chore(ci): only install awscli from repo.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

.circleci/config.yml

@@ -203,7 +203,7 @@ jobs:
           path: /tmp/build-arm64/release/integration-tests-xunit
   "tests-driver-loader-integration":
     machine:
-      image: ubuntu-2004:202107-02
+      image: ubuntu-2004:2023.04.2
     steps:
       - attach_workspace:
           at: /tmp/ws

.github/workflows/ci.yml

@@ -11,8 +11,36 @@ concurrency:
   cancel-in-progress: true  
 
 jobs:
-  build-minimal:
-    runs-on: ubuntu-20.04
+  fetch-version:
+    uses: ./.github/workflows/reusable_fetch_version.yaml
+
+  build-dev-packages:
+    needs: [fetch-version]
+    uses: ./.github/workflows/reusable_build_packages.yaml
+    with:
+      arch: x86_64
+      version: ${{ needs.fetch-version.outputs.version }}
+
+  test-dev-packages:
+    needs: [fetch-version, build-dev-packages]
+    uses: ./.github/workflows/reusable_test_packages.yaml
+    strategy:
+      fail-fast: false
+      matrix:
+        static: ["static", ""]
+    with:
+      arch: x86_64
+      static: ${{ matrix.static != '' && true || false }}
+      version: ${{ needs.fetch-version.outputs.version }}
+
+  build-dev:
+    strategy:
+      fail-fast: false
+      matrix:
+        machine: ['ubuntu-20.04']
+        buildmode: ['Debug', 'Release']
+        minimal: ['', 'minimal']
+    runs-on: ${{ matrix.machine }}
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -22,83 +50,25 @@ jobs:
 
       - name: Update base image
         run: sudo apt update -y
-
+      
       - name: Install build dependencies
-        run: sudo DEBIAN_FRONTEND=noninteractive apt install libjq-dev libyaml-cpp-dev libelf-dev cmake build-essential git -y
-
-      - name: Prepare project
-        run: |
-          mkdir build-minimal
-          pushd build-minimal
-          cmake -DMINIMAL_BUILD=On -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DBUILD_FALCO_UNIT_TESTS=On ..
-          popd
-
-      - name: Build
-        run: |
-          pushd build-minimal
-          make -j4 all
-          popd
-
-      - name: Run unit tests
-        run: |
-          pushd build-minimal
-          sudo ./unit_tests/falco_unit_tests 
-          popd
-
-  build-ubuntu-focal:
-    runs-on: ubuntu-20.04
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Update base image
-        run: sudo apt update -y
-
-      - name: Install build dependencies
-        run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm git -y
+        run: sudo DEBIAN_FRONTEND=noninteractive apt install libjq-dev libelf-dev libyaml-cpp-dev cmake build-essential git -y
 
+      - name: Install build dependencies (non-minimal)
+        if: matrix.minimal != 'minimal'
+        run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libgrpc++-dev protobuf-compiler-grpc rpm libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm -y
+      
       - name: Prepare project
         run: |
           mkdir build
           pushd build
-          cmake -DBUILD_BPF=On -DCMAKE_BUILD_TYPE=Release -DBUILD_FALCO_UNIT_TESTS=On ..
-          popd
-
-      - name: Build
-        run: |
-          pushd build
-          KERNELDIR=/lib/modules/$(uname -r)/build make -j4 all
-          popd
-
-      - name: Run unit tests
-        run: |
-          pushd build
-          sudo ./unit_tests/falco_unit_tests 
-          popd
-
-  build-ubuntu-focal-debug:
-    runs-on: ubuntu-20.04
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Update base image
-        run: sudo apt update -y
-
-      - name: Install build dependencies
-        run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm git -y
-
-      - name: Prepare project
-        run: |
-          mkdir build
-          pushd build
-          cmake -DCMAKE_BUILD_TYPE=Debug -DBUILD_BPF=On -DBUILD_FALCO_UNIT_TESTS=On ..
+          cmake \
+            -DBUILD_FALCO_UNIT_TESTS=On \
+            -DCMAKE_BUILD_TYPE=${{ matrix.buildmode }} \
+            -DBUILD_BPF=${{ matrix.minimal == 'minimal' && 'OFF' || 'ON' }} \
+            -DBUILD_DRIVER=${{ matrix.minimal == 'minimal' && 'OFF' || 'ON' }} \
+            -DMINIMAL_BUILD=${{ matrix.minimal == 'minimal' && 'ON' || 'OFF' }} \
+            ..
           popd
 
       - name: Build

.github/workflows/master.yaml

@@ -9,37 +9,8 @@ concurrency:
   cancel-in-progress: true  
 
 jobs:
-  # We need to use an ubuntu-latest to fetch Falco version because
-  # Falco version is computed by some cmake scripts that do git sorceries
-  # to get the current version.
-  # But centos7 jobs have a git version too old and actions/checkout does not 
-  # fully clone the repo, but uses http rest api instead.
   fetch-version:
-    runs-on: ubuntu-latest
-    # Map the job outputs to step outputs
-    outputs:
-      version: ${{ steps.store_version.outputs.version }}  
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-          
-      - name: Install build dependencies
-        run: |
-          sudo apt update 
-          sudo apt install -y cmake build-essential
-      
-      - name: Configure project
-        run: |
-          mkdir build && cd build
-          cmake -DUSE_BUNDLED_DEPS=On ..
-          
-      - name: Load and store Falco version output
-        id: store_version
-        run: |
-          FALCO_VERSION=$(cat build/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-          echo "version=${FALCO_VERSION}" >> $GITHUB_OUTPUT     
+    uses: ./.github/workflows/reusable_fetch_version.yaml 
 
   build-dev-packages:
     needs: [fetch-version]
@@ -56,9 +27,28 @@ jobs:
       arch: aarch64
       version: ${{ needs.fetch-version.outputs.version }}
     secrets: inherit
-    
+
+  test-dev-packages:
+    needs: [fetch-version, build-dev-packages]
+    uses: ./.github/workflows/reusable_test_packages.yaml
+    strategy:
+      fail-fast: false
+      matrix:
+        static: ["static", ""]
+    with:
+      arch: x86_64
+      static: ${{ matrix.static != '' && true || false }}
+      version: ${{ needs.fetch-version.outputs.version }}
+  
+  test-dev-packages-arm64:
+    needs: [fetch-version, build-dev-packages-arm64]
+    uses: ./.github/workflows/reusable_test_packages.yaml
+    with:
+      arch: aarch64
+      version: ${{ needs.fetch-version.outputs.version }}
+
   publish-dev-packages:
-    needs: [fetch-version, build-dev-packages, build-dev-packages-arm64]
+    needs: [fetch-version, test-dev-packages, test-dev-packages-arm64]
     uses: ./.github/workflows/reusable_publish_packages.yaml
     with:
       bucket_suffix: '-dev'

.github/workflows/reusable_fetch_version.yaml

@@ -0,0 +1,40 @@
+# This is a reusable workflow used by master and release CI
+on:
+  workflow_call:
+    outputs:
+      version:
+        description: "Falco version"
+        value: ${{ jobs.fetch-version.outputs.version }}
+    
+jobs:
+  # We need to use an ubuntu-latest to fetch Falco version because
+  # Falco version is computed by some cmake scripts that do git sorceries
+  # to get the current version.
+  # But centos7 jobs have a git version too old and actions/checkout does not 
+  # fully clone the repo, but uses http rest api instead.
+  fetch-version:
+    runs-on: ubuntu-latest
+    # Map the job outputs to step outputs
+    outputs:
+      version: ${{ steps.store_version.outputs.version }}  
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          
+      - name: Install build dependencies
+        run: |
+          sudo apt update 
+          sudo apt install -y cmake build-essential
+      
+      - name: Configure project
+        run: |
+          mkdir build && cd build
+          cmake -DUSE_BUNDLED_DEPS=On ..
+          
+      - name: Load and store Falco version output
+        id: store_version
+        run: |
+          FALCO_VERSION=$(cat build/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+          echo "version=${FALCO_VERSION}" >> $GITHUB_OUTPUT

.github/workflows/reusable_publish_packages.yaml

@@ -117,8 +117,7 @@ jobs:
       - name: Install dependencies
         run: |
           apt update -y
-          apt-get install apt-utils bzip2 gpg python python3-pip -y
-          pip install awscli
+          apt-get install apt-utils bzip2 gpg awscli -y
       
       # Configure AWS role; see https://github.com/falcosecurity/test-infra/pull/1102
       # Note: master CI can only push dev packages as we have 2 different roles for master and release.

.github/workflows/reusable_test_packages.yaml

@@ -0,0 +1,73 @@
+# This is a reusable workflow used by master and release CI
+on:
+  workflow_call:
+    inputs:
+      arch:
+        description: x86_64 or aarch64
+        required: true
+        type: string
+      static:
+        description: Falco packages use a static build
+        required: false
+        type: boolean
+        default: false
+      version:
+        description: The Falco version to use when testing packages
+        required: true
+        type: string
+
+jobs:
+  test-packages:
+    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
+    runs-on: ${{ (inputs.arch == 'aarch64' && fromJSON('[ "self-hosted", "linux", "ARM64" ]')) || 'ubuntu-latest' }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          submodules: 'true'
+      
+      - name: Setup Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: '>=1.17.0'
+
+      - name: Download binary
+        uses: actions/download-artifact@v3
+        with:
+          name: falco-${{ inputs.version }}${{ inputs.static && '-static' || '' }}-${{ inputs.arch }}.tar.gz
+      
+      - name: Install Falco package
+        run: |
+          ls falco-*.tar.gz
+          tar -xvf $(ls falco-*.tar.gz)
+          cd falco-${{ inputs.version }}-${{ inputs.arch }}
+          sudo cp -r * /
+
+      - name: Install go-junit-report
+        run: |
+          pushd submodules/falcosecurity-testing
+          go install github.com/jstemmer/go-junit-report/v2@latest
+          popd
+  
+      - name: Generate regression test files
+        run: |
+          pushd submodules/falcosecurity-testing
+          go generate ./...
+          popd
+
+      - name: Run regression tests
+        run: |
+          pushd submodules/falcosecurity-testing
+          ./build/falco.test -falco-static=${{ inputs.static && 'true' || 'false' }} -test.timeout=90s -test.v >> ./report.txt 2>&1 || true
+          ./build/falcoctl.test -falco-static=${{ inputs.static && 'true' || 'false' }} -test.timeout=90s -test.v >> ./report.txt 2>&1 || true
+          ./build/k8saudit.test -falco-static=${{ inputs.static && 'true' || 'false' }} -test.timeout=90s -test.v >> ./report.txt 2>&1 || true
+          cat ./report.txt | go-junit-report -set-exit-code > report.xml
+          popd
+
+      - name: Test Summary
+        if: always() # run this even if previous step fails
+        uses: test-summary/action@v2
+        with:
+          paths: "submodules/falcosecurity-testing/report.xml"
+          show: "fail"

.gitmodules

@@ -2,3 +2,7 @@
 	path = submodules/falcosecurity-rules
 	url = https://github.com/falcosecurity/rules.git
 	branch = main
+[submodule "submodules/falcosecurity-testing"]
+	path = submodules/falcosecurity-testing
+	url = https://github.com/falcosecurity/testing.git
+	branch = main

CHANGELOG.md

@@ -1,5 +1,35 @@
 # Change Log
 
+## v0.35.1
+
+Released on 2023-06-29
+
+### Major Changes
+
+
+### Minor Changes
+
+* update(userspace): change description of snaplen option stating only performance implications [[#2634](https://github.com/falcosecurity/falco/pull/2634)] - [@loresuso](https://github.com/loresuso)
+* update(cmake): bump libs to 0.11.3 [[#2662](https://github.com/falcosecurity/falco/pull/2662)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* cleanup(config): minor config clarifications [[#2651](https://github.com/falcosecurity/falco/pull/2651)] - [@incertum](https://github.com/incertum)
+* update(cmake): bump falco rules to v1.0.1 [[#2648](https://github.com/falcosecurity/falco/pull/2648)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* chore(userspace/falco): make source matching error more expressive [[#2623](https://github.com/falcosecurity/falco/pull/2623)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(.github): integrate Go regression tests [[#2437](https://github.com/falcosecurity/falco/pull/2437)] - [@jasondellaluce](https://github.com/jasondellaluce)
+
+
+### Bug Fixes
+
+* fix(scripts): fixed falco-driver-loader to manage debian kernel rt and cloud flavors. [[#2627](https://github.com/falcosecurity/falco/pull/2627)] - [@FedeDP](https://github.com/FedeDP)
+* fix(userspace/falco): solve live multi-source issues when loading more than two sources [[#2653](https://github.com/falcosecurity/falco/pull/2653)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(driver-loader): fix ubuntu kernel version parsing [[#2635](https://github.com/falcosecurity/falco/pull/2635)] - [@therealbobo](https://github.com/therealbobo)
+* fix(userspace): switch to timer_settime API for stats writer. [[#2646](https://github.com/falcosecurity/falco/pull/2646)] - [@FedeDP](https://github.com/FedeDP)
+
+
+
+### Non user-facing changes
+
+* CI: bump ubuntu version for tests-driver-loader-integration job [[#2661](https://github.com/falcosecurity/falco/pull/2661)] - [@Andreagit97](https://github.com/Andreagit97)
+
 ## v0.35.0
 
 Released on 2023-06-07

cmake/modules/falcoctl.cmake

@@ -15,14 +15,14 @@ include(ExternalProject)
 
 string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} FALCOCTL_SYSTEM_NAME)
 
-set(FALCOCTL_VERSION "0.5.0")
+set(FALCOCTL_VERSION "0.5.1")
 
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
     set(FALCOCTL_SYSTEM_PROC_GO "amd64")
-    set(FALCOCTL_HASH "ba82ee14ee72fe5737f1b5601e403d8a9422dfe2c467d1754eb488001eeea5f1")
+    set(FALCOCTL_HASH "ea7c89134dc745a1cbdbcf8f839d3b47851a40e1aebee20702a606b03b45b897")
 else() # aarch64
     set(FALCOCTL_SYSTEM_PROC_GO "arm64")
-    set(FALCOCTL_HASH "be145ece641d439011cc4a512d0fd2dac5974cab7399f9a7cd43f08eb43dd446")
+    set(FALCOCTL_HASH "22797200bf0e4c7c45f69207ed85218a3839115a302dc07939d3006778d41300")
 endif()
 
 ExternalProject_Add(

cmake/modules/falcosecurity-libs.cmake

@@ -27,8 +27,8 @@ else()
   # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
   # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..` 
   if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "0.11.2")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=f70364038f88f88cb86de12fddbaf295b932681a920dfb1f0b7d1f88495d027a")
+    set(FALCOSECURITY_LIBS_VERSION "0.11.3")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=b4f9dc8c1612f4b14207d107bce323a0684dce0dbf018e5b846177992569367b")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

cmake/modules/rules.cmake

@@ -15,8 +15,8 @@ include(GNUInstallDirs)
 include(ExternalProject)
 
 # falco_rules.yaml
-set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-1.0.0")
-set(FALCOSECURITY_RULES_FALCO_CHECKSUM "SHA256=3474d170e6cd1ac5c6ee0cfe6a226e3fd8ef5f7191b0363ecd69672601e7914f")
+set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-1.0.1")
+set(FALCOSECURITY_RULES_FALCO_CHECKSUM "SHA256=2348d43196bbbdea92e3f67fa928721a241b0406d0ef369693bdefcec2b3fa13")
 set(FALCOSECURITY_RULES_FALCO_PATH "${PROJECT_BINARY_DIR}/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml")
 ExternalProject_Add(
   falcosecurity-rules-falco

falco.yaml

@@ -148,7 +148,7 @@ rules_file:
 #
 # --- [Description]
 #
-# Falco plugins enable integration with other services in the your ecosystem.
+# Falco plugins enable integration with other services in your ecosystem.
 # They allow Falco to extend its functionality and leverage data sources such as
 # Kubernetes audit logs or AWS CloudTrail logs. This enables Falco to perform
 # fast on-host detections beyond syscalls and container events. The plugin
@@ -162,10 +162,11 @@ rules_file:
 #
 # Please note that if your intention is to enrich Falco syscall logs with fields
 # such as `k8s.ns.name`, `k8s.pod.name`, and `k8s.pod.*`, you do not need to use
-# the `k8saudit` plugin. This information is automatically extracted from the
-# container runtime socket. The `k8saudit` plugin is specifically designed to
-# integrate with Kubernetes audit logs and is not required for basic enrichment
-# of syscall logs with Kubernetes-related fields.
+# the `k8saudit` plugin nor the `-k`/`-K` Kubernetes metadata enrichment. This
+# information is automatically extracted from the container runtime socket. The
+# `k8saudit` plugin is specifically designed to integrate with Kubernetes audit
+# logs and is not required for basic enrichment of syscall logs with
+# Kubernetes-related fields.
 #
 # --- [Usage]
 #
@@ -328,6 +329,9 @@ file_output:
 # [Stable] `http_output`
 #
 # Send logs to an HTTP endpoint or webhook.
+#
+# When using falcosidekick, it is necessary to set `json_output` to true, which is
+# conveniently done automatically for you when using `falcosidekick.enabled=true`.
 http_output:
   enabled: false
   url: http://some.url
@@ -598,6 +602,7 @@ syscall_event_drops:
 # [Experimental] `metrics`
 #
 # Generates "Falco internal: metrics snapshot" rule output when `priority=info` at minimum
+# By selecting `output_file`, equivalent JSON output will be appended to a file.
 #
 # periodic metric snapshots (including stats and resource utilization) captured
 # at regular intervals
@@ -629,6 +634,9 @@ syscall_event_drops:
 #
 # It's important to note that the output fields and their names can be subject
 # to change until the metrics feature reaches a stable release.
+# In addition, the majority of fields represent an instant snapshot, with the
+# exception of event rates per second and drop percentage stats. These values
+# are computed based on the delta between two snapshots.
 #
 # To customize the hostname in Falco, you can set the environment variable
 # `FALCO_HOSTNAME` to your desired hostname. This is particularly useful in
@@ -672,7 +680,8 @@ syscall_event_drops:
 # must be set to `info` at a minimum.
 #
 # `output_file`: Append stats to a `jsonl` file. Use with caution in production
-# as Falco does not automatically rotate the file.
+# as Falco does not automatically rotate the file. It can be used in combination
+# with `output_rule`.
 #
 # `resource_utilization_enabled`: Emit CPU and memory usage metrics. CPU usage
 # is reported as a percentage of one CPU and can be normalized to the total

scripts/falco-driver-loader

@@ -151,11 +151,17 @@ get_target_id() {
 		# Real kernel release is embedded inside the kernel version.
 		# Moreover, kernel arch, when present, is attached to the former,
 		# therefore make sure to properly take it and attach it to the latter.
+		# Moreover, we support 3 flavors for debian kernels: cloud, rt and normal.
+		# KERNEL-RELEASE will have a `-rt`, or `-cloud` if we are in one of these flavors.
+		# Manage it to download the correct driver.
+		#
+		# Example: KERNEL_RELEASE="5.10.0-0.deb10.22-rt-amd64" and `uname -v`="5.10.178-3"
+		# should lead to: KERNEL_RELEASE="5.10.178-3-rt-amd64"
 		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
 		local ARCH_extra=""
-		if [[ $KERNEL_RELEASE =~ -(amd64|arm64) ]];
+		if [[ $KERNEL_RELEASE =~ -?(rt-|cloud-|)(amd64|arm64) ]];
 		then
-			ARCH_extra="-${BASH_REMATCH[1]}"
+			ARCH_extra="-${BASH_REMATCH[1]}${BASH_REMATCH[2]}"
 		fi
 		if [[ $(uname -v) =~ ([0-9]+\.[0-9]+\.[0-9]+\-[0-9]+) ]];
 		then
@@ -165,14 +171,26 @@ get_target_id() {
 	("ubuntu")
 		# Extract the flavor from the kernelrelease
 		# Examples:
-		# 5.0.0-1028-aws-5.0 -> ubuntu-aws-5.0
+		# 5.0.0-1028-aws-5.0 -> ubuntu-aws
 		# 5.15.0-1009-aws -> ubuntu-aws
 		if [[ $KERNEL_RELEASE =~ -([a-zA-Z]+)(-.*)?$ ]];
 		then
-			TARGET_ID="ubuntu-${BASH_REMATCH[1]}${BASH_REMATCH[2]}"
+			TARGET_ID="ubuntu-${BASH_REMATCH[1]}"
 		else
 			TARGET_ID="ubuntu-generic"
 		fi
+
+
+		# In the case that the kernelversion isn't just a number
+		# we keep also the remaining part excluding `-Ubuntu`.
+		# E.g.:
+		# from the following `uname -v` result
+		# `#26~22.04.1-Ubuntu SMP Mon Apr 24 01:58:15 UTC 2023`
+		# we obtain the kernelversion`26~22.04.1`
+		if [[ $(uname -v) =~ (^\#[0-9]+\~[^-]*-Ubuntu .*$) ]];
+		then
+			KERNEL_VERSION=$(uname -v | sed 's/#\([^-\\ ]*\).*/\1/g')
+		fi
 		;;
 	("flatcar")
 		KERNEL_RELEASE="${VERSION_ID}"

userspace/falco/app/actions/helpers_generic.cpp

@@ -39,8 +39,17 @@ bool falco::app::actions::check_rules_plugin_requirements(falco::app::state& s,
 
 void falco::app::actions::print_enabled_event_sources(falco::app::state& s)
 {
-	/* Print all enabled sources. */
+	/* Print all loaded sources. */
 	std::string str;
+	for (const auto &src : s.loaded_sources)
+	{
+		str += str.empty() ? "" : ", ";
+		str += src;
+	}
+	falco_logger::log(LOG_INFO, "Loaded event sources: " + str);
+
+	/* Print all enabled sources. */
+	str.clear();
 	for (const auto &src : s.enabled_sources)
 	{
 		str += str.empty() ? "" : ", ";

userspace/falco/app/actions/init_inspectors.cpp

@@ -187,6 +187,23 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
 		{
 			return run_result::fatal(err);
 		}
+
+		// in live mode, each inspector should have registered at most two event sources:
+		// the "syscall" on, loaded at default at index 0, and optionally another
+		// one defined by a plugin, at index 1
+		if (!s.is_capture_mode())
+		{
+			const auto& sources = src_info->inspector->event_sources();
+			if (sources.size() == 0 || sources.size() > 2 || sources[0] != falco_common::syscall_source)
+			{
+				std::string err;
+				for (const auto &s : sources)
+				{
+					err += (err.empty() ? "" : ", ") + s;
+				}
+				return run_result::fatal("Illegal sources setup in live inspector for source '" + src + "': " + err);
+			}
+		}
 	}
 
 	// check if some plugin remains unused

userspace/falco/app/actions/process_events.cpp

@@ -144,6 +144,13 @@ static falco::app::run_result do_inspect(
 	const bool is_capture_mode = source.empty();
 	size_t source_engine_idx = 0;
 
+	// note(jasondellaluce): The "syscall" event source will always be loaded
+	// by default in an inspector, and at index 0. As such, in live mode we would
+	// expect the event source index to always be 0 in case of "syscall" source,
+	// and 1 in case of any other plugin event source, because it would be
+	// the only other source loaded in its relative live inspector.
+	size_t expected_live_evt_src_idx = source == falco_common::syscall_source ? 0 : 1;
+
 	if (!is_capture_mode)
 	{
 		// note: in live mode, each inspector gets assigned a distinct event
@@ -265,10 +272,13 @@ static falco::app::run_result do_inspect(
 			if (source_engine_idx == sinsp_no_event_source_idx)
 			{
 				std::string msg = "Unknown event source for inspector's event";
-				if (ev->get_type() == PPME_PLUGINEVENT_E)
+				if (ev->get_type() == PPME_PLUGINEVENT_E || ev->get_type() == PPME_ASYNCEVENT_E)
 				{
-					auto pluginID = *(int32_t *)ev->get_param(0)->m_val;
-					msg += " (plugin ID: " + std::to_string(pluginID) + ")";
+					auto pluginID = *(uint32_t *)ev->get_param(0)->m_val;
+					if (pluginID != 0)
+					{
+						msg += " (plugin ID: " + std::to_string(pluginID) + ")";
+					}
 				}
 				return run_result::fatal(msg);
 			}
@@ -280,12 +290,15 @@ static falco::app::run_result do_inspect(
 		{
 			// in live mode, each inspector gets assigned a distinct event source,
 			// so we report an error if we fetch an event of a different source.
-			if (source_engine_idx != ev->get_source_idx())
+			if (expected_live_evt_src_idx != ev->get_source_idx())
 			{
-				auto msg = "Unexpected event source for inspector's event: expected='" + source + "', actual=";
-				msg += (ev->get_source_name() != NULL)
+				std::string actual = (ev->get_source_name() != NULL)
 					? ("'" + std::string(ev->get_source_name()) + "'")
 					: ("<NA>");
+				std::string msg = "Unexpected event source for inspector's event:";
+				msg += " type=" + std::to_string(ev->get_type());
+				msg += ", expected='" + source + " (idx=" + std::to_string(expected_live_evt_src_idx) + ")";
+				msg += "', actual=" + actual + " (idx=" + std::to_string(ev->get_source_idx()) + ")";
 				return run_result::fatal(msg);
 			}
 

userspace/falco/app/options.cpp

@@ -221,7 +221,7 @@ void options::define(cxxopts::Options& opts)
 		("r",                             "Rules file/directory (defaults to value set in configuration file, or /etc/falco_rules.yaml). This option can be passed multiple times to read from multiple files/directories.", cxxopts::value<std::vector<std::string>>(), "<rules_file>")
 		("s",                             "If specified, append statistics related to Falco's reading/processing of events to this file (only useful in live mode).", cxxopts::value(stats_output_file), "<stats_file>")
 		("stats-interval",                "When using -s <stats_file>, write statistics every <msec> ms. This uses signals, and has a minimum threshold of 100 ms. Defaults to 5000 (5 seconds).", cxxopts::value(stats_interval),  "<msec>")
-		("S,snaplen",                     "Capture the first <len> bytes of each I/O buffer. By default, the first 80 bytes are captured. Use this option with caution, it can generate huge trace files.", cxxopts::value(snaplen)->default_value("0"), "<len>")
+		("S,snaplen",                     "Capture the first <len> bytes of each I/O buffer. By default, the first 80 bytes are captured. Use this option with caution, it can have a strong performance impact.", cxxopts::value(snaplen)->default_value("0"), "<len>")
 		("support",                       "Print support information including version, rules files used, etc. and exit.", cxxopts::value(print_support)->default_value("false"))
 		("T",                             "Disable any rules with a tag=<tag>. This option can be passed multiple times. Can not be mized with -t", cxxopts::value<std::vector<std::string>>(), "<tag>")
 		("t",                             "Only run those rules with a tag=<tag>. This option can be passed multiple times. Can not be mixed with -T/-D.", cxxopts::value<std::vector<std::string>>(), "<tag>")

userspace/falco/stats_writer.cpp

@@ -15,7 +15,8 @@ limitations under the License.
 */
 
 #include <sys/time.h>
-#include <signal.h>
+#include <ctime>
+#include <csignal>
 #include <nlohmann/json.hpp>
 #include <atomic>
 
@@ -39,22 +40,32 @@ static void timer_handler(int signum)
 
 bool stats_writer::init_ticker(uint32_t interval_msec, std::string &err)
 {
-	struct itimerval timer;
-	struct sigaction handler;
+	struct itimerspec timer = {};
+	struct sigaction handler = {};
 
-	memset (&handler, 0, sizeof (handler));
+	memset (&handler, 0, sizeof(handler));
 	handler.sa_handler = &timer_handler;
 	if (sigaction(SIGALRM, &handler, NULL) == -1)
 	{
 		err = std::string("Could not set up signal handler for periodic timer: ") + strerror(errno);
 		return false;
 	}
-
+	
+	timer_t timerid;
+	struct sigevent sev = {};
+	/* Create the timer */
+	sev.sigev_notify = SIGEV_SIGNAL;
+	sev.sigev_signo = SIGALRM;
+	sev.sigev_value.sival_ptr = &timerid;
+	if (timer_create(CLOCK_MONOTONIC, &sev, &timerid) == -1) {
+		err = std::string("Could not create periodic timer: ") + strerror(errno);
+		return false;
+	}
 	timer.it_value.tv_sec = interval_msec / 1000;
-	timer.it_value.tv_usec = (interval_msec % 1000) * 1000;
+	timer.it_value.tv_nsec = (interval_msec % 1000) * 1000 * 1000;
 	timer.it_interval = timer.it_value;
-	if (setitimer(ITIMER_REAL, &timer, NULL) == -1)
-	{
+
+	if (timer_settime(timerid, 0, &timer, NULL) == -1) {
 		err = std::string("Could not set up periodic timer: ") + strerror(errno);
 		return false;
 	}