Don't create rulesets a second time when loading rules

Currently, m_sources.ruleset is created twice:

1. When calling add_source()
2. When calling load_rules()

We shouldn't do this twice, so remove the second create.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

README.md

@@ -5,12 +5,8 @@
 
 [![Build Status](https://img.shields.io/circleci/build/github/falcosecurity/falco/master?style=for-the-badge)](https://circleci.com/gh/falcosecurity/falco) [![CII Best Practices Summary](https://img.shields.io/cii/summary/2317?label=CCI%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) [![GitHub](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING) [![Latest](https://img.shields.io/github/v/release/falcosecurity/falco?style=for-the-badge)](https://github.com/falcosecurity/falco/releases/latest) ![Architectures](https://img.shields.io/badge/ARCHS-x86__64%7Caarch64-blueviolet?style=for-the-badge)
 
-Want to talk? Join us on the [#falco](https://kubernetes.slack.com/messages/falco) channel in the [Kubernetes Slack](https://slack.k8s.io).
-
 ## Latest releases
 
-Read the [change log](CHANGELOG.md).
-
 <!-- 
 Badges in the following table are constructed by using the
 https://img.shields.io/badge/dynamic/xml endpoint.
@@ -49,116 +45,90 @@ Notes:
 
 -->
 
-|              | development                                                                                                                                                                                                                                                                                                                                                                                                                                                                | stable                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
-|--------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| rpm-x86_64          | [![rpm-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm-dev%2Ffalco-%26delimiter=aarch64)][1]          | [![rpm](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm%2Ffalco-%26delimiter=aarch64)][2]          |
-| deb-x86_64          | [![deb-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb-dev%2Fstable%2Ffalco-%26delimiter=aarch64)][3] | [![deb](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb%2Fstable%2Ffalco-%26delimiter=aarch64)][4] |
-| binary-x86_64       | [![bin-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin-dev%2Fx86_64%2Ffalco-)][5]                                                     | [![bin](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin%2Fx86_64%2Ffalco-)][6]                                                     |
-| rpm-aarch64    | [![rpm-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm-dev%2Ffalco-%26delimiter=x86_64)][1]           | [![rpm](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm%2Ffalco-%26delimiter=x86_64)][2]           |
-| deb-aarch64    | [![deb-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb-dev%2Fstable%2Ffalco-%26delimiter=x86_64)][3]  | [![deb](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb%2Fstable%2Ffalco-%26delimiter=x86_64)][4]  |
-| binary-aarch64 | [![bin-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin-dev%2Faarch64%2Ffalco-)][7]                                                    | [![bin](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin%2Faarch64%2Ffalco-)][8]                                                    |
+|              | stable                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
+|--------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| rpm-x86_64          | [![rpm](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm%2Ffalco-%26delimiter=aarch64)][2]          |
+| deb-x86_64          | [![deb](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb%2Fstable%2Ffalco-%26delimiter=aarch64)][4] |
+| binary-x86_64       | [![bin](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin%2Fx86_64%2Ffalco-)][6]                                                     |
+| rpm-aarch64    | [![rpm](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm%2Ffalco-%26delimiter=x86_64)][2]           |
+| deb-aarch64    | [![deb](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb%2Fstable%2Ffalco-%26delimiter=x86_64)][4]  |
+| binary-aarch64 | [![bin](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin%2Faarch64%2Ffalco-)][8]                                                    |
 
----
+For comprehensive information on the latest updates and changes to the project, please refer to the [change log](CHANGELOG.md). Additionally, we have documented the [release process](RELEASE.md) for delivering new versions of Falco.
 
-The Falco Project, originally created by [Sysdig](https://sysdig.com), is an incubating [CNCF](https://cncf.io) open source cloud native runtime security tool.
-Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack. 
-Falco can also be extended to other data sources by using plugins.
-Falco has a rich set of security rules specifically built for Kubernetes, Linux, and cloud-native.
-If a rule is violated in a system, Falco will send an alert notifying the user of the violation and its severity.
+## Introduction to Falco
 
-## What can Falco detect?
+[Falco](https://falco.org/), originally created by [Sysdig](https://sysdig.com), is an incubating project under the [CNCF](https://cncf.io).
 
-Falco can detect and alert on any behavior that involves making Linux system calls.
-Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process.
-For example, Falco can easily detect incidents including but not limited to:
+Falco is a cloud native runtime security tool for Linux operating systems. It is designed to detect and alert on abnormal behavior and potential security threats in real-time.
 
-- A shell is running inside a container or pod in Kubernetes.
-- A container is running in privileged mode, or is mounting a sensitive path, such as `/proc`, from the host.
-- A server process is spawning a child process of an unexpected type.
-- Unexpected read of a sensitive file, such as `/etc/shadow`.
-- A non-device file is written to `/dev`.
-- A standard system binary, such as `ls`, is making an outbound network connection.
-- A privileged pod is started in a Kubernetes cluster.
+At its core, Falco is a kernel event monitoring and detection agent that captures events, such as syscalls, based on custom rules. Falco can enhance these events by integrating metadata from the container runtime and Kubernetes. The collected events can be analyzed off-host in SIEM or data lake systems.
 
-The official Falco rules are maintained and released in [falcosecurity/rules](https://github.com/falcosecurity/rules/). That repository also contains the Falco rules inventory [document](https://github.com/falcosecurity/rules/blob/main/rules_inventory/rules_overview.md), which provides additional details around the default rules Falco ships with.
-
-## Installing Falco
-
-If you would like to run Falco in **production** please adhere to the [official installation guide](https://falco.org/docs/getting-started/installation/).
-
-### Kubernetes
-
-| Tool     | Link                                                                                       | Note                                                               |
-|----------|--------------------------------------------------------------------------------------------|--------------------------------------------------------------------|
-| Helm     | [Chart Repository](https://github.com/falcosecurity/charts/tree/master/falco#introduction) | The Falco community offers regular helm chart releases.            |
-| Minikube | [Tutorial](https://falco.org/docs/getting-started/third-party/#minikube)                                   | The Falco driver has been baked into minikube for easy deployment. |
-| Kind     | [Tutorial](https://falco.org/docs/getting-started/third-party/#kind)                                       | Running Falco with kind requires a driver on the host system.      |
-| GKE      | [Tutorial](https://falco.org/docs/getting-started/third-party/#gke)                                        | We suggest using the eBPF driver for running Falco on GKE.         |
-
-## Developing
-
-Falco is designed to be extensible such that it can be built into cloud-native applications and infrastructure.
-
-Falco has a [gRPC](https://falco.org/docs/grpc/) endpoint and an API defined in [protobuf](https://github.com/falcosecurity/falco/blob/master/userspace/falco/outputs.proto).
-The Falco Project supports various SDKs for this endpoint.
-
-### SDKs
-
-| Language | Repository                                              |
-|----------|---------------------------------------------------------|
-| Go       | [client-go](https://github.com/falcosecurity/client-go) |
-
-## Plugins
-
-Falco comes with a [plugin framework](https://falco.org/docs/plugins/) that extends it to potentially any cloud detection scenario. Plugins are shared libraries that conform to a documented API and allow for:
-
-- Adding new event sources that can be used in rules;
-- Adding the ability to define new fields and extract information from events.
-
-The Falco Project maintains [various plugins](https://github.com/falcosecurity/plugins) and provides SDKs for plugin development.
+For detailed technical information and insights into the cyber threats that Falco can detect, visit the official [Falco](https://falco.org/) website.
 
 
-### SDKs
+## Falco Repo: Powering the Core of The Falco Project
 
-| Language | Repository                                                                    |
-|----------|-------------------------------------------------------------------------------|
-| Go       | [falcosecurity/plugin-sdk-go](https://github.com/falcosecurity/plugin-sdk-go) |
+This is the main Falco repository which contains the source code for building the Falco binary. By utilizing its [libraries](https://github.com/falcosecurity/libs) and the [falco.yaml](falco.yaml) configuration file, this repository forms the foundation of Falco's functionality. The Falco repository is closely interconnected with the following *core* repositories:
+
+- [falcosecurity/libs](https://github.com/falcosecurity/libs): Falco's libraries are key to its fundamental operations, making up the greater portion of the source code of the Falco binary and providing essential features such as kernel drivers.
+- [falcosecurity/rules](https://github.com/falcosecurity/rules): Contains the official ruleset for Falco, providing pre-defined detection rules for various security threats and abnormal behaviors.
+- [falcosecurity/plugins](https://github.com/falcosecurity/plugins/): Falco plugins facilitate integration with external services, expand Falco's capabilities beyond syscalls and container events, and are designed to evolve with specialized functionality in future releases.
+- [falcosecurity/falcoctl](https://github.com/falcosecurity/falcoctl): Command-line utility for managing and interacting with Falco.
+
+For more information, visit the official hub of The Falco Project: [falcosecurity/evolution](https://github.com/falcosecurity/evolution). It provides valuable insights and information about the project's repositories.
+
+## Getting Started with Falco
+
+Carefully review and follow the [official guide and documentation](https://falco.org/docs/getting-started/).
+
+Considerations and guidance for Falco adopters:
+
+1. Understand dependencies: Assess the environment where you'll run Falco and consider kernel versions and architectures.
+
+2. Define threat detection objectives: Clearly identify the threats you want to detect and evaluate Falco's strengths and limitations.
+
+3. Consider performance and cost: Assess compute performance overhead and align with system administrators or SREs. Budget accordingly.
+
+4. Choose build and customization approach: Decide between the open source Falco build or creating a custom build pipeline. Customize the build and deployment process as necessary, including incorporating unique tests or approaches, to ensure a resilient deployment with fast deployment cycles.
+
+5. Integrate with output destinations: Integrate Falco with SIEM, data lake systems, or other preferred output destinations to establish a robust foundation for comprehensive data analysis and enable effective incident response workflows.
 
 
-## Documentation
+## How to Contribute
+
+Please refer to the [contributing guide](https://github.com/falcosecurity/.github/blob/main/CONTRIBUTING.md) and the [code of conduct](https://github.com/falcosecurity/evolution/CODE_OF_CONDUCT.md) for more information on how to contribute.
 
-The [Official Documentation](https://falco.org/docs/) is the best resource to learn about Falco.
 
 ## Join the Community
 
-To get involved with The Falco Project please visit [the community repository](https://github.com/falcosecurity/community) to find more.
+To get involved with the Falco Project please visit the [community repository](https://github.com/falcosecurity/community) to find more information and ways to get involved.
+
+If you have any questions about Falco or contributing, do not hesitate to file an issue or contact the Falco maintainers and community members for assistance.
 
 How to reach out?
 
- - Join the [#falco](https://kubernetes.slack.com/messages/falco) channel on the [Kubernetes Slack](https://slack.k8s.io)
- - [Join the Falco mailing list](https://lists.cncf.io/g/cncf-falco-dev)
- - [Read the Falco documentation](https://falco.org/docs/)
+ - Join the [#falco](https://kubernetes.slack.com/messages/falco) channel on the [Kubernetes Slack](https://slack.k8s.io).
+ - Join the [Falco mailing list](https://lists.cncf.io/g/cncf-falco-dev).
+ - File an [issue](https://github.com/falcosecurity/falco/issues) or make feature requests.
 
-## How to contribute
+## Commitment to Falco's Own Security
 
-See the [contributing guide](https://github.com/falcosecurity/.github/blob/main/CONTRIBUTING.md) and the [code of conduct](https://github.com/falcosecurity/evolution/CODE_OF_CONDUCT.md).
- 
-## Security Audit
+Full reports of various security audits can be found [here](./audits/).
 
-A third party security audit was performed by Cure53, you can see the full report [here](./audits/SECURITY_AUDIT_2019_07.pdf).
+In addition, you can refer to the [falco security](https://github.com/falcosecurity/falco/security) and [libs security](https://github.com/falcosecurity/libs/security) sections for detailed updates on security advisories and policies.
 
-## Reporting security vulnerabilities
+To report security vulnerabilities, please follow the community process outlined in the documentation found [here](https://github.com/falcosecurity/.github/blob/main/SECURITY.md).
+
+## What's next for Falco?
+
+Stay updated with Falco's evolving capabilities by exploring the [Falco Roadmap](https://github.com/orgs/falcosecurity/projects/5), which provides insights into the features currently under development and planned for future releases.
 
-Please report security vulnerabilities following the community process documented [here](https://github.com/falcosecurity/.github/blob/main/SECURITY.md).
 
 ## License
 
 Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
 
-## Project Evolution
-
-The [falcosecurity/evolution](https://github.com/falcosecurity/evolution) repository is the official space for the community to work together, discuss ideas, and document processes. It is also a place to make decisions. Check it out to find more helpful resources.
-
 ## Resources
 
  - [Governance](https://github.com/falcosecurity/evolution/blob/main/GOVERNANCE.md)

RELEASE.md

@@ -5,18 +5,22 @@
 
 This document provides the process to create a new Falco release. In addition, it provides information about the versioning of the Falco components. At a high level each Falco release consists of the following main components:
 
-- Falco binary (userspace)
-- Falco kernel driver object files (kernel space)
+- Falco binary (userspace), includes `modern_bpf` driver object code (kernel space) starting with Falco 0.34.x releases
+- Falco kernel driver object files, separate artifacts for `kmod` and `bpf` drivers, not applicable for `modern_bpf` driver (kernel space)
     - Option 1: Kernel module (`.ko` files)
     - Option 2: eBPF (`.o` files)
-- Falco config and primary rules `.yaml` files (userspace)
+- Falco config and rules `.yaml` files (userspace)
 - Falco plugins (userspace - optional)
 
-One nice trait about releasing separate artifacts for userspace and kernel space is that Falco is amenable to supporting a large array of environments, that is, multiple kernel versions, distros and architectures (see `libs` [driver - kernel version support matrix](https://github.com/falcosecurity/libs#drivers-officially-supported-architectures)). The Falco project manages the release of both the Falco userspace binary and pre-compiled Falco kernel drivers for the most popular kernel versions and distros. The build and publish process is managed by the [test-infra](https://github.com/falcosecurity/test-infra) repo. The Falco userspace executable includes bundled dependencies, so that it can be run from anywhere.
+> Note: Starting with Falco 0.34.x releases, the Falco userspace binary includes the `modern_bpf` driver object code during the linking process. This integration is made possible by the CO-RE (Compile Once - Run Everywhere) feature of the modern BPF driver. CO-RE allows the driver to function on kernels that have backported BTF (BPF Type Format) support or have a kernel version >= 5.8. For the older `kmod` and `bpf` drivers, separate artifacts are released for the kernel space. This is because these drivers need to be explicitly compiled for the specific kernel release, using the exact kernel headers. This approach ensures that Falco can support a wide range of environments, including multiple kernel versions, distributions, and architectures.  (see `libs` [driver - kernel version support matrix](https://github.com/falcosecurity/libs#drivers-officially-supported-architectures)).
 
-The Falco project also publishes all sources for each component. In fact, sources are included in the Falco release in the same way as some plugins (k8saudit and cloudtrail) as well as the rules that are shipped together with Falco. This empowers the end user to audit the integrity of the project as well as build kernel drivers for custom kernels or not officially supported kernels / distros (see [driverkit](https://github.com/falcosecurity/driverkit) for more information). While the Falco project is deeply embedded into an ecosystem of supporting [Falco sub-projects](https://github.com/falcosecurity/evolution) that aim to make the deployment of Falco easy, user-friendly, extendible and cloud-native, core Falco is split across two repos, [falco](https://github.com/falcosecurity/falco) (this repo) and [libs](https://github.com/falcosecurity/libs). The `libs` repo contains >90% of Falco's core features and is the home of each of the kernel drivers and engines. More details are provided in the [Falco Components Versioning](#falco-components-versioning) section.
+The Falco Project manages the release of both the Falco userspace binary and pre-compiled Falco kernel drivers for the most popular kernel versions and distros. The build and publish process is managed by the [test-infra](https://github.com/falcosecurity/test-infra) repo.
 
-Finally, the release process follows a transparent process described in more detail in the following sections and the official [Falco docs](https://falco.org/) contain rich information around building, installing and using Falco.
+The Falco userspace executable includes bundled dependencies, so that it can be run from anywhere.
+
+Falco publishes all sources, enabling users to audit the project's integrity and build kernel drivers for custom or unsupported kernels/distributions, specifically for non-modern BPF drivers (see [driverkit](https://github.com/falcosecurity/driverkit) for more information).
+
+Finally, the release process follows a transparent process described in more detail in the following sections and the official [Falco guide and documentation](https://falco.org/) provide rich information around building, installing and using Falco.
 
 
 ### Falco Binaries, Rules and Sources Artifacts - Quick Links
@@ -42,8 +46,9 @@ Alternatively Falco binaries or plugins can be downloaded from the Falco Artifac
 
 ### Falco Drivers Artifacts Repo - Quick Links
 
+> Note: This section specifically applies to non-modern BPF drivers.
 
-The Falco project publishes all drivers for each release for all popular kernel versions / distros and `x86_64` and `aarch64` architectures to the Falco project managed Artifacts repo. The Artifacts repo follows standard directory level conventions. The respective driver object file is prefixed by distro and named / versioned by kernel release - `$(uname -r)`. Pre-compiled drivers are released with a [best effort](https://github.com/falcosecurity/falco/blob/master/proposals/20200818-artifacts-storage.md#notice) notice. This is because gcc (`kmod`) and clang (`bpf`) compilers or for example the eBPF verifier are not perfect. More details around driver versioning and driver compatibility are provided in the [Falco Components Versioning](#falco-components-versioning) section. Short preview: If you use the standard Falco setup leveraging driver-loader, [driver-loader script](https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader) will fetch the kernel space artifact (object file) corresponding to the default `DRIVER_VERSION` Falco was shipped with.
+The Falco Project publishes all drivers for each release for popular kernel versions / distros and `x86_64` and `aarch64` architectures to the Falco project's managed Artifacts repo. The Artifacts repo follows standard directory level conventions. The respective driver object file is prefixed by distro and named / versioned by kernel release - `$(uname -r)`. Pre-compiled drivers are released with a [best effort](https://github.com/falcosecurity/falco/blob/master/proposals/20200818-artifacts-storage.md#notice) notice. This is because gcc (`kmod`) and clang (`bpf`) compilers sometimes fail to build the artifacts for a specific kernel version. More details around driver versioning and driver compatibility are provided in the [Falco Components Versioning](#falco-components-versioning) section. Short preview: If you use the standard Falco setup leveraging driver-loader, [driver-loader script](https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader) will fetch the kernel space artifact (object file) corresponding to the default `DRIVER_VERSION` Falco was shipped with.
 
 - [Falco Artifacts Repo Drivers Root](https://download.falco.org/?prefix=driver/)
     - Option 1: Kernel module (`.ko` files) - all under same driver version directory
@@ -52,16 +57,16 @@ The Falco project publishes all drivers for each release for all popular kernel
 
 ### Timeline
 
-Falco releases are due to happen 3 times per year. Our current schedule sees a new release by the end of January, May, and September each year. Hotfix releases can happen whenever it's needed.
+Falco follows a release schedule of three times per year, with releases expected at the end of January, May, and September. Hotfix releases are issued as needed.
 
-Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released.
+Changes and new features are organized into [milestones](https://github.com/falcosecurity/falco/milestones). The milestone corresponding to the next version represents the content that will be included in the upcoming release.
 
 
 ### Procedures
 
-The release process is mostly automated requiring only a few manual steps to initiate and complete it.
+The release process is mostly automated, requiring only a few manual steps to initiate and complete.
 
-Moreover, we need to assign owners for each release (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community).
+Moreover, we assign owners for each release (typically pairing a new person with an experienced one). Assignees and due dates for releases are proposed during the [weekly community call](https://github.com/falcosecurity/community).
 
 At a high level each Falco release needs to follow a pre-determined sequencing of releases and build order:
 
@@ -69,11 +74,13 @@ At a high level each Falco release needs to follow a pre-determined sequencing o
 - [4] Falco driver pre-compiled object files push to Falco's Artifacts repo
 - [5] Falco userspace binary release
 
-Finally, on the proposed due date the assignees for the upcoming release proceed with the processes described below.  
+Assignees are responsible for creating a Falco GitHub issue to track the release tasks and monitor the progress of the release. This issue serves as a central point for communication and provides updates on the release dates. You can refer to the [Falco v0.35 release](https://github.com/falcosecurity/falco/issues/2554) or [Libs Release (0.11.0+5.0.1+driver)](https://github.com/falcosecurity/libs/issues/1092) issues as examples/templates for creating the release issue.
+
+Finally, on the proposed due date, the assignees for the upcoming release proceed with the processes described below.  
 
 ## Pre-Release Checklist
 
-Prior to cutting a release the following preparatory steps should take 5 minutes using the GitHub UI.
+Before proceeding with the release, make sure to complete the following preparatory steps, which can be easily done using the GitHub UI:
 
 ### 1. Release notes
 - Find the previous release date (`YYYY-MM-DD`) by looking at the [Falco releases](https://github.com/falcosecurity/falco/releases)
@@ -205,13 +212,13 @@ Announce the new release to the world!
 
 ## Falco Components Versioning
 
-This section provides more details around the versioning of all components that make up core Falco. It can also be a useful guide for the uninitiated to be more informed about Falco's source. Because the `libs` repo contains >90% of Falco's core features and is the home of each of the kernel drivers and engines, the [libs release doc](https://github.com/falcosecurity/libs/blob/master/release.md) is an excellent additional resource. In addition, the [plugins release doc](https://github.com/falcosecurity/plugins/blob/master/release.md) provides similar details around Falco's plugins. `SHA256` checksums are provided throughout Falco's source code to empower the end user to perform integrity checks. All Falco releases also contain the sources as part of the packages.
+This section provides more details around the versioning of the components that make up Falco's core. It can also be a useful guide for the uninitiated to be more informed about Falco's source. Because `libs` makes up the greater portion of the source code of the Falco binary and is the home of each of the kernel drivers and engines, the [libs release doc](https://github.com/falcosecurity/libs/blob/master/release.md) is an excellent additional resource. In addition, the [plugins release doc](https://github.com/falcosecurity/plugins/blob/master/release.md) provides similar details around Falco's plugins. `SHA256` checksums are provided throughout Falco's source code to empower the end user to perform integrity checks. All Falco releases also contain the sources as part of the packages.
 
 
 ### Falco repo (this repo)
 - Falco version is a git tag (`x.y.z`), see [Procedures](#procedures) section. Note that the Falco version is a sem-ver-like schema, but not fully compatible with sem-ver.
-- [FALCO_ENGINE_VERSION](https://github.com/falcosecurity/falco/blob/master/userspace/engine/falco_engine_version.h) is not sem-ver and must be bumped either when a backward incompatible change has been introduced to the rules files syntax or `falco --list -N | sha256sum` has changed. Breaking changes introduced in the Falco engine are not necessarily tied to the drivers or libs versions. The primary idea behind the hash is that when new filter / display fields (see currently supported [Falco fields](https://falco.org/docs/rules/supported-fields/)) are introduced a version bump indicates that this field was not available in previous engine versions. See the [rules release guidelines](https://github.com/falcosecurity/rules/blob/main/RELEASE.md#versioning-a-ruleset) to understand how this affects the versioning of Falco rules.
-- During development and release preparation, libs and driver reference commits are often bumped in Falco's cmake setup ([falcosecurity-libs cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/falcosecurity-libs.cmake#L30) and [driver cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/driver.cmake#L29)) in order to merge new Falco features. In practice they are mostly bumped at the same time referencing the same `libs` commit. However, for the official Falco build `FALCOSECURITY_LIBS_VERSION` flag that references the stable Libs version is used (read below).
+- [FALCO_ENGINE_VERSION](https://github.com/falcosecurity/falco/blob/master/userspace/engine/falco_engine_version.h) is not sem-ver and must be bumped either when a backward incompatible change has been introduced to the rules files syntax and/or `FALCO_FIELDS_CHECKSUM` computed via `falco --list -N | sha256sum` has changed. The primary idea is that when new filter / display fields (see currently supported [Falco fields](https://falco.org/docs/rules/supported-fields/)) are introduced, a version change indicates that these fields were not available in previous engine versions. See the [rules release guidelines](https://github.com/falcosecurity/rules/blob/main/RELEASE.md#versioning-a-ruleset) to understand how this affects the versioning of Falco rules. Breaking changes introduced in the Falco engine are not necessarily tied to the drivers or libs versions. Lastly, `FALCO_ENGINE_VERSION` is typically incremented once during a Falco release cycle, while `FALCO_FIELDS_CHECKSUM` is bumped whenever necessary during the development and testing phases of the release cycle.
+- During development and release preparation, libs and driver reference commits are often bumped in Falco's cmake setup ([falcosecurity-libs cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/falcosecurity-libs.cmake#L30) and [driver cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/driver.cmake#L29)) in order to merge new Falco features. In practice, they are mostly bumped at the same time referencing the same `libs` commit. However, for the official Falco build `FALCOSECURITY_LIBS_VERSION` flag that references the stable libs version is used (read below).
 - Similarly, Falco plugins versions are bumped in Falco's cmake setup ([plugins cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/plugins.cmake)) and those versions are the ones used for the Falco release.
 - At release time Plugin, Libs and Driver versions are compatible with Falco.
 - If you use the standard Falco setup leveraging driver-loader, [driver-loader script](https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader) will fetch the kernel space artifact (object file) corresponding to the default `DRIVER_VERSION` Falco was shipped with (read more below under Libs).
@@ -231,7 +238,7 @@ Driver:
 
 ### Libs repo
 - Libs version is a git tag (`x.y.z`) and when building Falco the libs version is set via the `FALCOSECURITY_LIBS_VERSION` flag (see above).
-- Driver version itself is not directly tied to the Falco binary as opposed to the libs version being part of the source code used to compile Falco's userspace binary. This is because of the strict separation between userspace and kernel space artifacts, so things become a bit more interesting here. This is why the concept of a `Default driver` has been introduced to still implicitly declare the compatible driver versions. For example, if the default driver version is `2.0.0+driver`, Falco works with all driver versions >= 2.0.0 and < 3.0.0. This is a consequence of how the driver version is constructed starting from the `Driver API version` and `Driver Schema version`. Driver API and Schema versions are explained in the respective [libs driver doc](https://github.com/falcosecurity/libs/blob/master/driver/README.VERSION.md) -> Falco's `driver-loader` will always fetch the default driver, therefore a Falco release is always "shipped" with the driver version corresponding to the default driver.
+- The driver version is not directly linked to the userspace components of the Falco binary. This is because of the clear separation between userspace and kernel space, which adds an additional layer of complexity. To address this, the concept of a `Default driver` has been introduced, allowing for implicit declaration of compatible driver versions. For example, if the default driver version is `5.0.1+driver`, Falco works with all driver versions >= 5.0.1 and < 6.0.0. This is a consequence of how the driver version is constructed starting from the `Driver API version` and `Driver Schema version`. Driver API and Schema versions are explained in the respective [libs driver doc](https://github.com/falcosecurity/libs/blob/master/driver/README.VERSION.md) -> Falco's `driver-loader` will always fetch the default driver, therefore a Falco release is always "shipped" with the driver version corresponding to the default driver.
 - See [libs release doc](https://github.com/falcosecurity/libs/blob/master/release.md) for more information.
 
 ### Plugins repo

cmake/modules/driver.cmake

@@ -26,8 +26,8 @@ else()
   # In case you want to test against another driver version (or branch, or commit) just pass the variable -
   # ie., `cmake -DDRIVER_VERSION=dev ..`
   if(NOT DRIVER_VERSION)
-    set(DRIVER_VERSION "5.0.0+driver")
-    set(DRIVER_CHECKSUM "SHA256=c988ca7ac7d174f62d1bfbaaca49efd117f7b329f474d1b46b643635b2e35083")
+    set(DRIVER_VERSION "5.0.1+driver")
+    set(DRIVER_CHECKSUM "SHA256=8b197b916b6419dac8fb41807aa05d822164c7bfd2c3eef66d20d060a05a485a")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

cmake/modules/falcoctl.cmake

@@ -15,14 +15,14 @@ include(ExternalProject)
 
 string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} FALCOCTL_SYSTEM_NAME)
 
-set(FALCOCTL_VERSION "0.4.0")
+set(FALCOCTL_VERSION "0.5.0")
 
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
     set(FALCOCTL_SYSTEM_PROC_GO "amd64")
-    set(FALCOCTL_HASH "13c88e612efe955bc014918a7af30bae28dc5ba99b2962af57e36b1b87f527f9")
+    set(FALCOCTL_HASH "ba82ee14ee72fe5737f1b5601e403d8a9422dfe2c467d1754eb488001eeea5f1")
 else() # aarch64
     set(FALCOCTL_SYSTEM_PROC_GO "arm64")
-    set(FALCOCTL_HASH "0f8898853e99a2cd1b4dd6b161e8545cf20ce0e3ce79cddc539f6002257d5de5")
+    set(FALCOCTL_HASH "be145ece641d439011cc4a512d0fd2dac5974cab7399f9a7cd43f08eb43dd446")
 endif()
 
 ExternalProject_Add(

cmake/modules/falcosecurity-libs.cmake

@@ -25,10 +25,10 @@ if(FALCOSECURITY_LIBS_SOURCE_DIR)
 else()
   # FALCOSECURITY_LIBS_VERSION accepts a git reference (branch name, commit hash, or tag) to the falcosecurity/libs repository.
   # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
-  # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..`
+  # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..` 
   if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "2e9e6346eefeddd0afce7b6a06cb42d4265615dd")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=d5f37545ddc456f1e1489800b856f9770d8a092f2bd5841893669a0b7eb5ed55")
+    set(FALCOSECURITY_LIBS_VERSION "0.11.0-rc5")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=079ab5f596a0d8af2a7f843e8159f83cb7c864331019aaed822daa737c75e9e7")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

cmake/modules/plugins.cmake

@@ -23,11 +23,11 @@ if(NOT DEFINED PLUGINS_COMPONENT_NAME)
 endif()
 
 # k8saudit
-set(PLUGIN_K8S_AUDIT_VERSION "0.5.3-0.5.3-27%2B7b07a4b")
+set(PLUGIN_K8S_AUDIT_VERSION "0.6.0-0.5.3-33%2B81ffddd")
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-    set(PLUGIN_K8S_AUDIT_HASH "22c15e5aa2c86cf2216cd767f8766047696e9ba637d63c5ae5e00893f0efad9c")
+    set(PLUGIN_K8S_AUDIT_HASH "990e5c67d3b3c7cf5d30c73d73871b58767171ce7c998c1ca1d94d70c67db290")
 else() # aarch64
-    set(PLUGIN_K8S_AUDIT_HASH "564f95031b973296fd7ccdda6c4a4f6820bb6da8106bcd48a549a7fca8c02540")
+    set(PLUGIN_K8S_AUDIT_HASH "c3634dfa83c8c8898811ab6b7587ea6d1c6dfffbdfa56def28cab43aaf01f88c")
 endif()
 
 ExternalProject_Add(
@@ -43,7 +43,7 @@ install(FILES "${PROJECT_BINARY_DIR}/k8saudit-plugin-prefix/src/k8saudit-plugin/
 ExternalProject_Add(
   k8saudit-rules
   URL "https://download.falco.org/plugins/${PLUGINS_DOWNLOAD_BUCKET}/k8saudit-rules-${PLUGIN_K8S_AUDIT_VERSION}.tar.gz"
-  URL_HASH "SHA256=d1add6c4dfe7e8aca85f536fd7577dd0d93662927ab604e6db6757e89b99f2b2"
+  URL_HASH "SHA256=2e3214fee00a012b32402aad5198df889773fc5f86b8ab87583fbc56ae5fb78c"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""
   INSTALL_COMMAND "")
@@ -51,11 +51,11 @@ ExternalProject_Add(
 install(FILES "${PROJECT_BINARY_DIR}/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
 
 # cloudtrail
-set(PLUGIN_CLOUDTRAIL_VERSION "0.7.3-0.7.3-27%2B7b07a4b")
+set(PLUGIN_CLOUDTRAIL_VERSION "0.8.0-0.7.3-33%2B81ffddd")
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-    set(PLUGIN_CLOUDTRAIL_HASH "856f5f5505c72776a188ba29633d81e5f21924b20c2cfb5a2da3f8f21410e248")
+    set(PLUGIN_CLOUDTRAIL_HASH "144c297ae4285ea84b04af272f708a8b824f58bc9427a2eb91b467a6285d9e10")
 else() # aarch64
-    set(PLUGIN_CLOUDTRAIL_HASH "935a96d68f182cec0f650186355bb245e36fdd884a596442992b55f066993fc1")
+    set(PLUGIN_CLOUDTRAIL_HASH "19e7e8e11aaecd16442f65a265d3cd80ffb736ca4d3d8215893900fa0f04b926")
 endif()
 
 ExternalProject_Add(
@@ -71,7 +71,7 @@ install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-plugin-prefix/src/cloudtrail-plu
 ExternalProject_Add(
   cloudtrail-rules
   URL "https://download.falco.org/plugins/${PLUGINS_DOWNLOAD_BUCKET}/cloudtrail-rules-${PLUGIN_CLOUDTRAIL_VERSION}.tar.gz"
-  URL_HASH "SHA256=4b92cb5f81be0734a87babbd48eb1dc15e1297168024072c3fd02ccee7550b73"
+  URL_HASH "SHA256=4f51d4bd9679f7f244c225b6fe530323f3536663da26a5b9d94d6953ed4e2cbc"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""
   INSTALL_COMMAND "")
@@ -79,11 +79,11 @@ ExternalProject_Add(
 install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-rules-prefix/src/cloudtrail-rules/aws_cloudtrail_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
 
 # json
-set(PLUGIN_JSON_VERSION "0.6.2-0.6.2-30%2B7b07a4b")
+set(PLUGIN_JSON_VERSION "0.7.0-0.6.2-36%2B81ffddd")
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-    set(PLUGIN_JSON_HASH "9d3ef271667d9662fd47672b59ccace800ae1cc4f6d4c6d34edc1d9e26a87179")
+    set(PLUGIN_JSON_HASH "a9d8c595a139df5dc0cf2117127b496c94a9d3a3d0e84c1f18b3ccc9163f5f4a")
 else() # aarch64
-    set(PLUGIN_JSON_HASH "113a632f4dd05ef7c4537fafdc0114fbe736a1da10b8225d8aa1679442157d5b")
+    set(PLUGIN_JSON_HASH "7d78620395526d1e6a948cc915d1d52a343c2b637c9ac0e3892e76826fcdc2df")
 endif()
 
 ExternalProject_Add(

docker/builder/Dockerfile

@@ -3,6 +3,7 @@ FROM centos:7
 LABEL name="falcosecurity/falco-builder"
 LABEL usage="docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder cmake"
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
 
 ARG BUILD_TYPE=release
 ARG BUILD_DRIVER=OFF

docker/builder/modern-falco-builder.Dockerfile

@@ -34,6 +34,8 @@ RUN make all -j${MAKE_JOBS}
 
 FROM scratch AS export-stage
 
+LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
+
 ARG DEST_BUILD_DIR="/build"
 
 COPY --from=build-stage /build/release/falco-*.tar.gz /packages/

docker/driver-loader/Dockerfile

@@ -2,6 +2,7 @@ ARG FALCO_IMAGE_TAG=latest
 FROM docker.io/falcosecurity/falco:${FALCO_IMAGE_TAG}
 
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
 
 LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --name NAME IMAGE"
 
@@ -10,4 +11,4 @@ ENV HOME /root
 
 COPY ./docker-entrypoint.sh /
 
-ENTRYPOINT ["/docker-entrypoint.sh"]
+ENTRYPOINT ["/docker-entrypoint.sh"]

docker/falco/Dockerfile

@@ -1,6 +1,7 @@
 FROM debian:buster
 
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
 
 LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc --name NAME IMAGE"
 

docker/local/Dockerfile

@@ -2,6 +2,7 @@ FROM debian:buster
 
 LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
 
 ARG TARGETARCH
 

docker/no-driver/Dockerfile

@@ -23,11 +23,13 @@ RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/
 FROM debian:11-slim
 
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
 
 LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
 # NOTE: for the "least privileged" use case, please refer to the official documentation
 
-RUN apt-get -y update && apt-get -y install ca-certificates
+RUN apt-get -y update && apt-get -y install ca-certificates curl jq \
+    && apt clean -y && rm -rf /var/lib/apt/lists/*
 
 ENV HOST_ROOT /host
 ENV HOME /root

docker/tester/Dockerfile

@@ -3,6 +3,7 @@ FROM fedora:31
 LABEL name="falcosecurity/falco-tester"
 LABEL usage="docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build --name <name> falcosecurity/falco-tester test"
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
 
 ARG TARGETARCH
 

docker/ubi/Dockerfile

@@ -15,6 +15,7 @@ LABEL "description"="Falco is a security policy engine that monitors system call
 LABEL "io.k8s.display-name"="Falco"
 LABEL "io.k8s.description"="Falco is a security policy engine that monitors system calls and cloud events, and fires alerts when security policies are violated."
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
 LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc --name NAME IMAGE"
 
 

proposals/20230511-roadmap-management.md

@@ -0,0 +1,100 @@
+# Falco Roadmap Management Proposal
+
+## Summary 
+
+This document proposes the introduction of a structured process for managing Falco's roadmap and implementing related changes in our development process. The goal is to ensure the efficient execution of our roadmap objectives.
+
+### Goals
+
+The pillars of this proposal are:
+
+- Define processes for release cycles and development iterations
+- Provide guidelines for planning and prioritizing efforts
+- Introduce regular meetings for core maintainers
+- Using *GitHub Project* as the primary tool for managing *The Falco Project* roadmap
+
+
+### Non-Goals
+
+- Providing an exact set of criteria for task prioritization
+- Detailing testing procedures
+- Providing detailed instructions for GitHub Project usage
+- Addressing hotfix releases
+
+### Scope of this Proposal
+
+Primarily, the roadmap targets the planning of Falco development and releases. However, given Falco's dependence on numerous components, it's inevitable that scheduling and planning activities span across multiple repositories. We anticipate that all [core repositories](https://github.com/falcosecurity/evolution#official) will be interconnected with the roadmap, making it comprehensive enough to incorporate items from all related [Falcosecurity repositories](https://github.com/falcosecurity) as necessary.
+
+This proposal does **not apply to hotfix releases** that may happen whenever needed at the maintainers' discretion.
+
+## Release Cycles and Development Iterations
+
+Falco releases happen 3 times per year. Each release cycle completes, respectively, by the end of January, May, and September.
+
+A **release cycle is a 16-week time frame** between two subsequent releases.
+
+Using this schema, in a 52-week calendar year, we allocate 48 weeks for scheduled activities (16 weeks *x* 3 releases), leaving 4 weeks for breaks.
+
+The 16-week release cycle is further divided into three distinct iterations:
+
+| Iteration Name | Duration | Description |
+|---------------|----------|-------------|
+| Development | 8 weeks | Development phase |
+| Stabilization | 4 weeks | Feature completion and bug fixing |
+| Release Preparation | 4 weeks | Release preparation, testing, bug fixing, no new feature |
+
+### Targeted Release Date
+
+The final week of the *Release Preparation* should conclude before the *last Monday of the release month* (ie. January/May/September). This *last Monday* is designated as the **targeted release date** (when the release is being published), and the remaining part of the week is considered a break period.
+
+### Milestones
+
+For each release, we create a [GitHub Milestone](https://github.com/falcosecurity/falco/milestones) (whose due date must be equal to the target release date). We use the milestone to collect all items to be tentatively completed within the release. 
+
+### Alignment of Falco Components
+
+The release schedule of the [components Falco depends on](https://github.com/falcosecurity/falco/blob/master/RELEASE.md#falco-components-versioning) needs to be synchronized to conform to these stipulations. For instance, a [falcosecurity/libs](https://github.com/falcosecurity/libs) release may be required at least one week prior to the termination of each iteration.
+
+The maintainers are responsible for adapting those components' release schedules and procedures to release cycles and development iterations of Falco. Furthermore, all release processes must be documented and provide clear expectations regarding release dates.
+
+## Project Roadmap
+
+We use the [GitHub Project called *Falco Roadmap*](https://github.com/orgs/falcosecurity/projects/5) to plan and track the progress of each release cycle. The GitHub Project needs to be configured with the above mentioned iterations and break periods, compiled with actual dates. It's recommended to preconfigure the GitHub Project to accommodate the current plus the following three release cycles.
+
+### Roadmap Planning
+
+The roadmap serves as a strategic planning tool that outlines the goals and objectives for Falco. Its purpose is to visually represent the overall direction and timeline, enhance transparency and engage the community.
+
+The onus is on the [Core Maintainers](https://github.com/falcosecurity/evolution/blob/main/GOVERNANCE.md#core-maintainers) to manage the roadmap. In this regard, Core Maintainers meet in **planning sessions on the first week of each calendar month**. 
+
+During these planning sessions, tasks are allocated to the current iteration or postponed to one of the following iterations. The assigned iteration indicates the projected completion date for a particular workstream.
+
+When a session matches with the commencement of an iteration, maintainers convene to assess the planning and prioritize tasks for the iteration. The first planning session of a release cycle must define top priorities for the related release.
+
+## Testing and Quality Assurance (QA)
+
+Each iteration's output must include at least one Falco pre-release (or a viable development build) designated for testing and QA activities. While it's acceptable for these builds to contain unfinished features or known bugs, they must enable any community member to contribute to the testing and QA efforts.
+
+The targeted schedule for these Testing/QA activities should be the **last week of each iteration** (or earlier during the *Release Preparation*).
+
+Testing and Quality Assurance criteria and procedures must be defined and documented across relevant repositories.
+
+Furthermore, given the strong reliance of Falco on [falcosecurity/libs](https://github.com/falcosecurity/libs), the above-mentioned pre-release/build for Testing/QA purposes must be based on the most recent *libs* development for the intended iteration. This means that during each interaction, a *libs* release (either pre or stable) must happen early enough to be used for this purpose.
+
+## Next Steps and Conclusions
+
+The Falco 0.36 release cycle, running from June to September 2023, will mark the initiation of the new process. This cycle will also serve as an experimental phase for refining the process.
+
+Furthermore, as soon as possible, we will kick off a Working Group specifically to ensure smooth execution. This group will involve community members in assisting maintainers with roadmap management. It will provide curated feature suggestions for the roadmap, informed by community needs. This approach would facilitate the core maintainers' decisions, as they would mostly need just to review and adopt these pre-vetted recommendations, enhancing efficiency.
+
+The Working Group's responsibilities will include (non-exhaustive list):
+
+- Address input from the [2023-04-27 Core Maintainers meeting](https://github.com/falcosecurity/community/blob/main/meeting-notes/2023-04-27-Falco-Roadmap-Discussion.md)
+- Sorting and reviewing pending issues to identify key topics for discussion and potential inclusion in the roadmap
+- Establishing protocols not explicitly covered in this document
+- Updating the documentation accordingly
+- Supporting Core Maintainers in managing the [Falco Roadmap GitHub project](https://github.com/orgs/falcosecurity/projects/5)
+- Gathering suggestions from all involved stakeholders to put forward potential enhancements
+
+Finally, we anticipate the need for minor adjustments, which will become apparent only after an initial period of experimentation. Thus we have to intend this process to be flexible enough to adapt to emerging needs and improvements as long as the fundamental spirit of this proposal is upheld.
+

unit_tests/falco/app/actions/app_action_helpers.h

@@ -0,0 +1,7 @@
+#pragma once
+#include <gtest/gtest.h>
+#include <falco/app/state.h>
+#include <falco/app/actions/actions.h>
+
+#define EXPECT_ACTION_OK(r)     { EXPECT_TRUE(r.success); EXPECT_TRUE(r.proceed); EXPECT_EQ(r.errstr, ""); }
+#define EXPECT_ACTION_FAIL(r)   { EXPECT_FALSE(r.success); EXPECT_FALSE(r.proceed); EXPECT_NE(r.errstr, ""); }

unit_tests/falco/app/actions/test_configure_interesting_sets.cpp

@@ -18,10 +18,7 @@ limitations under the License.
 #include <falco_engine.h>
 
 #include <falco/app/app.h>
-#include <falco/app/state.h>
-#include <falco/app/actions/actions.h>
-
-#include <gtest/gtest.h>
+#include "app_action_helpers.h"
 
 #define ASSERT_NAMES_EQ(a, b) { \
 	EXPECT_EQ(_order(a).size(), _order(b).size()); \

unit_tests/falco/app/actions/test_configure_syscall_buffer_num.cpp

@@ -0,0 +1,55 @@
+/*
+Copyright (C) 2023 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless ASSERTd by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "app_action_helpers.h"
+
+TEST(ActionConfigureSyscallBufferNum, variable_number_of_CPUs)
+{
+	auto action = falco::app::actions::configure_syscall_buffer_num;
+
+	ssize_t online_cpus = sysconf(_SC_NPROCESSORS_ONLN);
+	if(online_cpus <= 0)
+	{
+		FAIL() << "cannot get the number of online CPUs from the system\n";
+	}
+
+	// not modern bpf engine, we do nothing
+	{
+		falco::app::state s;
+		s.options.modern_bpf = false;
+		EXPECT_ACTION_OK(action(s));
+	}
+
+	// modern bpf engine, with an invalid number of CPUs
+	// default `m_cpus_for_each_syscall_buffer` to online CPU number
+	{
+		falco::app::state s;
+		s.options.modern_bpf = true;
+		s.config->m_cpus_for_each_syscall_buffer = online_cpus + 1;
+		EXPECT_ACTION_OK(action(s));
+		EXPECT_EQ(s.config->m_cpus_for_each_syscall_buffer, online_cpus);
+	}
+
+	// modern bpf engine, with an valid number of CPUs
+	// we don't modify `m_cpus_for_each_syscall_buffer`
+	{
+		falco::app::state s;
+		s.options.modern_bpf = true;
+		s.config->m_cpus_for_each_syscall_buffer = online_cpus - 1;
+		EXPECT_ACTION_OK(action(s));
+		EXPECT_EQ(s.config->m_cpus_for_each_syscall_buffer, online_cpus - 1);
+	}
+}

unit_tests/falco/app/actions/test_select_event_sources.cpp

@@ -14,12 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-#include <gtest/gtest.h>
-#include <falco/app/state.h>
-#include <falco/app/actions/actions.h>
-
-#define EXPECT_ACTION_OK(r)     { EXPECT_TRUE(r.success); EXPECT_TRUE(r.proceed); EXPECT_EQ(r.errstr, ""); }
-#define EXPECT_ACTION_FAIL(r)   { EXPECT_FALSE(r.success); EXPECT_FALSE(r.proceed); EXPECT_NE(r.errstr, ""); }
+#include "app_action_helpers.h"
 
 TEST(ActionSelectEventSources, pre_post_conditions)
 {

userspace/engine/falco_engine.cpp

@@ -199,11 +199,6 @@ std::unique_ptr<load_result> falco_engine::load_rules(const std::string &rules_c
 	rule_loader::reader reader;
 	if (reader.read(cfg, m_rule_collector))
 	{
-		for (auto &src : m_sources)
-		{
-			src.ruleset = src.ruleset_factory->new_ruleset();
-		}
-
 		rule_loader::compiler compiler;
 		m_rules.clear();
 		compiler.compile(cfg, m_rule_collector, m_rules);
@@ -470,6 +465,33 @@ void falco_engine::describe_rule(std::string *rule, bool json) const
 		// all rules, macros and lists
 		Json::Value output;
 
+		// Store required engine version
+		auto required_engine_version = m_rule_collector.required_engine_version();
+		output["required_engine_version"] = std::to_string(required_engine_version.version);
+
+		// Store required plugin versions
+		Json::Value plugin_versions = Json::arrayValue;
+		auto required_plugin_versions = m_rule_collector.required_plugin_versions();
+		for(const auto& req : required_plugin_versions)
+		{
+			Json::Value r;
+			r["name"] = req.at(0).name;
+			r["version"] = req.at(0).version;
+
+			Json::Value alternatives = Json::arrayValue;
+			for(size_t i = 1; i < req.size(); i++)
+			{
+				Json::Value alternative;
+				alternative["name"] = req[i].name;
+				alternative["version"] = req[i].version;
+				alternatives.append(alternative);
+			}
+			r["alternatives"] = alternatives;
+			
+			plugin_versions.append(r);
+		}
+		output["required_plugin_versions"] = plugin_versions;
+
 		// Store information about rules
 		Json::Value rules_array = Json::arrayValue;
 		for(const auto& r : m_rules)
@@ -553,9 +575,9 @@ void falco_engine::get_json_details(const falco_rule &r,
 	rule["details"] = json_details;
 
 	// Get fields from output string
-	sinsp_evt_formatter fmt(insp, r.output);
+	auto fmt = create_formatter(r.source, r.output);
 	std::vector<std::string> out_fields;
-	fmt.get_field_names(out_fields);
+	fmt->get_field_names(out_fields);
 	Json::Value outputFields = Json::arrayValue;
 	for(const auto &of : out_fields)
 	{
@@ -571,10 +593,12 @@ void falco_engine::get_json_details(const falco_rule &r,
 	}
 	rule["details"]["exception_fields"] = exception_fields;
 
-	// Get operators from exceptions
+	// Get names and operators from exceptions
+	Json::Value exception_names = Json::arrayValue;
 	Json::Value exception_operators = Json::arrayValue;
 	for(const auto &e : ri.exceptions)
 	{
+		exception_names.append(e.name);
 		if(e.comps.is_list)
 		{
 			for(const auto& c : e.comps.items)
@@ -598,6 +622,7 @@ void falco_engine::get_json_details(const falco_rule &r,
 			exception_operators.append(e.comps.item);
 		}	
 	}
+	rule["details"]["exceptions"] = exception_names;
 	rule["details"]["exception_operators"] = exception_operators;
 
 	if(ri.source == falco_common::syscall_source)
@@ -708,15 +733,12 @@ void falco_engine::get_json_evt_types(libsinsp::filter::ast::expr* ast,
 {
 	output = Json::arrayValue;
 	auto evtcodes = libsinsp::filter::ast::ppm_event_codes(ast);
-	if(evtcodes.size() != libsinsp::events::all_event_set().size())
+	auto syscodes = libsinsp::filter::ast::ppm_sc_codes(ast);
+	auto syscodes_to_evt_names = libsinsp::events::sc_set_to_event_names(syscodes);
+	auto evtcodes_to_evt_names = libsinsp::events::event_set_to_names(evtcodes, false);
+	for (const auto& n : unordered_set_union(syscodes_to_evt_names, evtcodes_to_evt_names))
 	{
-		auto syscodes = libsinsp::filter::ast::ppm_sc_codes(ast);
-		auto syscodes_to_evt_names = libsinsp::events::sc_set_to_event_names(syscodes);
-		auto evtcodes_to_evt_names = libsinsp::events::event_set_to_names(evtcodes, false);
-		for (const auto& n : unordered_set_union(syscodes_to_evt_names, evtcodes_to_evt_names))
-		{
-			output.append(n);
-		}
+		output.append(n);
 	}
 }
 

userspace/engine/json_evt.h

@@ -26,6 +26,7 @@ limitations under the License.
 
 #include <nlohmann/json.hpp>
 
+#include "falco_common.h"
 #include "prefix_search.h"
 #include <sinsp.h>
 
@@ -435,6 +436,10 @@ public:
 	bool tostring(gen_event *evt, std::string &output) override;
 	bool tostring_withformat(gen_event *evt, std::string &output, gen_event_formatter::output_format of) override;
 	bool get_field_values(gen_event *evt, std::map<std::string, std::string> &fields) override;
+	void get_field_names(std::vector<std::string> &fields) override 
+	{
+		throw falco_exception("json_event_formatter::get_field_names operation not supported");
+	}
 	output_format get_output_format() override;
 
 	std::string tojson(json_event *ev);

userspace/engine/rule_loader.h

@@ -297,6 +297,7 @@ namespace rule_loader
 	*/
 	struct engine_version_info
 	{
+		engine_version_info() : ctx("no-filename-given"), version(0) { };
 		engine_version_info(context &ctx);
 		~engine_version_info() = default;
 		engine_version_info(engine_version_info&&) = default;

userspace/engine/rule_loader_collector.cpp

@@ -116,6 +116,11 @@ const std::vector<rule_loader::plugin_version_info::requirement_alternatives>& r
 	return m_required_plugin_versions;
 }
 
+const rule_loader::engine_version_info& rule_loader::collector::required_engine_version() const
+{
+	return m_required_engine_version;
+}
+
 const indexed_vector<rule_loader::list_info>& rule_loader::collector::lists() const
 {
 	return m_list_infos;
@@ -137,6 +142,10 @@ void rule_loader::collector::define(configuration& cfg, engine_version_info& inf
 	THROW(v < info.version, "Rules require engine version "
 	      + std::to_string(info.version) + ", but engine version is " + std::to_string(v),
 	      info.ctx);
+	if(m_required_engine_version.version < info.version)
+	{
+		m_required_engine_version = info;
+	}
 }
 
 void rule_loader::collector::define(configuration& cfg, plugin_version_info& info)

userspace/engine/rule_loader_collector.h

@@ -46,6 +46,11 @@ public:
 	*/
 	virtual const std::vector<plugin_version_info::requirement_alternatives>& required_plugin_versions() const;
 
+	/*!
+		\brief Returns the required engine versions
+	*/
+	virtual const engine_version_info& required_engine_version() const;
+
 	/*!
 		\brief Returns the list of defined lists
 	*/
@@ -92,6 +97,7 @@ private:
 	indexed_vector<macro_info> m_macro_infos;
 	indexed_vector<list_info> m_list_infos;
 	std::vector<plugin_version_info::requirement_alternatives> m_required_plugin_versions;
+	engine_version_info m_required_engine_version;
 };
 
 }; // namespace rule_loader

userspace/falco/CMakeLists.txt

@@ -41,7 +41,8 @@ set(
   app/actions/print_syscall_events.cpp
   app/actions/print_version.cpp
   app/actions/print_page_size.cpp
-  app/actions/compute_syscall_buffer_size.cpp
+  app/actions/configure_syscall_buffer_size.cpp
+  app/actions/configure_syscall_buffer_num.cpp
   app/actions/select_event_sources.cpp
   app/actions/start_grpc_server.cpp
   app/actions/start_webserver.cpp

userspace/falco/app/actions/actions.h

@@ -25,6 +25,7 @@ namespace actions {
 
 falco::app::run_result configure_interesting_sets(falco::app::state& s);
 falco::app::run_result configure_syscall_buffer_size(falco::app::state& s);
+falco::app::run_result configure_syscall_buffer_num(falco::app::state& s);
 falco::app::run_result create_requested_paths(falco::app::state& s);
 falco::app::run_result create_signal_handlers(falco::app::state& s);
 falco::app::run_result daemonize(falco::app::state& s);

userspace/falco/app/actions/configure_interesting_sets.cpp

@@ -91,6 +91,7 @@ static void select_event_set(falco::app::state& s, const libsinsp::events::set<p
 	auto user_positive_sc_set = libsinsp::events::event_names_to_sc_set(user_positive_names);
 	auto user_negative_sc_set = libsinsp::events::event_names_to_sc_set(user_negative_names);
 
+	auto user_positive_sc_set_names = libsinsp::events::sc_set_to_event_names(user_positive_sc_set);
 	if (!user_positive_sc_set.empty())
 	{
 		// user overrides base event set
@@ -98,16 +99,15 @@ static void select_event_set(falco::app::state& s, const libsinsp::events::set<p
 
 		// we re-transform from sc_set to names to make
 		// sure that bad user inputs are ignored
-		auto user_positive_sc_set_names = libsinsp::events::sc_set_to_event_names(user_positive_sc_set);
 		falco_logger::log(LOG_DEBUG, "+(" + std::to_string(user_positive_sc_set_names.size())
 			+ ") syscalls added (base_syscalls override): "
 			+ concat_set_in_order(user_positive_sc_set_names) + "\n");
-		auto invalid_positive_sc_set_names = unordered_set_difference(user_positive_names, user_positive_sc_set_names);
-		if (!invalid_positive_sc_set_names.empty())
-		{
-			falco_logger::log(LOG_WARNING, "Invalid (positive) syscall names: warning (base_syscalls override): "
-				+ concat_set_in_order(invalid_positive_sc_set_names));
-		}
+	}
+	auto invalid_positive_sc_set_names = unordered_set_difference(user_positive_names, user_positive_sc_set_names);
+	if (!invalid_positive_sc_set_names.empty())
+	{
+		falco_logger::log(LOG_WARNING, "Invalid (positive) syscall names: warning (base_syscalls override): "
+			+ concat_set_in_order(invalid_positive_sc_set_names));
 	}
 
 	// selected events are the union of the rules events set and the
@@ -127,6 +127,7 @@ static void select_event_set(falco::app::state& s, const libsinsp::events::set<p
 		s.selected_sc_set = libsinsp::events::sinsp_repair_state_sc_set(rules_sc_set);
 	}
 
+	auto user_negative_sc_set_names = libsinsp::events::sc_set_to_event_names(user_negative_sc_set);
 	if (!user_negative_sc_set.empty())
 	{
 		/* Remove negative base_syscalls events. */
@@ -134,16 +135,15 @@ static void select_event_set(falco::app::state& s, const libsinsp::events::set<p
 
 		// we re-transform from sc_set to names to make
 		// sure that bad user inputs are ignored
-		auto user_negative_sc_set_names = libsinsp::events::sc_set_to_event_names(user_negative_sc_set);
 		falco_logger::log(LOG_DEBUG, "-(" + std::to_string(user_negative_sc_set_names.size())
 			+ ") syscalls removed (base_syscalls override): "
 			+ concat_set_in_order(user_negative_sc_set_names) + "\n");
-		auto invalid_negative_sc_set_names = unordered_set_difference(user_negative_names, user_negative_sc_set_names);
-		if (!invalid_negative_sc_set_names.empty())
-		{
-			falco_logger::log(LOG_WARNING, "Invalid (negative) syscall names: warning (base_syscalls override): "
-				+ concat_set_in_order(invalid_negative_sc_set_names));
-		}
+	}
+	auto invalid_negative_sc_set_names = unordered_set_difference(user_negative_names, user_negative_sc_set_names);
+	if (!invalid_negative_sc_set_names.empty())
+	{
+		falco_logger::log(LOG_WARNING, "Invalid (negative) syscall names: warning (base_syscalls override): "
+			+ concat_set_in_order(invalid_negative_sc_set_names));
 	}
 
 	/* Derive the diff between the additional syscalls added via libsinsp state

userspace/falco/app/actions/configure_syscall_buffer_num.cpp

@@ -0,0 +1,42 @@
+/*
+Copyright (C) 2023 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "actions.h"
+
+using namespace falco::app;
+using namespace falco::app::actions;
+
+falco::app::run_result falco::app::actions::configure_syscall_buffer_num(falco::app::state& s)
+{
+	if(!s.options.modern_bpf)
+	{
+		return run_result::ok();
+	}
+
+	ssize_t online_cpus = sysconf(_SC_NPROCESSORS_ONLN);
+	if(online_cpus <= 0)
+	{
+		return run_result::fatal("cannot get the number of online CPUs from the system\n");
+	}
+
+	if(s.config->m_cpus_for_each_syscall_buffer > online_cpus)
+	{
+		falco_logger::log(LOG_WARNING, "you required a buffer every '" + std::to_string(s.config->m_cpus_for_each_syscall_buffer) + "' CPUs but there are only '" + std::to_string(online_cpus) + "' online CPUs. Falco changed the config to: one buffer every '" + std::to_string(online_cpus) + "' CPUs\n");
+		s.config->m_cpus_for_each_syscall_buffer = online_cpus;
+	}
+
+	return run_result::ok();
+}

userspace/falco/app/actions/create_signal_handlers.cpp

@@ -131,9 +131,9 @@ falco::app::run_result falco::app::actions::create_signal_handlers(falco::app::s
 		{
 			std::string rule = "Falco internal: hot restart failure";
 			std::string msg = rule + ": " + err;
-			std::map<std::string, std::string> o = {};
+			auto fields = nlohmann::json::object();
 			auto now = std::chrono::duration_cast<std::chrono::nanoseconds>(std::chrono::system_clock::now().time_since_epoch()).count();
-			s.outputs->handle_msg(now, falco_common::PRIORITY_CRITICAL, msg, rule, o);
+			s.outputs->handle_msg(now, falco_common::PRIORITY_CRITICAL, msg, rule, fields);
 		}
 
 		return success;

userspace/falco/app/actions/load_rules_files.cpp

@@ -63,6 +63,7 @@ falco::app::run_result falco::app::actions::load_rules_files(falco::app::state&
 		return run_result::fatal(e.what());
 	}
 
+	std::string err = "";
 	for(auto &filename : s.config->m_loaded_rules_filenames)
 	{
 		falco_logger::log(LOG_INFO, "Loading rules from file " + filename + "\n");
@@ -73,7 +74,8 @@ falco::app::run_result falco::app::actions::load_rules_files(falco::app::state&
 		if(!res->successful())
 		{
 			// Return the summary version as the error
-			return run_result::fatal(res->as_string(true, rc));
+			err = res->as_string(true, rc);
+			break;
 		}
 
 		// If verbose is true, also print any warnings
@@ -83,8 +85,44 @@ falco::app::run_result falco::app::actions::load_rules_files(falco::app::state&
 		}
 	}
 
-	std::string err = "";
-	if (!check_rules_plugin_requirements(s, err))
+	// note: we have an egg-and-chicken problem here. We would like to check
+	// plugin requirements before loading any rule, so that we avoid having
+	// all the "unknown field XXX" errors caused when a plugin is required but
+	// not loaded. On the other hand, we can't check the requirements before
+	// loading the rules file, because that's where the plugin dependencies
+	// are specified. This issue is visible only for dependencies over extractor
+	// plugins, due to the fact that if a source plugin is not loaded, its
+	// source will be unknown for the engine and so it will skip loading all of
+	// the rules to that source, to finally end up here and return a fatal error
+	// due to plugin dependency not satisfied being the actual problem.
+	//
+	// The long-term solution would be to pass information about all the loaded
+	// plugins to the falco engine before or when loading a rules file, so that
+	// plugin version checks can be performed properly by the engine, just
+	// like it does for the engine version requirement. On the other hand,
+	// This also requires refactoring a big chunk of the API and code of the
+	// engine responsible of loading rules.
+	// 
+	// Since we're close to releasing Falco v0.35, the chosen workaround is
+	// to first collect any error from the engine, then checking if there is
+	// also a version dependency not being satisfied, and give that failure
+	// cause priority in case we encounter it. This is indeed not perfect, but
+	// suits us for the time being. The non-covered corner case is when
+	// the `required_plugin_versions` YAML block is defined after the first
+	// rule definition (which is wrong anyways but currently allowed by the
+	// engine), in which case Falco would stop at the first error (which
+	// behavior we'll still want to change in the near future), not collect the
+	// plugin deps info, and the checks below will pass with success wrongly.
+	//
+	// todo(jasondellaluce): perform plugin deps checks inside the
+	// falco engine in the middle of the loading procedure of a rules file
+	std::string req_err = "";
+	if (!check_rules_plugin_requirements(s, req_err))
+	{
+		err = req_err;
+	}
+
+	if (!err.empty())
 	{
 		return run_result::fatal(err);
 	}

userspace/falco/app/actions/process_events.cpp

@@ -228,11 +228,10 @@ static falco::app::run_result do_inspect(
 					{
 						sinsp_utils::ts_to_string(duration_start, &last_event_time_str, false, true);
 					}
-					std::map<std::string, std::string> o = {
-						{"last_event_time", last_event_time_str},
-					};
+					nlohmann::json fields;
+					fields["last_event_time"] = last_event_time_str;
 					auto now = std::chrono::duration_cast<std::chrono::nanoseconds>(std::chrono::system_clock::now().time_since_epoch()).count();
-					s.outputs->handle_msg(now, falco_common::PRIORITY_DEBUG, msg, rule, o);
+					s.outputs->handle_msg(now, falco_common::PRIORITY_DEBUG, msg, rule, fields);
 					// Reset the timeouts counter, Falco alerted
 					timeouts_since_last_success_or_msg = 0;
 				}
@@ -399,7 +398,8 @@ static void process_inspector_events(
 
 static falco::app::run_result init_stats_writer(
 		const std::shared_ptr<const stats_writer>& sw,
-		const std::shared_ptr<const falco_configuration>& config)
+		const std::shared_ptr<const falco_configuration>& config,
+		bool is_dry_run)
 {
 	if (!config->m_metrics_enabled)
 	{
@@ -426,6 +426,10 @@ static falco::app::run_result init_stats_writer(
 	falco_logger::log(LOG_INFO, "Setting metrics interval to " + config->m_metrics_interval_str + ", equivalent to " + std::to_string(config->m_metrics_interval) + " (ms)\n");
 
 	auto res = falco::app::run_result::ok();
+	if (is_dry_run)
+	{
+		return res;
+	}
 	res.success = stats_writer::init_ticker(config->m_metrics_interval, res.errstr);
 	res.proceed = res.success;
 	return res;
@@ -436,15 +440,16 @@ falco::app::run_result falco::app::actions::process_events(falco::app::state& s)
 	// Notify engine that we finished loading and enabling all rules
 	s.engine->complete_rule_loading();
 
+	// Initialize stats writer
+	auto statsw = std::make_shared<stats_writer>(s.outputs, s.config);
+	auto res = init_stats_writer(statsw, s.config, s.options.dry_run);
+
 	if (s.options.dry_run)
 	{
 		falco_logger::log(LOG_DEBUG, "Skipping event processing in dry-run\n");
-		return run_result::ok();
+		return res;
 	}
 
-	// Initialize stats writer
-	auto statsw = std::make_shared<stats_writer>(s.outputs, s.config);
-	auto res = init_stats_writer(statsw, s.config);
 	if (!res.success)
 	{
 		return res;
@@ -533,14 +538,6 @@ falco::app::run_result falco::app::actions::process_events(falco::app::state& s)
 		size_t closed_count = 0;
 		while (closed_count < ctxs.size())
 		{
-			// This is shared across all running event source threads an
-			// keeps the main thread sleepy until one of the parallel
-			// threads terminates and invokes release(). At that point,
-			// we know that at least one thread finished running and we can
-			// attempt joining it. Not that this also works when only one
-			// event source is enabled, in which we have no additional threads.
-			termination_sem.acquire();
-
 			if (!res.success && !termination_forced)
 			{
 				falco_logger::log(LOG_INFO, "An error occurred in an event source, forcing termination...\n");
@@ -549,6 +546,14 @@ falco::app::run_result falco::app::actions::process_events(falco::app::state& s)
 				termination_forced = true;
 			}
 
+			// This is shared across all running event source threads an
+			// keeps the main thread sleepy until one of the parallel
+			// threads terminates and invokes release(). At that point,
+			// we know that at least one thread finished running and we can
+			// attempt joining it. Not that this also works when only one
+			// event source is enabled, in which we have no additional threads.
+			termination_sem.acquire();
+
 			for (auto &ctx : ctxs)
 			{
 				if (ctx.sync->finished() && !ctx.sync->joined())

userspace/falco/app/app.cpp

@@ -84,6 +84,7 @@ bool falco::app::run(falco::app::state& s, bool& restart, std::string& errstr)
 		falco::app::actions::init_clients,
 		falco::app::actions::configure_interesting_sets,
 		falco::app::actions::configure_syscall_buffer_size,
+		falco::app::actions::configure_syscall_buffer_num,
 		falco::app::actions::start_grpc_server,
 		falco::app::actions::start_webserver,
 		falco::app::actions::process_events,

userspace/falco/app/options.cpp

@@ -203,8 +203,8 @@ void options::define(cxxopts::Options& opts)
 		("K,k8s-api-cert",                "Use the provided files names to authenticate user and (optionally) verify the K8S API server identity. Each entry must specify full (absolute, or relative to the current directory) path to the respective file. Private key password is optional (needed only if key is password protected). CA certificate is optional. For all files, only PEM file format is supported. Specifying CA certificate only is obsoleted - when single entry is provided for this option, it will be interpreted as the name of a file containing bearer token. Note that the format of this command-line option prohibits use of files whose names contain ':' or '#' characters in the file name.", cxxopts::value(k8s_api_cert), "(<bt_file> | <cert_file>:<key_file[#password]>[:<ca_cert_file>])")
 		("k8s-node",                      "The node name will be used as a filter when requesting metadata of pods to the API server. Usually, this should be set to the current node on which Falco is running. If empty, no filter is set, which may have a performance penalty on large clusters.", cxxopts::value(k8s_node_name), "<node_name>")
 #endif
-		("L",                             "Show the name and description of all rules and exit.", cxxopts::value(describe_all_rules)->default_value("false"))
-		("l",                             "Show the name and description of the rule with name <rule> and exit.", cxxopts::value(describe_rule), "<rule>")
+		("L",                             "Show the name and description of all rules and exit. If json_output is set to true, it prints details about all rules, macros and lists in JSON format", cxxopts::value(describe_all_rules)->default_value("false"))
+		("l",                             "Show the name and description of the rule with name <rule> and exit. If json_output is set to true, it prints details about the rule in JSON format", cxxopts::value(describe_rule), "<rule>")
 		("list",                          "List all defined fields. If <source> is provided, only list those fields for the source <source>. Current values for <source> are \"syscall\" or any source from a configured plugin with event sourcing capability.", cxxopts::value(list_source_fields)->implicit_value(""), "<source>")
 		("list-syscall-events",  		  "List all defined system call events.", cxxopts::value<bool>(list_syscall_events))
 #ifndef MUSL_OPTIMIZED

userspace/falco/configuration.cpp

@@ -68,7 +68,8 @@ falco_configuration::falco_configuration():
 	m_metrics_resource_utilization_enabled(true),
 	m_metrics_kernel_event_counters_enabled(true),
 	m_metrics_libbpf_stats_enabled(true),
-	m_metrics_convert_memory_to_mb(true)
+	m_metrics_convert_memory_to_mb(true),
+	m_metrics_include_empty_values(false)
 {
 	init({});
 }
@@ -356,6 +357,7 @@ void falco_configuration::load_yaml(const std::string& config_name, const yaml_h
 	m_metrics_kernel_event_counters_enabled = config.get_scalar<bool>("metrics.kernel_event_counters_enabled", true);
 	m_metrics_libbpf_stats_enabled = config.get_scalar<bool>("metrics.libbpf_stats_enabled", true);
 	m_metrics_convert_memory_to_mb = config.get_scalar<bool>("metrics.convert_memory_to_mb", true);
+	m_metrics_include_empty_values = config.get_scalar<bool>("metrics.include_empty_values", false);
 
 	std::vector<std::string> load_plugins;
 

userspace/falco/configuration.h

@@ -122,6 +122,7 @@ public:
 	bool m_metrics_kernel_event_counters_enabled;
 	bool m_metrics_libbpf_stats_enabled;
 	bool m_metrics_convert_memory_to_mb;
+	bool m_metrics_include_empty_values;
 
 	std::vector<plugin_config> m_plugins;
 

userspace/falco/event_drops.cpp

@@ -156,7 +156,7 @@ bool syscall_evt_drop_mgr::perform_actions(uint64_t now, scap_stats &delta, bool
 
 		case syscall_evt_drop_action::ALERT:
 		{
-			std::map<std::string, std::string> output_fields;
+			nlohmann::json output_fields;
 			output_fields["n_evts"] = std::to_string(delta.n_evts);		/* Total number of kernel side events actively traced (not including events discarded due to simple consumer mode in eBPF case). */
 			output_fields["n_drops"] = std::to_string(delta.n_drops);		/* Number of all kernel side event drops out of n_evts. */
 			output_fields["n_drops_buffer_total"] = std::to_string(delta.n_drops_buffer);		/* Total number of kernel side drops due to full buffer, includes all categories below, likely higher than sum of syscall categories. */

userspace/falco/falco_outputs.cpp

@@ -161,8 +161,13 @@ void falco_outputs::handle_msg(uint64_t ts,
 			       falco_common::priority_type priority,
 			       std::string &msg,
 			       std::string &rule,
-			       std::map<std::string, std::string> &output_fields)
+			       nlohmann::json &output_fields)
 {
+	if (!output_fields.is_object())
+	{
+		throw falco_exception("falco_outputs: output fields must be key-value maps");
+	}
+
 	falco_outputs::ctrl_msg cmsg = {};
 	cmsg.ts = ts;
 	cmsg.priority = priority;
@@ -202,7 +207,7 @@ void falco_outputs::handle_msg(uint64_t ts,
 
 		sinsp_utils::ts_to_string(ts, &timestr, false, true);
 		cmsg.msg = timestr + ": " + falco_common::format_priority(priority) + " " + msg + " (";
-		for(auto &pair : output_fields)
+		for(auto &pair : output_fields.items())
 		{
 			if(first)
 			{
@@ -212,7 +217,11 @@ void falco_outputs::handle_msg(uint64_t ts,
 			{
 				cmsg.msg += " ";
 			}
-			cmsg.msg += pair.first + "=" + pair.second;
+			if (!pair.value().is_primitive())
+			{
+				throw falco_exception("falco_outputs: output fields must be key-value maps");
+			}
+			cmsg.msg += pair.key() + "=" + pair.value().dump();
 		}
 		cmsg.msg += ")";
 	}

userspace/falco/falco_outputs.h

@@ -66,7 +66,7 @@ public:
 			falco_common::priority_type priority,
 			std::string &msg,
 			std::string &rule,
-			std::map<std::string, std::string> &output_fields);
+			nlohmann::json &output_fields);
 
 	/*!
 		\brief Sends a cleanup message to all outputs.

userspace/falco/outputs.h

@@ -21,6 +21,7 @@ limitations under the License.
 
 #include "falco_common.h"
 #include "gen_filter.h"
+#include <nlohmann/json.hpp>
 
 namespace falco
 {
@@ -49,7 +50,7 @@ struct message
 	std::string msg;
 	std::string rule;
 	std::string source;
-	std::map<std::string, std::string> fields;
+	nlohmann::json fields;
 	std::set<std::string> tags;
 };
 

userspace/falco/outputs_grpc.cpp

@@ -79,9 +79,15 @@ void falco::outputs::output_grpc::output(const message *msg)
 
 	// output fields
 	auto &fields = *grpc_res.mutable_output_fields();
-	for(const auto &kv : msg->fields)
+	for(const auto &kv : msg->fields.items())
 	{
-		fields[kv.first] = kv.second;
+		if (!kv.value().is_primitive())
+		{
+			throw falco_exception("output_grpc: output fields must be key-value maps");
+		}
+		fields[kv.key()] = (kv.value().is_string())
+			? kv.value().get<std::string>()
+			: kv.value().dump();
 	}
 
 	// hostname

userspace/falco/stats_writer.cpp

@@ -162,8 +162,7 @@ void stats_writer::worker() noexcept
 				{
 					std::string rule = "Falco internal: metrics snapshot";
 					std::string msg = "Falco metrics snapshot";
-					std::map<std::string,std::string> fields = {m.output_fields.begin(), m.output_fields.end()}; 
-					m_outputs->handle_msg(m.ts, falco_common::PRIORITY_INFORMATIONAL, msg, rule, fields);
+					m_outputs->handle_msg(m.ts, falco_common::PRIORITY_INFORMATIONAL, msg, rule, m.output_fields);
 				}
 
 				if (use_file)
@@ -188,7 +187,7 @@ stats_writer::collector::collector(const std::shared_ptr<stats_writer>& writer)
 }
 
 void stats_writer::collector::get_metrics_output_fields_wrapper(
-		std::unordered_map<std::string, std::string>& output_fields,
+		nlohmann::json& output_fields,
 		const std::shared_ptr<sinsp>& inspector, uint64_t now,
 		const std::string& src, uint64_t num_evts, double stats_snapshot_time_delta_sec)
 {
@@ -199,14 +198,14 @@ void stats_writer::collector::get_metrics_output_fields_wrapper(
 	const scap_machine_info* machine_info = inspector->get_machine_info();
 
 	/* Wrapper fields useful for statistical analyses and attributions. Always enabled. */
-	output_fields["evt.time"] = std::to_string(now); /* Some ETLs may prefer a consistent timestamp within output_fields. */
+	output_fields["evt.time"] = now; /* Some ETLs may prefer a consistent timestamp within output_fields. */
 	output_fields["falco.version"] = FALCO_VERSION;
-	output_fields["falco.start_ts"] = std::to_string(agent_info->start_ts_epoch);
-	output_fields["falco.duration_sec"] = std::to_string((now - agent_info->start_ts_epoch) / ONE_SECOND_IN_NS);
+	output_fields["falco.start_ts"] = agent_info->start_ts_epoch;
+	output_fields["falco.duration_sec"] = (uint64_t)((now - agent_info->start_ts_epoch) / ONE_SECOND_IN_NS);
 	output_fields["falco.kernel_release"] = agent_info->uname_r;
-	output_fields["falco.host_boot_ts"] = std::to_string(machine_info->boot_ts_epoch);
+	output_fields["falco.host_boot_ts"] = machine_info->boot_ts_epoch;
 	output_fields["falco.hostname"] = machine_info->hostname; /* Explicitly add hostname to log msg in case hostname rule output field is disabled. */
-	output_fields["falco.host_num_cpus"] = std::to_string(machine_info->num_cpus);
+	output_fields["falco.host_num_cpus"] = machine_info->num_cpus;
 
 	output_fields["evt.source"] = src;
 	for (size_t i = 0; i < sizeof(all_driver_engines) / sizeof(const char*); i++)
@@ -222,15 +221,15 @@ void stats_writer::collector::get_metrics_output_fields_wrapper(
 	if (m_last_num_evts != 0 && stats_snapshot_time_delta_sec > 0)
 	{
 		/* Successfully processed userspace event rate. */
-		output_fields["falco.evts_rate_sec"] = std::to_string((num_evts - m_last_num_evts) / (double)stats_snapshot_time_delta_sec);
+		output_fields["falco.evts_rate_sec"] = (double)((num_evts - m_last_num_evts) / (double)stats_snapshot_time_delta_sec);
 	}
-	output_fields["falco.num_evts"] = std::to_string(num_evts);
-	output_fields["falco.num_evts_prev"] = std::to_string(m_last_num_evts);
+	output_fields["falco.num_evts"] = num_evts;
+	output_fields["falco.num_evts_prev"] = m_last_num_evts;
 	m_last_num_evts = num_evts;
 }
 
 void stats_writer::collector::get_metrics_output_fields_additional(
-		std::unordered_map<std::string, std::string>& output_fields,
+		nlohmann::json& output_fields,
 		const std::shared_ptr<sinsp>& inspector,
 		double stats_snapshot_time_delta_sec, const std::string& src)
 {
@@ -251,32 +250,43 @@ void stats_writer::collector::get_metrics_output_fields_additional(
 			for(uint32_t stat = 0; stat < nstats; stat++)
 			{
 				char metric_name[STATS_NAME_MAX] = "falco.";
-				strncat(metric_name, utilization[stat].name, sizeof(metric_name) - strlen(metric_name));
+				strncat(metric_name, utilization[stat].name, sizeof(metric_name) - strlen(metric_name) - 1);
 				switch(utilization[stat].type)
 				{
 				case STATS_VALUE_TYPE_U64:
-
-					if (m_writer->m_config->m_metrics_convert_memory_to_mb && strncmp(utilization[stat].name, "container_memory_used", 21) == 0)
+					if (utilization[stat].value.u64 == 0 && !m_writer->m_config->m_metrics_include_empty_values)
 					{
-						output_fields[metric_name] = std::to_string(utilization[stat].value.u64 / (double)1024 / (double)1024);
+						break;
+					}
+					if (m_writer->m_config->m_metrics_convert_memory_to_mb && strncmp(utilization[stat].name, "container_memory_used", 22) == 0) // exact str match
+					{
+						output_fields[metric_name] = (uint64_t)(utilization[stat].value.u64 / (double)1024 / (double)1024);
 					}
 					else
 					{
-						output_fields[metric_name] = std::to_string(utilization[stat].value.u64);
+						output_fields[metric_name] = utilization[stat].value.u64;
 					}
 					break;
 				case STATS_VALUE_TYPE_U32:
-					if (m_writer->m_config->m_metrics_convert_memory_to_mb && strncmp(utilization[stat].name, "memory_", 7) == 0)
+					if (utilization[stat].value.u32 == 0 && !m_writer->m_config->m_metrics_include_empty_values)
 					{
-						output_fields[metric_name] = std::to_string(utilization[stat].value.u32 / (double)1024);
+						break;
+					}
+					if (m_writer->m_config->m_metrics_convert_memory_to_mb && strncmp(utilization[stat].name, "memory_", 7) == 0) // prefix match
+					{
+						output_fields[metric_name] = (uint32_t)(utilization[stat].value.u32 / (double)1024);
 					}
 					else
 					{
-						output_fields[metric_name] = std::to_string(utilization[stat].value.u32);
+						output_fields[metric_name] = utilization[stat].value.u32;
 					}
 					break;
 				case STATS_VALUE_TYPE_D:
-					output_fields[metric_name] = std::to_string(utilization[stat].value.d);
+					if (utilization[stat].value.d == 0 && !m_writer->m_config->m_metrics_include_empty_values)
+					{
+						break;
+					}
+					output_fields[metric_name] = utilization[stat].value.d;
 					break;
 				default:
 					break;
@@ -306,62 +316,76 @@ void stats_writer::collector::get_metrics_output_fields_additional(
 	const scap_stats_v2* stats_v2 = inspector->get_capture_stats_v2(flags, &nstats, &rc);
 	if (stats_v2 && nstats > 0 && rc == 0)
 	{
-		/* Cache n_evts and n_drops to derice n_drops_perc. */
+		/* Cache n_evts and n_drops to derive n_drops_perc. */
 		uint64_t n_evts = 0;
 		uint64_t n_drops = 0;
+		uint64_t n_evts_delta = 0;
+		uint64_t n_drops_delta = 0;
 		for(uint32_t stat = 0; stat < nstats; stat++)
 		{
 			// todo: as we expand scap_stats_v2 prefix may be pushed to scap or we may need to expand
 			// functionality here for example if we add userspace syscall counters that should be prefixed w/ `falco.`
 			char metric_name[STATS_NAME_MAX] = "scap.";
-			strncat(metric_name, stats_v2[stat].name, sizeof(metric_name) - strlen(metric_name));
+			strncat(metric_name, stats_v2[stat].name, sizeof(metric_name) - strlen(metric_name) - 1);
 			switch(stats_v2[stat].type)
 			{
 			case STATS_VALUE_TYPE_U64:
-				if (strncmp(stats_v2[stat].name, "n_evts", 6) == 0)
+				/* Always send high level n_evts related fields, even if zero. */
+				if (strncmp(stats_v2[stat].name, "n_evts", 7) == 0) // exact not prefix match here
 				{
 					n_evts = stats_v2[stat].value.u64;
-					if (m_last_n_evts != 0 && stats_snapshot_time_delta_sec > 0)
+					output_fields[metric_name] = n_evts;
+					output_fields["scap.n_evts_prev"] = m_last_n_evts;
+					n_evts_delta = n_evts - m_last_n_evts;
+					if (n_evts_delta != 0 && stats_snapshot_time_delta_sec > 0)
 					{
 						/* n_evts is total number of kernel side events. */
-						output_fields["scap.evts_rate_sec"] = std::to_string((n_evts - m_last_n_evts) / stats_snapshot_time_delta_sec);
+						output_fields["scap.evts_rate_sec"] = (double)(n_evts_delta / stats_snapshot_time_delta_sec);
 					}
 					else
 					{
-						output_fields["scap.evts_rate_sec"] = std::to_string(0);
+						output_fields["scap.evts_rate_sec"] = (double)(0);
 					}
-					output_fields["scap.n_evts_prev"] = std::to_string(m_last_n_evts);
+					m_last_n_evts = n_evts;
 				}
-				else if (strncmp(stats_v2[stat].name, "n_drops", 7) == 0)
+				/* Always send high level n_drops related fields, even if zero. */
+				else if (strncmp(stats_v2[stat].name, "n_drops", 8) == 0) // exact not prefix match here
 				{
 					n_drops = stats_v2[stat].value.u64;
-					if (m_last_n_drops != 0 && stats_snapshot_time_delta_sec > 0)
+					output_fields[metric_name] = n_drops;
+					output_fields["scap.n_drops_prev"] = m_last_n_drops;
+					n_drops_delta = n_drops - m_last_n_drops;
+					if (n_drops_delta != 0 && stats_snapshot_time_delta_sec > 0)
 					{
 						/* n_drops is total number of kernel side event drops. */
-						output_fields["scap.evts_drop_rate_sec"] = std::to_string((n_drops - m_last_n_drops) / stats_snapshot_time_delta_sec);
+						output_fields["scap.evts_drop_rate_sec"] = (double)(n_drops_delta / stats_snapshot_time_delta_sec);
 					}
 					else
 					{
-						output_fields["scap.evts_drop_rate_sec"] = std::to_string(0);
+						output_fields["scap.evts_drop_rate_sec"] = (double)(0);
 					}
-					output_fields["scap.n_drops_prev"] = std::to_string(m_last_n_drops);
+					m_last_n_drops = n_drops;
 				}
-				output_fields[metric_name] = std::to_string(stats_v2[stat].value.u64);
+				if (stats_v2[stat].value.u64 == 0 && !m_writer->m_config->m_metrics_include_empty_values)
+				{
+					break;
+				}
+				output_fields[metric_name] = stats_v2[stat].value.u64;
 				break;
 			default:
 				break;
 			}
 		}
-		if((n_evts - m_last_n_evts) > 0)
+		/* n_drops_perc needs to be calculated outside the loop given no field ordering guarantees.
+		 * Always send n_drops_perc, even if zero. */
+		if(n_evts_delta > 0)
 		{
-			output_fields["scap.n_drops_perc"] = std::to_string((100.0 * (n_drops - m_last_n_drops)) / (n_evts - m_last_n_evts));
+			output_fields["scap.n_drops_perc"] = (double)((100.0 * n_drops_delta) / n_evts_delta);
 		}
 		else
 		{
-			output_fields["scap.n_drops_perc"] = std::to_string(0);
+			output_fields["scap.n_drops_perc"] = (double)(0);
 		}
-		m_last_n_evts = n_evts;
-		m_last_n_drops = n_drops;
 	}
 #endif
 }
@@ -386,7 +410,7 @@ void stats_writer::collector::collect(const std::shared_ptr<sinsp>& inspector, c
 			double stats_snapshot_time_delta_sec = (stats_snapshot_time_delta / (double)ONE_SECOND_IN_NS);
 
 			/* Get respective metrics output_fields. */
-			std::unordered_map<std::string, std::string> output_fields;
+			nlohmann::json output_fields;
 			get_metrics_output_fields_wrapper(output_fields, inspector, now, src, num_evts, stats_snapshot_time_delta_sec);
 			get_metrics_output_fields_additional(output_fields, inspector, stats_snapshot_time_delta_sec, src);
 

userspace/falco/stats_writer.h

@@ -64,12 +64,12 @@ public:
 		/*!
 			\brief Collect snapshot metrics wrapper fields as internal rule formatted output fields.
 		*/
-		void get_metrics_output_fields_wrapper(std::unordered_map<std::string, std::string>& output_fields, const std::shared_ptr<sinsp>& inspector, uint64_t now, const std::string& src, uint64_t num_evts, double stats_snapshot_time_delta_sec);
+		void get_metrics_output_fields_wrapper(nlohmann::json& output_fields, const std::shared_ptr<sinsp>& inspector, uint64_t now, const std::string& src, uint64_t num_evts, double stats_snapshot_time_delta_sec);
 
 		/*!
 			\brief Collect snapshot metrics syscalls related metrics as internal rule formatted output fields.
 		*/
-		void get_metrics_output_fields_additional(std::unordered_map<std::string, std::string>& output_fields, const std::shared_ptr<sinsp>& inspector, double stats_snapshot_time_delta_sec, const std::string& src);
+		void get_metrics_output_fields_additional(nlohmann::json& output_fields, const std::shared_ptr<sinsp>& inspector, double stats_snapshot_time_delta_sec, const std::string& src);
 
 	
 		std::shared_ptr<stats_writer> m_writer;
@@ -132,7 +132,7 @@ private:
 		bool stop;
 		uint64_t ts;
 		std::string source;
-		std::unordered_map<std::string, std::string> output_fields;
+		nlohmann::json output_fields;
 	};
 
 	void worker() noexcept;