Modify evttype_index_ruleset to derive from indexable_ruleset

Modify evttype_index_ruleset to derive from indexable_ruleset instead of having its own implementation of segregating filters by ruleset id/event type. An evttype_index_ruleset::wrapper contains a falco rule and filter, and run_wrappers() evaluate the filter as before, without the segregation by ruleset id/event type. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Actually add indexable_ruleset to build
2026-03-31 17:12:41 +00:00 · 2024-06-18 10:26:49 -07:00 · 2024-06-14 11:39:32 -07:00 · 2024-06-14 11:39:32 -07:00 · 2024-06-13 16:32:48 +02:00 · 2024-06-13 13:40:48 +02:00
27 changed files with 898 additions and 549 deletions
--- a/.github/workflows/reusable_publish_docker.yaml
+++ b/.github/workflows/reusable_publish_docker.yaml
@@ -152,9 +152,7 @@ jobs:

      - name: Setup Cosign
        if: inputs.sign
-        uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
-        with:
-          cosign-release: v2.0.2
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

      - name: Sign images with cosign
        if: inputs.sign
--- a/.github/workflows/reusable_test_packages.yaml
+++ b/.github/workflows/reusable_test_packages.yaml
@@ -59,6 +59,7 @@ jobs:
          test-falco: 'true'
          test-falcoctl: 'true'
          test-k8saudit: 'true'
+          test-dummy: 'true'
          static: ${{ inputs.static && 'true' || 'false' }}
          test-drivers: ${{ inputs.arch == 'x86_64' && 'true' || 'false' }}
          show-all: 'true'
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,141 @@
 # Change Log

+## v0.38.0
+
+Released on 2024-05-30
+
+### Breaking Changes :warning:
+
+* new(scripts,docker)!: enable automatic driver selection logic in packages and docker images. Modern eBPF is now also the default driver and the highest priority one in the new driver selection logic. [[#3154](https://github.com/falcosecurity/falco/pull/3154)] - [@FedeDP](https://github.com/FedeDP)
+* cleanup(falco.yaml)!: remove some deprecated configs [[#3087](https://github.com/falcosecurity/falco/pull/3087)] - [@Andreagit97](https://github.com/Andreagit97)
+* cleanup(docker)!: remove unused builder dockerfile [[#3088](https://github.com/falcosecurity/falco/pull/3088)] - [@Andreagit97](https://github.com/Andreagit97)
+
+More details: https://falco.org/blog/falco-0-38-0/#breaking-changes-and-deprecations
+
+### Major Changes
+
+* new(webserver): a metrics endpoint has been added providing prometheus metrics. It can be optionally enabled using the new `metrics.prometheus_enabled` configuration option. It will only be activated if the `metrics.enabled` is true as well. [[#3140](https://github.com/falcosecurity/falco/pull/3140)] - [@sgaist](https://github.com/sgaist)
+* new(metrics): add `rules_counters_enabled` option [[#3192](https://github.com/falcosecurity/falco/pull/3192)] - [@incertum](https://github.com/incertum)
+* new(build): provide signatures for .tar.gz packages [[#3201](https://github.com/falcosecurity/falco/pull/3201)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(engine): add print_enabled_rules_falco_logger when log_level debug [[#3189](https://github.com/falcosecurity/falco/pull/3189)] - [@incertum](https://github.com/incertum)
+* new(falco): allow selecting which rules to load from the configuration file or command line [[#3178](https://github.com/falcosecurity/falco/pull/3178)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(metrics): add file sha256sum metrics for loaded config and rules files [[#3187](https://github.com/falcosecurity/falco/pull/3187)] - [@incertum](https://github.com/incertum)
+* new(engine): throw an error when an invalid macro/list name is used [[#3116](https://github.com/falcosecurity/falco/pull/3116)] - [@mrgian](https://github.com/mrgian)
+* new(engine): raise warning instead of error on invalid macro/list name [[#3167](https://github.com/falcosecurity/falco/pull/3167)] - [@mrgian](https://github.com/mrgian)
+* new(userspace): support split config files [[#3024](https://github.com/falcosecurity/falco/pull/3024)] - [@FedeDP](https://github.com/FedeDP)
+* new(engine): enforce unique exceptions names [[#3134](https://github.com/falcosecurity/falco/pull/3134)] - [@mrgian](https://github.com/mrgian)
+* new(engine): add warning when appending an exception with no values [[#3133](https://github.com/falcosecurity/falco/pull/3133)] - [@mrgian](https://github.com/mrgian)
+* feat(metrics): coherent metrics stats model  including few metrics naming changes [[#3129](https://github.com/falcosecurity/falco/pull/3129)] - [@incertum](https://github.com/incertum)
+* new(config): add `falco_libs.thread_table_size` [[#3071](https://github.com/falcosecurity/falco/pull/3071)] - [@incertum](https://github.com/incertum)
+* new(proposals): introduce on host anomaly detection framework [[#2655](https://github.com/falcosecurity/falco/pull/2655)] - [@incertum](https://github.com/incertum)
+
+
+### Minor Changes
+
+* update(cmake): bump falcoctl to v0.8.0. [[#3219](https://github.com/falcosecurity/falco/pull/3219)] - [@FedeDP](https://github.com/FedeDP)
+* update(rules): update falco-rules to 3.1.0 [[#3217](https://github.com/falcosecurity/falco/pull/3217)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* refactor(userspace): move falco logger under falco engine [[#3208](https://github.com/falcosecurity/falco/pull/3208)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* chore(docs): apply features adoption and deprecation proposal to config file keys [[#3206](https://github.com/falcosecurity/falco/pull/3206)] - [@FedeDP](https://github.com/FedeDP)
+* cleanup(metrics): add original rule name as label [[#3205](https://github.com/falcosecurity/falco/pull/3205)] - [@incertum](https://github.com/incertum)
+* update(falco): deprecate options -T, -t and -D [[#3193](https://github.com/falcosecurity/falco/pull/3193)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* refactor: bump libs and driver, support field modifiers [[#3186](https://github.com/falcosecurity/falco/pull/3186)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* chore(userspace/falco): deprecated old 'rules_file' config key [[#3162](https://github.com/falcosecurity/falco/pull/3162)] - [@FedeDP](https://github.com/FedeDP)
+* chore(falco): update falco libs and driver to master (Apr 8th 2024) [[#3158](https://github.com/falcosecurity/falco/pull/3158)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update(build): update libs to 026ffe1d8f1b25c6ccdc09afa2c02afdd3e3f672 [[#3151](https://github.com/falcosecurity/falco/pull/3151)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* cleanup: minor adjustments to readme, add new testing section [[#3072](https://github.com/falcosecurity/falco/pull/3072)] - [@incertum](https://github.com/incertum)
+* refactor(userspace/engine): reduce allocations during rules loading [[#3065](https://github.com/falcosecurity/falco/pull/3065)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(CI): publish wasm package as dev-wasm [[#3017](https://github.com/falcosecurity/falco/pull/3017)] - [@Rohith-Raju](https://github.com/Rohith-Raju)
+
+
+### Bug Fixes
+
+* fix(userspace/falco): fix state initialization avoid a crash during hot reload [[#3190](https://github.com/falcosecurity/falco/pull/3190)] - [@FedeDP](https://github.com/FedeDP)
+* fix(userspace/engine): make sure exception fields are not optional in replace mode [[#3108](https://github.com/falcosecurity/falco/pull/3108)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(docker): added zstd to driver loader images [[#3203](https://github.com/falcosecurity/falco/pull/3203)] - [@FedeDP](https://github.com/FedeDP)
+* fix(engine): raise warning instead of error on not-unique exceptions names [[#3159](https://github.com/falcosecurity/falco/pull/3159)] - [@mrgian](https://github.com/mrgian)
+* fix(engine): apply output substitutions for all sources [[#3135](https://github.com/falcosecurity/falco/pull/3135)] - [@mrgian](https://github.com/mrgian)
+* fix(userspace/configuration): make sure that folders that would trigger permission denied are not traversed [[#3127](https://github.com/falcosecurity/falco/pull/3127)] - [@sgaist](https://github.com/sgaist)
+* fix(engine): logical issue in exceptions condition [[#3115](https://github.com/falcosecurity/falco/pull/3115)] - [@mrgian](https://github.com/mrgian)
+* fix(cmake): properly let falcoctl cmake module create /usr/share/falco/plugins/ folder. [[#3105](https://github.com/falcosecurity/falco/pull/3105)] - [@FedeDP](https://github.com/FedeDP)
+
+
+
+### Non user-facing changes
+
+* update(scripts/falcoctl): bump falco-rules version to 3 [[#3128](https://github.com/falcosecurity/falco/pull/3128)] - [@alacuku](https://github.com/alacuku)
+* build(deps): Bump submodules/falcosecurity-rules from `59bf03b` to `9e56293` [[#3212](https://github.com/falcosecurity/falco/pull/3212)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* chore(gha): update cosign to v3.5.0 [[#3209](https://github.com/falcosecurity/falco/pull/3209)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* build(deps): Bump submodules/falcosecurity-rules from `29c41c4` to `59bf03b` [[#3207](https://github.com/falcosecurity/falco/pull/3207)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(cmake): bumped libs to 0.17.0-rc1 and falcoctl to v0.8.0-rc6. [[#3204](https://github.com/falcosecurity/falco/pull/3204)] - [@FedeDP](https://github.com/FedeDP)
+* build(deps): Bump submodules/falcosecurity-rules from `3f668d0` to `3cac61c` [[#3044](https://github.com/falcosecurity/falco/pull/3044)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* build(deps): Bump submodules/falcosecurity-testing from `ae3950a` to `7abf76f` [[#3094](https://github.com/falcosecurity/falco/pull/3094)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix(ci): enforce bundled deps OFF in build-dev CI [[#3118](https://github.com/falcosecurity/falco/pull/3118)] - [@FedeDP](https://github.com/FedeDP)
+* build(deps): Bump submodules/falcosecurity-rules from `88a40c8` to `869c9a7` [[#3156](https://github.com/falcosecurity/falco/pull/3156)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(cmake): bumped falcoctl to v0.8.0-rc5. [[#3199](https://github.com/falcosecurity/falco/pull/3199)] - [@FedeDP](https://github.com/FedeDP)
+* build(deps): Bump submodules/falcosecurity-rules from `4f153f5` to `29c41c4` [[#3198](https://github.com/falcosecurity/falco/pull/3198)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(cmake): bump falcoctl to v0.8.0-rc4 [[#3191](https://github.com/falcosecurity/falco/pull/3191)] - [@FedeDP](https://github.com/FedeDP)
+* refactor: smart pointer usage [[#3184](https://github.com/falcosecurity/falco/pull/3184)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* build(deps): Bump submodules/falcosecurity-rules from `ec255e6` to `4f153f5` [[#3182](https://github.com/falcosecurity/falco/pull/3182)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(cmake): bumped libs and driver to latest master. [[#3177](https://github.com/falcosecurity/falco/pull/3177)] - [@FedeDP](https://github.com/FedeDP)
+* chore(cmake): enable modern bpf build by default. [[#3180](https://github.com/falcosecurity/falco/pull/3180)] - [@FedeDP](https://github.com/FedeDP)
+* cleanup(docs): fix typo in license blocks [[#3175](https://github.com/falcosecurity/falco/pull/3175)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* chore(docker,scripts): set old eBPF probe as lowest priority driver. [[#3173](https://github.com/falcosecurity/falco/pull/3173)] - [@FedeDP](https://github.com/FedeDP)
+* build(deps): Bump submodules/falcosecurity-rules from `869c9a7` to `ec255e6` [[#3170](https://github.com/falcosecurity/falco/pull/3170)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(app): close inspectors at teardown time [[#3169](https://github.com/falcosecurity/falco/pull/3169)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(docker): fixed docker entrypoints for driver loading. [[#3168](https://github.com/falcosecurity/falco/pull/3168)] - [@FedeDP](https://github.com/FedeDP)
+* fix(docker,scripts): do not load falcoctl driver loader when installing Falco deb package in docker images [[#3166](https://github.com/falcosecurity/falco/pull/3166)] - [@FedeDP](https://github.com/FedeDP)
+* update(ci): build both release and debug versions [[#3161](https://github.com/falcosecurity/falco/pull/3161)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* chore(userspace/falco): watch all configs files. [[#3160](https://github.com/falcosecurity/falco/pull/3160)] - [@FedeDP](https://github.com/FedeDP)
+* fix(ci): update scorecard-action to v2.3.1 [[#3153](https://github.com/falcosecurity/falco/pull/3153)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* cleanup(falco): consolidate falco::grpc::server in one class [[#3150](https://github.com/falcosecurity/falco/pull/3150)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(build): enable ASan and UBSan builds with options and in CI [[#3147](https://github.com/falcosecurity/falco/pull/3147)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(userspace): variable / function shadowing [[#3123](https://github.com/falcosecurity/falco/pull/3123)] - [@sgaist](https://github.com/sgaist)
+* build(deps): Bump submodules/falcosecurity-rules from `fbf0a4e` to `88a40c8` [[#3145](https://github.com/falcosecurity/falco/pull/3145)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix(cmake): fix USE_BUNDLED_DEPS=ON and BUILD_FALCO_UNIT_TESTS=ON [[#3146](https://github.com/falcosecurity/falco/pull/3146)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* Add --kernelversion and --kernelrelease options to falco driver loader entrypoint [[#3143](https://github.com/falcosecurity/falco/pull/3143)] - [@Sryther](https://github.com/Sryther)
+* build(deps): Bump submodules/falcosecurity-rules from `44addef` to `fbf0a4e` [[#3139](https://github.com/falcosecurity/falco/pull/3139)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* chore: bump to latest libs commit [[#3137](https://github.com/falcosecurity/falco/pull/3137)] - [@Andreagit97](https://github.com/Andreagit97)
+* refactor: Use FetchContent for integrating three bundled libs [[#3107](https://github.com/falcosecurity/falco/pull/3107)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* build(deps): Bump submodules/falcosecurity-rules from `dc7970d` to `44addef` [[#3136](https://github.com/falcosecurity/falco/pull/3136)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* build(deps): Bump submodules/falcosecurity-rules from `f88b991` to `dc7970d` [[#3126](https://github.com/falcosecurity/falco/pull/3126)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* refactor(ci): Avoid using command make directly [[#3101](https://github.com/falcosecurity/falco/pull/3101)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* docs(proposal): 20231220-features-adoption-and-deprecation.md [[#2986](https://github.com/falcosecurity/falco/pull/2986)] - [@leogr](https://github.com/leogr)
+* build(deps): Bump submodules/falcosecurity-rules from `b499a1d` to `f88b991` [[#3125](https://github.com/falcosecurity/falco/pull/3125)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* docs(README.md): Falco Graduates within the CNCF [[#3124](https://github.com/falcosecurity/falco/pull/3124)] - [@leogr](https://github.com/leogr)
+* build(deps): Bump submodules/falcosecurity-rules from `497e011` to `b499a1d` [[#3111](https://github.com/falcosecurity/falco/pull/3111)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* chore(ci): bumped codeql actions. [[#3114](https://github.com/falcosecurity/falco/pull/3114)] - [@FedeDP](https://github.com/FedeDP)
+* Cleanup warnings and smart ptrs [[#3112](https://github.com/falcosecurity/falco/pull/3112)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* new(build): add options to use bundled dependencies [[#3092](https://github.com/falcosecurity/falco/pull/3092)] - [@mrgian](https://github.com/mrgian)
+* fix(ci): test-dev-packages-arm64 needs build-dev-packages-arm64. [[#3110](https://github.com/falcosecurity/falco/pull/3110)] - [@FedeDP](https://github.com/FedeDP)
+* refactor: bump libs and driver, and adopt unique pointers wherever possible [[#3109](https://github.com/falcosecurity/falco/pull/3109)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* cleanup: falco_engine test fixture [[#3099](https://github.com/falcosecurity/falco/pull/3099)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* refactor: test AtomicSignalHandler.handle_once_wait_consistency [[#3100](https://github.com/falcosecurity/falco/pull/3100)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* Cleanup variable use [[#3097](https://github.com/falcosecurity/falco/pull/3097)] - [@sgaist](https://github.com/sgaist)
+* cleanup(submodules): dropped testing submodule. [[#3098](https://github.com/falcosecurity/falco/pull/3098)] - [@FedeDP](https://github.com/FedeDP)
+* cleanup(ci): make use of falcosecurity/testing provided composite action [[#3093](https://github.com/falcosecurity/falco/pull/3093)] - [@FedeDP](https://github.com/FedeDP)
+* Improve const correctness [[#3083](https://github.com/falcosecurity/falco/pull/3083)] - [@sgaist](https://github.com/sgaist)
+* Improve exception throwing [[#3085](https://github.com/falcosecurity/falco/pull/3085)] - [@sgaist](https://github.com/sgaist)
+* fix(ci): update sync in deb and rpm scripts with acl [[#3062](https://github.com/falcosecurity/falco/pull/3062)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* cleanup(tests): consolidate Falco engine and rule loader tests [[#3066](https://github.com/falcosecurity/falco/pull/3066)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* cleanup: falco_engine deps and include paths [[#3090](https://github.com/falcosecurity/falco/pull/3090)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* fix: Some compiler warnings [[#3089](https://github.com/falcosecurity/falco/pull/3089)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* build(deps): Bump submodules/falcosecurity-rules from `0f60976` to `497e011` [[#3081](https://github.com/falcosecurity/falco/pull/3081)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix(c++): add missing explicit to single argument constructors [[#3069](https://github.com/falcosecurity/falco/pull/3069)] - [@sgaist](https://github.com/sgaist)
+* Improve class initialization [[#3074](https://github.com/falcosecurity/falco/pull/3074)] - [@sgaist](https://github.com/sgaist)
+* build(deps): Bump submodules/falcosecurity-rules from `6ed2036` to `0f60976` [[#3078](https://github.com/falcosecurity/falco/pull/3078)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* build(deps): Bump submodules/falcosecurity-rules from `1053b2d` to `6ed2036` [[#3067](https://github.com/falcosecurity/falco/pull/3067)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix(c++): add missing overrides [[#3064](https://github.com/falcosecurity/falco/pull/3064)] - [@sgaist](https://github.com/sgaist)
+* new(build): prune deb-dev and rpm-dev directories [[#3056](https://github.com/falcosecurity/falco/pull/3056)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* refactor(userspace): align falco to gen-event class family deprecation [[#3051](https://github.com/falcosecurity/falco/pull/3051)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* build(deps): Bump submodules/falcosecurity-rules from `3cac61c` to `1053b2d` [[#3047](https://github.com/falcosecurity/falco/pull/3047)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix: adopt new libsinsp logger [[#3026](https://github.com/falcosecurity/falco/pull/3026)] - [@therealbobo](https://github.com/therealbobo)
+* refactor: cleanup libs relative include paths [[#2936](https://github.com/falcosecurity/falco/pull/2936)] - [@therealbobo](https://github.com/therealbobo)
+* chore(ci): bumped rn2md to latest master. [[#3046](https://github.com/falcosecurity/falco/pull/3046)] - [@FedeDP](https://github.com/FedeDP)
+* Support alternate rules loader [[#3008](https://github.com/falcosecurity/falco/pull/3008)] - [@mstemm](https://github.com/mstemm)
+* fix(ci): fixed release body driver version. [[#3042](https://github.com/falcosecurity/falco/pull/3042)] - [@FedeDP](https://github.com/FedeDP)
+* build(deps): Bump submodules/falcosecurity-rules from `c39d31a` to `3f668d0` [[#3039](https://github.com/falcosecurity/falco/pull/3039)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+
+
 ## v0.37.1

 Released on 2024-02-13
--- a/cmake/modules/driver.cmake
+++ b/cmake/modules/driver.cmake
@@ -34,8 +34,8 @@ else()
  # In case you want to test against another driver version (or branch, or commit) just pass the variable -
  # ie., `cmake -DDRIVER_VERSION=dev ..`
  if(NOT DRIVER_VERSION)
-    set(DRIVER_VERSION "0.17.0-rc1")
-    set(DRIVER_CHECKSUM "SHA256=63809beb5e448911f153b8c25f814075238a55f301923aeb3d2374be6309460b")
+    set(DRIVER_VERSION "774db6b944cb4c7bca692400cec89cf14312cac2")
+    set(DRIVER_CHECKSUM "SHA256=61984089d71cc96e4fdf1ffe82b4da16802a0228859d7f15745173f0c9673b5e")
  endif()

  # cd /path/to/build && cmake /path/to/source
--- a/cmake/modules/falcoctl.cmake
+++ b/cmake/modules/falcoctl.cmake
@@ -16,14 +16,14 @@ include(ExternalProject)

 string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} FALCOCTL_SYSTEM_NAME)

-set(FALCOCTL_VERSION "0.8.0-rc6")
+set(FALCOCTL_VERSION "0.8.0")

 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
    set(FALCOCTL_SYSTEM_PROC_GO "amd64")
-    set(FALCOCTL_HASH "af49a15f28281aff37aa57808211cdd0772966a694da3b5a256d0e58e27bd16b")
+    set(FALCOCTL_HASH "7b763bfaf38faf582840af22750dca7150d03958a5dc47f6118748713d661589")
 else() # aarch64
    set(FALCOCTL_SYSTEM_PROC_GO "arm64")
-    set(FALCOCTL_HASH "262189f954be20372ff79c5e984b64e530cdfeecc6df74be3b8846fb52ee2bdf")
+    set(FALCOCTL_HASH "7f826de7a8a84e65c46a160e7e59d1deca874f39b79a8251721a2669905baf14")
 endif()

 ExternalProject_Add(
--- a/cmake/modules/falcosecurity-libs.cmake
+++ b/cmake/modules/falcosecurity-libs.cmake
@@ -35,8 +35,8 @@ else()
  # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
  # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..`
  if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "0.17.0-rc1")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=63809beb5e448911f153b8c25f814075238a55f301923aeb3d2374be6309460b")
+    set(FALCOSECURITY_LIBS_VERSION "774db6b944cb4c7bca692400cec89cf14312cac2")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=61984089d71cc96e4fdf1ffe82b4da16802a0228859d7f15745173f0c9673b5e")
  endif()

  # cd /path/to/build && cmake /path/to/source
--- a/cmake/modules/rules.cmake
+++ b/cmake/modules/rules.cmake
@@ -16,8 +16,8 @@ include(GNUInstallDirs)
 include(ExternalProject)

 # falco_rules.yaml
-set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-3.0.0")
-set(FALCOSECURITY_RULES_FALCO_CHECKSUM "SHA256=2e91799fee49c2daf58fb482e47410a21433eb116e02cde18206f7af87449ddb")
+set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-3.1.0")
+set(FALCOSECURITY_RULES_FALCO_CHECKSUM "SHA256=3b617920c0b66128627613e591a954eb9572747a4c287bc13b53b38786250162")
 set(FALCOSECURITY_RULES_FALCO_PATH "${PROJECT_BINARY_DIR}/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml")
 ExternalProject_Add(
  falcosecurity-rules-falco
--- a/falco.yaml
+++ b/falco.yaml
@@ -1037,6 +1037,11 @@ syscall_event_drops:
 # beneficial for exploring the data schema and ensuring that fields with empty
 # values are included in the output.
 #
+# `plugins_metrics_enabled`: Falco can now expose your custom plugins' 
+# metrics. Please note that if the respective plugin has no metrics implemented, 
+# there will be no metrics available. In other words, there are no default or 
+# generic plugin metrics at this time. This may be subject to change.
+#
 # If metrics are enabled, the web server can be configured to activate the
 # corresponding Prometheus endpoint using `webserver.prometheus_metrics_enabled`.
 # Prometheus output can be used in combination with the other output options.
@@ -1055,6 +1060,7 @@ metrics:
  state_counters_enabled: true
  kernel_event_counters_enabled: true
  libbpf_stats_enabled: true
+  plugins_metrics_enabled: true
  convert_memory_to_mb: true
  include_empty_values: false

--- a/proposals/20210501-plugin-system.md
+++ b/proposals/20210501-plugin-system.md
@@ -335,7 +335,7 @@ typedef struct
 	// the type of the value they return (string, integer...).
 	// Required: no
 	// Arguments:
-	// - evtnum: the number of the event that is bein processed
+	// - evtnum: the number of the event that is being processed
 	// - id: the numeric identifier of the field to extract. It corresponds to the
 	//   position of the field in the array returned by get_fields().
 	// - arg: the field argument, if an argument has been specified for the field,
--- a/submodules/falcosecurity-rules
+++ b/submodules/falcosecurity-rules
--- a/unit_tests/falco/test_atomic_signal_handler.cpp
+++ b/unit_tests/falco/test_atomic_signal_handler.cpp
@@ -16,7 +16,7 @@ limitations under the License.
 */

 #include <falco/atomic_signal_handler.h>
-#include <falco/logger.h>
+#include <engine/logger.h>

 #include <gtest/gtest.h>

--- a/userspace/engine/CMakeLists.txt
+++ b/userspace/engine/CMakeLists.txt
@@ -22,6 +22,8 @@ add_library(falco_engine STATIC
    filter_details_resolver.cpp
    filter_macro_resolver.cpp
    filter_warning_resolver.cpp
+    indexable_ruleset.cpp
+    logger.cpp
    stats_manager.cpp
    rule_loader.cpp
    rule_loader_reader.cpp
--- a/userspace/engine/evttype_index_ruleset.cpp
+++ b/userspace/engine/evttype_index_ruleset.cpp
@@ -17,14 +17,13 @@ limitations under the License.

 #include "evttype_index_ruleset.h"

-#include "falco_utils.h"
-
-#include "../falco/logger.h"
+#include "logger.h"

 #include <algorithm>

 evttype_index_ruleset::evttype_index_ruleset(
-	std::shared_ptr<sinsp_filter_factory> f): m_filter_factory(f)
+	std::shared_ptr<sinsp_filter_factory> f):
+	m_filter_factory(f)
 {
 }

@@ -32,170 +31,6 @@ evttype_index_ruleset::~evttype_index_ruleset()
 {
 }

-evttype_index_ruleset::ruleset_filters::ruleset_filters()
-{
-}
-
-evttype_index_ruleset::ruleset_filters::~ruleset_filters()
-{
-}
-
-void evttype_index_ruleset::ruleset_filters::add_wrapper_to_list(filter_wrapper_list &wrappers, std::shared_ptr<filter_wrapper> wrap)
-{
-	// This is O(n) but it's also uncommon
-	// (when loading rules only).
-	auto pos = std::find(wrappers.begin(),
-			     wrappers.end(),
-			     wrap);
-
-	if(pos == wrappers.end())
-	{
-		wrappers.push_back(wrap);
-	}
-}
-
-void evttype_index_ruleset::ruleset_filters::remove_wrapper_from_list(filter_wrapper_list &wrappers, std::shared_ptr<filter_wrapper> wrap)
-{
-	// This is O(n) but it's also uncommon
-	// (when loading rules only).
-	auto pos = std::find(wrappers.begin(),
-			     wrappers.end(),
-			     wrap);
-	if(pos != wrappers.end())
-	{
-		wrappers.erase(pos);
-	}
-}
-
-void evttype_index_ruleset::ruleset_filters::add_filter(std::shared_ptr<filter_wrapper> wrap)
-{
-	if(wrap->event_codes.empty())
-	{
-		// Should run for all event types
-		add_wrapper_to_list(m_filter_all_event_types, wrap);
-	}
-	else
-	{
-		for(auto &etype : wrap->event_codes)
-		{
-			if(m_filter_by_event_type.size() <= etype)
-			{
-				m_filter_by_event_type.resize(etype + 1);
-			}
-
-			add_wrapper_to_list(m_filter_by_event_type[etype], wrap);
-		}
-	}
-
-	m_filters.insert(wrap);
-}
-
-void evttype_index_ruleset::ruleset_filters::remove_filter(std::shared_ptr<filter_wrapper> wrap)
-{
-	if(wrap->event_codes.empty())
-	{
-		remove_wrapper_from_list(m_filter_all_event_types, wrap);
-	}
-	else
-	{
-		for(auto &etype : wrap->event_codes)
-		{
-			if( etype < m_filter_by_event_type.size() )
-			{
-				remove_wrapper_from_list(m_filter_by_event_type[etype], wrap);
-			}
-		}
-	}
-
-	m_filters.erase(wrap);
-}
-
-uint64_t evttype_index_ruleset::ruleset_filters::num_filters()
-{
-	return m_filters.size();
-}
-
-bool evttype_index_ruleset::ruleset_filters::run(sinsp_evt *evt, falco_rule& match)
-{
-    if(evt->get_type() < m_filter_by_event_type.size())
-    {
-        for(const auto &wrap : m_filter_by_event_type[evt->get_type()])
-        {
-            if(wrap->filter->run(evt))
-            {
-				match = wrap->rule;
-                return true;
-            }
-        }
-    }
-
-	// Finally, try filters that are not specific to an event type.
-	for(const auto &wrap : m_filter_all_event_types)
-	{
-		if(wrap->filter->run(evt))
-		{
-			match = wrap->rule;
-			return true;
-		}
-	}
-
-	return false;
-}
-
-bool evttype_index_ruleset::ruleset_filters::run(sinsp_evt *evt, std::vector<falco_rule>& matches)
-{
-	bool match_found = false;
-
-	if(evt->get_type() < m_filter_by_event_type.size())
-	{
-		for(const auto &wrap : m_filter_by_event_type[evt->get_type()])
-		{
-			if(wrap->filter->run(evt))
-			{
-				matches.push_back(wrap->rule);
-				match_found = true;
-			}
-		}
-	}
-
-	if(match_found)
-	{
-		return true;
-	}
-
-	// Finally, try filters that are not specific to an event type.
-	for(const auto &wrap : m_filter_all_event_types)
-	{
-		if(wrap->filter->run(evt))
-		{
-			matches.push_back(wrap->rule);
-			match_found = true;
-		}
-	}
-
-	return match_found;
-}
-
-libsinsp::events::set<ppm_sc_code> evttype_index_ruleset::ruleset_filters::sc_codes()
-{
-	libsinsp::events::set<ppm_sc_code> res;
-	for(const auto &wrap : m_filters)
-	{
-		res.insert(wrap->sc_codes.begin(), wrap->sc_codes.end());
-	}
-	return res;
-}
-
-libsinsp::events::set<ppm_event_code> evttype_index_ruleset::ruleset_filters::event_codes()
-{
-	libsinsp::events::set<ppm_event_code> res;
-	for(const auto &wrap : m_filters)
-	{
-		res.insert(wrap->event_codes.begin(), wrap->event_codes.end());
-	}
-	return res;
-}
-
 void evttype_index_ruleset::add(
 		const falco_rule& rule,
 		std::shared_ptr<sinsp_filter> filter,
@@ -203,21 +38,22 @@ void evttype_index_ruleset::add(
 {
 	try
 	{
-		auto wrap = std::make_shared<filter_wrapper>();
-		wrap->rule = rule;
-		wrap->filter = filter;
+		auto wrap = std::make_shared<wrapper>();
+		wrap->m_rule = rule;
+		wrap->m_filter = filter;
 		if(rule.source == falco_common::syscall_source)
 		{
-			wrap->sc_codes = libsinsp::filter::ast::ppm_sc_codes(condition.get());
-			wrap->event_codes = libsinsp::filter::ast::ppm_event_codes(condition.get());
+			wrap->m_sc_codes = libsinsp::filter::ast::ppm_sc_codes(condition.get());
+			wrap->m_event_codes = libsinsp::filter::ast::ppm_event_codes(condition.get());
 		}
 		else
 		{
-			wrap->sc_codes = { };
-			wrap->event_codes = { ppm_event_code::PPME_PLUGINEVENT_E };
+			wrap->m_sc_codes = {};
+			wrap->m_event_codes = {ppm_event_code::PPME_PLUGINEVENT_E};
 		}
-		wrap->event_codes.insert(ppm_event_code::PPME_ASYNCEVENT_E);
-		m_filters.insert(wrap);
+		wrap->m_event_codes.insert(ppm_event_code::PPME_ASYNCEVENT_E);
+
+		add_wrapper(wrap);
 	}
 	catch (const sinsp_exception& e)
 	{
@@ -230,180 +66,48 @@ void evttype_index_ruleset::on_loading_complete()
 	print_enabled_rules_falco_logger();
 }

+bool evttype_index_ruleset::run_wrappers(sinsp_evt *evt, filter_wrapper_list &wrappers, uint16_t ruleset_id, falco_rule &match)
+{
+	for(auto &wrap : wrappers)
+	{
+		wrapper *derived = static_cast<wrapper *>(wrap.get());
+		if(derived->m_filter->run(evt))
+		{
+			match = derived->m_rule;
+			return true;
+		}
+	}
+
+	return false;
+}
+
+bool evttype_index_ruleset::run_wrappers(sinsp_evt *evt, filter_wrapper_list &wrappers, uint16_t ruleset_id, std::vector<falco_rule> &matches)
+{
+	bool match_found = false;
+
+	for(auto &wrap : wrappers)
+	{
+		wrapper *derived = static_cast<wrapper *>(wrap.get());
+		if(derived->m_filter->run(evt))
+		{
+			matches.push_back(derived->m_rule);
+			match_found = true;
+		}
+	}
+
+	return match_found;
+}
+
 void evttype_index_ruleset::print_enabled_rules_falco_logger()
 {
 	falco_logger::log(falco_logger::level::DEBUG, "Enabled rules:\n");
-	int n = 0;
-	for (const auto& ruleset_ptr : m_rulesets)
+
+	auto logger = [](std::shared_ptr<filter_wrapper> wrap)
 	{
-		if (ruleset_ptr)
-		{
-			for (const auto& wrap : ruleset_ptr->get_filters())
-			{
-				n++;
-				falco_logger::log(falco_logger::level::DEBUG, std::string("   ") + wrap->rule.name + "\n");
-			}
-		}
-	}
-	falco_logger::log(falco_logger::level::DEBUG, "(" + std::to_string(n) + ") enabled rules in total\n");
-}
-
-void evttype_index_ruleset::clear()
-{
-	for (size_t i = 0; i < m_rulesets.size(); i++)
-	{
-		m_rulesets[i] = std::make_shared<ruleset_filters>();
-	}
-	m_filters.clear();
-}
-
-void evttype_index_ruleset::enable(const std::string &pattern, match_type match, uint16_t ruleset_id)
-{
-	enable_disable(pattern, match, true, ruleset_id);
-}
-
-void evttype_index_ruleset::disable(const std::string &pattern, match_type match, uint16_t ruleset_id)
-{
-	enable_disable(pattern, match, false, ruleset_id);
-}
-
-void evttype_index_ruleset::enable_disable(const std::string &pattern, match_type match, bool enabled, uint16_t ruleset_id)
-{
-	while(m_rulesets.size() < (size_t)ruleset_id + 1)
-	{
-		m_rulesets.emplace_back(std::make_shared<ruleset_filters>());
-	}
-
-	for(const auto &wrap : m_filters)
-	{
-		bool matches;
-		std::string::size_type pos;
-
-		switch(match)
-		{
-		case match_type::exact:
-			pos = wrap->rule.name.find(pattern);
-
-			matches = (pattern == "" || (pos == 0 &&
-						       pattern.size() == wrap->rule.name.size()));
-			break;
-		case match_type::substring:
-			matches = (pattern == "" || (wrap->rule.name.find(pattern) != std::string::npos));
-			break;
-		case match_type::wildcard:
-			matches = falco::utils::matches_wildcard(pattern, wrap->rule.name);
-			break;
-		default:
-			// should never happen
-			matches = false;
-		}
-
-		if(matches)
-		{
-			if(enabled)
-			{
-				m_rulesets[ruleset_id]->add_filter(wrap);
-			}
-			else
-			{
-				m_rulesets[ruleset_id]->remove_filter(wrap);
-			}
-		}
-	}
-}
-
-void evttype_index_ruleset::enable_tags(const std::set<std::string> &tags, uint16_t ruleset_id)
-{
-	enable_disable_tags(tags, true, ruleset_id);
-}
-
-void evttype_index_ruleset::disable_tags(const std::set<std::string> &tags, uint16_t ruleset_id)
-{
-	enable_disable_tags(tags, false, ruleset_id);
-}
-
-void evttype_index_ruleset::enable_disable_tags(const std::set<std::string> &tags, bool enabled, uint16_t ruleset_id)
-{
-	while(m_rulesets.size() < (size_t)ruleset_id + 1)
-	{
-		m_rulesets.emplace_back(std::make_shared<ruleset_filters>());
-	}
-
-	for(const auto &wrap : m_filters)
-	{
-		std::set<std::string> intersect;
-
-		set_intersection(tags.begin(), tags.end(),
-				 wrap->rule.tags.begin(), wrap->rule.tags.end(),
-				 inserter(intersect, intersect.begin()));
-
-		if(!intersect.empty())
-		{
-			if(enabled)
-			{
-				m_rulesets[ruleset_id]->add_filter(wrap);
-			}
-			else
-			{
-				m_rulesets[ruleset_id]->remove_filter(wrap);
-			}
-		}
-	}
-}
-
-uint64_t evttype_index_ruleset::enabled_count(uint16_t ruleset_id)
-{
-	while(m_rulesets.size() < (size_t)ruleset_id + 1)
-	{
-		m_rulesets.emplace_back(std::make_shared<ruleset_filters>());
-	}
-
-	return m_rulesets[ruleset_id]->num_filters();
-}
-
-bool evttype_index_ruleset::run(sinsp_evt *evt, falco_rule& match, uint16_t ruleset_id)
-{
-	if(m_rulesets.size() < (size_t)ruleset_id + 1)
-	{
-		return false;
-	}
-
-	return m_rulesets[ruleset_id]->run(evt, match);
-}
-
-bool evttype_index_ruleset::run(sinsp_evt *evt, std::vector<falco_rule>& matches, uint16_t ruleset_id)
-{
-	if(m_rulesets.size() < (size_t)ruleset_id + 1)
-	{
-		return false;
-	}
-
-	return m_rulesets[ruleset_id]->run(evt, matches);
-}
-
-void evttype_index_ruleset::enabled_evttypes(std::set<uint16_t> &evttypes, uint16_t ruleset_id)
-{
-	evttypes.clear();
-	for (const auto& e : enabled_event_codes(ruleset_id))
-	{
-		evttypes.insert((uint16_t) e);
-	}
-}
-
-libsinsp::events::set<ppm_sc_code> evttype_index_ruleset::enabled_sc_codes(uint16_t ruleset)
-{
-	if(m_rulesets.size() < (size_t)ruleset + 1)
-	{
-		return {};
-	}
-	return m_rulesets[ruleset]->sc_codes();
-}
-
-libsinsp::events::set<ppm_event_code> evttype_index_ruleset::enabled_event_codes(uint16_t ruleset)
-{
-	if(m_rulesets.size() < (size_t)ruleset + 1)
-	{
-		return {};
-	}
-	return m_rulesets[ruleset]->event_codes();
+		falco_logger::log(falco_logger::level::DEBUG, std::string("   ") + wrap->name() + "\n");
+	};
+
+	uint64_t num_filters = iterate(logger);
+
+	falco_logger::log(falco_logger::level::DEBUG, "(" + std::to_string(num_filters) + ") enabled rules in total\n");
 }
--- a/userspace/engine/evttype_index_ruleset.h
+++ b/userspace/engine/evttype_index_ruleset.h
@@ -17,151 +17,53 @@ limitations under the License.

 #pragma once

+#include "indexable_ruleset.h"
+
 #include <string>
 #include <set>
 #include <vector>
-#include <list>
-#include <map>
-
-#include "filter_ruleset.h"
-#include <libsinsp/sinsp.h>
-#include <libsinsp/filter.h>
-#include <libsinsp/event.h>

 /*!
 	\brief A filter_ruleset that indexes enabled rules by event type,
 	and performs linear search on each event type bucket
 */
-class evttype_index_ruleset: public filter_ruleset
+class evttype_index_ruleset : public indexable_ruleset
 {
 public:
 	explicit evttype_index_ruleset(std::shared_ptr<sinsp_filter_factory> factory);
 	virtual ~evttype_index_ruleset();

+	// From filter_ruleset
 	void add(
 		const falco_rule& rule,
 		std::shared_ptr<sinsp_filter> filter,
 		std::shared_ptr<libsinsp::filter::ast::expr> condition) override;

-	void clear() override;
-
-	bool run(sinsp_evt *evt, falco_rule& match, uint16_t ruleset_id) override;
-	bool run(sinsp_evt *evt, std::vector<falco_rule>&matches, uint16_t ruleset_id) override;
-
-	uint64_t enabled_count(uint16_t ruleset_id) override;
-
 	void on_loading_complete() override;

+	// From indexable_ruleset
+	bool run_wrappers(sinsp_evt *evt, filter_wrapper_list &wrappers, uint16_t ruleset_id, falco_rule &match) override;
+	bool run_wrappers(sinsp_evt *evt, filter_wrapper_list &wrappers, uint16_t ruleset_id, std::vector<falco_rule> &matches) override;
+
 	// Print each enabled rule when running Falco with falco logger
 	// log_level=debug; invoked within on_loading_complete()
 	void print_enabled_rules_falco_logger();

-	void enable(
-		const std::string &pattern,
-		match_type match,
-		uint16_t rulset_id) override;
-
-	void disable(
-		const std::string &pattern,
-		match_type match,
-		uint16_t rulset_id) override;
-
-	void enable_tags(
-		const std::set<std::string> &tags,
-		uint16_t rulset_id) override;
-
-	void disable_tags(
-		const std::set<std::string> &tags,
-		uint16_t rulset_id) override;
-
-	// note(jasondellaluce): this is deprecated, must use the new
-	// typing-improved `enabled_event_codes` and `enabled_sc_codes` instead
-	// todo(jasondellaluce): remove this in future code refactors
-	void enabled_evttypes(
-		std::set<uint16_t> &evttypes,
-		uint16_t ruleset) override;
-
-	libsinsp::events::set<ppm_sc_code> enabled_sc_codes(uint16_t ruleset) override;
-
-	libsinsp::events::set<ppm_event_code> enabled_event_codes(uint16_t ruleset) override;
-
 private:
-
-	// Helper used by enable()/disable()
-	void enable_disable(
-		const std::string &pattern,
-		match_type match,
-		bool enabled,
-		uint16_t rulset_id);
-
-	// Helper used by enable_tags()/disable_tags()
-	void enable_disable_tags(
-		const std::set<std::string> &tags,
-		bool enabled,
-		uint16_t rulset_id);
-
-	struct filter_wrapper
+	struct wrapper : public indexable_ruleset::filter_wrapper
 	{
-		falco_rule rule;
-		libsinsp::events::set<ppm_sc_code> sc_codes;
-		libsinsp::events::set<ppm_event_code> event_codes;
-		std::shared_ptr<sinsp_filter> filter;
+		const std::string &name() override { return m_rule.name; }
+		const std::set<std::string> &tags() override { return m_rule.tags; }
+		const libsinsp::events::set<ppm_sc_code> &sc_codes() override { return m_sc_codes; }
+		const libsinsp::events::set<ppm_event_code> &event_codes() override { return m_event_codes; }
+
+		falco_rule m_rule;
+		libsinsp::events::set<ppm_sc_code> m_sc_codes;
+		libsinsp::events::set<ppm_event_code> m_event_codes;
+		std::shared_ptr<sinsp_filter> m_filter;
 	};

-	typedef std::list<std::shared_ptr<filter_wrapper>> filter_wrapper_list;
-
-	// A group of filters all having the same ruleset
-	class ruleset_filters {
-	public:
-		ruleset_filters();
-
-		virtual ~ruleset_filters();
-
-		void add_filter(std::shared_ptr<filter_wrapper> wrap);
-		void remove_filter(std::shared_ptr<filter_wrapper> wrap);
-
-		uint64_t num_filters();
-
-		inline const std::set<std::shared_ptr<filter_wrapper>>& get_filters() const
-		{
-			return m_filters;
-		}
-
-		// Evaluate an event against the ruleset and return the first rule
-		// that matched.
-		bool run(sinsp_evt *evt, falco_rule& match);
-
-		//  Evaluate an event against the ruleset and return all the
-		//	matching rules.
-		bool run(sinsp_evt *evt, std::vector<falco_rule>& matches);
-
-		libsinsp::events::set<ppm_sc_code> sc_codes();
-
-		libsinsp::events::set<ppm_event_code> event_codes();
-
-	private:
-		void add_wrapper_to_list(filter_wrapper_list &wrappers, std::shared_ptr<filter_wrapper> wrap);
-		void remove_wrapper_from_list(filter_wrapper_list &wrappers, std::shared_ptr<filter_wrapper> wrap);
-
-		// Vector indexes from event type to a set of filters. There can
-		// be multiple filters for a given event type.
-		// NOTE: This is used only when the event sub-type is 0.
-		std::vector<filter_wrapper_list> m_filter_by_event_type;
-
-		filter_wrapper_list m_filter_all_event_types;
-
-		// All filters added. Used to make num_filters() fast.
-		std::set<std::shared_ptr<filter_wrapper>> m_filters;
-	};
-
-	// Vector indexes from ruleset id to set of rules.
-	std::vector<std::shared_ptr<ruleset_filters>> m_rulesets;
-
-	// All filters added. The set of enabled filters is held in m_rulesets
-	std::set<std::shared_ptr<filter_wrapper>> m_filters;
-
 	std::shared_ptr<sinsp_filter_factory> m_filter_factory;
-	std::vector<std::string> m_ruleset_names;
 };

 class evttype_index_ruleset_factory: public filter_ruleset_factory
--- a/userspace/engine/falco_engine_version.h
+++ b/userspace/engine/falco_engine_version.h
@@ -20,7 +20,7 @@ limitations under the License.

 // The version of this Falco engine
 #define FALCO_ENGINE_VERSION_MAJOR 0
-#define FALCO_ENGINE_VERSION_MINOR 40
+#define FALCO_ENGINE_VERSION_MINOR 41
 #define FALCO_ENGINE_VERSION_PATCH 0

 #define FALCO_ENGINE_VERSION \
@@ -34,4 +34,4 @@ limitations under the License.
 // It represents the fields supported by this version of Falco,
 // the event types, and the underlying driverevent schema. It's used to
 // detetect changes in engine version in our CI jobs.
-#define FALCO_ENGINE_CHECKSUM "bc9d0d94ae70ef26b7cf814f62273a48b2bb4133dff0baff5f194f6f1711875a"
+#define FALCO_ENGINE_CHECKSUM "9246c7739677ea9ec5ea3a1928755f83a1149e693cdb6d7dab4612f919a30aa3"
--- a/userspace/engine/indexable_ruleset.cpp
+++ b/userspace/engine/indexable_ruleset.cpp
@@ -0,0 +1,347 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+Copyright (C) 2024 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "indexable_ruleset.h"
+
+#include "falco_utils.h"
+
+#include <algorithm>
+
+void indexable_ruleset::clear()
+{
+	for(size_t i = 0; i < m_rulesets.size(); i++)
+	{
+		m_rulesets[i] = std::make_shared<ruleset_filters>(i);
+	}
+	m_filters.clear();
+}
+
+uint64_t indexable_ruleset::enabled_count(uint16_t ruleset_id)
+{
+	while(m_rulesets.size() < (size_t)ruleset_id + 1)
+	{
+		m_rulesets.emplace_back(std::make_shared<ruleset_filters>(m_rulesets.size()));
+	}
+
+	return m_rulesets[ruleset_id]->num_filters();
+}
+
+void indexable_ruleset::enabled_evttypes(std::set<uint16_t> &evttypes, uint16_t ruleset_id)
+{
+	evttypes.clear();
+	for(const auto &e : enabled_event_codes(ruleset_id))
+	{
+		evttypes.insert((uint16_t)e);
+	}
+}
+
+libsinsp::events::set<ppm_sc_code> indexable_ruleset::enabled_sc_codes(uint16_t ruleset)
+{
+	if(m_rulesets.size() < (size_t)ruleset + 1)
+	{
+		return {};
+	}
+	return m_rulesets[ruleset]->sc_codes();
+}
+
+libsinsp::events::set<ppm_event_code> indexable_ruleset::enabled_event_codes(uint16_t ruleset)
+{
+	if(m_rulesets.size() < (size_t)ruleset + 1)
+	{
+		return {};
+	}
+	return m_rulesets[ruleset]->event_codes();
+}
+
+void indexable_ruleset::enable(const std::string &pattern, match_type match, uint16_t ruleset_id)
+{
+	enable_disable(pattern, match, true, ruleset_id);
+}
+
+void indexable_ruleset::disable(const std::string &pattern, match_type match, uint16_t ruleset_id)
+{
+	enable_disable(pattern, match, false, ruleset_id);
+}
+
+void indexable_ruleset::enable_disable(const std::string &pattern, match_type match, bool enabled, uint16_t ruleset_id)
+{
+	while(m_rulesets.size() < (size_t)ruleset_id + 1)
+	{
+		m_rulesets.emplace_back(std::make_shared<ruleset_filters>(m_rulesets.size()));
+	}
+
+	for(const auto &wrap : m_filters)
+	{
+		bool matches;
+		std::string::size_type pos;
+
+		switch(match)
+		{
+		case match_type::exact:
+			pos = wrap->name().find(pattern);
+
+			matches = (pattern == "" || (pos == 0 &&
+						     pattern.size() == wrap->name().size()));
+			break;
+		case match_type::substring:
+			matches = (pattern == "" || (wrap->name().find(pattern) != std::string::npos));
+			break;
+		case match_type::wildcard:
+			matches = falco::utils::matches_wildcard(pattern, wrap->name());
+			break;
+		default:
+			// should never happen
+			matches = false;
+		}
+
+		if(matches)
+		{
+			if(enabled)
+			{
+				m_rulesets[ruleset_id]->add_filter(wrap);
+			}
+			else
+			{
+				m_rulesets[ruleset_id]->remove_filter(wrap);
+			}
+		}
+	}
+}
+
+void indexable_ruleset::enable_tags(const std::set<std::string> &tags, uint16_t ruleset_id)
+{
+	enable_disable_tags(tags, true, ruleset_id);
+}
+
+void indexable_ruleset::disable_tags(const std::set<std::string> &tags, uint16_t ruleset_id)
+{
+	enable_disable_tags(tags, false, ruleset_id);
+}
+
+void indexable_ruleset::enable_disable_tags(const std::set<std::string> &tags, bool enabled, uint16_t ruleset_id)
+{
+	while(m_rulesets.size() < (size_t)ruleset_id + 1)
+	{
+		m_rulesets.emplace_back(std::make_shared<ruleset_filters>(m_rulesets.size()));
+	}
+
+	for(const auto &wrap : m_filters)
+	{
+		std::set<std::string> intersect;
+
+		set_intersection(tags.begin(), tags.end(),
+				 wrap->tags().begin(), wrap->tags().end(),
+				 inserter(intersect, intersect.begin()));
+
+		if(!intersect.empty())
+		{
+			if(enabled)
+			{
+				m_rulesets[ruleset_id]->add_filter(wrap);
+			}
+			else
+			{
+				m_rulesets[ruleset_id]->remove_filter(wrap);
+			}
+		}
+	}
+}
+
+bool indexable_ruleset::run(sinsp_evt *evt, falco_rule &match, uint16_t ruleset_id)
+{
+	if(m_rulesets.size() < (size_t)ruleset_id + 1)
+	{
+		return false;
+	}
+
+	return m_rulesets[ruleset_id]->run(*this, evt, match);
+}
+
+bool indexable_ruleset::run(sinsp_evt *evt, std::vector<falco_rule> &matches, uint16_t ruleset_id)
+{
+	if(m_rulesets.size() < (size_t)ruleset_id + 1)
+	{
+		return false;
+	}
+
+	return m_rulesets[ruleset_id]->run(*this, evt, matches);
+}
+
+void indexable_ruleset::add_wrapper(std::shared_ptr<filter_wrapper> wrap)
+{
+	m_filters.insert(wrap);
+}
+
+uint64_t indexable_ruleset::iterate(filter_wrapper_func func)
+{
+	uint64_t num_filters = 0;
+
+	for(const auto &ruleset_ptr : m_rulesets)
+	{
+		if(ruleset_ptr)
+		{
+			for(const auto &wrap : ruleset_ptr->get_filters())
+			{
+				num_filters++;
+				func(wrap);
+			}
+		}
+	}
+
+	return num_filters;
+}
+
+void indexable_ruleset::ruleset_filters::add_wrapper_to_list(filter_wrapper_list &wrappers, std::shared_ptr<filter_wrapper> wrap)
+{
+	// This is O(n) but it's also uncommon
+	// (when loading rules only).
+	auto pos = std::find(wrappers.begin(),
+			     wrappers.end(),
+			     wrap);
+
+	if(pos == wrappers.end())
+	{
+		wrappers.push_back(wrap);
+	}
+}
+
+void indexable_ruleset::ruleset_filters::remove_wrapper_from_list(filter_wrapper_list &wrappers, std::shared_ptr<filter_wrapper> wrap)
+{
+	// This is O(n) but it's also uncommon
+	// (when loading rules only).
+	auto pos = std::find(wrappers.begin(),
+			     wrappers.end(),
+			     wrap);
+	if(pos != wrappers.end())
+	{
+		wrappers.erase(pos);
+	}
+}
+
+void indexable_ruleset::ruleset_filters::add_filter(std::shared_ptr<filter_wrapper> wrap)
+{
+	if(wrap->event_codes().empty())
+	{
+		// Should run for all event types
+		add_wrapper_to_list(m_filter_all_event_types, wrap);
+	}
+	else
+	{
+		for(auto &etype : wrap->event_codes())
+		{
+			if(m_filter_by_event_type.size() <= etype)
+			{
+				m_filter_by_event_type.resize(etype + 1);
+			}
+
+			add_wrapper_to_list(m_filter_by_event_type[etype], wrap);
+		}
+	}
+
+	m_filters.insert(wrap);
+}
+
+void indexable_ruleset::ruleset_filters::remove_filter(std::shared_ptr<filter_wrapper> wrap)
+{
+	if(wrap->event_codes().empty())
+	{
+		remove_wrapper_from_list(m_filter_all_event_types, wrap);
+	}
+	else
+	{
+		for(auto &etype : wrap->event_codes())
+		{
+			if(etype < m_filter_by_event_type.size())
+			{
+				remove_wrapper_from_list(m_filter_by_event_type[etype], wrap);
+			}
+		}
+	}
+
+	m_filters.erase(wrap);
+}
+
+uint64_t indexable_ruleset::ruleset_filters::num_filters()
+{
+	return m_filters.size();
+}
+
+bool indexable_ruleset::ruleset_filters::run(indexable_ruleset &ruleset, sinsp_evt *evt, falco_rule &match)
+{
+	if(evt->get_type() < m_filter_by_event_type.size() &&
+	   m_filter_by_event_type[evt->get_type()].size() > 0)
+	{
+		if(ruleset.run_wrappers(evt, m_filter_by_event_type[evt->get_type()], m_ruleset_id, match))
+		{
+			return true;
+		}
+	}
+
+	// Finally, try filters that are not specific to an event type.
+	if(m_filter_all_event_types.size() > 0)
+	{
+		if(ruleset.run_wrappers(evt, m_filter_all_event_types, m_ruleset_id, match))
+		{
+			return true;
+		}
+	}
+
+	return false;
+}
+
+bool indexable_ruleset::ruleset_filters::run(indexable_ruleset &ruleset, sinsp_evt *evt, std::vector<falco_rule> &matches)
+{
+	if(evt->get_type() < m_filter_by_event_type.size() &&
+	   m_filter_by_event_type[evt->get_type()].size() > 0)
+	{
+		if(ruleset.run_wrappers(evt, m_filter_by_event_type[evt->get_type()], m_ruleset_id, matches))
+		{
+			return true;
+		}
+	}
+
+	// Finally, try filters that are not specific to an event type.
+	if(m_filter_all_event_types.size() > 0)
+	{
+		if(ruleset.run_wrappers(evt, m_filter_all_event_types, m_ruleset_id, matches))
+		{
+			return true;
+		}
+	}
+
+	return false;
+}
+
+libsinsp::events::set<ppm_sc_code> indexable_ruleset::ruleset_filters::sc_codes()
+{
+	libsinsp::events::set<ppm_sc_code> res;
+	for(const auto &wrap : m_filters)
+	{
+		res.insert(wrap->sc_codes().begin(), wrap->sc_codes().end());
+	}
+	return res;
+}
+
+libsinsp::events::set<ppm_event_code> indexable_ruleset::ruleset_filters::event_codes()
+{
+	libsinsp::events::set<ppm_event_code> res;
+	for(const auto &wrap : m_filters)
+	{
+		res.insert(wrap->event_codes().begin(), wrap->event_codes().end());
+	}
+	return res;
+}
--- a/userspace/engine/indexable_ruleset.h
+++ b/userspace/engine/indexable_ruleset.h
@@ -0,0 +1,182 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+Copyright (C) 2024 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+/* This describes the interface for an "indexable" ruleset, that is, a
+ * ruleset that can enable/disable abstract filters for various
+ * ruleset ids.
+ *
+ * It's used by evttype_index_ruleset as well as other rulesets that
+ * need the same functionality but don't want to copy the same code.
+ */
+
+#pragma once
+
+#include "filter_ruleset.h"
+
+#include <libsinsp/sinsp.h>
+#include <libsinsp/filter.h>
+#include <libsinsp/event.h>
+
+#include <functional>
+#include <memory>
+#include <string>
+
+class indexable_ruleset : public filter_ruleset
+{
+public:
+	indexable_ruleset() = default;
+	virtual ~indexable_ruleset() = default;
+
+	// Required to implement filter_ruleset
+	void clear() override;
+
+	uint64_t enabled_count(uint16_t ruleset_id) override;
+
+	void enabled_evttypes(
+		std::set<uint16_t> &evttypes,
+		uint16_t ruleset) override;
+
+	libsinsp::events::set<ppm_sc_code> enabled_sc_codes(
+		uint16_t ruleset) override;
+
+	libsinsp::events::set<ppm_event_code> enabled_event_codes(
+		uint16_t ruleset) override;
+
+	void enable(
+		const std::string &pattern,
+		match_type match,
+		uint16_t ruleset_id) override;
+
+	void disable(
+		const std::string &pattern,
+		match_type match,
+		uint16_t ruleset_id) override;
+
+	void enable_tags(
+		const std::set<std::string> &tags,
+		uint16_t ruleset_id) override;
+
+	void disable_tags(
+		const std::set<std::string> &tags,
+		uint16_t ruleset_id) override;
+
+	// Note that subclasses do *not* implement run. Instead, they
+	// implement run_wrappers.
+	bool run(sinsp_evt *evt, falco_rule &match, uint16_t ruleset_id) override;
+	bool run(sinsp_evt *evt, std::vector<falco_rule> &matches, uint16_t ruleset_id) override;
+
+	// Methods for working with filter wrappers
+
+	// A derived class should add "filter wrappers" that implement
+	// these methods. They return the necessary information
+	// required to segregate filters by name, tags, and event
+	// types.
+	struct filter_wrapper
+	{
+		virtual const std::string &name() = 0;
+		virtual const std::set<std::string> &tags() = 0;
+		virtual const libsinsp::events::set<ppm_sc_code> &sc_codes() = 0;
+		virtual const libsinsp::events::set<ppm_event_code> &event_codes() = 0;
+	};
+
+	typedef std::list<std::shared_ptr<filter_wrapper>>
+		filter_wrapper_list;
+
+	// Subclasses should call add_wrapper (most likely from
+	// filter_ruleset::add or ::add_compile_output) to add filters.
+	void add_wrapper(std::shared_ptr<filter_wrapper> wrap);
+
+	// If a subclass needs to iterate over all filters, they can
+	// call iterate with this function, which will be called for
+	// all filters.
+	typedef std::function<void(const std::shared_ptr<filter_wrapper> &wrap)> filter_wrapper_func;
+	uint64_t iterate(filter_wrapper_func func);
+
+	// A subclass must implement these methods. They are analogous
+	// to run() but take care of selecting filters that match a
+	// ruleset and possibly an event type.
+	virtual bool run_wrappers(sinsp_evt *evt, filter_wrapper_list &wrappers, uint16_t ruleset_id, std::vector<falco_rule> &matches) = 0;
+	virtual bool run_wrappers(sinsp_evt *evt, filter_wrapper_list &wrappers, uint16_t ruleset_id, falco_rule &match) = 0;
+
+private:
+	// Helper used by enable()/disable()
+	void enable_disable(
+		const std::string &pattern,
+		match_type match,
+		bool enabled,
+		uint16_t ruleset_id);
+
+	// Helper used by enable_tags()/disable_tags()
+	void enable_disable_tags(
+		const std::set<std::string> &tags,
+		bool enabled,
+		uint16_t ruleset_id);
+
+	// A group of filters all having the same ruleset
+	class ruleset_filters
+	{
+	public:
+		ruleset_filters(uint16_t ruleset_id):
+			m_ruleset_id(ruleset_id) {}
+
+		virtual ~ruleset_filters(){};
+
+		void add_filter(std::shared_ptr<filter_wrapper> wrap);
+		void remove_filter(std::shared_ptr<filter_wrapper> wrap);
+
+		uint64_t num_filters();
+
+		inline const std::set<std::shared_ptr<filter_wrapper>> &get_filters() const
+		{
+			return m_filters;
+		}
+
+		// Evaluate an event against the ruleset and return the first rule
+		// that matched.
+		bool run(indexable_ruleset &ruleset, sinsp_evt *evt, falco_rule &match);
+
+		//  Evaluate an event against the ruleset and return all the
+		//	matching rules.
+		bool run(indexable_ruleset &ruleset, sinsp_evt *evt, std::vector<falco_rule> &matches);
+
+		libsinsp::events::set<ppm_sc_code> sc_codes();
+
+		libsinsp::events::set<ppm_event_code> event_codes();
+
+	private:
+		void add_wrapper_to_list(filter_wrapper_list &wrappers, std::shared_ptr<filter_wrapper> wrap);
+		void remove_wrapper_from_list(filter_wrapper_list &wrappers, std::shared_ptr<filter_wrapper> wrap);
+
+		uint16_t m_ruleset_id;
+
+		// Vector indexes from event type to a set of filters. There can
+		// be multiple filters for a given event type.
+		// NOTE: This is used only when the event sub-type is 0.
+		std::vector<filter_wrapper_list> m_filter_by_event_type;
+
+		filter_wrapper_list m_filter_all_event_types;
+
+		// All filters added. Used to make num_filters() fast.
+		std::set<std::shared_ptr<filter_wrapper>> m_filters;
+	};
+
+	// Vector indexes from ruleset id to set of rules.
+	std::vector<std::shared_ptr<ruleset_filters>> m_rulesets;
+
+	// All filters added. The set of enabled filters is held in m_rulesets
+	std::set<std::shared_ptr<filter_wrapper>> m_filters;
+};
--- a/userspace/engine/logger.cpp
+++ b/userspace/engine/logger.cpp
--- a/userspace/engine/logger.h
+++ b/userspace/engine/logger.h
--- a/userspace/engine/rule_loader_compiler.cpp
+++ b/userspace/engine/rule_loader_compiler.cpp
@@ -509,7 +509,15 @@ void rule_loader::compiler::compile_rule_infos(

 		// build rule output message
 		rule.output = r.output;
-		apply_output_substitutions(cfg, rule.output);
+
+		// plugins sources do not have any container info and so we won't apply -pk, -pc, etc.
+		// on the other hand, when using plugins you might want to append custom output based on the plugin
+		// TODO: this is not flexible enough (esp. if you mix plugin with syscalls),
+		// it would be better to add configuration options to control the output.
+		if (!cfg.replace_output_container_info || r.source == falco_common::syscall_source)
+		{
+			apply_output_substitutions(cfg, rule.output);
+		}

 		// validate the rule's output
 		if(!is_format_valid(*cfg.sources.at(r.source), rule.output, err))
--- a/userspace/falco/CMakeLists.txt
+++ b/userspace/falco/CMakeLists.txt
@@ -50,7 +50,6 @@ add_library(falco_application STATIC
  app/actions/create_requested_paths.cpp
  app/actions/close_inspectors.cpp
  configuration.cpp
-  logger.cpp
  falco_outputs.cpp
  outputs_file.cpp
  outputs_stdout.cpp
--- a/userspace/falco/app/actions/process_events.cpp
+++ b/userspace/falco/app/actions/process_events.cpp
@@ -413,9 +413,9 @@ static falco::app::run_result init_stats_writer(
 		return falco::app::run_result::fatal("Metrics interval was passed as numeric value without Prometheus time unit. Please specify a time unit");
 	}

-	if (config->m_metrics_enabled && !sw->has_output())
+	if (config->m_metrics_enabled && !(sw->has_output() || config->m_webserver_config.m_prometheus_metrics_enabled))
 	{
-		return falco::app::run_result::fatal("Metrics are enabled with no output configured. Please enable at least one output channel");
+		return falco::app::run_result::fatal("Metrics are enabled with no output configured. Please enable at least one output channel ('metrics.output_rule', 'metrics.output_file' or 'webserver.prometheus_metrics_enabled')");
 	}

 	falco_logger::log(falco_logger::level::INFO, "Setting metrics interval to " + config->m_metrics_interval_str + ", equivalent to " + std::to_string(config->m_metrics_interval) + " (ms)\n");
--- a/userspace/falco/app/options.cpp
+++ b/userspace/falco/app/options.cpp
@@ -172,7 +172,7 @@ void options::define(cxxopts::Options& opts)
 		("N",                             "Only print field names when used in conjunction with the --list option. It has no effect when used with other options.", cxxopts::value(names_only)->default_value("false"))
 		("o,option",                      "Set the value of option <opt> to <val>. Overrides values in the configuration file. <opt> can be identified using its location in the configuration file using dot notation. Elements of list entries can be accessed via square brackets [].\n    E.g. base.id = val\n         base.subvalue.subvalue2 = val\n         base.list[1]=val", cxxopts::value(cmdline_config_options), "<opt>=<val>")
 		("plugin-info",                   "Print info for the plugin specified by <plugin_name> and exit.\nThis includes all descriptive information like name and author, along with the\nschema format for the init configuration and a list of suggested open parameters.\n<plugin_name> can be the plugin's name or its configured 'library_path'.", cxxopts::value(print_plugin_info), "<plugin_name>")
-		("p,print",                       "Print (or replace) additional information in the rule's output.\nUse -pc or -pcontainer to append container details.\nUse -pk or -pkubernetes to add both container and Kubernetes details.\nIf using gVisor, choose -pcg or -pkg variants (or -pcontainer-gvisor and -pkubernetes-gvisor, respectively).\nIf a rule's output contains %container.info, it will be replaced with the corresponding details. Otherwise, these details will be directly appended to the rule's output.\nAlternatively, use -p <output_format> for a custom format. In this case, the given <output_format> will be appended to the rule's output without any replacement.", cxxopts::value(print_additional), "<output_format>")
+		("p,print",                       "Print (or replace) additional information in the rule's output.\nUse -pc or -pcontainer to append container details to syscall events.\nUse -pk or -pkubernetes to add both container and Kubernetes details to syscall events.\nIf using gVisor, choose -pcg or -pkg variants (or -pcontainer-gvisor and -pkubernetes-gvisor, respectively).\nIf a syscall rule's output contains %container.info, it will be replaced with the corresponding details. Otherwise, these details will be directly appended to the rule's output.\nAlternatively, use -p <output_format> for a custom format. In this case, the given <output_format> will be appended to the rule's output without any replacement to all events, including plugin events.", cxxopts::value(print_additional), "<output_format>")
 		("P,pidfile",                     "Write PID to specified <pid_file> path. By default, no PID file is created.", cxxopts::value(pidfilename)->default_value(""), "<pid_file>")
 		("r",                             "Rules file or directory to be loaded. This option can be passed multiple times. Falco defaults to the values in the configuration file when this option is not specified.", cxxopts::value<std::vector<std::string>>(), "<rules_file>")
 		("S,snaplen",                     "Collect only the first <len> bytes of each I/O buffer for 'syscall' events. By default, the first 80 bytes are collected by the driver and sent to the user space for processing. Use this option with caution since it can have a strong performance impact.", cxxopts::value(snaplen)->default_value("0"), "<len>")
--- a/userspace/falco/app/restart_handler.cpp
+++ b/userspace/falco/app/restart_handler.cpp
@@ -17,7 +17,7 @@ limitations under the License.

 #include "restart_handler.h"
 #include "signals.h"
-#include "../logger.h"
+#include "logger.h"

 #include <string.h>
 #include <fcntl.h>
--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
@@ -72,7 +72,7 @@ falco_configuration::falco_configuration():
 	m_metrics_interval(5000),
 	m_metrics_stats_rule_enabled(false),
 	m_metrics_output_file(""),
-	m_metrics_flags((METRICS_V2_KERNEL_COUNTERS | METRICS_V2_LIBBPF_STATS | METRICS_V2_RESOURCE_UTILIZATION | METRICS_V2_STATE_COUNTERS | METRICS_V2_RULE_COUNTERS)),
+	m_metrics_flags(0),
 	m_metrics_convert_memory_to_mb(true),
 	m_metrics_include_empty_values(false)
 {
@@ -555,6 +555,10 @@ void falco_configuration::load_yaml(const std::string& config_name)
 	{
 		m_metrics_flags |= METRICS_V2_LIBBPF_STATS;
 	}
+	if (config.get_scalar<bool>("metrics.plugins_metrics_enabled", true))
+	{
+		m_metrics_flags |= METRICS_V2_PLUGINS;
+	}

 	m_metrics_convert_memory_to_mb = config.get_scalar<bool>("metrics.convert_memory_to_mb", true);
 	m_metrics_include_empty_values = config.get_scalar<bool>("metrics.include_empty_values", false);
--- a/userspace/falco/falco_metrics.cpp
+++ b/userspace/falco/falco_metrics.cpp
@@ -53,20 +53,20 @@ std::string falco_metrics::to_text(const falco::app::state& state)
 		BPF_ENGINE, KMOD_ENGINE, MODERN_BPF_ENGINE,
 		SOURCE_PLUGIN_ENGINE, NODRIVER_ENGINE, GVISOR_ENGINE };

-	std::vector<sinsp*> inspectors;
+	std::vector<std::shared_ptr<sinsp>> inspectors;
 	std::vector<libs::metrics::libs_metrics_collector> metrics_collectors;

-	for (const auto& source_info: state.source_infos)
+	for (const auto& source: state.enabled_sources)
 	{
-		sinsp *source_inspector = source_info.inspector.get();
+		auto source_info = state.source_infos.at(source);
+		auto source_inspector = source_info->inspector;
 		inspectors.emplace_back(source_inspector);
-		metrics_collectors.emplace_back(libs::metrics::libs_metrics_collector(source_inspector, state.config->m_metrics_flags));
+		metrics_collectors.emplace_back(libs::metrics::libs_metrics_collector(source_inspector.get(), state.config->m_metrics_flags));
 	}
-
 	libs::metrics::prometheus_metrics_converter prometheus_metrics_converter;
 	std::string prometheus_text;

-	for (auto* inspector: inspectors)
+	for (auto inspector: inspectors)
 	{
 		// Falco wrapper metrics
 		//
@@ -79,21 +79,28 @@ std::string falco_metrics::to_text(const falco::app::state& state)
 			}
 		}

+
 		const scap_agent_info* agent_info = inspector->get_agent_info();
 		const scap_machine_info* machine_info = inspector->get_machine_info();
-
-		libs::metrics::libs_metrics_collector libs_metrics_collector(inspector, 0);
-
+		libs::metrics::libs_metrics_collector libs_metrics_collector(inspector.get(), 0);
 		prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus("version", "falcosecurity", "falco", {{"version", FALCO_VERSION}});
-		prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus("kernel_release", "falcosecurity", "falco", {{"kernel_release", agent_info->uname_r}});
-		prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus("hostname", "falcosecurity", "evt", {{"hostname", machine_info->hostname}});
+
+		// Not all scap engines report agent and machine infos.
+		if (agent_info)
+		{
+			prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus("kernel_release", "falcosecurity", "falco", {{"kernel_release", agent_info->uname_r}});
+		}
+		if (machine_info)
+		{
+			prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus("hostname", "falcosecurity", "evt", {{"hostname", machine_info->hostname}});
+		}

 #if defined(__linux__) and !defined(MINIMAL_BUILD) and !defined(__EMSCRIPTEN__)
 		for (const auto& item : state.config.get()->m_loaded_rules_filenames_sha256sum)
 		{
 			fs::path fs_path = item.first;
 			std::string metric_name_file_sha256 = fs_path.filename().stem();
-			metric_name_file_sha256 = "falco.sha256_rules_file." + falco::utils::sanitize_metric_name(metric_name_file_sha256);
+			metric_name_file_sha256 = "falco_sha256_rules_file_" + falco::utils::sanitize_metric_name(metric_name_file_sha256);
 			prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(metric_name_file_sha256, "falcosecurity", "falco", {{metric_name_file_sha256, item.second}});
 		}

@@ -101,7 +108,7 @@ std::string falco_metrics::to_text(const falco::app::state& state)
 		{
 			fs::path fs_path = item.first;
 			std::string metric_name_file_sha256 = fs_path.filename().stem();
-			metric_name_file_sha256 = "falco.sha256_config_file." + falco::utils::sanitize_metric_name(metric_name_file_sha256);
+			metric_name_file_sha256 = "falco_sha256_config_file_" + falco::utils::sanitize_metric_name(metric_name_file_sha256);
 			prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(metric_name_file_sha256, "falcosecurity", "falco", {{metric_name_file_sha256, item.second}});
 		}
 #endif
@@ -112,39 +119,47 @@ std::string falco_metrics::to_text(const falco::app::state& state)
 		}
 		std::vector<metrics_v2> additional_wrapper_metrics;

-		additional_wrapper_metrics.emplace_back(libs_metrics_collector.new_metric("start_ts",
-																	METRICS_V2_MISC,
-																	METRIC_VALUE_TYPE_U64,
-																	METRIC_VALUE_UNIT_TIME_TIMESTAMP_NS,
-																	METRIC_VALUE_METRIC_TYPE_NON_MONOTONIC_CURRENT,
-																	agent_info->start_ts_epoch));
-		additional_wrapper_metrics.emplace_back(libs_metrics_collector.new_metric("host_boot_ts",
-																	METRICS_V2_MISC,
-																	METRIC_VALUE_TYPE_U64,
-																	METRIC_VALUE_UNIT_TIME_TIMESTAMP_NS,
-																	METRIC_VALUE_METRIC_TYPE_NON_MONOTONIC_CURRENT,
-																	machine_info->boot_ts_epoch));
-		additional_wrapper_metrics.emplace_back(libs_metrics_collector.new_metric("host_num_cpus",
-																	METRICS_V2_MISC,
-																	METRIC_VALUE_TYPE_U32,
-																	METRIC_VALUE_UNIT_COUNT,
-																	METRIC_VALUE_METRIC_TYPE_NON_MONOTONIC_CURRENT,
-																	machine_info->num_cpus));
+		if (agent_info)
+		{
+			additional_wrapper_metrics.emplace_back(libs_metrics_collector.new_metric("start_ts",
+												  METRICS_V2_MISC,
+												  METRIC_VALUE_TYPE_U64,
+												  METRIC_VALUE_UNIT_TIME_TIMESTAMP_NS,
+												  METRIC_VALUE_METRIC_TYPE_NON_MONOTONIC_CURRENT,
+												  agent_info->start_ts_epoch));
+		}
+		if (machine_info)
+		{
+			additional_wrapper_metrics.emplace_back(libs_metrics_collector.new_metric("host_boot_ts",
+												  METRICS_V2_MISC,
+												  METRIC_VALUE_TYPE_U64,
+												  METRIC_VALUE_UNIT_TIME_TIMESTAMP_NS,
+												  METRIC_VALUE_METRIC_TYPE_NON_MONOTONIC_CURRENT,
+												  machine_info->boot_ts_epoch));
+			additional_wrapper_metrics.emplace_back(libs_metrics_collector.new_metric("host_num_cpus",
+												  METRICS_V2_MISC,
+												  METRIC_VALUE_TYPE_U32,
+												  METRIC_VALUE_UNIT_COUNT,
+												  METRIC_VALUE_METRIC_TYPE_NON_MONOTONIC_CURRENT,
+												  machine_info->num_cpus));
+		}
 		additional_wrapper_metrics.emplace_back(libs_metrics_collector.new_metric("outputs_queue_num_drops",
-																	METRICS_V2_MISC,
-																	METRIC_VALUE_TYPE_U64,
-																	METRIC_VALUE_UNIT_COUNT,
-																	METRIC_VALUE_METRIC_TYPE_MONOTONIC,
-																	state.outputs->get_outputs_queue_num_drops()));
+												METRICS_V2_MISC,
+												METRIC_VALUE_TYPE_U64,
+												METRIC_VALUE_UNIT_COUNT,
+												METRIC_VALUE_METRIC_TYPE_MONOTONIC,
+												state.outputs->get_outputs_queue_num_drops()));

-		auto now = std::chrono::duration_cast<std::chrono::nanoseconds>(std::chrono::system_clock::now().time_since_epoch()).count();
-
-		additional_wrapper_metrics.emplace_back(libs_metrics_collector.new_metric("duration_sec",
-																	METRICS_V2_MISC,
-																	METRIC_VALUE_TYPE_U64,
-																	METRIC_VALUE_UNIT_TIME_S_COUNT,
-																	METRIC_VALUE_METRIC_TYPE_MONOTONIC,
-																	(uint64_t)((now - agent_info->start_ts_epoch) / ONE_SECOND_IN_NS)));
+		if (agent_info)
+		{
+			auto now = std::chrono::duration_cast<std::chrono::nanoseconds>(std::chrono::system_clock::now().time_since_epoch()).count();
+			additional_wrapper_metrics.emplace_back(libs_metrics_collector.new_metric("duration_sec",
+												  METRICS_V2_MISC,
+												  METRIC_VALUE_TYPE_U64,
+												  METRIC_VALUE_UNIT_TIME_S_COUNT,
+												  METRIC_VALUE_METRIC_TYPE_MONOTONIC,
+												  (uint64_t)((now - agent_info->start_ts_epoch) / ONE_SECOND_IN_NS)));
+		}

 		for (auto metric: additional_wrapper_metrics)
 		{
@@ -160,11 +175,11 @@ std::string falco_metrics::to_text(const falco::app::state& state)
 			const stats_manager& rule_stats_manager = state.engine->get_rule_stats_manager();
 			const indexed_vector<falco_rule>& rules = state.engine->get_rules();
 			auto metric = libs_metrics_collector.new_metric("rules.matches_total",
-																	METRICS_V2_RULE_COUNTERS,
-																	METRIC_VALUE_TYPE_U64,
-																	METRIC_VALUE_UNIT_COUNT,
-																	METRIC_VALUE_METRIC_TYPE_MONOTONIC,
-																	rule_stats_manager.get_total().load());
+										METRICS_V2_RULE_COUNTERS,
+										METRIC_VALUE_TYPE_U64,
+										METRIC_VALUE_UNIT_COUNT,
+										METRIC_VALUE_METRIC_TYPE_MONOTONIC,
+										rule_stats_manager.get_total().load());

 			prometheus_metrics_converter.convert_metric_to_unit_convention(metric);
 			prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(metric, "falcosecurity", "falco");
@@ -175,11 +190,11 @@ std::string falco_metrics::to_text(const falco::app::state& state)
 				std::string rules_metric_name = "rules." + falco::utils::sanitize_metric_name(rule->name);
 				// Separate processing of rules counter metrics given we add extra tags
 				auto metric = libs_metrics_collector.new_metric(rules_metric_name.c_str(),
-																	METRICS_V2_RULE_COUNTERS,
-																	METRIC_VALUE_TYPE_U64,
-																	METRIC_VALUE_UNIT_COUNT,
-																	METRIC_VALUE_METRIC_TYPE_MONOTONIC,
-																	rules_by_id[i]->load());
+											METRICS_V2_RULE_COUNTERS,
+											METRIC_VALUE_TYPE_U64,
+											METRIC_VALUE_UNIT_COUNT,
+											METRIC_VALUE_METRIC_TYPE_MONOTONIC,
+											rules_by_id[i]->load());
 				prometheus_metrics_converter.convert_metric_to_unit_convention(metric);
 				const std::map<std::string, std::string>& const_labels = {
 					{"rule", rule->name},
@@ -207,10 +222,17 @@ std::string falco_metrics::to_text(const falco::app::state& state)
 		{
 			prometheus_metrics_converter.convert_metric_to_unit_convention(metric);
 			std::string namespace_name = "scap";
+			
 			if (metric.flags & METRICS_V2_RESOURCE_UTILIZATION || metric.flags & METRICS_V2_KERNEL_COUNTERS)
 			{
 				namespace_name = "falco";
 			}
+
+			if (metric.flags & METRICS_V2_PLUGINS)
+			{
+				namespace_name = "plugins";
+			}
+
 			prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(metric, "falcosecurity", namespace_name);
 		}

--- a/userspace/falco/stats_writer.cpp
+++ b/userspace/falco/stats_writer.cpp
@@ -327,12 +327,18 @@ void stats_writer::collector::get_metrics_output_fields_wrapper(
 	/* Wrapper fields useful for statistical analyses and attributions. Always enabled. */
 	output_fields["evt.time"] = now; /* Some ETLs may prefer a consistent timestamp within output_fields. */
 	output_fields["falco.version"] = FALCO_VERSION;
-	output_fields["falco.start_ts"] = agent_info->start_ts_epoch;
-	output_fields["falco.duration_sec"] = (uint64_t)((now - agent_info->start_ts_epoch) / ONE_SECOND_IN_NS);
-	output_fields["falco.kernel_release"] = agent_info->uname_r;
-	output_fields["evt.hostname"] = machine_info->hostname; /* Explicitly add hostname to log msg in case hostname rule output field is disabled. */
-	output_fields["falco.host_boot_ts"] = machine_info->boot_ts_epoch;
-	output_fields["falco.host_num_cpus"] = machine_info->num_cpus;
+	if (agent_info)
+	{
+		output_fields["falco.start_ts"] = agent_info->start_ts_epoch;
+		output_fields["falco.duration_sec"] = (uint64_t)((now - agent_info->start_ts_epoch) / ONE_SECOND_IN_NS);
+		output_fields["falco.kernel_release"] = agent_info->uname_r;
+	}
+	if (machine_info)
+	{
+		output_fields["evt.hostname"] = machine_info->hostname; /* Explicitly add hostname to log msg in case hostname rule output field is disabled. */
+		output_fields["falco.host_boot_ts"] = machine_info->boot_ts_epoch;
+		output_fields["falco.host_num_cpus"] = machine_info->num_cpus;
+	}
 	output_fields["falco.outputs_queue_num_drops"] = m_writer->m_outputs->get_outputs_queue_num_drops();

 #if defined(__linux__) and !defined(MINIMAL_BUILD) and !defined(__EMSCRIPTEN__)
@@ -434,6 +440,10 @@ void stats_writer::collector::get_metrics_output_fields_additional(
 			{
 				strlcpy(metric_name, "scap.", sizeof(metric_name));
 			}
+			if(metric.flags & METRICS_V2_PLUGINS)
+			{
+				strlcpy(metric_name, "plugins.", sizeof(metric_name));
+			}
 			strlcat(metric_name, metric.name, sizeof(metric_name));

 			switch (metric.type)
@@ -445,6 +455,13 @@ void stats_writer::collector::get_metrics_output_fields_additional(
 				}
 				output_fields[metric_name] = metric.value.u32;
 				break;
+			case METRIC_VALUE_TYPE_S32:
+				if (metric.value.s32 == 0 && !m_writer->m_config->m_metrics_include_empty_values)
+				{
+					break;
+				}
+				output_fields[metric_name] = metric.value.s32;
+				break;
 			case METRIC_VALUE_TYPE_U64:
 				if (strncmp(metric.name, "n_evts", 7) == 0)
 				{
@@ -486,6 +503,13 @@ void stats_writer::collector::get_metrics_output_fields_additional(
 				}
 				output_fields[metric_name] = metric.value.u64;
 				break;
+			case METRIC_VALUE_TYPE_S64:
+				if (metric.value.s64 == 0 && !m_writer->m_config->m_metrics_include_empty_values)
+				{
+					break;
+				}
+				output_fields[metric_name] = metric.value.s64;
+				break;
 			case METRIC_VALUE_TYPE_D:
 				if (metric.value.d == 0 && !m_writer->m_config->m_metrics_include_empty_values)
 				{
@@ -493,6 +517,20 @@ void stats_writer::collector::get_metrics_output_fields_additional(
 				}
 				output_fields[metric_name] = metric.value.d;
 				break;
+			case METRIC_VALUE_TYPE_F:
+				if (metric.value.f == 0 && !m_writer->m_config->m_metrics_include_empty_values)
+				{
+					break;
+				}
+				output_fields[metric_name] = metric.value.f;
+				break;
+			case METRIC_VALUE_TYPE_I:
+				if (metric.value.i == 0 && !m_writer->m_config->m_metrics_include_empty_values)
+				{
+					break;
+				}
+				output_fields[metric_name] = metric.value.i;
+				break;
 			default:
 				break;
 			}
Author	SHA1	Message	Date
Mark Stemm	c2011ac9c6	Modify evttype_index_ruleset to derive from indexable_ruleset Modify evttype_index_ruleset to derive from indexable_ruleset instead of having its own implementation of segregating filters by ruleset id/event type. An evttype_index_ruleset::wrapper contains a falco rule and filter, and run_wrappers() evaluate the filter as before, without the segregation by ruleset id/event type. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2024-06-18 10:26:49 -07:00
Mark Stemm	7dfc4e3447	Actually add indexable_ruleset to build Done separately just in case we ever have github checks that track files separate from cmake changes. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2024-06-14 11:39:32 -07:00
Mark Stemm	605e69cf0e	Add an indexable ruleset that can split filters by ruleset/evttype Now that custom rules loading implementations (and related, custom rulesets) can be swapped into falco in a customizable way, there is some functionality in evttype_index_ruleset that could be used by other rulesets, specifically the part that segregates filters by ruleset and enables/disables filters based on name substring + tags. To allow for this, create a new base class indexable_ruleset that takes a generic filter_wrapper object that can return a name, tags, and sc/event codes, and segregates the filters by ruleset. It also optionally segregates filters by event type. The main interfaces are: - an implementation of filter_wrapper to provide a name/tags/event codes. - add_wrapper(), which provides a filter_wrapper to the indexable_ruleset. - run_wrappers(), which must be implemented by the derived class and is called for event processing. Most of the methods required by filter_ruleset are implemented by indexable_ruleset and do not need to be implemented by the derived class. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2024-06-14 11:39:32 -07:00
Gianmatteo Palmieri	3e91a27538	new(metrics): enable plugins metrics Signed-off-by: Gianmatteo Palmieri <mail@gian.im> Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com>	2024-06-13 16:32:48 +02:00
Federico Di Pierro	0e754aec14	chore(userspace): bump engine version and checksum. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-06-13 13:40:48 +02:00
Federico Di Pierro	0e4c580c1e	update(cmake): bump libs to master. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-06-13 13:40:48 +02:00
Luca Guerra	b8e5e2e8dd	update(engine): allow using -p to pass a format to plugin events Signed-off-by: Luca Guerra <luca@guerra.sh>	2024-06-11 09:19:39 +02:00
dependabot[bot]	1c31390c56	chore(deps): Bump submodules/falcosecurity-rules Bumps [submodules/falcosecurity-rules](https://github.com/falcosecurity/rules) from `df963b6` to `ea57e78`. - [Release notes](https://github.com/falcosecurity/rules/releases) - [Commits](`df963b6bcd...ea57e78ea1`) --- updated-dependencies: - dependency-name: submodules/falcosecurity-rules dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>	2024-06-11 09:18:40 +02:00
Luca Guerra	8a59cee355	cleanup(falco): clarify that --print variants only affect syscalls Signed-off-by: Luca Guerra <luca@guerra.sh>	2024-06-06 09:46:22 +02:00
Gianmatteo Palmieri	1c66b640f2	Revert "fix(engine): apply output substitutions for all sources" This reverts commit `4ef7c9553a`. Signed-off-by: Gianmatteo Palmieri <mail@gian.im>	2024-06-05 12:43:19 +02:00
Federico Di Pierro	35395728cc	chore(ci): enable dummy tests on the testing framework. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-06-04 10:15:13 +02:00
Melissa Kilby	5777a44ca1	fix(metrics): fix sha256 metric names for prometheus Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>	2024-06-04 09:52:13 +02:00
Melissa Kilby	97207d309a	fix(metrics): allow each metric output channel to be selected independently Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>	2024-06-04 09:52:13 +02:00
dependabot[bot]	f43347da45	chore(deps): Bump submodules/falcosecurity-rules Bumps [submodules/falcosecurity-rules](https://github.com/falcosecurity/rules) from `679a50a` to `df963b6`. - [Release notes](https://github.com/falcosecurity/rules/releases) - [Commits](`679a50aa5c...df963b6bcd`) --- updated-dependencies: - dependency-name: submodules/falcosecurity-rules dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>	2024-06-03 17:01:10 +02:00
Federico Di Pierro	6687d50fc2	chore(userspace/falco): more extra safety checks on stats collector too. Signed-off-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com>	2024-06-03 15:56:14 +02:00
Federico Di Pierro	ae71cec507	fix(userspace/falco): fixed `falco_metrics::to_text` implementation when running with plugins. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-06-03 15:56:14 +02:00
Federico Di Pierro	ba85afa2ab	update(cmake): bump libs and driver to master. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-05-31 11:26:59 +02:00
dependabot[bot]	048b9e3dd0	chore(deps): Bump submodules/falcosecurity-rules Bumps [submodules/falcosecurity-rules](https://github.com/falcosecurity/rules) from `9e56293` to `679a50a`. - [Release notes](https://github.com/falcosecurity/rules/releases) - [Commits](`9e56293b55...679a50aa5c`) --- updated-dependencies: - dependency-name: submodules/falcosecurity-rules dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>	2024-05-30 16:36:56 +02:00
Luca Guerra	1ddfde61f5	update(docs): update CHANGELOG for 0.38.0 Signed-off-by: Luca Guerra <luca@guerra.sh>	2024-05-30 16:35:56 +02:00
Federico Di Pierro	edd93054fd	chore(proposals): fix typo. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-05-28 11:05:46 +02:00
Federico Di Pierro	b5316c98bc	update(cmake): bump falcoctl to v0.8.0. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>	2024-05-28 11:05:46 +02:00
Luca Guerra	6c66294e72	chore(build): bump rules to 3.1.0 Signed-off-by: Luca Guerra <luca@guerra.sh>	2024-05-27 16:29:43 +02:00
dependabot[bot]	9fd26eaa2e	--- updated-dependencies: - dependency-name: submodules/falcosecurity-rules dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>	2024-05-23 09:51:23 +02:00
Jason Dellaluce	cd1c5f911c	refactor(userspace): move falco logger under falco engine Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>	2024-05-23 09:29:23 +02:00
Luca Guerra	40765ca77b	chore(gha): update cosign Signed-off-by: Luca Guerra <luca@guerra.sh>	2024-05-21 11:41:13 +02:00
dependabot[bot]	1e942129b2	build(deps): Bump submodules/falcosecurity-rules Bumps [submodules/falcosecurity-rules](https://github.com/falcosecurity/rules) from `29c41c4` to `59bf03b`. - [Release notes](https://github.com/falcosecurity/rules/releases) - [Commits](`29c41c4eed...59bf03bf74`) --- updated-dependencies: - dependency-name: submodules/falcosecurity-rules dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>	2024-05-21 11:37:13 +02:00