update(userspace/falco): better help message for --pidfile

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
Relocate tools on Flatcar in BPF mode
2026-03-20 11:42:06 +00:00 · 2023-08-21 11:12:28 +02:00 · 2023-08-21 10:48:20 +02:00 · 2023-08-11 16:47:47 +02:00 · 2023-08-11 16:47:47 +02:00 · 2023-08-11 16:47:47 +02:00
416 changed files with 9250 additions and 15579 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,925 +0,0 @@
-version: 2.1
-jobs:
-  "build-arm64":
-    machine:
-      enabled: true
-      image: ubuntu-2204:2022.10.2
-    resource_class: arm.large
-    steps:
-
-      # Install dependencies to build the modern BPF probe skeleton.
-      - run:
-          name: Install deps ⛓️
-          command: |
-            sudo apt update
-            sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 git pkg-config autoconf automake libelf-dev
-            sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
-            sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
-            git clone https://github.com/libbpf/bpftool.git --branch v7.0.0 --single-branch
-            cd bpftool
-            git submodule update --init
-            cd src && sudo make install
-
-      # Path to the source code
-      - checkout:
-          path: /tmp/source-arm64/falco
-
-      # Build the skeleton
-      - run:
-          name: Build modern BPF skeleton 🐝
-          command: |
-            mkdir -p /tmp/source-arm64/falco/skeleton-build
-            cd /tmp/source-arm64/falco/skeleton-build && cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_FALCO_MODERN_BPF=ON -DCREATE_TEST_TARGETS=Off ../
-            make ProbeSkeleton
-
-      # Build the Falco packages (tar, deb, rpm) inside the centos7 builder.
-      # This dockerfile returns as output:
-      # - the build directory. (under /tmp/${DEST_BUILD_DIR})
-      # - the 3 packages: tar, deb, rpm. (under /tmp/packages)
-      - run:
-          name: Build Falco packages 🏗️
-          command: |
-            DOCKER_BUILDKIT=1 docker build -f /tmp/source-arm64/falco/docker/builder/modern-falco-builder.Dockerfile --output type=local,dest=/tmp --build-arg CMAKE_OPTIONS="-DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DFALCO_ETC_DIR=/etc/falco -DBUILD_FALCO_MODERN_BPF=ON -DMODERN_BPF_SKEL_DIR=/source/skeleton-build/skel_dir -DBUILD_DRIVER=Off -DBUILD_BPF=Off" --build-arg DEST_BUILD_DIR=/build-arm64/release /tmp/source-arm64/falco
-
-      - store_artifacts:
-          path: /tmp/packages
-          destination: /packages
-
-      - persist_to_workspace:
-          root: /tmp
-          paths:
-            - build-arm64/release
-            - source-arm64
-
-  # Build a statically linked Falco release binary using musl
-  # This build is 100% static, there are no host dependencies
-  "build-musl":
-    docker:
-      - image: alpine:3.17
-    resource_class: large
-    steps:
-      - checkout:
-          path: /source-static/falco
-      - run:
-          name: Update base image
-          command: apk update
-      - run:
-          name: Install build dependencies
-          command: apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils bpftool clang
-      - run:
-          name: Prepare project
-          command: |
-            mkdir -p /build-static/release
-            cd /build-static/release
-            cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco /source-static/falco
-      - run:
-          name: Build
-          command: |
-            cd /build-static/release
-            make -j6 all
-      - run:
-          name: Package
-          command: |
-            cd /build-static/release
-            make -j6 package
-      - run:
-          name: Run unit tests
-          command: |
-            cd /build-static/release
-            make tests
-      - run:
-          name: Prepare artifacts
-          command: |
-            mkdir -p /tmp/packages
-            cp /build-static/release/*.tar.gz /tmp/packages
-      - store_artifacts:
-          path: /tmp/packages
-          destination: /packages
-      - persist_to_workspace:
-          root: /
-          paths:
-            - build-static/release
-            - source-static
-
-  # This build is static, dependencies are bundled in the Falco binary
-  "build-centos7":
-    machine:
-      enabled: true
-      image: ubuntu-2204:2022.10.2
-    resource_class: large
-    steps:
-
-      # Install dependencies to build the modern BPF probe skeleton.
-      - run:
-          name: Install deps ⛓️
-          command: |
-            sudo apt update
-            sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 git pkg-config autoconf automake libelf-dev
-            sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
-            sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
-            git clone https://github.com/libbpf/bpftool.git --branch v7.0.0 --single-branch
-            cd bpftool
-            git submodule update --init
-            cd src && sudo make install
-
-      # Path for the source code
-      - checkout:
-          path: /tmp/source/falco
-
-      - run:
-          name: Build modern BPF skeleton 🐝
-          command: |
-            mkdir -p /tmp/source/falco/skeleton-build
-            cd /tmp/source/falco/skeleton-build && cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_FALCO_MODERN_BPF=ON -DCREATE_TEST_TARGETS=Off ../
-            make ProbeSkeleton
-
-      # Build the Falco packages (tar, deb, rpm) inside the centos7 builder.
-      # This dockerfile returns as output:
-      # - the build directory. (under /tmp/${DEST_BUILD_DIR})
-      # - the 3 packages: tar, deb, rpm. (under /tmp/packages)
-      - run:
-          name: Build Falco packages 🏗️
-          command: |
-            DOCKER_BUILDKIT=1 docker build -f /tmp/source/falco/docker/builder/modern-falco-builder.Dockerfile --output type=local,dest=/tmp --build-arg CMAKE_OPTIONS="-DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DFALCO_ETC_DIR=/etc/falco -DBUILD_FALCO_MODERN_BPF=ON -DMODERN_BPF_SKEL_DIR=/source/skeleton-build/skel_dir -DBUILD_DRIVER=Off -DBUILD_BPF=Off" --build-arg DEST_BUILD_DIR=/build/release /tmp/source/falco
-
-      - store_artifacts:
-          path: /tmp/packages
-          destination: /packages
-
-      - persist_to_workspace:
-          root: /tmp
-          paths:
-            - build/release
-            - source
-
-  # Execute integration tests based on the build results coming from the "build-centos7" job
-  "tests-integration":
-    docker:
-      - image: falcosecurity/falco-tester:latest
-        environment:
-          SOURCE_DIR: "/source"
-          BUILD_DIR: "/build"
-          BUILD_TYPE: "release"
-    steps:
-      - setup_remote_docker
-      - attach_workspace:
-          at: /
-      - run:
-          name: Execute integration tests
-          command: /usr/bin/entrypoint test
-      - store_test_results:
-          path: /build/release/integration-tests-xunit
-  "tests-integration-static":
-    docker:
-      - image: falcosecurity/falco-tester:latest
-        environment:
-          SOURCE_DIR: "/source-static"
-          BUILD_DIR: "/build-static"
-          BUILD_TYPE: "release"
-          SKIP_PACKAGES_TESTS: "true"
-          SKIP_PLUGINS_TESTS: "true"
-    steps:
-      - setup_remote_docker
-      - attach_workspace:
-          at: /
-      - run:
-          name: Execute integration tests
-          command: /usr/bin/entrypoint test
-      - store_test_results:
-          path: /build-static/release/integration-tests-xunit
-  # Execute integration tests based on the build results coming from the "build-arm64" job
-  "tests-integration-arm64":
-    machine:
-      enabled: true
-      image: ubuntu-2004:202101-01
-    resource_class: arm.medium
-    steps:
-      - attach_workspace:
-          at: /tmp
-      - run:
-          name: Execute integration tests
-          command: |
-            docker run -e BUILD_TYPE="release" -e BUILD_DIR="/build" -e SOURCE_DIR="/source" -it -v /var/run/docker.sock:/var/run/docker.sock -v /tmp/source-arm64:/source -v /tmp/build-arm64:/build \
-              falcosecurity/falco-tester:latest \
-              test
-      - store_test_results:
-          path: /tmp/build-arm64/release/integration-tests-xunit
-  "tests-driver-loader-integration":
-    machine:
-      image: ubuntu-2004:202107-02
-    steps:
-      - attach_workspace:
-          at: /tmp/ws
-      - run:
-          name: Execute driver-loader integration tests
-          command: /tmp/ws/source/falco/test/driver-loader/run_test.sh /tmp/ws/build/release/
-
-  # Sign rpm packages
-  "rpm-sign":
-    docker:
-      - image: docker.io/centos:7
-    steps:
-      - attach_workspace:
-          at: /
-      - run:
-          name: Install rpmsign
-          command: |
-            yum update -y
-            yum install rpm-sign expect which -y
-      - run:
-          name: Prepare
-          command: |
-            echo "%_signature gpg" > ~/.rpmmacros
-            echo "%_gpg_name  Falcosecurity Package Signing" >> ~/.rpmmacros
-            echo "%__gpg_sign_cmd %{__gpg} --force-v3-sigs --batch --no-armor --passphrase-fd 3 --no-secmem-warning -u \"%{_gpg_name}\" -sb --digest-algo sha256 %{__plaintext_filename}'" >> ~/.rpmmacros
-            cat > ~/sign \<<EOF
-            #!/usr/bin/expect -f
-            spawn rpmsign --addsign {*}\$argv
-            expect -exact "Enter pass phrase: "
-            send -- "\n"
-            expect eof
-            EOF
-            chmod +x ~/sign
-            echo $GPG_KEY | base64 -d | gpg --import
-      - run:
-          name: Sign rpm x86_64
-          command: |
-            cd /build/release/
-            ~/sign *.rpm
-            rpm --qf %{SIGPGP:pgpsig} -qp *.rpm | grep SHA256
-      - run:     
-          name: Sign rpm arm64
-          command: |
-            cd /build-arm64/release/
-            ~/sign *.rpm
-            rpm --qf %{SIGPGP:pgpsig} -qp *.rpm | grep SHA256
-      - persist_to_workspace:
-          root: /
-          paths:
-            - build/release/*.rpm
-            - build-arm64/release/*.rpm
-
-  # Publish the dev packages
-  "publish-packages-dev":
-    docker:
-      - image: docker.io/centos:7
-    steps:
-      - attach_workspace:
-          at: /
-      - run:
-          name: Setup
-          command: |
-            yum install epel-release -y
-            yum update -y
-            yum install createrepo gpg python python-pip -y
-            pip install awscli==1.19.47
-            echo $GPG_KEY | base64 -d | gpg --import
-      - run:
-          name: Publish rpm-dev
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            /source/falco/scripts/publish-rpm -f /build/release/falco-${FALCO_VERSION}-x86_64.rpm -f /build-arm64/release/falco-${FALCO_VERSION}-aarch64.rpm -r rpm-dev
-      - run:
-          name: Publish bin-dev
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            /source/falco/scripts/publish-bin -f /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz -r bin-dev -a x86_64
-            /source/falco/scripts/publish-bin -f /build-arm64/release/falco-${FALCO_VERSION}-aarch64.tar.gz -r bin-dev -a aarch64
-      - run:
-          name: Publish bin-static-dev
-          command: |
-            FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            cp -f /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz /build-static/release/falco-${FALCO_VERSION}-static-x86_64.tar.gz
-            /source/falco/scripts/publish-bin -f /build-static/release/falco-${FALCO_VERSION}-static-x86_64.tar.gz -r bin-dev -a x86_64
-  "publish-packages-deb-dev":
-    docker:
-      - image: docker.io/debian:stable
-    steps:
-      - attach_workspace:
-          at: /
-      - run:
-          name: Setup
-          command: |
-            apt update -y
-            apt-get install apt-utils bzip2 gpg python python3-pip -y
-            pip install awscli
-            echo $GPG_KEY | base64 -d | gpg --import
-      - run:
-          name: Publish deb-dev
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            /source/falco/scripts/publish-deb -f /build/release/falco-${FALCO_VERSION}-x86_64.deb -f /build-arm64/release/falco-${FALCO_VERSION}-aarch64.deb -r deb-dev
-
-  "build-docker-dev":
-    docker:
-      - image: alpine:3.16
-    steps: 
-      - attach_workspace:
-          at: /
-      - setup_remote_docker:
-          version: 20.10.12
-          docker_layer_caching: true
-      - run:
-          name: Install deps
-          command: |
-            apk update
-            apk add make bash git docker docker-cli-buildx py3-pip
-            pip install awscli
-      - run:
-          name: Login to registries
-          command: |
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
-      - run:
-          name: Build and publish no-driver-dev
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            cd /source/falco
-            docker buildx build --push --build-arg VERSION_BUCKET=bin-dev --build-arg FALCO_VERSION=${FALCO_VERSION} \
-              -t falcosecurity/falco-no-driver:x86_64-master \
-              -t falcosecurity/falco:x86_64-master-slim \
-              -t public.ecr.aws/falcosecurity/falco-no-driver:x86_64-master \
-              -t public.ecr.aws/falcosecurity/falco:x86_64-master-slim \
-              docker/no-driver
-      - run:
-          name: Build and publish falco-dev
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            cd /source/falco
-            docker buildx build --push --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} \
-              -t falcosecurity/falco:x86_64-master \
-              -t public.ecr.aws/falcosecurity/falco:x86_64-master \
-              docker/falco
-      - run:
-          name: Build and publish falco-driver-loader-dev
-          command: |
-            cd /source/falco
-            docker buildx build --push --build-arg FALCO_IMAGE_TAG=x86_64-master \
-              -t falcosecurity/falco-driver-loader:x86_64-master \
-              -t public.ecr.aws/falcosecurity/falco-driver-loader:x86_64-master \
-              docker/driver-loader
-            
-  "build-docker-dev-arm64":
-    machine:
-      enabled: true
-      image: ubuntu-2004:202101-01
-      docker_layer_caching: true
-    resource_class: arm.medium
-    steps:
-      - attach_workspace:
-          at: /tmp
-      - run:
-          name: Install deps
-          command: |
-            sudo apt update
-            sudo apt install groff less python3-pip
-            pip install awscli
-      - run:
-          name: Login to registries
-          command: |
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
-      - run:
-          name: Build and publish no-driver-dev
-          command: |
-            FALCO_VERSION=$(cat /tmp/build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            cd /tmp/source-arm64/falco
-            docker buildx build --push --build-arg VERSION_BUCKET=bin-dev --build-arg FALCO_VERSION=${FALCO_VERSION} \
-              -t falcosecurity/falco-no-driver:aarch64-master \
-              -t falcosecurity/falco:aarch64-master-slim \
-              -t public.ecr.aws/falcosecurity/falco-no-driver:aarch64-master \
-              -t public.ecr.aws/falcosecurity/falco:aarch64-master-slim \
-              docker/no-driver
-      - run:
-          name: Build and publish falco-dev
-          command: |
-            FALCO_VERSION=$(cat /tmp/build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            cd /tmp/source-arm64/falco
-            docker buildx build --push --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} \
-              -t falcosecurity/falco:aarch64-master \
-              -t public.ecr.aws/falcosecurity/falco:aarch64-master \
-              docker/falco
-      - run:
-          name: Build and publish falco-driver-loader-dev
-          command: |
-            cd /tmp/source-arm64/falco
-            docker buildx build --push --build-arg FALCO_IMAGE_TAG=aarch64-master \
-              -t falcosecurity/falco-driver-loader:aarch64-master \
-              -t public.ecr.aws/falcosecurity/falco-driver-loader:aarch64-master \
-              docker/driver-loader
-
-  # Publish docker packages
-  "publish-docker-dev":
-    docker:
-      - image: cimg/base:stable
-        user: root
-    steps:
-      - setup_remote_docker:
-          version: 20.10.12
-      - run:
-          name: Install deps
-          command: |
-            sudo apt update
-            sudo apt install groff less python3-pip
-            pip install awscli
-      - run:
-          name: Login to registries
-          command: |
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
-      - run:
-          name: Upload no-driver-dev manifest to registries
-          command: |
-            docker manifest create falcosecurity/falco-no-driver:master \
-                                   falcosecurity/falco-no-driver:aarch64-master \
-                                   falcosecurity/falco-no-driver:x86_64-master
-            docker manifest push falcosecurity/falco-no-driver:master
-            
-            docker manifest create falcosecurity/falco:master-slim \
-                                   falcosecurity/falco:aarch64-master-slim \
-                                   falcosecurity/falco:x86_64-master-slim
-            docker manifest push falcosecurity/falco:master-slim
-            
-            docker manifest create public.ecr.aws/falcosecurity/falco-no-driver:master \
-                                   public.ecr.aws/falcosecurity/falco-no-driver:aarch64-master \
-                                   public.ecr.aws/falcosecurity/falco-no-driver:x86_64-master
-            docker manifest push public.ecr.aws/falcosecurity/falco-no-driver:master
-            
-            docker manifest create public.ecr.aws/falcosecurity/falco:master-slim \
-                                   public.ecr.aws/falcosecurity/falco:aarch64-master-slim \
-                                   public.ecr.aws/falcosecurity/falco:x86_64-master-slim
-            docker manifest push public.ecr.aws/falcosecurity/falco:master-slim
-      - run:
-          name: Upload falco-dev manifest to registries
-          command: |
-            docker manifest create falcosecurity/falco:master \
-                                   falcosecurity/falco:aarch64-master \
-                                   falcosecurity/falco:x86_64-master
-            docker manifest push falcosecurity/falco:master
-            
-            docker manifest create public.ecr.aws/falcosecurity/falco:master \
-                                   public.ecr.aws/falcosecurity/falco:aarch64-master \
-                                   public.ecr.aws/falcosecurity/falco:x86_64-master
-            docker manifest push public.ecr.aws/falcosecurity/falco:master
-      - run:
-          name: Upload falco-driver-loader-dev manifest to registries
-          command: |
-            docker manifest create falcosecurity/falco-driver-loader:master \
-                                   falcosecurity/falco-driver-loader:aarch64-master \
-                                   falcosecurity/falco-driver-loader:x86_64-master
-            docker manifest push falcosecurity/falco-driver-loader:master
-            
-            docker manifest create public.ecr.aws/falcosecurity/falco-driver-loader:master \
-                                   public.ecr.aws/falcosecurity/falco-driver-loader:aarch64-master \
-                                   public.ecr.aws/falcosecurity/falco-driver-loader:x86_64-master
-            docker manifest push public.ecr.aws/falcosecurity/falco-driver-loader:master
-
-  # Publish the packages
-  "publish-packages":
-    docker:
-      - image: docker.io/centos:7
-    steps:
-      - attach_workspace:
-          at: /
-      - run:
-          name: Setup
-          command: |
-            yum install epel-release -y
-            yum update -y
-            yum install createrepo gpg python python-pip -y
-            pip install awscli==1.19.47
-            echo $GPG_KEY | base64 -d | gpg --import
-      - run:
-          name: Publish rpm
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            /source/falco/scripts/publish-rpm -f /build/release/falco-${FALCO_VERSION}-x86_64.rpm -f /build-arm64/release/falco-${FALCO_VERSION}-aarch64.rpm -r rpm
-      - run:
-          name: Publish bin
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            /source/falco/scripts/publish-bin -f /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz -r bin -a x86_64
-            /source/falco/scripts/publish-bin -f /build-arm64/release/falco-${FALCO_VERSION}-aarch64.tar.gz -r bin -a aarch64
-      - run:
-          name: Publish bin-static
-          command: |
-            FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            cp -f /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz /build-static/release/falco-${FALCO_VERSION}-static-x86_64.tar.gz
-            /source/falco/scripts/publish-bin -f /build-static/release/falco-${FALCO_VERSION}-static-x86_64.tar.gz -r bin -a x86_64
-  "publish-packages-deb":
-    docker:
-      - image: docker.io/debian:stable
-    steps:
-      - attach_workspace:
-          at: /
-      - run:
-          name: Setup
-          command: |
-            apt update -y
-            apt-get install apt-utils bzip2 gpg python python3-pip -y
-            pip install awscli
-            echo $GPG_KEY | base64 -d | gpg --import
-      - run:
-          name: Publish deb
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            /source/falco/scripts/publish-deb -f /build/release/falco-${FALCO_VERSION}-x86_64.deb -f /build-arm64/release/falco-${FALCO_VERSION}-aarch64.deb -r deb
-  
-  "build-docker":
-    docker:
-      - image: alpine:3.16
-    steps: 
-      - attach_workspace:
-          at: /
-      - setup_remote_docker:
-          version: 20.10.12
-          docker_layer_caching: true
-      - run:
-          name: Install deps
-          command: |
-            apk update
-            apk add make bash git docker docker-cli-buildx py3-pip
-            pip install awscli
-      - run:
-          name: Login to registries
-          command: |
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
-      - run:
-          name: Build and publish no-driver
-          command: |
-            cd /source/falco
-            docker buildx build --push --build-arg VERSION_BUCKET=bin --build-arg FALCO_VERSION=${CIRCLE_TAG} \
-              -t "falcosecurity/falco-no-driver:x86_64-${CIRCLE_TAG}" \
-              -t falcosecurity/falco-no-driver:x86_64-latest \
-              -t "falcosecurity/falco:x86_64-${CIRCLE_TAG}-slim" \
-              -t "falcosecurity/falco:x86_64-latest-slim" \
-              -t "public.ecr.aws/falcosecurity/falco-no-driver:x86_64-${CIRCLE_TAG}" \
-              -t "public.ecr.aws/falcosecurity/falco-no-driver:x86_64-latest" \
-              -t "public.ecr.aws/falcosecurity/falco:x86_64-${CIRCLE_TAG}-slim" \
-              -t "public.ecr.aws/falcosecurity/falco:x86_64-latest-slim" \
-              docker/no-driver
-      - run:
-          name: Build and publish falco
-          command: |
-            cd /source/falco
-            docker buildx build --push --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} \
-              -t "falcosecurity/falco:x86_64-${CIRCLE_TAG}" \
-              -t "falcosecurity/falco:x86_64-latest" \
-              -t "public.ecr.aws/falcosecurity/falco:x86_64-${CIRCLE_TAG}" \
-              -t "public.ecr.aws/falcosecurity/falco:x86_64-latest" \
-              docker/falco
-      - run:
-          name: Build and publish falco-driver-loader
-          command: |
-            cd /source/falco
-            docker buildx build --push --build-arg FALCO_IMAGE_TAG=x86_64-${CIRCLE_TAG} \
-              -t "falcosecurity/falco-driver-loader:x86_64-${CIRCLE_TAG}" \
-              -t "falcosecurity/falco-driver-loader:x86_64-latest" \
-              -t "public.ecr.aws/falcosecurity/falco-driver-loader:x86_64-${CIRCLE_TAG}" \
-              -t "public.ecr.aws/falcosecurity/falco-driver-loader:x86_64-latest" \
-              docker/driver-loader
-            
-  "build-docker-arm64":
-    machine:
-      enabled: true
-      image: ubuntu-2004:202101-01
-      docker_layer_caching: true
-    resource_class: arm.medium
-    steps:
-      - attach_workspace:
-          at: /tmp
-      - run:
-          name: Install deps
-          command: |
-            sudo apt update
-            sudo apt install groff less python3-pip
-            pip install awscli
-      - run:
-          name: Login to registries
-          command: |
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
-      - run:
-          name: Build and publish no-driver
-          command: |
-            cd /tmp/source-arm64/falco
-            docker buildx build --push --build-arg VERSION_BUCKET=bin --build-arg FALCO_VERSION=${CIRCLE_TAG} \
-              -t falcosecurity/falco-no-driver:aarch64-${CIRCLE_TAG} \
-              -t falcosecurity/falco-no-driver:aarch64-latest \
-              -t falcosecurity/falco:aarch64-${CIRCLE_TAG}-slim \
-              -t "falcosecurity/falco:aarch64-latest-slim" \
-              -t public.ecr.aws/falcosecurity/falco-no-driver:aarch64-${CIRCLE_TAG} \
-              -t "public.ecr.aws/falcosecurity/falco-no-driver:aarch64-latest" \
-              -t public.ecr.aws/falcosecurity/falco:aarch64-${CIRCLE_TAG}-slim \
-              -t "public.ecr.aws/falcosecurity/falco:aarch64-latest-slim" \
-              docker/no-driver
-      - run:
-          name: Build and publish falco
-          command: |
-            cd /tmp/source-arm64/falco
-            docker buildx build --push --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} \
-              -t "falcosecurity/falco:aarch64-${CIRCLE_TAG}" \
-              -t "falcosecurity/falco:aarch64-latest" \
-              -t "public.ecr.aws/falcosecurity/falco:aarch64-${CIRCLE_TAG}" \
-              -t "public.ecr.aws/falcosecurity/falco:aarch64-latest" \
-              docker/falco
-      - run:
-          name: Build and publish falco-driver-loader
-          command: |
-            cd /tmp/source-arm64/falco
-            docker buildx build --push --build-arg FALCO_IMAGE_TAG=aarch64-${CIRCLE_TAG} \
-              -t "falcosecurity/falco-driver-loader:aarch64-${CIRCLE_TAG}" \
-              -t "falcosecurity/falco-driver-loader:aarch64-latest" \
-              -t "public.ecr.aws/falcosecurity/falco-driver-loader:aarch64-${CIRCLE_TAG}" \
-              -t "public.ecr.aws/falcosecurity/falco-driver-loader:aarch64-latest" \
-              docker/driver-loader
-
-  # Publish docker packages
-  "publish-docker":
-    docker:
-      - image: cimg/base:stable
-        user: root
-    steps:
-      - setup_remote_docker:
-          version: 20.10.12
-      - run:
-          name: Install deps
-          command: |
-            sudo apt update
-            sudo apt install groff less python3-pip
-            pip install awscli
-      - run:
-          name: Login to registries
-          command: |
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
-      - run:
-          name: Upload no-driver manifest to registries
-          command: |
-            docker manifest create falcosecurity/falco-no-driver:${CIRCLE_TAG} \
-                                   falcosecurity/falco-no-driver:aarch64-${CIRCLE_TAG} \
-                                   falcosecurity/falco-no-driver:x86_64-${CIRCLE_TAG}
-            docker manifest push falcosecurity/falco-no-driver:${CIRCLE_TAG}
-            
-            docker manifest create falcosecurity/falco-no-driver:latest \
-                                   falcosecurity/falco-no-driver:aarch64-latest \
-                                   falcosecurity/falco-no-driver:x86_64-latest
-            docker manifest push falcosecurity/falco-no-driver:latest
-            
-            docker manifest create falcosecurity/falco:${CIRCLE_TAG}-slim \
-                                   falcosecurity/falco:aarch64-${CIRCLE_TAG}-slim \
-                                   falcosecurity/falco:x86_64-${CIRCLE_TAG}-slim
-            docker manifest push falcosecurity/falco:${CIRCLE_TAG}-slim
-            
-            docker manifest create falcosecurity/falco:latest-slim \
-                                   falcosecurity/falco:aarch64-latest-slim \
-                                   falcosecurity/falco:x86_64-latest-slim
-            docker manifest push falcosecurity/falco:latest-slim
-            
-            docker manifest create public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG} \
-                                   public.ecr.aws/falcosecurity/falco-no-driver:aarch64-${CIRCLE_TAG} \
-                                   public.ecr.aws/falcosecurity/falco-no-driver:x86_64-${CIRCLE_TAG}
-            docker manifest push public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}
-            
-            docker manifest create public.ecr.aws/falcosecurity/falco-no-driver:latest \
-                                   public.ecr.aws/falcosecurity/falco-no-driver:aarch64-latest \
-                                   public.ecr.aws/falcosecurity/falco-no-driver:x86_64-latest
-            docker manifest push public.ecr.aws/falcosecurity/falco-no-driver:latest
-            
-            docker manifest create public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}-slim \
-                                   public.ecr.aws/falcosecurity/falco:aarch64-${CIRCLE_TAG}-slim \
-                                   public.ecr.aws/falcosecurity/falco:x86_64-${CIRCLE_TAG}-slim
-            docker manifest push public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}-slim
-            
-            docker manifest create public.ecr.aws/falcosecurity/falco:latest-slim \
-                                   public.ecr.aws/falcosecurity/falco:aarch64-latest-slim \
-                                   public.ecr.aws/falcosecurity/falco:x86_64-latest-slim
-            docker manifest push public.ecr.aws/falcosecurity/falco:latest-slim
-      - run:
-          name: Upload falco manifest to registries
-          command: |
-            docker manifest create falcosecurity/falco:${CIRCLE_TAG} \
-                                   falcosecurity/falco:aarch64-${CIRCLE_TAG} \
-                                   falcosecurity/falco:x86_64-${CIRCLE_TAG}
-            docker manifest push falcosecurity/falco:${CIRCLE_TAG}
-
-            docker manifest create falcosecurity/falco:latest \
-                                   falcosecurity/falco:aarch64-latest \
-                                   falcosecurity/falco:x86_64-latest
-            docker manifest push falcosecurity/falco:latest
-            
-            docker manifest create public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG} \
-                                   public.ecr.aws/falcosecurity/falco:aarch64-${CIRCLE_TAG} \
-                                   public.ecr.aws/falcosecurity/falco:x86_64-${CIRCLE_TAG}
-            docker manifest push public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}
-
-            docker manifest create public.ecr.aws/falcosecurity/falco:latest \
-                                   public.ecr.aws/falcosecurity/falco:aarch64-latest \
-                                   public.ecr.aws/falcosecurity/falco:x86_64-latest
-            docker manifest push public.ecr.aws/falcosecurity/falco:latest
-      - run:
-          name: Upload falco-driver-loader manifest to registries
-          command: |
-            docker manifest create falcosecurity/falco-driver-loader:${CIRCLE_TAG} \
-                                   falcosecurity/falco-driver-loader:aarch64-${CIRCLE_TAG} \
-                                   falcosecurity/falco-driver-loader:x86_64-${CIRCLE_TAG}
-            docker manifest push falcosecurity/falco-driver-loader:${CIRCLE_TAG}
-            
-            docker manifest create falcosecurity/falco-driver-loader:latest \
-                                   falcosecurity/falco-driver-loader:aarch64-latest \
-                                   falcosecurity/falco-driver-loader:x86_64-latest
-            docker manifest push falcosecurity/falco-driver-loader:latest
-            
-            docker manifest create public.ecr.aws/falcosecurity/falco-driver-loader:${CIRCLE_TAG} \
-                                   public.ecr.aws/falcosecurity/falco-driver-loader:aarch64-${CIRCLE_TAG} \
-                                   public.ecr.aws/falcosecurity/falco-driver-loader:x86_64-${CIRCLE_TAG}
-            docker manifest push public.ecr.aws/falcosecurity/falco-driver-loader:${CIRCLE_TAG}
-            
-            docker manifest create public.ecr.aws/falcosecurity/falco-driver-loader:latest \
-                                   public.ecr.aws/falcosecurity/falco-driver-loader:aarch64-latest \
-                                   public.ecr.aws/falcosecurity/falco-driver-loader:x86_64-latest
-            docker manifest push public.ecr.aws/falcosecurity/falco-driver-loader:latest
-
-workflows:
-  version: 2.1
-  build_and_test:
-    jobs:
-      - "build-musl"
-      - "build-arm64"
-      - "build-centos7"
-      - "tests-integration":
-          requires:
-            - "build-centos7"
-      - "tests-integration-arm64":
-          requires:
-            - "build-arm64"
-      - "tests-integration-static":
-          requires:
-            - "build-musl"
-      - "tests-driver-loader-integration":
-          requires:
-            - "build-centos7"
-      - "rpm-sign":
-          context: falco
-          filters:
-            tags:
-              ignore: /.*/
-            branches:
-              only: master
-          requires:
-            - "tests-integration"
-            - "tests-integration-arm64"
-      - "publish-packages-dev":
-          context:
-            - falco
-            - test-infra
-          filters:
-            tags:
-              ignore: /.*/
-            branches:
-              only: master
-          requires:
-            - "rpm-sign"
-            - "tests-integration-static"
-      - "publish-packages-deb-dev":
-          context:
-            - falco
-            - test-infra
-          filters:
-            tags:
-              ignore: /.*/
-            branches:
-              only: master
-          requires:
-            - "tests-integration"
-            - "tests-integration-arm64"
-      - "build-docker-dev":
-          context:
-            - falco
-            - test-infra
-          filters:
-            tags:
-              ignore: /.*/
-            branches:
-              only: master
-          requires:
-            - "publish-packages-dev"
-            - "publish-packages-deb-dev"
-            - "tests-driver-loader-integration"
-      - "build-docker-dev-arm64":
-          context:
-            - falco
-            - test-infra
-          filters:
-            tags:
-              ignore: /.*/
-            branches:
-              only: master
-          requires:
-            - "publish-packages-dev"
-            - "publish-packages-deb-dev"
-            - "tests-driver-loader-integration"      
-      - "publish-docker-dev":
-          context:
-            - falco
-            - test-infra
-          filters:
-            tags:
-              ignore: /.*/
-            branches:
-              only: master
-          requires:
-            - "build-docker-dev"
-            - "build-docker-dev-arm64"
-      # - "quality/static-analysis" # This is temporarily disabled: https://github.com/falcosecurity/falco/issues/1526
-  release:
-    jobs:
-      - "build-musl":
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              ignore: /.*/
-      - "build-centos7":
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              ignore: /.*/
-      - "build-arm64":
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              ignore: /.*/
-      - "rpm-sign":
-          context: falco
-          requires:
-            - "build-centos7"
-            - "build-arm64"
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              ignore: /.*/
-      - "publish-packages":
-          context:
-            - falco
-            - test-infra
-          requires:
-            - "build-musl"
-            - "rpm-sign"
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              ignore: /.*/
-      - "publish-packages-deb":
-          context:
-            - falco
-            - test-infra
-          requires:
-            - "build-centos7"
-            - "build-arm64"
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              ignore: /.*/
-      - "build-docker":
-          context:
-            - falco
-            - test-infra
-          requires:
-            - "publish-packages"
-            - "publish-packages-deb"
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              ignore: /.*/
-      - "build-docker-arm64":
-          context:
-            - falco
-            - test-infra
-          requires:
-            - "publish-packages"
-            - "publish-packages-deb"
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              ignore: /.*/
-      - "publish-docker":
-          context:
-            - falco
-            - test-infra
-          requires:
-            - "build-docker"
-            - "build-docker-arm64"
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              ignore: /.*/
--- a/test/rules/list_append_failure.yaml
+++ b/test/rules/list_append_failure.yaml
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -14,6 +14,11 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
- list: my_list
-  items: [not-cat]
-  append: true
+
+version: 2
+
+updates:
+  - package-ecosystem: gitsubmodule
+    schedule:
+      interval: "daily"
+    directory: /
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,110 +1,117 @@
 name: CI Build
 on:
  pull_request:
-    branches: [master]
-  push:
-    branches: [master]
+    branches:
+      - master
+      - release/*
  workflow_dispatch:

+# Checks if any concurrent jobs under the same pull request or branch are being executed
+# NOTE: this will cancel every workflow that is being ran against a PR as group is just the github ref (without the workflow name)
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true  
+
 jobs:
-  build-minimal:
-    runs-on: ubuntu-20.04
-    steps:
-      - name: Checkout
+  fetch-version:
+    uses: ./.github/workflows/reusable_fetch_version.yaml
+
+  build-dev-packages:
+    needs: [fetch-version]
+    uses: ./.github/workflows/reusable_build_packages.yaml
+    with:
+      arch: x86_64
+      version: ${{ needs.fetch-version.outputs.version }}
+
+  test-dev-packages:
+    needs: [fetch-version, build-dev-packages]
+    uses: ./.github/workflows/reusable_test_packages.yaml
+    strategy:
+      fail-fast: false
+      matrix:
+        static: ["static", ""]
+    with:
+      arch: x86_64
+      static: ${{ matrix.static != '' && true || false }}
+      version: ${{ needs.fetch-version.outputs.version }}
+
+  build-dev-minimal:
+    uses: ./.github/workflows/reusable_build_dev.yaml
+    with:
+      arch: x86_64
+      git_ref: ${{ github.event.pull_request.head.sha }}
+      minimal: true
+      build_type: Debug
+  
+  # builds using system deps, checking out the PR's code
+  # note: this also runs a command that generates an output of form: "<engine_version> <some_hash>",
+  # of which <some_hash> is computed by hashing in order the following:
+  # - Driver schema version supported by the built-in falcosecurity/libs
+  # - The supported event types usable in Falco rules (evt.type=xxx)
+  # - The supported rules fields with their name, type, and description
+  build-dev:
+    uses: ./.github/workflows/reusable_build_dev.yaml
+    with:
+      arch: x86_64
+      git_ref: ${{ github.event.pull_request.head.sha }}
+      minimal: false
+      build_type: Debug
+      cmd: "echo $(build/userspace/falco/falco -c ./falco.yaml --version | grep 'Engine:' | awk '{print $2}') $(echo $(build/userspace/falco/falco -c ./falco.yaml --version | grep 'Schema version:' | awk '{print $3}') $(build/userspace/falco/falco -c ./falco.yaml --list --markdown | grep '^`' | sort) $(build/userspace/falco/falco -c ./falco.yaml --list-syscall-events | sort) | sha256sum)"
+
+  # checks the falco engine checksum for consistency
+  check-engine-checksum:
+    runs-on: ubuntu-latest
+    needs: [build-dev]
+    steps:    
+      - name: Checkout PR head ref
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}

-      - name: Update base image
-        run: sudo apt update -y
-
-      - name: Install build dependencies
-        run: sudo DEBIAN_FRONTEND=noninteractive apt install libjq-dev libyaml-cpp-dev libelf-dev cmake build-essential git -y
-
-      - name: Prepare project
+      - name: Check Engine checksum
        run: |
-          mkdir build-minimal
-          pushd build-minimal
-          cmake -DMINIMAL_BUILD=On -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release ..
-          popd
+          prev_hash=$(grep CHECKSUM "./userspace/engine/falco_engine_version.h" | awk '{print $3}' | sed -e 's/"//g')
+          cur_hash=$(echo "${{ needs.build-dev.outputs.cmdout }}" | cut -d ' ' -f 2)
+          
+          echo "encoded checksum: $prev_hash"
+          echo "current checksum: $cur_hash"
+          if [ $prev_hash != $cur_hash ]; then
+            echo "current engine checksum differs from the one encoded in userspace/engine/falco_engine_version.h"
+            exit 1
+          else
+            echo "current and encoded engine checksum are matching"
+          fi

-      - name: Build
-        run: |
-          pushd build-minimal
-          make -j4 all
-          popd
-
-      - name: Run unit tests
-        run: |
-          pushd build-minimal
-          make tests
-          popd
-
-  build-ubuntu-focal:
-    runs-on: ubuntu-20.04
-    steps:
-      - name: Checkout
+  # checks the falco engine version and enforce bumping when necessary
+  check-engine-version:
+    runs-on: ubuntu-latest
+    needs: [build-dev]
+    steps:    
+      - name: Checkout base ref
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
+          ref: ${{ github.base_ref }}

-      - name: Update base image
-        run: sudo apt update -y
-
-      - name: Install build dependencies
-        run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm git -y
-
-      - name: Prepare project
+      - name: Check Engine version
        run: |
-          mkdir build
-          pushd build
-          cmake -DBUILD_BPF=On ..
-          popd
+          base_hash=$(grep CHECKSUM "./userspace/engine/falco_engine_version.h" | awk '{print $3}' | sed -e 's/"//g')
+          base_engine_ver=$(grep ENGINE_VERSION "./userspace/engine/falco_engine_version.h" | awk '{print $3}' | sed -e 's/(//g' -e 's/)//g')

-      - name: Build
-        run: |
-          pushd build
-          KERNELDIR=/lib/modules/$(uname -r)/build make -j4 all
-          popd
+          cur_hash=$(echo "${{ needs.build-dev.outputs.cmdout }}" | cut -d ' ' -f 2)
+          cur_engine_ver=$(echo "${{ needs.build-dev.outputs.cmdout }}" | cut -d ' ' -f 1)

-      - name: Run unit tests
-        run: |
-          pushd build
-          make tests
-          popd
-
-  build-ubuntu-focal-debug:
-    runs-on: ubuntu-20.04
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Update base image
-        run: sudo apt update -y
-
-      - name: Install build dependencies
-        run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm git -y
-
-      - name: Prepare project
-        run: |
-          mkdir build
-          pushd build
-          cmake -DCMAKE_BUILD_TYPE=debug -DBUILD_BPF=On ..
-          popd
-
-      - name: Build
-        run: |
-          pushd build
-          KERNELDIR=/lib/modules/$(uname -r)/build make -j4 all
-          popd
-
-      - name: Run unit tests
-        run: |
-          pushd build
-          make tests
-          popd
+          echo "baseref checksum: $base_hash"
+          echo "baseref engine version: $base_engine_ver"
+          echo "headref checksum: $cur_hash"
+          echo "headref engine version: $cur_engine_ver"
+          if [ "$base_hash" != "$cur_hash" ]; then
+              echo "engine checksum for baseref and headref differ"
+              if [ "$base_engine_ver" == "$cur_engine_ver" ]; then
+                  echo "engine version must be bumped"
+                  exit 1
+              else
+                  echo "engine version for baseref and headref differ too, so no bump is required"
+              fi
+          fi
--- a/.github/workflows/engine-version-weakcheck.yaml
+++ b/.github/workflows/engine-version-weakcheck.yaml
@@ -0,0 +1,41 @@
+# NOTE: it is UNSAFE to run ANY kind of script when using the pull_request_target trigger!
+# DO NOT TOUCH THIS FILE UNLESS THE TRIGGER IS CHANGED.
+# See warning in https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target.
+
+name: Engine version checks (weak)
+on:
+  pull_request_target:
+    paths:
+      - 'userspace/engine/*.cpp'
+      - 'userspace/engine/*.h'
+
+jobs:
+  paths-filter:
+    runs-on: ubuntu-latest
+    outputs:
+      engine_version_changed: ${{ steps.filter.outputs.engine_version }}
+    steps:
+    - uses: actions/checkout@v2
+    - uses: dorny/paths-filter@v2
+      id: filter
+      with:
+        filters: |
+          engine_version:
+            - 'userspace/engine/falco_engine_version.h'
+
+  check-engine-version-weak:
+    runs-on: ubuntu-22.04
+    permissions:
+      pull-requests: write
+    needs: paths-filter
+    if: needs.paths-filter.outputs.engine_version_changed == 'false'
+    steps:
+      - name: Check driver Falco engine version
+        uses: mshick/add-pr-comment@v2
+        with:
+          message: |
+            This PR may bring feature or behavior changes in the Falco engine and may require the engine version to be bumped.
+
+            Please double check **userspace/engine/falco_engine_version.h** file. See [versioning for FALCO_ENGINE_VERSION](https://github.com/falcosecurity/falco/blob/master/RELEASE.md#falco-repo-this-repo).
+
+            /hold
--- a/.github/workflows/master.yaml
+++ b/.github/workflows/master.yaml
@@ -0,0 +1,83 @@
+name: Dev Packages and Docker images
+on:
+  push:
+    branches: [master]
+
+# Checks if any concurrent jobs is running for master CI and eventually cancel it
+concurrency:
+  group: ci-master
+  cancel-in-progress: true  
+
+jobs:
+  fetch-version:
+    uses: ./.github/workflows/reusable_fetch_version.yaml 
+
+  build-dev-packages:
+    needs: [fetch-version]
+    uses: ./.github/workflows/reusable_build_packages.yaml
+    with:
+      arch: x86_64
+      version: ${{ needs.fetch-version.outputs.version }}
+    secrets: inherit
+  
+  build-dev-packages-arm64:
+    needs: [fetch-version]
+    uses: ./.github/workflows/reusable_build_packages.yaml
+    with:
+      arch: aarch64
+      version: ${{ needs.fetch-version.outputs.version }}
+    secrets: inherit
+
+  test-dev-packages:
+    needs: [fetch-version, build-dev-packages]
+    uses: ./.github/workflows/reusable_test_packages.yaml
+    strategy:
+      fail-fast: false
+      matrix:
+        static: ["static", ""]
+    with:
+      arch: x86_64
+      static: ${{ matrix.static != '' && true || false }}
+      version: ${{ needs.fetch-version.outputs.version }}
+  
+  test-dev-packages-arm64:
+    needs: [fetch-version, build-dev-packages-arm64]
+    uses: ./.github/workflows/reusable_test_packages.yaml
+    with:
+      arch: aarch64
+      version: ${{ needs.fetch-version.outputs.version }}
+
+  publish-dev-packages:
+    needs: [fetch-version, test-dev-packages, test-dev-packages-arm64]
+    uses: ./.github/workflows/reusable_publish_packages.yaml
+    with:
+      bucket_suffix: '-dev'
+      version: ${{ needs.fetch-version.outputs.version }}
+    secrets: inherit
+  
+  build-dev-docker:
+    needs: [fetch-version, publish-dev-packages]
+    uses: ./.github/workflows/reusable_build_docker.yaml
+    with:
+      arch: x86_64
+      bucket_suffix: '-dev'
+      version: ${{ needs.fetch-version.outputs.version }}
+      tag: master
+    secrets: inherit
+    
+  build-dev-docker-arm64:
+    needs: [fetch-version, publish-dev-packages]
+    uses: ./.github/workflows/reusable_build_docker.yaml
+    with:
+      arch: aarch64
+      bucket_suffix: '-dev'
+      version: ${{ needs.fetch-version.outputs.version }}
+      tag: master
+    secrets: inherit
+    
+  publish-dev-docker:
+    needs: [fetch-version, build-dev-docker, build-dev-docker-arm64]
+    uses: ./.github/workflows/reusable_publish_docker.yaml
+    with:
+      tag: master
+    secrets: inherit
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,124 @@
+name: Release Packages and Docker images
+on:
+  release:
+    types: [published]
+
+# Checks if any concurrent jobs is running for release CI and eventually cancel it.
+concurrency:
+  group: ci-release
+  cancel-in-progress: true  
+
+jobs:
+  release-settings:
+    runs-on: ubuntu-latest
+    outputs:
+      is_latest: ${{ steps.get_settings.outputs.is_latest }} 
+      bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }}
+    steps:
+      - name: Get latest release
+        uses: rez0n/actions-github-release@v2.0
+        id: latest_release
+        env:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          repository: ${{ github.repository }}
+          type: "stable"
+
+      - name: Get settings for this release
+        id: get_settings
+        shell: python
+        run: |
+          import os
+          import re
+          import sys
+
+          semver_no_meta = '''^(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)(?:-(?P<prerelease>(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?$'''
+          tag_name = '${{ github.event.release.tag_name }}'
+
+          is_valid_version = re.match(semver_no_meta, tag_name) is not None
+          if not is_valid_version:
+            print(f'Release version {tag_name} is not a valid full or pre-release. See RELEASE.md for more information.')
+            sys.exit(1)
+
+          is_prerelease = '-' in tag_name
+
+          # Safeguard: you need to both set "latest" in GH and not have suffixes to overwrite latest
+          is_latest = '${{ steps.latest_release.outputs.release }}' == tag_name and not is_prerelease
+
+          bucket_suffix = '-dev' if is_prerelease else ''
+
+          with open(os.environ['GITHUB_OUTPUT'], 'a') as ofp:
+            print(f'is_latest={is_latest}'.lower(), file=ofp)
+            print(f'bucket_suffix={bucket_suffix}', file=ofp)
+
+  build-packages:
+    needs: [release-settings]
+    uses: ./.github/workflows/reusable_build_packages.yaml
+    with:
+      arch: x86_64
+      version: ${{ github.event.release.tag_name }}
+    secrets: inherit
+
+  build-packages-arm64:
+    needs: [release-settings]
+    uses: ./.github/workflows/reusable_build_packages.yaml
+    with:
+      arch: aarch64
+      version: ${{ github.event.release.tag_name }}
+    secrets: inherit
+
+  test-packages:
+    needs: [release-settings, build-packages]
+    uses: ./.github/workflows/reusable_test_packages.yaml
+    strategy:
+      fail-fast: false
+      matrix:
+        static: ["static", ""]
+    with:
+      arch: x86_64
+      static: ${{ matrix.static != '' && true || false }}
+      version: ${{ github.event.release.tag_name }}
+  
+  test-packages-arm64:
+    needs: [release-settings, build-packages-arm64]
+    uses: ./.github/workflows/reusable_test_packages.yaml
+    with:
+      arch: aarch64
+      version: ${{ github.event.release.tag_name }}
+    
+  publish-packages:
+    needs: [release-settings, test-packages, test-packages-arm64]
+    uses: ./.github/workflows/reusable_publish_packages.yaml
+    with:
+      bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
+      version: ${{ github.event.release.tag_name }}
+    secrets: inherit
+  
+  # Both build-docker and its arm64 counterpart require build-packages because they use its output
+  build-docker:
+    needs: [release-settings, build-packages, publish-packages]
+    uses: ./.github/workflows/reusable_build_docker.yaml
+    with:
+      arch: x86_64
+      bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
+      version: ${{ github.event.release.tag_name }}
+      tag: ${{ github.event.release.tag_name }}
+    secrets: inherit
+    
+  build-docker-arm64:
+    needs: [release-settings, build-packages, publish-packages]
+    uses: ./.github/workflows/reusable_build_docker.yaml
+    with:
+      arch: aarch64
+      bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
+      version: ${{ github.event.release.tag_name }}
+      tag: ${{ github.event.release.tag_name }}
+    secrets: inherit
+
+  publish-docker:
+    needs: [release-settings, build-docker, build-docker-arm64]
+    uses: ./.github/workflows/reusable_publish_docker.yaml
+    secrets: inherit
+    with:
+      is_latest: ${{ needs.release-settings.outputs.is_latest == 'true' }}
+      tag: ${{ github.event.release.tag_name }}
+      sign: true
--- a/.github/workflows/reusable_build_dev.yaml
+++ b/.github/workflows/reusable_build_dev.yaml
@@ -0,0 +1,85 @@
+# This is a reusable workflow used by the master CI
+on:
+  workflow_call:
+    outputs:
+      cmdout:
+        description: "Post-build command output"
+        value: ${{ jobs.build-and-test.outputs.cmdout }}
+    inputs:
+      arch:
+        description: x86_64 or aarch64
+        required: true
+        type: string
+      minimal:
+        description: Minimal build
+        required: true
+        type: boolean
+      build_type:
+        description: One of 'Debug' or 'Release'
+        required: true
+        type: string
+      git_ref:
+        description: Git ref used for checking out the code
+        required: true
+        type: string
+      cmd:
+        description: If defined, this command is executed after a successful build and its output is set in the `cmdout` output
+        required: false
+        default: ''
+        type: string
+       
+jobs:
+  build-and-test:
+    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
+    runs-on: ${{ (inputs.arch == 'aarch64' && fromJSON('[ "self-hosted", "linux", "ARM64" ]')) || 'ubuntu-22.04' }}
+    container: ${{ (inputs.arch == 'aarch64' && 'ubuntu:22.04') || '' }}
+    outputs:
+      cmdout: ${{ steps.run_cmd.outputs.out }}  
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          ref: ${{ inputs.git_ref }}
+
+      - name: Update base image
+        run: sudo apt update -y
+      
+      - name: Install build dependencies
+        run: sudo DEBIAN_FRONTEND=noninteractive apt install libjq-dev libelf-dev libyaml-cpp-dev cmake build-essential git -y
+
+      - name: Install build dependencies (non-minimal)
+        if: inputs.minimal != true
+        run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libgrpc++-dev protobuf-compiler-grpc rpm libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm -y
+      
+      - name: Prepare project
+        run: |
+          mkdir build
+          pushd build
+          cmake \
+            -DBUILD_FALCO_UNIT_TESTS=On \
+            -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
+            -DBUILD_BPF=${{ inputs.minimal == true && 'OFF' || 'ON' }} \
+            -DBUILD_DRIVER=${{ inputs.minimal == true && 'OFF' || 'ON' }} \
+            -DMINIMAL_BUILD=${{ inputs.minimal == true && 'ON' || 'OFF' }} \
+            ..
+          popd
+
+      - name: Build
+        run: |
+          pushd build
+          KERNELDIR=/lib/modules/$(uname -r)/build make -j4 all
+          popd
+
+      - name: Run unit tests
+        run: |
+          pushd build
+          sudo ./unit_tests/falco_unit_tests 
+          popd
+
+      - name: Run command
+        id: run_cmd
+        if: inputs.cmd != ''
+        run: |
+          OUT=$(${{ inputs.cmd }})
+          echo "out=${OUT}" >> $GITHUB_OUTPUT
--- a/.github/workflows/reusable_build_docker.yaml
+++ b/.github/workflows/reusable_build_docker.yaml
@@ -0,0 +1,73 @@
+# This is a reusable workflow used by master and release CI
+on:
+  workflow_call:
+    inputs:
+      arch:
+        description: x86_64 or aarch64
+        required: true
+        type: string
+      bucket_suffix:
+        description: bucket suffix for packages
+        required: false
+        default: ''
+        type: string
+      version:
+        description: The Falco version to use when building images
+        required: true
+        type: string
+      tag:
+        description: The tag to use (e.g. "master" or "0.35.0")
+        required: true
+        type: string
+
+# Here we just build all docker images as tarballs, 
+# then we upload all the tarballs to be later downloaded by reusable_publish_docker workflow.
+# In this way, we don't need to publish any arch specific image, 
+# and this "build" workflow is actually only building images.
+jobs:
+  build-docker:
+    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
+    runs-on: ${{ (inputs.arch == 'aarch64' && fromJSON('[ "self-hosted", "linux", "ARM64" ]')) || 'ubuntu-latest' }}
+    env:
+      TARGETARCH: ${{ (inputs.arch == 'aarch64' && 'arm64') || 'amd64' }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+          
+      - name: Build no-driver image
+        run: |
+          cd ${{ github.workspace }}/docker/no-driver/
+          docker build -t docker.io/falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ inputs.tag }} \
+            --build-arg VERSION_BUCKET=bin${{ inputs.bucket_suffix }} \
+            --build-arg FALCO_VERSION=${{ inputs.version }} \
+            --build-arg TARGETARCH=${TARGETARCH} \
+            .
+            docker save docker.io/falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-no-driver-${{ inputs.arch }}.tar
+            
+      - name: Build falco image
+        run: |
+          cd ${{ github.workspace }}/docker/falco/
+          docker build -t docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }} \
+            --build-arg VERSION_BUCKET=deb${{ inputs.bucket_suffix }} \
+            --build-arg FALCO_VERSION=${{ inputs.version }} \
+            --build-arg TARGETARCH=${TARGETARCH} \
+            .
+            docker save docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-${{ inputs.arch }}.tar
+
+      - name: Build falco-driver-loader image
+        run: |
+          cd ${{ github.workspace }}/docker/driver-loader/
+          docker build -t docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }} \
+            --build-arg FALCO_IMAGE_TAG=${{ inputs.arch }}-${{ inputs.tag }} \
+            --build-arg TARGETARCH=${TARGETARCH} \
+            .
+            docker save docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-driver-loader-${{ inputs.arch }}.tar
+            
+      - name: Upload images tarballs
+        uses: actions/upload-artifact@v3
+        with:
+          name: falco-images
+          path: /tmp/falco-*.tar
--- a/.github/workflows/reusable_build_packages.yaml
+++ b/.github/workflows/reusable_build_packages.yaml
@@ -0,0 +1,160 @@
+# This is a reusable workflow used by master and release CI
+on:
+  workflow_call:
+    inputs:
+      arch:
+        description: x86_64 or aarch64
+        required: true
+        type: string
+      version:
+        description: The Falco version to use when building packages
+        required: true
+        type: string
+
+jobs:
+  build-modern-bpf-skeleton:
+    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
+    runs-on: ${{ (inputs.arch == 'aarch64' && fromJSON('[ "self-hosted", "linux", "ARM64" ]')) || 'ubuntu-latest' }}
+    container: fedora:latest
+    steps:
+      # Always install deps before invoking checkout action, to properly perform a full clone.
+      - name: Install build dependencies
+        run: |
+          dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel
+    
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Build modern BPF skeleton
+        run: |
+          mkdir skeleton-build && cd skeleton-build
+          cmake -DUSE_BUNDLED_DEPS=ON -DBUILD_FALCO_MODERN_BPF=ON -DCREATE_TEST_TARGETS=Off -DFALCO_VERSION=${{ inputs.version }} ..
+          make ProbeSkeleton -j6
+          
+      - name: Upload skeleton
+        uses: actions/upload-artifact@v3
+        with:
+          name: bpf_probe_${{ inputs.arch }}.skel.h
+          path: skeleton-build/skel_dir/bpf_probe.skel.h
+          
+  build-packages:
+    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
+    runs-on: ${{ (inputs.arch == 'aarch64' && fromJSON('[ "self-hosted", "linux", "ARM64" ]')) || 'ubuntu-latest' }}
+    needs: [build-modern-bpf-skeleton]
+    container: centos:7
+    steps:
+      # Always install deps before invoking checkout action, to properly perform a full clone.
+      - name: Install build dependencies
+        run: |
+          yum -y install centos-release-scl
+          yum -y install devtoolset-9-gcc devtoolset-9-gcc-c++
+          source /opt/rh/devtoolset-9/enable
+          yum install -y wget git make m4 rpm-build perl-IPC-Cmd
+    
+      - name: Checkout
+        uses: actions/checkout@v3
+    
+      - name: Download skeleton
+        uses: actions/download-artifact@v3
+        with:
+          name: bpf_probe_${{ inputs.arch }}.skel.h
+          path: /tmp
+          
+      - name: Install updated cmake
+        run: |
+          curl -L -o /tmp/cmake.tar.gz https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5-linux-$(uname -m).tar.gz
+          gzip -d /tmp/cmake.tar.gz
+          tar -xpf /tmp/cmake.tar --directory=/tmp
+          cp -R /tmp/cmake-3.22.5-linux-$(uname -m)/* /usr
+          rm -rf /tmp/cmake-3.22.5-linux-$(uname -m)
+    
+      - name: Prepare project
+        run: |
+          mkdir build && cd build
+          source /opt/rh/devtoolset-9/enable
+          cmake \
+              -DCMAKE_BUILD_TYPE=Release \
+              -DUSE_BUNDLED_DEPS=On \
+              -DFALCO_ETC_DIR=/etc/falco \
+              -DBUILD_FALCO_MODERN_BPF=ON \
+              -DMODERN_BPF_SKEL_DIR=/tmp \
+              -DBUILD_DRIVER=Off \
+              -DBUILD_BPF=Off \
+              -DFALCO_VERSION=${{ inputs.version }} \
+              ..
+              
+      - name: Build project
+        run: |
+          cd build
+          source /opt/rh/devtoolset-9/enable
+          make falco -j6
+      
+      - name: Build packages
+        run: |
+          cd build
+          source /opt/rh/devtoolset-9/enable
+          make package
+
+      - name: Upload Falco tar.gz package
+        uses: actions/upload-artifact@v3
+        with:
+          name: falco-${{ inputs.version }}-${{ inputs.arch }}.tar.gz
+          path: |
+            ${{ github.workspace }}/build/falco-*.tar.gz
+            
+      - name: Upload Falco deb package
+        uses: actions/upload-artifact@v3
+        with:
+          name: falco-${{ inputs.version }}-${{ inputs.arch }}.deb
+          path: |
+            ${{ github.workspace }}/build/falco-*.deb
+      
+      - name: Upload Falco rpm package
+        uses: actions/upload-artifact@v3
+        with:
+          name: falco-${{ inputs.version }}-${{ inputs.arch }}.rpm
+          path: |
+            ${{ github.workspace }}/build/falco-*.rpm
+            
+  build-musl-package:
+    # x86_64 only for now
+    if: ${{ inputs.arch == 'x86_64' }}
+    runs-on: ubuntu-latest
+    container: alpine:3.17
+    steps:
+      # Always install deps before invoking checkout action, to properly perform a full clone.
+      - name: Install build dependencies
+        run: |
+          apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils bpftool clang
+    
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          
+      - name: Prepare project
+        run: |
+          mkdir build && cd build
+          cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco ../ -DFALCO_VERSION=${{ inputs.version }}
+          
+      - name: Build project
+        run: |
+          cd build
+          make -j6 all
+      
+      - name: Build packages
+        run: |
+          cd build
+          make -j6 package
+
+      - name: Rename static package
+        run: |
+          cd build
+          mv falco-${{ inputs.version }}-x86_64.tar.gz falco-${{ inputs.version }}-static-x86_64.tar.gz 
+          
+      - name: Upload Falco static package
+        uses: actions/upload-artifact@v3
+        with:
+          name: falco-${{ inputs.version }}-static-x86_64.tar.gz
+          path: |
+            ${{ github.workspace }}/build/falco-${{ inputs.version }}-static-x86_64.tar.gz
--- a/.github/workflows/reusable_fetch_version.yaml
+++ b/.github/workflows/reusable_fetch_version.yaml
@@ -0,0 +1,40 @@
+# This is a reusable workflow used by master and release CI
+on:
+  workflow_call:
+    outputs:
+      version:
+        description: "Falco version"
+        value: ${{ jobs.fetch-version.outputs.version }}
+    
+jobs:
+  # We need to use an ubuntu-latest to fetch Falco version because
+  # Falco version is computed by some cmake scripts that do git sorceries
+  # to get the current version.
+  # But centos7 jobs have a git version too old and actions/checkout does not 
+  # fully clone the repo, but uses http rest api instead.
+  fetch-version:
+    runs-on: ubuntu-latest
+    # Map the job outputs to step outputs
+    outputs:
+      version: ${{ steps.store_version.outputs.version }}  
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          
+      - name: Install build dependencies
+        run: |
+          sudo apt update 
+          sudo apt install -y cmake build-essential
+      
+      - name: Configure project
+        run: |
+          mkdir build && cd build
+          cmake -DUSE_BUNDLED_DEPS=On ..
+          
+      - name: Load and store Falco version output
+        id: store_version
+        run: |
+          FALCO_VERSION=$(cat build/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+          echo "version=${FALCO_VERSION}" >> $GITHUB_OUTPUT
--- a/.github/workflows/reusable_publish_docker.yaml
+++ b/.github/workflows/reusable_publish_docker.yaml
@@ -0,0 +1,144 @@
+# This is a reusable workflow used by master and release CI
+on:
+  workflow_call:
+    inputs:
+      tag:
+        description: The tag to push
+        required: true
+        type: string
+      is_latest:
+        description: Update the latest tag with the new image
+        required: false
+        type: boolean
+        default: false
+      sign:
+        description: Add signature with cosign
+        required: false
+        type: boolean
+        default: false
+
+permissions:
+  id-token: write
+  contents: read
+  
+jobs:
+  publish-docker:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+    
+      - name: Download images tarballs
+        uses: actions/download-artifact@v3
+        with:
+          name: falco-images
+          path: /tmp/falco-images
+      
+      - name: Load all images
+        run: |
+          for img in /tmp/falco-images/falco-*.tar; do docker load --input $img; done
+    
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_SECRET }}
+      
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: "arn:aws:iam::292999226676:role/github_actions-falco-ecr"
+          aws-region: us-east-1 # The region must be set to us-east-1 in order to access ECR Public.
+          
+      - name: Login to Amazon ECR
+        id: login-ecr-public
+        uses: aws-actions/amazon-ecr-login@2f9f10ea3fa2eed41ac443fee8bfbd059af2d0a4 # v1.6.0
+        with:
+          registry-type: public    
+      
+      - name: Setup Crane
+        uses: imjasonh/setup-crane@v0.3
+        with:
+          version: v0.15.1
+
+      # We're pushing the arch-specific manifests to Docker Hub so that we'll be able to easily create the index/multiarch later
+      - name: Push arch-specific images to Docker Hub
+        run: |
+          docker push docker.io/falcosecurity/falco-no-driver:aarch64-${{ inputs.tag }}
+          docker push docker.io/falcosecurity/falco-no-driver:x86_64-${{ inputs.tag }}
+          docker push docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }}
+          docker push docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}
+          docker push docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }}
+          docker push docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}
+
+      - name: Create no-driver manifest on Docker Hub
+        uses: Noelware/docker-manifest-action@0.3.1
+        with:
+          inputs: docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }}
+          images: docker.io/falcosecurity/falco-no-driver:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-no-driver:x86_64-${{ inputs.tag }}
+          push: true
+          
+      - name: Tag slim manifest on Docker Hub
+        run: |
+          crane copy docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} docker.io/falcosecurity/falco:${{ inputs.tag }}-slim
+
+      - name: Create falco manifest on Docker Hub
+        uses: Noelware/docker-manifest-action@0.3.1
+        with:
+          inputs: docker.io/falcosecurity/falco:${{ inputs.tag }}
+          images: docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}
+          push: true
+          
+      - name: Create falco-driver-loader manifest on Docker Hub
+        uses: Noelware/docker-manifest-action@0.3.1
+        with:
+          inputs: docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}
+          images: docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}
+          push: true
+
+      - name: Get Digests for images
+        id: digests
+        run: |
+          echo "falco-no-driver=$(crane digest docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }})" >> $GITHUB_OUTPUT
+          echo "falco=$(crane digest docker.io/falcosecurity/falco:${{ inputs.tag }})" >> $GITHUB_OUTPUT
+          echo "falco-driver-loader=$(crane digest docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }})" >> $GITHUB_OUTPUT
+
+      - name: Publish images to ECR
+        run: |
+          crane copy docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }}
+          crane copy docker.io/falcosecurity/falco:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}
+          crane copy docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }}
+          crane copy public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-slim
+
+      - name: Tag latest on Docker Hub and ECR
+        if: inputs.is_latest
+        run: |
+          crane tag docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} latest
+          crane tag docker.io/falcosecurity/falco:${{ inputs.tag }} latest
+          crane tag docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }} latest
+          crane tag docker.io/falcosecurity/falco:${{ inputs.tag }}-slim latest-slim
+
+          crane tag public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }} latest
+          crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }} latest
+          crane tag public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }} latest
+          crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-slim latest-slim
+
+      - name: Setup Cosign
+        if: inputs.sign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: v2.0.2
+
+      - name: Sign images with cosign
+        if: inputs.sign
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+          COSIGN_YES: "true"
+        run: |
+          cosign sign docker.io/falcosecurity/falco-no-driver@${{ steps.digests.outputs.falco-no-driver }}
+          cosign sign docker.io/falcosecurity/falco@${{ steps.digests.outputs.falco }}
+          cosign sign docker.io/falcosecurity/falco-driver-loader@${{ steps.digests.outputs.falco-driver-loader }}
+
+          cosign sign public.ecr.aws/falcosecurity/falco-no-driver@${{ steps.digests.outputs.falco-no-driver }}
+          cosign sign public.ecr.aws/falcosecurity/falco@${{ steps.digests.outputs.falco }}
+          cosign sign public.ecr.aws/falcosecurity/falco-driver-loader@${{ steps.digests.outputs.falco-driver-loader }}
--- a/.github/workflows/reusable_publish_packages.yaml
+++ b/.github/workflows/reusable_publish_packages.yaml
@@ -0,0 +1,149 @@
+# This is a reusable workflow used by master and release CI
+on:
+  workflow_call:
+    inputs:
+      version:
+        description: The Falco version to use when publishing packages
+        required: true
+        type: string
+      bucket_suffix:
+        description: bucket suffix for packages
+        required: false
+        default: ''
+        type: string
+       
+permissions:
+  id-token: write
+  contents: read
+
+env:
+  AWS_S3_REGION: eu-west-1
+  AWS_CLOUDFRONT_DIST_ID: E1CQNPFWRXLGQD
+
+jobs:
+  publish-packages:
+    runs-on: ubuntu-latest
+    container: docker.io/centos:7
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+    
+      - name: Install dependencies
+        run: |
+          yum install epel-release -y
+          yum update -y
+          yum install rpm-sign expect which createrepo gpg python python-pip -y
+          pip install awscli==1.19.47
+
+      # Configure AWS role; see https://github.com/falcosecurity/test-infra/pull/1102
+      # Note: master CI can only push dev packages as we have 2 different roles for master and release.
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: "arn:aws:iam::292999226676:role/github_actions-falco${{ inputs.bucket_suffix }}-s3"
+          aws-region: ${{ env.AWS_S3_REGION }}    
+          
+      - name: Download RPM x86_64
+        uses: actions/download-artifact@v3
+        with:
+          name: falco-${{ inputs.version }}-x86_64.rpm
+          path: /tmp/falco-build-rpm
+
+      - name: Download RPM aarch64
+        uses: actions/download-artifact@v3
+        with:
+          name: falco-${{ inputs.version }}-aarch64.rpm
+          path: /tmp/falco-build-rpm
+
+      - name: Download binary x86_64
+        uses: actions/download-artifact@v3
+        with:
+          name: falco-${{ inputs.version }}-x86_64.tar.gz
+          path: /tmp/falco-build-bin
+
+      - name: Download binary aarch64
+        uses: actions/download-artifact@v3
+        with:
+          name: falco-${{ inputs.version }}-aarch64.tar.gz
+          path: /tmp/falco-build-bin
+
+      - name: Download static binary x86_64
+        uses: actions/download-artifact@v3
+        with:
+          name: falco-${{ inputs.version }}-static-x86_64.tar.gz
+          path: /tmp/falco-build-bin-static
+        
+      - name: Import gpg key 
+        env:
+          GPG_KEY: ${{ secrets.GPG_KEY }}
+        run: printenv GPG_KEY | gpg --import -
+        
+      - name: Sign rpms
+        run: |
+          echo "%_signature gpg" > ~/.rpmmacros
+          echo "%_gpg_name  Falcosecurity Package Signing" >> ~/.rpmmacros
+          echo "%__gpg_sign_cmd %{__gpg} --force-v3-sigs --batch --no-armor --passphrase-fd 3 --no-secmem-warning -u \"%{_gpg_name}\" -sb --digest-algo sha256 %{__plaintext_filename}'" >> ~/.rpmmacros
+          cat > ~/sign <<EOF
+          #!/usr/bin/expect -f
+          spawn rpmsign --addsign {*}\$argv
+          expect -exact "Enter pass phrase: "
+          send -- "\n"
+          expect eof
+          EOF
+          chmod +x ~/sign
+          ~/sign /tmp/falco-build-rpm/falco-*.rpm
+          rpm --qf %{SIGPGP:pgpsig} -qp /tmp/falco-build-rpm/falco-*.rpm | grep SHA256
+          
+      - name: Publish rpm
+        run: |
+          ./scripts/publish-rpm -f /tmp/falco-build-rpm/falco-${{ inputs.version }}-x86_64.rpm -f /tmp/falco-build-rpm/falco-${{ inputs.version }}-aarch64.rpm -r rpm${{ inputs.bucket_suffix }}
+      
+      - name: Publish bin
+        run: |
+          ./scripts/publish-bin -f /tmp/falco-build-bin/falco-${{ inputs.version }}-x86_64.tar.gz -r bin${{ inputs.bucket_suffix }} -a x86_64
+          ./scripts/publish-bin -f /tmp/falco-build-bin/falco-${{ inputs.version }}-aarch64.tar.gz -r bin${{ inputs.bucket_suffix }} -a aarch64
+          
+      - name: Publish static
+        run: |
+          ./scripts/publish-bin -f /tmp/falco-build-bin-static/falco-${{ inputs.version }}-static-x86_64.tar.gz -r bin${{ inputs.bucket_suffix }} -a x86_64
+          
+  publish-packages-deb:
+    runs-on: ubuntu-latest
+    container: docker.io/debian:stable
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+    
+      - name: Install dependencies
+        run: |
+          apt update -y
+          apt-get install apt-utils bzip2 gpg awscli -y
+      
+      # Configure AWS role; see https://github.com/falcosecurity/test-infra/pull/1102
+      # Note: master CI can only push dev packages as we have 2 different roles for master and release.
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: "arn:aws:iam::292999226676:role/github_actions-falco${{ inputs.bucket_suffix }}-s3"
+          aws-region: ${{ env.AWS_S3_REGION }}     
+      
+      - name: Download deb x86_64
+        uses: actions/download-artifact@v3
+        with:
+          name: falco-${{ inputs.version }}-x86_64.deb
+          path: /tmp/falco-build-deb
+
+      - name: Download deb aarch64
+        uses: actions/download-artifact@v3
+        with:
+          name: falco-${{ inputs.version }}-aarch64.deb
+          path: /tmp/falco-build-deb
+
+      - name: Import gpg key 
+        env:
+          GPG_KEY: ${{ secrets.GPG_KEY }}
+        run: printenv GPG_KEY | gpg --import -
+          
+      - name: Publish deb
+        run: |
+          ./scripts/publish-deb -f /tmp/falco-build-deb/falco-${{ inputs.version }}-x86_64.deb -f /tmp/falco-build-deb/falco-${{ inputs.version }}-aarch64.deb -r deb${{ inputs.bucket_suffix }}
--- a/.github/workflows/reusable_test_packages.yaml
+++ b/.github/workflows/reusable_test_packages.yaml
@@ -0,0 +1,75 @@
+# This is a reusable workflow used by master and release CI
+on:
+  workflow_call:
+    inputs:
+      arch:
+        description: x86_64 or aarch64
+        required: true
+        type: string
+      static:
+        description: Falco packages use a static build
+        required: false
+        type: boolean
+        default: false
+      version:
+        description: The Falco version to use when testing packages
+        required: true
+        type: string
+
+jobs:
+  test-packages:
+    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
+    runs-on: ${{ (inputs.arch == 'aarch64' && fromJSON('[ "self-hosted", "linux", "ARM64" ]')) || 'ubuntu-latest' }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          submodules: 'true'
+      
+      - name: Setup Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: '>=1.17.0'
+
+      - name: Download binary
+        uses: actions/download-artifact@v3
+        with:
+          name: falco-${{ inputs.version }}${{ inputs.static && '-static' || '' }}-${{ inputs.arch }}.tar.gz
+      
+      - name: Install Falco package
+        run: |
+          ls falco-*.tar.gz
+          tar -xvf $(ls falco-*.tar.gz)
+          cd falco-${{ inputs.version }}-${{ inputs.arch }}
+          sudo cp -r * /
+
+      - name: Install go-junit-report
+        run: |
+          pushd submodules/falcosecurity-testing
+          go install github.com/jstemmer/go-junit-report/v2@latest
+          popd
+  
+      - name: Generate regression test files
+        run: |
+          pushd submodules/falcosecurity-testing
+          go generate ./...
+          popd
+
+      - name: Run regression tests
+        run: |
+          pushd submodules/falcosecurity-testing
+          ./build/falco.test -falco-static=${{ inputs.static && 'true' || 'false' }} -test.timeout=90s -test.v >> ./report.txt 2>&1 || true
+          if ${{ inputs.static && 'false' || 'true' }}; then
+            ./build/falcoctl.test -test.timeout=90s -test.v >> ./report.txt 2>&1 || true
+            ./build/k8saudit.test -test.timeout=90s -test.v >> ./report.txt 2>&1 || true
+          fi
+          cat ./report.txt | go-junit-report -set-exit-code > report.xml
+          popd
+
+      - name: Test Summary
+        if: always() # run this even if previous step fails
+        uses: test-summary/action@v2
+        with:
+          paths: "submodules/falcosecurity-testing/report.xml"
+          show: "fail"
--- a/.gitignore
+++ b/.gitignore
@@ -2,14 +2,6 @@
 *~
 *.pyc

-test/traces-negative
-test/traces-positive
-test/traces-info
-test/job-results
-test/.phoronix-test-suite
-test/results*.json.*
-test/build
-
 .vscode/*

 *.idea*
--- a/.gitmodules
+++ b/.gitmodules
@@ -2,3 +2,7 @@
 	path = submodules/falcosecurity-rules
 	url = https://github.com/falcosecurity/rules.git
 	branch = main
+[submodule "submodules/falcosecurity-testing"]
+	path = submodules/falcosecurity-testing
+	url = https://github.com/falcosecurity/testing.git
+	branch = main
--- a/ADOPTERS.md
+++ b/ADOPTERS.md
@@ -24,6 +24,8 @@ This is a list of production adopters of Falco (in alphabetical order):

 * [Coveo](https://www.coveo.com/) - Coveo stitches together content and data, learning from every interaction, to tailor every experience using AI to drive growth, satisfy customers and develop employee proficiency. All Falco events are centralized in our SIEM for analysis. Understanding what is running on production servers, and the context around why things are running is even more tricky now that we have further abstractions with containers and orchestration systems. Falco is giving us a good visibility inside containers and complement other Host and Network Intrusion Detection Systems. In a near future, we expect to deploy serverless functions to take action when Falco identifies patterns worth taking action for.

+* [Deckhouse](https://deckhouse.io/) - Deckhouse Platform presents to you the opportunity to create homogeneous Kubernetes clusters anywhere and handles comprehensive, automagical management for them. It supplies all the add-ons you need for auto-scaling, observability, security, and service mesh. Falco is used as a part of the [runtime-audit-engine](https://deckhouse.io/documentation/latest/modules/650-runtime-audit-engine/) module to provide threats detection and enforce security compliance out of the box. By pairing with [shell-operator](https://github.com/flant/shell-operator) Falco can be configured by Kubernetes Custom Resources.
+
 * [Fairwinds](https://fairwinds.com/) - [Fairwinds Insights](https://fairwinds.com/insights), Kubernetes governance software, integrates Falco to offer a single pane of glass view into potential security incidents. Insights adds out-of-the-box integrations and rules filter to reduce alert fatigue and improve security response. The platform adds security prevention, detection, and response capabilities to your existing Kubernetes infrastructure. Security and DevOps teams benefit from a centralized view of container security vulnerability scanning and runtime container security.

 * [Frame.io](https://frame.io/) - Frame.io is a cloud-based (SaaS) video review and collaboration platform that enables users to securely upload source media, work-in-progress edits, dailies, and more into private workspaces where they can invite their team and clients to collaborate on projects. Understanding what is running on production servers, and the context around why things are running is even more tricky now that we have further abstractions like Docker and Kubernetes. To get this needed visibility into our system, we rely on Falco. Falco's ability to collect raw system calls such as open, connect, exec, along with their arguments offer key insights on what is happening on the production system and became the foundation of our intrusion detection and alerting system.
@@ -66,12 +68,16 @@ This is a list of production adopters of Falco (in alphabetical order):

 * [Shapesecurity/F5](https://www.shapesecurity.com/) Shapesecurity defends against application fraud attacks like Account Take Over, Credential Stuffing, Fake Accounts, etc. Required by FedRamp certification, we needed to find a FIM solution to help monitor and protect our Kubernetes clusters. Traditional FIM solutions were not scalable and not working for our environment, but with Falco we found the solution we needed. Falco's detection capabilities have helped us identify anomalous behaviour within our clusters. We leverage Sidekick (https://github.com/falcosecurity/charts/tree/master/falcosidekick) to send Falco alerts to a PubSub which in turn publishes those alerts to our SIEM (SumoLogic)

-* [Yahoo! JAPAN](https://www.yahoo.co.jp/) Yahoo! JAPAN is a leading company of internet in Japan. We build an AI Platform in our private cloud and provide it to scientists in our company. AI Platform is a multi-tenant Kubernetes environment and more flexible, faster, more efficient Machine Learning environment. Falco is used to detect unauthorized commands and malicious access and our AI Platform is monitored and alerted by Falco.
-
 * [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call driver. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended Falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-defined infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.

+* [Thales Group](https://www.thalesgroup.com) Thales is a global technology leader with more than 81,000 employees on five continents. The Thales Group is investing in digital and “deep tech” innovations – Big Data, artificial intelligence, connectivity, cybersecurity and quantum technology – to build a future we can all trust. In the past few years, the Cloud-Native paradigms and its frameworks and tools have challenged the way applications and services are developed, delivered, and instantiated. All sorts of services are container-based workloads managed by higher level layers of orchestration such as the Kubernetes environment. Thales is committed to develop Cloud-Native services and to provide its customers with security features that ensure their applications and services are protected against cyber threats. Falco is a framework that can help Thales' products and services reach the level of trust, security and safety our clients need.
+
+* [Vinted](https://vinted.com/) Vinted uses Falco to continuously monitor container activities, identifying security threats, and ensuring compliance. The container-native approach, rule-based real-time threat detection, community support, extensibility, and compliance capabilities are the main factors why we chose it to enhance Vinted Kubernetes security. Falco Sidekick is used to send critical and warning severity alerts to our incident management solution (RTIR).
+
 * [Xenit AB](https://xenit.se/contact/) Xenit is a growth company with services within cloud and digital transformation. We provide an open-source Kubernetes framework that we leverage to help our customers get their applications to production as quickly and as securely as possible. We use Falco's detection capabilities to identify anomalous behaviour within our clusters in both Azure and AWS.

+* [Yahoo! JAPAN](https://www.yahoo.co.jp/) Yahoo! JAPAN is a leading company of internet in Japan. We build an AI Platform in our private cloud and provide it to scientists in our company. AI Platform is a multi-tenant Kubernetes environment and more flexible, faster, more efficient Machine Learning environment. Falco is used to detect unauthorized commands and malicious access and our AI Platform is monitored and alerted by Falco.
+
 ## Projects that use Falco libs

 * [R6/Phoenix](https://r6security.com/) is an attack surface protection company that uses moving target defense to provide fully automated, proactive and devops friendly security to its customers. There are a set of policies you can add to enable the moving target defense capabilities. Some of them are triggered by a combination of Falco's findings. You can kill, restart and rename pods according to the ever changing policies.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,154 @@
 # Change Log

+## v0.35.1
+
+Released on 2023-06-29
+
+### Major Changes
+
+
+### Minor Changes
+
+* update(userspace): change description of snaplen option stating only performance implications [[#2634](https://github.com/falcosecurity/falco/pull/2634)] - [@loresuso](https://github.com/loresuso)
+* update(cmake): bump libs to 0.11.3 [[#2662](https://github.com/falcosecurity/falco/pull/2662)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* cleanup(config): minor config clarifications [[#2651](https://github.com/falcosecurity/falco/pull/2651)] - [@incertum](https://github.com/incertum)
+* update(cmake): bump falco rules to v1.0.1 [[#2648](https://github.com/falcosecurity/falco/pull/2648)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* chore(userspace/falco): make source matching error more expressive [[#2623](https://github.com/falcosecurity/falco/pull/2623)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(.github): integrate Go regression tests [[#2437](https://github.com/falcosecurity/falco/pull/2437)] - [@jasondellaluce](https://github.com/jasondellaluce)
+
+
+### Bug Fixes
+
+* fix(scripts): fixed falco-driver-loader to manage debian kernel rt and cloud flavors. [[#2627](https://github.com/falcosecurity/falco/pull/2627)] - [@FedeDP](https://github.com/FedeDP)
+* fix(userspace/falco): solve live multi-source issues when loading more than two sources [[#2653](https://github.com/falcosecurity/falco/pull/2653)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(driver-loader): fix ubuntu kernel version parsing [[#2635](https://github.com/falcosecurity/falco/pull/2635)] - [@therealbobo](https://github.com/therealbobo)
+* fix(userspace): switch to timer_settime API for stats writer. [[#2646](https://github.com/falcosecurity/falco/pull/2646)] - [@FedeDP](https://github.com/FedeDP)
+
+
+
+### Non user-facing changes
+
+* CI: bump ubuntu version for tests-driver-loader-integration job [[#2661](https://github.com/falcosecurity/falco/pull/2661)] - [@Andreagit97](https://github.com/Andreagit97)
+
+## v0.35.0
+
+Released on 2023-06-07
+
+### Major Changes
+
+* BREAKING CHANGE: support for metadata enrichment from Mesos has been removed. [[#2465](https://github.com/falcosecurity/falco/pull/2465)] - [@leogr](https://github.com/leogr)
+
+* new(falco): introduce new metrics w/ Falco internal: metrics snapshot option and new metrics config [[#2333](https://github.com/falcosecurity/falco/pull/2333)] - [@incertum](https://github.com/incertum)
+* new(scripts): properly manage talos prebuilt drivers [[#2537](https://github.com/falcosecurity/falco/pull/2537)] - [@FedeDP](https://github.com/FedeDP)
+* new(release): released container images are now signed with cosign [[#2546](https://github.com/falcosecurity/falco/pull/2546)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(ci): ported master and release artifacts publishing CI to gha [[#2501](https://github.com/falcosecurity/falco/pull/2501)] - [@FedeDP](https://github.com/FedeDP)
+* new(app_actions): introduce base_syscalls user option [[#2428](https://github.com/falcosecurity/falco/pull/2428)] - [@incertum](https://github.com/incertum)
+* new(falco/config): add new configurations for http_output that allow custom CA certificates and stores. [[#2458](https://github.com/falcosecurity/falco/pull/2458)] - [@alacuku](https://github.com/alacuku)
+* new(userspace): add a new `syscall_drop_failed` config option to drop failed syscalls exit events [[#2456](https://github.com/falcosecurity/falco/pull/2456)] - [@FedeDP](https://github.com/FedeDP)
+
+
+### Minor Changes
+
+* update(cmake): bump Falco rules to 1.0.0 [[#2618](https://github.com/falcosecurity/falco/pull/2618)] - [@loresuso](https://github.com/loresuso)
+* update(cmake): bump libs to 0.11.1 [[#2614](https://github.com/falcosecurity/falco/pull/2614)] - [@loresuso](https://github.com/loresuso)
+* update(cmake): bump plugins to latest versions [[#2610](https://github.com/falcosecurity/falco/pull/2610)] - [@loresuso](https://github.com/loresuso)
+* update(cmake): bump falco rules to 1.0.0-rc1 [[#2609](https://github.com/falcosecurity/falco/pull/2609)] - [@loresuso](https://github.com/loresuso)
+* update(cmake): bump libs to 0.11.0 [[#2608](https://github.com/falcosecurity/falco/pull/2608)] - [@loresuso](https://github.com/loresuso)
+* cleanup(docs): update release.md [[#2599](https://github.com/falcosecurity/falco/pull/2599)] - [@incertum](https://github.com/incertum)
+* update(cmake): bump libs to 0.11.0-rc5 and driver to 5.0.1. [[#2600](https://github.com/falcosecurity/falco/pull/2600)] - [@FedeDP](https://github.com/FedeDP)
+* cleanup(docs): adjust falco readme style and content [[#2594](https://github.com/falcosecurity/falco/pull/2594)] - [@incertum](https://github.com/incertum)
+* cleanup(userspace, config): improve metrics UX, add include_empty_values option [[#2593](https://github.com/falcosecurity/falco/pull/2593)] - [@incertum](https://github.com/incertum)
+* feat: add the curl and jq packages to the falco-no-driver docker image [[#2581](https://github.com/falcosecurity/falco/pull/2581)] - [@therealdwright](https://github.com/therealdwright)
+* update: add missing exception, required_engine_version, required_plugin_version to -L json output [[#2584](https://github.com/falcosecurity/falco/pull/2584)] - [@loresuso](https://github.com/loresuso)
+* feat: add image source OCI label to docker images [[#2592](https://github.com/falcosecurity/falco/pull/2592)] - [@therealdwright](https://github.com/therealdwright)
+* cleanup(config): improve falco config [[#2571](https://github.com/falcosecurity/falco/pull/2571)] - [@incertum](https://github.com/incertum)
+* update(cmake): bump libs and plugins to latest dev versions [[#2586](https://github.com/falcosecurity/falco/pull/2586)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* chore(userspace/falco): always print invalid syscalls from custom set [[#2578](https://github.com/falcosecurity/falco/pull/2578)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(build): upgrade falcoctl to 0.5.0 [[#2572](https://github.com/falcosecurity/falco/pull/2572)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* chore(userspace/falco/app): print all supported plugin caps [[#2564](https://github.com/falcosecurity/falco/pull/2564)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update: get rules details with `-l` or `-L` flags when json output format is specified [[#2544](https://github.com/falcosecurity/falco/pull/2544)] - [@loresuso](https://github.com/loresuso)
+* update!: bump libs version, and support latest plugin features, add --nodriver option [[#2552](https://github.com/falcosecurity/falco/pull/2552)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* cleanup(actions): now modern bpf support `-A` flag [[#2551](https://github.com/falcosecurity/falco/pull/2551)] - [@Andreagit97](https://github.com/Andreagit97)
+* update: `falco-driver-loader` now uses now uses $TMPDIR if set [[#2518](https://github.com/falcosecurity/falco/pull/2518)] - [@jabdr](https://github.com/jabdr)
+* update: improve control and UX of ignored events [[#2509](https://github.com/falcosecurity/falco/pull/2509)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update: bump libs and adapt Falco to new libsinsp event source management [[#2507](https://github.com/falcosecurity/falco/pull/2507)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* new(app_actions)!: adjust base_syscalls option, add base_syscalls.repair [[#2457](https://github.com/falcosecurity/falco/pull/2457)] - [@incertum](https://github.com/incertum)
+* update(scripts): support al2022 and al2023 in falco-driver-loader. [[#2494](https://github.com/falcosecurity/falco/pull/2494)] - [@FedeDP](https://github.com/FedeDP)
+* update: sync libs with newest event name APIs [[#2471](https://github.com/falcosecurity/falco/pull/2471)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update!: remove `--mesos-api`, `-pmesos`, and `-pm` command-line flags [[#2465](https://github.com/falcosecurity/falco/pull/2465)] - [@leogr](https://github.com/leogr)
+* cleanup(unit_tests): try making test_configure_interesting_sets more robust [[#2464](https://github.com/falcosecurity/falco/pull/2464)] - [@incertum](https://github.com/incertum)
+
+
+### Bug Fixes
+
+* fix: unquote quoted URL's to avoid libcurl errors [[#2596](https://github.com/falcosecurity/falco/pull/2596)] - [@therealdwright](https://github.com/therealdwright)
+* fix(userspace/engine): store alternatives as array in -L json output [[#2597](https://github.com/falcosecurity/falco/pull/2597)] - [@loresuso](https://github.com/loresuso)
+* fix(userspace/engine): store required engine version as string in -L json output [[#2595](https://github.com/falcosecurity/falco/pull/2595)] - [@loresuso](https://github.com/loresuso)
+* fix(userspace/falco): report plugin deps rules issues in any case [[#2589](https://github.com/falcosecurity/falco/pull/2589)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(userspace): hotreload on wrong metrics [[#2582](https://github.com/falcosecurity/falco/pull/2582)] - [@therealbobo](https://github.com/therealbobo)
+* fix(userspace): check the supported number of online CPUs with modern bpf [[#2575](https://github.com/falcosecurity/falco/pull/2575)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(userspace/falco): don't hang on terminating error when multi sourcing [[#2576](https://github.com/falcosecurity/falco/pull/2576)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(userspace/falco): properly format numeric values in metrics [[#2569](https://github.com/falcosecurity/falco/pull/2569)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(scripts): properly support debian kernel releases embedded in kernel version [[#2377](https://github.com/falcosecurity/falco/pull/2377)] - [@FedeDP](https://github.com/FedeDP)
+
+
+
+### Non user-facing changes
+
+* docs(README.md): add scope/status badge and simply doc structure [[#2611](https://github.com/falcosecurity/falco/pull/2611)] - [@leogr](https://github.com/leogr)
+* build(deps): Bump submodules/falcosecurity-rules from `3471984` to `16fb709` [[#2598](https://github.com/falcosecurity/falco/pull/2598)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* docs(proposals): Falco roadmap management [[#2547](https://github.com/falcosecurity/falco/pull/2547)] - [@leogr](https://github.com/leogr)
+* build(deps): Bump submodules/falcosecurity-rules from `b2290ad` to `3471984` [[#2577](https://github.com/falcosecurity/falco/pull/2577)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(build): libs 0.11.0-rc2 [[#2573](https://github.com/falcosecurity/falco/pull/2573)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* build(deps): Bump submodules/falcosecurity-rules from `3f52480` to `b2290ad` [[#2570](https://github.com/falcosecurity/falco/pull/2570)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(ci): use repo instead of master branch for reusable workflows [[#2568](https://github.com/falcosecurity/falco/pull/2568)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* cleanup(ci): cleaned up circleci workflow. [[#2566](https://github.com/falcosecurity/falco/pull/2566)] - [@FedeDP](https://github.com/FedeDP)
+* build(deps): Bump requests from 2.26.0 to 2.31.0 in /test [[#2567](https://github.com/falcosecurity/falco/pull/2567)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix(ci): simplify and fix multi-arch image publishing process [[#2542](https://github.com/falcosecurity/falco/pull/2542)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(ci): get the manifest for the correct tag [[#2563](https://github.com/falcosecurity/falco/pull/2563)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* build(deps): Bump submodules/falcosecurity-rules from `3f52480` to `6da15ae` [[#2559](https://github.com/falcosecurity/falco/pull/2559)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix(ci): properly use `docker save` to store images. [[#2560](https://github.com/falcosecurity/falco/pull/2560)] - [@FedeDP](https://github.com/FedeDP)
+* fix(ci): docker arg is named `TARGETARCH`. [[#2558](https://github.com/falcosecurity/falco/pull/2558)] - [@FedeDP](https://github.com/FedeDP)
+* fix(ci): set docker TARGET_ARCH [[#2557](https://github.com/falcosecurity/falco/pull/2557)] - [@FedeDP](https://github.com/FedeDP)
+* fix(ci): use normal docker to build docker images, instead of buildx. [[#2556](https://github.com/falcosecurity/falco/pull/2556)] - [@FedeDP](https://github.com/FedeDP)
+* docs: improve documentation and description of base_syscalls option [[#2515](https://github.com/falcosecurity/falco/pull/2515)] - [@Happy-Dude](https://github.com/Happy-Dude)
+* Updating Falco branding guidelines [[#2493](https://github.com/falcosecurity/falco/pull/2493)] - [@aijamalnk](https://github.com/aijamalnk)
+* build(deps): Bump submodules/falcosecurity-rules from `f773578` to `6da15ae` [[#2553](https://github.com/falcosecurity/falco/pull/2553)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix(cmake): properly exclude prereleases when fetching latest tag from cmake [[#2550](https://github.com/falcosecurity/falco/pull/2550)] - [@FedeDP](https://github.com/FedeDP)
+* fix(ci): load falco image before building falco-driver-loader [[#2549](https://github.com/falcosecurity/falco/pull/2549)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(ci): correctly tag slim manifest [[#2545](https://github.com/falcosecurity/falco/pull/2545)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* cleanup(config): modern bpf is no more experimental [[#2538](https://github.com/falcosecurity/falco/pull/2538)] - [@Andreagit97](https://github.com/Andreagit97)
+* new(ci): add RC/prerelease support [[#2533](https://github.com/falcosecurity/falco/pull/2533)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(ci): configure ECR public region [[#2531](https://github.com/falcosecurity/falco/pull/2531)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(ci): falco images directory, ecr login [[#2528](https://github.com/falcosecurity/falco/pull/2528)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(ci): separate rpm/bin/bin-static/deb packages before publication, rename bin-static [[#2527](https://github.com/falcosecurity/falco/pull/2527)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(ci): add Cloudfront Distribution ID [[#2525](https://github.com/falcosecurity/falco/pull/2525)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(ci): escape heredoc [[#2521](https://github.com/falcosecurity/falco/pull/2521)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* chore(ci): build-musl-package does not need to wait for build-packages anymore [[#2520](https://github.com/falcosecurity/falco/pull/2520)] - [@FedeDP](https://github.com/FedeDP)
+* fix: ci Falco version [[#2516](https://github.com/falcosecurity/falco/pull/2516)] - [@FedeDP](https://github.com/FedeDP)
+* fix(ci): fetch version step, download rpms/debs, minor change [[#2519](https://github.com/falcosecurity/falco/pull/2519)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* chore(ci): properly install recent version of git (needed >= 2.18 by checkout action) [[#2514](https://github.com/falcosecurity/falco/pull/2514)] - [@FedeDP](https://github.com/FedeDP)
+* fix(ci): enable toolset before every make command [[#2513](https://github.com/falcosecurity/falco/pull/2513)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(ci): remove unnecessary mv [[#2512](https://github.com/falcosecurity/falco/pull/2512)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(ci): bucket -> bucket_suffix [[#2511](https://github.com/falcosecurity/falco/pull/2511)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* build(deps): Bump submodules/falcosecurity-rules from `5857874` to `1bd7e4a` [[#2478](https://github.com/falcosecurity/falco/pull/2478)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* build(deps): Bump submodules/falcosecurity-rules from `694adf5` to `5857874` [[#2473](https://github.com/falcosecurity/falco/pull/2473)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* cleanup(ci): properly set a concurrency for CI workflows. [[#2470](https://github.com/falcosecurity/falco/pull/2470)] - [@FedeDP](https://github.com/FedeDP)
+* build(deps): Bump submodules/falcosecurity-rules from `e0646a0` to `694adf5` [[#2466](https://github.com/falcosecurity/falco/pull/2466)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* build(deps): Bump submodules/falcosecurity-rules from `0b0f50f` to `e0646a0` [[#2460](https://github.com/falcosecurity/falco/pull/2460)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+
+## v0.34.1
+
+Released on 2023-02-20
+
+### Minor Changes
+
+* fix(userspace/engine): correctly bump FALCO_ENGINE_VERSION after introduction of new fields [[#2418](https://github.com/falcosecurity/falco/pull/2418)] - [@loresuso](https://github.com/loresuso/)
+
+### Non user-facing changes
+
+* fix(dockerfile/no-driver): install ca-certificates [[#2412](https://github.com/falcosecurity/falco/pull/2412)] - [@alacuku](https://github.com/alacuku)
+
 ## v0.34.0

 Released on 2023-02-07
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -18,6 +18,7 @@ option(USE_BUNDLED_DEPS "Bundle hard to find dependencies into the Falco binary"
 option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF)
 option(MINIMAL_BUILD "Build a minimal version of Falco, containing only the engine and basic input/output (EXPERIMENTAL)" OFF)
 option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF)
+option(BUILD_FALCO_UNIT_TESTS "Build falco unit tests" OFF)

 # gVisor is currently only supported on Linux x86_64
 if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64" AND CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT MINIMAL_BUILD)
@@ -43,6 +44,8 @@ if (${EP_UPDATE_DISCONNECTED})
    PROPERTY EP_UPDATE_DISCONNECTED TRUE)
 endif()

+set(CMAKE_CXX_STANDARD 17)
+set(CMAKE_CXX_EXTENSIONS OFF)

 # Elapsed time
 # set_property(GLOBAL PROPERTY RULE_LAUNCH_COMPILE "${CMAKE_COMMAND} -E time") # TODO(fntlnz, leodido): add a flag to enable this
@@ -107,7 +110,7 @@ if(BUILD_WARNINGS_AS_ERRORS)
 endif()

 set(CMAKE_C_FLAGS "${CMAKE_COMMON_FLAGS}")
-set(CMAKE_CXX_FLAGS "--std=c++0x ${CMAKE_COMMON_FLAGS} -Wno-class-memaccess")
+set(CMAKE_CXX_FLAGS "-std=c++17 ${CMAKE_COMMON_FLAGS} -Wno-class-memaccess")

 set(CMAKE_C_FLAGS_DEBUG "${FALCO_EXTRA_DEBUG_FLAGS}")
 set(CMAKE_CXX_FLAGS_DEBUG "${FALCO_EXTRA_DEBUG_FLAGS}")
@@ -115,8 +118,6 @@ set(CMAKE_CXX_FLAGS_DEBUG "${FALCO_EXTRA_DEBUG_FLAGS}")
 set(CMAKE_C_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
 set(CMAKE_CXX_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")

-include(GetFalcoVersion)
-
 set(PACKAGE_NAME "falco")
 set(DRIVER_NAME "falco")
 set(DRIVER_DEVICE_NAME "falco")
@@ -144,20 +145,14 @@ include(ExternalProject)
 # libs
 include(falcosecurity-libs)

+# compute FALCO_VERSION (depends on libs)
+include(falco-version)
+
 # jq
 include(jq)

 # nlohmann-json
-set(NJSON_SRC "${PROJECT_BINARY_DIR}/njson-prefix/src/njson")
-message(STATUS "Using bundled nlohmann-json in '${NJSON_SRC}'")
-set(NJSON_INCLUDE "${NJSON_SRC}/single_include")
-ExternalProject_Add(
-  njson
-  URL "https://github.com/nlohmann/json/archive/v3.3.0.tar.gz"
-  URL_HASH "SHA256=2fd1d207b4669a7843296c41d3b6ac5b23d00dec48dba507ba051d14564aa801"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  INSTALL_COMMAND "")
+include(njson)

 # b64
 include(b64)
@@ -195,17 +190,11 @@ install(FILES falco.yaml DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${FALCO_COMPO
 if(NOT MINIMAL_BUILD)
  # Coverage
  include(Coverage)
-
-  # Tests
-  add_subdirectory(test)
 endif()

 # Rules
 include(rules)

-# Dockerfiles
-add_subdirectory(docker)
-
 # Clang format
 # add_custom_target(format COMMAND clang-format --style=file -i $<TARGET_PROPERTY:falco,SOURCES> COMMENT "Formatting ..." VERBATIM)

@@ -222,7 +211,6 @@ set(FALCO_BIN_DIR bin)
 add_subdirectory(scripts)
 add_subdirectory(userspace/engine)
 add_subdirectory(userspace/falco)
-add_subdirectory(tests)

 if(NOT MUSL_OPTIMIZED_BUILD)
  include(plugins)
@@ -232,3 +220,7 @@ include(falcoctl)

 # Packages configuration
 include(CPackConfig)
+
+if(BUILD_FALCO_UNIT_TESTS)
+  add_subdirectory(unit_tests)
+endif()
--- a/2
+++ b/2
@@ -4,6 +4,8 @@ approvers:
  - jasondellaluce
  - fededp
  - andreagit97
+  - incertum
+  - LucaGuerra
 reviewers:
  - kaizhe
 emeritus_approvers:
--- a/README.md
+++ b/README.md
@@ -1,164 +1,83 @@
-<p align="center"><img src="https://raw.githubusercontent.com/falcosecurity/community/master/logo/primary-logo.png" width="360"></p>
-<p align="center"><b>Cloud Native Runtime Security.</b></p>
+# Falco

-<hr>
+[![Latest release](https://img.shields.io/github/v/release/falcosecurity/falco?style=for-the-badge)](https://github.com/falcosecurity/falco/releases/latest) [![Supported Architectures](https://img.shields.io/badge/ARCHS-x86__64%7Caarch64-blueviolet?style=for-the-badge)](https://github.com/falcosecurity/falco/releases/latest) [![License](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING) [![Docs](https://img.shields.io/badge/docs-latest-green.svg?style=for-the-badge)](https://falco.org/docs)

-[![Build Status](https://img.shields.io/circleci/build/github/falcosecurity/falco/master?style=for-the-badge)](https://circleci.com/gh/falcosecurity/falco) [![CII Best Practices Summary](https://img.shields.io/cii/summary/2317?label=CCI%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) [![GitHub](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING) [![Latest](https://img.shields.io/github/v/release/falcosecurity/falco?style=for-the-badge)](https://github.com/falcosecurity/falco/releases/latest) ![Architectures](https://img.shields.io/badge/ARCHS-x86__64%7Caarch64-blueviolet?style=for-the-badge)
+[![Falco Core Repository](https://github.com/falcosecurity/evolution/blob/main/repos/badges/falco-core-blue.svg)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#core-scope) [![Stable](https://img.shields.io/badge/status-stable-brightgreen?style=for-the-badge)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#stable)  [![OpenSSF Best Practices](https://img.shields.io/cii/summary/2317?label=OpenSSF%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317)

-Want to talk? Join us on the [#falco](https://kubernetes.slack.com/messages/falco) channel in the [Kubernetes Slack](https://slack.k8s.io).
+[![Falco](https://falco.org/img/brand/falco-horizontal-color.svg)](https://falco.org)

-## Latest releases
+[Falco](https://falco.org/) is a cloud native runtime security tool for Linux operating systems. It is designed to detect and alert on abnormal behavior and potential security threats in real-time.

-Read the [change log](CHANGELOG.md).
+At its core, Falco is a kernel monitoring and detection agent that observes events, such as syscalls, based on custom rules. Falco can enhance these events by integrating metadata from the container runtime and Kubernetes. The collected events can be analyzed off-host in SIEM or data lake systems.

-<!-- 
-Badges in the following table are constructed by using the
-https://img.shields.io/badge/dynamic/xml endpoint.
+Falco, originally created by [Sysdig](https://sysdig.com), is an incubating project under the [Cloud Native Computing Foundation](https://cncf.io) (CNCF) used in production by various [organisations](https://github.com/falcosecurity/falco/blob/master/ADOPTERS.md).

-Parameters are configured for fetching packages from S3 before 
-(filtered by prefix, sorted in ascending order) and for picking 
-the latest package by using an XPath selector after.
+For detailed technical information and insights into the cyber threats that Falco can detect, visit the official [Falco](https://falco.org/) website.

- Common query parameters:
+For comprehensive information on the latest updates and changes to the project, please refer to the [change log](CHANGELOG.md). Additionally, we have documented the [release process](RELEASE.md) for delivering new versions of Falco.

-color=#300aec7
-style=flat-square
-label=Falco
+## Falco Repo: Powering the Core of The Falco Project

- DEB packages parameters:
+This is the main Falco repository which contains the source code for building the Falco binary. By utilizing its [libraries](https://github.com/falcosecurity/libs) and the [falco.yaml](falco.yaml) configuration file, this repository forms the foundation of Falco's functionality. The Falco repository is closely interconnected with the following *core* repositories:

-url=https://falco-distribution.s3-eu-west-1.amazonaws.com/?prefix=packages/deb/stable/falco-
-query=substring-before(substring-after((/*[name()='ListBucketResult']/*[name()='Contents'])[last()]/*[name()='Key'],"falco-"),".asc")
+- [falcosecurity/libs](https://github.com/falcosecurity/libs): Falco's libraries are key to its fundamental operations, making up the greater portion of the source code of the Falco binary and providing essential features such as kernel drivers.
+- [falcosecurity/rules](https://github.com/falcosecurity/rules): Contains the official ruleset for Falco, providing pre-defined detection rules for various security threats and abnormal behaviors.
+- [falcosecurity/plugins](https://github.com/falcosecurity/plugins/): Falco plugins facilitate integration with external services, expand Falco's capabilities beyond syscalls and container events, and are designed to evolve with specialized functionality in future releases.
+- [falcosecurity/falcoctl](https://github.com/falcosecurity/falcoctl): Command-line utility for managing and interacting with Falco.

- RPM packages parameters:
+For more information, visit the official hub of The Falco Project: [falcosecurity/evolution](https://github.com/falcosecurity/evolution). It provides valuable insights and information about the project's repositories.

-url=https://falco-distribution.s3-eu-west-1.amazonaws.com/?prefix=packages/rpm/falco-
-query=substring-before(substring-after((/*[name()='ListBucketResult']/*[name()='Contents'])[last()]/*[name()='Key'],"falco-"),".asc")
+## Getting Started with Falco

- BIN packages parameters:
+Carefully review and follow the [official guide and documentation](https://falco.org/docs/getting-started/).

-url=https://falco-distribution.s3-eu-west-1.amazonaws.com/?prefix=packages/bin/x86_64/falco-
-query=substring-after((/*[name()='ListBucketResult']/*[name()='Contents'])[last()]/*[name()='Key'], "falco-")
+Considerations and guidance for Falco adopters:

-Notes:
- - if more than 1000 items are present under as S3 prefix, 
-   the actual latest package will be not picked;
-   see https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2.html
- - for `-dev` packages, the S3 prefix is modified accordingly
- - finally, all parameters are URL encoded and appended to the badge endpoint
+1. Understand dependencies: Assess the environment where you'll run Falco and consider kernel versions and architectures.

-->
+2. Define threat detection objectives: Clearly identify the threats you want to detect and evaluate Falco's strengths and limitations.

-|              | development                                                                                                                                                                                                                                                                                                                                                                                                                                                                | stable                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-|--------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| rpm-x86_64          | [![rpm-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm-dev%2Ffalco-%26delimiter=aarch64)][1]          | [![rpm](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm%2Ffalco-%26delimiter=aarch64)][2]          |
-| deb-x86_64          | [![deb-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb-dev%2Fstable%2Ffalco-%26delimiter=aarch64)][3] | [![deb](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb%2Fstable%2Ffalco-%26delimiter=aarch64)][4] |
-| binary-x86_64       | [![bin-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin-dev%2Fx86_64%2Ffalco-)][5]                                                     | [![bin](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin%2Fx86_64%2Ffalco-)][6]                                                     |
-| rpm-aarch64    | [![rpm-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm-dev%2Ffalco-%26delimiter=x86_64)][1]           | [![rpm](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm%2Ffalco-%26delimiter=x86_64)][2]           |
-| deb-aarch64    | [![deb-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb-dev%2Fstable%2Ffalco-%26delimiter=x86_64)][3]  | [![deb](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb%2Fstable%2Ffalco-%26delimiter=x86_64)][4]  |
-| binary-aarch64 | [![bin-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin-dev%2Faarch64%2Ffalco-)][7]                                                    | [![bin](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin%2Faarch64%2Ffalco-)][8]                                                    |
+3. Consider performance and cost: Assess compute performance overhead and align with system administrators or SREs. Budget accordingly.

---
+4. Choose build and customization approach: Decide between the open source Falco build or creating a custom build pipeline. Customize the build and deployment process as necessary, including incorporating unique tests or approaches, to ensure a resilient deployment with fast deployment cycles.

-The Falco Project, originally created by [Sysdig](https://sysdig.com), is an incubating [CNCF](https://cncf.io) open source cloud native runtime security tool.
-Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack. 
-Falco can also be extended to other data sources by using plugins.
-Falco has a rich set of security rules specifically built for Kubernetes, Linux, and cloud-native.
-If a rule is violated in a system, Falco will send an alert notifying the user of the violation and its severity.
-
-## What can Falco detect?
-
-Falco can detect and alert on any behavior that involves making Linux system calls.
-Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process.
-For example, Falco can easily detect incidents including but not limited to:
-
- A shell is running inside a container or pod in Kubernetes.
- A container is running in privileged mode, or is mounting a sensitive path, such as `/proc`, from the host.
- A server process is spawning a child process of an unexpected type.
- Unexpected read of a sensitive file, such as `/etc/shadow`.
- A non-device file is written to `/dev`.
- A standard system binary, such as `ls`, is making an outbound network connection.
- A privileged pod is started in a Kubernetes cluster.
-
-The official Falco rules are maintained and released in [falcosecurity/rules](https://github.com/falcosecurity/rules/). That repository also contains the Falco rules inventory [document](https://github.com/falcosecurity/rules/blob/main/rules_inventory/rules_overview.md), which provides additional details around the default rules Falco ships with.
-
-## Installing Falco
-
-If you would like to run Falco in **production** please adhere to the [official installation guide](https://falco.org/docs/getting-started/installation/).
-
-### Kubernetes
-
-| Tool     | Link                                                                                       | Note                                                               |
-|----------|--------------------------------------------------------------------------------------------|--------------------------------------------------------------------|
-| Helm     | [Chart Repository](https://github.com/falcosecurity/charts/tree/master/falco#introduction) | The Falco community offers regular helm chart releases.            |
-| Minikube | [Tutorial](https://falco.org/docs/getting-started/third-party/#minikube)                                   | The Falco driver has been baked into minikube for easy deployment. |
-| Kind     | [Tutorial](https://falco.org/docs/getting-started/third-party/#kind)                                       | Running Falco with kind requires a driver on the host system.      |
-| GKE      | [Tutorial](https://falco.org/docs/getting-started/third-party/#gke)                                        | We suggest using the eBPF driver for running Falco on GKE.         |
-
-## Developing
-
-Falco is designed to be extensible such that it can be built into cloud-native applications and infrastructure.
-
-Falco has a [gRPC](https://falco.org/docs/grpc/) endpoint and an API defined in [protobuf](https://github.com/falcosecurity/falco/blob/master/userspace/falco/outputs.proto).
-The Falco Project supports various SDKs for this endpoint.
-
-### SDKs
-
-| Language | Repository                                              |
-|----------|---------------------------------------------------------|
-| Go       | [client-go](https://github.com/falcosecurity/client-go) |
-
-## Plugins
-
-Falco comes with a [plugin framework](https://falco.org/docs/plugins/) that extends it to potentially any cloud detection scenario. Plugins are shared libraries that conform to a documented API and allow for:
-
- Adding new event sources that can be used in rules;
- Adding the ability to define new fields and extract information from events.
-
-The Falco Project maintains [various plugins](https://github.com/falcosecurity/plugins) and provides SDKs for plugin development.
+5. Integrate with output destinations: Integrate Falco with SIEM, data lake systems, or other preferred output destinations to establish a robust foundation for comprehensive data analysis and enable effective incident response workflows.


-### SDKs
+## How to Contribute

-| Language | Repository                                                                    |
-|----------|-------------------------------------------------------------------------------|
-| Go       | [falcosecurity/plugin-sdk-go](https://github.com/falcosecurity/plugin-sdk-go) |
+Please refer to the [contributing guide](https://github.com/falcosecurity/.github/blob/main/CONTRIBUTING.md) and the [code of conduct](https://github.com/falcosecurity/evolution/CODE_OF_CONDUCT.md) for more information on how to contribute.


-## Documentation
-
-The [Official Documentation](https://falco.org/docs/) is the best resource to learn about Falco.
-
 ## Join the Community

-To get involved with The Falco Project please visit [the community repository](https://github.com/falcosecurity/community) to find more.
+To get involved with the Falco Project please visit the [community repository](https://github.com/falcosecurity/community) to find more information and ways to get involved.
+
+If you have any questions about Falco or contributing, do not hesitate to file an issue or contact the Falco maintainers and community members for assistance.

 How to reach out?

- - Join the [#falco](https://kubernetes.slack.com/messages/falco) channel on the [Kubernetes Slack](https://slack.k8s.io)
- - [Join the Falco mailing list](https://lists.cncf.io/g/cncf-falco-dev)
- - [Read the Falco documentation](https://falco.org/docs/)
+ - Join the [#falco](https://kubernetes.slack.com/messages/falco) channel on the [Kubernetes Slack](https://slack.k8s.io).
+ - Join the [Falco mailing list](https://lists.cncf.io/g/cncf-falco-dev).
+ - File an [issue](https://github.com/falcosecurity/falco/issues) or make feature requests.

-## How to contribute
+## Commitment to Falco's Own Security

-See the [contributing guide](https://github.com/falcosecurity/.github/blob/main/CONTRIBUTING.md) and the [code of conduct](https://github.com/falcosecurity/evolution/CODE_OF_CONDUCT.md).
- 
-## Security Audit
+Full reports of various security audits can be found [here](./audits/).

-A third party security audit was performed by Cure53, you can see the full report [here](./audits/SECURITY_AUDIT_2019_07.pdf).
+In addition, you can refer to the [falco security](https://github.com/falcosecurity/falco/security) and [libs security](https://github.com/falcosecurity/libs/security) sections for detailed updates on security advisories and policies.

-## Reporting security vulnerabilities
+To report security vulnerabilities, please follow the community process outlined in the documentation found [here](https://github.com/falcosecurity/.github/blob/main/SECURITY.md).
+
+## What's next for Falco?
+
+Stay updated with Falco's evolving capabilities by exploring the [Falco Roadmap](https://github.com/orgs/falcosecurity/projects/5), which provides insights into the features currently under development and planned for future releases.

-Please report security vulnerabilities following the community process documented [here](https://github.com/falcosecurity/.github/blob/main/SECURITY.md).

 ## License

 Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.

-## Project Evolution
-
-The [falcosecurity/evolution](https://github.com/falcosecurity/evolution) repository is the official space for the community to work together, discuss ideas, and document processes. It is also a place to make decisions. Check it out to find more helpful resources.
-
 ## Resources

 - [Governance](https://github.com/falcosecurity/evolution/blob/main/GOVERNANCE.md)
@@ -168,13 +87,3 @@ The [falcosecurity/evolution](https://github.com/falcosecurity/evolution) reposi
 - [Repositories Guidelines](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md)
 - [Repositories List](https://github.com/falcosecurity/evolution/blob/main/README.md#repositories)
 - [Adopters List](https://github.com/falcosecurity/falco/blob/master/ADOPTERS.md)
-
-
-[1]: https://download.falco.org/?prefix=packages/rpm-dev/
-[2]: https://download.falco.org/?prefix=packages/rpm/
-[3]: https://download.falco.org/?prefix=packages/deb-dev/stable/
-[4]: https://download.falco.org/?prefix=packages/deb/stable/
-[5]: https://download.falco.org/?prefix=packages/bin-dev/x86_64/
-[6]: https://download.falco.org/?prefix=packages/bin/x86_64/
-[7]: https://download.falco.org/?prefix=packages/bin-dev/aarch64/
-[8]: https://download.falco.org/?prefix=packages/bin/aarch64/
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -5,18 +5,22 @@

 This document provides the process to create a new Falco release. In addition, it provides information about the versioning of the Falco components. At a high level each Falco release consists of the following main components:

- Falco binary (userspace)
- Falco kernel driver object files (kernel space)
+- Falco binary (userspace), includes `modern_bpf` driver object code (kernel space) starting with Falco 0.34.x releases
+- Falco kernel driver object files, separate artifacts for `kmod` and `bpf` drivers, not applicable for `modern_bpf` driver (kernel space)
    - Option 1: Kernel module (`.ko` files)
    - Option 2: eBPF (`.o` files)
- Falco config and primary rules `.yaml` files (userspace)
+- Falco config and rules `.yaml` files (userspace)
 - Falco plugins (userspace - optional)

-One nice trait about releasing separate artifacts for userspace and kernel space is that Falco is amenable to supporting a large array of environments, that is, multiple kernel versions, distros and architectures (see `libs` [driver - kernel version support matrix](https://github.com/falcosecurity/libs#drivers-officially-supported-architectures)). The Falco project manages the release of both the Falco userspace binary and pre-compiled Falco kernel drivers for the most popular kernel versions and distros. The build and publish process is managed by the [test-infra](https://github.com/falcosecurity/test-infra) repo. The Falco userspace executable includes bundled dependencies, so that it can be run from anywhere.
+> Note: Starting with Falco 0.34.x releases, the Falco userspace binary includes the `modern_bpf` driver object code during the linking process. This integration is made possible by the CO-RE (Compile Once - Run Everywhere) feature of the modern BPF driver. CO-RE allows the driver to function on kernels that have backported BTF (BPF Type Format) support or have a kernel version >= 5.8. For the older `kmod` and `bpf` drivers, separate artifacts are released for the kernel space. This is because these drivers need to be explicitly compiled for the specific kernel release, using the exact kernel headers. This approach ensures that Falco can support a wide range of environments, including multiple kernel versions, distributions, and architectures.  (see `libs` [driver - kernel version support matrix](https://github.com/falcosecurity/libs#drivers-officially-supported-architectures)).

-The Falco project also publishes all sources for each component. In fact, sources are included in the Falco release in the same way as some plugins (k8saudit and cloudtrail) as well as the rules that are shipped together with Falco. This empowers the end user to audit the integrity of the project as well as build kernel drivers for custom kernels or not officially supported kernels / distros (see [driverkit](https://github.com/falcosecurity/driverkit) for more information). While the Falco project is deeply embedded into an ecosystem of supporting [Falco sub-projects](https://github.com/falcosecurity/evolution) that aim to make the deployment of Falco easy, user-friendly, extendible and cloud-native, core Falco is split across two repos, [falco](https://github.com/falcosecurity/falco) (this repo) and [libs](https://github.com/falcosecurity/libs). The `libs` repo contains >90% of Falco's core features and is the home of each of the kernel drivers and engines. More details are provided in the [Falco Components Versioning](#falco-components-versioning) section.
+The Falco Project manages the release of both the Falco userspace binary and pre-compiled Falco kernel drivers for the most popular kernel versions and distros. The build and publish process is managed by the [test-infra](https://github.com/falcosecurity/test-infra) repo.

-Finally, the release process follows a transparent process described in more detail in the following sections and the official [Falco docs](https://falco.org/) contain rich information around building, installing and using Falco.
+The Falco userspace executable includes bundled dependencies, so that it can be run from anywhere.
+
+Falco publishes all sources, enabling users to audit the project's integrity and build kernel drivers for custom or unsupported kernels/distributions, specifically for non-modern BPF drivers (see [driverkit](https://github.com/falcosecurity/driverkit) for more information).
+
+Finally, the release process follows a transparent process described in more detail in the following sections and the official [Falco guide and documentation](https://falco.org/) provide rich information around building, installing and using Falco.


 ### Falco Binaries, Rules and Sources Artifacts - Quick Links
@@ -28,7 +32,7 @@ The Falco project publishes all sources and the Falco userspace binaries as GitH
    - `tgz`, `zip` source code
 - [Libs Releases](https://github.com/falcosecurity/libs/releases)
    - `tgz`, `zip` source code
- [Libs Releases](https://github.com/falcosecurity/libs/releases)
+- [Driver Releases](https://github.com/falcosecurity/libs/releases), marked with `+driver` [build metadata](https://semver.org/). 
    - `tgz`, `zip` source code
 - [Falco Rules Releases](https://github.com/falcosecurity/rules/releases)
    - `tgz`, `zip` source code, each ruleset is tagged separately in a mono-repo fashion, see the [rules release guidelines](https://github.com/falcosecurity/rules/blob/main/RELEASE.md)
@@ -42,8 +46,9 @@ Alternatively Falco binaries or plugins can be downloaded from the Falco Artifac

 ### Falco Drivers Artifacts Repo - Quick Links

+> Note: This section specifically applies to non-modern BPF drivers.

-The Falco project publishes all drivers for each release for all popular kernel versions / distros and `x86_64` and `aarch64` architectures to the Falco project managed Artifacts repo. The Artifacts repo follows standard directory level conventions. The respective driver object file is prefixed by distro and named / versioned by kernel release - `$(uname -r)`. Pre-compiled drivers are released with a [best effort](https://github.com/falcosecurity/falco/blob/master/proposals/20200818-artifacts-storage.md#notice) notice. This is because gcc (`kmod`) and clang (`bpf`) compilers or for example the eBPF verifier are not perfect. More details around driver versioning and driver compatibility are provided in the [Falco Components Versioning](#falco-components-versioning) section. Short preview: If you use the standard Falco setup leveraging driver-loader, [driver-loader script](https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader) will fetch the kernel space artifact (object file) corresponding to the default `DRIVER_VERSION` Falco was shipped with.
+The Falco Project publishes all drivers for each release for popular kernel versions / distros and `x86_64` and `aarch64` architectures to the Falco project's managed Artifacts repo. The Artifacts repo follows standard directory level conventions. The respective driver object file is prefixed by distro and named / versioned by kernel release - `$(uname -r)`. Pre-compiled drivers are released with a [best effort](https://github.com/falcosecurity/falco/blob/master/proposals/20200818-artifacts-storage.md#notice) notice. This is because gcc (`kmod`) and clang (`bpf`) compilers sometimes fail to build the artifacts for a specific kernel version. More details around driver versioning and driver compatibility are provided in the [Falco Components Versioning](#falco-components-versioning) section. Short preview: If you use the standard Falco setup leveraging driver-loader, [driver-loader script](https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader) will fetch the kernel space artifact (object file) corresponding to the default `DRIVER_VERSION` Falco was shipped with.

 - [Falco Artifacts Repo Drivers Root](https://download.falco.org/?prefix=driver/)
    - Option 1: Kernel module (`.ko` files) - all under same driver version directory
@@ -52,16 +57,16 @@ The Falco project publishes all drivers for each release for all popular kernel

 ### Timeline

-Falco releases are due to happen 3 times per year. Our current schedule sees a new release by the end of January, May, and September each year. Hotfix releases can happen whenever it's needed.
+Falco follows a release schedule of three times per year, with releases expected at the end of January, May, and September. Hotfix releases are issued as needed.

-Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released.
+Changes and new features are organized into [milestones](https://github.com/falcosecurity/falco/milestones). The milestone corresponding to the next version represents the content that will be included in the upcoming release.


 ### Procedures

-The release process is mostly automated requiring only a few manual steps to initiate and complete it.
+The release process is mostly automated, requiring only a few manual steps to initiate and complete.

-Moreover, we need to assign owners for each release (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community).
+Moreover, we assign owners for each release (typically pairing a new person with an experienced one). Assignees and due dates for releases are proposed during the [weekly community call](https://github.com/falcosecurity/community).

 At a high level each Falco release needs to follow a pre-determined sequencing of releases and build order:

@@ -69,11 +74,13 @@ At a high level each Falco release needs to follow a pre-determined sequencing o
 - [4] Falco driver pre-compiled object files push to Falco's Artifacts repo
 - [5] Falco userspace binary release

-Finally, on the proposed due date the assignees for the upcoming release proceed with the processes described below.
+Assignees are responsible for creating a Falco GitHub issue to track the release tasks and monitor the progress of the release. This issue serves as a central point for communication and provides updates on the release dates. You can refer to the [Falco v0.35 release](https://github.com/falcosecurity/falco/issues/2554) or [Libs Release (0.11.0+5.0.1+driver)](https://github.com/falcosecurity/libs/issues/1092) issues as examples/templates for creating the release issue.
+
+Finally, on the proposed due date, the assignees for the upcoming release proceed with the processes described below.  

 ## Pre-Release Checklist

-Prior to cutting a release the following preparatory steps should take 5 minutes using the GitHub UI.
+Before proceeding with the release, make sure to complete the following preparatory steps, which can be easily done using the GitHub UI:

 ### 1. Release notes
 - Find the previous release date (`YYYY-MM-DD`) by looking at the [Falco releases](https://github.com/falcosecurity/falco/releases)
@@ -87,7 +94,19 @@ Prior to cutting a release the following preparatory steps should take 5 minutes

 - Move the [tasks not completed](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Aopen) to a new minor milestone

-### 3. Release PR
+
+### 3. Release branch
+
+Assuming we are releasing a non-patch version (like: Falco 0.34.0), a new release branch needs to be created.  
+Its naming will be `release/M.m.x`; for example: `release/0.34.x`.  
+The same branch will then be used for any eventual cherry pick for patch releases.  
+
+For patch releases, instead, the `release/M.m.x` branch should already be in place; no more steps are needed.  
+Double check that any PR that should be part of the tag has been cherry-picked from master!
+
+### 4. Release PR
+
+The release PR is meant to be made against the respective `release/M.m.x` branch, **then cherry-picked on master**.  

 - Double-check if any hard-coded version number is present in the code, it should be not present anywhere:
    - If any, manually correct it then open an issue to automate version number bumping later
@@ -98,50 +117,54 @@ Prior to cutting a release the following preparatory steps should take 5 minutes
 - Add the latest changes on top the previous `CHANGELOG.md`
 - Submit a PR with the above modifications
 - Await PR approval
- Close the completed milestone as soon as the PR is merged
+- Close the completed milestone as soon as the PR is merged into the release branch
+- Cherry pick the PR on master too
+
+## Publishing Pre-Releases (RCs and tagged development versions)
+
+Core maintainers and/or the release manager can decide to publish pre-releases at any time before the final release
+is live for development and testing purposes.
+
+The prerelease tag must be formatted as `M.m.p-r`where `r` is the prerelease version information (e.g. `0.35.0-rc1`.)
+
+To do so:
+
+- [Draft a new release](https://github.com/falcosecurity/falco/releases/new)
+- Use `M.m.p-r` both as tag version and release title.
+- Check the "Set as a pre-release" checkbox and make sure "Set as the latest release" is unchecked
+- It is recommended to add a brief description so that other contributors will understand the reason why the prerelease is published
+- Publish the prerelease!
+- The release pipeline will start automatically. Packages will be uploaded to the `-dev` bucket and container images will be tagged with the specified tag.
+
+In order to check the status of the release pipeline click on the [GitHub Actions tab](https://github.com/falcosecurity/falco/actions?query=event%3Arelease) in the Falco repository and filter by release.

 ## Release

-Now assume `x.y.z` is the new version.
+Assume `M.m.p` is the new version.

-### 1. Create a tag
-
- Once the release PR has got merged, and the CI has done its job on the master, git tag the new release
-
-    ```
-    git pull
-    git checkout master
-    git tag x.y.z
-    git push origin x.y.z
-    ```
-
-> **N.B.**: do NOT use an annotated tag. For reference https://git-scm.com/book/en/v2/Git-Basics-Tagging
-
- Wait for the CI to complete
-
-### 2. Update the GitHub release
+### 1. Create the release with GitHub

 - [Draft a new release](https://github.com/falcosecurity/falco/releases/new)
- Use `x.y.z` both as tag version and release title
+- Use `M.m.p` both as tag version and release title
 - Use the following template to fill the release description:
    ```
-    <!-- Substitute x.y.z with the current release version -->
+    <!-- Substitute M.m.p with the current release version -->

    | Packages | Download                                                                                                                                               |
    | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
-    | rpm-x86_64      | [![rpm](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpm/falco-x.y.z-x86_64.rpm)        |
-    | deb-x86_64      | [![deb](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/deb/stable/falco-x.y.z-x86_64.deb) |
-    | tgz-x86_64      | [![tgz](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/bin/x86_64/falco-x.y.z-x86_64.tar.gz) |
-    | rpm-aarch64      | [![rpm](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpm/falco-x.y.z-aarch64.rpm)        |
-    | deb-aarch64      | [![deb](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/deb/stable/falco-x.y.z-aarch64.deb) |
-    | tgz-aarch64      | [![tgz](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/bin/aarch64/falco-x.y.z-aarch64.tar.gz) |
+    | rpm-x86_64      | [![rpm](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpm/falco-M.m.p-x86_64.rpm)        |
+    | deb-x86_64      | [![deb](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/deb/stable/falco-M.m.p-x86_64.deb) |
+    | tgz-x86_64      | [![tgz](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/bin/x86_64/falco-M.m.p-x86_64.tar.gz) |
+    | rpm-aarch64      | [![rpm](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpm/falco-M.m.p-aarch64.rpm)        |
+    | deb-aarch64      | [![deb](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/deb/stable/falco-M.m.p-aarch64.deb) |
+    | tgz-aarch64      | [![tgz](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/bin/aarch64/falco-M.m.p-aarch64.tar.gz) |

    | Images                                                                      |
    | --------------------------------------------------------------------------- |
-    | `docker pull docker.io/falcosecurity/falco:x.y.z`                           |
-    | `docker pull public.ecr.aws/falcosecurity/falco:x.y.z`                      |
-    | `docker pull docker.io/falcosecurity/falco-driver-loader:x.y.z`             |
-    | `docker pull docker.io/falcosecurity/falco-no-driver:x.y.z`                 |
+    | `docker pull docker.io/falcosecurity/falco:M.m.p`                           |
+    | `docker pull public.ecr.aws/falcosecurity/falco:M.m.p`                      |
+    | `docker pull docker.io/falcosecurity/falco-driver-loader:M.m.p`             |
+    | `docker pull docker.io/falcosecurity/falco-no-driver:M.m.p`                 |

    <changelog>

@@ -163,14 +186,17 @@ Now assume `x.y.z` is the new version.
    ```

 - Finally, publish the release!
+- The release pipeline will start automatically upon publication and all packages and container images will be uploaded to the stable repositories.

-### 3. Update the meeting notes
+In order to check the status of the release pipeline click on the [GitHub Actions tab](https://github.com/falcosecurity/falco/actions?query=event%3Arelease) in the Falco repository and filter by release.
+
+### 2. Update the meeting notes

 For each release we archive the meeting notes in git for historical purposes.

 - The notes from the Falco meetings can be [found here](https://hackmd.io/3qYPnZPUQLGKCzR14va_qg).
    - Note: There may be other notes from working groups that can optionally be added as well as needed.
- - Add the entire content of the document to a new file in [github.com/falcosecurity/community/tree/master/meeting-notes](https://github.com/falcosecurity/community/tree/master/meeting-notes) as a new file labeled `release-x.y.z.md`
+ - Add the entire content of the document to a new file in [github.com/falcosecurity/community/tree/master/meeting-notes](https://github.com/falcosecurity/community/tree/master/meeting-notes) as a new file labeled `release-M.m.p.md`
 - Open up a pull request with the new change.


@@ -186,13 +212,13 @@ Announce the new release to the world!

 ## Falco Components Versioning

-This section provides more details around the versioning of all components that make up core Falco. It can also be a useful guide for the uninitiated to be more informed about Falco's source. Because the `libs` repo contains >90% of Falco's core features and is the home of each of the kernel drivers and engines, the [libs release doc](https://github.com/falcosecurity/libs/blob/master/release.md) is an excellent additional resource. In addition, the [plugins release doc](https://github.com/falcosecurity/plugins/blob/master/release.md) provides similar details around Falco's plugins. `SHA256` checksums are provided throughout Falco's source code to empower the end user to perform integrity checks. All Falco releases also contain the sources as part of the packages.
+This section provides more details around the versioning of the components that make up Falco's core. It can also be a useful guide for the uninitiated to be more informed about Falco's source. Because `libs` makes up the greater portion of the source code of the Falco binary and is the home of each of the kernel drivers and engines, the [libs release doc](https://github.com/falcosecurity/libs/blob/master/release.md) is an excellent additional resource. In addition, the [plugins release doc](https://github.com/falcosecurity/plugins/blob/master/release.md) provides similar details around Falco's plugins. `SHA256` checksums are provided throughout Falco's source code to empower the end user to perform integrity checks. All Falco releases also contain the sources as part of the packages.


 ### Falco repo (this repo)
 - Falco version is a git tag (`x.y.z`), see [Procedures](#procedures) section. Note that the Falco version is a sem-ver-like schema, but not fully compatible with sem-ver.
- [FALCO_ENGINE_VERSION](https://github.com/falcosecurity/falco/blob/master/userspace/engine/falco_engine_version.h) is not sem-ver and must be bumped either when a backward incompatible change has been introduced to the rules files syntax or `falco --list -N | sha256sum` has changed. Breaking changes introduced in the Falco engine are not necessarily tied to the drivers or libs versions. The primary idea behind the hash is that when new filter / display fields (see currently supported [Falco fields](https://falco.org/docs/rules/supported-fields/)) are introduced a version bump indicates that this field was not available in previous engine versions. See the [rules release guidelines](https://github.com/falcosecurity/rules/blob/main/RELEASE.md#versioning-a-ruleset) to understand how this affects the versioning of Falco rules.
- During development and release preparation, libs and driver reference commits are often bumped in Falco's cmake setup ([falcosecurity-libs cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/falcosecurity-libs.cmake#L30) and [driver cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/driver.cmake#L29)) in order to merge new Falco features. In practice they are mostly bumped at the same time referencing the same `libs` commit. However, for the official Falco build `FALCOSECURITY_LIBS_VERSION` flag that references the stable Libs version is used (read below).
+- [FALCO_ENGINE_VERSION](https://github.com/falcosecurity/falco/blob/master/userspace/engine/falco_engine_version.h) is not sem-ver and must be bumped either when a backward incompatible change has been introduced to the rules files syntax and loading logic, and/or when `FALCO_ENGINE_CHECKSUM` has changed. The checksum is computed by considering the available rules fields (see currently supported [Falco fields](https://falco.org/docs/reference/rules/supported-fields/)), the event types (see currently supported [Falco events](https://falco.org/docs/reference/rules/supported-events/)), and the supported driver schema version. A checksum indicates that something was not available in previous engine versions. See the [rules release guidelines](https://github.com/falcosecurity/rules/blob/main/RELEASE.md#versioning-a-ruleset) to understand how this affects the versioning of Falco rules. Breaking changes introduced in the Falco engine are not necessarily tied to the drivers or libs versions. The version number must be incremented every time and only when a single change or an atomic group of changes - which meet the criteria described above - is included in the `master` branch. Thus, a version bump can occur multiple times during the development and testing phases of a given release cycle. A given version bump must not group multiple changes that occurred sporadically during the release cycle.
+- During development and release preparation, libs and driver reference commits are often bumped in Falco's cmake setup ([falcosecurity-libs cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/falcosecurity-libs.cmake#L30) and [driver cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/driver.cmake#L29)) in order to merge new Falco features. In practice, they are mostly bumped at the same time referencing the same `libs` commit. However, for the official Falco build `FALCOSECURITY_LIBS_VERSION` flag that references the stable libs version is used (read below).
 - Similarly, Falco plugins versions are bumped in Falco's cmake setup ([plugins cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/plugins.cmake)) and those versions are the ones used for the Falco release.
 - At release time Plugin, Libs and Driver versions are compatible with Falco.
 - If you use the standard Falco setup leveraging driver-loader, [driver-loader script](https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader) will fetch the kernel space artifact (object file) corresponding to the default `DRIVER_VERSION` Falco was shipped with (read more below under Libs).
@@ -212,7 +238,7 @@ Driver:

 ### Libs repo
 - Libs version is a git tag (`x.y.z`) and when building Falco the libs version is set via the `FALCOSECURITY_LIBS_VERSION` flag (see above).
- Driver version in and of itself is not directly tied to the Falco binary as opposed to the libs version being part of the source code used to compile Falco's userspace binary. This is because of the strict separation between userspace and kernel space artifacts, so things become a bit more interesting here. This is why the concept of a `Default driver` has been introduced to still implicitly declare the compatible driver versions. For example, if the default driver version is `2.0.0+driver`, Falco works with all driver versions >= 2.0.0 and < 3.0.0. This is a consequence of how the driver version is constructed starting from the `Driver API version` and `Driver Schema version`. Driver API and Schema versions are explained in the respective [libs driver doc](https://github.com/falcosecurity/libs/blob/master/driver/README.VERSION.md) -> Falco's `driver-loader` will always fetch the default driver, therefore a Falco release is always "shipped" with the driver version corresponding to the default driver.
+- The driver version is not directly linked to the userspace components of the Falco binary. This is because of the clear separation between userspace and kernel space, which adds an additional layer of complexity. To address this, the concept of a `Default driver` has been introduced, allowing for implicit declaration of compatible driver versions. For example, if the default driver version is `5.0.1+driver`, Falco works with all driver versions >= 5.0.1 and < 6.0.0. This is a consequence of how the driver version is constructed starting from the `Driver API version` and `Driver Schema version`. Driver API and Schema versions are explained in the respective [libs driver doc](https://github.com/falcosecurity/libs/blob/master/driver/README.VERSION.md) -> Falco's `driver-loader` will always fetch the default driver, therefore a Falco release is always "shipped" with the driver version corresponding to the default driver.
 - See [libs release doc](https://github.com/falcosecurity/libs/blob/master/release.md) for more information.

 ### Plugins repo
@@ -223,4 +249,4 @@ Driver:
 ### Rules repo
 - Rulesets are versioned individually through git tags
 - See [rules release doc](https://github.com/falcosecurity/rules/blob/main/RELEASE.md) for more information.
- See [plugins release doc](https://github.com/falcosecurity/plugins/blob/master/release.md) for more information about plugins rulesets.
+- See [plugins release doc](https://github.com/falcosecurity/plugins/blob/master/release.md) for more information about plugins rulesets.
--- a/audits/SECURITY_AUDIT_2023_01_23-01-1097-LIV.pdf
+++ b/audits/SECURITY_AUDIT_2023_01_23-01-1097-LIV.pdf
--- a/brand/README.md
+++ b/brand/README.md
@@ -3,15 +3,13 @@

 # Falco Branding Guidelines

-This document describes The Falco Project's branding guidelines, language, and message.
-
-Content in this document can be used to publicly share about Falco.
-
+Falco is an open source security project whose brand and identity are governed by the [Cloud Native Computing Foundation](https://www.linuxfoundation.org/legal/trademark-usage).

+This document describes the official branding guidelines of The Falco Project. Please see the [Falco Branding](https://falco.org/community/falco-brand/) page on our website for further details.

 ### Logo

-There are 3 logos available for use in this directory. Use the primary logo unless required otherwise due to background issues, or printing.
+There are 3 logos available for use in this directory. Use the primary logo unless required otherwise due to background issues or printing.

 The Falco logo is Apache 2 licensed and free to use in media and publication for the CNCF Falco project.

@@ -34,55 +32,6 @@ The primary colors are those in the first two rows.

 > Cloud Native Runtime Security

-### What is Falco?
-
-Falco is a runtime security project originally created by Sysdig, Inc.
-Falco was contributed to the CNCF in October 2018.
-The CNCF now owns The Falco Project.
-
-### What is Runtime Security?
-
-Runtime security refers to an approach to preventing unwanted activity on a computer system. 
-With runtime security, an operator deploys **both** prevention tooling (access control, policy enforcement, etc) along side detection tooling (systems observability, anomaly detection, etc).
-Runtime security is the practice of using detection tooling to detect unwanted behavior, such that it can then be prevented using prevention techniques.
-Runtime security is a holistic approach to defense, and useful in scenarios where prevention tooling either was unaware of an exploit or attack vector, or when defective applications are ran in even the most secure environment.
-
-### What does Falco do?
-
-Falco consumes signals from the Linux kernel, and container management tools such as Docker and Kubernetes.
-Falco parses the signals and asserts them against security rules.
-If a rule has been violated, Falco triggers an alert. 
-
-### How does Falco work?
-
-Falco traces kernel events and reports information about the system calls being executed at runtime.
-Falco leverages the extended berkeley packet filter (eBPF) which is a kernel feature implemented for dynamic crash-resilient and secure code execution in the kernel. 
-Falco enriches these kernel events with information about containers running on the system.
-Falco also can consume signals from other input streams such as the containerd socket, the Kubernetes API server and the Kubernetes audit log.
-At runtime, Falco will reason about these events and assert them against configured security rules.
-Based on the severity of a violation an alert is triggered.
-These alerts are configurable and extensible, for instance sending a notification or [plumbing through to other projects like Prometheus](https://github.com/falcosecurity/falco-exporter). 
-
-### Benefits of using Falco
-
- - **Strengthen Security** Create security rules driven by a context-rich and flexible engine to define unexpected application behavior.
- - **Reduce Risk** Immediately respond to policy violation alerts by plugging Falco into your current security response workflows and processes.
- - **Leverage up-to-date Rules** Alert using community-sourced detections of malicious activity and CVE exploits.
-    
-### Falco and securing Kubernetes
-
-Securing Kubernetes requires putting controls in place to detect unexpected behavior that could be malicious or harmful to a cluster or application(s). 
-
-Examples of malicious behavior include: 
-
- - Exploits of unpatched and new vulnerabilities in applications or Kubernetes itself. 
- - Insecure configurations in applications or Kubernetes itself. 
- - Leaked or weak credentials or secret material.
- - Insider threats from adjacent applications running at the same layer. 
-
-Falco is capable of [consuming the Kubernetes audit logs](https://kubernetes.io/docs/tasks/debug-application-cluster/falco/#use-falco-to-collect-audit-events).
-By adding Kubernetes application context, and Kubernetes audit logs teams can understand who did what.
-                                 
 ### Writing about Falco

 ##### Yes
@@ -98,50 +47,31 @@ Notice the capitalization of the following terms.
 - the falco project
 - the Falco project

-### Encouraged Phrasing
-
-Below are phrases that the project has reviewed, and found to be effective ways of messaging Falco's value add.
-Even when processes are in place for vulnerability scanning and implementing pod security and network policies, not every risk will be addressed. You still need mechanisms to confirm these security barriers are effective, help configure them, and provide with a last line of defense when they fail.
-
-##### Falco as a factory
-
-This term refers to the concept that Falco is a stateless processing engine. A large amount of data comes into the engine, but meticulously crafted security alerts come out.
-
-##### The engine that powers...
-
-Falco ultimately is a security engine. It reasons about signals coming from a system at runtime, and can alert if an anomaly is detected.
-
-##### Anomaly detection
-
-This refers to an event that occurs with something unusual, concerning, or odd occurs.
-We can associate anomalies with unwanted behavior, and alert in their presence.
-
-##### Detection tooling
-
-Falco does not prevent unwanted behavior.
-Falco however alerts when unusual behavior occurs.
-This is commonly referred to as **detection** or **forensics**.
-
-
 ---

-# Glossary 
+# Glossary

-#### Probe
+This section contains key terms specifically used within the context of The Falco Project. For a more comprehensive list of Falco-related terminology, we invite you to visit the [Glossary](https://falco.org/docs/reference/glossary/) page on our official website.
+
+#### eBPF Probe

 Used to describe the `.o` object that would be dynamically loaded into the kernel as a secure and stable (e)BPF probe. 
 This is one option used to pass kernel events up to userspace for Falco to consume.
-Sometimes this word is incorrectly used to refer to a `module`.

-#### Module
+#### Modern eBPF Probe
+
+More robust [eBPF probe](#ebpf-probe), which brings the CO-RE paradigm, better performances, and maintainability. 
+Unlike the legacy probe, the modern eBPF probe is not shipped as a separate artifact but bundled into the Falco binary itself.
+This is one option used to pass kernel events up to userspace for Falco to consume.
+
+#### Kernel Module

 Used to describe the `.ko` object that would be loaded into the kernel as a potentially risky kernel module.
 This is one option used to pass kernel events up to userspace for Falco to consume.
-Sometimes this word is incorrectly used to refer to a `probe`.

 #### Driver 

-The global term for the software that sends events from the kernel. Such as the eBPF `probe` or the `kernel module`.
+The global term for the software that sends events from the kernel. Such as the [eBPF probe](#ebpf-probe), the [Modern eBPF probe](#modern-ebpf-probe), or the [Kernel Module](#kernel-module).

 #### Plugin

@@ -149,13 +79,5 @@ Used to describe a dynamic shared library (`.so` files in Unix, `.dll` files in

 #### Falco

-The name of the project, and also the name of [the main engine](https://github.com/falcosecurity/falco) that the rest of the project is built on.
-
-#### Sysdig, Inc
-
-The name of the company that originally created The Falco Project, and later donated to the CNCF.
-
-#### sysdig 
-
-A [CLI tool](https://github.com/draios/sysdig) used to evaluate kernel system events at runtime. 
+The name of the project and also the name of [the main engine](https://github.com/falcosecurity/falco) that the rest of the project is built on.

--- a/cmake/modules/Catch.cmake
+++ b/cmake/modules/Catch.cmake
@@ -1,159 +0,0 @@
-# Distributed under the OSI-approved BSD 3-Clause License.  See accompanying file Copyright.txt or
-# https://cmake.org/licensing for details.
-
-#[=======================================================================[.rst:
-Catch
-----
-
-This module defines a function to help use the Catch test framework.
-
-The :command:`catch_discover_tests` discovers tests by asking the compiled test
-executable to enumerate its tests.  This does not require CMake to be re-run
-when tests change.  However, it may not work in a cross-compiling environment,
-and setting test properties is less convenient.
-
-This command is intended to replace use of :command:`add_test` to register
-tests, and will create a separate CTest test for each Catch test case.  Note
-that this is in some cases less efficient, as common set-up and tear-down logic
-cannot be shared by multiple test cases executing in the same instance.
-However, it provides more fine-grained pass/fail information to CTest, which is
-usually considered as more beneficial.  By default, the CTest test name is the
-same as the Catch name; see also ``TEST_PREFIX`` and ``TEST_SUFFIX``.
-
-.. command:: catch_discover_tests
-
-  Automatically add tests with CTest by querying the compiled test executable
-  for available tests::
-
-    catch_discover_tests(target
-                         [TEST_SPEC arg1...]
-                         [EXTRA_ARGS arg1...]
-                         [WORKING_DIRECTORY dir]
-                         [TEST_PREFIX prefix]
-                         [TEST_SUFFIX suffix]
-                         [PROPERTIES name1 value1...]
-                         [TEST_LIST var]
-    )
-
-  ``catch_discover_tests`` sets up a post-build command on the test executable
-  that generates the list of tests by parsing the output from running the test
-  with the ``--list-test-names-only`` argument.  This ensures that the full
-  list of tests is obtained.  Since test discovery occurs at build time, it is
-  not necessary to re-run CMake when the list of tests changes.
-  However, it requires that :prop_tgt:`CROSSCOMPILING_EMULATOR` is properly set
-  in order to function in a cross-compiling environment.
-
-  Additionally, setting properties on tests is somewhat less convenient, since
-  the tests are not available at CMake time.  Additional test properties may be
-  assigned to the set of tests as a whole using the ``PROPERTIES`` option.  If
-  more fine-grained test control is needed, custom content may be provided
-  through an external CTest script using the :prop_dir:`TEST_INCLUDE_FILES`
-  directory property.  The set of discovered tests is made accessible to such a
-  script via the ``<target>_TESTS`` variable.
-
-  The options are:
-
-  ``target``
-    Specifies the Catch executable, which must be a known CMake executable
-    target.  CMake will substitute the location of the built executable when
-    running the test.
-
-  ``TEST_SPEC arg1...``
-    Specifies test cases, wildcarded test cases, tags and tag expressions to
-    pass to the Catch executable with the ``--list-test-names-only`` argument.
-
-  ``EXTRA_ARGS arg1...``
-    Any extra arguments to pass on the command line to each test case.
-
-  ``WORKING_DIRECTORY dir``
-    Specifies the directory in which to run the discovered test cases.  If this
-    option is not provided, the current binary directory is used.
-
-  ``TEST_PREFIX prefix``
-    Specifies a ``prefix`` to be prepended to the name of each discovered test
-    case.  This can be useful when the same test executable is being used in
-    multiple calls to ``catch_discover_tests()`` but with different
-    ``TEST_SPEC`` or ``EXTRA_ARGS``.
-
-  ``TEST_SUFFIX suffix``
-    Similar to ``TEST_PREFIX`` except the ``suffix`` is appended to the name of
-    every discovered test case.  Both ``TEST_PREFIX`` and ``TEST_SUFFIX`` may
-    be specified.
-
-  ``PROPERTIES name1 value1...``
-    Specifies additional properties to be set on all tests discovered by this
-    invocation of ``catch_discover_tests``.
-
-  ``TEST_LIST var``
-    Make the list of tests available in the variable ``var``, rather than the
-    default ``<target>_TESTS``.  This can be useful when the same test
-    executable is being used in multiple calls to ``catch_discover_tests()``.
-    Note that this variable is only available in CTest.
-
-#]=======================================================================]
-
-# ------------------------------------------------------------------------------
-function(catch_discover_tests TARGET)
-  cmake_parse_arguments("" "" "TEST_PREFIX;TEST_SUFFIX;WORKING_DIRECTORY;TEST_LIST" "TEST_SPEC;EXTRA_ARGS;PROPERTIES"
-                        ${ARGN})
-
-  if(NOT _WORKING_DIRECTORY)
-    set(_WORKING_DIRECTORY "${CMAKE_CURRENT_BINARY_DIR}")
-  endif()
-  if(NOT _TEST_LIST)
-    set(_TEST_LIST ${TARGET}_TESTS)
-  endif()
-
-  # Generate a unique name based on the extra arguments
-  string(SHA1 args_hash "${_TEST_SPEC} ${_EXTRA_ARGS}")
-  string(SUBSTRING ${args_hash} 0 7 args_hash)
-
-  # Define rule to generate test list for aforementioned test executable
-  set(ctest_include_file "${CMAKE_CURRENT_BINARY_DIR}/${TARGET}_include-${args_hash}.cmake")
-  set(ctest_tests_file "${CMAKE_CURRENT_BINARY_DIR}/${TARGET}_tests-${args_hash}.cmake")
-  get_property(
-    crosscompiling_emulator
-    TARGET ${TARGET}
-    PROPERTY CROSSCOMPILING_EMULATOR)
-  add_custom_command(
-    TARGET ${TARGET}
-    POST_BUILD
-    BYPRODUCTS "${ctest_tests_file}"
-    COMMAND
-      "${CMAKE_COMMAND}" -D "TEST_TARGET=${TARGET}" -D "TEST_EXECUTABLE=$<TARGET_FILE:${TARGET}>" -D
-      "TEST_EXECUTOR=${crosscompiling_emulator}" -D "TEST_WORKING_DIR=${_WORKING_DIRECTORY}" -D
-      "TEST_SPEC=${_TEST_SPEC}" -D "TEST_EXTRA_ARGS=${_EXTRA_ARGS}" -D "TEST_PROPERTIES=${_PROPERTIES}" -D
-      "TEST_PREFIX=${_TEST_PREFIX}" -D "TEST_SUFFIX=${_TEST_SUFFIX}" -D "TEST_LIST=${_TEST_LIST}" -D
-      "CTEST_FILE=${ctest_tests_file}" -P "${_CATCH_DISCOVER_TESTS_SCRIPT}"
-    VERBATIM)
-
-  file(
-    WRITE "${ctest_include_file}"
-    "if(EXISTS \"${ctest_tests_file}\")\n" "  include(\"${ctest_tests_file}\")\n" "else()\n"
-    "  add_test(${TARGET}_NOT_BUILT-${args_hash} ${TARGET}_NOT_BUILT-${args_hash})\n" "endif()\n")
-
-  if(NOT ${CMAKE_VERSION} VERSION_LESS "3.10.0")
-    # Add discovered tests to directory TEST_INCLUDE_FILES
-    set_property(
-      DIRECTORY
-      APPEND
-      PROPERTY TEST_INCLUDE_FILES "${ctest_include_file}")
-  else()
-    # Add discovered tests as directory TEST_INCLUDE_FILE if possible
-    get_property(
-      test_include_file_set
-      DIRECTORY
-      PROPERTY TEST_INCLUDE_FILE
-      SET)
-    if(NOT ${test_include_file_set})
-      set_property(DIRECTORY PROPERTY TEST_INCLUDE_FILE "${ctest_include_file}")
-    else()
-      message(FATAL_ERROR "Cannot set more than one TEST_INCLUDE_FILE")
-    endif()
-  endif()
-
-endfunction()
-
-# ######################################################################################################################
-
-set(_CATCH_DISCOVER_TESTS_SCRIPT ${CMAKE_CURRENT_LIST_DIR}/CatchAddTests.cmake)
--- a/cmake/modules/CatchAddTests.cmake
+++ b/cmake/modules/CatchAddTests.cmake
@@ -1,61 +0,0 @@
-# Distributed under the OSI-approved BSD 3-Clause License.  See accompanying file Copyright.txt or
-# https://cmake.org/licensing for details.
-
-set(prefix "${TEST_PREFIX}")
-set(suffix "${TEST_SUFFIX}")
-set(spec ${TEST_SPEC})
-set(extra_args ${TEST_EXTRA_ARGS})
-set(properties ${TEST_PROPERTIES})
-set(script)
-set(suite)
-set(tests)
-
-function(add_command NAME)
-  set(_args "")
-  foreach(_arg ${ARGN})
-    if(_arg MATCHES "[^-./:a-zA-Z0-9_]")
-      set(_args "${_args} [==[${_arg}]==]") # form a bracket_argument
-    else()
-      set(_args "${_args} ${_arg}")
-    endif()
-  endforeach()
-  set(script
-      "${script}${NAME}(${_args})\n"
-      PARENT_SCOPE)
-endfunction()
-
-# Run test executable to get list of available tests
-if(NOT EXISTS "${TEST_EXECUTABLE}")
-  message(FATAL_ERROR "Specified test executable '${TEST_EXECUTABLE}' does not exist")
-endif()
-execute_process(
-  COMMAND ${TEST_EXECUTOR} "${TEST_EXECUTABLE}" ${spec} --list-test-names-only
-  OUTPUT_VARIABLE output
-  RESULT_VARIABLE result)
-# Catch --list-test-names-only reports the number of tests, so 0 is... surprising
-if(${result} EQUAL 0)
-  message(WARNING "Test executable '${TEST_EXECUTABLE}' contains no tests!\n")
-elseif(${result} LESS 0)
-  message(FATAL_ERROR "Error running test executable '${TEST_EXECUTABLE}':\n" "  Result: ${result}\n"
-                      "  Output: ${output}\n")
-endif()
-
-string(REPLACE "\n" ";" output "${output}")
-
-# Parse output
-foreach(line ${output})
-  set(test ${line})
-  # use escape commas to handle properly test cases with commands inside the name
-  string(REPLACE "," "\\," test_name ${test})
-  # ...and add to script
-  add_command(add_test "${prefix}${test}${suffix}" ${TEST_EXECUTOR} "${TEST_EXECUTABLE}" "${test_name}" ${extra_args})
-  add_command(set_tests_properties "${prefix}${test}${suffix}" PROPERTIES WORKING_DIRECTORY "${TEST_WORKING_DIR}"
-              ${properties})
-  list(APPEND tests "${prefix}${test}${suffix}")
-endforeach()
-
-# Create a list of all discovered tests, which users may use to e.g. set properties on the tests
-add_command(set ${TEST_LIST} ${tests})
-
-# Write CTest script
-file(WRITE "${CTEST_FILE}" "${script}")
--- a/cmake/modules/DownloadCatch.cmake
+++ b/cmake/modules/DownloadCatch.cmake
@@ -1,27 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-include(ExternalProject)
-
-set(CATCH2_INCLUDE ${CMAKE_BINARY_DIR}/catch2-prefix/include)
-
-set(CATCH_EXTERNAL_URL URL https://github.com/catchorg/catch2/archive/v2.13.9.tar.gz URL_HASH
-                       SHA256=06dbc7620e3b96c2b69d57bf337028bf245a211b3cddb843835bfe258f427a52)
-
-ExternalProject_Add(
-  catch2
-  PREFIX ${CMAKE_BINARY_DIR}/catch2-prefix
-  ${CATCH_EXTERNAL_URL}
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  INSTALL_COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_BINARY_DIR}/catch2-prefix/src/catch2/single_include/catch2/catch.hpp
-                  ${CATCH2_INCLUDE}/catch.hpp)
--- a/cmake/modules/DownloadFakeIt.cmake
+++ b/cmake/modules/DownloadFakeIt.cmake
@@ -1,28 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-include(ExternalProject)
-
-set(FAKEIT_INCLUDE ${CMAKE_BINARY_DIR}/fakeit-prefix/include)
-
-set(FAKEIT_EXTERNAL_URL URL https://github.com/eranpeer/fakeit/archive/2.0.9.tar.gz URL_HASH
-                        SHA256=dc4ee7b17a84c959019b92c20fce6dc9426e9e170b6edf84db6cb2e188520cd7)
-
-ExternalProject_Add(
-  fakeit-external
-  PREFIX ${CMAKE_BINARY_DIR}/fakeit-prefix
-  ${FAKEIT_EXTERNAL_URL}
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  INSTALL_COMMAND
-    ${CMAKE_COMMAND} -E copy ${CMAKE_BINARY_DIR}/fakeit-prefix/src/fakeit-external/single_header/catch/fakeit.hpp
-    ${FAKEIT_INCLUDE}/fakeit.hpp)
--- a/cmake/modules/FindMakedev.cmake
+++ b/cmake/modules/FindMakedev.cmake
@@ -1,31 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-# This module is used to understand where the makedev function is defined in the glibc in use. see 'man 3 makedev'
-# Usage: In your CMakeLists.txt include(FindMakedev)
-#
-# In your source code:
-#
-# #if HAVE_SYS_MKDEV_H #include <sys/mkdev.h> #endif #ifdef HAVE_SYS_SYSMACROS_H #include <sys/sysmacros.h> #endif
-#
-include(${CMAKE_ROOT}/Modules/CheckIncludeFile.cmake)
-
-check_include_file("sys/mkdev.h" HAVE_SYS_MKDEV_H)
-check_include_file("sys/sysmacros.h" HAVE_SYS_SYSMACROS_H)
-
-if(HAVE_SYS_MKDEV_H)
-  add_definitions(-DHAVE_SYS_MKDEV_H)
-endif()
-if(HAVE_SYS_SYSMACROS_H)
-  add_definitions(-DHAVE_SYS_SYSMACROS_H)
-endif()
--- a/cmake/modules/GetGitRevisionDescription.cmake
+++ b/cmake/modules/GetGitRevisionDescription.cmake
@@ -1,274 +0,0 @@
-# * Returns a version string from Git
-#
-# These functions force a re-configure on each git commit so that you can trust the values of the variables in your
-# build system.
-#
-# get_git_head_revision(<refspecvar> <hashvar> [<additional arguments to git describe> ...])
-#
-# Returns the refspec and sha hash of the current head revision
-#
-# git_describe(<var> [<additional arguments to git describe> ...])
-#
-# Returns the results of git describe on the source tree, and adjusting the output so that it tests false if an error
-# occurs.
-#
-# git_get_exact_tag(<var> [<additional arguments to git describe> ...])
-#
-# Returns the results of git describe --exact-match on the source tree, and adjusting the output so that it tests false
-# if there was no exact matching tag.
-#
-# git_local_changes(<var>)
-#
-# Returns either "CLEAN" or "DIRTY" with respect to uncommitted changes. Uses the return code of "git diff-index --quiet
-# HEAD --". Does not regard untracked files.
-#
-# Requires CMake 2.6 or newer (uses the 'function' command)
-#
-# Original Author: 2009-2010 Ryan Pavlik <rpavlik@iastate.edu> <abiryan@ryand.net> http://academic.cleardefinition.com
-# Iowa State University HCI Graduate Program/VRAC
-#
-# Copyright Iowa State University 2009-2010. Distributed under the Boost Software License, Version 1.0. (See
-# accompanying file LICENSE_1_0.txt or copy at http://www.boost.org/LICENSE_1_0.txt)
-
-if(__get_git_revision_description)
-  return()
-endif()
-set(__get_git_revision_description YES)
-
-# We must run the following at "include" time, not at function call time, to find the path to this module rather than
-# the path to a calling list file
-get_filename_component(_gitdescmoddir ${CMAKE_CURRENT_LIST_FILE} PATH)
-
-function(get_git_head_revision _refspecvar _hashvar)
-  set(GIT_PARENT_DIR "${CMAKE_CURRENT_SOURCE_DIR}")
-  set(GIT_DIR "${GIT_PARENT_DIR}/.git")
-  while(NOT EXISTS "${GIT_DIR}") # .git dir not found, search parent directories
-    set(GIT_PREVIOUS_PARENT "${GIT_PARENT_DIR}")
-    get_filename_component(GIT_PARENT_DIR ${GIT_PARENT_DIR} PATH)
-    if(GIT_PARENT_DIR STREQUAL GIT_PREVIOUS_PARENT)
-      # We have reached the root directory, we are not in git
-      set(${_refspecvar}
-          "GITDIR-NOTFOUND"
-          PARENT_SCOPE)
-      set(${_hashvar}
-          "GITDIR-NOTFOUND"
-          PARENT_SCOPE)
-      return()
-    endif()
-    set(GIT_DIR "${GIT_PARENT_DIR}/.git")
-  endwhile()
-  # check if this is a submodule
-  if(NOT IS_DIRECTORY ${GIT_DIR})
-    file(READ ${GIT_DIR} submodule)
-    string(REGEX REPLACE "gitdir: (.*)\n$" "\\1" GIT_DIR_RELATIVE ${submodule})
-    get_filename_component(SUBMODULE_DIR ${GIT_DIR} PATH)
-    get_filename_component(GIT_DIR ${SUBMODULE_DIR}/${GIT_DIR_RELATIVE} ABSOLUTE)
-  endif()
-  set(GIT_DATA "${CMAKE_CURRENT_BINARY_DIR}/CMakeFiles/git-data")
-  if(NOT EXISTS "${GIT_DATA}")
-    file(MAKE_DIRECTORY "${GIT_DATA}")
-  endif()
-
-  if(NOT EXISTS "${GIT_DIR}/HEAD")
-    return()
-  endif()
-  set(HEAD_FILE "${GIT_DATA}/HEAD")
-  configure_file("${GIT_DIR}/HEAD" "${HEAD_FILE}" COPYONLY)
-
-  configure_file("${_gitdescmoddir}/GetGitRevisionDescription.cmake.in" "${GIT_DATA}/grabRef.cmake" @ONLY)
-  include("${GIT_DATA}/grabRef.cmake")
-
-  set(${_refspecvar}
-      "${HEAD_REF}"
-      PARENT_SCOPE)
-  set(${_hashvar}
-      "${HEAD_HASH}"
-      PARENT_SCOPE)
-endfunction()
-
-function(git_get_latest_tag _var)
-  if(NOT GIT_FOUND)
-    find_package(Git QUIET)
-  endif()
-
-  # We use git describe --tags `git rev-list --tags --max-count=1`
-  execute_process(COMMAND
-          "${GIT_EXECUTABLE}"
-          rev-list
-          --tags
-          --max-count=1
-          WORKING_DIRECTORY
-          "${CMAKE_CURRENT_SOURCE_DIR}"
-          COMMAND tail -n1
-          RESULT_VARIABLE
-          res
-          OUTPUT_VARIABLE
-          tag_hash
-          ERROR_QUIET
-          OUTPUT_STRIP_TRAILING_WHITESPACE)
-  if(NOT res EQUAL 0)
-    set(out "${tag_hash}-${res}-NOTFOUND" PARENT_SCOPE)
-    return()
-  endif()
-
-  execute_process(COMMAND
-    "${GIT_EXECUTABLE}"
-    describe
-    --tags
-    ${tag_hash}
-    WORKING_DIRECTORY
-    "${CMAKE_CURRENT_SOURCE_DIR}"
-    RESULT_VARIABLE
-    res
-    OUTPUT_VARIABLE
-    out
-    ERROR_QUIET
-    OUTPUT_STRIP_TRAILING_WHITESPACE)
-  if(NOT res EQUAL 0)
-    set(out "${out}-${res}-NOTFOUND")
-  endif()
-  set(${_var} "${out}" PARENT_SCOPE)
-endfunction()
-
-function(git_get_delta_from_tag _var tag hash)
-  if(NOT GIT_FOUND)
-    find_package(Git QUIET)
-  endif()
-
-  # Count commits in HEAD
-  execute_process(COMMAND
-    "${GIT_EXECUTABLE}"
-    rev-list
-    --count
-    ${hash}
-    WORKING_DIRECTORY
-    "${CMAKE_CURRENT_SOURCE_DIR}"
-    RESULT_VARIABLE
-    res
-    OUTPUT_VARIABLE
-    out_counter_head
-    ERROR_QUIET
-    OUTPUT_STRIP_TRAILING_WHITESPACE)
-  if(NOT res EQUAL 0)
-    set(${_var} "HEADCOUNT-NOTFOUND" PARENT_SCOPE)
-    return()
-  endif()
-
-  # Count commits in latest tag
-  execute_process(COMMAND
-    "${GIT_EXECUTABLE}"
-    rev-list
-    --count
-    ${tag}
-    WORKING_DIRECTORY
-    "${CMAKE_CURRENT_SOURCE_DIR}"
-    RESULT_VARIABLE
-    res
-    OUTPUT_VARIABLE
-    out_counter_tag
-    ERROR_QUIET
-    OUTPUT_STRIP_TRAILING_WHITESPACE)
-  if(NOT res EQUAL 0)
-    set(${_var} "TAGCOUNT-NOTFOUND" PARENT_SCOPE)
-    return()
-  endif()
-
-  execute_process(COMMAND
-    expr
-    ${out_counter_head} - ${out_counter_tag}
-    WORKING_DIRECTORY
-    "${CMAKE_CURRENT_SOURCE_DIR}"
-    RESULT_VARIABLE
-    res
-    OUTPUT_VARIABLE
-    out_delta
-    ERROR_QUIET
-    OUTPUT_STRIP_TRAILING_WHITESPACE)
-  if(NOT res EQUAL 0)
-    set(${_var} "DELTA-NOTFOUND" PARENT_SCOPE)
-    return()
-  endif()
-  set(${_var} "${out_delta}" PARENT_SCOPE)
-endfunction()
-
-function(git_describe _var)
-  if(NOT GIT_FOUND)
-    find_package(Git QUIET)
-  endif()
-  get_git_head_revision(refspec hash)
-  if(NOT GIT_FOUND)
-    set(${_var}
-            "GIT-NOTFOUND"
-            PARENT_SCOPE)
-    return()
-  endif()
-  if(NOT hash)
-    set(${_var}
-            "HEAD-HASH-NOTFOUND"
-            PARENT_SCOPE)
-    return()
-  endif()
-
-  execute_process(COMMAND
-          "${GIT_EXECUTABLE}"
-          describe
-          ${hash}
-          ${ARGN}
-          WORKING_DIRECTORY
-          "${CMAKE_CURRENT_SOURCE_DIR}"
-          RESULT_VARIABLE
-          res
-          OUTPUT_VARIABLE
-          out
-          ERROR_QUIET
-          OUTPUT_STRIP_TRAILING_WHITESPACE)
-  if(NOT res EQUAL 0)
-    set(out "${out}-${res}-NOTFOUND")
-  endif()
-
-  set(${_var}
-          "${out}"
-          PARENT_SCOPE)
-endfunction()
-
-function(git_get_exact_tag _var)
-  git_describe(out --exact-match ${ARGN})
-  set(${_var}
-      "${out}"
-      PARENT_SCOPE)
-endfunction()
-
-function(git_local_changes _var)
-  if(NOT GIT_FOUND)
-    find_package(Git QUIET)
-  endif()
-  get_git_head_revision(refspec hash)
-  if(NOT GIT_FOUND)
-    set(${_var}
-        "GIT-NOTFOUND"
-        PARENT_SCOPE)
-    return()
-  endif()
-  if(NOT hash)
-    set(${_var}
-        "HEAD-HASH-NOTFOUND"
-        PARENT_SCOPE)
-    return()
-  endif()
-
-  execute_process(
-    COMMAND "${GIT_EXECUTABLE}" diff-index --quiet HEAD --
-    WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}"
-    RESULT_VARIABLE res
-    OUTPUT_VARIABLE out
-    ERROR_QUIET OUTPUT_STRIP_TRAILING_WHITESPACE)
-  if(res EQUAL 0)
-    set(${_var}
-        "CLEAN"
-        PARENT_SCOPE)
-  else()
-    set(${_var}
-        "DIRTY"
-        PARENT_SCOPE)
-  endif()
-endfunction()
--- a/cmake/modules/GetGitRevisionDescription.cmake.in
+++ b/cmake/modules/GetGitRevisionDescription.cmake.in
@@ -1,41 +0,0 @@
-#
-# Internal file for GetGitRevisionDescription.cmake
-#
-# Requires CMake 2.6 or newer (uses the 'function' command)
-#
-# Original Author:
-# 2009-2010 Ryan Pavlik <rpavlik@iastate.edu> <abiryan@ryand.net>
-# http://academic.cleardefinition.com
-# Iowa State University HCI Graduate Program/VRAC
-#
-# Copyright Iowa State University 2009-2010.
-# Distributed under the Boost Software License, Version 1.0.
-# (See accompanying file LICENSE_1_0.txt or copy at
-# http://www.boost.org/LICENSE_1_0.txt)
-
-set(HEAD_HASH)
-
-file(READ "@HEAD_FILE@" HEAD_CONTENTS LIMIT 1024)
-
-string(STRIP "${HEAD_CONTENTS}" HEAD_CONTENTS)
-if(HEAD_CONTENTS MATCHES "ref")
-	# named branch
-	string(REPLACE "ref: " "" HEAD_REF "${HEAD_CONTENTS}")
-	if(EXISTS "@GIT_DIR@/${HEAD_REF}")
-		configure_file("@GIT_DIR@/${HEAD_REF}" "@GIT_DATA@/head-ref" COPYONLY)
-	else()
-		configure_file("@GIT_DIR@/packed-refs" "@GIT_DATA@/packed-refs" COPYONLY)
-		file(READ "@GIT_DATA@/packed-refs" PACKED_REFS)
-		if(${PACKED_REFS} MATCHES "([0-9a-z]*) ${HEAD_REF}")
-			set(HEAD_HASH "${CMAKE_MATCH_1}")
-		endif()
-	endif()
-else()
-	# detached HEAD
-	configure_file("@GIT_DIR@/HEAD" "@GIT_DATA@/head-ref" COPYONLY)
-endif()
-
-if(NOT HEAD_HASH)
-	file(READ "@GIT_DATA@/head-ref" HEAD_HASH LIMIT 1024)
-	string(STRIP "${HEAD_HASH}" HEAD_HASH)
-endif()
--- a/cmake/modules/cpp-httplib.cmake
+++ b/cmake/modules/cpp-httplib.cmake
@@ -24,8 +24,8 @@ else()

 	ExternalProject_Add(cpp-httplib
 		PREFIX "${PROJECT_BINARY_DIR}/cpp-httplib-prefix"
-		URL "https://github.com/yhirose/cpp-httplib/archive/refs/tags/v0.11.3.tar.gz"
-		URL_HASH "SHA256=799b2daa0441d207f6cd1179ae3a34869722084a434da6614978be1682c1e12d"
+		URL "https://github.com/yhirose/cpp-httplib/archive/refs/tags/v0.13.1.tar.gz"
+		URL_HASH "SHA256=9b837d290b61e3f0c4239da0b23bbf14c382922e2bf2a9bac21c1e3feabe1ff9"
 		CONFIGURE_COMMAND ""
 		BUILD_COMMAND ""
 		INSTALL_COMMAND "")	
--- a/cmake/modules/driver.cmake
+++ b/cmake/modules/driver.cmake
@@ -26,8 +26,8 @@ else()
  # In case you want to test against another driver version (or branch, or commit) just pass the variable -
  # ie., `cmake -DDRIVER_VERSION=dev ..`
  if(NOT DRIVER_VERSION)
-    set(DRIVER_VERSION "4.0.0+driver")
-    set(DRIVER_CHECKSUM "SHA256=0f71a4e4492847ce6ca35fe6f9ecdf682f603c878397e57d7628a0cd60a29aed")
+    set(DRIVER_VERSION "942a2249b7b9f65def0a01acfb1fba84f629b3bf")
+    set(DRIVER_CHECKSUM "SHA256=8670d7b24fad659674cea90b9b3d86e5d0775a6b2faedc0d5303f910242282ff")
  endif()

  # cd /path/to/build && cmake /path/to/source
--- a/cmake/modules/GetFalcoVersion.cmake
+++ b/cmake/modules/GetFalcoVersion.cmake
@@ -12,46 +12,17 @@
 #

 # Retrieve git ref and commit hash
-include(GetGitRevisionDescription)
+include(GetVersionFromGit)

-# Create the falco version variable according to git index
+# Get Falco version variable according to git index
 if(NOT FALCO_VERSION)
-  # Try to obtain the exact git tag
-  git_get_exact_tag(FALCO_TAG)
-  if(NOT FALCO_TAG)
-      # Fetch current hash
-      get_git_head_revision(refspec FALCO_HASH)
-      if(NOT FALCO_HASH OR FALCO_HASH MATCHES "NOTFOUND$")
-        set(FALCO_VERSION "0.0.0")
-      else()
-        # Obtain the closest tag
-        git_get_latest_tag(FALCO_LATEST_TAG)
-        if(NOT FALCO_LATEST_TAG OR FALCO_LATEST_TAG MATCHES "NOTFOUND$")
-          set(FALCO_VERSION "0.0.0")
-        else()
-          # Compute commit delta since tag
-          git_get_delta_from_tag(FALCO_DELTA ${FALCO_LATEST_TAG} ${FALCO_HASH})
-          if(NOT FALCO_DELTA OR FALCO_DELTA MATCHES "NOTFOUND$")
-            set(FALCO_VERSION "0.0.0")
-          else()
-            # Cut hash to 7 bytes
-            string(SUBSTRING ${FALCO_HASH} 0 7 FALCO_HASH)
-            # Format FALCO_VERSION to be semver with prerelease and build part
-            set(FALCO_VERSION
-                  "${FALCO_LATEST_TAG}-${FALCO_DELTA}+${FALCO_HASH}")
-           endif()
-        endif()
-      endif()
-  else()
-    # A tag has been found: use it as the Falco version
-    set(FALCO_VERSION "${FALCO_TAG}")
-  endif()
+  set(FALCO_VERSION "0.0.0")
+  get_version_from_git(FALCO_VERSION "" "")
 endif()

 # Remove the starting "v" in case there is one
 string(REGEX REPLACE "^v(.*)" "\\1" FALCO_VERSION "${FALCO_VERSION}")

-# TODO(leodido) > ensure Falco version is semver before extracting parts Populate partial version variables
 string(REGEX MATCH "^(0|[1-9][0-9]*)" FALCO_VERSION_MAJOR "${FALCO_VERSION}")
 string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\..*" "\\2" FALCO_VERSION_MINOR "${FALCO_VERSION}")
 string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*).*" "\\3" FALCO_VERSION_PATCH
--- a/cmake/modules/falcoctl.cmake
+++ b/cmake/modules/falcoctl.cmake
@@ -15,14 +15,14 @@ include(ExternalProject)

 string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} FALCOCTL_SYSTEM_NAME)

-set(FALCOCTL_VERSION "0.4.0")
+set(FALCOCTL_VERSION "0.5.1")

 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
    set(FALCOCTL_SYSTEM_PROC_GO "amd64")
-    set(FALCOCTL_HASH "13c88e612efe955bc014918a7af30bae28dc5ba99b2962af57e36b1b87f527f9")
+    set(FALCOCTL_HASH "ea7c89134dc745a1cbdbcf8f839d3b47851a40e1aebee20702a606b03b45b897")
 else() # aarch64
    set(FALCOCTL_SYSTEM_PROC_GO "arm64")
-    set(FALCOCTL_HASH "0f8898853e99a2cd1b4dd6b161e8545cf20ce0e3ce79cddc539f6002257d5de5")
+    set(FALCOCTL_HASH "22797200bf0e4c7c45f69207ed85218a3839115a302dc07939d3006778d41300")
 endif()

 ExternalProject_Add(
--- a/cmake/modules/falcosecurity-libs.cmake
+++ b/cmake/modules/falcosecurity-libs.cmake
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -25,14 +25,17 @@ if(FALCOSECURITY_LIBS_SOURCE_DIR)
 else()
  # FALCOSECURITY_LIBS_VERSION accepts a git reference (branch name, commit hash, or tag) to the falcosecurity/libs repository.
  # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
-  # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..`
+  # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..` 
  if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "0.10.3")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=be6c771b9182fcd8fcd52cb56022c380edf6e051d1b0eee1983e093494ac0837")
+    set(FALCOSECURITY_LIBS_VERSION "942a2249b7b9f65def0a01acfb1fba84f629b3bf")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=8670d7b24fad659674cea90b9b3d86e5d0775a6b2faedc0d5303f910242282ff")
  endif()

  # cd /path/to/build && cmake /path/to/source
-  execute_process(COMMAND "${CMAKE_COMMAND}" -DFALCOSECURITY_LIBS_VERSION=${FALCOSECURITY_LIBS_VERSION} -DFALCOSECURITY_LIBS_CHECKSUM=${FALCOSECURITY_LIBS_CHECKSUM}
+  execute_process(COMMAND "${CMAKE_COMMAND}"
+      -DCMAKE_BUILD_TYPE="${CMAKE_BUILD_TYPE}"
+      -DFALCOSECURITY_LIBS_VERSION=${FALCOSECURITY_LIBS_VERSION}
+      -DFALCOSECURITY_LIBS_CHECKSUM=${FALCOSECURITY_LIBS_CHECKSUM}
    ${FALCOSECURITY_LIBS_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR})

  # cmake --build .
@@ -50,6 +53,8 @@ if(MUSL_OPTIMIZED_BUILD)
 endif()

 set(SCAP_HOST_ROOT_ENV_VAR_NAME "HOST_ROOT")
+set(SCAP_HOSTNAME_ENV_VAR "FALCO_HOSTNAME")
+set(SINSP_AGENT_CGROUP_MEM_PATH_ENV_VAR "FALCO_CGROUP_MEM_PATH")

 if(NOT LIBSCAP_DIR)
  set(LIBSCAP_DIR "${FALCOSECURITY_LIBS_SOURCE_DIR}")
--- a/cmake/modules/njson.cmake
+++ b/cmake/modules/njson.cmake
@@ -0,0 +1,34 @@
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+#
+# nlohmann-json
+#
+if(NJSON_INCLUDE)
+    # Adding the custom target we can use it with `add_dependencies()`
+    if(NOT TARGET njson)
+        add_custom_target(njson)
+    endif()
+else()
+    # We always use the bundled version
+    set(NJSON_SRC "${PROJECT_BINARY_DIR}/njson-prefix/src/njson")
+    set(NJSON_INCLUDE "${NJSON_SRC}/single_include")
+    ExternalProject_Add(
+        njson
+        URL "https://github.com/nlohmann/json/archive/v3.3.0.tar.gz"
+        URL_HASH "SHA256=2fd1d207b4669a7843296c41d3b6ac5b23d00dec48dba507ba051d14564aa801"
+        CONFIGURE_COMMAND ""
+        BUILD_COMMAND ""
+        INSTALL_COMMAND "")
+    message(STATUS "Using bundled nlohmann-json in '${NJSON_SRC}'")
+endif()
--- a/cmake/modules/plugins.cmake
+++ b/cmake/modules/plugins.cmake
@@ -13,22 +13,26 @@

 include(ExternalProject)

+# 'stable' or 'dev'
+set(PLUGINS_DOWNLOAD_BUCKET "stable")
+
 string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} PLUGINS_SYSTEM_NAME)

 if(NOT DEFINED PLUGINS_COMPONENT_NAME)
    set(PLUGINS_COMPONENT_NAME "${CMAKE_PROJECT_NAME}-plugins")
 endif()

-set(PLUGIN_K8S_AUDIT_VERSION "0.5.0")
+# k8saudit
+set(PLUGIN_K8S_AUDIT_VERSION "0.6.0")
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-    set(PLUGIN_K8S_AUDIT_HASH "c4abb288df018940be8e548340a74d39623b69142304e01523ea189bc698bc80")
+    set(PLUGIN_K8S_AUDIT_HASH "560e8f8dc8fd169e524d95462d65b5227415a7a157442e82383c7d9f456ce58f")
 else() # aarch64
-    set(PLUGIN_K8S_AUDIT_HASH "3bcc849d9f95a3fa519b4592d0947149e492b530fb935a3f98f098e234b7baa7")
+    set(PLUGIN_K8S_AUDIT_HASH "e4757af1bac42b21c5937340790841dedc3805759050a6ffb22d1761e1dd1d31")
 endif()

 ExternalProject_Add(
  k8saudit-plugin
-  URL "https://download.falco.org/plugins/stable/k8saudit-${PLUGIN_K8S_AUDIT_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
+  URL "https://download.falco.org/plugins/${PLUGINS_DOWNLOAD_BUCKET}/k8saudit-${PLUGIN_K8S_AUDIT_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
  URL_HASH "SHA256=${PLUGIN_K8S_AUDIT_HASH}"
  CONFIGURE_COMMAND ""
  BUILD_COMMAND ""
@@ -38,24 +42,25 @@ install(FILES "${PROJECT_BINARY_DIR}/k8saudit-plugin-prefix/src/k8saudit-plugin/

 ExternalProject_Add(
  k8saudit-rules
-  URL "https://download.falco.org/plugins/stable/k8saudit-rules-${PLUGIN_K8S_AUDIT_VERSION}.tar.gz"
-  URL_HASH "SHA256=4383c69ba0ad63a127667c05618c37effc5297e6a7e68a1492acb0e48386540e"
+  URL "https://download.falco.org/plugins/${PLUGINS_DOWNLOAD_BUCKET}/k8saudit-rules-${PLUGIN_K8S_AUDIT_VERSION}.tar.gz"
+  URL_HASH "SHA256=44cee2fb88312d889213e1dbe1b9902d0a3f5c594cce73b2cac8e54fb51321b7"
  CONFIGURE_COMMAND ""
  BUILD_COMMAND ""
  INSTALL_COMMAND "")

 install(FILES "${PROJECT_BINARY_DIR}/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")

-set(PLUGIN_CLOUDTRAIL_VERSION "0.7.0")
+# cloudtrail
+set(PLUGIN_CLOUDTRAIL_VERSION "0.8.0")
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-    set(PLUGIN_CLOUDTRAIL_HASH "85d94d8f5915804d5a30ff2f056e51de27d537f1fd1115050b4f4be6d32588cf")
+    set(PLUGIN_CLOUDTRAIL_HASH "13ba77602c0859936f6e3b00f93bd218c463300c6a797b694a0d5aeecde13976")
 else() # aarch64
-    set(PLUGIN_CLOUDTRAIL_HASH "61ae471ee41e76680da9ab66f583d1ec43a2e48fbad8c157caecef56e4aa5fb7")
+    set(PLUGIN_CLOUDTRAIL_HASH "a01730738e9d5769f69957a204c8afe528b059e9a22f59792dfc65e19d6a43db")
 endif()

 ExternalProject_Add(
  cloudtrail-plugin
-  URL "https://download.falco.org/plugins/stable/cloudtrail-${PLUGIN_CLOUDTRAIL_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
+  URL "https://download.falco.org/plugins/${PLUGINS_DOWNLOAD_BUCKET}/cloudtrail-${PLUGIN_CLOUDTRAIL_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
  URL_HASH "SHA256=${PLUGIN_CLOUDTRAIL_HASH}"
  CONFIGURE_COMMAND ""
  BUILD_COMMAND ""
@@ -65,24 +70,25 @@ install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-plugin-prefix/src/cloudtrail-plu

 ExternalProject_Add(
  cloudtrail-rules
-  URL "https://download.falco.org/plugins/stable/cloudtrail-rules-${PLUGIN_CLOUDTRAIL_VERSION}.tar.gz"
-  URL_HASH "SHA256=c805be29ddc14fbffa29f7d6ee4f7e968a3bdb42da5f5483e5e6de273e8850c8"
+  URL "https://download.falco.org/plugins/${PLUGINS_DOWNLOAD_BUCKET}/cloudtrail-rules-${PLUGIN_CLOUDTRAIL_VERSION}.tar.gz"
+  URL_HASH "SHA256=27f2fc0a74d39476ad968a61318dec65a82b109c4a462b9fa22be45425ddaaad"
  CONFIGURE_COMMAND ""
  BUILD_COMMAND ""
  INSTALL_COMMAND "")

-  install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-rules-prefix/src/cloudtrail-rules/aws_cloudtrail_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
+install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-rules-prefix/src/cloudtrail-rules/aws_cloudtrail_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")

-set(PLUGIN_JSON_VERSION "0.6.0")
+# json
+set(PLUGIN_JSON_VERSION "0.7.0")
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-    set(PLUGIN_JSON_HASH "15fb7eddd978e8bb03f05412e9446e264e4548d7423b3d724b99d6d87a8c1b27")
+    set(PLUGIN_JSON_HASH "a7bf52009a935f22b473724f722566fde27aec5c7d618ecd426eed81e477e94d")
 else() # aarch64
-    set(PLUGIN_JSON_HASH "4db23f35a750e10a5b7b54c9aa469a7587705e7faa22927e941b41f3c5533e9f")
+    set(PLUGIN_JSON_HASH "9cd65fac3f1cbc7f723b69671d42d35901cd322a23d8f2b9dc95fb0593918a7e")
 endif()

 ExternalProject_Add(
  json-plugin
-  URL "https://download.falco.org/plugins/stable/json-${PLUGIN_JSON_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
+  URL "https://download.falco.org/plugins/${PLUGINS_DOWNLOAD_BUCKET}/json-${PLUGIN_JSON_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
  URL_HASH "SHA256=${PLUGIN_JSON_HASH}"
  CONFIGURE_COMMAND ""
  BUILD_COMMAND ""
--- a/cmake/modules/rules.cmake
+++ b/cmake/modules/rules.cmake
@@ -15,8 +15,8 @@ include(GNUInstallDirs)
 include(ExternalProject)

 # falco_rules.yaml
-set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-0.1.0")
-set(FALCOSECURITY_RULES_FALCO_CHECKSUM "SHA256=0d3705a4650f09d10e7831b16e7af59c1da34ff19e788896e9ee77010014db4d")
+set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-1.0.1")
+set(FALCOSECURITY_RULES_FALCO_CHECKSUM "SHA256=2348d43196bbbdea92e3f67fa928721a241b0406d0ef369693bdefcec2b3fa13")
 set(FALCOSECURITY_RULES_FALCO_PATH "${PROJECT_BINARY_DIR}/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml")
 ExternalProject_Add(
  falcosecurity-rules-falco
--- a/cmake/modules/yaml-cpp.cmake
+++ b/cmake/modules/yaml-cpp.cmake
@@ -19,6 +19,7 @@ if(NOT USE_BUNDLED_DEPS)
  else()
    message(FATAL_ERROR "Couldn't find system yamlcpp")
  endif()
+  add_custom_target(yamlcpp)
 else()
  set(YAMLCPP_SRC "${PROJECT_BINARY_DIR}/yamlcpp-prefix/src/yamlcpp")
  message(STATUS "Using bundled yaml-cpp in '${YAMLCPP_SRC}'")
--- a/docker/CMakeLists.txt
+++ b/docker/CMakeLists.txt
@@ -1 +0,0 @@
-add_subdirectory(local)
--- a/docker/README.md
+++ b/docker/README.md
@@ -7,11 +7,5 @@ This directory contains various ways to package Falco as a container and related
 | Name | Directory | Description |
 |---|---|---|
 | [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco | Falco (DEB built from git tag or from the master) with all the building toolchain. |
-| _not yet published (experimental)_ | docker/ubi | Falco (built from RedHat's UBI base image) with the building toolchain. |
 | [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. |
 | [falcosecurity/falco-no-driver:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver), [falcosecurity/falco-no-driver:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver),[falcosecurity/falco-no-driver:master](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver) | docker/no-driver | Falco (TGZ built from git tag or from the master) without the building toolchain. |
-| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/getting-started/source/) for more details on building from source. Used to build Falco (CI). |
-| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). |
-| _not to be published_ | docker/local | Built on-the-fly and used by falco-tester. |
-
-> Note: `falco-builder`, `falco-tester` (and the `docker/local` image that it's built on the fly) are not integrated into the release process because they are development and CI tools that need to be manually pushed only when updated.
--- a/docker/builder/Dockerfile
+++ b/docker/builder/Dockerfile
@@ -1,46 +0,0 @@
-FROM centos:7
-
-LABEL name="falcosecurity/falco-builder"
-LABEL usage="docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder cmake"
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-
-ARG BUILD_TYPE=release
-ARG BUILD_DRIVER=OFF
-ARG BUILD_BPF=OFF
-ARG BUILD_WARNINGS_AS_ERRORS=ON
-ARG MAKE_JOBS=4
-ARG FALCO_VERSION
-ARG CMAKE_VERSION=3.22.5
-
-ENV BUILD_TYPE=${BUILD_TYPE}
-ENV BUILD_DRIVER=${BUILD_DRIVER}
-ENV BUILD_BPF=${BUILD_BPF}
-ENV BUILD_WARNINGS_AS_ERRORS=${BUILD_WARNINGS_AS_ERRORS}
-ENV MAKE_JOBS=${MAKE_JOBS}
-ENV FALCO_VERSION=${FALCO_VERSION}
-ENV CMAKE_VERSION=${CMAKE_VERSION}
-
-# build toolchain
-RUN yum -y install centos-release-scl && \
-    INSTALL_PKGS="devtoolset-7-gcc devtoolset-7-gcc-c++ devtoolset-7-toolchain devtoolset-7-libstdc++-devel llvm-toolset-7.0 glibc-static autoconf automake libtool createrepo expect git which libcurl-devel rpm-build libyaml-devel" && \
-    yum -y install --setopt=tsflags=nodocs $INSTALL_PKGS && \
-    rpm -V $INSTALL_PKGS
-
-
-RUN source scl_source enable devtoolset-7 llvm-toolset-7.0
-
-RUN curl -L -o /tmp/cmake-${CMAKE_VERSION}-linux-$(uname -m).tar.gz https://github.com/kitware/cmake/releases/download/v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}-linux-$(uname -m).tar.gz && \
-    gzip -d /tmp/cmake-${CMAKE_VERSION}-linux-$(uname -m).tar.gz && \
-    tar -xpf /tmp/cmake-${CMAKE_VERSION}-linux-$(uname -m).tar --directory=/tmp && \
-    cp -R /tmp/cmake-${CMAKE_VERSION}-linux-$(uname -m)/* /usr && \
-    rm -rf /tmp/cmake-${CMAKE_VERSION}-linux-$(uname -m)
-
-COPY ./root /
-
-# DTS
-ENV BASH_ENV=/usr/bin/scl_enable \
-    ENV=/usr/bin/scl_enable \
-    PROMPT_COMMAND=". /usr/bin/scl_enable"
-
-ENTRYPOINT ["entrypoint"]
-CMD ["usage"]
--- a/docker/builder/README.md
+++ b/docker/builder/README.md
@@ -1,8 +1,6 @@
 # Builder folder

-* We use `Dockerfile` to build the `centos7` Falco builder image.
 * We use `modern-falco-builder.Dockerfile` to build Falco with the modern probe and return it as a Dockerfile output. This Dockerfile doesn't generate a Docker image but returns as output (through the `--output` command):
  * Falco `tar.gz`.
  * Falco `deb` package.
  * Falco `rpm` package.
-  * Falco build directory, used by other CI jobs.
--- a/docker/builder/modern-falco-builder.Dockerfile
+++ b/docker/builder/modern-falco-builder.Dockerfile
@@ -29,33 +29,15 @@ RUN source scl_source enable devtoolset-9; \
    make falco -j${MAKE_JOBS}
 RUN make package

-# We need `make tests` and `make all` for integration tests.
-RUN make tests -j${MAKE_JOBS}
+# We need `make all` for integration tests.
 RUN make all -j${MAKE_JOBS}

 FROM scratch AS export-stage

+LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
+
 ARG DEST_BUILD_DIR="/build"

 COPY --from=build-stage /build/release/falco-*.tar.gz /packages/
 COPY --from=build-stage /build/release/falco-*.deb /packages/
 COPY --from=build-stage /build/release/falco-*.rpm /packages/
-
-# This is what we need for integration tests. We don't export all the build directory
-# outside the container since its size is almost 6 GB, we export only what is strictly necessary
-# for integration tests.
-# This is just a workaround to fix the CI build until we replace our actual testing framework.
-COPY --from=build-stage /build/release/cloudtrail-plugin-prefix ${DEST_BUILD_DIR}/cloudtrail-plugin-prefix
-COPY --from=build-stage /build/release/cloudtrail-rules-prefix ${DEST_BUILD_DIR}/cloudtrail-rules-prefix
-COPY --from=build-stage /build/release/falcosecurity-rules-falco-prefix ${DEST_BUILD_DIR}/falcosecurity-rules-falco-prefix
-COPY --from=build-stage /build/release/falcosecurity-rules-local-prefix ${DEST_BUILD_DIR}/falcosecurity-rules-local-prefix
-COPY --from=build-stage /build/release/json-plugin-prefix ${DEST_BUILD_DIR}/json-plugin-prefix
-COPY --from=build-stage /build/release/k8saudit-plugin-prefix ${DEST_BUILD_DIR}/k8saudit-plugin-prefix
-COPY --from=build-stage /build/release/k8saudit-rules-prefix ${DEST_BUILD_DIR}/k8saudit-rules-prefix
-COPY --from=build-stage /build/release/scripts ${DEST_BUILD_DIR}/scripts
-COPY --from=build-stage /build/release/test ${DEST_BUILD_DIR}/test
-COPY --from=build-stage /build/release/userspace/falco/falco ${DEST_BUILD_DIR}/userspace/falco/falco
-COPY --from=build-stage /build/release/userspace/falco/config_falco.h ${DEST_BUILD_DIR}/userspace/falco/config_falco.h
-COPY --from=build-stage /build/release/falco-*.tar.gz ${DEST_BUILD_DIR}/
-COPY --from=build-stage /build/release/falco-*.deb ${DEST_BUILD_DIR}/
-COPY --from=build-stage /build/release/falco-*.rpm ${DEST_BUILD_DIR}/
--- a/docker/builder/root/usr/bin/entrypoint
+++ b/docker/builder/root/usr/bin/entrypoint
@@ -1,59 +0,0 @@
-#!/usr/bin/env bash
-
-set -eu -o pipefail
-
-SOURCE_DIR=/source
-BUILD_DIR=/build
-CMD=${1:-usage}
-shift
-
-# Build type can be "debug" or "release", fallbacks to "release" by default
-BUILD_TYPE=$(echo "$BUILD_TYPE" | tr "[:upper:]" "[:lower:]")
-FALCO_EXTRA_DEBUG_FLAGS=
-case "$BUILD_TYPE" in
-"debug")
-    FALCO_EXTRA_DEBUG_FLAGS="-D_DEBUG -DNDEBUG"
-    ;;
-*)
-    BUILD_TYPE="release"
-    ;;
-esac
-
-case "$CMD" in
-"cmake")
-    # Check that source directory contains Falco
-    if [ ! -d "$SOURCE_DIR/falco" ]; then
-        echo "Missing falco source." >&2
-        exit 1
-    fi
-    # Prepare build directory
-    mkdir -p "$BUILD_DIR/$BUILD_TYPE"
-    cd "$BUILD_DIR/$BUILD_TYPE"
-
-    cmake \
-    -DCMAKE_BUILD_TYPE="$BUILD_TYPE" \
-    -DCMAKE_INSTALL_PREFIX=/usr \
-    -DBUILD_DRIVER="$BUILD_DRIVER" \
-    -DBUILD_BPF="$BUILD_BPF" \
-    -DBUILD_WARNINGS_AS_ERRORS="$BUILD_WARNINGS_AS_ERRORS" \
-    -DFALCO_VERSION="$FALCO_VERSION" \
-    -DFALCO_EXTRA_DEBUG_FLAGS="$FALCO_EXTRA_DEBUG_FLAGS" \
-    -DUSE_BUNDLED_DEPS=ON \
-    "$SOURCE_DIR/falco"
-    exit "$(printf '%d\n' $?)"
-    ;;
-"bash")
-    CMD=/bin/bash
-    ;& # fallthrough
-"usage")
-    exec "$CMD" "$@"
-    ;;
-*)
-    if [ ! -d "$BUILD_DIR/$BUILD_TYPE" ]; then
-        echo "Missing $BUILD_DIR/$BUILD_TYPE directory: run cmake."
-        exit 1
-    fi
-    cd "$BUILD_DIR/$BUILD_TYPE"
-    make -j"$MAKE_JOBS" "$CMD"
-    ;;
-esac
--- a/docker/builder/root/usr/bin/scl_enable
+++ b/docker/builder/root/usr/bin/scl_enable
@@ -1,6 +0,0 @@
-# IMPORTANT: Do not add more content to this file unless you know what you are doing.
-#            This file is sourced every time the shell session is opened.
-#
-# This will make scl collection binaries work out of box.
-unset BASH_ENV PROMPT_COMMAND ENV
-source scl_source enable devtoolset-7 llvm-toolset-7.0
--- a/docker/builder/root/usr/bin/usage
+++ b/docker/builder/root/usr/bin/usage
@@ -1,53 +0,0 @@
-#!/usr/bin/env bash
-
-gccversion=$(gcc --version | head -n1)
-cppversion=$(g++ -dM -E -x c++ /dev/null | grep -F __cplusplus | cut -d' ' -f3)
-cmakeversion=$(cmake --version | head -n1)
-clangversion=$(clang --version | head -n1)
-
-cat <<EOF
-Hello, this is the Falco builder container.
-
-How to use.
-
-    The default commands for the Falco builder image reports usage and environment info.
-    * docker run falcosecurity/falco-builder
-    * docker run falcosecurity/falco-builder usage
-
-    It supports bash.
-    * docker run -ti falcosecurity/falco-builder bash
-
-    To build Falco it needs:
-    - a bind-mount on the source directory (ie., the directory containing the Falco source as sibling)
-
-    Optionally, you can also bind-mount the build directory.
-    So, you can execute it from the Falco root directory as follows.
-
-    * docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder cmake
-    * docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder [<cmake-target-x>, ..., <cmake-target-y>]
-
-    Eg.,
-    * docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder tests
-    * docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder install
-
-How to build.
-
-    * cd docker/builder && DOCKER_BUILDKIT=1 docker build -t falcosecurity/falco-builder .
-
-    In case you want to customise the builder at build time the following build arguments are provided:
-    - BUILD_TYPE                whether you want a "release" or "debug" build (defaults to "release").
-    - BUILD_DRIVER              whether to build the driver or not (defaults to "OFF")
-    - BUILD_BPF                 whether to build the BPF driver or not (defaults to "OFF")
-    - BUILD_WARNINGS_AS_ERRORS  whether to intend warnings as errors or not (defaults to "ON")
-    - MAKE_JOBS                 the number of jobs to use during make (defaults to "4")
-    - FALCO_VERSION             the version to label the build (built from git index in case it is missing)
-
-    It is possible to change these at runtime (in the container) since environment variables with the same names are provided, too.
-
-Environment.
-
-    * ${gccversion}
-    * cplusplus ${cppversion}
-    * ${cmakeversion}
-    * ${clangversion}
-EOF
--- a/docker/driver-loader/Dockerfile
+++ b/docker/driver-loader/Dockerfile
@@ -1,7 +1,8 @@
 ARG FALCO_IMAGE_TAG=latest
-FROM falcosecurity/falco:${FALCO_IMAGE_TAG}
+FROM docker.io/falcosecurity/falco:${FALCO_IMAGE_TAG}

 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"

 LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --name NAME IMAGE"

@@ -10,4 +11,4 @@ ENV HOME /root

 COPY ./docker-entrypoint.sh /

-ENTRYPOINT ["/docker-entrypoint.sh"]
+ENTRYPOINT ["/docker-entrypoint.sh"]
--- a/docker/falco/Dockerfile
+++ b/docker/falco/Dockerfile
@@ -1,6 +1,7 @@
 FROM debian:buster

 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"

 LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc --name NAME IMAGE"

--- a/docker/local/CMakeLists.txt
+++ b/docker/local/CMakeLists.txt
@@ -1,17 +0,0 @@
-add_subdirectory(traces)
-add_subdirectory(rules)
-
-add_custom_target(local-Dockerfile ALL
-	DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/Dockerfile)
-
-add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/Dockerfile
-	COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_SOURCE_DIR}/Dockerfile ${CMAKE_CURRENT_BINARY_DIR}/Dockerfile
-	DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/Dockerfile)
-
-add_custom_target(local-docker-entrypoint ALL
-	DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/docker-entrypoint)
-
-add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/docker-entrypoint
-	COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_SOURCE_DIR}/docker-entrypoint.sh ${CMAKE_CURRENT_BINARY_DIR}/docker-entrypoint.sh
-	DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/docker-entrypoint.sh)
-
--- a/docker/local/Dockerfile
+++ b/docker/local/Dockerfile
@@ -1,134 +0,0 @@
-FROM debian:buster
-
-LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-
-ARG TARGETARCH
-
-ARG FALCO_VERSION=
-RUN test -n FALCO_VERSION
-ENV FALCO_VERSION ${FALCO_VERSION}
-
-ENV HOST_ROOT /host
-
-ENV HOME /root
-
-RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
-
-RUN apt-get update \
-	&& apt-get install -y --no-install-recommends \
-	bash-completion \
-	bc \
-	clang-7 \
-	ca-certificates \
-	curl \
-	dkms \
-	gnupg2 \
-	gcc \
-	jq \
-	libc6-dev \
-	libelf-dev \
-	libyaml-0-2 \
-	llvm-7 \
-	netcat \
-	xz-utils \
-	libmpc3 \
-	binutils \
-	libgomp1 \
-	libitm1 \
-	libatomic1 \
-	liblsan0 \
-	libtsan0 \
-	libcc1-0 \
-	patchelf \
-	&& rm -rf /var/lib/apt/lists/*
-
-RUN if [ "$TARGETARCH" = "amd64" ]; \
-    then apt-get install -y --no-install-recommends libmpx2 libquadmath0; \
-    fi
-
-# gcc 6 is no longer included in debian stable, but we need it to
-# build kernel modules on the default debian-based ami used by
-# kops. So grab copies we've saved from debian snapshots with the
-# prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
-# or so.
-
-RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libcilkrts5_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
-    curl -L -o cpp-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_${TARGETARCH}.deb \
-	&& curl -L -o gcc-6-base_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_${TARGETARCH}.deb \
-	&& curl -L -o gcc-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_${TARGETARCH}.deb \
-	&& curl -L -o libasan3_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_${TARGETARCH}.deb \
-	&& curl -L -o libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb \
-	&& curl -L -o libubsan0_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libubsan0_6.3.0-18_${TARGETARCH}.deb \
-	&& curl -L -o libmpfr4_3.1.3-2_${TARGETARCH}.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_${TARGETARCH}.deb \
-	&& curl -L -o libisl15_0.18-1_${TARGETARCH}.deb https://download.falco.org/dependencies/libisl15_0.18-1_${TARGETARCH}.deb \
-	&& dpkg -i cpp-6_6.3.0-18_${TARGETARCH}.deb gcc-6-base_6.3.0-18_${TARGETARCH}.deb gcc-6_6.3.0-18_${TARGETARCH}.deb libasan3_6.3.0-18_${TARGETARCH}.deb; \
-    if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
-    dpkg -i libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb \
-	&& rm -f cpp-6_6.3.0-18_${TARGETARCH}.deb gcc-6-base_6.3.0-18_${TARGETARCH}.deb gcc-6_6.3.0-18_${TARGETARCH}.deb libasan3_6.3.0-18_${TARGETARCH}.deb libcilkrts5_6.3.0-18_${TARGETARCH}.deb libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb
-
-# gcc 5 is no longer included in debian stable, but we need it to
-# build centos kernels, which are 3.x based and explicitly want a gcc
-# version 3, 4, or 5 compiler. So grab copies we've saved from debian
-# snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
-
-RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libmpx0_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
-    curl -L -o cpp-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_${TARGETARCH}.deb \
-	&& curl -L -o gcc-5-base_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_${TARGETARCH}.deb \
-	&& curl -L -o gcc-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_${TARGETARCH}.deb \
-	&& curl -L -o libasan2_5.5.0-12_${TARGETARCH}.deb	https://download.falco.org/dependencies/libasan2_5.5.0-12_${TARGETARCH}.deb \
-	&& curl -L -o libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb \
-	&& curl -L -o libisl15_0.18-4_${TARGETARCH}.deb https://download.falco.org/dependencies/libisl15_0.18-4_${TARGETARCH}.deb \
-	&& dpkg -i cpp-5_5.5.0-12_${TARGETARCH}.deb gcc-5-base_5.5.0-12_${TARGETARCH}.deb gcc-5_5.5.0-12_${TARGETARCH}.deb libasan2_5.5.0-12_${TARGETARCH}.deb; \
-    if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
-    dpkg -i libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb \
-	&& rm -f cpp-5_5.5.0-12_${TARGETARCH}.deb gcc-5-base_5.5.0-12_${TARGETARCH}.deb gcc-5_5.5.0-12_${TARGETARCH}.deb libasan2_5.5.0-12_${TARGETARCH}.deb libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb libmpx0_5.5.0-12_${TARGETARCH}.deb
-
-# Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
-# default to gcc-5.
-RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc
-
-RUN rm -rf /usr/bin/clang \
-	&& rm -rf /usr/bin/llc \
-	&& ln -s /usr/bin/clang-7 /usr/bin/clang \
-	&& ln -s /usr/bin/llc-7 /usr/bin/llc
-
-# Some base images have an empty /lib/modules by default
-# If it's not empty, docker build will fail instead of
-# silently overwriting the existing directory
-RUN rm -df /lib/modules \
-	&& ln -s $HOST_ROOT/lib/modules /lib/modules
-
-ADD falco-${FALCO_VERSION}-*.deb /
-RUN dpkg -i /falco-${FALCO_VERSION}-$(uname -m).deb
-
-# Change the falco config within the container to enable ISO 8601
-# output.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-	&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
-
-# debian:stable head contains binutils 2.31, which generates
-# binaries that are incompatible with kernels < 4.16. So manually
-# forcibly install binutils 2.30-22 instead.
-RUN if [ "$TARGETARCH" = "amd64" ] ; then \
-    curl -L -o binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
-    else  \
-    curl -L -o  binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
-    fi
-
-RUN curl -L -o binutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils_2.30-22_${TARGETARCH}.deb \
-	&& curl -L -o libbinutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/libbinutils_2.30-22_${TARGETARCH}.deb \
-	&& curl -L -o binutils-common_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-common_2.30-22_${TARGETARCH}.deb \
-	&& dpkg -i *binutils*.deb \
-	&& rm -f *binutils*.deb
-
-# The local container also copies some test trace files and
-# corresponding rules that are used when running regression tests.
-COPY rules/*.yaml /rules/
-COPY traces/*.scap /traces/
-
-COPY ./docker-entrypoint.sh /
-
-ENTRYPOINT ["/docker-entrypoint.sh"]
-
-CMD ["/usr/bin/falco"]
--- a/docker/local/docker-entrypoint.sh
+++ b/docker/local/docker-entrypoint.sh
@@ -1,34 +0,0 @@
-#!/usr/bin/env bash
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-
-# Set the SKIP_DRIVER_LOADER variable to skip loading the driver
-
-if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
-    echo "* Setting up /usr/src links from host"
-
-    for i in "$HOST_ROOT/usr/src"/*
-    do
-        base=$(basename "$i")
-        ln -s "$i" "/usr/src/$base"
-    done
-
-    /usr/bin/falco-driver-loader
-fi
-
-exec "$@"
--- a/docker/local/rules/CMakeLists.txt
+++ b/docker/local/rules/CMakeLists.txt
@@ -1,7 +0,0 @@
-include(copy_files_to_build_dir)
-
-# Note: list of rules is created at cmake time, not build time
-file(GLOB test_rule_files
-	"${CMAKE_CURRENT_SOURCE_DIR}/../../../test/rules/*.yaml")
-
-copy_files_to_build_dir("${test_rule_files}" docker-local-rules)
--- a/docker/local/traces/CMakeLists.txt
+++ b/docker/local/traces/CMakeLists.txt
@@ -1,7 +0,0 @@
-include(copy_files_to_build_dir)
-
-# Note: list of traces is created at cmake time, not build time
-file(GLOB test_trace_files
-	"${CMAKE_CURRENT_SOURCE_DIR}/../../../test/trace_files/*.scap")
-
-copy_files_to_build_dir("${test_trace_files}" docker-local-traces)
--- a/docker/no-driver/Dockerfile
+++ b/docker/no-driver/Dockerfile
@@ -23,10 +23,14 @@ RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/
 FROM debian:11-slim

 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"

 LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
 # NOTE: for the "least privileged" use case, please refer to the official documentation

+RUN apt-get -y update && apt-get -y install ca-certificates curl jq \
+    && apt clean -y && rm -rf /var/lib/apt/lists/*
+
 ENV HOST_ROOT /host
 ENV HOME /root

--- a/docker/tester/Dockerfile
+++ b/docker/tester/Dockerfile
@@ -1,29 +0,0 @@
-FROM fedora:31
-
-LABEL name="falcosecurity/falco-tester"
-LABEL usage="docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build --name <name> falcosecurity/falco-tester test"
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-
-ARG TARGETARCH
-
-ENV FALCO_VERSION=
-ENV BUILD_TYPE=release
-
-RUN if [ "$TARGETARCH" = "amd64" ] ; then curl -L -o grpcurl.tar.gz \
-    https://github.com/fullstorydev/grpcurl/releases/download/v1.8.6/grpcurl_1.8.6_linux_x86_64.tar.gz; \
-    else curl -L -o grpcurl.tar.gz \
-    https://github.com/fullstorydev/grpcurl/releases/download/v1.8.6/grpcurl_1.8.6_linux_arm64.tar.gz; \
-    fi;
-
-RUN dnf install -y python-pip python docker findutils jq unzip sed curl && dnf clean all
-ENV PATH="/root/.local/bin/:${PATH}"
-RUN pip install --user avocado-framework==69.0
-RUN pip install --user avocado-framework-plugin-varianter-yaml-to-mux==69.0
-RUN pip install --user watchdog==0.10.2
-RUN pip install --user pathtools==0.1.2
-RUN tar -C /usr/bin -xvf grpcurl.tar.gz
-
-COPY ./root /
-
-ENTRYPOINT ["entrypoint"]
-CMD ["usage"]
--- a/docker/tester/root/runners/deb.Dockerfile
+++ b/docker/tester/root/runners/deb.Dockerfile
@@ -1,21 +0,0 @@
-FROM ubuntu:18.04
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-
-ARG FALCO_VERSION=
-RUN test -n FALCO_VERSION
-ENV FALCO_VERSION ${FALCO_VERSION}
-
-RUN apt update -y
-RUN apt install dkms -y
-
-ADD falco-${FALCO_VERSION}-*.deb /
-RUN dpkg -i /falco-${FALCO_VERSION}-$(uname -m).deb
-
-# Change the falco config within the container to enable ISO 8601 output.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-    && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
-
-COPY rules/*.yaml /rules/
-COPY trace_files/*.scap /traces/
-
-CMD ["/usr/bin/falco"]
--- a/docker/tester/root/runners/rpm.Dockerfile
+++ b/docker/tester/root/runners/rpm.Dockerfile
@@ -1,22 +0,0 @@
-FROM centos:7
-
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-
-ARG FALCO_VERSION=
-RUN test -n FALCO_VERSION
-ENV FALCO_VERSION ${FALCO_VERSION}
-
-RUN yum update -y
-RUN yum install epel-release -y
-
-ADD falco-${FALCO_VERSION}-*.rpm /
-RUN yum install -y /falco-${FALCO_VERSION}-$(uname -m).rpm
-
-# Change the falco config within the container to enable ISO 8601 output.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-    && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
-
-COPY rules/*.yaml /rules/
-COPY trace_files/*.scap /traces/
-
-CMD ["/usr/bin/falco"]
--- a/docker/tester/root/runners/tar.gz.Dockerfile
+++ b/docker/tester/root/runners/tar.gz.Dockerfile
@@ -1,21 +0,0 @@
-FROM ubuntu:18.04
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-
-ARG FALCO_VERSION=
-RUN test -n FALCO_VERSION
-ENV FALCO_VERSION ${FALCO_VERSION}
-
-RUN apt update -y
-RUN apt install dkms curl -y
-
-ADD falco-${FALCO_VERSION}-*.tar.gz /
-RUN cp -R /falco-${FALCO_VERSION}-$(uname -m)/* /
-
-# Change the falco config within the container to enable ISO 8601 output.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-    && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
-
-COPY rules/*.yaml /rules/
-COPY trace_files/*.scap /traces/
-
-CMD ["/usr/bin/falco"]
--- a/docker/tester/root/usr/bin/entrypoint
+++ b/docker/tester/root/usr/bin/entrypoint
@@ -1,93 +0,0 @@
-#!/usr/bin/env bash
-
-BUILD_DIR=${BUILD_DIR:-/build}
-SOURCE_DIR=${SOURCE_DIR:-/source}
-SKIP_PACKAGES_TESTS=${SKIP_PACKAGES_TESTS:-false}
-
-CMD=${1:-test}
-shift
-
-# Stop the execution if a command in the pipeline has an error, from now on
-set -e -u -o pipefail
-
-# build type can be "debug" or "release", fallbacks to "release" by default
-BUILD_TYPE=$(echo "$BUILD_TYPE" | tr "[:upper:]" "[:lower:]")
-case "$BUILD_TYPE" in
-"debug")
-    ;;
-*)
-    BUILD_TYPE="release"
-    ;;
-esac
-
-build_image() {
-    BUILD_DIR=$1
-    BUILD_TYPE=$2
-    FALCO_VERSION=$3
-    PACKAGE_TYPE=$4
-    PACKAGE="$BUILD_DIR/$BUILD_TYPE/falco-$FALCO_VERSION-$(uname -m).${PACKAGE_TYPE}"
-    if [ ! -f "$PACKAGE" ]; then
-        echo "Package not found: ${PACKAGE}." >&2
-        exit 1
-    fi
-    DOCKER_IMAGE_NAME="falcosecurity/falco:test-${PACKAGE_TYPE}"
-    echo "Building local docker image $DOCKER_IMAGE_NAME from latest ${PACKAGE_TYPE} package..."
-
-    mkdir -p /runner-rootfs
-    cp "$PACKAGE" /runner-rootfs
-    cp -R "$SOURCE_DIR/falco/test/rules" /runner-rootfs
-    cp -R "$SOURCE_DIR/falco/test/trace_files" /runner-rootfs
-    docker build -f "/runners/$PACKAGE_TYPE.Dockerfile" --build-arg FALCO_VERSION="$FALCO_VERSION" -t "$DOCKER_IMAGE_NAME" /runner-rootfs
-}
-
-clean_image() {
-    PACKAGE_TYPE=$1
-    DOCKER_IMAGE_NAME="falcosecurity/falco:test-${PACKAGE_TYPE}"
-    docker rmi -f "$DOCKER_IMAGE_NAME"
-}
-
-case "$CMD" in
-"test")
-    if [ -z "$FALCO_VERSION" ]; then
-        echo "Automatically figuring out Falco version."
-        FALCO_VERSION_FULL=$("$BUILD_DIR/$BUILD_TYPE/userspace/falco/falco" --version)
-        FALCO_VERSION=$(echo "$FALCO_VERSION_FULL" | head -n 1 | cut -d' ' -f3  | tr -d '\r')
-        echo "Falco version: $FALCO_VERSION"
-    fi
-    if [ -z "$FALCO_VERSION" ]; then
-        echo "Falco version cannot be guessed, please provide it with the FALCO_VERSION environment variable." >&2
-        exit 1
-    fi
-
-    # build docker images
-    if [ "$SKIP_PACKAGES_TESTS" = false ] ; then
-        build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "deb"
-        build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "rpm"
-        build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "tar.gz"
-    fi
-
-    # check that source directory contains Falco
-    if [ ! -d "$SOURCE_DIR/falco/test" ]; then
-        echo "Missing $SOURCE_DIR/falco/test directory." >&2
-        exit 1
-    fi
-
-    # run tests
-    echo "Running regression tests ..."
-    cd "$SOURCE_DIR/falco/test"
-    SKIP_PACKAGES_TESTS=$SKIP_PACKAGES_TESTS ./run_regression_tests.sh -d "$BUILD_DIR/$BUILD_TYPE"
-
-    # clean docker images
-    if [ "$SKIP_PACKAGES_TESTS" = false ] ; then
-        clean_image "deb"
-        clean_image "rpm"
-        clean_image "tar.gz"
-    fi
-    ;;
-"bash")
-    CMD=/bin/bash
-    ;& # fallthrough
-"usage")
-    exec "$CMD" "$@"
-    ;;
-esac
--- a/docker/tester/root/usr/bin/usage
+++ b/docker/tester/root/usr/bin/usage
@@ -1,41 +0,0 @@
-#!/usr/bin/env bash
-
-pythonversion=$(python -c 'import sys; version=sys.version_info[:3]; print("{0}.{1}.{2}".format(*version))')
-pipversion=$(pip --version | cut -d' ' -f 1,2,5,6)
-dockerversion=$(docker --version)
-avocadoversion=$(pip show avocado-framework | grep Version)
-avocadoversion=${avocadoversion#"Version: "}
-
-cat <<EOF
-Hello, this is the Falco tester container.
-
-How to use.
-
-    The default commands for the Falco tester image reports usage and environment info.
-    * docker run falcosecurity/falco-tester
-    * docker run falcosecurity/falco-tester usage
-
-    It supports bash.
-    * docker run -ti falcosecurity/falco-tester bash
-
-    To run Falco regression tests you need to provide:
-    - the docker socket
-    - the boot directory
-    - the source directory
-    - the directory where Falco has been built
-    - the environment variable FALCO_VARIABLE set to the value obtained during the Falco's build
-
-    Assuming you are running it from the Falco root directory, you can run it as follows.
-    * docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build -e FALCO_VERSION=<current_falco_version> falcosecurity/falco-tester test
-
-How to build.
-
-    * cd docker/tester && DOCKER_BUILDKIT=1 docker build -t falcosecurity/falco-tester .
-
-Environment.
-
-    * python ${pythonversion}
-    * ${pipversion}
-    * avocado ${avocadoversion}
-    * ${dockerversion}
-EOF
--- a/docker/ubi/Dockerfile
+++ b/docker/ubi/Dockerfile
@@ -1,45 +0,0 @@
-ARG UBI_VERSION=latest
-FROM registry.access.redhat.com/ubi8/ubi:${UBI_VERSION}
-
-ARG FALCO_VERSION
-RUN test -n "$FALCO_VERSION" || (echo "FALCO_VERSION  not set" && false)
-ENV FALCO_VERSION=${FALCO_VERSION}
-
-LABEL "name"="Falco Runtime Security"
-LABEL "vendor"="Falco"
-LABEL "version"="${FALCO_VERSION}"
-LABEL "release"="${FALCO_VERSION}"
-LABEL "ubi-version"="${UBI_VERSION}"
-LABEL "summary"="Falco is a security policy engine that monitors system calls and cloud events, and fires alerts when security policies are violated."
-LABEL "description"="Falco is a security policy engine that monitors system calls and cloud events, and fires alerts when security policies are violated."
-LABEL "io.k8s.display-name"="Falco"
-LABEL "io.k8s.description"="Falco is a security policy engine that monitors system calls and cloud events, and fires alerts when security policies are violated."
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc --name NAME IMAGE"
-
-
-ENV HOST_ROOT /host
-ENV HOME /root
-
-RUN  dnf -y update && \
-     dnf -y install \
-          curl \
-          make \
-          cmake \
-          gcc \
-          llvm-toolset \
-          clang \
-          kmod \
-     && dnf -y clean all ; rm -rf /var/cache/{dnf,yum}
-
-RUN mkdir /build && cd /build/ && curl --remote-name-all -L https://github.com/dell/dkms/archive/refs/tags/v3.0.3.tar.gz && \
-     tar xvf v3.0.3.tar.gz && cd dkms-3.0.3 && make install-redhat && rm -rf /build
-
-RUN mkdir /deploy && cd /deploy/ && curl --remote-name-all -L https://download.falco.org/packages/bin/$(uname -m)/falco-${FALCO_VERSION}-$(uname -m).tar.gz && \
-     cd / && tar --strip-components=1 -xvf /deploy/falco-${FALCO_VERSION}-$(uname -m).tar.gz && \
-     rm -rf /deploy
-
-COPY ./docker-entrypoint.sh /
-
-ENTRYPOINT ["/docker-entrypoint.sh"]
-CMD ["/usr/bin/falco"]
--- a/docker/ubi/docker-entrypoint.sh
+++ b/docker/ubi/docker-entrypoint.sh
@@ -1,39 +0,0 @@
-#!/bin/bash
-#
-# Copyright (C) 2022 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# Set the SKIP_DRIVER_LOADER variable to skip loading the driver
-
-if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
-
-    # Required by dkms to find the required dependencies on RedHat UBI
-    rm -fr /usr/src/kernels/ && rm -fr /usr/src/debug/
-    rm -fr /lib/modules && ln -s $HOST_ROOT/lib/modules /lib/modules
-    rm -fr /boot && ln -s $HOST_ROOT/boot /boot
-
-    echo "* Setting up /usr/src links from host"
-
-    for i in "$HOST_ROOT/usr/src"/*
-    do
-        base=$(basename "$i")
-        ln -s "$i" "/usr/src/$base"
-    done
-
-    /usr/bin/falco-driver-loader
-fi
-
-exec "$@"
--- a/falco.yaml
+++ b/falco.yaml
--- a/proposals/20230511-roadmap-management.md
+++ b/proposals/20230511-roadmap-management.md
@@ -0,0 +1,100 @@
+# Falco Roadmap Management Proposal
+
+## Summary 
+
+This document proposes the introduction of a structured process for managing Falco's roadmap and implementing related changes in our development process. The goal is to ensure the efficient execution of our roadmap objectives.
+
+### Goals
+
+The pillars of this proposal are:
+
+- Define processes for release cycles and development iterations
+- Provide guidelines for planning and prioritizing efforts
+- Introduce regular meetings for core maintainers
+- Using *GitHub Project* as the primary tool for managing *The Falco Project* roadmap
+
+
+### Non-Goals
+
+- Providing an exact set of criteria for task prioritization
+- Detailing testing procedures
+- Providing detailed instructions for GitHub Project usage
+- Addressing hotfix releases
+
+### Scope of this Proposal
+
+Primarily, the roadmap targets the planning of Falco development and releases. However, given Falco's dependence on numerous components, it's inevitable that scheduling and planning activities span across multiple repositories. We anticipate that all [core repositories](https://github.com/falcosecurity/evolution#official) will be interconnected with the roadmap, making it comprehensive enough to incorporate items from all related [Falcosecurity repositories](https://github.com/falcosecurity) as necessary.
+
+This proposal does **not apply to hotfix releases** that may happen whenever needed at the maintainers' discretion.
+
+## Release Cycles and Development Iterations
+
+Falco releases happen 3 times per year. Each release cycle completes, respectively, by the end of January, May, and September.
+
+A **release cycle is a 16-week time frame** between two subsequent releases.
+
+Using this schema, in a 52-week calendar year, we allocate 48 weeks for scheduled activities (16 weeks *x* 3 releases), leaving 4 weeks for breaks.
+
+The 16-week release cycle is further divided into three distinct iterations:
+
+| Iteration Name | Duration | Description |
+|---------------|----------|-------------|
+| Development | 8 weeks | Development phase |
+| Stabilization | 4 weeks | Feature completion and bug fixing |
+| Release Preparation | 4 weeks | Release preparation, testing, bug fixing, no new feature |
+
+### Targeted Release Date
+
+The final week of the *Release Preparation* should conclude before the *last Monday of the release month* (ie. January/May/September). This *last Monday* is designated as the **targeted release date** (when the release is being published), and the remaining part of the week is considered a break period.
+
+### Milestones
+
+For each release, we create a [GitHub Milestone](https://github.com/falcosecurity/falco/milestones) (whose due date must be equal to the target release date). We use the milestone to collect all items to be tentatively completed within the release. 
+
+### Alignment of Falco Components
+
+The release schedule of the [components Falco depends on](https://github.com/falcosecurity/falco/blob/master/RELEASE.md#falco-components-versioning) needs to be synchronized to conform to these stipulations. For instance, a [falcosecurity/libs](https://github.com/falcosecurity/libs) release may be required at least one week prior to the termination of each iteration.
+
+The maintainers are responsible for adapting those components' release schedules and procedures to release cycles and development iterations of Falco. Furthermore, all release processes must be documented and provide clear expectations regarding release dates.
+
+## Project Roadmap
+
+We use the [GitHub Project called *Falco Roadmap*](https://github.com/orgs/falcosecurity/projects/5) to plan and track the progress of each release cycle. The GitHub Project needs to be configured with the above mentioned iterations and break periods, compiled with actual dates. It's recommended to preconfigure the GitHub Project to accommodate the current plus the following three release cycles.
+
+### Roadmap Planning
+
+The roadmap serves as a strategic planning tool that outlines the goals and objectives for Falco. Its purpose is to visually represent the overall direction and timeline, enhance transparency and engage the community.
+
+The onus is on the [Core Maintainers](https://github.com/falcosecurity/evolution/blob/main/GOVERNANCE.md#core-maintainers) to manage the roadmap. In this regard, Core Maintainers meet in **planning sessions on the first week of each calendar month**. 
+
+During these planning sessions, tasks are allocated to the current iteration or postponed to one of the following iterations. The assigned iteration indicates the projected completion date for a particular workstream.
+
+When a session matches with the commencement of an iteration, maintainers convene to assess the planning and prioritize tasks for the iteration. The first planning session of a release cycle must define top priorities for the related release.
+
+## Testing and Quality Assurance (QA)
+
+Each iteration's output must include at least one Falco pre-release (or a viable development build) designated for testing and QA activities. While it's acceptable for these builds to contain unfinished features or known bugs, they must enable any community member to contribute to the testing and QA efforts.
+
+The targeted schedule for these Testing/QA activities should be the **last week of each iteration** (or earlier during the *Release Preparation*).
+
+Testing and Quality Assurance criteria and procedures must be defined and documented across relevant repositories.
+
+Furthermore, given the strong reliance of Falco on [falcosecurity/libs](https://github.com/falcosecurity/libs), the above-mentioned pre-release/build for Testing/QA purposes must be based on the most recent *libs* development for the intended iteration. This means that during each interaction, a *libs* release (either pre or stable) must happen early enough to be used for this purpose.
+
+## Next Steps and Conclusions
+
+The Falco 0.36 release cycle, running from June to September 2023, will mark the initiation of the new process. This cycle will also serve as an experimental phase for refining the process.
+
+Furthermore, as soon as possible, we will kick off a Working Group specifically to ensure smooth execution. This group will involve community members in assisting maintainers with roadmap management. It will provide curated feature suggestions for the roadmap, informed by community needs. This approach would facilitate the core maintainers' decisions, as they would mostly need just to review and adopt these pre-vetted recommendations, enhancing efficiency.
+
+The Working Group's responsibilities will include (non-exhaustive list):
+
+- Address input from the [2023-04-27 Core Maintainers meeting](https://github.com/falcosecurity/community/blob/main/meeting-notes/2023-04-27-Falco-Roadmap-Discussion.md)
+- Sorting and reviewing pending issues to identify key topics for discussion and potential inclusion in the roadmap
+- Establishing protocols not explicitly covered in this document
+- Updating the documentation accordingly
+- Supporting Core Maintainers in managing the [Falco Roadmap GitHub project](https://github.com/orgs/falcosecurity/projects/5)
+- Gathering suggestions from all involved stakeholders to put forward potential enhancements
+
+Finally, we anticipate the need for minor adjustments, which will become apparent only after an initial period of experimentation. Thus we have to intend this process to be flexible enough to adapt to emerging needs and improvements as long as the fundamental spirit of this proposal is upheld.
+
--- a/scripts/falco-driver-loader
+++ b/scripts/falco-driver-loader
@@ -128,30 +128,76 @@ get_target_id() {

 	case "${OS_ID}" in
 	("amzn")
-		if [[ $VERSION_ID == "2" ]]; then
+		case "${VERSION_ID}" in
+		("2")
 			TARGET_ID="amazonlinux2"
-		else
+			;;
+		("2022")
+			TARGET_ID="amazonlinux2022"
+			;;
+		("2023")
+			TARGET_ID="amazonlinux2023"
+			;;
+		(*)
 			TARGET_ID="amazonlinux"
+			;;
+		esac
+		;;
+	("debian")
+		# Workaround: debian kernelreleases might now be actual kernel running;
+		# instead, they might be the Debian kernel package
+		# providing the compatible kernel ABI
+		# See https://lists.debian.org/debian-user/2017/03/msg00485.html
+		# Real kernel release is embedded inside the kernel version.
+		# Moreover, kernel arch, when present, is attached to the former,
+		# therefore make sure to properly take it and attach it to the latter.
+		# Moreover, we support 3 flavors for debian kernels: cloud, rt and normal.
+		# KERNEL-RELEASE will have a `-rt`, or `-cloud` if we are in one of these flavors.
+		# Manage it to download the correct driver.
+		#
+		# Example: KERNEL_RELEASE="5.10.0-0.deb10.22-rt-amd64" and `uname -v`="5.10.178-3"
+		# should lead to: KERNEL_RELEASE="5.10.178-3-rt-amd64"
+		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
+		local ARCH_extra=""
+		if [[ $KERNEL_RELEASE =~ -?(rt-|cloud-|)(amd64|arm64) ]];
+		then
+			ARCH_extra="-${BASH_REMATCH[1]}${BASH_REMATCH[2]}"
+		fi
+		if [[ $(uname -v) =~ ([0-9]+\.[0-9]+\.[0-9]+\-[0-9]+) ]];
+		then
+			KERNEL_RELEASE="${BASH_REMATCH[1]}${ARCH_extra}"
 		fi
 		;;
 	("ubuntu")
 		# Extract the flavor from the kernelrelease
 		# Examples:
-		# 5.0.0-1028-aws-5.0 -> ubuntu-aws-5.0
+		# 5.0.0-1028-aws-5.0 -> ubuntu-aws
 		# 5.15.0-1009-aws -> ubuntu-aws
 		if [[ $KERNEL_RELEASE =~ -([a-zA-Z]+)(-.*)?$ ]];
 		then
-			TARGET_ID="ubuntu-${BASH_REMATCH[1]}${BASH_REMATCH[2]}"
+			TARGET_ID="ubuntu-${BASH_REMATCH[1]}"
 		else
 			TARGET_ID="ubuntu-generic"
 		fi
+
+
+		# In the case that the kernelversion isn't just a number
+		# we keep also the remaining part excluding `-Ubuntu`.
+		# E.g.:
+		# from the following `uname -v` result
+		# `#26~22.04.1-Ubuntu SMP Mon Apr 24 01:58:15 UTC 2023`
+		# we obtain the kernelversion`26~22.04.1`
+		if [[ $(uname -v) =~ (^\#[0-9]+\~[^-]*-Ubuntu .*$) ]];
+		then
+			KERNEL_VERSION=$(uname -v | sed 's/#\([^-\\ ]*\).*/\1/g')
+		fi
 		;;
 	("flatcar")
 		KERNEL_RELEASE="${VERSION_ID}"
 		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
 		;;
 	("minikube")
-		TARGET_ID="${OS_ID}"
+		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
 		# Extract the minikube version. Ex. With minikube version equal to "v1.26.0-1655407986-14197" the extracted version
 		# will be "1.26.0"
 		if [[ $(cat ${HOST_ROOT}/etc/VERSION) =~ ([0-9]+(\.[0-9]+){2}) ]]; then
@@ -163,7 +209,7 @@ get_target_id() {
 		fi
 		;;
 	("bottlerocket")
-		TARGET_ID="${OS_ID}"
+		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
 		# variant_id has been sourced from os-release. Get only the first variant part
 		if [[ -n ${VARIANT_ID} ]];  then
 			# take just first part (eg: VARIANT_ID=aws-k8s-1.15 -> aws)
@@ -172,6 +218,11 @@ get_target_id() {
 		# version_id has been sourced from os-release. Build a kernel version like: 1_1.11.0-aws
 		KERNEL_VERSION="1_${VERSION_ID}-${VARIANT_ID_CUT}"
 		;;
+	("talos")
+		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
+		# version_id has been sourced from os-release. Build a kernel version like: 1_1.4.1
+		KERNEL_VERSION="1_${VERSION_ID}"
+		;;
 	(*)
 		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
 		;;
@@ -232,10 +283,10 @@ load_kernel_module_compile() {
 			continue
 		fi
 		echo "* Trying to dkms install ${DRIVER_NAME} module with GCC ${CURRENT_GCC}"
-		echo "#!/usr/bin/env bash" > /tmp/falco-dkms-make
-		echo "make CC=${CURRENT_GCC} \$@" >> /tmp/falco-dkms-make
-		chmod +x /tmp/falco-dkms-make
-		if dkms install --directive="MAKE='/tmp/falco-dkms-make'" -m "${DRIVER_NAME}" -v "${DRIVER_VERSION}" -k "${KERNEL_RELEASE}" 2>/dev/null; then
+		echo "#!/usr/bin/env bash" > "${TMPDIR}/falco-dkms-make"
+		echo "make CC=${CURRENT_GCC} \$@" >> "${TMPDIR}/falco-dkms-make"
+		chmod +x "${TMPDIR}/falco-dkms-make"
+		if dkms install --directive="MAKE='${TMPDIR}/falco-dkms-make'" -m "${DRIVER_NAME}" -v "${DRIVER_VERSION}" -k "${KERNEL_RELEASE}" 2>/dev/null; then
 			echo "* ${DRIVER_NAME} module installed in dkms"
 			KO_FILE="/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}"
 			if [ -f "$KO_FILE.ko" ]; then
@@ -435,6 +486,12 @@ load_bpf_probe_compile() {
 		make modules_prepare > /dev/null
 	}

+	if [ "${TARGET_ID}" == "flatcar" ]; then
+		KERNEL_RELEASE=${DRIVER_KERNEL_RELEASE}
+		echo "* Flatcar detected (version ${VERSION_ID}); relocating kernel tools"
+		flatcar_relocate_tools
+	fi
+
 	if [ "${TARGET_ID}" == "cos" ]; then
 		echo "* COS detected (build ${BUILD_ID}), using COS kernel headers"

@@ -659,6 +716,8 @@ if [ -v FALCO_BPF_PROBE ]; then
 	DRIVER="bpf"
 fi

+TMPDIR=${TMPDIR:-"/tmp"}
+
 ENABLE_COMPILE=
 ENABLE_DOWNLOAD=

--- a/submodules/falcosecurity-rules
+++ b/submodules/falcosecurity-rules
--- a/submodules/falcosecurity-testing
+++ b/submodules/falcosecurity-testing
--- a/test/.gitignore
+++ b/test/.gitignore
@@ -1,2 +0,0 @@
-falco_traces.yaml
-venv/*
--- a/test/CMakeLists.txt
+++ b/test/CMakeLists.txt
@@ -1,6 +0,0 @@
-add_subdirectory(trace_files)
-
-if(NOT MUSL_OPTIMIZED_BUILD)
-    add_subdirectory(plugins)
-    add_subdirectory(confs/plugins)
-endif()
--- a/test/OWNERS
+++ b/test/OWNERS
@@ -1,2 +0,0 @@
-labels:
-  - area/tests
--- a/test/README.md
+++ b/test/README.md
@@ -1,116 +0,0 @@
-# Falco regression tests
-
-This folder contains the Regression tests suite for Falco.
-
-You can find instructions on how to run this test suite on the Falco website [here](https://falco.org/docs/getting-started/source/#run-regression-tests).
-
-## Test suites
-
- [falco_tests](./falco_tests.yaml)
- [falco_traces](./falco_traces.yaml.in)
- [falco_tests_package](./falco_tests_package.yaml)
- [falco_k8s_audit_tests](./falco_k8s_audit_tests.yaml)
-
-## Running locally
-
-This step assumes you already built Falco.
-
-Note that the tests are intended to be run against a [release build](https://falco.org/docs/getting-started/source/#specify-the-build-type) of Falco, at the moment.
-
-Also, it assumes you prepared [falco_traces](#falco_traces) (see the section below).
-
-**Requirements**
-
- Python 3.x
- [Virtualenv](https://virtualenv.pypa.io/en/latest/)
- [grpcurl](https://github.com/fullstorydev/grpcurl)
-
-**Setup and execution**
-
-Using `virtualenv` the steps to locally run a specific test suite are the following ones (**from this directory**):
-
-```console
-virtualenv venv
-source venv/bin/activate
-pip install -r requirements.txt
-BUILD_DIR="../build" avocado run --mux-yaml falco_tests.yaml --job-results-dir /tmp/job-results -- falco_test.py
-deactivate
-```
-
-The name of the specific test suite to run is `falco_tests.yaml` in this case. Change it to run others test suites.
-
-In case you want to only execute a specific test case, use the `--mux-filter-only` parameter as follows:
-
-```console
-BUILD_DIR="../build" avocado run --mux-yaml falco_tests.yaml --job-results-dir /tmp/job-results --mux-filter-only /run/trace_files/program_output -- falco_test.py
-```
-
-To obtain the path of all the available variants for a given test suite, execute:
-
-```console
-avocado variants --mux-yaml falco_tests.yaml
-```
-
-### falco_traces
-
-The `falco_traces.yaml` test suite gets generated through the `falco_traces.yaml.in` file and some fixtures (`scap` files) downloaded from the web at execution time.
-
-1. Ensure you have `unzip` and `xargs` utilities
-2. Prepare the test suite with the following command:
-
-    ```console
-    bash run_regression_tests.sh -p -v
-    ```
-
-### falco_tests_package
-
-The `falco_tests_package.yaml` test suite requires some additional setup steps to be successfully run on your local machine.
-
-In particular, it requires some runners (ie., docker images) to be already built and present into your local machine.
-
-1. Ensure you have `docker` up and running
-2. Ensure you build Falco (with bundled deps)
-
-    The recommended way of doing it by running the `falcosecurity/falco-builder` docker image from the project root:
-
-    ```console
-    docker run -v $PWD/..:/source -v $PWD/mybuild:/build falcosecurity/falco-builder cmake
-    docker run -v $PWD/..:/source -v $PWD/mybuild:/build falcosecurity/falco-builder falco
-    ```
-
-3. Ensure you build the Falco packages from the Falco above:
-
-    ```console
-    docker run -v $PWD/..:/source -v $PWD/mybuild:/build falcosecurity/falco-builder package
-    ```
-
-4. Ensure you build the runners:
-
-    ```console
-    FALCO_VERSION=$(./mybuild/release/userspace/falco/falco --version  | head -n 1 | cut -d' ' -f3 | tr -d '\r')
-    mkdir -p /tmp/runners-rootfs
-    cp -R ./test/rules /tmp/runners-rootfs
-    cp -R ./test/trace_files /tmp/runners-rootfs
-    cp ./mybuild/release/falco-${FALCO_VERSION}-x86_64.{deb,rpm,tar.gz} /tmp/runners-rootfs
-    docker build -f docker/tester/root/runners/deb.Dockerfile --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:test-deb /tmp/runners-rootfs
-    docker build -f docker/tester/root/runners/rpm.Dockerfile --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:test-rpm /tmp/runners-rootfs
-    docker build -f docker/tester/root/runners/tar.gz.Dockerfile --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:test-tar.gz /tmp/runners-rootfs
-    ```
-
-5. Run the `falco_tests_package.yaml` test suite from the `test` directory
-
-    ```console
-    cd test
-    BUILD_DIR="../mybuild" avocado run --mux-yaml falco_tests_package.yaml --job-results-dir /tmp/job-results -- falco_test.py
-    ```
-
-### Execute all the test suites
-
-In case you want to run all the test suites at once, you can directly use the `run_regression_tests.sh` runner script.
-
-```console
-cd test
-./run_regression_tests.sh -v -d ../build
-```
-
-Just make sure you followed all the previous setup steps.
--- a/test/confs/drops_alert.yaml
+++ b/test/confs/drops_alert.yaml
@@ -1,11 +0,0 @@
-syscall_event_drops:
-  actions:
-    - alert
-  rate: .03333
-  max_burst: 10
-  simulate_drops: true
-
-stdout_output:
-  enabled: true
-
-log_stderr: true
--- a/test/confs/drops_exit.yaml
+++ b/test/confs/drops_exit.yaml
@@ -1,11 +0,0 @@
-syscall_event_drops:
-  actions:
-    - exit
-  rate: .03333
-  max_burst: 10
-  simulate_drops: true
-
-stdout_output:
-  enabled: true
-
-log_stderr: true
--- a/test/confs/drops_ignore.yaml
+++ b/test/confs/drops_ignore.yaml
@@ -1,11 +0,0 @@
-syscall_event_drops:
-  actions:
-    - ignore
-  rate: .03333
-  max_burst: 10
-  simulate_drops: true
-
-stdout_output:
-  enabled: true
-
-log_stderr: true
--- a/test/confs/drops_ignore_log.yaml
+++ b/test/confs/drops_ignore_log.yaml
@@ -1,12 +0,0 @@
-syscall_event_drops:
-  actions:
-    - ignore
-    - log
-  rate: .03333
-  max_burst: 10
-  simulate_drops: true
-
-stdout_output:
-  enabled: true
-
-log_stderr: true
--- a/test/confs/drops_log.yaml
+++ b/test/confs/drops_log.yaml
@@ -1,13 +0,0 @@
-syscall_event_drops:
-  actions:
-    - log
-  rate: .03333
-  max_burst: 10
-  simulate_drops: true
-
-stdout_output:
-  enabled: true
-
-log_stderr: true
-
-log_level: debug
--- a/test/confs/drops_none.yaml
+++ b/test/confs/drops_none.yaml
@@ -1,11 +0,0 @@
-syscall_event_drops:
-  actions:
-    - log
-  rate: .03333
-  max_burst: 10
-  simulate_drops: false
-
-stdout_output:
-  enabled: true
-
-log_stderr: true
--- a/test/confs/drops_threshold_neg.yaml
+++ b/test/confs/drops_threshold_neg.yaml
@@ -1,12 +0,0 @@
-syscall_event_drops:
-  threshold: -1
-  actions:
-    - ignore
-  rate: .03333
-  max_burst: 10
-  simulate_drops: true
-
-stdout_output:
-  enabled: true
-
-log_stderr: true
--- a/test/confs/drops_threshold_oor.yaml
+++ b/test/confs/drops_threshold_oor.yaml
@@ -1,12 +0,0 @@
-syscall_event_drops:
-  threshold: 1.1
-  actions:
-    - ignore
-  rate: .03333
-  max_burst: 10
-  simulate_drops: true
-
-stdout_output:
-  enabled: true
-
-log_stderr: true
--- a/test/confs/file_output.yaml
+++ b/test/confs/file_output.yaml
@@ -1,44 +0,0 @@
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# File containing Falco rules, loaded at startup.
-rules_file: /etc/falco_rules.yaml
-
-# Whether to output events in json or text
-json_output: false
-
-# Send information logs to stderr and/or syslog Note these are *not* security
-# notification logs! These are just Falco lifecycle (and possibly error) logs.
-log_stderr: false
-log_syslog: false
-
-# Where security notifications should go.
-# Multiple outputs can be enabled.
-
-syslog_output:
-  enabled: false
-
-file_output:
-  enabled: true
-  filename: /tmp/falco_outputs/file_output.txt
-
-stdout_output:
-  enabled: true
-
-program_output:
-  enabled: false
-  program: mail -s "Falco Notification" someone@example.com
--- a/test/confs/grpc_unix_socket.yaml
+++ b/test/confs/grpc_unix_socket.yaml
@@ -1,38 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# Whether to output events in json or text.
-json_output: false
-
-# Send information logs to stderr and/or syslog
-# Note these are *not* security notification logs!
-# These are just Falco lifecycle (and possibly error) logs.
-log_stderr: false
-log_syslog: false
-
-# Where security notifications should go.
-stdout_output:
-  enabled: false
-
-# gRPC server using an unix socket.
-grpc:
-    enabled: true
-    bind_address: "unix:///tmp/falco/falco.sock"
-    threadiness: 8
-
-grpc_output:
-  enabled: true
--- a/test/confs/plugins/CMakeLists.txt
+++ b/test/confs/plugins/CMakeLists.txt
@@ -1,16 +0,0 @@
-# This list is populated at cmake time, not build time
-file(GLOB test_conf_files
-	"${CMAKE_CURRENT_SOURCE_DIR}/*.yaml")
-
-foreach(conf_file_path ${test_conf_files})
-	get_filename_component(conf_file ${conf_file_path} NAME)
-	add_custom_target(test-conf-${conf_file} ALL
-		DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${conf_file})
-	add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${conf_file}
-		COMMAND sed -e s!BUILD_DIR!${CMAKE_BINARY_DIR}! < ${CMAKE_CURRENT_SOURCE_DIR}/${conf_file} > ${CMAKE_CURRENT_BINARY_DIR}/${conf_file}
-		DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/${conf_file})
-	list(APPEND PLUGINS_CONF_FILES_TARGETS test-conf-${conf_file})
-endforeach()
-
-add_custom_target(conf-files-plugins ALL)
-add_dependencies(conf-files-plugins ${PLUGINS_CONF_FILES_TARGETS})
--- a/test/confs/plugins/cloudtrail_json_create_instances.yaml
+++ b/test/confs/plugins/cloudtrail_json_create_instances.yaml
@@ -1,14 +0,0 @@
-stdout_output:
-  enabled: true
-
-plugins:
-  - name: cloudtrail
-    library_path: BUILD_DIR/cloudtrail-plugin-prefix/src/cloudtrail-plugin/libcloudtrail.so
-    init_config: ""
-    open_params: "BUILD_DIR/test/trace_files/plugins/alice_start_instances.json"
-  - name: json
-    library_path: BUILD_DIR/json-plugin-prefix/src/json-plugin/libjson.so
-    init_config: ""
-
-# Optional
-load_plugins: [cloudtrail, json]
--- a/test/confs/plugins/cloudtrail_json_create_instances_bigevent.yaml
+++ b/test/confs/plugins/cloudtrail_json_create_instances_bigevent.yaml
@@ -1,14 +0,0 @@
-stdout_output:
-  enabled: true
-
-plugins:
-  - name: cloudtrail
-    library_path: BUILD_DIR/cloudtrail-plugin-prefix/src/cloudtrail-plugin/libcloudtrail.so
-    init_config: ""
-    open_params: "BUILD_DIR/test/trace_files/plugins/alice_start_instances_bigevent.json"
-  - name: json
-    library_path: BUILD_DIR/json-plugin-prefix/src/json-plugin/libjson.so
-    init_config: ""
-
-# Optional
-load_plugins: [cloudtrail, json]
--- a/test/confs/plugins/incompatible_extract_sources.yaml
+++ b/test/confs/plugins/incompatible_extract_sources.yaml
@@ -1,14 +0,0 @@
-stdout_output:
-  enabled: true
-
-plugins:
-  - name: cloudtrail
-    library_path: BUILD_DIR/cloudtrail-plugin-prefix/src/cloudtrail-plugin/libcloudtrail.so
-    init_config: ""
-    open_params: ""
-  - name: test_extract_p1
-    library_path: BUILD_DIR/test/plugins/libtest_extract_p1.so
-    init_config: ""
-
-# Optional
-load_plugins: [cloudtrail, test_extract_p1]
--- a/test/confs/plugins/incompatible_plugin_api.yaml
+++ b/test/confs/plugins/incompatible_plugin_api.yaml
@@ -1,10 +0,0 @@
-stdout_output:
-  enabled: true
-
-plugins:
-  - name: incompatible_plugin_api
-    library_path: BUILD_DIR/test/plugins/libtest_incompat_api.so
-    init_config: ""
-
-# Optional
-load_plugins: [incompatible_plugin_api]
--- a/test/confs/plugins/k8s_audit.yaml
+++ b/test/confs/plugins/k8s_audit.yaml
@@ -1,29 +0,0 @@
-#
-# Copyright (C) 2022 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-stdout_output:
-  enabled: true
-
-plugins:
-  - name: k8saudit
-    library_path: BUILD_DIR/k8saudit-plugin-prefix/src/k8saudit-plugin/libk8saudit.so
-    init_config: ""
-    open_params: "" # to be filled out by each test case
-  - name: json
-    library_path: BUILD_DIR/json-plugin-prefix/src/json-plugin/libjson.so
-    init_config: ""
-
-load_plugins: [k8saudit, json]
--- a/test/confs/plugins/overlap_extract_sources.yaml
+++ b/test/confs/plugins/overlap_extract_sources.yaml
@@ -1,17 +0,0 @@
-stdout_output:
-  enabled: true
-
-plugins:
-  - name: test_source
-    library_path: BUILD_DIR/test/plugins/libtest_source.so
-    init_config: ""
-    open_params: ""
-  - name: test_extract_p1
-    library_path: BUILD_DIR/test/plugins/libtest_extract_p1.so
-    init_config: ""
-  - name: test_extract_p2
-    library_path: BUILD_DIR/test/plugins/libtest_extract_p2.so
-    init_config: ""
-
-# Optional
-load_plugins: [test_source, test_extract_p1, test_extract_p2]
--- a/test/confs/plugins/wrong_plugin_path.yaml
+++ b/test/confs/plugins/wrong_plugin_path.yaml
@@ -1,10 +0,0 @@
-stdout_output:
-  enabled: true
-
-plugins:
-  - name: wrong_plugin_path
-    library_path: BUILD_DIR/test/plugins/wrong_plugin_path.so
-    init_config: ""
-
-# Optional
-load_plugins: [wrong_plugin_path]
--- a/test/confs/program_output.yaml
+++ b/test/confs/program_output.yaml
@@ -1,44 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# File containing Falco rules, loaded at startup.
-rules_file: /etc/falco_rules.yaml
-
-# Whether to output events in json or text
-json_output: false
-
-# Send information logs to stderr and/or syslog
-# Note these are *not* security notification logs!
-# These are just Falco lifecycle (and possibly error) logs.
-log_stderr: false
-log_syslog: false
-
-# Where security notifications should go.
-# Multiple outputs can be enabled.
-syslog_output:
-  enabled: false
-
-file_output:
-  enabled: false
-  filename: ./output.txt
-
-stdout_output:
-  enabled: true
-
-program_output:
-  enabled: true
-  program: cat >> /tmp/falco_outputs/program_output.txt
--- a/test/confs/stdout_output.yaml
+++ b/test/confs/stdout_output.yaml
@@ -1,42 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# File containing Falco rules, loaded at startup.
-rules_file: /etc/falco_rules.yaml
-
-# Whether to output events in json or text
-json_output: false
-
-# Send information logs to stderr and/or syslog Note these are *not* security
-# notification logs! These are just Falco lifecycle (and possibly error) logs.
-log_stderr: false
-log_syslog: false
-
-# Where security notifications should go.
-# Multiple outputs can be enabled.
-
-syslog_output:
-  enabled: false
-
-file_output:
-  enabled: false
-
-stdout_output:
-  enabled: true
-
-program_output:
-  enabled: false
--- a/test/driver-loader/run_test.sh
+++ b/test/driver-loader/run_test.sh
@@ -1,48 +0,0 @@
-#!/usr/bin/env bash
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-set -euo pipefail
-
-BUILD_DIR=$1
-
-SCRIPT=$(readlink -f $0)
-SCRIPTDIR=$(dirname "$SCRIPT")
-RUNNERDIR="${SCRIPTDIR}/runner"
-FALCO_VERSION=$(cat ${BUILD_DIR}/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-DRIVER_VERSION=$(cat ${BUILD_DIR}/userspace/falco/config_falco.h | grep 'DRIVER_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-FALCO_PACKAGE="falco-${FALCO_VERSION}-x86_64.tar.gz"
-
-cp "${BUILD_DIR}/${FALCO_PACKAGE}" "${RUNNERDIR}"
-pushd "${RUNNERDIR}"
-docker build --build-arg FALCO_VERSION="$FALCO_VERSION" \
-    -t falcosecurity/falco:test-driver-loader \
-    -f "${RUNNERDIR}/Dockerfile" "${RUNNERDIR}"
-popd
-rm -f "${RUNNERDIR}/${FALCO_PACKAGE}"
-
-docker run --rm --privileged \
-    -e FALCO_VERSION="$FALCO_VERSION" \
-    -e DRIVER_VERSION="$DRIVER_VERSION" \
-    -v /dev:/host/dev \
-    -v /proc:/host/proc:ro \
-    -v /boot:/host/boot:ro \
-    -v /lib/modules:/host/lib/modules:ro \
-    -v /usr:/host/usr:ro \
-    -v /etc:/host/etc:ro \
-    falcosecurity/falco:test-driver-loader
-
-docker rmi -f falcosecurity/falco:test-driver-loader
--- a/test/driver-loader/runner/Dockerfile
+++ b/test/driver-loader/runner/Dockerfile
@@ -1,32 +0,0 @@
-FROM ubuntu:18.04
-
-ARG FALCO_VERSION=
-RUN test -n FALCO_VERSION
-ENV FALCO_VERSION ${FALCO_VERSION}
-ENV DRIVER_VERSION=
-ENV HOST_ROOT=/host
-
-# Minimal set of deps required to run falco-driver-loader and falco
-RUN apt-get update -y
-RUN apt-get install -y --no-install-recommends \
-	ca-certificates \
-	dkms \
-	curl \
-	gcc \
-	clang-7 \
-	llvm-7 \
-	libelf-dev
-
-RUN rm -rf /usr/bin/clang \
-	&& rm -rf /usr/bin/llc \
-	&& ln -s /usr/bin/clang-7 /usr/bin/clang \
-	&& ln -s /usr/bin/llc-7 /usr/bin/llc
-
-RUN rm -rf /lib/modules \
-	&& ln -s $HOST_ROOT/lib/modules /lib/modules
-
-ADD falco-${FALCO_VERSION}-x86_64.tar.gz /
-RUN cp -R /falco-${FALCO_VERSION}-x86_64/* /
-
-COPY test.sh /
-CMD /test.sh
--- a/test/driver-loader/runner/test.sh
+++ b/test/driver-loader/runner/test.sh
@@ -1,136 +0,0 @@
-#!/usr/bin/env bash
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-set -euo pipefail
-
-FALCO="falco -M 1"
-FALCO_DRIVER_LOADER=falco-driver-loader
-
-
-function init() {
-
-	# We need this here since is not part of the falco-driver-loader script
-	#
-	# todo(leogr): maybe this can be moved into falco-driver-loader directly
-	# since it depends on HOST_ROOT
-	if [ -n "${HOST_ROOT}" ]; then
-		echo "INIT: Setting up /usr/src links from host"
-		for i in "$HOST_ROOT/usr/src"/*
-		do
-			base=$(basename "$i")
-			ln -s "$i" "/usr/src/$base"
-		done
-	fi
-
-	local EXPECTED_DRIVER_VERSION=${DRIVER_VERSION}
-
-	# We need some env vars to be populated
-	# Just source falco-driver-loader, and call get_target_id
-	# Loaded driver will be cleaned up later, if any.
-	echo "INIT: Sourcing ${FALCO_DRIVER_LOADER} to get env vars populated"
-	set +eu
-	source $FALCO_DRIVER_LOADER --source-only
-	get_target_id
-	set -eu
-
-	if [ ! "${EXPECTED_DRIVER_VERSION}" = "${DRIVER_VERSION}" ]; then
-		echo "INIT: Unexpected DRIVER_VERSION in falco-driver-loader"
-		echo "Expected: ${EXPECTED_DRIVER_VERSION}"
-		echo "Found: ${DRIVER_VERSION}"
-		exit 1
-	fi
-
-	FALCO_KERNEL_MODULE_PATH="${HOME}/.falco/${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
-	FALCO_BPF_PROBE_PATH="${HOME}/.falco/${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.o"
-	cleanup_drivers
-}
-
-function cleanup_drivers() {
-    echo "CLEANUP: remove drivers, if any"
-
-    # kernel module
-    rmmod "$DRIVER_NAME" > /dev/null 2>&1 || true
-    dkms uninstall "$DRIVER_NAME/$DRIVER_VERSION" > /dev/null 2>&1 || true
-    rm -f "$FALCO_KERNEL_MODULE_PATH"
-
-    # bpf probe
-	local PROBE_INSTALL_PATH="${HOME}/.falco/${DRIVER_NAME}-bpf.o"
-    rm -f "$FALCO_BPF_PROBE_PATH"
-    rm -f "$PROBE_INSTALL_PATH"
-}
-
-function run_test() {
-    echo ""
-    echo "TEST: $1"
-	echo ""
-    $1
-	echo ""
-    echo "PASS: $1"
-    echo ""
-	cleanup_drivers
-}
-
-function assert_kernel_module() {
-	echo "ASSERT: module loaded"
-    local KMOD_NAME=$(echo "${DRIVER_NAME}" | tr "-" "_")
-    if ! lsmod | grep "${KMOD_NAME}" > /dev/null 2>&1; then
-        echo "FAIL: module not loaded"
-        exit 1
-    fi
-	echo "ASSERT: falco works with module"
-	if ! $FALCO; then
-		echo "FAIL: falco does not work with module"
-		exit 1
-	fi
-}
-
-function assert_bpf_probe() {
-	local PROBE_INSTALL_PATH="${HOME}/.falco/${DRIVER_NAME}-bpf.o"
-	echo "ASSERT: eBPF probe at $PROBE_INSTALL_PATH"
-    if ! test -f "$PROBE_INSTALL_PATH"; then 
-        echo "FAIL: eBPF probe not found"
-        exit 1
-    fi
-	echo "ASSERT: falco works with bpf"
-	if ! FALCO_BPF_PROBE="" $FALCO; then
-		echo "FAIL: falco does not work with bpf"
-		exit 1
-	fi
-}
-
-function test_kernel_module() {
-    $FALCO_DRIVER_LOADER
-	assert_kernel_module
-}
-
-
-function test_bpf_probe() {
-    $FALCO_DRIVER_LOADER bpf
-	assert_bpf_probe
-}
-
-echo "falco-driver-loader tester"
-echo ""
-echo "Falco version: $FALCO_VERSION"
-echo "Driver version: $DRIVER_VERSION"
-echo "HOST_ROOT: ${HOST_ROOT}"
-echo ""
-
-init
-
-run_test "test_kernel_module"
-run_test "test_bpf_probe"
--- a/test/falco_k8s_audit_tests.yaml
+++ b/test/falco_k8s_audit_tests.yaml
@@ -1,776 +0,0 @@
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-trace_files: !mux
-
-  compat_engine_v4_create_disallowed_pod:
-    detect: True
-    detect_level: WARNING
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
-      - ./rules/k8s_audit/engine_v4/allow_only_apache_container.yaml
-    detect_counts:
-      - Create Disallowed Pod: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
-
-  compat_engine_v4_create_allowed_pod:
-    detect: False
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
-      - ./rules/k8s_audit/engine_v4/allow_nginx_container.yaml
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
-
-  compat_engine_v4_create_privileged_pod:
-    detect: True
-    detect_level: WARNING
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
-    detect_counts:
-      - Create Privileged Pod: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged.json
-
-  compat_engine_v4_create_privileged_trusted_pod:
-    detect: False
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-      - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
-      - ./rules/k8s_audit/trust_nginx_container.yaml
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged.json
-
-  compat_engine_v4_create_unprivileged_pod:
-    detect: False
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
-
-  compat_engine_v4_create_hostnetwork_pod:
-    detect: True
-    detect_level: WARNING
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
-    detect_counts:
-      - Create HostNetwork Pod: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
-
-  compat_engine_v4_create_hostnetwork_trusted_pod:
-    detect: False
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-      - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
-      - ./rules/k8s_audit/trust_nginx_container.yaml
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
-
-  user_outside_allowed_set:
-    detect: True
-    detect_level: WARNING
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-      - ./rules/k8s_audit/allow_namespace_foo.yaml
-    detect_counts:
-      - Disallowed K8s User: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/some-user_creates_namespace_foo.json
-
-  user_in_allowed_set:
-    detect: False
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-      - ./rules/k8s_audit/allow_namespace_foo.yaml
-      - ./rules/k8s_audit/allow_user_some-user.yaml
-      - ./rules/k8s_audit/disallow_kactivity.yaml
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/some-user_creates_namespace_foo.json
-
-  create_disallowed_pod:
-    detect: True
-    detect_level: WARNING
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-      - ./rules/k8s_audit/allow_only_apache_container.yaml
-    detect_counts:
-      - Create Disallowed Pod: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
-
-  create_allowed_pod:
-    detect: False
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-      - ./rules/k8s_audit/allow_nginx_container.yaml
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
-
-  create_privileged_pod:
-    detect: True
-    detect_level: WARNING
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - Create Privileged Pod: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged.json
-
-  create_privileged_no_secctx_1st_container_2nd_container_pod:
-    detect: True
-    detect_level: WARNING
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - Create Privileged Pod: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_no_secctx_1st_container_privileged_2nd_container.json
-
-  create_privileged_2nd_container_pod:
-    detect: True
-    detect_level: WARNING
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - Create Privileged Pod: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged_2nd_container.json
-
-  create_privileged_trusted_pod:
-    detect: False
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-      - ./rules/k8s_audit/trust_nginx_container.yaml
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged.json
-
-  create_unprivileged_pod:
-    detect: False
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
-
-  create_unprivileged_trusted_pod:
-    detect: False
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-      - ./rules/k8s_audit/trust_nginx_container.yaml
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
-
-  create_sensitive_mount_pod:
-    detect: True
-    detect_level: WARNING
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - Create Sensitive Mount Pod: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json
-
-  create_sensitive_mount_2nd_container_pod:
-    detect: True
-    detect_level: WARNING
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - Create Sensitive Mount Pod: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_sensitive_mount_2nd_container.json
-
-  create_sensitive_mount_trusted_pod:
-    detect: False
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-      - ./rules/k8s_audit/trust_nginx_container.yaml
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json
-
-  create_unsensitive_mount_pod:
-    detect: False
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json
-
-  create_unsensitive_mount_trusted_pod:
-    detect: False
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-      - ./rules/k8s_audit/trust_nginx_container.yaml
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json
-
-  create_hostnetwork_pod:
-    detect: True
-    detect_level: WARNING
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - Create HostNetwork Pod: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
-
-  create_hostnetwork_trusted_pod:
-    detect: False
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-      - ./rules/k8s_audit/trust_nginx_container.yaml
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
-
-  create_nohostnetwork_pod:
-    detect: False
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json
-
-  create_nohostnetwork_trusted_pod:
-    detect: False
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-      - ./rules/k8s_audit/trust_nginx_container.yaml
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json
-
-  create_nodeport_service:
-    detect: True
-    detect_level: WARNING
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-      - ./rules/k8s_audit/disallow_kactivity.yaml
-    detect_counts:
-      - Create NodePort Service: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_service_nodeport.json
-
-  create_nonodeport_service:
-    detect: False
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-      - ./rules/k8s_audit/disallow_kactivity.yaml
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_service_nonodeport.json
-
-  create_configmap_private_creds:
-    detect: True
-    detect_level: WARNING
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-      - ./rules/k8s_audit/disallow_kactivity.yaml
-    detect_counts:
-      - Create/Modify Configmap With Private Credentials: 6
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_configmap_sensitive_values.json
-
-  create_configmap_no_private_creds:
-    detect: False
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-      - ./rules/k8s_audit/disallow_kactivity.yaml
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_configmap_no_sensitive_values.json
-
-  anonymous_user:
-    detect: True
-    detect_level: WARNING
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - Anonymous Request Allowed: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/anonymous_creates_namespace_foo.json
-
-  pod_exec:
-    detect: True
-    detect_level: NOTICE
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - Attach/Exec Pod: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/exec_pod.json
-
-  pod_attach:
-    detect: True
-    detect_level: NOTICE
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - Attach/Exec Pod: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/attach_pod.json
-
-  namespace_outside_allowed_set:
-    detect: True
-    detect_level: WARNING
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-      - ./rules/k8s_audit/allow_user_some-user.yaml
-    detect_counts:
-      - Create Disallowed Namespace: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/some-user_creates_namespace_foo.json
-
-  namespace_in_allowed_set:
-    detect: False
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-      - ./rules/k8s_audit/allow_namespace_foo.yaml
-      - ./rules/k8s_audit/disallow_kactivity.yaml
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/minikube_creates_namespace_foo.json
-
-  create_pod_in_kube_system_namespace:
-    detect: True
-    detect_level: WARNING
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - Pod Created in Kube Namespace: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_pod_kube_system_namespace.json
-
-  create_pod_in_kube_public_namespace:
-    detect: True
-    detect_level: WARNING
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - Pod Created in Kube Namespace: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_pod_kube_public_namespace.json
-
-  create_serviceaccount_in_kube_system_namespace:
-    detect: True
-    detect_level: WARNING
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - Service Account Created in Kube Namespace: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_serviceaccount_kube_system_namespace.json
-
-  create_serviceaccount_in_kube_public_namespace:
-    detect: True
-    detect_level: WARNING
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - Service Account Created in Kube Namespace: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_serviceaccount_kube_public_namespace.json
-
-  system_clusterrole_deleted:
-    detect: True
-    detect_level: WARNING
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - System ClusterRole Modified/Deleted: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_cluster_role_kube_aggregator.json
-
-  system_clusterrole_modified:
-    detect: True
-    detect_level: WARNING
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - System ClusterRole Modified/Deleted: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/modify_cluster_role_node_problem_detector.json
-
-  attach_cluster_admin_role:
-    detect: True
-    detect_level: WARNING
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - Attach to cluster-admin Role: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/attach_cluster_admin_role.json
-
-  create_cluster_role_wildcard_resources:
-    detect: True
-    detect_level: WARNING
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - ClusterRole With Wildcard Created: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_cluster_role_wildcard_resources.json
-
-  create_cluster_role_wildcard_verbs:
-    detect: True
-    detect_level: WARNING
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - ClusterRole With Wildcard Created: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_cluster_role_wildcard_verbs.json
-
-  create_writable_cluster_role:
-    detect: True
-    detect_level: NOTICE
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - ClusterRole With Write Privileges Created: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_cluster_role_write_privileges.json
-
-  create_pod_exec_cluster_role:
-    detect: True
-    detect_level: WARNING
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - ClusterRole With Pod Exec Created: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_cluster_role_pod_exec.json
-
-  create_deployment:
-    detect: True
-    detect_level: INFO
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - K8s Deployment Created: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_deployment.json
-
-  delete_deployment:
-    detect: True
-    detect_level: INFO
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - K8s Deployment Deleted: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_deployment.json
-
-  create_service:
-    detect: True
-    detect_level: INFO
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - K8s Service Created: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_service.json
-
-  delete_service:
-    detect: True
-    detect_level: INFO
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - K8s Service Deleted: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_service.json
-
-  create_configmap:
-    detect: True
-    detect_level: INFO
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - K8s ConfigMap Created: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_configmap.json
-
-  delete_configmap:
-    detect: True
-    detect_level: INFO
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - K8s ConfigMap Deleted: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_configmap.json
-
-  create_namespace:
-    detect: True
-    detect_level: INFO
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-      - ./rules/k8s_audit/allow_namespace_foo.yaml
-      - ./rules/k8s_audit/allow_user_some-user.yaml
-    detect_counts:
-      - K8s Namespace Created: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/some-user_creates_namespace_foo.json
-
-  delete_namespace:
-    detect: True
-    detect_level: INFO
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - K8s Namespace Deleted: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_namespace_foo.json
-
-  create_serviceaccount:
-    detect: True
-    detect_level: INFO
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - K8s Serviceaccount Created: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_serviceaccount.json
-
-  delete_serviceaccount:
-    detect: True
-    detect_level: INFO
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - K8s Serviceaccount Deleted: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_serviceaccount.json
-
-  create_clusterrole:
-    detect: True
-    detect_level: INFO
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - K8s Role/Clusterrole Created: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_clusterrole.json
-
-  delete_clusterrole:
-    detect: True
-    detect_level: INFO
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - K8s Role/Clusterrole Deleted: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_clusterrole.json
-
-  create_clusterrolebinding:
-    detect: True
-    detect_level: INFO
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - K8s Role/Clusterrolebinding Created: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_clusterrolebinding.json
-
-  delete_clusterrolebinding:
-    detect: True
-    detect_level: INFO
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - K8s Role/Clusterrolebinding Deleted: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_clusterrolebinding.json
-
-  create_secret:
-    detect: True
-    detect_level: INFO
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - K8s Secret Created: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_secret.json
-
-  # Should *not* result in any event as the secret rules skip service account token secrets
-  create_service_account_token_secret:
-    detect: False
-    detect_level: INFO
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_service_account_token_secret.json
-
-  create_kube_system_secret:
-    detect: False
-    detect_level: INFO
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_kube_system_secret.json
-
-  delete_secret:
-    detect: True
-    detect_level: INFO
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    detect_counts:
-      - K8s Secret Deleted: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_secret.json
-
-  fal_01_003:
-    detect: False
-    enable_source: k8s_audit
-    rules_file:
-      - BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml
-      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/fal_01_003.json
-    stderr_contains: 'data not recognized as a k8s audit event'
-
-  json_pointer_correct_parse:
-    detect: True
-    detect_level: WARNING
-    enable_source: k8s_audit
-    rules_file:
-      - ./rules/k8s_audit/single_rule_with_json_pointer.yaml
-    detect_counts:
-      - json_pointer_example: 1
-    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
-    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
--- a/test/falco_test.py
+++ b/test/falco_test.py
@@ -1,730 +0,0 @@
-#!/usr/bin/env python
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-import os
-import re
-import json
-import glob
-import shutil
-import stat
-import subprocess
-import sys
-import urllib.request
-
-from avocado import Test
-from avocado import main
-from avocado.utils import process
-from watchdog.observers import Observer
-from watchdog.events import PatternMatchingEventHandler
-
-
-class FalcoTest(Test):
-
-    def setUp(self):
-        """
-        Load the kernel module if not already loaded.
-        """
-        build_dir = "/build"
-        if 'BUILD_DIR' in os.environ:
-            build_dir = os.environ['BUILD_DIR']
-
-        self.falcodir = self.params.get('falcodir', '/', default=build_dir)
-
-        self.stdout_is = self.params.get('stdout_is', '*', default='')
-        self.stderr_is = self.params.get('stderr_is', '*', default='')
-
-        self.stdout_contains = self.params.get(
-            'stdout_contains', '*', default='')
-
-        if not isinstance(self.stdout_contains, list):
-            self.stdout_contains = [self.stdout_contains]
-
-        self.stderr_contains = self.params.get(
-            'stderr_contains', '*', default='')
-
-        if not isinstance(self.stderr_contains, list):
-            self.stderr_contains = [self.stderr_contains]
-
-        self.stdout_not_contains = self.params.get(
-            'stdout_not_contains', '*', default='')
-
-        if not isinstance(self.stdout_not_contains, list):
-            if self.stdout_not_contains == '':
-                self.stdout_not_contains = []
-            else:
-                self.stdout_not_contains = [self.stdout_not_contains]
-
-        self.stderr_not_contains = self.params.get(
-            'stderr_not_contains', '*', default='')
-
-        if not isinstance(self.stderr_not_contains, list):
-            if self.stderr_not_contains == '':
-                self.stderr_not_contains = []
-            else:
-                self.stderr_not_contains = [self.stderr_not_contains]
-
-        self.validate_ok = self.params.get('validate_ok', '*', default='')
-        self.validate_warnings = self.params.get('validate_warnings', '*', default='')
-        self.validate_errors = self.params.get('validate_errors', '*', default='')
-
-        self.exit_status = self.params.get('exit_status', '*', default=0)
-        self.should_detect = self.params.get('detect', '*', default=False)
-        self.check_detection_counts = self.params.get('check_detection_counts', '*', default=True)
-        self.trace_file = self.params.get('trace_file', '*', default='')
-
-        if self.trace_file and not os.path.isabs(self.trace_file):
-            self.trace_file = os.path.join(build_dir, "test", self.trace_file)
-
-        self.json_output = self.params.get('json_output', '*', default=False)
-        self.json_include_output_property = self.params.get(
-            'json_include_output_property', '*', default=True)
-        self.json_include_tags_property = self.params.get(
-            'json_include_tags_property', '*', default=True)
-        self.all_events = self.params.get('all_events', '*', default=False)
-        self.priority = self.params.get('priority', '*', default='debug')
-        self.addl_cmdline_opts = self.params.get('addl_cmdline_opts', '*', default='')
-        self.enable_source = self.params.get('enable_source', '*', default='')
-        self.rules_file = self.params.get(
-            'rules_file', '*', default='BUILD_DIR/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml')
-
-        if not isinstance(self.rules_file, list):
-            self.rules_file = [self.rules_file]
-
-        self.validate_rules_file = self.params.get(
-            'validate_rules_file', '*', default=False)
-
-        if self.validate_rules_file == False:
-            self.validate_rules_file = []
-        else:
-            # Always enable json output when validating rules
-            # files. Makes parsing errors/warnings easier
-            self.json_output = True
-            if not isinstance(self.validate_rules_file, list):
-                self.validate_rules_file = [self.validate_rules_file]
-        
-        # can be either empty, a string, or a list
-        if self.enable_source == '':
-            self.enable_source = []
-        else:
-            if not isinstance(self.enable_source, list):
-                self.enable_source = [self.enable_source]
-
-        self.rules_args = ""
-
-        for file in self.validate_rules_file:
-            if not os.path.isabs(file):
-                file = os.path.join(self.basedir, file)
-            self.rules_args = self.rules_args + "-V " + file + " "
-
-        for file in self.rules_file:
-            if not os.path.isabs(file):
-                file = os.path.join(self.basedir, file.replace("BUILD_DIR", build_dir))
-            self.rules_args = self.rules_args + "-r " + file + " "
-
-        self.conf_file = self.params.get(
-            'conf_file', '*', default=os.path.join(self.basedir, '../falco.yaml'))
-        self.conf_file = self.conf_file.replace("BUILD_DIR", build_dir)
-        if not os.path.isabs(self.conf_file):
-            self.conf_file = os.path.join(self.basedir, self.conf_file)
-
-        self.run_duration = self.params.get('run_duration', '*', default='')
-
-        self.disabled_rules = self.params.get(
-            'disabled_rules', '*', default='')
-
-        if self.disabled_rules == '':
-            self.disabled_rules = []
-
-        if not isinstance(self.disabled_rules, list):
-            self.disabled_rules = [self.disabled_rules]
-
-        self.disabled_args = ""
-
-        for rule in self.disabled_rules:
-            self.disabled_args = self.disabled_args + "-D " + rule + " "
-
-        self.detect_counts = self.params.get(
-            'detect_counts', '*', default=False)
-        if self.detect_counts == False:
-            self.detect_counts = {}
-        else:
-            detect_counts = {}
-            for item in self.detect_counts:
-                for key, value in list(item.items()):
-                    detect_counts[key] = value
-            self.detect_counts = detect_counts
-
-        # Maps from rule name to set of evttypes
-        self.rules_events = self.params.get('rules_events', '*', default=False)
-        if self.rules_events == False:
-            self.rules_events = {}
-        else:
-            events = {}
-            for item in self.rules_events:
-                for item2 in item:
-                    events[item2[0]] = set(item2[1])
-            self.rules_events = events
-
-        if self.should_detect:
-            self.detect_level = self.params.get('detect_level', '*')
-
-            if not isinstance(self.detect_level, list):
-                self.detect_level = [self.detect_level]
-
-        self.package = self.params.get('package', '*', default='None')
-
-        self.addl_docker_run_args = self.params.get(
-            'addl_docker_run_args', '*', default='')
-
-        self.copy_local_driver = self.params.get(
-            'copy_local_driver', '*', default=False)
-
-        # Used by possibly_copy_local_driver as well as docker run
-        self.module_dir = os.path.expanduser("~/.falco")
-
-        self.outputs = self.params.get('outputs', '*', default='')
-
-        if self.outputs == '':
-            self.outputs = {}
-        else:
-            outputs = []
-            for item in self.outputs:
-                for key, value in list(item.items()):
-                    output = {}
-                    output['file'] = key
-                    output['line'] = value
-                    outputs.append(output)
-                    filedir = os.path.dirname(output['file'])
-                    # Create the parent directory for the trace file if it doesn't exist.
-                    if not os.path.isdir(filedir):
-                        os.makedirs(filedir)
-            self.outputs = outputs
-
-        self.output_strictly_contains = self.params.get(
-            'output_strictly_contains', '*', default='')
-
-        if self.output_strictly_contains == '':
-            self.output_strictly_contains = {}
-        else:
-            output_strictly_contains = []
-            for item in self.output_strictly_contains:
-                for key, value in list(item.items()):
-                    output = {}
-                    output['actual'] = key
-                    output['expected'] = value
-                    output_strictly_contains.append(output)
-                    if not output['actual'] == 'stdout':
-                        # Clean up file from previous tests, if any
-                        if os.path.exists(output['actual']):
-                            os.remove(output['actual'])
-                        # Create the parent directory for the file if it doesn't exist.
-                        filedir = os.path.dirname(output['actual'])
-                        if not os.path.isdir(filedir):
-                            os.makedirs(filedir)
-            self.output_strictly_contains = output_strictly_contains
-
-        self.grpcurl_res = None
-        self.grpc_observer = None
-        self.grpc_address = self.params.get(
-            'address', 'grpc/*', default='/run/falco/falco.sock')
-        if self.grpc_address.startswith("unix://"):
-            self.is_grpc_using_unix_socket = True
-            self.grpc_address = self.grpc_address[len("unix://"):]
-        else:
-            self.is_grpc_using_unix_socket = False
-        self.grpc_proto = self.params.get('proto', 'grpc/*', default='')
-        self.grpc_service = self.params.get('service', 'grpc/*', default='')
-        self.grpc_method = self.params.get('method', 'grpc/*', default='')
-        self.grpc_results = self.params.get('results', 'grpc/*', default='')
-        if self.grpc_results == '':
-            self.grpc_results = []
-        else:
-            if type(self.grpc_results) == str:
-                self.grpc_results = [self.grpc_results]
-
-        self.disable_tags = self.params.get('disable_tags', '*', default='')
-
-        if self.disable_tags == '':
-            self.disable_tags = []
-
-        self.run_tags = self.params.get('run_tags', '*', default='')
-
-        if self.run_tags == '':
-            self.run_tags = []
-
-        self.time_iso_8601 = self.params.get(
-            'time_iso_8601', '*', default=False)
-
-    def tearDown(self):
-        if self.package != 'None':
-            self.uninstall_package()
-
-    def check_rules_events(self, res):
-
-        found_events = {}
-
-        for match in re.finditer('Event types for rule ([^:]+): (\S+)', res.stderr.decode("utf-8")):
-            rule = match.group(1)
-            events = set(match.group(2).split(","))
-            found_events[rule] = events
-
-        self.log.debug(
-            "Expected events for rules: {}".format(self.rules_events))
-        self.log.debug("Actual events for rules: {}".format(found_events))
-
-        for rule in list(found_events.keys()):
-            if found_events.get(rule) != self.rules_events.get(rule):
-                self.fail("rule {}: expected events {} differs from actual events {}".format(
-                    rule, self.rules_events.get(rule), found_events.get(rule)))
-
-    def check_detections(self, res):
-        # Get the number of events detected.
-        match = re.search('Events detected: (\d+)', res.stdout.decode("utf-8"))
-        if match is None:
-            self.fail(
-                "Could not find a line 'Events detected: <count>' in falco output")
-
-        events_detected = int(match.group(1))
-
-        if not self.should_detect and events_detected > 0:
-            self.fail("Detected {} events when should have detected none".format(
-                events_detected))
-
-        if self.should_detect:
-            if events_detected == 0:
-                self.fail("Detected {} events when should have detected > 0".format(
-                    events_detected))
-
-            for level in self.detect_level:
-                level_line = '(?i){}: (\d+)'.format(level)
-                match = re.search(level_line, res.stdout.decode("utf-8"))
-
-                if match is None:
-                    self.fail(
-                        "Could not find a line '{}: <count>' in falco output".format(level))
-
-                    events_detected = int(match.group(1))
-
-                    if not events_detected > 0:
-                        self.fail("Detected {} events at level {} when should have detected > 0".format(
-                            events_detected, level))
-
-    def check_detections_by_rule(self, res):
-        # Get the number of events detected for each rule. Must match the expected counts.
-        match = re.search('Triggered rules by rule name:(.*)',
-                          res.stdout.decode("utf-8"), re.DOTALL)
-        if match is None:
-            self.fail(
-                "Could not find a block 'Triggered rules by rule name: ...' in falco output")
-
-        triggered_rules = match.group(1)
-
-        for rule, count in list(self.detect_counts.items()):
-            expected = '\s{}: (\d+)'.format(
-                re.sub(r'([$\.*+?()[\]{}|^])', r'\\\1', rule))
-            match = re.search(expected, triggered_rules)
-
-            if match is None:
-                actual_count = 0
-            else:
-                actual_count = int(match.group(1))
-
-            if actual_count != count:
-                self.fail("Different counts for rule {}: expected={}, actual={}".format(
-                    rule, count, actual_count))
-            else:
-                self.log.debug(
-                    "Found expected count for rule {}: {}".format(rule, count))
-
-    def check_outputs(self):
-        for output in self.outputs:
-            # Open the provided file and match each line against the
-            # regex in line.
-            file = open(output['file'], 'r')
-            found = False
-            for line in file:
-                match = re.search(output['line'], line)
-
-                if match is not None:
-                    found = True
-
-            if found == False:
-                self.fail("Could not find a line '{}' in file '{}'".format(
-                    output['line'], output['file']))
-
-        return True
-
-    def get_validate_json(self, res):
-        if self.validate_json is None:
-            # The first line of stdout should be the validation result as json
-            self.validate_json = json.loads(res.stdout.decode("utf-8").partition('\n')[0])
-        return self.validate_json
-
-    def check_validate_ok(self, res):
-        if self.validate_ok != '':
-            vobj = self.get_validate_json(res)
-            for expected in self.validate_ok:
-                found = False
-                for vres in vobj["falco_load_results"]:
-                    if vres["successful"] and os.path.basename(vres["name"]) == expected:
-                        found = True
-                        break
-                if not found:
-                    self.fail("Validation json did not contain a successful result for file '{}'".format(expected))
-
-    def check_validate_warnings(self, res):
-        if self.validate_warnings != '':
-            vobj = self.get_validate_json(res)
-            for warnobj in self.validate_warnings:
-                found = False
-                for vres in vobj["falco_load_results"]:
-                    for warning in vres["warnings"]:
-                        if warning["code"] == warnobj["code"]:
-                            if ("message" in warnobj and warning["message"] == warnobj["message"]) or ("message_contains" in warnobj and warnobj["message_contains"] in warning["message"]):
-                                for loc in warning["context"]["locations"]:
-                                    if loc["item_type"] == warnobj["item_type"] and loc["item_name"] == warnobj["item_name"]:
-                                        found = True
-                                        break
-                if not found:
-                    if "message" in warnobj:
-                        self.fail("Validation json did not contain a warning '{}' for '{}' '{}' with message '{}'".format(
-                            warnobj["code"], warnobj["item_type"], warnobj["item_name"], warnobj["message"]))
-                    else:
-                        self.fail("Validation json did not contain a warning '{}' for '{}' '{}' with message containing '{}'".format(
-                            warnobj["code"], warnobj["item_type"], warnobj["item_name"], warnobj["message_contains"]))
-
-    def check_validate_errors(self, res):
-        if self.validate_errors != '':
-            vobj = self.get_validate_json(res)
-            for errobj in self.validate_errors:
-                found = False
-                for vres in vobj["falco_load_results"]:
-                    for error in vres["errors"]:
-                        if error["code"] == errobj["code"]:
-                            if ("message" in errobj and error["message"] == errobj["message"]) or ("message_contains" in errobj and errobj["message_contains"] in error["message"]):
-                                for loc in error["context"]["locations"]:
-                                    if loc["item_type"] == errobj["item_type"] and loc["item_name"] == errobj["item_name"]:
-                                        found = True
-                                        break
-                if not found:
-                    if "message" in errobj:
-                        self.fail("Validation json did not contain a error '{}' for '{}' '{}' with message '{}'".format(
-                            errobj["code"], errobj["item_type"], errobj["item_name"], errobj["message"]))
-                    else:
-                        self.fail("Validation json did not contain a error '{}' for '{}' '{}' with message containing '{}'".format(
-                            errobj["code"], errobj["item_type"], errobj["item_name"], errobj["message_contains"]))
-
-
-    def check_json_event_output(self, res):
-        if self.json_output:
-            # Just verify that any lines starting with '{' are valid json objects.
-            # Doesn't do any deep inspection of the contents.
-            for line in res.stdout.decode("utf-8").splitlines():
-                if line.startswith('{'):
-                    obj = json.loads(line)
-                    attrs = ['time', 'rule', 'priority']
-                    if self.json_include_output_property:
-                        attrs.append('output')
-                    if self.json_include_tags_property:
-                        attrs.append('tags')
-                    for attr in attrs:
-                        if not attr in obj:
-                            self.fail(
-                                "Falco JSON object {} does not contain property \"{}\"".format(line, attr))
-
-    def check_output_strictly_contains(self, res):
-        for output in self.output_strictly_contains:
-            # Read the expected output (from a file) and actual output (either from a file or the stdout),
-            # then check if the actual one strictly contains the expected one.
-
-            expected = open(output['expected']).read()
-
-            if output['actual'] == 'stdout':
-                actual = res.stdout.decode("utf-8")
-            else:
-                actual = open(output['actual']).read()
-
-            actual_cursor = actual
-            expected_lines = expected.splitlines()
-            for line in expected_lines:
-                pos = actual_cursor.find(line)
-                if pos < 0:
-                    self.fail("Output '{}' does not strictly contains the expected content '{}'".format(
-                        output['actual'], output['expected']))
-                    return False
-                actual_cursor = actual_cursor[pos + len(line):]
-
-        return True
-
-    def install_package(self):
-
-        if self.package.startswith("docker:"):
-
-            image = self.package.split(":", 1)[1]
-            # Remove an existing falco-test container first. Note we don't check the output--docker rm
-            # doesn't have an -i equivalent.
-            res = process.run("docker rm falco-test", ignore_status=True)
-
-            self.falco_binary_path = "docker run --rm --name falco-test --privileged " \
-                                     "-v /var/run/docker.sock:/host/var/run/docker.sock " \
-                                     "-v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro " \
-                                     "-v /lib/modules:/host/lib/modules:ro -v {}:/root/.falco:ro " \
-                                     "-v /usr:/host/usr:ro {} {} falco".format(
-                                         self.module_dir, self.addl_docker_run_args, image)
-
-        elif self.package.endswith(".deb"):
-            self.falco_binary_path = '/usr/bin/falco'
-
-            package_glob = "{}/{}".format(self.falcodir, self.package)
-
-            matches = glob.glob(package_glob)
-
-            if len(matches) != 1:
-                self.fail("Package path {} did not match exactly 1 file. Instead it matched: {}",
-                          package_glob, ",".join(matches))
-
-            package_path = matches[0]
-
-            cmdline = "dpkg -i {}".format(package_path)
-            self.log.debug(
-                "Installing debian package via \"{}\"".format(cmdline))
-            res = process.run(cmdline, timeout=120, sudo=True)
-
-        elif self.package.endswith(".rpm"):
-            self.falco_binary_path = '/usr/bin/falco'
-
-            package_glob = "{}/{}".format(self.falcodir, self.package)
-
-            matches = glob.glob(package_glob)
-
-            if len(matches) != 1:
-                self.fail("Package path {} did not match exactly 1 file. Instead it matched: {}",
-                          package_glob, ",".join(matches))
-
-            package_path = matches[0]
-
-            cmdline = "rpm -i --nodeps --noscripts {}".format(package_path)
-            self.log.debug(
-                "Installing centos package via \"{}\"".format(cmdline))
-            res = process.run(cmdline, timeout=120, sudo=True)
-
-    def uninstall_package(self):
-
-        if self.package.startswith("docker:"):
-            self.log.debug("Nothing to do, docker run with --rm")
-
-        elif self.package.endswith(".rpm"):
-            cmdline = "rpm -e --noscripts --nodeps falco"
-            self.log.debug(
-                "Uninstalling centos package via \"{}\"".format(cmdline))
-            res = process.run(cmdline, timeout=120, sudo=True)
-
-        elif self.package.endswith(".deb"):
-            cmdline = "dpkg --purge falco"
-            self.log.debug(
-                "Uninstalling debian package via \"{}\"".format(cmdline))
-            res = process.run(cmdline, timeout=120, sudo=True)
-
-    def possibly_copy_driver(self):
-        # Remove the contents of ~/.falco regardless of copy_local_driver.
-        self.log.debug("Checking for module dir {}".format(self.module_dir))
-        if os.path.isdir(self.module_dir):
-            self.log.info(
-                "Removing files below directory {}".format(self.module_dir))
-            for rmfile in glob.glob(self.module_dir + "/*"):
-                self.log.debug("Removing file {}".format(rmfile))
-                os.remove(rmfile)
-
-        if self.copy_local_driver:
-            verlines = [str.strip() for str in subprocess.check_output(
-                [self.falco_binary_path, "--version"]).splitlines()]
-            verstr = verlines[0].decode("utf-8")
-            self.log.info("verstr {}".format(verstr))
-            falco_version = verstr.split(" ")[2]
-            self.log.info("falco_version {}".format(falco_version))
-            arch = subprocess.check_output(["uname", "-m"]).rstrip()
-            self.log.info("arch {}".format(arch))
-            kernel_release = subprocess.check_output(["uname", "-r"]).rstrip()
-            self.log.info("kernel release {}".format(kernel_release))
-
-            # falco-driver-loader has a more comprehensive set of ways to
-            # find the config hash. We only look at /boot/config-<kernel release>
-            md5_output = subprocess.check_output(
-                ["md5sum", "/boot/config-{}".format(kernel_release)]).rstrip()
-            config_hash = md5_output.split(" ")[0]
-
-            driver_filename = "falco-{}-{}-{}-{}.ko".format(
-                falco_version, arch, kernel_release, config_hash)
-            driver_path = os.path.join(self.falcodir, "driver", "falco.ko")
-            module_path = os.path.join(self.module_dir, driver_filename)
-            self.log.debug("Copying {} to {}".format(driver_path, module_path))
-            shutil.copyfile(driver_path, module_path)
-
-    def init_grpc_handler(self):
-        self.grpcurl_res = None
-        if len(self.grpc_results) > 0:
-            if not self.is_grpc_using_unix_socket:
-                self.fail("This test suite supports gRPC with unix socket only")
-
-            cmdline = "grpcurl -format text -import-path ../userspace/falco " \
-                "-proto {} -plaintext -unix {} " \
-                "{}/{}".format(self.grpc_proto, self.grpc_address,
-                               self.grpc_service, self.grpc_method)
-            that = self
-
-            class GRPCUnixSocketEventHandler(PatternMatchingEventHandler):
-                def on_created(self, event):
-                    # that.log.info("EVENT: {}", event)
-                    that.grpcurl_res = process.run(cmdline)
-
-            path = os.path.dirname(self.grpc_address)
-            process.run("mkdir -p {}".format(path))
-            event_handler = GRPCUnixSocketEventHandler(patterns=['*'],
-                                                       ignore_directories=True)
-            self.grpc_observer = Observer()
-            self.grpc_observer.schedule(event_handler, path, recursive=False)
-            self.grpc_observer.start()
-
-    def check_grpc(self):
-        if self.grpc_observer is not None:
-            self.grpc_observer.stop()
-            self.grpc_observer = None
-            if self.grpcurl_res is None:
-                self.fail("gRPC responses not found")
-
-            for exp_result in self.grpc_results:
-                found = False
-                for line in self.grpcurl_res.stdout.decode("utf-8").splitlines():
-                    if exp_result in line:
-                        found = True
-                        break
-
-                if found == False:
-                    self.fail(
-                        "Could not find a line with '{}' in gRPC responses (protobuf text".format(exp_result))
-
-    def test(self):
-        self.log.info("Trace file %s", self.trace_file)
-
-        self.falco_binary_path = '{}/userspace/falco/falco'.format(
-            self.falcodir)
-
-        self.possibly_copy_driver()
-
-        self.init_grpc_handler()
-
-        if self.package != 'None':
-            # This sets falco_binary_path as a side-effect.
-            self.install_package()
-
-        self.validate_json = None
-
-        trace_arg = self.trace_file
-
-        if self.trace_file:
-            trace_arg = "-e {}".format(self.trace_file)
-
-        extra_cmdline = ''
-        for source in self.enable_source:
-            extra_cmdline += ' --enable-source="{}"'.format(source)
-        extra_cmdline += ' ' + self.addl_cmdline_opts
-
-        # Run falco
-        cmd = '{} {} {} -c {} {} -o json_output={} -o json_include_output_property={} -o json_include_tags_property={} -o priority={} -v {}'.format(
-            self.falco_binary_path, self.rules_args, self.disabled_args, self.conf_file, trace_arg, self.json_output,
-            self.json_include_output_property, self.json_include_tags_property, self.priority, extra_cmdline)
-
-        for tag in self.disable_tags:
-            cmd += ' -T {}'.format(tag)
-
-        for tag in self.run_tags:
-            cmd += ' -t {}'.format(tag)
-
-        if self.run_duration:
-            cmd += ' -M {}'.format(self.run_duration)
-
-        if self.all_events:
-            cmd += ' -A'
-
-        if self.time_iso_8601:
-            cmd += ' -o time_format_iso_8601=true'
-
-        self.falco_proc = process.SubProcess(cmd, env=dict(os.environ, FALCO_HOSTNAME="test-falco-hostname"))
-
-        res = self.falco_proc.run(timeout=180, sig=9)
-
-        if self.stdout_is != '':
-            print(self.stdout_is)
-            if self.stdout_is != res.stdout.decode("utf-8"):
-                self.fail("Stdout was not exactly {}".format(self.stdout_is))
-
-        if self.stderr_is != '':
-            if self.stderr_is != res.stdout.decode("utf-8"):
-                self.fail("Stdout was not exactly {}".format(self.stderr_is))
-
-        for pattern in self.stderr_contains:
-            match = re.search(pattern, res.stderr.decode("utf-8"), re.DOTALL)
-            if match is None:
-                self.fail(
-                    "Stderr of falco process did not contain content matching {}".format(pattern))
-
-        for pattern in self.stdout_contains:
-            match = re.search(pattern, res.stdout.decode("utf-8"), re.DOTALL)
-            if match is None:
-                self.fail("Stdout of falco process '{}' did not contain content matching {}".format(
-                    res.stdout.decode("utf-8"), pattern))
-
-        for pattern in self.stderr_not_contains:
-            match = re.search(pattern, res.stderr.decode("utf-8"))
-            if match is not None:
-                self.fail(
-                    "Stderr of falco process contained content matching {} when it should have not".format(pattern))
-
-        for pattern in self.stdout_not_contains:
-            match = re.search(pattern, res.stdout.decode("utf-8"))
-            if match is not None:
-                self.fail("Stdout of falco process '{}' did contain content matching {} when it should have not".format(
-                    res.stdout.decode("utf-8"), pattern))
-
-        if res.exit_status != self.exit_status:
-            self.error("Falco command \"{}\" exited with unexpected return value {} (!= {})".format(
-                cmd, res.exit_status, self.exit_status))
-
-        self.check_validate_ok(res)
-        self.check_validate_errors(res)
-        self.check_validate_warnings(res)
-
-        # No need to check any outputs if the falco process exited abnormally.
-        if res.exit_status != 0:
-            return
-
-        if len(self.rules_events) > 0:
-            self.check_rules_events(res)
-        if len(self.validate_rules_file) == 0 and self.check_detection_counts:
-            self.check_detections(res)
-        if len(self.detect_counts) > 0:
-            self.check_detections_by_rule(res)
-        if not self.validate_rules_file:
-            self.check_json_event_output(res)
-        self.check_outputs()
-        self.check_output_strictly_contains(res)
-        self.check_grpc()
-        pass
-
-
-if __name__ == "__main__":
-    main()
--- a/test/falco_tests.yaml
+++ b/test/falco_tests.yaml
--- a/test/falco_tests_exceptions.yaml
+++ b/test/falco_tests_exceptions.yaml
@@ -1,270 +0,0 @@
-#
-# Copyright (C) 2016-2020 The Falco Authors..
-#
-# This file is part of falco.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-trace_files: !mux
-
-  rule_exception_no_fields:
-    exit_status: 1
-    validate_errors:
-      - item_type: exception
-        item_name: ex1
-        code: LOAD_ERR_YAML_VALIDATE
-        message: "Item has no mapping for key 'fields'"
-    validate_rules_file:
-      - rules/exceptions/item_no_fields.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_no_name:
-    exit_status: 1
-    validate_errors:
-      - item_type: exception
-        item_name: ""
-        code: LOAD_ERR_YAML_VALIDATE
-        message: "Item has no mapping for key 'name'"
-    validate_rules_file:
-      - rules/exceptions/item_no_name.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_append_no_name:
-    exit_status: 1
-    validate_errors:
-      - item_type: exception
-        item_name: ""
-        code: LOAD_ERR_YAML_VALIDATE
-        message: "Item has no mapping for key 'name'"
-    validate_rules_file:
-      - rules/exceptions/append_item_no_name.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_unknown_fields:
-    exit_status: 1
-    validate_errors:
-      - item_type: exception
-        item_name: ex1
-        code: LOAD_ERR_VALIDATE
-        message: "'not.exist' is not a supported filter field"
-    validate_rules_file:
-      - rules/exceptions/item_unknown_fields.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_comps_fields_len_mismatch:
-    exit_status: 1
-    validate_errors:
-      - item_type: exception
-        item_name: ex1
-        code: LOAD_ERR_VALIDATE
-        message: "Fields and comps lists must have equal length"
-    validate_rules_file:
-      - rules/exceptions/item_comps_fields_len_mismatch.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_unknown_comp:
-    exit_status: 1
-    validate_errors:
-      - item_type: exception
-        item_name: ex1
-        code: LOAD_ERR_VALIDATE
-        message: "'no-comp' is not a supported comparison operator"
-    validate_rules_file:
-      - rules/exceptions/item_unknown_comp.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_fields_values_len_mismatch:
-    exit_status: 1
-    validate_errors:
-      - item_type: exception
-        item_name: ex1
-        code: LOAD_ERR_VALIDATE
-        message: "Fields and values lists must have equal length"
-    validate_rules_file:
-      - rules/exceptions/item_fields_values_len_mismatch.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_append_fields_values_len_mismatch:
-    exit_status: 1
-    validate_errors:
-      - item_type: exception
-        item_name: ex1
-        code: LOAD_ERR_VALIDATE
-        message: "Fields and values lists must have equal length"
-    validate_rules_file:
-      - rules/exceptions/append_item_fields_values_len_mismatch.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_append_item_not_in_rule:
-    exit_status: 1
-    validate_errors:
-      - item_type: exception
-        item_name: ex2
-        code: LOAD_ERR_VALIDATE
-        message: "Rule exception must have fields property with a list of fields"
-    validate_rules_file:
-      - rules/exceptions/append_item_not_in_rule.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_no_values:
-    detect: True
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_no_values.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_one_value:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_one_value.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_append_one_value:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_append_one_value.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_second_value:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_second_value.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_append_second_value:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_append_second_value.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_second_item:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_second_item.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_append_second_item:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_append_second_item.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_third_item:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_third_item.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_append_third_item:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_append_third_item.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_quoted:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_quoted.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_append_multiple_values:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_append_multiple.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_comp:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_comp.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_append_comp:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_append_comp.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_values_listref:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_values_listref.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_values_listref_noparens:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_values_listref_noparens.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_values_list:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_values_list.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_single_field:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_single_field.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_single_field_append:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_single_field_append.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_new_single_field_append:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_new_single_field_append.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_new_second_field_append:
-    detect: False
-    detect_level: WARNING
-    rules_file:
-      - rules/exceptions/rule_exception_new_second_field_append.yaml
-    trace_file: trace_files/cat_write.scap
-
-  rule_exception_new_append_no_field:
-    exit_status: 1
-    validate_errors:
-      - item_type: exception
-        item_name: proc_cmdline
-        code: LOAD_ERR_VALIDATE
-        message: "Rule exception must have fields property with a list of fields"
-    validate_rules_file:
-      - rules/exceptions/rule_exception_new_no_field_append.yaml
-    trace_file: trace_files/cat_write.scap
-
--- a/test/falco_tests_package.yaml
+++ b/test/falco_tests_package.yaml
@@ -1,41 +0,0 @@
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-trace_files: !mux
-
-  docker_deb_package:
-    package: docker:falcosecurity/falco:test-deb
-    detect: True
-    detect_level: WARNING
-    rules_file: /rules/rule_names_with_spaces.yaml
-    trace_file: /traces/cat_write.scap
-    conf_file: /etc/falco/falco.yaml
-
-  docker_rpm_package:
-    package: docker:falcosecurity/falco:test-rpm
-    detect: True
-    detect_level: WARNING
-    rules_file: /rules/rule_names_with_spaces.yaml
-    trace_file: /traces/cat_write.scap
-    conf_file: /etc/falco/falco.yaml
-
-  docker_bin_package:
-    package: docker:falcosecurity/falco:test-tar.gz
-    detect: True
-    detect_level: WARNING
-    rules_file: /rules/rule_names_with_spaces.yaml
-    trace_file: /traces/cat_write.scap
-    conf_file: /etc/falco/falco.yaml
--- a/Show More
+++ b/Show More