco_inject_kmod.service
-Requires=falco_inject_kmod.service
+Before=falcoctl-artifact-follow.service
+Wants=falcoctl-artifact-follow.service

 [Service]
 Type=simple
-User=root
+User=%u
 ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
-ExecStopPost=/sbin/rmmod falco
 UMask=0077
 TimeoutSec=30
 RestartSec=15s
@@ -18,9 +17,9 @@ NoNewPrivileges=yes
 ProtectHome=read-only
 ProtectSystem=full
 ProtectKernelTunables=true
-ReadWritePaths=/sys/module/falco
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
+StandardOutput=null

 [Install]
 WantedBy=multi-user.target
--- a/scripts/systemd/falco-kmod-inject.service
+++ b/scripts/systemd/falco-kmod-inject.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Falco: Container Native Runtime Security with kmod, inject.
+Documentation=https://falco.org/docs/
+PartOf=falco-kmod.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+User=root
+ExecStart=/sbin/modprobe falco
+ExecStop=/sbin/rmmod falco
--- a/scripts/systemd/falco-kmod.service
+++ b/scripts/systemd/falco-kmod.service
@@ -0,0 +1,29 @@
+[Unit]
+Description=Falco: Container Native Runtime Security with kmod
+Documentation=https://falco.org/docs/
+After=falco-kmod-inject.service
+Requires=falco-kmod-inject.service
+Before=falcoctl-artifact-follow.service
+Wants=falcoctl-artifact-follow.service
+
+[Service]
+Type=simple
+User=root
+ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
+UMask=0077
+TimeoutSec=30
+RestartSec=15s
+Restart=on-failure
+PrivateTmp=true
+NoNewPrivileges=yes
+ProtectHome=read-only
+ProtectSystem=full
+ProtectKernelTunables=true
+ReadWriteDirectories=/sys/module/falco
+RestrictRealtime=true
+RestrictAddressFamilies=~AF_PACKET
+StandardOutput=null
+
+[Install]
+WantedBy=multi-user.target
+Alias=falco.service
--- a/scripts/systemd/falco-modern-bpf.service
+++ b/scripts/systemd/falco-modern-bpf.service
@@ -0,0 +1,25 @@
+[Unit]
+Description=Falco: Container Native Runtime Security with modern ebpf
+Documentation=https://falco.org/docs/
+Before=falcoctl-artifact-follow.service
+Wants=falcoctl-artifact-follow.service
+
+[Service]
+Type=simple
+User=root
+ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid --modern-bpf
+UMask=0077
+TimeoutSec=30
+RestartSec=15s
+Restart=on-failure
+PrivateTmp=true
+NoNewPrivileges=yes
+ProtectHome=read-only
+ProtectSystem=full
+ProtectKernelTunables=true
+RestrictRealtime=true
+RestrictAddressFamilies=~AF_PACKET
+StandardOutput=null
+
+[Install]
+WantedBy=multi-user.target
--- a/scripts/systemd/falcoctl-artifact-follow.service
+++ b/scripts/systemd/falcoctl-artifact-follow.service
@@ -0,0 +1,22 @@
+[Unit]
+Description=Falcoctl Artifact Follow: automatic artifacts update service
+Documentation=https://falco.org/docs/
+PartOf=falco-bpf.service falco-kmod.service falco-modern-bpf.service falco-custom.service
+
+[Service]
+Type=simple
+User=root
+ExecStart=/usr/bin/falcoctl artifact follow --allowed-types=rulesfile
+UMask=0077
+TimeoutSec=30
+RestartSec=15s
+Restart=on-failure
+PrivateTmp=true
+NoNewPrivileges=yes
+ProtectSystem=true
+ReadWriteDirectories=/usr/share/falco
+ProtectKernelTunables=true
+RestrictRealtime=true
+
+[Install]
+WantedBy=multi-user.target
--- a/submodules/falcosecurity-rules
+++ b/submodules/falcosecurity-rules
--- a/test/CMakeLists.txt
+++ b/test/CMakeLists.txt
@@ -1,4 +1,6 @@
 add_subdirectory(trace_files)

-add_subdirectory(plugins)
-add_subdirectory(confs/plugins)
+if(NOT MUSL_OPTIMIZED_BUILD)
+    add_subdirectory(plugins)
+    add_subdirectory(confs/plugins)
+endif()
--- a/test/falco_k8s_audit_tests.yaml
+++ b/test/falco_k8s_audit_tests.yaml
@@ -21,7 +21,7 @@ trace_files: !mux
    detect_level: WARNING
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
      - ./rules/k8s_audit/engine_v4/allow_only_apache_container.yaml
    detect_counts:
@@ -33,7 +33,7 @@ trace_files: !mux
    detect: False
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
      - ./rules/k8s_audit/engine_v4/allow_nginx_container.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
@@ -44,7 +44,7 @@ trace_files: !mux
    detect_level: WARNING
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
    detect_counts:
      - Create Privileged Pod: 1
@@ -55,7 +55,7 @@ trace_files: !mux
    detect: False
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
      - ./rules/k8s_audit/trust_nginx_container.yaml
@@ -66,7 +66,7 @@ trace_files: !mux
    detect: False
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
@@ -76,7 +76,7 @@ trace_files: !mux
    detect_level: WARNING
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
    detect_counts:
      - Create HostNetwork Pod: 1
@@ -87,7 +87,7 @@ trace_files: !mux
    detect: False
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
      - ./rules/k8s_audit/trust_nginx_container.yaml
@@ -99,7 +99,7 @@ trace_files: !mux
    detect_level: WARNING
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/allow_namespace_foo.yaml
    detect_counts:
@@ -111,7 +111,7 @@ trace_files: !mux
    detect: False
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/allow_namespace_foo.yaml
      - ./rules/k8s_audit/allow_user_some-user.yaml
@@ -124,7 +124,7 @@ trace_files: !mux
    detect_level: WARNING
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/allow_only_apache_container.yaml
    detect_counts:
@@ -136,7 +136,7 @@ trace_files: !mux
    detect: False
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/allow_nginx_container.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
@@ -147,7 +147,7 @@ trace_files: !mux
    detect_level: WARNING
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - Create Privileged Pod: 1
@@ -159,7 +159,7 @@ trace_files: !mux
    detect_level: WARNING
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - Create Privileged Pod: 1
@@ -171,7 +171,7 @@ trace_files: !mux
    detect_level: WARNING
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - Create Privileged Pod: 1
@@ -182,7 +182,7 @@ trace_files: !mux
    detect: False
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/trust_nginx_container.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
@@ -192,7 +192,7 @@ trace_files: !mux
    detect: False
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
@@ -201,7 +201,7 @@ trace_files: !mux
    detect: False
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/trust_nginx_container.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
@@ -212,7 +212,7 @@ trace_files: !mux
    detect_level: WARNING
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - Create Sensitive Mount Pod: 1
@@ -224,7 +224,7 @@ trace_files: !mux
    detect_level: WARNING
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - Create Sensitive Mount Pod: 1
@@ -235,7 +235,7 @@ trace_files: !mux
    detect: False
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/trust_nginx_container.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
@@ -245,7 +245,7 @@ trace_files: !mux
    detect: False
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json
@@ -254,7 +254,7 @@ trace_files: !mux
    detect: False
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/trust_nginx_container.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
@@ -265,7 +265,7 @@ trace_files: !mux
    detect_level: WARNING
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - Create HostNetwork Pod: 1
@@ -276,7 +276,7 @@ trace_files: !mux
    detect: False
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/trust_nginx_container.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
@@ -286,7 +286,7 @@ trace_files: !mux
    detect: False
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json
@@ -295,7 +295,7 @@ trace_files: !mux
    detect: False
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/trust_nginx_container.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
@@ -306,7 +306,7 @@ trace_files: !mux
    detect_level: WARNING
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/disallow_kactivity.yaml
    detect_counts:
@@ -318,7 +318,7 @@ trace_files: !mux
    detect: False
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/disallow_kactivity.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
@@ -329,7 +329,7 @@ trace_files: !mux
    detect_level: WARNING
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/disallow_kactivity.yaml
    detect_counts:
@@ -341,7 +341,7 @@ trace_files: !mux
    detect: False
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/disallow_kactivity.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
@@ -352,7 +352,7 @@ trace_files: !mux
    detect_level: WARNING
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - Anonymous Request Allowed: 1
@@ -364,7 +364,7 @@ trace_files: !mux
    detect_level: NOTICE
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - Attach/Exec Pod: 1
@@ -376,7 +376,7 @@ trace_files: !mux
    detect_level: NOTICE
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - Attach/Exec Pod: 1
@@ -388,7 +388,7 @@ trace_files: !mux
    detect_level: WARNING
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/allow_user_some-user.yaml
    detect_counts:
@@ -400,7 +400,7 @@ trace_files: !mux
    detect: False
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/allow_namespace_foo.yaml
      - ./rules/k8s_audit/disallow_kactivity.yaml
@@ -412,7 +412,7 @@ trace_files: !mux
    detect_level: WARNING
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - Pod Created in Kube Namespace: 1
@@ -424,7 +424,7 @@ trace_files: !mux
    detect_level: WARNING
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - Pod Created in Kube Namespace: 1
@@ -436,7 +436,7 @@ trace_files: !mux
    detect_level: WARNING
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - Service Account Created in Kube Namespace: 1
@@ -448,7 +448,7 @@ trace_files: !mux
    detect_level: WARNING
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - Service Account Created in Kube Namespace: 1
@@ -460,7 +460,7 @@ trace_files: !mux
    detect_level: WARNING
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - System ClusterRole Modified/Deleted: 1
@@ -472,7 +472,7 @@ trace_files: !mux
    detect_level: WARNING
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - System ClusterRole Modified/Deleted: 1
@@ -484,7 +484,7 @@ trace_files: !mux
    detect_level: WARNING
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - Attach to cluster-admin Role: 1
@@ -496,7 +496,7 @@ trace_files: !mux
    detect_level: WARNING
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - ClusterRole With Wildcard Created: 1
@@ -508,7 +508,7 @@ trace_files: !mux
    detect_level: WARNING
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - ClusterRole With Wildcard Created: 1
@@ -520,7 +520,7 @@ trace_files: !mux
    detect_level: NOTICE
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - ClusterRole With Write Privileges Created: 1
@@ -532,7 +532,7 @@ trace_files: !mux
    detect_level: WARNING
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - ClusterRole With Pod Exec Created: 1
@@ -544,7 +544,7 @@ trace_files: !mux
    detect_level: INFO
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - K8s Deployment Created: 1
@@ -556,7 +556,7 @@ trace_files: !mux
    detect_level: INFO
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - K8s Deployment Deleted: 1
@@ -568,7 +568,7 @@ trace_files: !mux
    detect_level: INFO
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - K8s Service Created: 1
@@ -580,7 +580,7 @@ trace_files: !mux
    detect_level: INFO
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - K8s Service Deleted: 1
@@ -592,7 +592,7 @@ trace_files: !mux
    detect_level: INFO
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - K8s ConfigMap Created: 1
@@ -604,7 +604,7 @@ trace_files: !mux
    detect_level: INFO
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - K8s ConfigMap Deleted: 1
@@ -616,7 +616,7 @@ trace_files: !mux
    detect_level: INFO
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
      - ./rules/k8s_audit/allow_namespace_foo.yaml
      - ./rules/k8s_audit/allow_user_some-user.yaml
@@ -630,7 +630,7 @@ trace_files: !mux
    detect_level: INFO
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - K8s Namespace Deleted: 1
@@ -642,7 +642,7 @@ trace_files: !mux
    detect_level: INFO
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - K8s Serviceaccount Created: 1
@@ -654,7 +654,7 @@ trace_files: !mux
    detect_level: INFO
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - K8s Serviceaccount Deleted: 1
@@ -666,7 +666,7 @@ trace_files: !mux
    detect_level: INFO
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - K8s Role/Clusterrole Created: 1
@@ -678,7 +678,7 @@ trace_files: !mux
    detect_level: INFO
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - K8s Role/Clusterrole Deleted: 1
@@ -690,7 +690,7 @@ trace_files: !mux
    detect_level: INFO
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - K8s Role/Clusterrolebinding Created: 1
@@ -702,7 +702,7 @@ trace_files: !mux
    detect_level: INFO
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - K8s Role/Clusterrolebinding Deleted: 1
@@ -714,7 +714,7 @@ trace_files: !mux
    detect_level: INFO
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - K8s Secret Created: 1
@@ -727,7 +727,7 @@ trace_files: !mux
    detect_level: INFO
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_service_account_token_secret.json
@@ -737,7 +737,7 @@ trace_files: !mux
    detect_level: INFO
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_kube_system_secret.json
@@ -747,7 +747,7 @@ trace_files: !mux
    detect_level: INFO
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    detect_counts:
      - K8s Secret Deleted: 1
@@ -758,7 +758,7 @@ trace_files: !mux
    detect: False
    enable_source: k8s_audit
    rules_file:
-      - ../rules/falco_rules.yaml
+      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/fal_01_003.json
@@ -773,4 +773,4 @@ trace_files: !mux
    detect_counts:
      - json_pointer_example: 1
    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
--- a/test/falco_test.py
+++ b/test/falco_test.py
@@ -99,7 +99,7 @@ class FalcoTest(Test):
        self.addl_cmdline_opts = self.params.get('addl_cmdline_opts', '*', default='')
        self.enable_source = self.params.get('enable_source', '*', default='')
        self.rules_file = self.params.get(
-            'rules_file', '*', default=os.path.join(self.basedir, '../rules/falco_rules.yaml'))
+            'rules_file', '*', default='BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml')

        if not isinstance(self.rules_file, list):
            self.rules_file = [self.rules_file]
--- a/test/falco_tests.yaml
+++ b/test/falco_tests.yaml
@@ -358,6 +358,16 @@ trace_files: !mux
    validate_rules_file:
      - rules/invalid_macro_without_condition.yaml
    trace_file: trace_files/cat_write.scap
+  
+  invalid_macro_loop:
+    exit_status: 1
+    validate_errors:
+      - item_type: macro
+        item_name: macro_a
+        code: LOAD_ERR_VALIDATE
+        message_contains: "reference loop in macro"
+    validate_rules_file:
+      - rules/invalid_macro_loop.yaml

  invalid_rule_without_output:
    exit_status: 1
@@ -403,6 +413,16 @@ trace_files: !mux
      - rules/list_append_failure.yaml
    trace_file: trace_files/cat_write.scap

+  invalid_list_loop:
+    exit_status: 1
+    validate_errors:
+      - item_type: rule
+        item_name: sample rule
+        code: LOAD_ERR_COMPILE_CONDITION
+        message: "unknown event type list_a"
+    validate_rules_file:
+      - rules/invalid_list_loop.yaml
+
  invalid_rule_append_dangling:
    exit_status: 1
    validate_errors:
@@ -604,7 +624,7 @@ trace_files: !mux

  disabled_and_enabled_rules_1:
    exit_status: 1
-    stderr_contains: "Runtime error: You can not specify both disabled .-D/-T. and enabled .-t. rules. Exiting."
+    stderr_contains: "Error: You can not specify both disabled .-D/-T. and enabled .-t. rules"
    disable_tags: [a]
    run_tags: [a]
    rules_file:
@@ -613,7 +633,7 @@ trace_files: !mux

  disabled_and_enabled_rules_2:
    exit_status: 1
-    stderr_contains: "Runtime error: You can not specify both disabled .-D/-T. and enabled .-t. rules. Exiting."
+    stderr_contains: "Error: You can not specify both disabled .-D/-T. and enabled .-t. rules"
    disabled_rules:
      - "open.*"
    run_tags: [a]
--- a/test/plugins/test_extract.cpp
+++ b/test/plugins/test_extract.cpp
@@ -17,7 +17,7 @@ limitations under the License.
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#include <plugin_info.h>
+#include <engine/source_plugin/plugin_info.h>

 static const char *pl_required_api_version = PLUGIN_API_VERSION_STR;
 static const char *pl_name_base            = "test_extract";
--- a/test/plugins/test_source.cpp
+++ b/test/plugins/test_source.cpp
@@ -18,7 +18,7 @@ limitations under the License.
 #include <stdio.h>
 #include <stdlib.h>

-#include <plugin_info.h>
+#include <engine/source_plugin/plugin_info.h>

 static const char *pl_required_api_version = PLUGIN_API_VERSION_STR;
 static uint32_t    pl_id                   = 999;
--- a/test/requirements.txt
+++ b/test/requirements.txt
@@ -1,6 +1,6 @@
 avocado-framework==69.0
 avocado-framework-plugin-varianter-yaml-to-mux==69.0
-certifi==2020.4.5.1
+certifi==2022.12.7
 chardet==3.0.4
 idna==2.9
 pathtools==0.1.2
--- a/test/rules/invalid_list_loop.yaml
+++ b/test/rules/invalid_list_loop.yaml
@@ -0,0 +1,17 @@
+- list: list_a
+  items: [open]
+
+- list: list_b
+  items: [list_a]
+
+- list: list_a
+  items: [list_b]
+
+- macro: macro_a
+  condition: evt.type in (list_a)
+
+- rule: sample rule
+  priority: WARNING
+  output: test
+  desc: testdesc
+  condition: macro_a
--- a/test/rules/invalid_macro_loop.yaml
+++ b/test/rules/invalid_macro_loop.yaml
@@ -0,0 +1,8 @@
+- macro: macro_a
+  condition: evt.type=open
+
+- macro: macro_b
+  condition: macro_a
+
+- macro: macro_a
+  condition: macro_b
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -1,76 +0,0 @@
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not
-# use this file except in compliance with the License. You may obtain a copy of
-# the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations under
-# the License.
-#
-set(
-  FALCO_TESTS_SOURCES
-  test_base.cpp
-  engine/test_rulesets.cpp
-  engine/test_falco_utils.cpp
-  engine/test_filter_macro_resolver.cpp
-  engine/test_filter_evttype_resolver.cpp
-  engine/test_filter_warning_resolver.cpp
-  engine/test_plugin_requirements.cpp
-  falco/test_configuration.cpp
-)
-
-set(FALCO_TESTED_LIBRARIES falco_engine ${YAMLCPP_LIB})
-
-SET(FALCO_TESTS_ARGUMENTS "" CACHE STRING "Test arguments to pass to the Falco test suite")
-
-option(FALCO_BUILD_TESTS "Determines whether to build tests." ON)
-
-if(FALCO_BUILD_TESTS)
-  enable_testing()
-  if(NOT TARGET catch)
-    include(DownloadCatch)
-  endif()
-
-  if(NOT TARGET fakeit)
-    include(DownloadFakeIt)
-  endif()
-
-  add_executable(falco_test ${FALCO_TESTS_SOURCES})
-
-  target_link_libraries(falco_test PUBLIC ${FALCO_TESTED_LIBRARIES})
-
-  if(MINIMAL_BUILD)
-    target_include_directories(
-      falco_test
-      PUBLIC "${CATCH2_INCLUDE}"
-            "${FAKEIT_INCLUDE}"
-            "${PROJECT_SOURCE_DIR}/userspace/engine"
-            "${PROJECT_BINARY_DIR}/userspace/falco"
-            "${YAMLCPP_INCLUDE_DIR}"
-            "${PROJECT_SOURCE_DIR}/userspace/falco")
-  else()
-    target_include_directories(
-      falco_test
-      PUBLIC "${CATCH2_INCLUDE}"
-            "${FAKEIT_INCLUDE}"
-            "${PROJECT_SOURCE_DIR}/userspace/engine"
-            "${PROJECT_BINARY_DIR}/userspace/falco"
-            "${YAMLCPP_INCLUDE_DIR}"
-            "${PROJECT_SOURCE_DIR}/userspace/falco")
-  endif()
-  add_dependencies(falco_test catch2)
-
-  include(CMakeParseArguments)
-  include(CTest)
-  include(Catch)
-  catch_discover_tests(falco_test)
-  separate_arguments(FALCO_TESTS_ARGUMENTS)
-  add_custom_target(tests COMMAND ${CMAKE_CTEST_COMMAND} ${FALCO_TESTS_ARGUMENTS} DEPENDS falco_test)
-endif()
--- a/tests/OWNERS
+++ b/tests/OWNERS
@@ -1,2 +0,0 @@
-labels:
-  - area/tests
--- a/tests/README.md
+++ b/tests/README.md
@@ -1,57 +0,0 @@
-# Falco unit tests
-
-This folder contains the unit-tests suite for Falco.
-The framework we use for unit-tests is [Catch2](https://github.com/catchorg/Catch2), while the one we use for mocking is [FakeIt](https://github.com/eranpeer/FakeIt).
-
-
-## How to write tests
-
-When you want to test a new file or test a non tested file, remember four steps:
-
- The folder structure here is the same as the one in the `userspace` folder, so `userspace/engine` becomes `tests/engine`.
- We call test files with this format `test_<original-file-name>.cpp`
- Update the `CMakeLists.txt` file to include your file in `FALCO_TESTS_SOURCES` and change the `FALCO_TESTED_LIBRARIES` accordingly. You might also need to add dependencies, in that case, look at `target_link_libraries` and `target_include_directories`
- If you are unsure on how to write tests, refer to our existing tests in this folder and to the [Catch2](https://github.com/catchorg/Catch2/tree/master/docs) documentation.
-
-## How to execute tests
-
-The suite can be configured with `cmake` and run with `make`.
-
-
-In the root folder of Falco, after creating the build directory:
-
-```bash
-cd falco
-mkdir build
-cd build
-```
-
-You can prepare the tests with:
-
-```
-cmake ..
-```
-
-Optionally, you can customize the test suite by passing custom arguments like the examples below:
-
-**filter all tests containing the word ctor**
-
-```bash
-cmake -DFALCO_TESTS_ARGUMENTS:STRING="-R ctor" ..
-```
-
-**verbose execution**
-
-```bash
-cmake -DFALCO_TESTS_ARGUMENTS:STRING="-V" ..
-```
-
-
-To see a list of all the custom arguments you may pass, execute `ctest --help` in your terminal.
-
-
-Once you are ready, you can run your configuration with:
-
-```bash
-make tests
-```
--- a/tests/engine/test_falco_utils.cpp
+++ b/tests/engine/test_falco_utils.cpp
@@ -1,53 +0,0 @@
-/*
-Copyright (C) 2020 The Falco Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-#include "falco_utils.h"
-#include <nonstd/string_view.hpp>
-#include <catch.hpp>
-
-TEST_CASE("is_unix_scheme matches", "[utils]")
-{
-	SECTION("rvalue")
-	{
-		bool res = falco::utils::network::is_unix_scheme("unix:///run/falco/falco.sock");
-		REQUIRE(res);
-	}
-
-	SECTION("std::string")
-	{
-		std::string url("unix:///run/falco/falco.sock");
-		bool res = falco::utils::network::is_unix_scheme(url);
-		REQUIRE(res);
-	}
-
-	SECTION("char[]")
-	{
-		char url[] = "unix:///run/falco/falco.sock";
-		bool res = falco::utils::network::is_unix_scheme(url);
-		REQUIRE(res);
-	}
-}
-
-TEST_CASE("is_unix_scheme does not match", "[utils]")
-{
-	bool res = falco::utils::network::is_unix_scheme("something:///run/falco/falco.sock");
-	REQUIRE_FALSE(res);
-}
-
-TEST_CASE("is_unix_scheme only matches scheme at the start of the string", "[utils]")
-{
-	bool res = falco::utils::network::is_unix_scheme("/var/run/unix:///falco.sock");
-	REQUIRE_FALSE(res);
-}
--- a/tests/engine/test_filter_evttype_resolver.cpp
+++ b/tests/engine/test_filter_evttype_resolver.cpp
@@ -1,237 +0,0 @@
-/*
-Copyright (C) 2021 The Falco Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-
-*/
-
-#include "filter_evttype_resolver.h"
-#include <catch.hpp>
-#include <sinsp.h>
-#include <filter/parser.h>
-
-using namespace std;
-using namespace libsinsp::filter;
-
-string to_string(set<uint16_t> s)
-{
-	string out = "[";
-	for(auto &val : s)
-	{
-        out += out.size() == 1 ? "" : ", ";
-		out += to_string(val);
-	}
-	out += "]";
-	return out;
-}
-
-void compare_evttypes(std::unique_ptr<ast::expr> f, set<uint16_t> &expected)
-{
-    set<uint16_t> actual;
-    filter_evttype_resolver().evttypes(f.get(), actual);
-    for(auto &etype : expected)
-    {
-        REQUIRE(actual.find(etype) != actual.end());
-    }
-    for(auto &etype : actual)
-    {
-        REQUIRE(expected.find(etype) != expected.end());
-    }
-}
-
-std::unique_ptr<ast::expr> compile(const string &fltstr)
-{
-    return libsinsp::filter::parser(fltstr).parse();
-}
-
-TEST_CASE("Should find event types from filter", "[rule_loader]")
-{
-    set<uint16_t> openat_only{
-        PPME_SYSCALL_OPENAT_E, PPME_SYSCALL_OPENAT_X,
-		PPME_SYSCALL_OPENAT_2_E, PPME_SYSCALL_OPENAT_2_X };
-
-	set<uint16_t> close_only{
-		PPME_SYSCALL_CLOSE_E, PPME_SYSCALL_CLOSE_X };
-
-	set<uint16_t> openat_close{
-        PPME_SYSCALL_OPENAT_E, PPME_SYSCALL_OPENAT_X,
-        PPME_SYSCALL_OPENAT_2_E, PPME_SYSCALL_OPENAT_2_X,
-        PPME_SYSCALL_CLOSE_E, PPME_SYSCALL_CLOSE_X };
-
-	set<uint16_t> not_openat;
-	set<uint16_t> not_openat_close;
-	set<uint16_t> not_close;
-	set<uint16_t> all_events;
-	set<uint16_t> no_events;
-
-    for(uint32_t i = 2; i < PPM_EVENT_MAX; i++)
-    {
-        // Skip events that are unused.
-        if(sinsp::is_unused_event(i))
-        {
-            continue;
-        }
-
-        all_events.insert(i);
-        if(openat_only.find(i) == openat_only.end())
-        {
-            not_openat.insert(i);
-        }
-        if(openat_close.find(i) == openat_close.end())
-        {
-            not_openat_close.insert(i);
-        }
-        if (close_only.find(i) == close_only.end())
-        {
-            not_close.insert(i);
-        }
-    }
-
-    SECTION("evt_type_eq")
-    {
-        auto f = compile("evt.type=openat");
-        compare_evttypes(std::move(f), openat_only);
-    }
-
-    SECTION("evt_type_in")
-    {
-        auto f = compile("evt.type in (openat, close)");
-        compare_evttypes(std::move(f), openat_close);
-    }
-
-    SECTION("evt_type_ne")
-    {
-        auto f = compile("evt.type!=openat");
-        compare_evttypes(std::move(f), not_openat);
-    }
-
-    SECTION("not_evt_type_eq")
-    {
-        auto f = compile("not evt.type=openat");
-        compare_evttypes(std::move(f), not_openat);
-    }
-
-    SECTION("not_evt_type_in")
-    {
-        auto f = compile("not evt.type in (openat, close)");
-        compare_evttypes(std::move(f), not_openat_close);
-    }
-
-    SECTION("not_evt_type_ne")
-    {
-        auto f = compile("not evt.type != openat");
-        compare_evttypes(std::move(f), openat_only);
-    }
-
-    SECTION("evt_type_or")
-    {
-        auto f = compile("evt.type=openat or evt.type=close");
-        compare_evttypes(std::move(f), openat_close);
-    }
-
-    SECTION("not_evt_type_or")
-    {
-        auto f = compile("evt.type!=openat or evt.type!=close");
-        compare_evttypes(std::move(f), all_events);
-    }
-
-    SECTION("evt_type_or_ne")
-    {
-        auto f = compile("evt.type=close or evt.type!=openat");
-        compare_evttypes(std::move(f), not_openat);
-    }
-
-    SECTION("evt_type_and")
-    {
-        auto f = compile("evt.type=close and evt.type=openat");
-        compare_evttypes(std::move(f), no_events);
-    }
-
-    SECTION("evt_type_and_non_evt_type")
-    {
-        auto f = compile("evt.type=openat and proc.name=nginx");
-        compare_evttypes(std::move(f), openat_only);
-    }
-
-    SECTION("evt_type_and_non_evt_type_not")
-    {
-        auto f = compile("evt.type=openat and not proc.name=nginx");
-        compare_evttypes(std::move(f), openat_only);
-    }
-
-    SECTION("evt_type_and_nested")
-    {
-        auto f = compile("evt.type=openat and (proc.name=nginx)");
-        compare_evttypes(std::move(f), openat_only);
-    }
-
-    SECTION("evt_type_and_nested_multi")
-    {
-        auto f = compile("evt.type=openat and (evt.type=close and proc.name=nginx)");
-        compare_evttypes(std::move(f), no_events);
-    }
-
-    SECTION("non_evt_type")
-    {
-        auto f = compile("proc.name=nginx");
-        compare_evttypes(std::move(f), all_events);
-    }
-
-    SECTION("non_evt_type_or")
-    {
-        auto f = compile("evt.type=openat or proc.name=nginx");
-        compare_evttypes(std::move(f), all_events);
-    }
-
-    SECTION("non_evt_type_or_nested_first")
-    {
-        auto f = compile("(evt.type=openat) or proc.name=nginx");
-        compare_evttypes(std::move(f), all_events);
-    }
-
-    SECTION("non_evt_type_or_nested_second")
-    {
-        auto f = compile("evt.type=openat or (proc.name=nginx)");
-        compare_evttypes(std::move(f), all_events);
-    }
-
-    SECTION("non_evt_type_or_nested_multi")
-    {
-        auto f = compile("evt.type=openat or (evt.type=close and proc.name=nginx)");
-        compare_evttypes(std::move(f), openat_close);
-    }
-
-    SECTION("non_evt_type_or_nested_multi_not")
-    {
-        auto f = compile("evt.type=openat or not (evt.type=close and proc.name=nginx)");
-        compare_evttypes(std::move(f), not_close);
-    }
-
-    SECTION("non_evt_type_and_nested_multi_not")
-    {
-        auto f = compile("evt.type=openat and not (evt.type=close and proc.name=nginx)");
-        compare_evttypes(std::move(f), openat_only);
-    }
-
-    SECTION("ne_and_and")
-    {
-        auto f = compile("evt.type!=openat and evt.type!=close");
-        compare_evttypes(std::move(f), not_openat_close);
-    }
-
-    SECTION("not_not")
-    {
-        auto f = compile("not (not evt.type=openat)");
-        compare_evttypes(std::move(f), openat_only);
-    }
-}
--- a/tests/engine/test_filter_macro_resolver.cpp
+++ b/tests/engine/test_filter_macro_resolver.cpp
@@ -1,253 +0,0 @@
-/*
-Copyright (C) 2020 The Falco Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-#include "filter_macro_resolver.h"
-#include <catch.hpp>
-
-using namespace std;
-using namespace libsinsp::filter::ast;
-
-TEST_CASE("Should resolve macros on a filter AST", "[rule_loader]")
-{
-	string macro_name = "test_macro";
-
-	SECTION("in the general case")
-	{
-		std::shared_ptr<expr> macro = std::move(
-			unary_check_expr::create("test.field", "", "exists"));
-
-		std::vector<std::unique_ptr<expr>> filter_and;
-		filter_and.push_back(unary_check_expr::create("evt.name", "", "exists"));
-		filter_and.push_back(not_expr::create(value_expr::create(macro_name)));
-		std::shared_ptr<expr> filter = std::move(and_expr::create(filter_and));
-
-		std::vector<std::unique_ptr<expr>> expected_and;
-		expected_and.push_back(unary_check_expr::create("evt.name", "", "exists"));
-		expected_and.push_back(not_expr::create(clone(macro.get())));
-		std::shared_ptr<expr> expected = std::move(and_expr::create(expected_and));
-
-		filter_macro_resolver resolver;
-		resolver.set_macro(macro_name, macro);
-
-		// first run
-		REQUIRE(resolver.run(filter) == true);
-		REQUIRE(resolver.get_resolved_macros().size() == 1);
-		REQUIRE(*resolver.get_resolved_macros().begin() == macro_name);
-		REQUIRE(resolver.get_unknown_macros().empty());
-		REQUIRE(filter->is_equal(expected.get()));
-
-		// second run
-		REQUIRE(resolver.run(filter) == false);
-		REQUIRE(resolver.get_resolved_macros().empty());
-		REQUIRE(resolver.get_unknown_macros().empty());
-		REQUIRE(filter->is_equal(expected.get()));
-	}
-
-	SECTION("with a single node")
-	{
-		std::shared_ptr<expr> macro = std::move(
-			unary_check_expr::create("test.field", "", "exists"));
-
-		std::shared_ptr<expr> filter = std::move(value_expr::create(macro_name));
-
-		filter_macro_resolver resolver;
-		resolver.set_macro(macro_name, macro);
-
-		// first run
-		expr* old_filter_ptr = filter.get();
-		REQUIRE(resolver.run(filter) == true);
-		REQUIRE(filter.get() != old_filter_ptr);
-		REQUIRE(resolver.get_resolved_macros().size() == 1);
-		REQUIRE(*resolver.get_resolved_macros().begin() == macro_name);
-		REQUIRE(resolver.get_unknown_macros().empty());
-		REQUIRE(filter->is_equal(macro.get()));
-
-		// second run
-		old_filter_ptr = filter.get();
-		REQUIRE(resolver.run(filter) == false);
-		REQUIRE(filter.get() == old_filter_ptr);
-		REQUIRE(resolver.get_resolved_macros().empty());
-		REQUIRE(resolver.get_unknown_macros().empty());
-		REQUIRE(filter->is_equal(macro.get()));
-	}
-
-	SECTION("with multiple macros")
-	{
-		string a_macro_name = macro_name + "_1";
-		string b_macro_name = macro_name + "_2";
-
-		std::shared_ptr<expr> a_macro = std::move(
-			unary_check_expr::create("one.field", "", "exists"));
-		std::shared_ptr<expr> b_macro = std::move(
-			unary_check_expr::create("another.field", "", "exists"));
-
-		std::vector<std::unique_ptr<expr>> filter_or;
-		filter_or.push_back(value_expr::create(a_macro_name));
-		filter_or.push_back(value_expr::create(b_macro_name));
-		std::shared_ptr<expr> filter = std::move(or_expr::create(filter_or));
-
-		std::vector<std::unique_ptr<expr>> expected_or;
-		expected_or.push_back(clone(a_macro.get()));
-		expected_or.push_back(clone(b_macro.get()));
-		std::shared_ptr<expr>  expected_filter = std::move(or_expr::create(expected_or));
-
-		filter_macro_resolver resolver;
-		resolver.set_macro(a_macro_name, a_macro);
-		resolver.set_macro(b_macro_name, b_macro);
-
-		// first run
-		REQUIRE(resolver.run(filter) == true);
-		REQUIRE(resolver.get_resolved_macros().size() == 2);
-		REQUIRE(resolver.get_resolved_macros().find(a_macro_name)
-				!= resolver.get_resolved_macros().end());
-		REQUIRE(resolver.get_resolved_macros().find(b_macro_name)
-				!= resolver.get_resolved_macros().end());
-		REQUIRE(resolver.get_unknown_macros().empty());
-		REQUIRE(filter->is_equal(expected_filter.get()));
-
-		// second run
-		REQUIRE(resolver.run(filter) == false);
-		REQUIRE(resolver.get_resolved_macros().empty());
-		REQUIRE(resolver.get_unknown_macros().empty());
-		REQUIRE(filter->is_equal(expected_filter.get()));
-	}
-
-	SECTION("with nested macros")
-	{
-		string a_macro_name = macro_name + "_1";
-		string b_macro_name = macro_name + "_2";
-
-		std::vector<std::unique_ptr<expr>> a_macro_and;
-		a_macro_and.push_back(unary_check_expr::create("one.field", "", "exists"));
-		a_macro_and.push_back(value_expr::create(b_macro_name));
-		std::shared_ptr<expr> a_macro = std::move(and_expr::create(a_macro_and));
-
-		std::shared_ptr<expr> b_macro = std::move(
-			unary_check_expr::create("another.field", "", "exists"));
-
-		std::shared_ptr<expr> filter = std::move(value_expr::create(a_macro_name));
-
-		std::vector<std::unique_ptr<expr>> expected_and;
-		expected_and.push_back(unary_check_expr::create("one.field", "", "exists"));
-		expected_and.push_back(unary_check_expr::create("another.field", "", "exists"));
-		std::shared_ptr<expr> expected_filter = std::move(and_expr::create(expected_and));
-
-		filter_macro_resolver resolver;
-		resolver.set_macro(a_macro_name, a_macro);
-		resolver.set_macro(b_macro_name, b_macro);
-
-		// first run
-		REQUIRE(resolver.run(filter) == true);
-		REQUIRE(resolver.get_resolved_macros().size() == 2);
-		REQUIRE(resolver.get_resolved_macros().find(a_macro_name)
-				!= resolver.get_resolved_macros().end());
-		REQUIRE(resolver.get_resolved_macros().find(b_macro_name)
-				!= resolver.get_resolved_macros().end());
-		REQUIRE(resolver.get_unknown_macros().empty());
-		REQUIRE(filter->is_equal(expected_filter.get()));
-
-		// second run
-		REQUIRE(resolver.run(filter) == false);
-		REQUIRE(resolver.get_resolved_macros().empty());
-		REQUIRE(resolver.get_unknown_macros().empty());
-		REQUIRE(filter->is_equal(expected_filter.get()));
-	}
-}
-
-TEST_CASE("Should find unknown macros", "[rule_loader]")
-{
-	string macro_name = "test_macro";
-
-	SECTION("in the general case")
-	{
-		std::vector<std::unique_ptr<expr>> filter_and;
-		filter_and.push_back(unary_check_expr::create("evt.name", "", "exists"));
-		filter_and.push_back(not_expr::create(value_expr::create(macro_name)));
-		std::shared_ptr<expr> filter = std::move(and_expr::create(filter_and));
-
-		filter_macro_resolver resolver;
-		REQUIRE(resolver.run(filter) == false);
-		REQUIRE(resolver.get_unknown_macros().size() == 1);
-		REQUIRE(*resolver.get_unknown_macros().begin() == macro_name);
-		REQUIRE(resolver.get_resolved_macros().empty());
-	}
-
-	SECTION("with nested macros")
-	{
-		string a_macro_name = macro_name + "_1";
-		string b_macro_name = macro_name + "_2";
-
-		std::vector<std::unique_ptr<expr>> a_macro_and;
-		a_macro_and.push_back(unary_check_expr::create("one.field", "", "exists"));
-		a_macro_and.push_back(value_expr::create(b_macro_name));
-		std::shared_ptr<expr> a_macro = std::move(and_expr::create(a_macro_and));
-
-		std::shared_ptr<expr> filter = std::move(value_expr::create(a_macro_name));
-		auto expected_filter = clone(a_macro.get());
-
-		filter_macro_resolver resolver;
-		resolver.set_macro(a_macro_name, a_macro);
-
-		// first run
-		REQUIRE(resolver.run(filter) == true);
-		REQUIRE(resolver.get_resolved_macros().size() == 1);
-		REQUIRE(*resolver.get_resolved_macros().begin() == a_macro_name);
-		REQUIRE(resolver.get_unknown_macros().size() == 1);
-		REQUIRE(*resolver.get_unknown_macros().begin() == b_macro_name);
-		REQUIRE(filter->is_equal(expected_filter.get()));
-	}
-}
-
-TEST_CASE("Should undefine macro", "[rule_loader]")
-{
-	string macro_name = "test_macro";
-	std::shared_ptr<expr> macro = std::move(unary_check_expr::create("test.field", "", "exists"));
-	std::shared_ptr<expr> a_filter = std::move(value_expr::create(macro_name));
-	std::shared_ptr<expr> b_filter = std::move(value_expr::create(macro_name));
-	filter_macro_resolver resolver;
-
-	resolver.set_macro(macro_name, macro);
-	REQUIRE(resolver.run(a_filter) == true);
-	REQUIRE(resolver.get_resolved_macros().size() == 1);
-	REQUIRE(*resolver.get_resolved_macros().begin() == macro_name);
-	REQUIRE(resolver.get_unknown_macros().empty());
-	REQUIRE(a_filter->is_equal(macro.get()));
-
-	resolver.set_macro(macro_name, NULL);
-	REQUIRE(resolver.run(b_filter) == false);
-	REQUIRE(resolver.get_resolved_macros().empty());
-	REQUIRE(resolver.get_unknown_macros().size() == 1);
-	REQUIRE(*resolver.get_unknown_macros().begin() == macro_name);
-}
-
-// checks that the macro AST is cloned and not shared across resolved filters
-TEST_CASE("Should clone macro AST", "[rule_loader]")
-{
-	string macro_name = "test_macro";
-	std::shared_ptr<unary_check_expr> macro = std::move(unary_check_expr::create("test.field", "", "exists"));
-	std::shared_ptr<expr> filter = std::move(value_expr::create(macro_name));
-	filter_macro_resolver resolver;
-	
-	resolver.set_macro(macro_name, macro);
-	REQUIRE(resolver.run(filter) == true);
-	REQUIRE(resolver.get_resolved_macros().size() == 1);
-	REQUIRE(*resolver.get_resolved_macros().begin() == macro_name);
-	REQUIRE(resolver.get_unknown_macros().empty());
-	REQUIRE(filter->is_equal(macro.get()));
-
-	macro->field = "another.field";
-	REQUIRE(!filter->is_equal(macro.get()));
-}
--- a/tests/engine/test_filter_warning_resolver.cpp
+++ b/tests/engine/test_filter_warning_resolver.cpp
@@ -1,45 +0,0 @@
-/*
-Copyright (C) 2020 The Falco Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-#include "filter_warning_resolver.h"
-#include <catch.hpp>
-
-static bool warns(const std::string& condition)
-{
-	std::set<falco::load_result::warning_code> w;
-	auto ast = libsinsp::filter::parser(condition).parse();
-	filter_warning_resolver().run(ast.get(), w);
-	return !w.empty();
-}
-
-TEST_CASE("Should spot warnings in filtering conditions", "[rule_loader]")
-{
-	SECTION("for unsafe usage of <NA> in k8s audit fields")
-	{
-		REQUIRE(false == warns("ka.field exists"));
-		REQUIRE(false == warns("some.field = <NA>"));
-		REQUIRE(true == warns("jevt.field = <NA>"));
-		REQUIRE(true == warns("ka.field = <NA>"));
-		REQUIRE(true == warns("ka.field == <NA>"));
-		REQUIRE(true == warns("ka.field != <NA>"));
-		REQUIRE(true == warns("ka.field in (<NA>)"));
-		REQUIRE(true == warns("ka.field in (otherval, <NA>)"));
-		REQUIRE(true == warns("ka.field intersects (<NA>)"));
-		REQUIRE(true == warns("ka.field intersects (otherval, <NA>)"));
-		REQUIRE(true == warns("ka.field pmatch (<NA>)"));
-		REQUIRE(true == warns("ka.field pmatch (otherval, <NA>)"));
-	}
-}
--- a/tests/engine/test_plugin_requirements.cpp
+++ b/tests/engine/test_plugin_requirements.cpp
@@ -1,269 +0,0 @@
-/*
-Copyright (C) 2022 The Falco Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-#include <memory>
-#include <catch.hpp>
-#include "falco_engine.h"
-
-static void check_requirements(
-        bool expect_success,
-        const std::vector<falco_engine::plugin_version_requirement>& plugins,
-        const std::string& ruleset_content)
-{
-    std::string err;
-    std::unique_ptr<falco_engine> e(new falco_engine());
-    falco::load_result::rules_contents_t c = {{"test", ruleset_content}};
-
-    auto res = e->load_rules(c.begin()->second, c.begin()->first);
-    if (!res->successful())
-    {
-        if (expect_success)
-        {
-            FAIL(res->as_string(false, c));
-        }
-        return;
-    }
-
-    if (!e->check_plugin_requirements(plugins, err))
-    {
-        if (expect_success)
-        {
-            FAIL(err);
-        }
-    }
-    else if (!expect_success)
-    {
-        FAIL("unexpected successful plugin requirements check");
-    }
-}
-
-TEST_CASE("check_plugin_requirements must accept", "[rule_loader]")
-{
-    SECTION("no requirement")
-    {
-        check_requirements(true, {{"k8saudit", "0.1.0"}}, "");
-    }
-
-    SECTION("single plugin")
-    {
-        check_requirements(true, {{"k8saudit", "0.1.0"}}, R"(
- required_plugin_versions:
-  - name: k8saudit
-    version: 0.1.0
-        )");
-    }
-
-    SECTION("single plugin newer version")
-    {
-        check_requirements(true, {{"k8saudit", "0.2.0"}}, R"(
- required_plugin_versions:
-  - name: k8saudit
-    version: 0.1.0
-        )");
-    }
-
-    SECTION("multiple plugins")
-    {
-        check_requirements(true, {{"k8saudit", "0.1.0"}, {"json", "0.3.0"}}, R"(
- required_plugin_versions:
-  - name: k8saudit
-    version: 0.1.0
-  - name: json
-    version: 0.3.0
-        )");
-    }
-
-    SECTION("single plugin multiple versions")
-    {
-        check_requirements(true, {{"k8saudit", "0.2.0"}}, R"(
- required_plugin_versions:
-  - name: k8saudit
-    version: 0.1.0
- required_plugin_versions:
-  - name: k8saudit
-    version: 0.2.0
-        )");
-    }
-
-    SECTION("single plugin with alternatives")
-    {
-        check_requirements(true, {{"k8saudit-other", "0.5.0"}}, R"(
- required_plugin_versions:
-  - name: k8saudit
-    version: 0.1.0
-    alternatives:
-      - name: k8saudit-other
-        version: 0.4.0
-        )");
-    }
-
-    SECTION("multiple plugins with alternatives")
-    {
-        check_requirements(true, {{"k8saudit-other", "0.5.0"}, {"json2", "0.5.0"}}, R"(
- required_plugin_versions:
-  - name: k8saudit
-    version: 0.1.0
-    alternatives:
-      - name: k8saudit-other
-        version: 0.4.0
-  - name: json
-    version: 0.3.0
-    alternatives:
-      - name: json2
-        version: 0.1.0
-        )");
-    }
-
-    SECTION("multiple plugins with alternatives with multiple versions")
-    {
-        check_requirements(true, {{"k8saudit-other", "0.7.0"}, {"json2", "0.5.0"}}, R"(
- required_plugin_versions:
-  - name: k8saudit
-    version: 0.1.0
-    alternatives:
-      - name: k8saudit-other
-        version: 0.4.0
-  - name: json
-    version: 0.3.0
-    alternatives:
-      - name: json2
-        version: 0.1.0
- required_plugin_versions:
-  - name: k8saudit
-    version: 1.0.0
-    alternatives:
-      - name: k8saudit-other
-        version: 0.7.0
-        )");
-    }
-}
-
-TEST_CASE("check_plugin_requirements must reject", "[rule_loader]")
-{
-    SECTION("no plugin loaded")
-    {
-        check_requirements(false, {}, R"(
- required_plugin_versions:
-  - name: k8saudit
-    version: 0.1.0
-        )");
-    }
-    
-    SECTION("single plugin wrong name")
-    {
-        check_requirements(false, {{"k8saudit", "0.1.0"}}, R"(
- required_plugin_versions:
-  - name: k8saudit2
-    version: 0.1.0
-        )");
-    }
-
-    SECTION("single plugin wrong version")
-    {
-        check_requirements(false, {{"k8saudit", "0.1.0"}}, R"(
- required_plugin_versions:
-  - name: k8saudit
-    version: 0.2.0
-        )");
-    }
-
-    SECTION("multiple plugins")
-    {
-        check_requirements(false, {{"k8saudit", "0.1.0"}}, R"(
- required_plugin_versions:
-  - name: k8saudit
-    version: 0.1.0
-  - name: json
-    version: 0.3.0
-        )");
-    }
-
-    SECTION("single plugin multiple versions")
-    {
-        check_requirements(false, {{"k8saudit", "0.1.0"}}, R"(
- required_plugin_versions:
-  - name: k8saudit
-    version: 0.1.0
- required_plugin_versions:
-  - name: k8saudit
-    version: 0.2.0
-        )");
-    }
-
-    SECTION("single plugin with alternatives")
-    {
-        check_requirements(false, {{"k8saudit2", "0.5.0"}}, R"(
- required_plugin_versions:
-  - name: k8saudit
-    version: 0.1.0
-    alternatives:
-      - name: k8saudit-other
-        version: 0.4.0
-        )");
-    }
-
-    SECTION("single plugin with overlapping alternatives")
-    {
-        check_requirements(false, {{"k8saudit", "0.5.0"}}, R"(
- required_plugin_versions:
-  - name: k8saudit
-    version: 0.1.0
-    alternatives:
-      - name: k8saudit
-        version: 0.4.0
-        )");
-    }
-
-    SECTION("multiple plugins with alternatives")
-    {
-        check_requirements(false, {{"k8saudit-other", "0.5.0"}, {"json3", "0.5.0"}}, R"(
- required_plugin_versions:
-  - name: k8saudit
-    version: 0.1.0
-    alternatives:
-      - name: k8saudit-other
-        version: 0.4.0
-  - name: json
-    version: 0.3.0
-    alternatives:
-      - name: json2
-        version: 0.1.0
-        )");
-    }
-
-    SECTION("multiple plugins with alternatives with multiple versions")
-    {
-        check_requirements(false, {{"k8saudit", "0.7.0"}, {"json2", "0.5.0"}}, R"(
- required_plugin_versions:
-  - name: k8saudit
-    version: 0.4.0
-    alternatives:
-      - name: k8saudit-other
-        version: 0.4.0
-  - name: json
-    version: 0.3.0
-    alternatives:
-      - name: json2
-        version: 0.1.0
- required_plugin_versions:
-  - name: k8saudit
-    version: 1.0.0
-    alternatives:
-      - name: k8saudit-other
-        version: 0.7.0
-        )");
-    }
-}
--- a/tests/engine/test_rulesets.cpp
+++ b/tests/engine/test_rulesets.cpp
@@ -1,219 +0,0 @@
-/*
-Copyright (C) 2020 The Falco Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-#include "falco_common.h"
-#include "evttype_index_ruleset.h"
-#include <filter.h>
-#include <catch.hpp>
-
-static bool exact_match = true;
-static bool substring_match = false;
-static uint16_t default_ruleset = 0;
-static uint16_t non_default_ruleset = 3;
-static uint16_t other_non_default_ruleset = 2;
-static std::set<std::string> tags = {"some_tag", "some_other_tag"};
-static std::set<uint16_t> evttypes = { ppm_event_type::PPME_GENERIC_E };
-
-static std::shared_ptr<libsinsp::filter::ast::expr> create_filter()
-{
-	libsinsp::filter::parser parser("evt.type=open");
-	std::shared_ptr<libsinsp::filter::ast::expr> ret(parser.parse());
-	return ret;
-}
-
-static std::shared_ptr<filter_ruleset> create_ruleset()
-{
-	std::shared_ptr<gen_event_filter_factory> f(new sinsp_filter_factory(NULL));
-	std::shared_ptr<filter_ruleset> ret(new evttype_index_ruleset(f));
-	return ret;
-}
-
-TEST_CASE("Should enable/disable on ruleset", "[rulesets]")
-{
-	auto r = create_ruleset();
-	auto filter = create_filter();
-	falco_rule rule;
-	rule.name = "one_rule";
-	rule.source = falco_common::syscall_source;
-	rule.tags = tags;
-
-	r->add(rule, filter);
-
-	SECTION("Should enable/disable for exact match w/ default ruleset")
-	{
-		r->enable("one_rule", exact_match, default_ruleset);
-		REQUIRE(r->enabled_count(default_ruleset) == 1);
-
-		r->disable("one_rule", exact_match, default_ruleset);
-		REQUIRE(r->enabled_count(default_ruleset) == 0);
-	}
-
-	SECTION("Should enable/disable for exact match w/ specific ruleset")
-	{
-		r->enable("one_rule", exact_match, non_default_ruleset);
-		REQUIRE(r->enabled_count(non_default_ruleset) == 1);
-		REQUIRE(r->enabled_count(default_ruleset) == 0);
-		REQUIRE(r->enabled_count(other_non_default_ruleset) == 0);
-
-		r->disable("one_rule", exact_match, non_default_ruleset);
-		REQUIRE(r->enabled_count(non_default_ruleset) == 0);
-		REQUIRE(r->enabled_count(default_ruleset) == 0);
-		REQUIRE(r->enabled_count(other_non_default_ruleset) == 0);
-	}
-
-	SECTION("Should not enable for exact match different rule name")
-	{
-		r->enable("some_other_rule", exact_match, default_ruleset);
-		REQUIRE(r->enabled_count(default_ruleset) == 0);
-	}
-
-	SECTION("Should enable/disable for exact match w/ substring and default ruleset")
-	{
-		r->enable("one_rule", substring_match, default_ruleset);
-		REQUIRE(r->enabled_count(default_ruleset) == 1);
-
-		r->disable("one_rule", substring_match, default_ruleset);
-		REQUIRE(r->enabled_count(default_ruleset) == 0);
-	}
-
-	SECTION("Should not enable for substring w/ exact_match")
-	{
-		r->enable("one_", exact_match, default_ruleset);
-		REQUIRE(r->enabled_count(default_ruleset) == 0);
-	}
-
-	SECTION("Should enable/disable for prefix match w/ default ruleset")
-	{
-		r->enable("one_", substring_match, default_ruleset);
-		REQUIRE(r->enabled_count(default_ruleset) == 1);
-
-		r->disable("one_", substring_match, default_ruleset);
-		REQUIRE(r->enabled_count(default_ruleset) == 0);
-	}
-
-	SECTION("Should enable/disable for suffix match w/ default ruleset")
-	{
-		r->enable("_rule", substring_match, default_ruleset);
-		REQUIRE(r->enabled_count(default_ruleset) == 1);
-
-		r->disable("_rule", substring_match, default_ruleset);
-		REQUIRE(r->enabled_count(default_ruleset) == 0);
-	}
-
-	SECTION("Should enable/disable for substring match w/ default ruleset")
-	{
-		r->enable("ne_ru", substring_match, default_ruleset);
-		REQUIRE(r->enabled_count(default_ruleset) == 1);
-
-		r->disable("ne_ru", substring_match, default_ruleset);
-		REQUIRE(r->enabled_count(default_ruleset) == 0);
-	}
-
-	SECTION("Should enable/disable for substring match w/ specific ruleset")
-	{
-		r->enable("ne_ru", substring_match, non_default_ruleset);
-		REQUIRE(r->enabled_count(non_default_ruleset) == 1);
-		REQUIRE(r->enabled_count(default_ruleset) == 0);
-		REQUIRE(r->enabled_count(other_non_default_ruleset) == 0);
-
-		r->disable("ne_ru", substring_match, non_default_ruleset);
-		REQUIRE(r->enabled_count(non_default_ruleset) == 0);
-		REQUIRE(r->enabled_count(default_ruleset) == 0);
-		REQUIRE(r->enabled_count(other_non_default_ruleset) == 0);
-	}
-
-	SECTION("Should enable/disable for tags w/ default ruleset")
-	{
-		std::set<std::string> want_tags = {"some_tag"};
-
-		r->enable_tags(want_tags, default_ruleset);
-		REQUIRE(r->enabled_count(default_ruleset) == 1);
-
-		r->disable_tags(want_tags, default_ruleset);
-		REQUIRE(r->enabled_count(default_ruleset) == 0);
-	}
-
-	SECTION("Should enable/disable for tags w/ specific ruleset")
-	{
-		std::set<std::string> want_tags = {"some_tag"};
-
-		r->enable_tags(want_tags, non_default_ruleset);
-		REQUIRE(r->enabled_count(non_default_ruleset) == 1);
-		REQUIRE(r->enabled_count(default_ruleset) == 0);
-		REQUIRE(r->enabled_count(other_non_default_ruleset) == 0);
-
-		r->disable_tags(want_tags, non_default_ruleset);
-		REQUIRE(r->enabled_count(non_default_ruleset) == 0);
-		REQUIRE(r->enabled_count(default_ruleset) == 0);
-		REQUIRE(r->enabled_count(other_non_default_ruleset) == 0);
-	}
-
-	SECTION("Should not enable for different tags")
-	{
-		std::set<std::string> want_tags = {"some_different_tag"};
-
-		r->enable_tags(want_tags, default_ruleset);
-		REQUIRE(r->enabled_count(non_default_ruleset) == 0);
-	}
-
-	SECTION("Should enable/disable for overlapping tags")
-	{
-		std::set<std::string> want_tags = {"some_tag", "some_different_tag"};
-
-		r->enable_tags(want_tags, default_ruleset);
-		REQUIRE(r->enabled_count(default_ruleset) == 1);
-
-		r->disable_tags(want_tags, default_ruleset);
-		REQUIRE(r->enabled_count(default_ruleset) == 0);
-	}
-
-}
-
-TEST_CASE("Should enable/disable on ruleset for incremental adding tags", "[rulesets]")
-{
-	auto r = create_ruleset();
-
-	auto rule1_filter = create_filter();
-	falco_rule rule1;
-	rule1.name = "one_rule";
-	rule1.source = falco_common::syscall_source;
-	rule1.tags =  {"rule1_tag"};
-	r->add(rule1, rule1_filter);
-
-	auto rule2_filter = create_filter();
-	falco_rule rule2;
-	rule2.name = "two_rule";
-	rule2.source = falco_common::syscall_source;
-	rule2.tags =  {"rule2_tag"};
-	r->add(rule2, rule2_filter);
-
-	std::set<std::string> want_tags;
-
-	want_tags = rule1.tags;
-	r->enable_tags(want_tags, default_ruleset);
-	REQUIRE(r->enabled_count(default_ruleset) == 1);
-
-	want_tags = rule2.tags;
-	r->enable_tags(want_tags, default_ruleset);
-	REQUIRE(r->enabled_count(default_ruleset) == 2);
-
-	r->disable_tags(want_tags, default_ruleset);
-	REQUIRE(r->enabled_count(default_ruleset) == 1);
-
-	want_tags = rule1.tags;
-	r->disable_tags(want_tags, default_ruleset);
-	REQUIRE(r->enabled_count(default_ruleset) == 0);
-}
--- a/tests/falco/test_configuration.cpp
+++ b/tests/falco/test_configuration.cpp
@@ -1,106 +0,0 @@
-/*
-Copyright (C) 2021 The Falco Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-#include "configuration.h"
-#include <catch.hpp>
-
-string sample_yaml = 
-    "base_value:\n"
-    "    id: 1\n"
-    "    name: 'sample_name'\n"
-    "    subvalue:\n"
-    "      subvalue2:\n"
-    "        boolean: true\n"
-    "base_value_2:\n"
-    "  sample_list:\n"
-    "    - elem1\n"
-    "    - elem2\n"
-    "    - elem3\n"
-;
-
-TEST_CASE("configuration must load YAML data", "[configuration]")
-{
-    yaml_configuration conf;
-
-    SECTION("broken YAML")
-    {
-        string sample_broken_yaml = sample_yaml + " /  bad_symbol";
-        REQUIRE_THROWS(conf.load_from_string(sample_broken_yaml));
-    }
-
-    SECTION("valid YAML")
-    {    
-        REQUIRE_NOTHROW(conf.load_from_string(sample_yaml));
-    }
-
-    SECTION("clearing and reloading")
-    {   
-        conf.load_from_string(sample_yaml);
-        REQUIRE(conf.is_defined("base_value") == true);
-        conf.clear();
-        REQUIRE(conf.is_defined("base_value") == false);
-        conf.load_from_string(sample_yaml);
-        REQUIRE(conf.is_defined("base_value") == true);
-    }
-}
-
-TEST_CASE("configuration must read YAML fields", "[configuration]")
-{
-	yaml_configuration conf;
-    conf.load_from_string(sample_yaml);
-
-    SECTION("base level")
-    {
-        REQUIRE(conf.is_defined("base_value") == true);
-        REQUIRE(conf.is_defined("base_value_2") == true);
-        REQUIRE(conf.is_defined("unknown_base_value") == false);
-    }
-
-    SECTION("arbitrary depth nesting")
-    {
-        REQUIRE(conf.get_scalar<int>("base_value.id", -1) == 1);
-        REQUIRE(conf.get_scalar<string>("base_value.name", "none") == "sample_name");
-        REQUIRE(conf.get_scalar<bool>("base_value.subvalue.subvalue2.boolean", false) == true);
-    }
-    
-    SECTION("list field elements")
-    {
-        REQUIRE(conf.get_scalar<string>("base_value_2.sample_list[0]", "none") == "elem1");
-        REQUIRE(conf.get_scalar<string>("base_value_2.sample_list[1]", "none") == "elem2");
-        REQUIRE(conf.get_scalar<string>("base_value_2.sample_list[2]", "none") == "elem3");
-    }
-
-    SECTION("sequence")
-    {
-        vector<string> seq;
-        conf.get_sequence(seq, "base_value_2.sample_list");
-        REQUIRE(seq.size() == 3);
-        REQUIRE(seq[0] == "elem1");
-        REQUIRE(seq[1] == "elem2");
-        REQUIRE(seq[2] == "elem3");
-    }
-}
-
-TEST_CASE("configuration must modify YAML fields", "[configuration]")
-{
-    string key = "base_value.subvalue.subvalue2.boolean";
-	yaml_configuration conf;
-    conf.load_from_string(sample_yaml);
-    REQUIRE(conf.get_scalar<bool>(key, false) == true);
-    conf.set_scalar<bool>(key, false);
-    REQUIRE(conf.get_scalar<bool>(key, true) == false);
-    conf.set_scalar<bool>(key, true);
-    REQUIRE(conf.get_scalar<bool>(key, false) == true);
-}
--- a/unit_tests/CMakeLists.txt
+++ b/unit_tests/CMakeLists.txt
@@ -0,0 +1,64 @@
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+message(STATUS "Falco unit tests build enabled")
+
+include(FetchContent)
+
+FetchContent_Declare(
+  googletest
+  GIT_REPOSITORY https://github.com/google/googletest.git
+  GIT_TAG        release-1.12.1
+)
+
+FetchContent_MakeAvailable(googletest)
+
+file(GLOB_RECURSE ENGINE_TESTS ${CMAKE_CURRENT_SOURCE_DIR}/engine/*.cpp)
+file(GLOB_RECURSE FALCO_TESTS ${CMAKE_CURRENT_SOURCE_DIR}/falco/*.cpp)
+
+set(FALCO_UNIT_TESTS_SOURCES
+  "${ENGINE_TESTS}"
+  "${FALCO_TESTS}"
+)
+
+set(FALCO_UNIT_TESTS_INCLUDES
+    PRIVATE
+    ${CMAKE_SOURCE_DIR}/userspace
+    ${CMAKE_BINARY_DIR}/userspace/falco # we need it to include indirectly `config_falco.h` file
+    ${CMAKE_SOURCE_DIR}/userspace/engine # we need it to include indirectly `falco_common.h` file
+)
+
+set(FALCO_UNIT_TESTS_DEPENDENCIES
+  gtest
+  gtest_main
+  falco_application
+)
+
+get_target_property(FALCO_APPLICATION_LIBRARIES falco_application LINK_LIBRARIES)
+
+set(FALCO_UNIT_TESTS_LIBRARIES
+  gtest
+  gtest_main
+  falco_application
+  ${FALCO_APPLICATION_LIBRARIES}
+)
+
+message(STATUS "FALCO_UNIT_TESTS_SOURCES: ${FALCO_UNIT_TESTS_SOURCES}")
+message(STATUS "FALCO_UNIT_TESTS_INCLUDES: ${FALCO_UNIT_TESTS_INCLUDES}")
+message(STATUS "FALCO_UNIT_TESTS_DEPENDENCIES: ${FALCO_UNIT_TESTS_DEPENDENCIES}")
+message(STATUS "FALCO_UNIT_TESTS_LIBRARIES: ${FALCO_UNIT_TESTS_LIBRARIES}")
+
+add_executable(falco_unit_tests ${FALCO_UNIT_TESTS_SOURCES})
+target_include_directories(falco_unit_tests ${FALCO_UNIT_TESTS_INCLUDES})
+target_link_libraries(falco_unit_tests ${FALCO_UNIT_TESTS_LIBRARIES})
+add_dependencies(falco_unit_tests ${FALCO_UNIT_TESTS_DEPENDENCIES})
--- a/unit_tests/README.md
+++ b/unit_tests/README.md
@@ -0,0 +1,13 @@
+# Falco unit tests
+
+## Intro
+
+Under `unit_tests/engine` and `unit_tests/falco` directories, we have different test suites that could be a single file or an entire directory according to the number and the complexity of tests.
+
+## Build and Run
+
+```bash
+cmake -DMINIMAL_BUILD=On -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DBUILD_FALCO_UNIT_TESTS=On ..
+make falco_unit_tests
+sudo ./unit_tests/falco_unit_tests
+```
--- a/unit_tests/engine/test_falco_utils.cpp
+++ b/unit_tests/engine/test_falco_utils.cpp
@@ -0,0 +1,38 @@
+/*
+Copyright (C) 2023 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <gtest/gtest.h>
+#include <engine/falco_utils.h>
+
+TEST(FalcoUtils, is_unix_scheme)
+{
+	/* Wrong prefix */
+	ASSERT_EQ(falco::utils::network::is_unix_scheme("something:///run/falco/falco.sock"), false);
+
+	/* Similar prefix, but wrong */
+	ASSERT_EQ(falco::utils::network::is_unix_scheme("unix///falco.sock"), false);
+
+	/* Right prefix, passed as an `rvalue` */
+	ASSERT_EQ(falco::utils::network::is_unix_scheme("unix:///falco.sock"), true);
+
+	/* Right prefix, passed as a `std::string` */
+	std::string url_string("unix:///falco.sock");
+	ASSERT_EQ(falco::utils::network::is_unix_scheme(url_string), true);
+
+	/* Right prefix, passed as a `char[]` */
+	char url_char[] = "unix:///falco.sock";
+	ASSERT_EQ(falco::utils::network::is_unix_scheme(url_char), true);
+}
--- a/unit_tests/engine/test_filter_macro_resolver.cpp
+++ b/unit_tests/engine/test_filter_macro_resolver.cpp
@@ -0,0 +1,278 @@
+/*
+Copyright (C) 2023 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless ASSERT_EQd by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <gtest/gtest.h>
+#include <engine/filter_macro_resolver.h>
+
+static std::vector<filter_macro_resolver::value_info>::const_iterator find_value(
+	const std::vector<filter_macro_resolver::value_info>& values,
+	const std::string& ref)
+{
+	return std::find_if(
+		values.begin(),
+		values.end(),
+		[&ref](const filter_macro_resolver::value_info& v)
+		{ return v.first == ref; });
+}
+
+#define MACRO_NAME "test_macro"
+#define MACRO_A_NAME "test_macro_1"
+#define MACRO_B_NAME "test_macro_2"
+
+TEST(MacroResolver, should_resolve_macros_on_a_filter_AST)
+{
+	libsinsp::filter::ast::pos_info macro_pos(12, 85, 27);
+
+	std::shared_ptr<libsinsp::filter::ast::expr> macro = std::move(libsinsp::filter::ast::unary_check_expr::create("test.field", "", "exists"));
+
+	std::vector<std::unique_ptr<libsinsp::filter::ast::expr>> filter_and;
+	filter_and.push_back(libsinsp::filter::ast::unary_check_expr::create("evt.name", "", "exists"));
+	filter_and.push_back(libsinsp::filter::ast::not_expr::create(libsinsp::filter::ast::value_expr::create(MACRO_NAME, macro_pos)));
+	std::shared_ptr<libsinsp::filter::ast::expr> filter = std::move(libsinsp::filter::ast::and_expr::create(filter_and));
+
+	std::vector<std::unique_ptr<libsinsp::filter::ast::expr>> expected_and;
+	expected_and.push_back(libsinsp::filter::ast::unary_check_expr::create("evt.name", "", "exists"));
+	expected_and.push_back(libsinsp::filter::ast::not_expr::create(clone(macro.get())));
+	std::shared_ptr<libsinsp::filter::ast::expr> expected = std::move(libsinsp::filter::ast::and_expr::create(expected_and));
+
+	filter_macro_resolver resolver;
+	resolver.set_macro(MACRO_NAME, macro);
+
+	// first run
+	ASSERT_TRUE(resolver.run(filter));
+	ASSERT_EQ(resolver.get_resolved_macros().size(), 1);
+	ASSERT_STREQ(resolver.get_resolved_macros().begin()->first.c_str(), MACRO_NAME);
+	ASSERT_EQ(resolver.get_resolved_macros().begin()->second, macro_pos);
+	ASSERT_TRUE(resolver.get_unknown_macros().empty());
+	ASSERT_TRUE(filter->is_equal(expected.get()));
+
+	// second run
+	ASSERT_FALSE(resolver.run(filter));
+	ASSERT_TRUE(resolver.get_resolved_macros().empty());
+	ASSERT_TRUE(resolver.get_unknown_macros().empty());
+	ASSERT_TRUE(filter->is_equal(expected.get()));
+}
+
+TEST(MacroResolver, should_resolve_macros_on_a_filter_AST_single_node)
+{
+	libsinsp::filter::ast::pos_info macro_pos(12, 85, 27);
+
+	std::shared_ptr<libsinsp::filter::ast::expr> macro = std::move(libsinsp::filter::ast::unary_check_expr::create("test.field", "", "exists"));
+
+	std::shared_ptr<libsinsp::filter::ast::expr> filter = std::move(libsinsp::filter::ast::value_expr::create(MACRO_NAME, macro_pos));
+
+	filter_macro_resolver resolver;
+	resolver.set_macro(MACRO_NAME, macro);
+
+	// first run
+	libsinsp::filter::ast::expr* old_filter_ptr = filter.get();
+	ASSERT_TRUE(resolver.run(filter));
+	ASSERT_NE(filter.get(), old_filter_ptr);
+	ASSERT_EQ(resolver.get_resolved_macros().size(), 1);
+	ASSERT_STREQ(resolver.get_resolved_macros().begin()->first.c_str(), MACRO_NAME);
+	ASSERT_EQ(resolver.get_resolved_macros().begin()->second, macro_pos);
+	ASSERT_TRUE(resolver.get_unknown_macros().empty());
+	ASSERT_TRUE(filter->is_equal(macro.get()));
+
+	// second run
+	old_filter_ptr = filter.get();
+	ASSERT_FALSE(resolver.run(filter));
+	ASSERT_EQ(filter.get(), old_filter_ptr);
+	ASSERT_TRUE(resolver.get_resolved_macros().empty());
+	ASSERT_TRUE(resolver.get_unknown_macros().empty());
+	ASSERT_TRUE(filter->is_equal(macro.get()));
+}
+
+TEST(MacroResolver, should_resolve_macros_on_a_filter_AST_multiple_macros)
+{
+	libsinsp::filter::ast::pos_info a_macro_pos(11, 75, 43);
+	libsinsp::filter::ast::pos_info b_macro_pos(91, 21, 9);
+
+	std::shared_ptr<libsinsp::filter::ast::expr> a_macro = std::move(libsinsp::filter::ast::unary_check_expr::create("one.field", "", "exists"));
+	std::shared_ptr<libsinsp::filter::ast::expr> b_macro = std::move(libsinsp::filter::ast::unary_check_expr::create("another.field", "", "exists"));
+
+	std::vector<std::unique_ptr<libsinsp::filter::ast::expr>> filter_or;
+	filter_or.push_back(libsinsp::filter::ast::value_expr::create(MACRO_A_NAME, a_macro_pos));
+	filter_or.push_back(libsinsp::filter::ast::value_expr::create(MACRO_B_NAME, b_macro_pos));
+	std::shared_ptr<libsinsp::filter::ast::expr> filter = std::move(libsinsp::filter::ast::or_expr::create(filter_or));
+
+	std::vector<std::unique_ptr<libsinsp::filter::ast::expr>> expected_or;
+	expected_or.push_back(clone(a_macro.get()));
+	expected_or.push_back(clone(b_macro.get()));
+	std::shared_ptr<libsinsp::filter::ast::expr> expected_filter = std::move(libsinsp::filter::ast::or_expr::create(expected_or));
+
+	filter_macro_resolver resolver;
+	resolver.set_macro(MACRO_A_NAME, a_macro);
+	resolver.set_macro(MACRO_B_NAME, b_macro);
+
+	// first run
+	ASSERT_TRUE(resolver.run(filter));
+	ASSERT_EQ(resolver.get_resolved_macros().size(), 2);
+	auto a_resolved_itr = find_value(resolver.get_resolved_macros(), MACRO_A_NAME);
+	ASSERT_NE(a_resolved_itr, resolver.get_resolved_macros().end());
+	ASSERT_STREQ(a_resolved_itr->first.c_str(), MACRO_A_NAME);
+	ASSERT_EQ(a_resolved_itr->second, a_macro_pos);
+
+	auto b_resolved_itr = find_value(resolver.get_resolved_macros(), MACRO_B_NAME);
+	ASSERT_NE(b_resolved_itr, resolver.get_resolved_macros().end());
+	ASSERT_TRUE(resolver.get_unknown_macros().empty());
+	ASSERT_STREQ(b_resolved_itr->first.c_str(), MACRO_B_NAME);
+	ASSERT_EQ(b_resolved_itr->second, b_macro_pos);
+	ASSERT_TRUE(filter->is_equal(expected_filter.get()));
+
+	// second run
+	ASSERT_FALSE(resolver.run(filter));
+	ASSERT_TRUE(resolver.get_resolved_macros().empty());
+	ASSERT_TRUE(resolver.get_unknown_macros().empty());
+	ASSERT_TRUE(filter->is_equal(expected_filter.get()));
+}
+
+TEST(MacroResolver, should_resolve_macros_on_a_filter_AST_nested_macros)
+{
+	libsinsp::filter::ast::pos_info a_macro_pos(47, 1, 76);
+	libsinsp::filter::ast::pos_info b_macro_pos(111, 65, 2);
+
+	std::vector<std::unique_ptr<libsinsp::filter::ast::expr>> a_macro_and;
+	a_macro_and.push_back(libsinsp::filter::ast::unary_check_expr::create("one.field", "", "exists"));
+	a_macro_and.push_back(libsinsp::filter::ast::value_expr::create(MACRO_B_NAME, b_macro_pos));
+	std::shared_ptr<libsinsp::filter::ast::expr> a_macro = std::move(libsinsp::filter::ast::and_expr::create(a_macro_and));
+
+	std::shared_ptr<libsinsp::filter::ast::expr> b_macro = std::move(
+		libsinsp::filter::ast::unary_check_expr::create("another.field", "", "exists"));
+
+	std::shared_ptr<libsinsp::filter::ast::expr> filter = std::move(libsinsp::filter::ast::value_expr::create(MACRO_A_NAME, a_macro_pos));
+
+	std::vector<std::unique_ptr<libsinsp::filter::ast::expr>> expected_and;
+	expected_and.push_back(libsinsp::filter::ast::unary_check_expr::create("one.field", "", "exists"));
+	expected_and.push_back(libsinsp::filter::ast::unary_check_expr::create("another.field", "", "exists"));
+	std::shared_ptr<libsinsp::filter::ast::expr> expected_filter = std::move(libsinsp::filter::ast::and_expr::create(expected_and));
+
+	filter_macro_resolver resolver;
+	resolver.set_macro(MACRO_A_NAME, a_macro);
+	resolver.set_macro(MACRO_B_NAME, b_macro);
+
+	// first run
+	ASSERT_TRUE(resolver.run(filter));
+	ASSERT_EQ(resolver.get_resolved_macros().size(), 2);
+	auto a_resolved_itr = find_value(resolver.get_resolved_macros(), MACRO_A_NAME);
+	ASSERT_NE(a_resolved_itr, resolver.get_resolved_macros().end());
+	ASSERT_STREQ(a_resolved_itr->first.c_str(), MACRO_A_NAME);
+	ASSERT_EQ(a_resolved_itr->second, a_macro_pos);
+
+	auto b_resolved_itr = find_value(resolver.get_resolved_macros(), MACRO_B_NAME);
+	ASSERT_NE(b_resolved_itr, resolver.get_resolved_macros().end());
+	ASSERT_TRUE(resolver.get_unknown_macros().empty());
+	ASSERT_STREQ(b_resolved_itr->first.c_str(), MACRO_B_NAME);
+	ASSERT_EQ(b_resolved_itr->second, b_macro_pos);
+
+	ASSERT_TRUE(resolver.get_unknown_macros().empty());
+	ASSERT_TRUE(filter->is_equal(expected_filter.get()));
+
+	// second run
+	ASSERT_FALSE(resolver.run(filter));
+	ASSERT_TRUE(resolver.get_resolved_macros().empty());
+	ASSERT_TRUE(resolver.get_unknown_macros().empty());
+	ASSERT_TRUE(filter->is_equal(expected_filter.get()));
+}
+
+TEST(MacroResolver, should_find_unknown_macros)
+{
+	libsinsp::filter::ast::pos_info macro_pos(9, 4, 2);
+
+	std::vector<std::unique_ptr<libsinsp::filter::ast::expr>> filter_and;
+	filter_and.push_back(libsinsp::filter::ast::unary_check_expr::create("evt.name", "", "exists"));
+	filter_and.push_back(libsinsp::filter::ast::not_expr::create(libsinsp::filter::ast::value_expr::create(MACRO_NAME, macro_pos)));
+	std::shared_ptr<libsinsp::filter::ast::expr> filter = std::move(libsinsp::filter::ast::and_expr::create(filter_and));
+
+	filter_macro_resolver resolver;
+	ASSERT_FALSE(resolver.run(filter));
+	ASSERT_EQ(resolver.get_unknown_macros().size(), 1);
+	ASSERT_STREQ(resolver.get_unknown_macros().begin()->first.c_str(), MACRO_NAME);
+	ASSERT_EQ(resolver.get_unknown_macros().begin()->second, macro_pos);
+	ASSERT_TRUE(resolver.get_resolved_macros().empty());
+}
+
+TEST(MacroResolver, should_find_unknown_nested_macros)
+{
+	libsinsp::filter::ast::pos_info a_macro_pos(32, 84, 9);
+	libsinsp::filter::ast::pos_info b_macro_pos(1, 0, 5);
+
+	std::vector<std::unique_ptr<libsinsp::filter::ast::expr>> a_macro_and;
+	a_macro_and.push_back(libsinsp::filter::ast::unary_check_expr::create("one.field", "", "exists"));
+	a_macro_and.push_back(libsinsp::filter::ast::value_expr::create(MACRO_B_NAME, b_macro_pos));
+	std::shared_ptr<libsinsp::filter::ast::expr> a_macro = std::move(libsinsp::filter::ast::and_expr::create(a_macro_and));
+
+	std::shared_ptr<libsinsp::filter::ast::expr> filter = std::move(libsinsp::filter::ast::value_expr::create(MACRO_A_NAME, a_macro_pos));
+	auto expected_filter = clone(a_macro.get());
+
+	filter_macro_resolver resolver;
+	resolver.set_macro(MACRO_A_NAME, a_macro);
+
+	ASSERT_TRUE(resolver.run(filter));
+	ASSERT_EQ(resolver.get_resolved_macros().size(), 1);
+	ASSERT_STREQ(resolver.get_resolved_macros().begin()->first.c_str(), MACRO_A_NAME);
+	ASSERT_EQ(resolver.get_resolved_macros().begin()->second, a_macro_pos);
+	ASSERT_EQ(resolver.get_unknown_macros().size(), 1);
+	ASSERT_STREQ(resolver.get_unknown_macros().begin()->first.c_str(), MACRO_B_NAME);
+	ASSERT_EQ(resolver.get_unknown_macros().begin()->second, b_macro_pos);
+	ASSERT_TRUE(filter->is_equal(expected_filter.get()));
+}
+
+TEST(MacroResolver, should_undefine_macro)
+{
+	libsinsp::filter::ast::pos_info macro_pos_1(12, 9, 3);
+	libsinsp::filter::ast::pos_info macro_pos_2(9, 6, 3);
+
+	std::shared_ptr<libsinsp::filter::ast::expr> macro = std::move(libsinsp::filter::ast::unary_check_expr::create("test.field", "", "exists"));
+	std::shared_ptr<libsinsp::filter::ast::expr> a_filter = std::move(libsinsp::filter::ast::value_expr::create(MACRO_NAME, macro_pos_1));
+	std::shared_ptr<libsinsp::filter::ast::expr> b_filter = std::move(libsinsp::filter::ast::value_expr::create(MACRO_NAME, macro_pos_2));
+	filter_macro_resolver resolver;
+
+	resolver.set_macro(MACRO_NAME, macro);
+	ASSERT_TRUE(resolver.run(a_filter));
+	ASSERT_EQ(resolver.get_resolved_macros().size(), 1);
+	ASSERT_STREQ(resolver.get_resolved_macros().begin()->first.c_str(), MACRO_NAME);
+	ASSERT_EQ(resolver.get_resolved_macros().begin()->second, macro_pos_1);
+	ASSERT_TRUE(resolver.get_unknown_macros().empty());
+	ASSERT_TRUE(a_filter->is_equal(macro.get()));
+
+	resolver.set_macro(MACRO_NAME, NULL);
+	ASSERT_FALSE(resolver.run(b_filter));
+	ASSERT_TRUE(resolver.get_resolved_macros().empty());
+	ASSERT_EQ(resolver.get_unknown_macros().size(), 1);
+	ASSERT_STREQ(resolver.get_unknown_macros().begin()->first.c_str(), MACRO_NAME);
+	ASSERT_EQ(resolver.get_unknown_macros().begin()->second, macro_pos_2);
+}
+
+/* checks that the macro AST is cloned and not shared across resolved filters */
+TEST(MacroResolver, should_clone_macro_AST)
+{
+	libsinsp::filter::ast::pos_info macro_pos(5, 2, 8888);
+	std::shared_ptr<libsinsp::filter::ast::unary_check_expr> macro = std::move(libsinsp::filter::ast::unary_check_expr::create("test.field", "", "exists"));
+	std::shared_ptr<libsinsp::filter::ast::expr> filter = std::move(libsinsp::filter::ast::value_expr::create(MACRO_NAME, macro_pos));
+	filter_macro_resolver resolver;
+
+	resolver.set_macro(MACRO_NAME, macro);
+	ASSERT_TRUE(resolver.run(filter));
+	ASSERT_EQ(resolver.get_resolved_macros().size(), 1);
+	ASSERT_STREQ(resolver.get_resolved_macros().begin()->first.c_str(), MACRO_NAME);
+	ASSERT_EQ(resolver.get_resolved_macros().begin()->second, macro_pos);
+	ASSERT_TRUE(resolver.get_unknown_macros().empty());
+	ASSERT_TRUE(filter->is_equal(macro.get()));
+
+	macro->field = "another.field";
+	ASSERT_FALSE(filter->is_equal(macro.get()));
+}
--- a/unit_tests/engine/test_filter_warning_resolver.cpp
+++ b/unit_tests/engine/test_filter_warning_resolver.cpp
@@ -0,0 +1,42 @@
+/*
+Copyright (C) 2023 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless ASSERTd by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <gtest/gtest.h>
+#include <engine/filter_warning_resolver.h>
+
+static bool warns(const std::string& condition)
+{
+	std::set<falco::load_result::warning_code> w;
+	auto ast = libsinsp::filter::parser(condition).parse();
+	filter_warning_resolver().run(ast.get(), w);
+	return !w.empty();
+}
+
+TEST(WarningResolver, warnings_in_filtering_conditions)
+{
+	ASSERT_FALSE(warns("ka.field exists"));
+	ASSERT_FALSE(warns("some.field = <NA>"));
+	ASSERT_TRUE(warns("jevt.field = <NA>"));
+	ASSERT_TRUE(warns("ka.field = <NA>"));
+	ASSERT_TRUE(warns("ka.field == <NA>"));
+	ASSERT_TRUE(warns("ka.field != <NA>"));
+	ASSERT_TRUE(warns("ka.field in (<NA>)"));
+	ASSERT_TRUE(warns("ka.field in (otherval, <NA>)"));
+	ASSERT_TRUE(warns("ka.field intersects (<NA>)"));
+	ASSERT_TRUE(warns("ka.field intersects (otherval, <NA>)"));
+	ASSERT_TRUE(warns("ka.field pmatch (<NA>)"));
+	ASSERT_TRUE(warns("ka.field pmatch (otherval, <NA>)"));
+}
--- a/unit_tests/engine/test_plugin_requirements.cpp
+++ b/unit_tests/engine/test_plugin_requirements.cpp
@@ -0,0 +1,238 @@
+/*
+Copyright (C) 2023 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <memory>
+#include <engine/falco_engine.h>
+#include <gtest/gtest.h>
+
+static bool check_requirements(std::string& err,
+			       const std::vector<falco_engine::plugin_version_requirement>& plugins,
+			       const std::string& ruleset_content)
+{
+	std::unique_ptr<falco_engine> e(new falco_engine());
+	falco::load_result::rules_contents_t c = {{"test", ruleset_content}};
+
+	auto res = e->load_rules(c.begin()->second, c.begin()->first);
+	if(!res->successful())
+	{
+		return false;
+	}
+	return e->check_plugin_requirements(plugins, err);
+}
+
+TEST(PluginRequirements, check_plugin_requirements_success)
+{
+	std::string error;
+
+	/* No requirement */
+	ASSERT_TRUE(check_requirements(error, {{"k8saudit", "0.1.0"}}, "")) << error << std::endl;
+
+	/* Single plugin */
+	ASSERT_TRUE(check_requirements(error, {{"k8saudit", "0.1.0"}}, R"(
+- required_plugin_versions:
+  - name: k8saudit
+    version: 0.1.0
+        )")) << error
+	     << std::endl;
+
+	/* Single plugin newer version */
+	ASSERT_TRUE(check_requirements(error, {{"k8saudit", "0.2.0"}}, R"(
+- required_plugin_versions:
+  - name: k8saudit
+    version: 0.1.0
+        )")) << error
+	     << std::endl;
+
+	/* Multiple plugins */
+	ASSERT_TRUE(check_requirements(error, {{"k8saudit", "0.1.0"}, {"json", "0.3.0"}}, R"(
+- required_plugin_versions:
+  - name: k8saudit
+    version: 0.1.0
+  - name: json
+    version: 0.3.0
+        )")) << error
+	     << std::endl;
+
+	/* Single plugin multiple versions */
+	ASSERT_TRUE(check_requirements(error, {{"k8saudit", "0.2.0"}}, R"(
+- required_plugin_versions:
+  - name: k8saudit
+    version: 0.1.0
+- required_plugin_versions:
+  - name: k8saudit
+    version: 0.2.0
+        )")) << error
+	     << std::endl;
+
+	/* Single plugin with alternatives */
+	ASSERT_TRUE(check_requirements(error, {{"k8saudit-other", "0.5.0"}}, R"(
+- required_plugin_versions:
+  - name: k8saudit
+    version: 0.1.0
+    alternatives:
+      - name: k8saudit-other
+        version: 0.4.0
+        )")) << error
+	     << std::endl;
+
+	/* Multiple plugins with alternatives */
+	ASSERT_TRUE(check_requirements(error, {{"k8saudit-other", "0.5.0"}, {"json2", "0.5.0"}}, R"(
+- required_plugin_versions:
+  - name: k8saudit
+    version: 0.1.0
+    alternatives:
+      - name: k8saudit-other
+        version: 0.4.0
+  - name: json
+    version: 0.3.0
+    alternatives:
+      - name: json2
+        version: 0.1.0
+        )")) << error
+	     << std::endl;
+
+	/* Multiple plugins with alternatives with multiple versions */
+	ASSERT_TRUE(check_requirements(error, {{"k8saudit-other", "0.7.0"}, {"json2", "0.5.0"}}, R"(
+- required_plugin_versions:
+  - name: k8saudit
+    version: 0.1.0
+    alternatives:
+      - name: k8saudit-other
+        version: 0.4.0
+  - name: json
+    version: 0.3.0
+    alternatives:
+      - name: json2
+        version: 0.1.0
+- required_plugin_versions:
+  - name: k8saudit
+    version: 1.0.0
+    alternatives:
+      - name: k8saudit-other
+        version: 0.7.0
+        )")) << error
+	     << std::endl;
+}
+
+TEST(PluginRequirements, check_plugin_requirements_reject)
+{
+	std::string error;
+
+	/* No plugin loaded */
+	ASSERT_FALSE(check_requirements(error, {}, R"(
+- required_plugin_versions:
+  - name: k8saudit
+    version: 0.1.0
+        )")) << error
+	     << std::endl;
+
+	/* Single plugin wrong name */
+	ASSERT_FALSE(check_requirements(error, {{"k8saudit", "0.1.0"}}, R"(
+- required_plugin_versions:
+  - name: k8saudit2
+    version: 0.1.0
+        )")) << error
+	     << std::endl;
+
+	/* Single plugin wrong version */
+	ASSERT_FALSE(check_requirements(error, {{"k8saudit", "0.1.0"}}, R"(
+- required_plugin_versions:
+  - name: k8saudit
+    version: 0.2.0
+        )")) << error
+	     << std::endl;
+
+	/* Multiple plugins */
+	ASSERT_FALSE(check_requirements(error, {{"k8saudit", "0.1.0"}}, R"(
+- required_plugin_versions:
+  - name: k8saudit
+    version: 0.1.0
+  - name: json
+    version: 0.3.0
+        )")) << error
+	     << std::endl;
+
+	/* Single plugin multiple versions */
+	ASSERT_FALSE(check_requirements(error, {{"k8saudit", "0.1.0"}}, R"(
+- required_plugin_versions:
+  - name: k8saudit
+    version: 0.1.0
+- required_plugin_versions:
+  - name: k8saudit
+    version: 0.2.0
+        )")) << error
+	     << std::endl;
+
+	/* Single plugin with alternatives */
+	ASSERT_FALSE(check_requirements(error, {{"k8saudit2", "0.5.0"}}, R"(
+- required_plugin_versions:
+  - name: k8saudit
+    version: 0.1.0
+    alternatives:
+      - name: k8saudit-other
+        version: 0.4.0
+        )")) << error
+	     << std::endl;
+
+	/* Single plugin with overlapping alternatives */
+	ASSERT_FALSE(check_requirements(error, {{"k8saudit", "0.5.0"}}, R"(
+- required_plugin_versions:
+  - name: k8saudit
+    version: 0.1.0
+    alternatives:
+      - name: k8saudit
+        version: 0.4.0
+        )")) << error
+	     << std::endl;
+
+	/* Multiple plugins with alternatives */
+	ASSERT_FALSE(check_requirements(error, {{"k8saudit-other", "0.5.0"}, {"json3", "0.5.0"}}, R"(
+- required_plugin_versions:
+  - name: k8saudit
+    version: 0.1.0
+    alternatives:
+      - name: k8saudit-other
+        version: 0.4.0
+  - name: json
+    version: 0.3.0
+    alternatives:
+      - name: json2
+        version: 0.1.0
+        )")) << error
+	     << std::endl;
+
+	/* Multiple plugins with alternatives with multiple versions */
+	ASSERT_FALSE(check_requirements(error, {{"k8saudit", "0.7.0"}, {"json2", "0.5.0"}}, R"(
+- required_plugin_versions:
+  - name: k8saudit
+    version: 0.4.0
+    alternatives:
+      - name: k8saudit-other
+        version: 0.4.0
+  - name: json
+    version: 0.3.0
+    alternatives:
+      - name: json2
+        version: 0.1.0
+- required_plugin_versions:
+  - name: k8saudit
+    version: 1.0.0
+    alternatives:
+      - name: k8saudit-other
+        version: 0.7.0
+        )")) << error
+	     << std::endl;
+}
--- a/unit_tests/engine/test_rulesets.cpp
+++ b/unit_tests/engine/test_rulesets.cpp
@@ -0,0 +1,177 @@
+/*
+Copyright (C) 2023 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <gtest/gtest.h>
+#include <engine/evttype_index_ruleset.h>
+
+#define RULESET_0 0
+#define RULESET_1 1
+#define RULESET_2 2
+
+/* Helpers methods */
+static std::shared_ptr<gen_event_filter_factory> create_factory()
+{
+	std::shared_ptr<gen_event_filter_factory> ret(new sinsp_filter_factory(NULL));
+	return ret;
+}
+
+static std::shared_ptr<filter_ruleset> create_ruleset(std::shared_ptr<gen_event_filter_factory> f)
+{
+	std::shared_ptr<filter_ruleset> ret(new evttype_index_ruleset(f));
+	return ret;
+}
+
+static std::shared_ptr<libsinsp::filter::ast::expr> create_ast(std::shared_ptr<gen_event_filter_factory> f)
+{
+	libsinsp::filter::parser parser("evt.type=open");
+	std::shared_ptr<libsinsp::filter::ast::expr> ret(parser.parse());
+	return ret;
+}
+
+static std::shared_ptr<gen_event_filter> create_filter(
+	std::shared_ptr<gen_event_filter_factory> f,
+	std::shared_ptr<libsinsp::filter::ast::expr> ast)
+{
+	sinsp_filter_compiler compiler(f, ast.get());
+	std::shared_ptr<gen_event_filter> filter(compiler.compile());
+	return filter;
+}
+
+TEST(Ruleset, enable_disable_rules_using_names)
+{
+	auto f = create_factory();
+	auto r = create_ruleset(f);
+	auto ast = create_ast(f);
+	auto filter = create_filter(f, ast);
+
+	falco_rule rule_A = {};
+	rule_A.name = "rule_A";
+	rule_A.source = falco_common::syscall_source;
+
+	falco_rule rule_B = {};
+	rule_B.name = "rule_B";
+	rule_B.source = falco_common::syscall_source;
+
+	falco_rule rule_C = {};
+	rule_C.name = "rule_C";
+	rule_C.source = falco_common::syscall_source;
+
+	r->add(rule_A, filter, ast);
+	r->add(rule_B, filter, ast);
+	r->add(rule_C, filter, ast);
+
+	/* Enable `rule_A` for RULESET_0 */
+	r->enable(rule_A.name, true, RULESET_0);
+	ASSERT_EQ(r->enabled_count(RULESET_0), 1);
+	ASSERT_EQ(r->enabled_count(RULESET_1), 0);
+	ASSERT_EQ(r->enabled_count(RULESET_2), 0);
+
+	/* Disable `rule_A` for RULESET_1, this should have no effect */
+	r->disable(rule_A.name, true, RULESET_1);
+	ASSERT_EQ(r->enabled_count(RULESET_0), 1);
+	ASSERT_EQ(r->enabled_count(RULESET_1), 0);
+	ASSERT_EQ(r->enabled_count(RULESET_2), 0);
+
+	/* Enable a not existing rule for RULESET_2, this should have no effect */
+	r->disable("<NA>", true, RULESET_2);
+	ASSERT_EQ(r->enabled_count(RULESET_0), 1);
+	ASSERT_EQ(r->enabled_count(RULESET_1), 0);
+	ASSERT_EQ(r->enabled_count(RULESET_2), 0);
+
+	/* Enable all rules for RULESET_0 */
+	r->enable("rule_", false, RULESET_0);
+	ASSERT_EQ(r->enabled_count(RULESET_0), 3);
+	ASSERT_EQ(r->enabled_count(RULESET_1), 0);
+	ASSERT_EQ(r->enabled_count(RULESET_2), 0);
+
+	/* Try to disable all rules with exact match for RULESET_0, this should have no effect */
+	r->disable("rule_", true, RULESET_0);
+	ASSERT_EQ(r->enabled_count(RULESET_0), 3);
+	ASSERT_EQ(r->enabled_count(RULESET_1), 0);
+	ASSERT_EQ(r->enabled_count(RULESET_2), 0);
+
+	/* Disable all rules for RULESET_0 */
+	r->disable("rule_", false, RULESET_0);
+	ASSERT_EQ(r->enabled_count(RULESET_0), 0);
+	ASSERT_EQ(r->enabled_count(RULESET_1), 0);
+	ASSERT_EQ(r->enabled_count(RULESET_2), 0);
+
+	/* Enable rule_C for RULESET_2 without exact_match */
+	r->enable("_C", false, RULESET_2);
+	ASSERT_EQ(r->enabled_count(RULESET_0), 0);
+	ASSERT_EQ(r->enabled_count(RULESET_1), 0);
+	ASSERT_EQ(r->enabled_count(RULESET_2), 1);
+}
+
+TEST(Ruleset, enable_disable_rules_using_tags)
+{
+	auto f = create_factory();
+	auto r = create_ruleset(f);
+	auto ast = create_ast(f);
+	auto filter = create_filter(f, ast);
+
+	falco_rule rule_A = {};
+	rule_A.name = "rule_A";
+	rule_A.source = falco_common::syscall_source;
+	rule_A.tags = {"first_rule_A_tag", "second_rule_A_tag", "common_tag"};
+
+	falco_rule rule_B = {};
+	rule_B.name = "rule_B";
+	rule_B.source = falco_common::syscall_source;
+	rule_B.tags = {"first_rule_B_tag", "second_rule_B_tag", "common_tag"};
+
+	r->add(rule_A, filter, ast);
+	r->add(rule_B, filter, ast);
+
+	/* Enable `rule_A` for RULESET_0 using its first tag */
+	r->enable_tags({"first_rule_A_tag"}, RULESET_0);
+	ASSERT_EQ(r->enabled_count(RULESET_0), 1);
+	ASSERT_EQ(r->enabled_count(RULESET_1), 0);
+	ASSERT_EQ(r->enabled_count(RULESET_2), 0);
+
+	/* Disable `rule_A` for RULESET_1 using its first tag, this should have no effect */
+	r->disable_tags({"first_rule_A_tag"}, RULESET_1);
+	ASSERT_EQ(r->enabled_count(RULESET_0), 1);
+	ASSERT_EQ(r->enabled_count(RULESET_1), 0);
+	ASSERT_EQ(r->enabled_count(RULESET_2), 0);
+
+	/* Enable a not existing rule for RULESET_0, this should have no effect */
+	r->enable_tags({"<NA_tag>"}, RULESET_0);
+	ASSERT_EQ(r->enabled_count(RULESET_0), 1);
+	ASSERT_EQ(r->enabled_count(RULESET_1), 0);
+	ASSERT_EQ(r->enabled_count(RULESET_2), 0);
+
+	/* Enable all rules for RULESET_2 */
+	r->enable_tags({"common_tag"}, RULESET_2);
+	ASSERT_EQ(r->enabled_count(RULESET_0), 1);
+	ASSERT_EQ(r->enabled_count(RULESET_1), 0);
+	ASSERT_EQ(r->enabled_count(RULESET_2), 2);
+
+	/* Disable `rule_A` for RULESET_0 using its second tag
+	 * Note that we have previously enabled it using the first tag,
+	 * so here we are using a different tag of the rule t disable it!
+	 */
+	r->disable_tags({"second_rule_A_tag"}, RULESET_0);
+	ASSERT_EQ(r->enabled_count(RULESET_0), 0);
+	ASSERT_EQ(r->enabled_count(RULESET_1), 0);
+	ASSERT_EQ(r->enabled_count(RULESET_2), 2);
+
+	/* Disable all rules for RULESET_2 */
+	r->disable_tags({"common_tag"}, RULESET_2);
+	ASSERT_EQ(r->enabled_count(RULESET_0), 0);
+	ASSERT_EQ(r->enabled_count(RULESET_1), 0);
+	ASSERT_EQ(r->enabled_count(RULESET_2), 0);
+}
--- a/unit_tests/falco/app/actions/test_configure_interesting_sets.cpp
+++ b/unit_tests/falco/app/actions/test_configure_interesting_sets.cpp
@@ -0,0 +1,390 @@
+/*
+Copyright (C) 2023 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+*/
+
+#include <falco_engine.h>
+
+#include <falco/app/state.h>
+#include <falco/app/actions/actions.h>
+
+#include <gtest/gtest.h>
+
+#define ASSERT_NAMES_EQ(a, b) { \
+	EXPECT_EQ(_order(a).size(), _order(b).size()); \
+	ASSERT_EQ(_order(a), _order(b)); \
+}
+
+#define ASSERT_NAMES_CONTAIN(a, b) { \
+	ASSERT_NAMES_EQ(unordered_set_intersection(a, b), b); \
+}
+
+#define ASSERT_NAMES_NOCONTAIN(a, b) { \
+	ASSERT_NAMES_EQ(unordered_set_intersection(a, b), strset_t({})); \
+}
+
+using strset_t = std::unordered_set<std::string>;
+
+static std::set<std::string> _order(const strset_t& s) 
+{
+	return std::set<std::string>(s.begin(), s.end());
+}
+
+static std::string s_sample_ruleset = "sample-ruleset";
+
+static std::string s_sample_source = falco_common::syscall_source;
+
+static strset_t s_sample_filters = {
+	"evt.type=connect or evt.type=accept or evt.type=accept4 or evt.type=umount2",
+	"evt.type in (open, ptrace, mmap, execve, read, container)",
+	"evt.type in (open, execve, mprotect) and not evt.type=mprotect"};
+
+static strset_t s_sample_generic_filters = {
+	"evt.type=syncfs or evt.type=fanotify_init"};
+
+static strset_t s_sample_nonsyscall_filters = {
+	"evt.type in (procexit, switch, pluginevent, container)"};
+
+
+// todo(jasondellaluce): once we have deeper and more modular
+// control on the falco engine, make this a little nicer
+static std::shared_ptr<falco_engine> mock_engine_from_filters(const strset_t& filters)
+{
+	// craft a fake ruleset with the given filters
+	int n_rules = 0;
+	std::string dummy_rules;
+	falco::load_result::rules_contents_t content = {{"dummy_rules.yaml", dummy_rules}};
+	for (const auto& f : filters)
+	{
+		n_rules++;
+		dummy_rules +=
+			"- rule: Dummy Rule " + std::to_string(n_rules) + "\n"
+			+ "  output: Dummy Output " + std::to_string(n_rules) + "\n"
+			+ "  condition: " + f + "\n"
+			+ "  desc: Dummy Desc " + std::to_string(n_rules) + "\n"
+			+ "  priority: CRITICAL\n\n";
+	}
+
+	// create a falco engine and load the ruleset
+	std::shared_ptr<falco_engine> res(new falco_engine());
+	auto filter_factory = std::shared_ptr<gen_event_filter_factory>(
+			new sinsp_filter_factory(nullptr));
+	auto formatter_factory = std::shared_ptr<gen_event_formatter_factory>(
+			new sinsp_evt_formatter_factory(nullptr));
+	res->add_source(s_sample_source, filter_factory, formatter_factory);
+	res->load_rules(dummy_rules, "dummy_rules.yaml");
+	res->enable_rule("", true, s_sample_ruleset);
+	return res;
+}
+
+TEST(ConfigureInterestingSets, engine_codes_syscalls_set)
+{
+	auto engine = mock_engine_from_filters(s_sample_filters);
+	auto enabled_count = engine->num_rules_for_ruleset(s_sample_ruleset);
+	ASSERT_EQ(enabled_count, s_sample_filters.size());
+
+	// test if event code names were extracted from each rule in test ruleset.
+	auto rules_event_set = engine->event_codes_for_ruleset(s_sample_source);
+	auto rules_event_names = libsinsp::events::event_set_to_names(rules_event_set);
+	ASSERT_NAMES_EQ(rules_event_names, strset_t({
+		"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", "read", "container"}));
+
+	// test if sc code names were extracted from each rule in test ruleset.
+	// note, this is not supposed to contain "container", as that's an event
+	// not mapped through the ppm_sc_code enumerative.
+	auto rules_sc_set = engine->sc_codes_for_ruleset(s_sample_source);
+	auto rules_sc_names = libsinsp::events::sc_set_to_names(rules_sc_set);
+	ASSERT_NAMES_EQ(rules_sc_names, strset_t({
+		"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", "read"}));
+}
+
+TEST(ConfigureInterestingSets, preconditions_postconditions)
+{
+	falco::app::state s;
+	auto mock_engine = mock_engine_from_filters(s_sample_filters);
+
+	s.engine = mock_engine;
+	s.config = nullptr;
+	auto result = falco::app::actions::configure_interesting_sets(s);
+	ASSERT_FALSE(result.success);
+	ASSERT_NE(result.errstr, "");
+
+	s.engine = nullptr;
+	s.config = std::make_shared<falco_configuration>();
+	result = falco::app::actions::configure_interesting_sets(s);
+	ASSERT_FALSE(result.success);
+	ASSERT_NE(result.errstr, "");
+
+	s.engine = mock_engine;
+	s.config = std::make_shared<falco_configuration>();
+	result = falco::app::actions::configure_interesting_sets(s);
+	ASSERT_TRUE(result.success);
+	ASSERT_EQ(result.errstr, "");
+
+	auto prev_selection_size = s.selected_sc_set.size();
+	result = falco::app::actions::configure_interesting_sets(s);
+	ASSERT_TRUE(result.success);
+	ASSERT_EQ(result.errstr, "");
+	ASSERT_EQ(prev_selection_size, s.selected_sc_set.size());
+}
+
+TEST(ConfigureInterestingSets, engine_codes_nonsyscalls_set)
+{
+	auto filters = s_sample_filters;
+	filters.insert(s_sample_generic_filters.begin(), s_sample_generic_filters.end());
+	filters.insert(s_sample_nonsyscall_filters.begin(), s_sample_nonsyscall_filters.end());
+
+	auto engine = mock_engine_from_filters(filters);
+	auto enabled_count = engine->num_rules_for_ruleset(s_sample_ruleset);
+	ASSERT_EQ(enabled_count, filters.size());
+
+	auto rules_event_set = engine->event_codes_for_ruleset(s_sample_source);
+	auto rules_event_names = libsinsp::events::event_set_to_names(rules_event_set);
+	// note: including even one generic event will cause PPME_GENERIC_E to be
+	// included in the ruleset's event codes. As such, when translating to names,
+	// PPME_GENERIC_E will cause all names of generic events to be added!
+	// This is a good example of information loss from ppm_event_code <-> ppm_sc_code.
+	auto generic_names = libsinsp::events::event_set_to_names({ppm_event_code::PPME_GENERIC_E});
+	auto expected_names = strset_t({
+		"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", "read", "container", // ruleset
+		"procexit", "switch", "pluginevent"}); // from non-syscall event filters
+	expected_names.insert(generic_names.begin(), generic_names.end());
+	ASSERT_NAMES_EQ(rules_event_names, expected_names);
+
+	auto rules_sc_set = engine->sc_codes_for_ruleset(s_sample_source);
+	auto rules_sc_names = libsinsp::events::sc_set_to_names(rules_sc_set);
+	ASSERT_NAMES_EQ(rules_sc_names, strset_t({
+		"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", "read",
+		"syncfs", "fanotify_init", // from generic event filters
+	}));
+}
+
+TEST(ConfigureInterestingSets, selection_not_allevents)
+{
+	// run app action with fake engine and without the `-A` option
+	falco::app::state s;
+	s.engine = mock_engine_from_filters(s_sample_filters);
+	s.options.all_events = false;
+	auto result = falco::app::actions::configure_interesting_sets(s);
+	ASSERT_TRUE(result.success);
+	ASSERT_EQ(result.errstr, "");
+
+	// todo(jasondellaluce): once we have deeper control on falco's outputs,
+	// also check if a warning has been printed in stderr
+
+	// check that the final selected set is the one expected
+	ASSERT_GT(s.selected_sc_set.size(), 1);
+	auto selected_sc_names = libsinsp::events::sc_set_to_names(s.selected_sc_set);
+	auto expected_sc_names = strset_t({
+		// note: we expect the "read" syscall to have been erased
+		"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", // from ruleset
+		"clone", "clone3", "fork", "vfork", // from sinsp state set (spawned_process)
+		"socket", "bind", "close" // from sinsp state set (network, files)
+	});
+	ASSERT_NAMES_CONTAIN(selected_sc_names, expected_sc_names);
+
+	// check that all IO syscalls have been erased from the selection
+	auto io_set = libsinsp::events::io_sc_set();
+	auto erased_sc_names = libsinsp::events::sc_set_to_names(io_set);
+	ASSERT_NAMES_NOCONTAIN(selected_sc_names, erased_sc_names);
+
+	// check that final selected set is exactly sinsp state + ruleset
+	auto rule_set = s.engine->sc_codes_for_ruleset(s_sample_source, s_sample_ruleset);
+	auto state_set = libsinsp::events::sinsp_state_sc_set();
+	for (const auto &erased : io_set)
+	{
+		rule_set.remove(erased);
+		state_set.remove(erased);
+	}
+	auto union_set = state_set.merge(rule_set);
+	auto inter_set = state_set.intersect(rule_set);
+	ASSERT_EQ(s.selected_sc_set.size(), state_set.size() + rule_set.size() - inter_set.size());
+	ASSERT_EQ(s.selected_sc_set, union_set);
+}
+
+TEST(ConfigureInterestingSets, selection_allevents)
+{
+	// run app action with fake engine and with the `-A` option
+	falco::app::state s;
+	s.engine = mock_engine_from_filters(s_sample_filters);
+	s.options.all_events = true;
+	auto result = falco::app::actions::configure_interesting_sets(s);
+	ASSERT_TRUE(result.success);
+	ASSERT_EQ(result.errstr, "");
+
+	// todo(jasondellaluce): once we have deeper control on falco's outputs,
+	// also check if a warning has not been printed in stderr
+
+	// check that the final selected set is the one expected
+	ASSERT_GT(s.selected_sc_set.size(), 1);
+	auto selected_sc_names = libsinsp::events::sc_set_to_names(s.selected_sc_set);
+	auto expected_sc_names = strset_t({
+		// note: we expect the "read" syscall to not be erased
+		"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", "read", // from ruleset
+		"clone", "clone3", "fork", "vfork", // from sinsp state set (spawned_process)
+		"socket", "bind", "close" // from sinsp state set (network, files)
+	});
+	ASSERT_NAMES_CONTAIN(selected_sc_names, expected_sc_names);
+
+	// check that final selected set is exactly sinsp state + ruleset
+	auto rule_set = s.engine->sc_codes_for_ruleset(s_sample_source, s_sample_ruleset);
+	auto state_set = libsinsp::events::sinsp_state_sc_set();
+	auto union_set = state_set.merge(rule_set);
+	auto inter_set = state_set.intersect(rule_set);
+	ASSERT_EQ(s.selected_sc_set.size(), state_set.size() + rule_set.size() - inter_set.size());
+	ASSERT_EQ(s.selected_sc_set, union_set);
+}
+
+TEST(ConfigureInterestingSets, selection_generic_evts)
+{
+	// run app action with fake engine and without the `-A` option
+	falco::app::state s;
+	s.options.all_events = false;
+	auto filters = s_sample_filters;
+	filters.insert(s_sample_generic_filters.begin(), s_sample_generic_filters.end());
+	s.engine = mock_engine_from_filters(filters);
+	auto result = falco::app::actions::configure_interesting_sets(s);
+	ASSERT_TRUE(result.success);
+	ASSERT_EQ(result.errstr, "");
+
+	// check that the final selected set is the one expected
+	ASSERT_GT(s.selected_sc_set.size(), 1);
+	auto selected_sc_names = libsinsp::events::sc_set_to_names(s.selected_sc_set);
+	auto expected_sc_names = strset_t({
+		// note: we expect the "read" syscall to not be erased
+		"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", // from ruleset
+		"syncfs", "fanotify_init",  // from ruleset (generic events)
+		"clone", "clone3", "fork", "vfork", // from sinsp state set (spawned_process)
+		"socket", "bind", "close" // from sinsp state set (network, files)
+	});
+	ASSERT_NAMES_CONTAIN(selected_sc_names, expected_sc_names);
+	auto unexpected_sc_names = libsinsp::events::sc_set_to_names(libsinsp::events::io_sc_set());
+	ASSERT_NAMES_NOCONTAIN(selected_sc_names, unexpected_sc_names);
+}
+
+// expected combinations precedence:
+// - final selected set is the union of rules events and base events
+//   (either default or custom positive set)
+// - events in the custom negative set are removed from the selected set
+// - if `-A` is not set, events from the IO set are removed from the selected set
+TEST(ConfigureInterestingSets, selection_custom_base_set)
+{
+	// run app action with fake engine and without the `-A` option
+	falco::app::state s;
+	s.options.all_events = true;
+	s.engine = mock_engine_from_filters(s_sample_filters);
+	auto default_base_set = libsinsp::events::sinsp_state_sc_set();
+
+	// non-empty custom base set (both positive and negative)
+	s.config->m_base_syscalls_repair = false;
+	s.config->m_base_syscalls_custom_set = {"syncfs", "!accept"};
+	auto result = falco::app::actions::configure_interesting_sets(s);
+	ASSERT_TRUE(result.success);
+	ASSERT_EQ(result.errstr, "");
+	auto selected_sc_names = libsinsp::events::sc_set_to_names(s.selected_sc_set);
+	auto expected_sc_names = strset_t({
+		// note: `syncfs` has been added due to the custom base set, and `accept`
+		// has been remove due to the negative base set.
+		// note: `read` is not ignored due to the "-A" option being set.
+		// note: `accept` is not included even though it is matched by the rules,
+		// which means that the custom negation base set has precedence over the
+		// final selection set as a whole
+		// todo(jasondellaluce): add "accept4" once names_to_sc_set is polished on the libs side
+		"connect", "umount2", "open", "ptrace", "mmap", "execve", "read", "syncfs", "sched_process_exit"
+	});
+	ASSERT_NAMES_EQ(selected_sc_names, expected_sc_names);
+
+	// non-empty custom base set (both positive and negative with collision)
+	s.config->m_base_syscalls_repair = false;
+	s.config->m_base_syscalls_custom_set = {"syncfs", "accept", "!accept"};
+	result = falco::app::actions::configure_interesting_sets(s);
+	ASSERT_TRUE(result.success);
+	ASSERT_EQ(result.errstr, "");
+	selected_sc_names = libsinsp::events::sc_set_to_names(s.selected_sc_set);
+	// note: in case of collision, negation has priority, so the expected
+	// names are the same as the case above
+	ASSERT_NAMES_EQ(selected_sc_names, expected_sc_names);
+
+	// non-empty custom base set (only positive)
+	s.config->m_base_syscalls_custom_set = {"syncfs"};
+	result = falco::app::actions::configure_interesting_sets(s);
+	ASSERT_TRUE(result.success);
+	ASSERT_EQ(result.errstr, "");
+	selected_sc_names = libsinsp::events::sc_set_to_names(s.selected_sc_set);
+	expected_sc_names = strset_t({
+		// note: accept is not negated anymore
+		"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", "read", "syncfs", "sched_process_exit"
+	});
+	ASSERT_NAMES_EQ(selected_sc_names, expected_sc_names);
+
+	// non-empty custom base set (only negative)
+	s.config->m_base_syscalls_custom_set = {"!accept"};
+	result = falco::app::actions::configure_interesting_sets(s);
+	ASSERT_TRUE(result.success);
+	ASSERT_EQ(result.errstr, "");
+	selected_sc_names = libsinsp::events::sc_set_to_names(s.selected_sc_set);
+	expected_sc_names = unordered_set_union(
+		libsinsp::events::sc_set_to_names(default_base_set),
+		strset_t({ "connect", "umount2", "open", "ptrace", "mmap", "execve", "read"}));
+	expected_sc_names.erase("accept");
+	// todo(jasondellaluce): add "accept4" once names_to_sc_set is polished on the libs side
+	expected_sc_names.erase("accept4");
+	ASSERT_NAMES_EQ(selected_sc_names, expected_sc_names);
+
+	// non-empty custom base set (positive, without -A)
+	s.options.all_events = false;
+	s.config->m_base_syscalls_custom_set = {"read"};
+	result = falco::app::actions::configure_interesting_sets(s);
+	ASSERT_TRUE(result.success);
+	ASSERT_EQ(result.errstr, "");
+	selected_sc_names = libsinsp::events::sc_set_to_names(s.selected_sc_set);
+	expected_sc_names = strset_t({
+		// note: read is both part of the custom base set and the rules set,
+		// but we expect the unset -A option to take precedence
+		"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", "sched_process_exit"
+	});
+	ASSERT_NAMES_EQ(selected_sc_names, expected_sc_names);
+	auto unexpected_sc_names = libsinsp::events::sc_set_to_names(libsinsp::events::io_sc_set());
+	ASSERT_NAMES_NOCONTAIN(selected_sc_names, unexpected_sc_names);
+}
+
+TEST(ConfigureInterestingSets, selection_custom_base_set_repair)
+{
+	// run app action with fake engine and without the `-A` option
+	falco::app::state s;
+	s.options.all_events = false;
+	s.engine = mock_engine_from_filters(s_sample_filters);
+
+	// simulate empty custom set but repair option set.
+	// note: here we use file syscalls (e.g. open, openat) and have a custom
+	// positive set, so we expect syscalls such as "close" to be selected as
+	// repaired. Also, given that we use some network syscalls, we expect "bind"
+	// to be selected event if we negate it, because repairment should have
+	// take precedence.
+	s.config->m_base_syscalls_custom_set = {"openat", "!bind"};
+	s.config->m_base_syscalls_repair = true;
+	auto result = falco::app::actions::configure_interesting_sets(s);
+	ASSERT_TRUE(result.success);
+	ASSERT_EQ(result.errstr, "");
+	auto selected_sc_names = libsinsp::events::sc_set_to_names(s.selected_sc_set);
+	auto expected_sc_names = strset_t({
+		// note: expecting syscalls from mock rules and `sinsp_repair_state_sc_set` enforced syscalls
+		"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", "sched_process_exit", \
+		"bind", "socket", "clone3", "close", "setuid"
+	});
+	ASSERT_NAMES_CONTAIN(selected_sc_names, expected_sc_names);
+	auto unexpected_sc_names = libsinsp::events::sc_set_to_names(libsinsp::events::io_sc_set());
+	ASSERT_NAMES_NOCONTAIN(selected_sc_names, unexpected_sc_names);
+}
--- a/unit_tests/falco/app/actions/test_select_event_sources.cpp
+++ b/unit_tests/falco/app/actions/test_select_event_sources.cpp
@@ -0,0 +1,97 @@
+/*
+Copyright (C) 2023 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless ASSERTd by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <gtest/gtest.h>
+#include <falco/app/state.h>
+#include <falco/app/actions/actions.h>
+
+#define EXPECT_ACTION_OK(r)     { EXPECT_TRUE(r.success); EXPECT_TRUE(r.proceed); EXPECT_EQ(r.errstr, ""); }
+#define EXPECT_ACTION_FAIL(r)   { EXPECT_FALSE(r.success); EXPECT_FALSE(r.proceed); EXPECT_NE(r.errstr, ""); }
+
+TEST(ActionSelectEventSources, pre_post_conditions)
+{
+    auto action = falco::app::actions::select_event_sources;
+
+    // requires sources to be already loaded
+    {
+        falco::app::state s;
+        EXPECT_ACTION_FAIL(action(s));
+    }
+
+    // ignore source selection in capture mode
+    {
+        falco::app::state s;
+        s.options.trace_filename = "some_capture_file.scap";
+        EXPECT_TRUE(s.is_capture_mode());
+        EXPECT_ACTION_OK(action(s));
+    }
+
+    // enable all loaded sources by default, even with multiple calls
+    {
+        falco::app::state s;
+        s.loaded_sources = {"syscall", "some_source"};
+        EXPECT_ACTION_OK(action(s));
+        EXPECT_EQ(s.loaded_sources, s.enabled_sources);
+        s.loaded_sources.insert("another_source");
+        EXPECT_ACTION_OK(action(s));
+        EXPECT_EQ(s.loaded_sources, s.enabled_sources);
+    }
+
+    // enable only selected sources
+    {
+        falco::app::state s;
+        s.loaded_sources = {"syscall", "some_source"};
+        s.options.enable_sources = {"syscall"};
+        EXPECT_ACTION_OK(action(s));
+        EXPECT_EQ(s.enabled_sources.size(), 1);
+        EXPECT_EQ(*s.enabled_sources.begin(), "syscall");
+    }
+
+    // enable all loaded sources expect the disabled ones
+    {
+        falco::app::state s;
+        s.loaded_sources = {"syscall", "some_source"};
+        s.options.disable_sources = {"syscall"};
+        EXPECT_ACTION_OK(action(s));
+        EXPECT_EQ(s.enabled_sources.size(), 1);
+        EXPECT_EQ(*s.enabled_sources.begin(), "some_source");
+    }
+
+    // enable unknown sources
+    {
+        falco::app::state s;
+        s.loaded_sources = {"syscall", "some_source"};
+        s.options.enable_sources = {"some_other_source"};
+        EXPECT_ACTION_FAIL(action(s));
+    }
+
+    // disable unknown sources
+    {
+        falco::app::state s;
+        s.loaded_sources = {"syscall", "some_source"};
+        s.options.disable_sources = {"some_other_source"};
+        EXPECT_ACTION_FAIL(action(s));
+    }
+
+    // mix enable and disable sources options
+    {
+        falco::app::state s;
+        s.loaded_sources = {"syscall", "some_source"};
+        s.options.disable_sources = {"syscall"};
+        s.options.enable_sources = {"syscall"};
+        EXPECT_ACTION_FAIL(action(s));
+    }
+}
--- a/unit_tests/falco/test_atomic_signal_handler.cpp
+++ b/unit_tests/falco/test_atomic_signal_handler.cpp
@@ -0,0 +1,131 @@
+/*
+Copyright (C) 2023 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless ASSERTd by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <gtest/gtest.h>
+#include <future>
+#include <thread>
+#include <vector>
+#include <memory>
+#include <chrono>
+ 
+#include <falco/atomic_signal_handler.h>
+#include <falco/logger.h>
+
+TEST(AtomicSignalHandler, lock_free_implementation)
+{
+	ASSERT_TRUE(falco::atomic_signal_handler().is_lock_free());
+}
+
+TEST(AtomicSignalHandler, handle_once_wait_consistency)
+{
+	constexpr const auto thread_num = 10;
+	constexpr const auto thread_wait_sec = 2;
+	constexpr const auto handler_wait_sec = 1;
+
+	// have a shared signal handler
+	falco::atomic_signal_handler handler;
+
+	// launch a bunch of threads all syncing on the same handler
+	typedef struct
+	{
+		bool handled;
+		uint64_t duration_secs;
+	} task_result_t;
+	std::vector<std::future<task_result_t>> futures;
+	std::vector<std::unique_ptr<std::thread>> threads;
+	for (int i = 0; i < thread_num; i++)
+	{
+		std::packaged_task<task_result_t()> task([&handler, &thread_wait_sec]{
+			auto start = std::chrono::high_resolution_clock::now();
+			task_result_t res;
+			res.handled = false;
+			while (!handler.handled())
+			{
+				if (handler.triggered())
+				{
+					res.handled = handler.handle([&thread_wait_sec]{
+						std::this_thread::sleep_for (std::chrono::seconds(thread_wait_sec));
+					});
+				}
+			}
+			auto diff = std::chrono::high_resolution_clock::now() - start;
+			res.duration_secs = std::chrono::duration_cast<std::chrono::seconds>(diff).count();
+			return res;
+		});
+		futures.push_back(task.get_future());
+		threads.emplace_back();
+		threads[i].reset(new std::thread(std::move(task)));
+	}
+
+	// wait a bit, then trigger the signal handler from the main thread
+	auto total_handled = 0;
+	auto start = std::chrono::high_resolution_clock::now();
+	std::this_thread::sleep_for (std::chrono::seconds(handler_wait_sec));
+	handler.trigger();
+	for (int i = 0; i < thread_num; i++)
+	{
+		// we need to check that all threads didn't quit before
+		// the handle() function finished executing
+		futures[i].wait();
+		threads[i]->join();
+		auto res = futures[i].get();
+		if (res.handled)
+		{
+			total_handled++;
+		}
+		ASSERT_GE(res.duration_secs, thread_wait_sec);
+	}
+
+	// check that the total time is consistent with the expectations
+	auto diff = std::chrono::high_resolution_clock::now() - start;
+	auto secs = std::chrono::duration_cast<std::chrono::seconds>(diff).count();
+	ASSERT_GE(secs, thread_wait_sec + handler_wait_sec);
+
+	// check that only one thread handled the signal
+	ASSERT_EQ(total_handled, 1);
+}
+
+TEST(AtomicSignalHandler, handle_and_reset)
+{
+	auto do_nothing = []{};
+	falco::atomic_signal_handler handler;
+
+	ASSERT_FALSE(handler.triggered());
+	ASSERT_FALSE(handler.handled());
+	ASSERT_FALSE(handler.handle(do_nothing));
+
+	handler.trigger();
+	ASSERT_TRUE(handler.triggered());
+	ASSERT_FALSE(handler.handled());
+
+	ASSERT_TRUE(handler.handle(do_nothing));
+	ASSERT_TRUE(handler.triggered());
+	ASSERT_TRUE(handler.handled());
+	ASSERT_FALSE(handler.handle(do_nothing));
+
+	handler.trigger();
+	ASSERT_TRUE(handler.triggered());
+	ASSERT_FALSE(handler.handled());
+	ASSERT_TRUE(handler.handle(do_nothing));
+	ASSERT_TRUE(handler.triggered());
+	ASSERT_TRUE(handler.handled());
+	ASSERT_FALSE(handler.handle(do_nothing));
+
+	handler.reset();
+	ASSERT_FALSE(handler.triggered());
+	ASSERT_FALSE(handler.handled());
+	ASSERT_FALSE(handler.handle(do_nothing));
+}
--- a/unit_tests/falco/test_configuration.cpp
+++ b/unit_tests/falco/test_configuration.cpp
@@ -0,0 +1,103 @@
+/*
+Copyright (C) 2023 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless ASSERTd by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <gtest/gtest.h>
+#include <falco/configuration.h>
+
+static std::string sample_yaml =
+	"base_value:\n"
+	"    id: 1\n"
+	"    name: 'sample_name'\n"
+	"    subvalue:\n"
+	"      subvalue2:\n"
+	"        boolean: true\n"
+	"base_value_2:\n"
+	"  sample_list:\n"
+	"    - elem1\n"
+	"    - elem2\n"
+	"    - elem3\n";
+
+TEST(Configuration, configuration_exceptions)
+{
+	yaml_helper conf;
+
+	/* Broken YAML */
+	std::string sample_broken_yaml = sample_yaml + " /  bad_symbol";
+	EXPECT_ANY_THROW(conf.load_from_string(sample_broken_yaml));
+
+	/* Right YAML */
+	EXPECT_NO_THROW(conf.load_from_string(sample_yaml));
+}
+
+TEST(Configuration, configuration_reload)
+{
+	yaml_helper conf;
+
+	/* Clear and reload config */
+	conf.load_from_string(sample_yaml);
+	ASSERT_TRUE(conf.is_defined("base_value"));
+	conf.clear();
+	ASSERT_FALSE(conf.is_defined("base_value"));
+	conf.load_from_string(sample_yaml);
+	ASSERT_TRUE(conf.is_defined("base_value"));
+}
+
+TEST(Configuration, read_yaml_fields)
+{
+	yaml_helper conf;
+	conf.load_from_string(sample_yaml);
+
+	/* is_defined */
+	ASSERT_TRUE(conf.is_defined("base_value"));
+	ASSERT_TRUE(conf.is_defined("base_value_2"));
+	ASSERT_FALSE(conf.is_defined("unknown_base_value"));
+
+	/* get some fields */
+	ASSERT_EQ(conf.get_scalar<int>("base_value.id", -1), 1);
+	ASSERT_STREQ(conf.get_scalar<std::string>("base_value.name", "none").c_str(), "sample_name");
+	ASSERT_EQ(conf.get_scalar<bool>("base_value.subvalue.subvalue2.boolean", false), true);
+
+	/* get list field elements */
+	ASSERT_STREQ(conf.get_scalar<std::string>("base_value_2.sample_list[0]", "none").c_str(), "elem1");
+	ASSERT_STREQ(conf.get_scalar<std::string>("base_value_2.sample_list[1]", "none").c_str(), "elem2");
+	ASSERT_STREQ(conf.get_scalar<std::string>("base_value_2.sample_list[2]", "none").c_str(), "elem3");
+
+	/* get sequence */
+	std::vector<std::string> seq;
+	conf.get_sequence(seq, "base_value_2.sample_list");
+	ASSERT_EQ(seq.size(), 3);
+	ASSERT_STREQ(seq[0].c_str(), "elem1");
+	ASSERT_STREQ(seq[1].c_str(), "elem2");
+	ASSERT_STREQ(seq[2].c_str(), "elem3");
+}
+
+TEST(Configuration, modify_yaml_fields)
+{
+	std::string key = "base_value.subvalue.subvalue2.boolean";
+	yaml_helper conf;
+	
+    /* Get original value */
+    conf.load_from_string(sample_yaml);
+	ASSERT_EQ(conf.get_scalar<bool>(key, false), true);
+	
+    /* Modify the original value */
+    conf.set_scalar<bool>(key, false);
+	ASSERT_EQ(conf.get_scalar<bool>(key, true), false);
+	
+    /* Modify it again */
+    conf.set_scalar<bool>(key, true);
+	ASSERT_EQ(conf.get_scalar<bool>(key, false), true);
+}
--- a/userspace/engine/CMakeLists.txt
+++ b/userspace/engine/CMakeLists.txt
@@ -19,7 +19,6 @@ set(FALCO_ENGINE_SOURCE_FILES
    evttype_index_ruleset.cpp
    formats.cpp
    filter_macro_resolver.cpp
-    filter_evttype_resolver.cpp
    filter_warning_resolver.cpp
    stats_manager.cpp
    rule_loader.cpp
@@ -28,11 +27,8 @@ set(FALCO_ENGINE_SOURCE_FILES
    rule_loader_compiler.cpp)

 add_library(falco_engine STATIC ${FALCO_ENGINE_SOURCE_FILES})
-add_dependencies(falco_engine njson string-view-lite)

-if(USE_BUNDLED_DEPS)
-  add_dependencies(falco_engine yamlcpp)
-endif()
+add_dependencies(falco_engine yamlcpp njson)

 if(MINIMAL_BUILD)
  target_include_directories(
@@ -40,7 +36,6 @@ if(MINIMAL_BUILD)
    PUBLIC
      "${NJSON_INCLUDE}"
      "${TBB_INCLUDE_DIR}"
-      "${STRING_VIEW_LITE_INCLUDE}"
      "${LIBSCAP_INCLUDE_DIRS}"
      "${LIBSINSP_INCLUDE_DIRS}"
      "${YAMLCPP_INCLUDE_DIR}"
@@ -51,7 +46,6 @@ else()
    PUBLIC
      "${NJSON_INCLUDE}"
      "${TBB_INCLUDE_DIR}"
-      "${STRING_VIEW_LITE_INCLUDE}"
      "${LIBSCAP_INCLUDE_DIRS}"
      "${LIBSINSP_INCLUDE_DIRS}"
      "${YAMLCPP_INCLUDE_DIR}"
--- a/userspace/engine/evttype_index_ruleset.cpp
+++ b/userspace/engine/evttype_index_ruleset.cpp
@@ -15,13 +15,10 @@ limitations under the License.
 */

 #include "evttype_index_ruleset.h"
-#include "filter_evttype_resolver.h"
 #include "banned.h" // This raises a compilation error when certain functions are used

 #include <algorithm>

-using namespace std;
-
 evttype_index_ruleset::evttype_index_ruleset(
 	std::shared_ptr<gen_event_filter_factory> f): m_filter_factory(f)
 {
@@ -68,14 +65,14 @@ void evttype_index_ruleset::ruleset_filters::remove_wrapper_from_list(filter_wra

 void evttype_index_ruleset::ruleset_filters::add_filter(std::shared_ptr<filter_wrapper> wrap)
 {
-	if(wrap->evttypes.empty())
+	if(wrap->event_codes.empty())
 	{
 		// Should run for all event types
 		add_wrapper_to_list(m_filter_all_event_types, wrap);
 	}
 	else
 	{
-		for(auto &etype : wrap->evttypes)
+		for(auto &etype : wrap->event_codes)
 		{
 			if(m_filter_by_event_type.size() <= etype)
 			{
@@ -91,13 +88,13 @@ void evttype_index_ruleset::ruleset_filters::add_filter(std::shared_ptr<filter_w

 void evttype_index_ruleset::ruleset_filters::remove_filter(std::shared_ptr<filter_wrapper> wrap)
 {
-	if(wrap->evttypes.empty())
+	if(wrap->event_codes.empty())
 	{
 		remove_wrapper_from_list(m_filter_all_event_types, wrap);
 	}
 	else
 	{
-		for(auto &etype : wrap->evttypes)
+		for(auto &etype : wrap->event_codes)
 		{
 			if( etype < m_filter_by_event_type.size() )
 			{
@@ -141,41 +138,53 @@ bool evttype_index_ruleset::ruleset_filters::run(gen_event *evt, falco_rule& mat
 	return false;
 }

-void evttype_index_ruleset::ruleset_filters::evttypes_for_ruleset(std::set<uint16_t> &evttypes)
+libsinsp::events::set<ppm_sc_code> evttype_index_ruleset::ruleset_filters::sc_codes()
 {
-	evttypes.clear();
-
+	libsinsp::events::set<ppm_sc_code> res;
 	for(auto &wrap : m_filters)
 	{
-		evttypes.insert(wrap->evttypes.begin(), wrap->evttypes.end());
+		res.insert(wrap->sc_codes.begin(), wrap->sc_codes.end());
 	}
+	return res;
+}
+
+libsinsp::events::set<ppm_event_code> evttype_index_ruleset::ruleset_filters::event_codes()
+{
+	libsinsp::events::set<ppm_event_code> res;
+	for(auto &wrap : m_filters)
+	{
+		res.insert(wrap->event_codes.begin(), wrap->event_codes.end());
+	}
+	return res;
 }

 void evttype_index_ruleset::add(
 		const falco_rule& rule,
+		std::shared_ptr<gen_event_filter> filter,
 		std::shared_ptr<libsinsp::filter::ast::expr> condition)
 {
 	try
 	{
-		sinsp_filter_compiler compiler(m_filter_factory, condition.get());
-		shared_ptr<gen_event_filter> filter(compiler.compile());
 		std::shared_ptr<filter_wrapper> wrap(new filter_wrapper());
 		wrap->rule = rule;
 		wrap->filter = filter;
 		if(rule.source == falco_common::syscall_source)
 		{
-			filter_evttype_resolver resolver;
-			resolver.evttypes(condition, wrap->evttypes);
+			wrap->sc_codes = libsinsp::filter::ast::ppm_sc_codes(condition.get());
+			// todo(jasondellaluce): once libsinsp has its fixes, optimize this
+			// by using libsinsp::events::ppm_set_to_event_set(wrap->sc_codes)
+			wrap->event_codes = libsinsp::filter::ast::ppm_event_codes(condition.get());
 		}
 		else
 		{
-			wrap->evttypes = { ppm_event_type::PPME_PLUGINEVENT_E };
+			wrap->sc_codes = { };
+			wrap->event_codes = { ppm_event_code::PPME_PLUGINEVENT_E };
 		}
 		m_filters.insert(wrap);
 	}
 	catch (const sinsp_exception& e)
 	{
-		throw falco_exception(string(e.what()));
+		throw falco_exception(std::string(e.what()));
 	}
 }

@@ -194,17 +203,17 @@ void evttype_index_ruleset::clear()
 	m_filters.clear();
 }

-void evttype_index_ruleset::enable(const string &substring, bool match_exact, uint16_t ruleset_id)
+void evttype_index_ruleset::enable(const std::string &substring, bool match_exact, uint16_t ruleset_id)
 {
 	enable_disable(substring, match_exact, true, ruleset_id);
 }

-void evttype_index_ruleset::disable(const string &substring, bool match_exact, uint16_t ruleset_id)
+void evttype_index_ruleset::disable(const std::string &substring, bool match_exact, uint16_t ruleset_id)
 {
 	enable_disable(substring, match_exact, false, ruleset_id);
 }

-void evttype_index_ruleset::enable_disable(const string &substring, bool match_exact, bool enabled, uint16_t ruleset_id)
+void evttype_index_ruleset::enable_disable(const std::string &substring, bool match_exact, bool enabled, uint16_t ruleset_id)
 {
 	while(m_rulesets.size() < (size_t)ruleset_id + 1)
 	{
@@ -224,7 +233,7 @@ void evttype_index_ruleset::enable_disable(const string &substring, bool match_e
 		}
 		else
 		{
-			matches = (substring == "" || (wrap->rule.name.find(substring) != string::npos));
+			matches = (substring == "" || (wrap->rule.name.find(substring) != std::string::npos));
 		}

 		if(matches)
@@ -241,17 +250,17 @@ void evttype_index_ruleset::enable_disable(const string &substring, bool match_e
 	}
 }

-void evttype_index_ruleset::enable_tags(const set<string> &tags, uint16_t ruleset_id)
+void evttype_index_ruleset::enable_tags(const std::set<std::string> &tags, uint16_t ruleset_id)
 {
 	enable_disable_tags(tags, true, ruleset_id);
 }

-void evttype_index_ruleset::disable_tags(const set<string> &tags, uint16_t ruleset_id)
+void evttype_index_ruleset::disable_tags(const std::set<std::string> &tags, uint16_t ruleset_id)
 {
 	enable_disable_tags(tags, false, ruleset_id);
 }

-void evttype_index_ruleset::enable_disable_tags(const set<string> &tags, bool enabled, uint16_t ruleset_id)
+void evttype_index_ruleset::enable_disable_tags(const std::set<std::string> &tags, bool enabled, uint16_t ruleset_id)
 {
 	while(m_rulesets.size() < (size_t)ruleset_id + 1)
 	{
@@ -260,7 +269,7 @@ void evttype_index_ruleset::enable_disable_tags(const set<string> &tags, bool en

 	for(const auto &wrap : m_filters)
 	{
-		std::set<string> intersect;
+		std::set<std::string> intersect;

 		set_intersection(tags.begin(), tags.end(),
 				 wrap->rule.tags.begin(), wrap->rule.tags.end(),
@@ -300,12 +309,29 @@ bool evttype_index_ruleset::run(gen_event *evt, falco_rule& match, uint16_t rule
 	return m_rulesets[ruleset_id]->run(evt, match);
 }

-void evttype_index_ruleset::enabled_evttypes(set<uint16_t> &evttypes, uint16_t ruleset_id)
+void evttype_index_ruleset::enabled_evttypes(std::set<uint16_t> &evttypes, uint16_t ruleset_id)
 {
-	if(m_rulesets.size() < (size_t)ruleset_id + 1)
+	evttypes.clear();
+	for (const auto& e : enabled_event_codes(ruleset_id))
 	{
-		return;
+		evttypes.insert((uint16_t) e);
 	}
-
-	return m_rulesets[ruleset_id]->evttypes_for_ruleset(evttypes);
+}
+
+libsinsp::events::set<ppm_sc_code> evttype_index_ruleset::enabled_sc_codes(uint16_t ruleset)
+{
+	if(m_rulesets.size() < (size_t)ruleset + 1)
+	{
+		return {};
+	}
+	return m_rulesets[ruleset]->sc_codes();
+}
+	
+libsinsp::events::set<ppm_event_code> evttype_index_ruleset::enabled_event_codes(uint16_t ruleset)
+{
+	if(m_rulesets.size() < (size_t)ruleset + 1)
+	{
+		return {};
+	}
+	return m_rulesets[ruleset]->event_codes();
 }
--- a/userspace/engine/evttype_index_ruleset.h
+++ b/userspace/engine/evttype_index_ruleset.h
@@ -41,6 +41,7 @@ public:

 	void add(
 		const falco_rule& rule,
+		std::shared_ptr<gen_event_filter> filter,
 		std::shared_ptr<libsinsp::filter::ast::expr> condition) override;

 	void clear() override;
@@ -69,11 +70,17 @@ public:
 		const std::set<std::string> &tags,
 		uint16_t rulset_id) override;

-	// evttypes for a ruleset
+	// note(jasondellaluce): this is deprecated, must use the new
+	// typing-improved `enabled_event_codes` and `enabled_sc_codes` instead
+	// todo(jasondellaluce): remove this in future code refactors
 	void enabled_evttypes(
 		std::set<uint16_t> &evttypes,
 		uint16_t ruleset) override;

+	libsinsp::events::set<ppm_sc_code> enabled_sc_codes(uint16_t ruleset) override;
+
+	libsinsp::events::set<ppm_event_code> enabled_event_codes(uint16_t ruleset) override;
+
 private:

 	// Helper used by enable()/disable()
@@ -92,7 +99,8 @@ private:
 	struct filter_wrapper
 	{
 		falco_rule rule;
-		std::set<uint16_t> evttypes;
+		libsinsp::events::set<ppm_sc_code> sc_codes;
+		libsinsp::events::set<ppm_event_code> event_codes;
 		std::shared_ptr<gen_event_filter> filter;
 	};

@@ -112,7 +120,9 @@ private:

 		bool run(gen_event *evt, falco_rule& match);

-		void evttypes_for_ruleset(std::set<uint16_t> &evttypes);
+		libsinsp::events::set<ppm_sc_code> sc_codes();
+
+		libsinsp::events::set<ppm_event_code> event_codes();

 	private:
 		void add_wrapper_to_list(filter_wrapper_list &wrappers, std::shared_ptr<filter_wrapper> wrap);
--- a/userspace/engine/falco_common.cpp
+++ b/userspace/engine/falco_common.cpp
@@ -16,7 +16,7 @@ limitations under the License.

 #include "falco_common.h"

-static vector<string> priority_names = {
+static std::vector<std::string> priority_names = {
 	"Emergency",
 	"Alert",
 	"Critical",
@@ -27,7 +27,7 @@ static vector<string> priority_names = {
 	"Debug"
 };

-bool falco_common::parse_priority(string v, priority_type& out)
+bool falco_common::parse_priority(std::string v, priority_type& out)
 {
 	for (size_t i = 0; i < priority_names.size(); i++)
 	{
@@ -44,7 +44,7 @@ bool falco_common::parse_priority(string v, priority_type& out)
 	return false;
 }

-falco_common::priority_type falco_common::parse_priority(string v)
+falco_common::priority_type falco_common::parse_priority(std::string v)
 {
 	falco_common::priority_type out;
 	if (!parse_priority(v, out))
@@ -54,7 +54,7 @@ falco_common::priority_type falco_common::parse_priority(string v)
 	return out;
 }

-bool falco_common::format_priority(priority_type v, string& out, bool shortfmt)
+bool falco_common::format_priority(priority_type v, std::string& out, bool shortfmt)
 {
 	if ((size_t) v < priority_names.size())
 	{
@@ -71,12 +71,12 @@ bool falco_common::format_priority(priority_type v, string& out, bool shortfmt)
 	return false;
 }

-string falco_common::format_priority(priority_type v, bool shortfmt)
+std::string falco_common::format_priority(priority_type v, bool shortfmt)
 {
-	string out;
+	std::string out;
 	if(!format_priority(v, out, shortfmt))
 	{
-		throw falco_exception("Unknown priority enum value: " + to_string(v));
+		throw falco_exception("Unknown priority enum value: " + std::to_string(v));
 	}
 	return out;
 }
--- a/userspace/engine/falco_common.h
+++ b/userspace/engine/falco_common.h
@@ -52,7 +52,7 @@ struct falco_exception : std::exception

 namespace falco_common
 {
-	const string syscall_source = "syscall";
+	const std::string syscall_source = "syscall";

 	// Same as numbers/indices into the above vector
 	enum priority_type
--- a/userspace/engine/falco_engine.cpp
+++ b/userspace/engine/falco_engine.cpp
@@ -15,7 +15,14 @@ limitations under the License.
 */

 #include <cstdlib>
+#ifndef _WIN32
 #include <unistd.h>
+#else
+#include <stdlib.h>
+#include <io.h>
+#define srandom srand
+#define random rand
+#endif
 #include <string>
 #include <fstream>
 #include <functional>
@@ -38,7 +45,6 @@ limitations under the License.

 const std::string falco_engine::s_default_ruleset = "falco-default-ruleset";

-using namespace std;
 using namespace falco;

 falco_engine::falco_engine(bool seed_rng)
@@ -85,7 +91,7 @@ const falco_source* falco_engine::find_source(std::size_t index) const
 	auto ret = m_sources.at(index);
 	if(!ret)
 	{
-		throw falco_exception("Unknown event source index " + to_string(index));
+		throw falco_exception("Unknown event source index " + std::to_string(index));
 	}
 	return ret;
 }
@@ -169,7 +175,7 @@ void falco_engine::list_fields(std::string &source, bool verbose, bool names_onl
 	}
 }

-void falco_engine::load_rules(const string &rules_content, bool verbose, bool all_events)
+void falco_engine::load_rules(const std::string &rules_content, bool verbose, bool all_events)
 {
 	static const std::string no_name = "N/A";

@@ -222,7 +228,7 @@ void falco_engine::load_rules_file(const std::string &rules_filename, bool verbo
 	interpret_load_result(res, rules_filename, rules_content, verbose);
 }

-std::unique_ptr<load_result> falco_engine::load_rules_file(const string &rules_filename)
+std::unique_ptr<load_result> falco_engine::load_rules_file(const std::string &rules_filename)
 {
 	std::string rules_content;

@@ -237,13 +243,13 @@ std::unique_ptr<load_result> falco_engine::load_rules_file(const string &rules_f

 		res->add_error(load_result::LOAD_ERR_FILE_READ, e.what(), ctx);

-		return std::move(res);
+		return res;
 	}

 	return load_rules(rules_content, rules_filename);
 }

-void falco_engine::enable_rule(const string &substring, bool enabled, const string &ruleset)
+void falco_engine::enable_rule(const std::string &substring, bool enabled, const std::string &ruleset)
 {
 	uint16_t ruleset_id = find_ruleset_id(ruleset);
 	bool match_exact = false;
@@ -261,7 +267,7 @@ void falco_engine::enable_rule(const string &substring, bool enabled, const stri
 	}
 }

-void falco_engine::enable_rule_exact(const string &rule_name, bool enabled, const string &ruleset)
+void falco_engine::enable_rule_exact(const std::string &rule_name, bool enabled, const std::string &ruleset)
 {
 	uint16_t ruleset_id = find_ruleset_id(ruleset);
 	bool match_exact = true;
@@ -279,7 +285,7 @@ void falco_engine::enable_rule_exact(const string &rule_name, bool enabled, cons
 	}
 }

-void falco_engine::enable_rule_by_tag(const set<string> &tags, bool enabled, const string &ruleset)
+void falco_engine::enable_rule_by_tag(const std::set<std::string> &tags, bool enabled, const std::string &ruleset)
 {
 	uint16_t ruleset_id = find_ruleset_id(ruleset);

@@ -328,13 +334,23 @@ void falco_engine::evttypes_for_ruleset(std::string &source, std::set<uint16_t>
 	find_source(source)->ruleset->enabled_evttypes(evttypes, find_ruleset_id(ruleset));
 }

+libsinsp::events::set<ppm_sc_code> falco_engine::sc_codes_for_ruleset(const std::string &source, const std::string &ruleset)
+{
+	return find_source(source)->ruleset->enabled_sc_codes(find_ruleset_id(ruleset));
+}
+	
+libsinsp::events::set<ppm_event_code> falco_engine::event_codes_for_ruleset(const std::string &source, const std::string &ruleset)
+{
+	return find_source(source)->ruleset->enabled_event_codes(find_ruleset_id(ruleset));
+}
+
 std::shared_ptr<gen_event_formatter> falco_engine::create_formatter(const std::string &source,
 								    const std::string &output) const
 {
 	return find_source(source)->formatter_factory->create_formatter(output);
 }

-unique_ptr<falco_engine::rule_result> falco_engine::process_event(std::size_t source_idx, gen_event *ev, uint16_t ruleset_id)
+std::unique_ptr<falco_engine::rule_result> falco_engine::process_event(std::size_t source_idx, gen_event *ev, uint16_t ruleset_id)
 {
 	// note: there are no thread-safety guarantees on the filter_ruleset::run()
 	// method, but the thread-safety assumptions of falco_engine::process_event()
@@ -346,6 +362,11 @@ unique_ptr<falco_engine::rule_result> falco_engine::process_event(std::size_t so

 	if(source_idx == m_syscall_source_idx)
 	{
+		if(m_syscall_source == NULL)
+		{
+			m_syscall_source = find_source(m_syscall_source_idx);
+		}
+
 		source = m_syscall_source;
 	}
 	else
@@ -355,10 +376,10 @@ unique_ptr<falco_engine::rule_result> falco_engine::process_event(std::size_t so

 	if(should_drop_evt() || !source || !source->ruleset->run(ev, source->m_rule, ruleset_id))
 	{
-		return unique_ptr<struct rule_result>();
+		return std::unique_ptr<struct rule_result>();
 	}

-	unique_ptr<struct rule_result> res(new rule_result());
+	std::unique_ptr<struct rule_result> res(new rule_result());
 	res->evt = ev;
 	res->rule = source->m_rule.name;
 	res->source = source->m_rule.source;
@@ -370,7 +391,7 @@ unique_ptr<falco_engine::rule_result> falco_engine::process_event(std::size_t so
 	return res;
 }

-unique_ptr<falco_engine::rule_result> falco_engine::process_event(std::size_t source_idx, gen_event *ev)
+std::unique_ptr<falco_engine::rule_result> falco_engine::process_event(std::size_t source_idx, gen_event *ev)
 {
 	return process_event(source_idx, ev, m_default_ruleset_id);
 }
@@ -387,7 +408,6 @@ std::size_t falco_engine::add_source(const std::string &source,
 	if(source == falco_common::syscall_source)
 	{
 		m_syscall_source_idx = idx;
-		m_syscall_source = find_source(m_syscall_source_idx);
 	}

 	return idx;
@@ -407,7 +427,7 @@ std::size_t falco_engine::add_source(const std::string &source,
 	return m_sources.insert(src, source);
 }

-void falco_engine::describe_rule(string *rule) const
+void falco_engine::describe_rule(std::string *rule) const
 {
 	static const char* rule_fmt = "%-50s %s\n";
 	fprintf(stdout, rule_fmt, "Rule", "Description");
@@ -430,7 +450,7 @@ void falco_engine::describe_rule(string *rule) const

 void falco_engine::print_stats() const
 {
-	string out;
+	std::string out;
 	m_rule_stats_manager.format(m_rules, out);
 	// todo(jasondellaluce): introduce a logging callback in Falco
 	fprintf(stdout, "%s", out.c_str());
@@ -443,7 +463,7 @@ bool falco_engine::is_source_valid(const std::string &source) const

 void falco_engine::read_file(const std::string& filename, std::string& contents)
 {
-	ifstream is;
+	std::ifstream is;

 	is.open(filename);
 	if (!is.is_open())
@@ -451,8 +471,8 @@ void falco_engine::read_file(const std::string& filename, std::string& contents)
 		throw falco_exception("Could not open " + filename + " for reading");
 	}

-	contents.assign(istreambuf_iterator<char>(is),
-			istreambuf_iterator<char>());
+	contents.assign(std::istreambuf_iterator<char>(is),
+			std::istreambuf_iterator<char>());
 }

 void falco_engine::interpret_load_result(std::unique_ptr<load_result>& res,
@@ -555,7 +575,7 @@ void falco_engine::set_sampling_multiplier(double sampling_multiplier)
 	m_sampling_multiplier = sampling_multiplier;
 }

-void falco_engine::set_extra(string &extra, bool replace_container_info)
+void falco_engine::set_extra(std::string &extra, bool replace_container_info)
 {
 	m_extra = extra;
 	m_replace_container_info = replace_container_info;
--- a/Show More
+++ b/Show More