update(CHANGELOG.md): release 0.41.2

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>

.dockerignore

@@ -0,0 +1,3 @@
+*
+!config/
+!docker/

.github/release_template.md

@@ -6,16 +6,16 @@
 | rpm-x86_64      | [![rpm](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpmFALCOBUCKET/falco-FALCOVER-x86_64.rpm)        |
 | deb-x86_64      | [![deb](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/debFALCOBUCKET/stable/falco-FALCOVER-x86_64.deb) |
 | tgz-x86_64      | [![tgz](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/binFALCOBUCKET/x86_64/falco-FALCOVER-x86_64.tar.gz) |
+| tgz-static-x86_64      | [![tgz-static](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/binFALCOBUCKET/x86_64/falco-FALCOVER-static-x86_64.tar.gz) |
 | rpm-aarch64      | [![rpm](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpmFALCOBUCKET/falco-FALCOVER-aarch64.rpm)        |
 | deb-aarch64      | [![deb](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/debFALCOBUCKET/stable/falco-FALCOVER-aarch64.deb) |
 | tgz-aarch64      | [![tgz](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/binFALCOBUCKET/aarch64/falco-FALCOVER-aarch64.tar.gz) |
 
-| Images                                                                      |
-| --------------------------------------------------------------------------- |
-| `docker pull docker.io/falcosecurity/falco:FALCOVER`                           |
-| `docker pull public.ecr.aws/falcosecurity/falco:FALCOVER`                      |
-| `docker pull docker.io/falcosecurity/falco-driver-loader:FALCOVER`             |
-| `docker pull docker.io/falcosecurity/falco-driver-loader-legacy:FALCOVER`      |
-| `docker pull docker.io/falcosecurity/falco-no-driver:FALCOVER`                 |
-| `docker pull docker.io/falcosecurity/falco-distroless:FALCOVER`                |
+| Images                                                                    |
+|---------------------------------------------------------------------------|
+| `docker pull docker.io/falcosecurity/falco:FALCOVER`                      |
+| `docker pull public.ecr.aws/falcosecurity/falco:FALCOVER`                 |
+| `docker pull docker.io/falcosecurity/falco-driver-loader:FALCOVER`        |
+| `docker pull docker.io/falcosecurity/falco-driver-loader:FALCOVER-buster` |
+| `docker pull docker.io/falcosecurity/falco:FALCOVER-debian`               |
 

.github/workflows/bump-libs.yaml

@@ -0,0 +1,63 @@
+---
+name: Bump Libs
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '30 6 * * 1' # on each monday 6:30
+
+# Checks if any concurrent jobs is running for kernels CI and eventually cancel it.
+concurrency:
+  group: bump-libs-ci
+  cancel-in-progress: true
+
+jobs:
+  bump-libs:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Download libs master tar.gz
+        run: |
+          wget https://github.com/falcosecurity/libs/archive/refs/heads/master.tar.gz
+
+      - name: Store libs hash and shasum
+        id: store
+        run: |
+          gunzip -c master.tar.gz > master.tar
+          commit=$(cat master.tar | git get-tar-commit-id)
+          echo "COMMIT=$commit" >> "$GITHUB_OUTPUT"
+          wget https://github.com/falcosecurity/libs/archive/$commit.tar.gz
+          echo "SHASUM=$(sha256sum $commit.tar.gz | awk '{print $1}')" >> "$GITHUB_OUTPUT"
+
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          path: falco
+
+      - name: Bump libs version and hash
+        run: |
+          cd falco
+          sed -i -E '45s/FALCOSECURITY_LIBS_VERSION "(.+)"/FALCOSECURITY_LIBS_VERSION "${{ steps.store.outputs.COMMIT }}"/' cmake/modules/falcosecurity-libs.cmake
+          sed -i -E '47s/"SHA256=(.+)"/"SHA256=${{ steps.store.outputs.SHASUM }}"/' cmake/modules/falcosecurity-libs.cmake
+          sed -i -E '38s/DRIVER_VERSION "(.+)"/DRIVER_VERSION "${{ steps.store.outputs.COMMIT }}"/' cmake/modules/driver.cmake
+          sed -i -E '40s/"SHA256=(.+)"/"SHA256=${{ steps.store.outputs.SHASUM }}"/' cmake/modules/driver.cmake
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
+        with:
+          path: falco
+          signoff: true
+          base: master
+          branch: update/libs
+          title: 'update(cmake): update libs and driver to latest master'
+          body: |
+            This PR updates libs and driver to latest commit.
+            /kind release
+            /area build
+            ```release-note
+            NONE
+            ```
+          commit-message: 'update(cmake): update libs and driver to latest master.'
+          token: ${{ secrets.GITHUB_TOKEN }}	  

.github/workflows/ci.yml

@@ -19,22 +19,14 @@ jobs:
   fetch-version:
     uses: ./.github/workflows/reusable_fetch_version.yaml
 
-  build-dev-packages-sanitizers-x86_64:
-    needs: [fetch-version]
-    uses: ./.github/workflows/reusable_build_packages.yaml
-    with:
-      arch: x86_64
-      version: ${{ needs.fetch-version.outputs.version }}
-      build_type: Debug
-      sanitizers: true
-
   build-dev-packages-x86_64:
     needs: [fetch-version]
     uses: ./.github/workflows/reusable_build_packages.yaml
     with:
       arch: x86_64
       version: ${{ needs.fetch-version.outputs.version }}
-      build_type: Release
+      enable_debug: true
+      enable_sanitizers: true
 
   build-dev-packages-arm64:
     needs: [fetch-version]
@@ -42,32 +34,31 @@ jobs:
     with:
       arch: aarch64
       version: ${{ needs.fetch-version.outputs.version }}
-      build_type: Debug
-      sanitizers: false
+      enable_debug: true
 
   test-dev-packages:
-    needs: [fetch-version, build-dev-packages-sanitizers-x86_64]
+    needs: [fetch-version, build-dev-packages-x86_64]
     uses: ./.github/workflows/reusable_test_packages.yaml
-    # The musl build job is currently disabled because we link libelf dynamically and it is
-    # not possible to dynamically link with musl
-    # strategy:
-    #   fail-fast: false
-    #   matrix:
-    #     static: ["static", ""]
+    # See https://github.com/falcosecurity/falco/pull/3482
+    # Since musl build does not support dynamically loaded plugins,
+    # many tests would fail (the ones using `container.foo` fields).
+    # Disable tests on static builds for now.
+#    strategy:
+#      fail-fast: false
+#      matrix:
+#        static: ["static", ""]
     with:
       arch: x86_64
+#      sanitizers: ${{ matrix.static == '' && true || false }}
       sanitizers: true
-      # static: ${{ matrix.static != '' && true || false }}
+#      static: ${{ matrix.static != '' && true || false }}
       version: ${{ needs.fetch-version.outputs.version }}
 
   test-dev-packages-arm64:
     needs: [fetch-version, build-dev-packages-arm64]
     uses: ./.github/workflows/reusable_test_packages.yaml
-    strategy:
-      fail-fast: false
     with:
       arch: aarch64
-      static: ${{ matrix.static != '' && true || false }}
       version: ${{ needs.fetch-version.outputs.version }}
 
   build-dev-minimal:

.github/workflows/format.yaml

@@ -32,7 +32,7 @@ jobs:
 
       - name: Upload the git diff artifact 📦
         if: failure()
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: format_diff.patch
           path: ./format_diff.patch

.github/workflows/master.yaml

@@ -31,15 +31,17 @@ jobs:
   test-dev-packages:
     needs: [fetch-version, build-dev-packages]
     uses: ./.github/workflows/reusable_test_packages.yaml
-    # The musl build job is currently disabled because we link libelf dynamically and it is
-    # not possible to dynamically link with musl
-    # strategy:
-    #   fail-fast: false
-    #   matrix:
-    #     static: ["static", ""]
+    # See https://github.com/falcosecurity/falco/pull/3482
+    # Since musl build does not support dynamically loaded plugins,
+    # many tests would fail (the ones using `container.foo` fields).
+    # Disable tests on static builds for now.
+#    strategy:
+#      fail-fast: false
+#      matrix:
+#        static: ["static", ""]
     with:
       arch: x86_64
-      # static: ${{ matrix.static != '' && true || false }}
+#      static: ${{ matrix.static != '' && true || false }}
       version: ${{ needs.fetch-version.outputs.version }}
   
   test-dev-packages-arm64:

.github/workflows/release.yaml

@@ -6,13 +6,13 @@ on:
 # Checks if any concurrent jobs is running for release CI and eventually cancel it.
 concurrency:
   group: ci-release
-  cancel-in-progress: true  
-  
+  cancel-in-progress: true
+
 jobs:
   release-settings:
     runs-on: ubuntu-latest
     outputs:
-      is_latest: ${{ steps.get_settings.outputs.is_latest }} 
+      is_latest: ${{ steps.get_settings.outputs.is_latest }}
       bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }}
     steps:
       - name: Get latest release
@@ -69,25 +69,26 @@ jobs:
   test-packages:
     needs: [release-settings, build-packages]
     uses: ./.github/workflows/reusable_test_packages.yaml
-
-    # The musl build job is currently disabled because we link libelf dynamically and it is
-    # not possible to dynamically link with musl
-    # strategy:
-    #   fail-fast: false
-    #   matrix:
-    #     static: ["static", ""]
+    # See https://github.com/falcosecurity/falco/pull/3482
+    # Since musl build does not support dynamically loaded plugins,
+    # many tests would fail (the ones using `container.foo` fields).
+    # Disable tests on static builds for now.
+#    strategy:
+#      fail-fast: false
+#      matrix:
+#        static: ["static", ""]
     with:
       arch: x86_64
-      # static: ${{ matrix.static != '' && true || false }}
+#      static: ${{ matrix.static != '' && true || false }}
       version: ${{ github.event.release.tag_name }}
-  
+
   test-packages-arm64:
     needs: [release-settings, build-packages-arm64]
     uses: ./.github/workflows/reusable_test_packages.yaml
     with:
       arch: aarch64
       version: ${{ github.event.release.tag_name }}
-    
+
   publish-packages:
     needs: [release-settings, test-packages, test-packages-arm64]
     uses: ./.github/workflows/reusable_publish_packages.yaml
@@ -95,7 +96,7 @@ jobs:
       bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
       version: ${{ github.event.release.tag_name }}
     secrets: inherit
-  
+
   # Both build-docker and its arm64 counterpart require build-packages because they use its output
   build-docker:
     needs: [release-settings, build-packages, publish-packages]
@@ -106,7 +107,7 @@ jobs:
       version: ${{ github.event.release.tag_name }}
       tag: ${{ github.event.release.tag_name }}
     secrets: inherit
-    
+
   build-docker-arm64:
     needs: [release-settings, build-packages, publish-packages]
     uses: ./.github/workflows/reusable_build_docker.yaml
@@ -125,7 +126,7 @@ jobs:
       is_latest: ${{ needs.release-settings.outputs.is_latest == 'true' }}
       tag: ${{ github.event.release.tag_name }}
       sign: true
-      
+
   release-body:
     needs: [release-settings, publish-docker]
     if: ${{ needs.release-settings.outputs.is_latest == 'true' }} # only for latest releases
@@ -135,7 +136,7 @@ jobs:
     steps:
       - name: Clone repo
         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
-          
+
       - name: Extract LIBS and DRIVER versions
         run: |
           cp .github/release_template.md release-body.md
@@ -143,29 +144,48 @@ jobs:
           DRIVER_VERS=$(cat cmake/modules/driver.cmake | grep 'set(DRIVER_VERSION' | tail -n1 | grep -o '[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*+driver')
           sed -i s/LIBSVER/$LIBS_VERS/g release-body.md
           sed -i s/DRIVERVER/$DRIVER_VERS/g release-body.md
-          
+
       - name: Append release matrixes
         run: |
           sed -i s/FALCOBUCKET/${{ needs.release-settings.outputs.bucket_suffix }}/g release-body.md
           sed -i s/FALCOVER/${{ github.event.release.tag_name }}/g release-body.md
-          
+
       - name: Generate release notes
         uses: leodido/rn2md@9c351d81278644c0e17b1ca68edbdba305276c73
         with:
           milestone: ${{ github.event.release.tag_name }}
           output: ./notes.md
-        
+
       - name: Merge release notes to pre existent body
         run: cat notes.md >> release-body.md
-        
+
       - name: Attach release creator to release body
         run: |
           echo "" >> release-body.md
           echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md
-        
+
+      - name: Download debug symbols for Falco x86_64
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: falco-${{ github.event.release.tag_name }}-x86_64.debug
+
+      - name: Rename x86_64 debug symbols
+        run: mv falco.debug falco-x86_64.debug
+
+      - name: Download debug symbols for Falco aarch64
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: falco-${{ github.event.release.tag_name }}-aarch64.debug
+
+      - name: Rename aarch64 debug symbols
+        run: mv falco.debug falco-aarch64.debug
+
       - name: Release
         uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
         with:
           body_path: ./release-body.md
           tag_name: ${{ github.event.release.tag_name }}
           name: ${{ github.event.release.name }}
+          files: |
+            falco-x86_64.debug
+            falco-aarch64.debug

.github/workflows/reusable_build_dev.yaml

@@ -39,7 +39,7 @@ permissions:
 jobs:
   build-and-test:
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
-    runs-on: ${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-22.04' }}
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
     outputs:
       cmdout: ${{ steps.run_cmd.outputs.out }}
     steps:

.github/workflows/reusable_build_docker.yaml

@@ -20,79 +20,65 @@ on:
         required: true
         type: string
 
-# Here we just build all docker images as tarballs, 
+# Here we just build all docker images as tarballs,
 # then we upload all the tarballs to be later downloaded by reusable_publish_docker workflow.
-# In this way, we don't need to publish any arch specific image, 
+# In this way, we don't need to publish any arch specific image,
 # and this "build" workflow is actually only building images.
 
-permissions:  
+permissions:
   contents: read
 
 jobs:
   build-docker:
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
-    runs-on: ${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-latest' }}
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}
     env:
       TARGETARCH: ${{ (inputs.arch == 'aarch64' && 'arm64') || 'amd64' }}
     steps:
       - name: Checkout
         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
-        
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
-          
-      - name: Build no-driver image
-        run: |
-          cd ${{ github.workspace }}/docker/no-driver/
-          docker build -t docker.io/falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ inputs.tag }} \
-            --build-arg VERSION_BUCKET=bin${{ inputs.bucket_suffix }} \
-            --build-arg FALCO_VERSION=${{ inputs.version }} \
-            --build-arg TARGETARCH=${TARGETARCH} \
-            .
-            docker save docker.io/falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-no-driver-${{ inputs.arch }}.tar
 
-      - name: Build distroless image
-        run: |
-          cd ${{ github.workspace }}/docker/no-driver/
-          docker build -f Dockerfile.distroless -t docker.io/falcosecurity/falco-distroless:${{ inputs.arch }}-${{ inputs.tag }} \
-            --build-arg VERSION_BUCKET=bin${{ inputs.bucket_suffix }} \
-            --build-arg FALCO_VERSION=${{ inputs.version }} \
-            --build-arg TARGETARCH=${TARGETARCH} \
-            .
-            docker save docker.io/falcosecurity/falco-distroless:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-distroless-${{ inputs.arch }}.tar
-            
       - name: Build falco image
         run: |
-          cd ${{ github.workspace }}/docker/falco/
-          docker build -t docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }} \
-            --build-arg VERSION_BUCKET=deb${{ inputs.bucket_suffix }} \
+          docker build -f docker/falco/Dockerfile -t docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }} \
+            --build-arg VERSION_BUCKET=bin${{ inputs.bucket_suffix }} \
             --build-arg FALCO_VERSION=${{ inputs.version }} \
             --build-arg TARGETARCH=${TARGETARCH} \
             .
             docker save docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-${{ inputs.arch }}.tar
 
+      - name: Build falco-debian image
+        run: |
+          docker build -f docker/falco-debian/Dockerfile -t docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }}-debian \
+            --build-arg VERSION_BUCKET=deb${{ inputs.bucket_suffix }} \
+            --build-arg FALCO_VERSION=${{ inputs.version }} \
+            --build-arg TARGETARCH=${TARGETARCH} \
+            .
+            docker save docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }}-debian --output /tmp/falco-${{ inputs.arch }}-debian.tar
+
       - name: Build falco-driver-loader image
         run: |
-          cd ${{ github.workspace }}/docker/driver-loader/
-          docker build -t docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }} \
+          docker build -f docker/driver-loader/Dockerfile -t docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }} \
             --build-arg FALCO_IMAGE_TAG=${{ inputs.arch }}-${{ inputs.tag }} \
             --build-arg TARGETARCH=${TARGETARCH} \
             .
             docker save docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-driver-loader-${{ inputs.arch }}.tar
 
-      - name: Build falco-driver-loader-legacy image
+      - name: Build falco-driver-loader-buster image
         run: |
-          cd ${{ github.workspace }}/docker/driver-loader-legacy/
-          docker build -t docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.arch }}-${{ inputs.tag }} \
+          docker build -f docker/driver-loader-buster/Dockerfile -t docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }}-buster \
             --build-arg VERSION_BUCKET=deb${{ inputs.bucket_suffix }} \
             --build-arg FALCO_VERSION=${{ inputs.version }} \
             --build-arg TARGETARCH=${TARGETARCH} \
             .
-            docker save docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-driver-loader-legacy-${{ inputs.arch }}.tar
+            docker save docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }}-buster --output /tmp/falco-driver-loader-${{ inputs.arch }}-buster.tar
 
       - name: Upload images tarballs
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
-          name: falco-images
+          name: falco-images-${{ inputs.arch }}
           path: /tmp/falco-*.tar
           retention-days: 1

.github/workflows/reusable_build_packages.yaml

@@ -10,13 +10,13 @@ on:
         description: The Falco version to use when building packages
         required: true
         type: string
-      build_type:
-        description: The build type
+      enable_debug:
+        description: Also create a debug build
         required: false
-        type: string
-        default: 'Release'
-      sanitizers:
-        description: enable sanitizer support
+        type: boolean
+        default: false
+      enable_sanitizers:
+        description: Also create a sanitizer build
         required: false
         type: boolean
         default: false
@@ -27,13 +27,13 @@ permissions:
 jobs:
   build-modern-bpf-skeleton:
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
-    runs-on: ${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-latest' }}
-    container: fedora:latest
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}
+    container: fedora:41
     steps:
       # Always install deps before invoking checkout action, to properly perform a full clone.
       - name: Install build dependencies
         run: |
-          dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake libbpf-devel elfutils-libelf-devel
+          dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake
 
       - name: Checkout
         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
@@ -45,120 +45,202 @@ jobs:
           cmake --build skeleton-build --target ProbeSkeleton -j6
 
       - name: Upload skeleton
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: bpf_probe_${{ inputs.arch }}.skel.h
           path: skeleton-build/skel_dir/bpf_probe.skel.h
           retention-days: 1
 
-  build-packages:
-    env:
-      ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
+  build-packages-release:
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
-    runs-on: ${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-latest' }}
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}
     needs: [build-modern-bpf-skeleton]
-    container: centos:7
     steps:
       # Always install deps before invoking checkout action, to properly perform a full clone.
-      - name: Fix mirrors to use vault.centos.org
-        run: |
-          sed -i s/mirror.centos.org/vault.centos.org/g /etc/yum.repos.d/*.repo
-          sed -i s/^#.*baseurl=http/baseurl=https/g /etc/yum.repos.d/*.repo
-          sed -i s/^mirrorlist=http/#mirrorlist=https/g /etc/yum.repos.d/*.repo
-
-      - name: Install scl repos
-        run: |
-          yum -y install centos-release-scl
-
-      - name: Fix new mirrors to use vault.centos.org
-        run: |
-          sed -i s/mirror.centos.org/vault.centos.org/g /etc/yum.repos.d/*.repo
-          sed -i s/^#.*baseurl=http/baseurl=https/g /etc/yum.repos.d/*.repo
-          sed -i s/^mirrorlist=http/#mirrorlist=https/g /etc/yum.repos.d/*.repo
-
-      - name: Fix arm64 scl repos to use correct mirror
-        if: inputs.arch == 'aarch64'
-        run: |
-          sed -i 's/vault.centos.org\/centos/vault.centos.org\/altarch/g' /etc/yum.repos.d/CentOS-SCLo-scl*.repo
-
       - name: Install build deps
         run: |
-          yum -y install devtoolset-9-gcc devtoolset-9-gcc-c++
-          source /opt/rh/devtoolset-9/enable
-          yum install -y wget git make m4 rpm-build elfutils-libelf-devel perl-IPC-Cmd devtoolset-9-libasan-devel devtoolset-9-libubsan-devel
+          sudo apt update && sudo apt install -y --no-install-recommends ca-certificates cmake curl wget build-essential git pkg-config autoconf automake libtool m4 rpm alien
+
+      - name: Install systemd rpm macros
+        run: |
+          wget https://www.rpmfind.net/linux/centos-stream/9-stream/BaseOS/${{ inputs.arch }}/os/Packages/systemd-rpm-macros-252-51.el9.noarch.rpm
+          sudo alien -d -i systemd-rpm-macros-252-51.el9.noarch.rpm
 
       - name: Checkout
-        # It is not possible to upgrade the checkout action to versions >= v4.0.0 because of incompatibilities with centos 7's libc.
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
 
       - name: Download skeleton
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: bpf_probe_${{ inputs.arch }}.skel.h
           path: /tmp
 
-      - name: Install updated cmake
-        run: |
-          curl -L https://github.com/Kitware/CMake/releases/download/v3.22.5/cmake-3.22.5-linux-$(uname -m).tar.gz \
-            | tar --directory=/usr --strip-components=1 -xzp
+      - name: Install zig
+        if: inputs.sanitizers == false
+        uses: falcosecurity/libs/.github/actions/install-zig@master
 
       - name: Prepare project
         run: |
-          source /opt/rh/devtoolset-9/enable
           cmake -B build -S . \
-              -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
+              -DCMAKE_BUILD_TYPE=RelWithDebInfo \
               -DUSE_BUNDLED_DEPS=On \
               -DFALCO_ETC_DIR=/etc/falco \
               -DMODERN_BPF_SKEL_DIR=/tmp \
               -DBUILD_DRIVER=Off \
               -DBUILD_BPF=Off \
-              -DUSE_ASAN=${{ (inputs.sanitizers == true && inputs.arch == 'x86_64' && 'ON') || 'OFF' }} \
+              -DUSE_JEMALLOC=ON \
               -DFALCO_VERSION=${{ inputs.version }}
 
       - name: Build project
         run: |
-          source /opt/rh/devtoolset-9/enable
           cmake --build build --target falco -j6
 
       - name: Build packages
         run: |
-          source /opt/rh/devtoolset-9/enable
           cmake --build build --target package
 
       - name: Upload Falco tar.gz package
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
-          name: falco-${{ inputs.version }}-${{ inputs.arch }}${{ inputs.sanitizers == true && '-sanitizers' || '' }}.tar.gz
+          name: falco-${{ inputs.version }}-${{ inputs.arch }}.tar.gz
           path: |
             ${{ github.workspace }}/build/falco-*.tar.gz
 
       - name: Upload Falco deb package
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
-          name: falco-${{ inputs.version }}-${{ inputs.arch }}${{ inputs.sanitizers == true && '-sanitizers' || '' }}.deb
+          name: falco-${{ inputs.version }}-${{ inputs.arch }}.deb
           path: |
             ${{ github.workspace }}/build/falco-*.deb
 
       - name: Upload Falco rpm package
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
-          name: falco-${{ inputs.version }}-${{ inputs.arch }}${{ inputs.sanitizers == true && '-sanitizers' || '' }}.rpm
+          name: falco-${{ inputs.version }}-${{ inputs.arch }}.rpm
           path: |
             ${{ github.workspace }}/build/falco-*.rpm
 
-  # The musl build job is currently disabled because we link libelf dynamically and it is
-  # not possible to dynamically link with musl
+      - name: Upload Falco debug symbols
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: falco-${{ inputs.version }}-${{ inputs.arch }}.debug
+          path: |
+            ${{ github.workspace }}/build/userspace/falco/falco.debug
+
+  build-packages-debug:
+    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
+    if: ${{ inputs.enable_debug == true }}
+    needs: [build-modern-bpf-skeleton]
+    steps:
+      # Always install deps before invoking checkout action, to properly perform a full clone.
+      - name: Install build deps
+        run: |
+          sudo apt update && sudo apt install -y --no-install-recommends ca-certificates cmake curl wget build-essential git pkg-config autoconf automake libtool m4 rpm
+
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+
+      - name: Download skeleton
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: bpf_probe_${{ inputs.arch }}.skel.h
+          path: /tmp
+
+      - name: Install zig
+        if: inputs.sanitizers == false
+        uses: falcosecurity/libs/.github/actions/install-zig@master
+
+      - name: Prepare project
+        run: |
+          cmake -B build -S . \
+              -DCMAKE_BUILD_TYPE=Debug \
+              -DUSE_BUNDLED_DEPS=On \
+              -DFALCO_ETC_DIR=/etc/falco \
+              -DMODERN_BPF_SKEL_DIR=/tmp \
+              -DBUILD_DRIVER=Off \
+              -DBUILD_BPF=Off \
+              -DUSE_JEMALLOC=On \
+              -DFALCO_VERSION=${{ inputs.version }}
+
+      - name: Build project
+        run: |
+          cmake --build build --target falco -j6
+
+      - name: Build packages
+        run: |
+          cmake --build build --target package
+
+      - name: Upload Falco tar.gz package
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: falco-${{ inputs.version }}-${{ inputs.arch }}-debug.tar.gz
+          path: |
+            ${{ github.workspace }}/build/falco-*.tar.gz
+
+  build-packages-sanitizers:
+    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}
+    if: ${{ inputs.enable_sanitizers == true }}
+    needs: [build-modern-bpf-skeleton]
+    steps:
+      # Always install deps before invoking checkout action, to properly perform a full clone.
+      - name: Install build deps
+        run: |
+          sudo apt update && sudo apt install -y --no-install-recommends ca-certificates cmake curl wget build-essential git pkg-config autoconf automake libtool m4 rpm
+
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+
+      - name: Download skeleton
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: bpf_probe_${{ inputs.arch }}.skel.h
+          path: /tmp
+
+      - name: Prepare project
+        # Jemalloc and ASAN don't play very well together.
+        run: |
+          cmake -B build -S . \
+              -DCMAKE_BUILD_TYPE=Debug \
+              -DUSE_BUNDLED_DEPS=On \
+              -DFALCO_ETC_DIR=/etc/falco \
+              -DMODERN_BPF_SKEL_DIR=/tmp \
+              -DBUILD_DRIVER=Off \
+              -DBUILD_BPF=Off \
+              -DUSE_JEMALLOC=Off \
+              -DUSE_ASAN=On \
+              -DFALCO_VERSION=${{ inputs.version }}
+
+      - name: Build project
+        run: |
+          cmake --build build --target falco -j6
+
+      - name: Build packages
+        run: |
+          cmake --build build --target package
+
+      - name: Upload Falco tar.gz package
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: falco-${{ inputs.version }}-${{ inputs.arch }}-sanitizers.tar.gz
+          path: |
+            ${{ github.workspace }}/build/falco-*.tar.gz
+
   build-musl-package:
     # x86_64 only for now
-    # if: ${{ inputs.arch == 'x86_64' }}
-    if: false
+    if: ${{ inputs.arch == 'x86_64' }}
     runs-on: ubuntu-latest
     container: alpine:3.17
     steps:
       # Always install deps before invoking checkout action, to properly perform a full clone.
       - name: Install build dependencies
         run: |
-          apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils bpftool clang
+          apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils clang llvm
+          git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
+          cd bpftool
+          git submodule update --init
+          cd src && make install
 
       - name: Checkout
         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
@@ -168,10 +250,14 @@ jobs:
       - name: Prepare project
         run: |
           cmake -B build -S . \
-                -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
+                -DCMAKE_BUILD_TYPE=Release \
                 -DCPACK_GENERATOR=TGZ \
                 -DBUILD_BPF=Off -DBUILD_DRIVER=Off \
-                -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco -DFALCO_VERSION=${{ inputs.version }}
+                -DUSE_JEMALLOC=On \
+                -DUSE_BUNDLED_DEPS=On \
+                -DMUSL_OPTIMIZED_BUILD=On \
+                -DFALCO_ETC_DIR=/etc/falco \
+                -DFALCO_VERSION=${{ inputs.version }}
 
       - name: Build project
         run: |
@@ -187,7 +273,7 @@ jobs:
           mv falco-${{ inputs.version }}-x86_64.tar.gz falco-${{ inputs.version }}-static-x86_64.tar.gz
 
       - name: Upload Falco static package
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: falco-${{ inputs.version }}-static-x86_64.tar.gz
           path: |
@@ -195,7 +281,7 @@ jobs:
 
   build-wasm-package:
     if: ${{ inputs.arch == 'x86_64' }}
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       # Always install deps before invoking checkout action, to properly perform a full clone.
       - name: Install build dependencies
@@ -216,10 +302,7 @@ jobs:
       - name: Prepare project
         run: |
           emcmake cmake -B build -S . \
-            -DBUILD_BPF=Off \
-            -DBUILD_DRIVER=Off \
-            -DBUILD_FALCO_MODERN_BPF=Off \
-            -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
+            -DCMAKE_BUILD_TYPE=Release \
             -DUSE_BUNDLED_DEPS=On \
             -DFALCO_ETC_DIR=/etc/falco \
             -DBUILD_FALCO_UNIT_TESTS=On \
@@ -241,7 +324,7 @@ jobs:
           emmake make -j6 package
 
       - name: Upload Falco WASM package
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: falco-${{ inputs.version }}-wasm.tar.gz
           path: |
@@ -259,28 +342,28 @@ jobs:
       # NOTE: Backslash doesn't work as line continuation on Windows.
       - name: Prepare project
         run: |
-          cmake -B build -S . -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} -DMINIMAL_BUILD=On -DUSE_BUNDLED_DEPS=On -DBUILD_FALCO_UNIT_TESTS=On -DFALCO_VERSION=${{ inputs.version }}
+          cmake -B build -S . -DCMAKE_BUILD_TYPE=Release -DMINIMAL_BUILD=On -DUSE_BUNDLED_DEPS=On -DBUILD_FALCO_UNIT_TESTS=On -DFALCO_VERSION=${{ inputs.version }}
 
       - name: Build project
         run: |
-          cmake --build build --target package --config ${{ inputs.build_type }}
+          cmake --build build --target package --config Release
 
       - name: Run unit Tests
         run: |
-          build/unit_tests/${{ inputs.build_type }}/falco_unit_tests.exe
+          build/unit_tests/Release/falco_unit_tests.exe
 
       - name: Upload Falco win32 installer
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
-          name: falco-installer-${{ inputs.version }}-win32.exe
+          name: falco-installer-Release-win32.exe
           path: build/falco-*.exe
 
       - name: Upload Falco win32 package
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
-          name: falco-${{ inputs.version }}-win32.exe
+          name: falco-Release-win32.exe
           path: |
-            ${{ github.workspace }}/build/userspace/falco/${{ inputs.build_type }}/falco.exe
+            ${{ github.workspace }}/build/userspace/falco/Release/falco.exe
 
   build-macos-package:
     if: ${{ inputs.arch == 'x86_64' }}
@@ -305,7 +388,7 @@ jobs:
           sudo build/unit_tests/falco_unit_tests
 
       - name: Upload Falco macos package
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: falco-${{ inputs.version }}-macos
           path: |

.github/workflows/reusable_publish_docker.yaml

@@ -18,44 +18,55 @@ on:
         default: false
 
 permissions:
-  id-token: write
   contents: read
-  
+
 jobs:
   publish-docker:
     runs-on: ubuntu-latest
+
+    permissions:
+      attestations: write
+      id-token: write
+      contents: read
+
     steps:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
-    
-      - name: Download images tarballs
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+
+      - name: Download x86_64 images tarballs
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
-          name: falco-images
+          name: falco-images-x86_64
           path: /tmp/falco-images
-      
+
+      - name: Download aarch64 images tarballs
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: falco-images-aarch64
+          path: /tmp/falco-images
+
       - name: Load all images
         run: |
           for img in /tmp/falco-images/falco-*.tar; do docker load --input $img; done
-    
+
       - name: Login to Docker Hub
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           username: ${{ secrets.DOCKERHUB_USER }}
           password: ${{ secrets.DOCKERHUB_SECRET }}
-      
+
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
         with:
           role-to-assume: "arn:aws:iam::292999226676:role/github_actions-falco-ecr"
           aws-region: us-east-1 # The region must be set to us-east-1 in order to access ECR Public.
-          
+
       - name: Login to Amazon ECR
         id: login-ecr-public
         uses: aws-actions/amazon-ecr-login@2f9f10ea3fa2eed41ac443fee8bfbd059af2d0a4 # v1.6.0
         with:
-          registry-type: public    
-      
+          registry-type: public
+
       - name: Setup Crane
         uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3
         with:
@@ -64,42 +75,29 @@ jobs:
       # We're pushing the arch-specific manifests to Docker Hub so that we'll be able to easily create the index/multiarch later
       - name: Push arch-specific images to Docker Hub
         run: |
-          docker push docker.io/falcosecurity/falco-no-driver:aarch64-${{ inputs.tag }}
-          docker push docker.io/falcosecurity/falco-no-driver:x86_64-${{ inputs.tag }}
-          docker push docker.io/falcosecurity/falco-distroless:aarch64-${{ inputs.tag }}
-          docker push docker.io/falcosecurity/falco-distroless:x86_64-${{ inputs.tag }}
           docker push docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }}
           docker push docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}
+          docker push docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }}-debian
+          docker push docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}-debian
           docker push docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }}
           docker push docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}
-          docker push docker.io/falcosecurity/falco-driver-loader-legacy:aarch64-${{ inputs.tag }}
-          docker push docker.io/falcosecurity/falco-driver-loader-legacy:x86_64-${{ inputs.tag }}
+          docker push docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }}-buster
+          docker push docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}-buster
 
-      - name: Create no-driver manifest on Docker Hub
-        uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
-        with:
-          inputs: docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }}
-          images: docker.io/falcosecurity/falco-no-driver:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-no-driver:x86_64-${{ inputs.tag }}
-          push: true
-
-      - name: Create distroless manifest on Docker Hub
-        uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
-        with:
-          inputs: docker.io/falcosecurity/falco-distroless:${{ inputs.tag }}
-          images: docker.io/falcosecurity/falco-distroless:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-distroless:x86_64-${{ inputs.tag }}
-          push: true
-          
-      - name: Tag slim manifest on Docker Hub
-        run: |
-          crane copy docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} docker.io/falcosecurity/falco:${{ inputs.tag }}-slim
-
-      - name: Create falco manifest on Docker Hub
+      - name: Create Falco manifest on Docker Hub
         uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
         with:
           inputs: docker.io/falcosecurity/falco:${{ inputs.tag }}
           images: docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}
           push: true
-          
+
+      - name: Create falco-debian manifest on Docker Hub
+        uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
+        with:
+          inputs: docker.io/falcosecurity/falco:${{ inputs.tag }}-debian
+          images: docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }}-debian,docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}-debian
+          push: true
+
       - name: Create falco-driver-loader manifest on Docker Hub
         uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
         with:
@@ -107,48 +105,41 @@ jobs:
           images: docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}
           push: true
 
-      - name: Create falco-driver-loader-legacy manifest on Docker Hub
+      - name: Create falco-driver-loader-buster manifest on Docker Hub
         uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
         with:
-          inputs: docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }}
-          images: docker.io/falcosecurity/falco-driver-loader-legacy:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-driver-loader-legacy:x86_64-${{ inputs.tag }}
+          inputs: docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster
+          images: docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }}-buster,docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}-buster
           push: true
 
       - name: Get Digests for images
         id: digests
         # We could probably use the docker-manifest-action output instead of recomputing those with crane
         run: |
-          echo "falco-no-driver=$(crane digest docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }})" >> $GITHUB_OUTPUT
-          echo "falco-distroless=$(crane digest docker.io/falcosecurity/falco-distroless:${{ inputs.tag }})" >> $GITHUB_OUTPUT
           echo "falco=$(crane digest docker.io/falcosecurity/falco:${{ inputs.tag }})" >> $GITHUB_OUTPUT
+          echo "falco-debian=$(crane digest docker.io/falcosecurity/falco:${{ inputs.tag }}-debian)" >> $GITHUB_OUTPUT
           echo "falco-driver-loader=$(crane digest docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }})" >> $GITHUB_OUTPUT
-          echo "falco-driver-loader-legacy=$(crane digest docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }})" >> $GITHUB_OUTPUT
+          echo "falco-driver-loader-buster=$(crane digest docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster)" >> $GITHUB_OUTPUT
 
       - name: Publish images to ECR
         run: |
-          crane copy docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }}
-          crane copy docker.io/falcosecurity/falco-distroless:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-distroless:${{ inputs.tag }}
           crane copy docker.io/falcosecurity/falco:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}
+          crane copy docker.io/falcosecurity/falco:${{ inputs.tag }}-debian public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-debian
           crane copy docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }}
-          crane copy docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }}
-          crane copy public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-slim
+          crane copy docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster
 
       - name: Tag latest on Docker Hub and ECR
         if: inputs.is_latest
         run: |
-          crane tag docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} latest
-          crane tag docker.io/falcosecurity/falco-distroless:${{ inputs.tag }} latest
           crane tag docker.io/falcosecurity/falco:${{ inputs.tag }} latest
+          crane tag docker.io/falcosecurity/falco:${{ inputs.tag }}-debian latest-debian
           crane tag docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }} latest
-          crane tag docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }} latest
-          crane tag docker.io/falcosecurity/falco:${{ inputs.tag }}-slim latest-slim
+          crane tag docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster latest-buster
 
-          crane tag public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.tag }} latest
-          crane tag public.ecr.aws/falcosecurity/falco-distroless:${{ inputs.tag }} latest
           crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }} latest
+          crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-debian latest-debian
           crane tag public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }} latest
-          crane tag public.ecr.aws/falcosecurity/falco-driver-loader-legacy:${{ inputs.tag }} latest
-          crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-slim latest-slim
+          crane tag public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster latest-buster
 
       - name: Setup Cosign
         if: inputs.sign
@@ -160,14 +151,24 @@ jobs:
           COSIGN_EXPERIMENTAL: "true"
           COSIGN_YES: "true"
         run: |
-          cosign sign docker.io/falcosecurity/falco-no-driver@${{ steps.digests.outputs.falco-no-driver }}
-          cosign sign docker.io/falcosecurity/falco-distroless@${{ steps.digests.outputs.falco-distroless }}
-          cosign sign docker.io/falcosecurity/falco@${{ steps.digests.outputs.falco }}
-          cosign sign docker.io/falcosecurity/falco-driver-loader@${{ steps.digests.outputs.falco-driver-loader }}
-          cosign sign docker.io/falcosecurity/falco-driver-loader-legacy@${{ steps.digests.outputs.falco-driver-loader-legacy }}
+          cosign sign docker.io/falcosecurity/falco:latest@${{ steps.digests.outputs.falco }}
+          cosign sign docker.io/falcosecurity/falco:latest-debian@${{ steps.digests.outputs.falco-debian }}
+          cosign sign docker.io/falcosecurity/falco-driver-loader:latest@${{ steps.digests.outputs.falco-driver-loader }}
+          cosign sign docker.io/falcosecurity/falco-driver-loader:latest-buster@${{ steps.digests.outputs.falco-driver-loader-buster }}
 
-          cosign sign public.ecr.aws/falcosecurity/falco-no-driver@${{ steps.digests.outputs.falco-no-driver }}
-          cosign sign public.ecr.aws/falcosecurity/falco-distroless@${{ steps.digests.outputs.falco-distroless }}
-          cosign sign public.ecr.aws/falcosecurity/falco@${{ steps.digests.outputs.falco }}
-          cosign sign public.ecr.aws/falcosecurity/falco-driver-loader@${{ steps.digests.outputs.falco-driver-loader }}
-          cosign sign public.ecr.aws/falcosecurity/falco-driver-loader-legacy@${{ steps.digests.outputs.falco-driver-loader-legacy }}
+          cosign sign public.ecr.aws/falcosecurity/falco:latest@${{ steps.digests.outputs.falco }}
+          cosign sign public.ecr.aws/falcosecurity/falco:latest-debian@${{ steps.digests.outputs.falco-debian }}
+          cosign sign public.ecr.aws/falcosecurity/falco-driver-loader:latest@${{ steps.digests.outputs.falco-driver-loader }}
+          cosign sign public.ecr.aws/falcosecurity/falco-driver-loader:latest-buster@${{ steps.digests.outputs.falco-driver-loader-buster }}
+
+      - uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+        with:
+          subject-name: docker.io/falcosecurity/falco
+          subject-digest: ${{ steps.digests.outputs.falco }}
+          push-to-registry: true
+
+      - uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+        with:
+          subject-name: docker.io/falcosecurity/falco-driver-loader
+          subject-digest: ${{ steps.digests.outputs.falco-driver-loader }}
+          push-to-registry: true

.github/workflows/reusable_publish_packages.yaml

@@ -42,40 +42,37 @@ jobs:
           aws-region: ${{ env.AWS_S3_REGION }}    
           
       - name: Download RPM x86_64
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: falco-${{ inputs.version }}-x86_64.rpm
           path: /tmp/falco-build-rpm
 
       - name: Download RPM aarch64
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: falco-${{ inputs.version }}-aarch64.rpm
           path: /tmp/falco-build-rpm
 
       - name: Download binary x86_64
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: falco-${{ inputs.version }}-x86_64.tar.gz
           path: /tmp/falco-build-bin
 
       - name: Download binary aarch64
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: falco-${{ inputs.version }}-aarch64.tar.gz
           path: /tmp/falco-build-bin
 
-      # The musl build job is currently disabled because we link libelf dynamically and it is
-      # not possible to dynamically link with musl
       - name: Download static binary x86_64
-        if: false
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: falco-${{ inputs.version }}-static-x86_64.tar.gz
           path: /tmp/falco-build-bin-static
 
       - name: Download WASM package
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: falco-${{ inputs.version }}-wasm.tar.gz
           path: /tmp/falco-wasm
@@ -88,7 +85,7 @@ jobs:
       - name: Sign rpms
         run: |
           rpmsign --define '_gpg_name Falcosecurity Package Signing' --addsign /tmp/falco-build-rpm/falco-*.rpm
-          rpm --qf %{SIGPGP:pgpsig} -qp /tmp/falco-build-rpm/falco-*.rpm | grep SHA256
+          rpm -qp --qf '%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{(none)}|}|\n' /tmp/falco-build-rpm/falco-*.rpm
 
       - name: Publish wasm
         run: |
@@ -102,11 +99,8 @@ jobs:
         run: |
           ./scripts/publish-bin -f /tmp/falco-build-bin/falco-${{ inputs.version }}-x86_64.tar.gz -r bin${{ inputs.bucket_suffix }} -a x86_64
           ./scripts/publish-bin -f /tmp/falco-build-bin/falco-${{ inputs.version }}-aarch64.tar.gz -r bin${{ inputs.bucket_suffix }} -a aarch64
-
-      # The musl build job is currently disabled because we link libelf dynamically and it is
-      # not possible to dynamically link with musl
+          
       - name: Publish static
-        if: false
         run: |
           ./scripts/publish-bin -f /tmp/falco-build-bin-static/falco-${{ inputs.version }}-static-x86_64.tar.gz -r bin${{ inputs.bucket_suffix }} -a x86_64
 
@@ -131,13 +125,13 @@ jobs:
           aws-region: ${{ env.AWS_S3_REGION }}     
       
       - name: Download deb x86_64
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: falco-${{ inputs.version }}-x86_64.deb
           path: /tmp/falco-build-deb
 
       - name: Download deb aarch64
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: falco-${{ inputs.version }}-aarch64.deb
           path: /tmp/falco-build-deb

.github/workflows/reusable_test_packages.yaml

@@ -27,10 +27,10 @@ permissions:
 jobs:
   test-packages:
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
-    runs-on: ${{ (inputs.arch == 'aarch64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-latest' }}
+    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}
     steps:
       - name: Download binary
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: falco-${{ inputs.version }}${{ inputs.static && '-static' || '' }}-${{ inputs.arch }}${{ inputs.sanitizers == true && '-sanitizers' || '' }}.tar.gz
       
@@ -40,16 +40,15 @@ jobs:
           tar -xvf $(ls falco-*.tar.gz)
           cd falco-${{ inputs.version }}-${{ inputs.arch }}
           sudo cp -r * /
-     
-      # We only run driver loader tests on x86_64
+    
       - name: Install kernel headers for falco-driver-loader tests
-        if: ${{ inputs.arch == 'x86_64' }}
         run: |
           sudo apt update -y
           sudo apt install -y --no-install-recommends linux-headers-$(uname -r)
 
       # Some builds use sanitizers, we always install support for them so they can run
       - name: Install sanitizer support
+        if: inputs.sanitizers
         run: |
           sudo apt update -y
           sudo apt install -y libasan5 libubsan1
@@ -57,12 +56,13 @@ jobs:
       - name: Run tests
         env:
           LSAN_OPTIONS: "intercept_tls_get_addr=0"
-        uses: falcosecurity/testing@main 
+        uses: falcosecurity/testing@main
         with:
           test-falco: 'true'
           test-falcoctl: 'true'
           test-k8saudit: 'true'
           test-dummy: 'true'
           static: ${{ inputs.static && 'true' || 'false' }}
-          test-drivers: ${{ inputs.arch == 'x86_64' && 'true' || 'false' }}
+          test-drivers: 'true'
           show-all: 'true'
+          report-name-suffix: ${{ inputs.static && '-static' || '' }}${{ inputs.sanitizers && '-sanitizers' || '' }}

.github/workflows/scorecard.yaml

@@ -65,7 +65,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: SARIF file
           path: results.sarif

.github/workflows/staticanalysis.yaml

@@ -29,7 +29,7 @@ jobs:
           cmake --build build -j4 --target cppcheck_htmlreport
 
       - name: Upload reports ⬆️
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: static-analysis-reports
           path: ./build/static-analysis-reports

ADOPTERS.md

@@ -43,6 +43,8 @@ This is a list of production adopters of Falco (in alphabetical order):
 
 * [MathWorks](https://mathworks.com) - MathWorks develops mathematical computing software for engineers and scientists. MathWorks uses Falco for Kubernetes threat detection, unexpected application behavior, and maps Falco rules to their cloud infrastructure's security kill chain model. MathWorks presented their Falco use case at [KubeCon + CloudNativeCon North America 2020](https://www.youtube.com/watch?v=L-5RYBTV010).
 
+* [NETWAYS Web Services](https://nws.netways.de/en/) - NETWAYS Web Services provides cloud and managed services tailored to their customers needs. From VPCs to managed databases and Kubernetes clusters, NETWAYS Web Services enables their customers to run infrastructure and applications without worries. Falco plays its part for NETWAYS Managed Services to ensure their platform conforms to ISO 27001 at all times and that their clients' workloads behave as expected by detecting anomalies in real-time.
+
 * [Pocteo](https://pocteo.co) - Pocteo helps with Kubernetes adoption in enterprises by providing a variety of services such as training, consulting, auditing and mentoring. We build CI/CD pipelines the GitOps way, as well as design and run k8s clusters. Pocteo uses Falco as a runtime monitoring system to secure clients' workloads against suspicious behavior and ensure k8s pods immutability. We also use Falco to collect, process and act on security events through a response engine and serverless functions.
 
 * [Preferral](https://www.preferral.com) - Preferral is a HIPAA-compliant platform for Referral Management and Online Referral Forms. Preferral streamlines the referral process for patients, specialists and their referral partners. By automating the referral process, referring practices spend less time on the phone, manual efforts are eliminated, and patients get the right care from the right specialist. Preferral leverages Falco to provide a Host Intrusion Detection System to meet their HIPAA compliance requirements.
@@ -58,6 +60,8 @@ This is a list of production adopters of Falco (in alphabetical order):
 
 * [Shopify](https://www.shopify.com) - Shopify is the leading multi-channel commerce platform. Merchants use Shopify to design, set up, and manage their stores across multiple sales channels, including mobile, web, social media, marketplaces, brick-and-mortar locations, and pop-up shops. The platform also provides merchants with a powerful back-office and a single view of their business, from payments to shipping. The Shopify platform was engineered for reliability and scale, making enterprise-level technology available to businesses of all sizes. Shopify uses Falco to complement its Host and Network Intrusion Detection Systems.
 
+* [SafeDep](https://safedep.io/) - SafeDep is a open source software supply chain security platform that helps organizations identify and mitigate risks in their dependencies. At its core, SafeDep offers [`vet`](https://github.com/safedep/vet) a free and open source tool for detecting vulnerabilities, malicious code, and quality issues in open source components, while the enterprise offering, SafeDep Cloud, provides centralized control, data aggregation, and advanced features like malware analysis for large-scale deployments across thousands of repositories. 
+ 
 * [Sight Machine](https://www.sightmachine.com) - Sight Machine is the category leader for manufacturing analytics and used by Global 500 companies to make better, faster decisions about their operations. Sight Machine uses Falco to help enforce SOC2 compliance as well as a tool for real time security monitoring and alerting in Kubernetes.
 
 * [Skyscanner](https://www.skyscanner.net) - Skyscanner is the world's travel search engine for flights, hotels and car rentals. Most of our infrastructure is based on Kubernetes, and our Security team is using Falco to monitor anomalies at runtime, integrating Falco's findings with our internal ChatOps tooling to provide insight on the behavior of our machines in production. We also postprocess and store Falco's results to generate dashboards for auditing purposes.

CHANGELOG.md

@@ -1,5 +1,253 @@
 # Change Log
 
+## v0.41.2
+
+Released on 2025-06-17
+
+
+
+### Minor Changes
+
+* update(build): update container plugin to 0.3.0 [[#3619](https://github.com/falcosecurity/falco/pull/3619)] - [@ekoops](https://github.com/ekoops)
+
+
+
+### Non user-facing changes
+
+* update(build): update container plugin to 0.2.6 [[#3611](https://github.com/falcosecurity/falco/pull/3611)] - [@leogr](https://github.com/leogr)
+
+### Statistics
+
+|   MERGED PRS    | NUMBER |
+|-----------------|--------|
+| Not user-facing |      1 |
+| Release note    |      1 |
+| Total           |      2 |
+
+## v0.41.1
+
+Released on 2025-06-05
+
+### Bug Fixes
+
+* fix(userspace/falco): when collecting metrics for stats_writer, create a `libs_metrics_collector` for each source [[#3585](https://github.com/falcosecurity/falco/pull/3585)] - [@FedeDP](https://github.com/FedeDP)
+* fix(userspace/falco): only enable prometheus metrics once all inspectors have been opened [[#3588](https://github.com/falcosecurity/falco/pull/3588)] - [@FedeDP](https://github.com/FedeDP)
+
+### Statistics
+
+|   MERGED PRS    | NUMBER |
+|-----------------|--------|
+| Not user-facing |      0 |
+| Release note    |      2 |
+| Total           |      2 |
+
+## v0.41.0
+
+Released on 2025-05-29
+
+### Breaking Changes :warning:
+
+* cleanup(engine)!: only consider .yaml/.yml rule files [[#3551](https://github.com/falcosecurity/falco/pull/3551)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* cleanup(userspace)!: deprecate print of `container.info` [[#3543](https://github.com/falcosecurity/falco/pull/3543)] - [@FedeDP](https://github.com/FedeDP)
+* cleanup(userspace/falco)!: drop deprecated in 0.40.0 CLI flags. [[#3496](https://github.com/falcosecurity/falco/pull/3496)] - [@FedeDP](https://github.com/FedeDP)
+
+
+### Major Changes
+
+* new(falco): add json_include_output_fields option [[#3527](https://github.com/falcosecurity/falco/pull/3527)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(build,userspace): switch to use container plugin [[#3482](https://github.com/falcosecurity/falco/pull/3482)] - [@FedeDP](https://github.com/FedeDP)
+* new(docker,scripts,ci): use an override config file to enable ISO 8601 output timeformat on docker images [[#3488](https://github.com/falcosecurity/falco/pull/3488)] - [@FedeDP](https://github.com/FedeDP)
+
+
+### Minor Changes
+
+* chore(build): update falcoctl to v0.11.2, rules for artifact follow to v4 [[#3580](https://github.com/falcosecurity/falco/pull/3580)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update(cmake): bumped falcoctl to 0.11.1 and rules to 4.0.0. [[#3577](https://github.com/falcosecurity/falco/pull/3577)] - [@FedeDP](https://github.com/FedeDP)
+* update(containers): update opencontainers labels [[#3575](https://github.com/falcosecurity/falco/pull/3575)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update(metrics): improve restart/hot_reload conditions inspection [[#3562](https://github.com/falcosecurity/falco/pull/3562)] - [@incertum](https://github.com/incertum)
+* update: empty `values` in `exceptions` won't emit a warning anymore [[#3529](https://github.com/falcosecurity/falco/pull/3529)] - [@leogr](https://github.com/leogr)
+* chore(falco.yaml): enable libs_logger by default with info level [[#3507](https://github.com/falcosecurity/falco/pull/3507)] - [@FedeDP](https://github.com/FedeDP)
+
+
+### Bug Fixes
+
+* fix(metrics/prometheus): gracefully handle multiple event sources, avoid erroneous duplicate metrics [[#3563](https://github.com/falcosecurity/falco/pull/3563)] - [@incertum](https://github.com/incertum)
+* fix(ci): properly install rpm systemd-rpm-macro package on building packages pipeline [[#3521](https://github.com/falcosecurity/falco/pull/3521)] - [@FedeDP](https://github.com/FedeDP)
+* fix(userspace/falco): init cmdline options after loading all config files [[#3493](https://github.com/falcosecurity/falco/pull/3493)] - [@FedeDP](https://github.com/FedeDP)
+* fix(cmake): add support for 16K kernel page to jemalloc [[#3490](https://github.com/falcosecurity/falco/pull/3490)] - [@Darkness4](https://github.com/Darkness4)
+* fix(userspace/falco): fix jemalloc enabled in minimal build. [[#3478](https://github.com/falcosecurity/falco/pull/3478)] - [@FedeDP](https://github.com/FedeDP)
+
+
+
+### Non user-facing changes
+
+* chore(deps): Bump submodules/falcosecurity-rules from `4ccf111` to `cb17833` [[#3572](https://github.com/falcosecurity/falco/pull/3572)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(cmake/rules): bump to falco-rules-4.0.0-rc1 [[#3567](https://github.com/falcosecurity/falco/pull/3567)] - [@leogr](https://github.com/leogr)
+* cleanup(userspace/falco): drop unused `libs_metrics_collector` variable. [[#3566](https://github.com/falcosecurity/falco/pull/3566)] - [@FedeDP](https://github.com/FedeDP)
+* update(cmake): update libs and driver to latest master [[#3564](https://github.com/falcosecurity/falco/pull/3564)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* fix(build): fixed container custom_target `sed` command. [[#3556](https://github.com/falcosecurity/falco/pull/3556)] - [@FedeDP](https://github.com/FedeDP)
+* chore(deps): Bump submodules/falcosecurity-rules from `ae6ed41` to `4ccf111` [[#3555](https://github.com/falcosecurity/falco/pull/3555)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix(cmake): fix bundled c-ares cmake issue with e.g. SLES [[#3559](https://github.com/falcosecurity/falco/pull/3559)] - [@terror96](https://github.com/terror96)
+* chore(deps): Bump submodules/falcosecurity-rules from `1d2c6b1` to `ae6ed41` [[#3553](https://github.com/falcosecurity/falco/pull/3553)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* chore: revert "chore(deps): Bump submodules/falcosecurity-rules from `1d2c6b1` to `371e431`" [[#3552](https://github.com/falcosecurity/falco/pull/3552)] - [@FedeDP](https://github.com/FedeDP)
+* update(cmake): update libs and driver to latest master [[#3550](https://github.com/falcosecurity/falco/pull/3550)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* update(cmake): update libs and driver to latest master [[#3549](https://github.com/falcosecurity/falco/pull/3549)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* update(adopters): added SafeDep as adopter [[#3548](https://github.com/falcosecurity/falco/pull/3548)] - [@KunalSin9h](https://github.com/KunalSin9h)
+* update(cmake): update libs and driver to latest master [[#3547](https://github.com/falcosecurity/falco/pull/3547)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* update(cmake): update libs and driver to latest master [[#3541](https://github.com/falcosecurity/falco/pull/3541)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* fix(userspace): fixed engine `openssl` dep. [[#3535](https://github.com/falcosecurity/falco/pull/3535)] - [@FedeDP](https://github.com/FedeDP)
+* fix(userspace/falco): fix outputs_http timeout [[#3523](https://github.com/falcosecurity/falco/pull/3523)] - [@benierc](https://github.com/benierc)
+* fix(ci): use clang-19 to build modern_ebpf skeleton. [[#3537](https://github.com/falcosecurity/falco/pull/3537)] - [@FedeDP](https://github.com/FedeDP)
+* update(cmake): update libs and driver to latest master [[#3531](https://github.com/falcosecurity/falco/pull/3531)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* update(cmake): update libs and driver to latest master [[#3530](https://github.com/falcosecurity/falco/pull/3530)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* update(cmake): update libs and driver to latest master [[#3525](https://github.com/falcosecurity/falco/pull/3525)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* update(cmake): update libs and driver to latest master [[#3520](https://github.com/falcosecurity/falco/pull/3520)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* update(cmake): update libs and driver to latest master [[#3516](https://github.com/falcosecurity/falco/pull/3516)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* docs(README.md): cleanups and enhancements [[#3514](https://github.com/falcosecurity/falco/pull/3514)] - [@leogr](https://github.com/leogr)
+* update(cmake): update libs and driver to latest master [[#3511](https://github.com/falcosecurity/falco/pull/3511)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* chore(deps): Bump submodules/falcosecurity-rules from `1d2c6b1` to `371e431` [[#3510](https://github.com/falcosecurity/falco/pull/3510)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(cmake): update libs and driver to latest master [[#3508](https://github.com/falcosecurity/falco/pull/3508)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* update(cmake): update libs and driver to latest master [[#3506](https://github.com/falcosecurity/falco/pull/3506)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* fix(userspace/falco): when counting `-M` timeout, do not account for async events [[#3505](https://github.com/falcosecurity/falco/pull/3505)] - [@FedeDP](https://github.com/FedeDP)
+* chore(deps): Bump submodules/falcosecurity-rules from `d8415c1` to `1d2c6b1` [[#3504](https://github.com/falcosecurity/falco/pull/3504)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* docs(proposals): correct typo in example [[#3499](https://github.com/falcosecurity/falco/pull/3499)] - [@leogr](https://github.com/leogr)
+* fix(docker): fixed entrypoints paths with new docker context. [[#3492](https://github.com/falcosecurity/falco/pull/3492)] - [@FedeDP](https://github.com/FedeDP)
+* feat(falco/app): move actions not using config before `load_config` [[#3483](https://github.com/falcosecurity/falco/pull/3483)] - [@ekoops](https://github.com/ekoops)
+* refactor(falco/app): apply early return pattern in actions code [[#3484](https://github.com/falcosecurity/falco/pull/3484)] - [@ekoops](https://github.com/ekoops)
+* chore(deps): Bump submodules/falcosecurity-rules from `abf6637` to `d8415c1` [[#3489](https://github.com/falcosecurity/falco/pull/3489)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* Add NETWAYS Web Services to ADOPTERS.md [[#3487](https://github.com/falcosecurity/falco/pull/3487)] - [@mocdaniel](https://github.com/mocdaniel)
+* chore: add back Falco static package to the release template. [[#3472](https://github.com/falcosecurity/falco/pull/3472)] - [@FedeDP](https://github.com/FedeDP)
+
+### Statistics
+
+|   MERGED PRS    | NUMBER |
+|-----------------|--------|
+| Not user-facing |     36 |
+| Release note    |     17 |
+| Total           |     53 |
+
+## v0.40.0
+
+Released on 2025-01-28
+
+### Breaking Changes :warning:
+
+* cleanup(userspac/falco)!: drop deprecated options. [[#3361](https://github.com/falcosecurity/falco/pull/3361)] - [@FedeDP](https://github.com/FedeDP)
+
+
+### Major Changes
+
+* new(docker): streamline docker images [[#3273](https://github.com/falcosecurity/falco/pull/3273)] - [@FedeDP](https://github.com/FedeDP)
+* new(build): reintroduce static build [[#3428](https://github.com/falcosecurity/falco/pull/3428)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(cmake,ci): added support for using jemalloc allocator instead of glibc one and use it by default for release artifacts [[#3406](https://github.com/falcosecurity/falco/pull/3406)] - [@FedeDP](https://github.com/FedeDP)
+* new(userspace,cmake): honor new plugins exposed suggested output formats [[#3388](https://github.com/falcosecurity/falco/pull/3388)] - [@FedeDP](https://github.com/FedeDP)
+* new(userspace/falco): allow entirely disabling plugin hostinfo support. [[#3412](https://github.com/falcosecurity/falco/pull/3412)] - [@FedeDP](https://github.com/FedeDP)
+* new(ci): use `zig` compiler instead of relying on centos7. [[#3307](https://github.com/falcosecurity/falco/pull/3307)] - [@FedeDP](https://github.com/FedeDP)
+* new(falco): add buffer_format_base64 option, deprecate -b [[#3358](https://github.com/falcosecurity/falco/pull/3358)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(falco): add base_syscalls.all option to falco.yaml, deprecate -A [[#3352](https://github.com/falcosecurity/falco/pull/3352)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(falco): add falco_libs.snaplen option, deprecate -S / --snaplen [[#3362](https://github.com/falcosecurity/falco/pull/3362)] - [@LucaGuerra](https://github.com/LucaGuerra)
+
+
+### Minor Changes
+
+* update(cmake): bump falcoctl to v0.11.0 [[#3467](https://github.com/falcosecurity/falco/pull/3467)] - [@alacuku](https://github.com/alacuku)
+* chore(ci): add attestation for falco [[#3216](https://github.com/falcosecurity/falco/pull/3216)] - [@cpanato](https://github.com/cpanato)
+* chore(ci): build Falco in RelWithDebInfo, and upload Falco debug symbols as github artifacts [[#3452](https://github.com/falcosecurity/falco/pull/3452)] - [@FedeDP](https://github.com/FedeDP)
+* update(build): DEB and RPM package requirements for dkms and kernel-devel are now suggestions [[#3450](https://github.com/falcosecurity/falco/pull/3450)] - [@jthiltges](https://github.com/jthiltges)
+
+
+### Bug Fixes
+
+* fix(userspace/falco): fix container_engines.cri.sockets not loading from config file [[#3453](https://github.com/falcosecurity/falco/pull/3453)] - [@zayaanmoez](https://github.com/zayaanmoez)
+* fix(docker): /usr/src/'*' no longer created if $HOST_PATH/usr/src didn't exist at startup [[#3434](https://github.com/falcosecurity/falco/pull/3434)] - [@shane-lawrence](https://github.com/shane-lawrence)
+* fix(docker): add brotli to the Falco image [[#3399](https://github.com/falcosecurity/falco/pull/3399)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(userspace/engine): explicitly disallow appending/modifying a rule with different sources [[#3383](https://github.com/falcosecurity/falco/pull/3383)] - [@mstemm](https://github.com/mstemm)
+
+
+
+### Non user-facing changes
+
+* chore(falco.yaml): remove comments about cri cli arguments [[#3458](https://github.com/falcosecurity/falco/pull/3458)] - [@alacuku](https://github.com/alacuku)
+* fix(ci): fixed reusable_build/publish_docker workflows. [[#3459](https://github.com/falcosecurity/falco/pull/3459)] - [@FedeDP](https://github.com/FedeDP)
+* update(cmake): update libs and driver to latest master [[#3455](https://github.com/falcosecurity/falco/pull/3455)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* chore(ci): bumped actions/upload-download-artifact. [[#3454](https://github.com/falcosecurity/falco/pull/3454)] - [@FedeDP](https://github.com/FedeDP)
+* chore(docker): drop unused libelf dep from container images [[#3451](https://github.com/falcosecurity/falco/pull/3451)] - [@leogr](https://github.com/leogr)
+* chore(docs): update `plugins_hostinfo` config file comment. [[#3449](https://github.com/falcosecurity/falco/pull/3449)] - [@FedeDP](https://github.com/FedeDP)
+* new(build): add RelWithDebInfo target [[#3440](https://github.com/falcosecurity/falco/pull/3440)] - [@shane-lawrence](https://github.com/shane-lawrence)
+* chore(deps): Bump submodules/falcosecurity-rules from `283a62f` to `abf6637` [[#3448](https://github.com/falcosecurity/falco/pull/3448)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(ci): use 4cpu-16gb arm runners [[#3447](https://github.com/falcosecurity/falco/pull/3447)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update(cmake): update libs and driver to latest master [[#3439](https://github.com/falcosecurity/falco/pull/3439)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* chore: avoid deprecated funcs to calculate sha256 [[#3442](https://github.com/falcosecurity/falco/pull/3442)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* chore(ci): enable jemalloc in musl build. [[#3436](https://github.com/falcosecurity/falco/pull/3436)] - [@FedeDP](https://github.com/FedeDP)
+* docs(falco.yaml): correct `buffered_outputs` description [[#3427](https://github.com/falcosecurity/falco/pull/3427)] - [@leogr](https://github.com/leogr)
+* fix(userspace/falco): use correct filtercheck_field_info. [[#3426](https://github.com/falcosecurity/falco/pull/3426)] - [@FedeDP](https://github.com/FedeDP)
+* update(cmake): update libs and driver to latest master [[#3421](https://github.com/falcosecurity/falco/pull/3421)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* fix: update the url for the docs about the concurrent queue classes [[#3415](https://github.com/falcosecurity/falco/pull/3415)] - [@Issif](https://github.com/Issif)
+* update(changelog): updated changelog for 0.39.2. [[#3410](https://github.com/falcosecurity/falco/pull/3410)] - [@FedeDP](https://github.com/FedeDP)
+* update(cmake): update libs and driver to latest master [[#3392](https://github.com/falcosecurity/falco/pull/3392)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* fix(cmake,docker): avoid cpp-httplib requiring brotli. [[#3400](https://github.com/falcosecurity/falco/pull/3400)] - [@FedeDP](https://github.com/FedeDP)
+* chore(deps): Bump submodules/falcosecurity-rules from `407e997` to `283a62f` [[#3391](https://github.com/falcosecurity/falco/pull/3391)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(cmake): bump libs to latest master. [[#3389](https://github.com/falcosecurity/falco/pull/3389)] - [@FedeDP](https://github.com/FedeDP)
+* update(cmake): update libs and driver to latest master [[#3385](https://github.com/falcosecurity/falco/pull/3385)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* Make enable()/disable() virtual so they can be overridden [[#3375](https://github.com/falcosecurity/falco/pull/3375)] - [@mstemm](https://github.com/mstemm)
+* fix(ci): fixed shasum computation for bump-libs CI. [[#3379](https://github.com/falcosecurity/falco/pull/3379)] - [@FedeDP](https://github.com/FedeDP)
+* chore(ci): use redhat advised method to check rpmsign success. [[#3376](https://github.com/falcosecurity/falco/pull/3376)] - [@FedeDP](https://github.com/FedeDP)
+* chore(deps): Bump submodules/falcosecurity-rules from `e38fb3f` to `407e997` [[#3374](https://github.com/falcosecurity/falco/pull/3374)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* Compile output clone [[#3364](https://github.com/falcosecurity/falco/pull/3364)] - [@mstemm](https://github.com/mstemm)
+* fix(ci): fixed bump-libs workflow syntax. [[#3369](https://github.com/falcosecurity/falco/pull/3369)] - [@FedeDP](https://github.com/FedeDP)
+* new(ci): add a workflow to automatically bump libs on each monday. [[#3360](https://github.com/falcosecurity/falco/pull/3360)] - [@FedeDP](https://github.com/FedeDP)
+* chore(deps): Bump submodules/falcosecurity-rules from `b6ad373` to `e38fb3f` [[#3365](https://github.com/falcosecurity/falco/pull/3365)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* cleanup(falco): reformat options::define [[#3356](https://github.com/falcosecurity/falco/pull/3356)] - [@LucaGuerra](https://github.com/LucaGuerra)
+
+### Statistics
+
+|   MERGED PRS    | NUMBER |
+|-----------------|--------|
+| Not user-facing |     31 |
+| Release note    |     18 |
+| Total           |     49 |
+
+## v0.39.2
+
+Released on 2024-11-21
+
+### Minor Changes
+
+* update(cmake): bumped falcoctl to v0.10.1. [[#3408](https://github.com/falcosecurity/falco/pull/3408)] - [@FedeDP](https://github.com/FedeDP)
+* update(cmake): bump yaml-cpp to latest master. [[#3394](https://github.com/falcosecurity/falco/pull/3394)] - [@FedeDP](https://github.com/FedeDP)
+
+### Non user-facing changes
+
+* update(ci): use arm64 CNCF runners for GH actions [[#3386](https://github.com/falcosecurity/falco/pull/3386)] - [@LucaGuerra](https://github.com/LucaGuerra)
+
+### Statistics
+
+|   MERGED PRS    | NUMBER |
+|-----------------|--------|
+| Not user-facing |      1 |
+| Release note    |      2 |
+| Total           |      3 |
+
+
+## v0.39.1
+
+Released on 2024-10-09
+
+### Bug Fixes
+
+* fix(engine): allow null init_config for plugin info [[#3372](https://github.com/falcosecurity/falco/pull/3372)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(engine): fix parsing issues in -o key={object} when the object definition contains a comma [[#3363](https://github.com/falcosecurity/falco/pull/3363)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(userspace/falco): fix event set selection for plugin with parsing capability [[#3368](https://github.com/falcosecurity/falco/pull/3368)] - [@FedeDP](https://github.com/FedeDP)
+
+### Statistics
+
+|   MERGED PRS    | NUMBER |
+|-----------------|--------|
+| Not user-facing |      0 |
+| Release note    |      3 |
+| Total           |      3 |
+
+
 ## v0.39.0
 
 Released on 2024-10-01

CMakeLists.txt

@@ -17,7 +17,7 @@ cmake_minimum_required(VERSION 3.5.1)
 project(falco)
 
 option(USE_BUNDLED_DEPS "Bundle hard to find dependencies into the Falco binary" ON)
-option(USE_DYNAMIC_LIBELF "Dynamically link libelf" ON)
+option(USE_DYNAMIC_LIBELF "Dynamically link libelf" OFF)
 option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF)
 option(
 	MINIMAL_BUILD
@@ -29,6 +29,7 @@ option(BUILD_FALCO_UNIT_TESTS "Build falco unit tests" OFF)
 option(USE_ASAN "Build with AddressSanitizer" OFF)
 option(USE_UBSAN "Build with UndefinedBehaviorSanitizer" OFF)
 option(UBSAN_HALT_ON_ERROR "Halt on error when building with UBSan" ON)
+option(USE_JEMALLOC "Use jemalloc allocator" OFF)
 
 if(WIN32)
 	if(POLICY CMP0091)
@@ -141,6 +142,13 @@ set(CMD_MAKE make)
 
 include(ExternalProject)
 
+if(USE_JEMALLOC)
+	if(USE_ASAN)
+		message(WARNING "Jemalloc and ASAN are known to have issues when combined")
+	endif()
+	include(jemalloc)
+endif()
+
 # libs
 include(falcosecurity-libs)
 
@@ -259,6 +267,41 @@ if(NOT WIN32
    AND NOT MUSL_OPTIMIZED_BUILD
 )
 	include(falcoctl)
+	set(CONTAINER_VERSION "0.3.0")
+	if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+		set(CONTAINER_HASH "69816e9c2c72f896a1645d6fe0a2983ba351972c41b28c52f73684e998136746")
+	else() # arm64
+		set(CONTAINER_HASH "8daa93402e11622237c6cf2e4e27fea570d5a4023aba10c1339d991b3232a4a2")
+	endif()
+	include(container_plugin)
+
+	# Generate a binary_dir/falco.yaml that automatically enables the plugin to be used for local
+	# testing.
+	configure_file(${CMAKE_SOURCE_DIR}/falco.yaml ${CMAKE_BINARY_DIR} COPYONLY)
+	# The custom target configures the plugin and set its path
+	add_custom_target(
+		container
+		COMMAND sed -i 's,^load_plugins: .*,load_plugins: [container],g'
+				${CMAKE_BINARY_DIR}/falco.yaml
+		COMMAND sed -i 's,library_path: libcontainer.so,library_path: ${CONTAINER_LIBRARY},g'
+				${CMAKE_BINARY_DIR}/falco.yaml
+		DEPENDS container_plugin
+	)
+	# Let `make falco` also download container plugin
+	add_dependencies(falco container)
+
+	# Install the plugin
+	install(
+		FILES "${CONTAINER_LIBRARY}"
+		DESTINATION "${FALCO_ABSOLUTE_SHARE_DIR}/plugins"
+		COMPONENT "${FALCO_COMPONENT_NAME}"
+	)
+	# Install additional config override file to enable the container plugin
+	install(
+		FILES "${PROJECT_SOURCE_DIR}/config/falco.container_plugin.yaml"
+		DESTINATION "${FALCO_ETC_DIR}/config.d"
+		COMPONENT "${FALCO_COMPONENT_NAME}"
+	)
 endif()
 
 # Packages configuration

README.md

@@ -2,7 +2,7 @@
 
 [![Latest release](https://img.shields.io/github/v/release/falcosecurity/falco?style=for-the-badge)](https://github.com/falcosecurity/falco/releases/latest) [![Supported Architectures](https://img.shields.io/badge/ARCHS-x86__64%7Caarch64-blueviolet?style=for-the-badge)](https://github.com/falcosecurity/falco/releases/latest) [![License](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING) [![Docs](https://img.shields.io/badge/docs-latest-green.svg?style=for-the-badge)](https://falco.org/docs)
 
-[![Falco Core Repository](https://github.com/falcosecurity/evolution/blob/main/repos/badges/falco-core-blue.svg)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#core-scope) [![Stable](https://img.shields.io/badge/status-stable-brightgreen?style=for-the-badge)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#stable)  [![OpenSSF Scorecard](https://img.shields.io/ossf-scorecard/github.com/falcosecurity/falco?label=openssf%20scorecard&style=for-the-badge)](https://scorecard.dev/viewer/?uri=github.com/falcosecurity/falco)  [![OpenSSF Best Practices](https://img.shields.io/cii/summary/2317?label=OpenSSF%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) <a href="https://actuated.dev/"><img alt="Arm CI sponsored by Actuated" src="https://docs.actuated.dev/images/actuated-badge.png" width="120px"></img></a>
+[![Falco Core Repository](https://github.com/falcosecurity/evolution/blob/main/repos/badges/falco-core-blue.svg)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#core-scope) [![Stable](https://img.shields.io/badge/status-stable-brightgreen?style=for-the-badge)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#stable)  [![OpenSSF Scorecard](https://img.shields.io/ossf-scorecard/github.com/falcosecurity/falco?label=openssf%20scorecard&style=for-the-badge)](https://scorecard.dev/viewer/?uri=github.com/falcosecurity/falco)  [![OpenSSF Best Practices](https://img.shields.io/cii/summary/2317?label=OpenSSF%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317)
 
 [![Falco](https://falco.org/img/brand/falco-horizontal-color.svg)](https://falco.org)
 
@@ -14,43 +14,30 @@ Falco, originally created by [Sysdig](https://sysdig.com), is a **graduated proj
 
 For detailed technical information and insights into the cyber threats that Falco can detect, visit the official [Falco](https://falco.org/) website.
 
-For comprehensive information on the latest updates and changes to the project, please refer to the [Change Log](CHANGELOG.md). Additionally, we have documented the [Release Process](RELEASE.md) for delivering new versions of Falco.
+For comprehensive information on the latest updates and changes to the project, please refer to the [Change Log](CHANGELOG.md).
 
-## Falco Repo: Powering the Core of The Falco Project
+## The Falco Project
 
-This is the main Falco repository which contains the source code for building the Falco binary. By utilizing its [libs](https://github.com/falcosecurity/libs) and the [falco.yaml](falco.yaml) configuration file, this repository forms the foundation of Falco's functionality. The Falco repository is closely interconnected with the following *core* repositories:
+The Falco Project codebase is maintained under the [falcosecurity GitHub organization](https://github.com/falcosecurity). The primary repository, [falcosecurity/falco](https://github.com/falcosecurity/falco), holds the source code for the Falco binary, while other sub-projects are hosted in dedicated repositories. This approach of isolating components into specialized repositories enhances modularity and focused development. Notable [core repositories](https://github.com/falcosecurity/evolution?tab=readme-ov-file#core) include:
 
-- [falcosecurity/libs](https://github.com/falcosecurity/libs): Falco's libraries are key to its fundamental operations, making up the greater portion of the source code of the Falco binary and providing essential features such as kernel drivers.
-- [falcosecurity/rules](https://github.com/falcosecurity/rules): Contains the official ruleset for Falco, providing pre-defined detection rules for various security threats and abnormal behaviors.
-- [falcosecurity/plugins](https://github.com/falcosecurity/plugins/): Falco plugins facilitate integration with external services, expand Falco's capabilities beyond syscalls and container events, and are designed to evolve with specialized functionality in future releases.
-- [falcosecurity/falcoctl](https://github.com/falcosecurity/falcoctl): Command-line utility for managing and interacting with Falco.
+- [falcosecurity/libs](https://github.com/falcosecurity/libs): This repository hosts Falco's core libraries, which constitute the majority of the binary’s source code and provide essential features, such as kernel drivers.
+- [falcosecurity/rules](https://github.com/falcosecurity/rules): It contains the official ruleset for Falco, offering pre-defined detection rules for various security threats and abnormal behaviors.
+- [falcosecurity/plugins](https://github.com/falcosecurity/plugins): This repository supports integration with external services through plugins that extend Falco's capabilities beyond syscalls and container events, with plans for evolving specialized functionalities in future releases.
+- [falcosecurity/falcoctl](https://github.com/falcosecurity/falcoctl): A command-line utility designed for managing and interacting with Falco.
+- [falcosecurity/charts](https://github.com/falcosecurity/charts): This repository provides Helm charts for deploying Falco and its ecosystem, simplifying the installation and management process.
 
-For more information, visit the official hub of The Falco Project: [falcosecurity/evolution](https://github.com/falcosecurity/evolution). It provides valuable insights and information about the project's repositories.
+For further insights into our repositories and additional details about our governance model, please visit the official hub of The Falco Project: [falcosecurity/evolution](https://github.com/falcosecurity/evolution).
 
 ## Getting Started with Falco
 
-Carefully review and follow the [Official Documentation](https://falco.org/docs/install-operate/).
+If you're new to Falco, begin your journey with our [Getting Started](https://falco.org/docs/getting-started/) guide. For production deployments, please refer to our comprehensive [Setup](https://falco.org/docs/setup/) documentation.
 
-Considerations and guidance for Falco adopters:
-
-1. Understand dependencies: Assess the environment where you'll run Falco and consider kernel versions and architectures.
-
-2. Define threat detection objectives: Clearly identify the threats you want to detect and evaluate Falco's strengths and limitations.
-
-3. Consider performance and cost: Assess compute performance overhead and align with system administrators or SREs. Budget accordingly.
-
-4. Choose build and customization approach: Decide between the open source Falco build or creating a custom build pipeline. Customize the build and deployment process as necessary, including incorporating unique tests or approaches, to ensure a resilient deployment with fast deployment cycles.
-
-5. Integrate with output destinations: Integrate Falco with SIEM, data lake systems, or other preferred output destinations to establish a robust foundation for comprehensive data analysis and enable effective incident response workflows.
+As final recommendations before deploying Falco, verify environment compatibility, define your detection goals, optimize performance, choose the appropriate build, and plan for SIEM or data lake integration to ensure effective incident response.
 
 ### Demo Environment
 
 A demo environment is provided via a docker-compose file that can be started on a docker host which includes falco, falcosidekick, falcosidekick-ui and its required redis database. For more information see the [docker-compose section](docker/docker-compose/)
 
-## How to Contribute
-
-Please refer to the [Contributing](https://github.com/falcosecurity/.github/blob/main/CONTRIBUTING.md) guide and the [Code of Conduct](https://github.com/falcosecurity/evolution/blob/main/CODE_OF_CONDUCT.md) for more information on how to contribute.
-
 ## Join the Community
 
 To get involved with the Falco Project please visit the [Community](https://github.com/falcosecurity/community) repository to find more information and ways to get involved.
@@ -71,20 +58,16 @@ In addition, you can refer to the [falco](https://github.com/falcosecurity/falco
 
 To report security vulnerabilities, please follow the community process outlined in the documentation found [here](https://github.com/falcosecurity/.github/blob/main/SECURITY.md).
 
-## What's next for Falco?
+## Building
 
-Stay updated with Falco's evolving capabilities by exploring the [Falco Roadmap](https://github.com/orgs/falcosecurity/projects/5), which provides insights into the features currently under development and planned for future releases.
-
-## License
-
-Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
+For comprehensive, step-by-step instructions on building Falco from source, please refer to the [official documentation](https://falco.org/docs/developer-guide/source/).
 
 ## Testing
 
 <details>
 	<summary>Expand Testing Instructions</summary>
 
-Falco's [Build Falco from source](https://falco.org/docs/install-operate/source/) is the go-to resource to understand how to build Falco from source. In addition, the [falcosecurity/libs](https://github.com/falcosecurity/libs) repository offers additional valuable information about tests and debugging of Falco's underlying libraries and kernel drivers.
+Falco's [Build Falco from source](https://falco.org/docs/developer-guide/source/) is the go-to resource to understand how to build Falco from source. In addition, the [falcosecurity/libs](https://github.com/falcosecurity/libs) repository offers additional valuable information about tests and debugging of Falco's underlying libraries and kernel drivers.
 
 Here's an example of a `cmake` command that will enable everything you need for all unit tests of this repository:
 
@@ -117,7 +100,13 @@ Lastly, The Falco Project has moved its Falco regression tests to [falcosecurity
 
 </br>
 
-## Why is Falco in C++ rather than Go or {language}?
+ ## How to Contribute
+
+Please refer to the [Contributing](https://github.com/falcosecurity/.github/blob/main/CONTRIBUTING.md) guide and the [Code of Conduct](https://github.com/falcosecurity/evolution/blob/main/CODE_OF_CONDUCT.md) for more information on how to contribute.
+
+## FAQs
+
+### Why is Falco in C++ rather than Go or {language}?
 
 <details>
 	<summary>Expand Information</summary>
@@ -136,6 +125,14 @@ Lastly, The Falco Project has moved its Falco regression tests to [falcosecurity
 </details>
 </br>
 
+### What's next for Falco?
+
+Stay updated with Falco's evolving capabilities by exploring the [Falco Roadmap](https://github.com/orgs/falcosecurity/projects/5), which provides insights into the features currently under development and planned for future releases.
+
+## License
+
+Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
+
 ## Resources
 
  - [Governance](https://github.com/falcosecurity/evolution/blob/main/GOVERNANCE.md)
@@ -145,5 +142,6 @@ Lastly, The Falco Project has moved its Falco regression tests to [falcosecurity
  - [Repositories Guidelines](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md)
  - [Repositories List](https://github.com/falcosecurity/evolution/blob/main/README.md#repositories)
  - [Adopters List](https://github.com/falcosecurity/falco/blob/master/ADOPTERS.md)
- - [Install and Operate](https://falco.org/docs/install-operate/)
+ - [Release Process](RELEASE.md)
+ - [Setup documentation](https://falco.org/docs/setup/)
  - [Troubleshooting](https://falco.org/docs/troubleshooting/)

cmake/modules/CPackConfig.cmake

@@ -24,7 +24,11 @@ set(CPACK_PACKAGE_VERSION_MAJOR "${FALCO_VERSION_MAJOR}")
 set(CPACK_PACKAGE_VERSION_MINOR "${FALCO_VERSION_MINOR}")
 set(CPACK_PACKAGE_VERSION_PATCH "${FALCO_VERSION_PATCH}")
 set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/cmake/cpack/CMakeCPackOptions.cmake")
-set(CPACK_STRIP_FILES "ON")
+if(CMAKE_BUILD_TYPE STREQUAL "debug")
+	set(CPACK_STRIP_FILES "OFF")
+else()
+	set(CPACK_STRIP_FILES "ON")
+endif()
 set(CPACK_PACKAGE_RELOCATABLE "OFF")
 if(EMSCRIPTEN)
 	set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-wasm")
@@ -68,7 +72,7 @@ if(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "aarch64")
 	set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "arm64")
 endif()
 set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "https://www.falco.org")
-set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0)")
+set(CPACK_DEBIAN_PACKAGE_SUGGESTS "dkms (>= 2.1.0.0)")
 set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
 	"${CMAKE_BINARY_DIR}/scripts/debian/postinst;${CMAKE_BINARY_DIR}/scripts/debian/prerm;${CMAKE_BINARY_DIR}/scripts/debian/postrm;${PROJECT_SOURCE_DIR}/cmake/cpack/debian/conffiles"
 )
@@ -76,7 +80,8 @@ set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
 set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0")
 set(CPACK_RPM_PACKAGE_ARCHITECTURE, "amd64")
 set(CPACK_RPM_PACKAGE_URL "https://www.falco.org")
-set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, systemd")
+set(CPACK_RPM_PACKAGE_REQUIRES "systemd")
+set(CPACK_RPM_PACKAGE_SUGGESTS "dkms, kernel-devel")
 set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postinstall")
 set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/preuninstall")
 set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postuninstall")

cmake/modules/CompilerFlags.cmake

@@ -23,6 +23,9 @@ endif()
 string(TOLOWER "${CMAKE_BUILD_TYPE}" CMAKE_BUILD_TYPE)
 if(CMAKE_BUILD_TYPE STREQUAL "debug")
 	set(KBUILD_FLAGS "${FALCO_EXTRA_DEBUG_FLAGS} ${FALCO_EXTRA_FEATURE_FLAGS}")
+elseif(CMAKE_BUILD_TYPE STREQUAL "relwithdebinfo")
+	set(KBUILD_FLAGS "${FALCO_EXTRA_FEATURE_FLAGS}")
+	add_definitions(-DBUILD_TYPE_RELWITHDEBINFO)
 else()
 	set(CMAKE_BUILD_TYPE "release")
 	set(KBUILD_FLAGS "${FALCO_EXTRA_FEATURE_FLAGS}")
@@ -70,7 +73,7 @@ if(NOT MSVC)
 
 	if(BUILD_WARNINGS_AS_ERRORS)
 		set(CMAKE_SUPPRESSED_WARNINGS
-			"-Wno-unused-parameter -Wno-unused-variable -Wno-unused-but-set-variable -Wno-missing-field-initializers -Wno-sign-compare -Wno-type-limits -Wno-implicit-fallthrough -Wno-format-truncation -Wno-stringop-truncation -Wno-stringop-overflow -Wno-restrict"
+			"-Wno-unused-parameter -Wno-unused-variable -Wno-unused-but-set-variable -Wno-missing-field-initializers -Wno-sign-compare -Wno-type-limits -Wno-implicit-fallthrough -Wno-format-truncation -Wno-stringop-truncation -Wno-stringop-overflow -Wno-restrict -Wno-deprecated-declarations"
 		)
 		set(CMAKE_COMPILE_WARNING_AS_ERROR ON)
 		set(CMAKE_COMMON_FLAGS "${CMAKE_COMMON_FLAGS} -Wextra ${CMAKE_SUPPRESSED_WARNINGS}")
@@ -85,6 +88,17 @@ if(NOT MSVC)
 	set(CMAKE_C_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
 	set(CMAKE_CXX_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
 
+	set(CMAKE_C_FLAGS_RELWITHDEBINFO "${CMAKE_C_FLAGS_RELEASE} -g")
+	set(CMAKE_CXX_FLAGS_RELWITHDEBINFO "${CMAKE_CXX_FLAGS_RELEASE} -g")
+
+	# Add linker flags to generate separate debug files
+	set(CMAKE_EXE_LINKER_FLAGS_RELWITHDEBINFO
+		"${CMAKE_EXE_LINKER_FLAGS_RELWITHDEBINFO} -Wl,--build-id"
+	)
+	set(CMAKE_SHARED_LINKER_FLAGS_RELWITHDEBINFO
+		"${CMAKE_SHARED_LINKER_FLAGS_RELWITHDEBINFO} -Wl,--build-id"
+	)
+
 else() # MSVC
 	set(MINIMAL_BUILD ON)
 	set(CMAKE_MSVC_RUNTIME_LIBRARY "MultiThreaded$<$<CONFIG:Debug>:Debug>")
@@ -99,6 +113,13 @@ else() # MSVC
 	set(FALCOSECURITY_LIBS_COMMON_FLAGS "/EHsc /W3 /Zi /std:c++17")
 	set(FALCOSECURITY_LIBS_DEBUG_FLAGS "/MTd /Od")
 	set(FALCOSECURITY_LIBS_RELEASE_FLAGS "/MT")
+	set(FALCOSECURITY_LIBS_RELWITHDEBINFO_FLAGS "/MT /Zi")
+
+	# Ensure linker generates PDB files for MSVC
+	set(CMAKE_EXE_LINKER_FLAGS_RELWITHDEBINFO "${CMAKE_EXE_LINKER_FLAGS_RELWITHDEBINFO} /DEBUG")
+	set(CMAKE_SHARED_LINKER_FLAGS_RELWITHDEBINFO
+		"${CMAKE_SHARED_LINKER_FLAGS_RELWITHDEBINFO} /DEBUG"
+	)
 
 	set(CMAKE_C_FLAGS "${FALCOSECURITY_LIBS_COMMON_FLAGS}")
 	set(CMAKE_CXX_FLAGS "${FALCOSECURITY_LIBS_COMMON_FLAGS}")
@@ -109,4 +130,7 @@ else() # MSVC
 	set(CMAKE_C_FLAGS_RELEASE "${FALCOSECURITY_LIBS_RELEASE_FLAGS}")
 	set(CMAKE_CXX_FLAGS_RELEASE "${FALCOSECURITY_LIBS_RELEASE_FLAGS}")
 
+	set(CMAKE_C_FLAGS_RELWITHDEBINFO "${FALCOSECURITY_LIBS_RELWITHDEBINFO_FLAGS}")
+	set(CMAKE_CXX_FLAGS_RELWITHDEBINFO "${FALCOSECURITY_LIBS_RELWITHDEBINFO_FLAGS}")
+
 endif()

cmake/modules/cares.cmake

@@ -0,0 +1,78 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+option(USE_BUNDLED_CARES "Enable building of the bundled c-ares" ${USE_BUNDLED_DEPS})
+
+if(CARES_INCLUDE)
+	# we already have c-ares
+elseif(NOT USE_BUNDLED_CARES)
+	find_path(CARES_INCLUDE NAMES cares/ares.h ares.h)
+	find_library(CARES_LIB NAMES cares)
+	if(CARES_INCLUDE AND CARES_LIB)
+		message(STATUS "Found c-ares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}")
+	else()
+		message(FATAL_ERROR "Couldn't find system c-ares")
+	endif()
+else()
+	if(BUILD_SHARED_LIBS)
+		set(CARES_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
+		set(CARES_STATIC_OPTION "Off")
+	else()
+		set(CARES_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
+		set(CARES_STATIC_OPTION "On")
+	endif()
+	set(CARES_SRC "${PROJECT_BINARY_DIR}/c-ares-prefix/src/c-ares")
+	set(CARES_INCLUDE "${CARES_SRC}/include/")
+	set(CARES_LIB "${CARES_SRC}/lib/libcares${CARES_LIB_SUFFIX}")
+
+	if(NOT TARGET c-ares)
+		message(STATUS "Using bundled c-ares in '${CARES_SRC}'")
+		ExternalProject_Add(
+			c-ares
+			PREFIX "${PROJECT_BINARY_DIR}/c-ares-prefix"
+			URL "https://github.com/c-ares/c-ares/releases/download/v1.33.1/c-ares-1.33.1.tar.gz"
+			URL_HASH "SHA256=06869824094745872fa26efd4c48e622b9bd82a89ef0ce693dc682a23604f415"
+			BUILD_IN_SOURCE 1
+			CMAKE_ARGS -DCMAKE_POLICY_DEFAULT_CMP0091:STRING=NEW
+					   -DCMAKE_MSVC_RUNTIME_LIBRARY=${CMAKE_MSVC_RUNTIME_LIBRARY}
+					   -DCMAKE_INSTALL_LIBDIR=lib
+					   -DCARES_SHARED=${BUILD_SHARED_LIBS}
+					   -DCARES_STATIC=${CARES_STATIC_OPTION}
+					   -DCARES_STATIC_PIC=${ENABLE_PIC}
+					   -DCARES_BUILD_TOOLS=Off
+					   -DCARES_INSTALL=Off
+					   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
+			BUILD_BYPRODUCTS ${CARES_INCLUDE} ${CARES_LIB}
+			INSTALL_COMMAND ""
+		)
+		install(
+			FILES "${CARES_LIB}"
+			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+		install(
+			DIRECTORY "${CARES_INCLUDE}"
+			DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+	endif()
+
+endif()
+
+if(NOT TARGET c-ares)
+	add_custom_target(c-ares)
+endif()
+
+include_directories("${CARES_INCLUDE}")

cmake/modules/cpp-httplib.cmake

@@ -16,6 +16,10 @@
 option(USE_BUNDLED_CPPHTTPLIB "Enable building of the bundled cpp-httplib" ${USE_BUNDLED_DEPS})
 
 if(USE_BUNDLED_CPPHTTPLIB)
+	set(HTTPLIB_USE_BROTLI_IF_AVAILABLE OFF)
+	set(HTTPLIB_REQUIRE_BROTLI OFF)
+	set(HTTPLIB_USE_ZLIB_IF_AVAILABLE OFF)
+	set(HTTPLIB_REQUIRE_ZLIB OFF)
 	include(FetchContent)
 	FetchContent_Declare(
 		cpp-httplib

cmake/modules/curl.cmake

@@ -0,0 +1,100 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+option(USE_BUNDLED_CURL "Enable building of the bundled curl" ${USE_BUNDLED_DEPS})
+
+include(openssl)
+include(zlib)
+
+if(CURL_INCLUDE_DIRS)
+	# we already have curl
+elseif(NOT USE_BUNDLED_CURL)
+	find_package(CURL REQUIRED)
+	message(STATUS "Found CURL: include: ${CURL_INCLUDE_DIRS}, lib: ${CURL_LIBRARIES}")
+else()
+	if(BUILD_SHARED_LIBS)
+		set(CURL_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
+		set(CURL_STATIC_OPTION)
+	else()
+		set(CURL_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
+		set(CURL_STATIC_OPTION --disable-shared)
+	endif()
+	set(CURL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/curl-prefix/src/curl")
+	set(CURL_INCLUDE_DIRS "${CURL_BUNDLE_DIR}/include/")
+	set(CURL_LIBRARIES "${CURL_BUNDLE_DIR}/lib/.libs/libcurl${CURL_LIB_SUFFIX}")
+
+	if(NOT USE_BUNDLED_OPENSSL)
+		set(CURL_SSL_OPTION "--with-ssl")
+	else()
+		set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}")
+		message(STATUS "Using SSL for curl in '${OPENSSL_INSTALL_DIR}'")
+	endif()
+
+	if(NOT USE_BUNDLED_ZLIB)
+		set(CURL_ZLIB_OPTION "--with-zlib")
+	else()
+		set(CURL_ZLIB_OPTION "--with-zlib=${ZLIB_SRC}")
+		message(STATUS "Using zlib for curl in '${ZLIB_SRC}'")
+	endif()
+	message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'")
+
+	if(NOT ENABLE_PIC)
+		set(CURL_PIC_OPTION)
+	else()
+		set(CURL_PIC_OPTION "--with-pic")
+	endif()
+
+	if(NOT TARGET curl)
+		ExternalProject_Add(
+			curl
+			PREFIX "${PROJECT_BINARY_DIR}/curl-prefix"
+			DEPENDS openssl zlib
+			URL "https://github.com/curl/curl/releases/download/curl-8_7_1/curl-8.7.1.tar.bz2"
+			URL_HASH "SHA256=05bbd2b698e9cfbab477c33aa5e99b4975501835a41b7ca6ca71de03d8849e76"
+			CONFIGURE_COMMAND
+				./configure ${CURL_SSL_OPTION} ${CURL_ZLIB_OPTION} ${CURL_STATIC_OPTION}
+				${CURL_PIC_OPTION} --enable-optimize --disable-curldebug --disable-rt --enable-http
+				--disable-ftp --disable-file --disable-ldap --disable-ldaps --disable-rtsp
+				--disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smb
+				--disable-smtp --disable-gopher --disable-sspi --disable-ntlm-wb --disable-tls-srp
+				--without-winssl --without-polarssl --without-cyassl --without-nss --without-axtls
+				--without-librtmp --without-winidn --without-libidn2 --without-libpsl
+				--without-nghttp2 --without-libssh2 --with-ca-path=/etc/ssl/certs/
+				--disable-threaded-resolver --without-brotli --without-zstd
+			BUILD_COMMAND make
+			BUILD_IN_SOURCE 1
+			BUILD_BYPRODUCTS ${CURL_LIBRARIES}
+			INSTALL_COMMAND ""
+		)
+		install(
+			FILES "${CURL_LIBRARIES}"
+			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+		install(
+			DIRECTORY "${CURL_INCLUDE_DIRS}curl"
+			DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+			FILES_MATCHING
+			PATTERN "*.h"
+		)
+	endif()
+endif()
+
+if(NOT TARGET curl)
+	add_custom_target(curl)
+endif()
+
+include_directories("${CURL_INCLUDE_DIRS}")

cmake/modules/driver.cmake

@@ -35,9 +35,9 @@ else()
 	# FALCOSECURITY_LIBS_VERSION. In case you want to test against another driver version (or
 	# branch, or commit) just pass the variable - ie., `cmake -DDRIVER_VERSION=dev ..`
 	if(NOT DRIVER_VERSION)
-		set(DRIVER_VERSION "7.3.0+driver")
+		set(DRIVER_VERSION "8.1.0+driver")
 		set(DRIVER_CHECKSUM
-			"SHA256=8f572d9a83feda635a3fa53b859d61e37af127c241e35068aadee3bc50d212c0"
+			"SHA256=182e6787bf86249a846a3baeb4dcd31578b76d4a13efa16ce3f44d66b18a77a6"
 		)
 	endif()
 

cmake/modules/falcoctl.cmake

@@ -20,16 +20,16 @@ option(ADD_FALCOCTL_DEPENDENCY "Add falcoctl dependency while building falco" ON
 if(ADD_FALCOCTL_DEPENDENCY)
 	string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} FALCOCTL_SYSTEM_NAME)
 
-	set(FALCOCTL_VERSION "0.10.0")
+	set(FALCOCTL_VERSION "0.11.2")
 
 	message(STATUS "Building with falcoctl: ${FALCOCTL_VERSION}")
 
 	if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
 		set(FALCOCTL_SYSTEM_PROC_GO "amd64")
-		set(FALCOCTL_HASH "32d1be4ab2335d9c3fc8ae8900341bcc26d3166094fc553ddb7bb783aa6c7b68")
+		set(FALCOCTL_HASH "8d55818987c90e54f7406e1c1441a18df1f485db858bb0b3efda5db217be3b48")
 	else() # aarch64
 		set(FALCOCTL_SYSTEM_PROC_GO "arm64")
-		set(FALCOCTL_HASH "9186fd948c1230c338a7fa36d6569ce85d3c4aa8153b30e8d86d2e887eb76756")
+		set(FALCOCTL_HASH "7c36404b5b7a515df25e7dc6d827a74ebc8526b1b49850954bbdd40860961bc2")
 	endif()
 
 	ExternalProject_Add(

cmake/modules/falcosecurity-libs.cmake

@@ -42,9 +42,9 @@ else()
 	# version (or branch, or commit) just pass the variable - ie., `cmake
 	# -DFALCOSECURITY_LIBS_VERSION=dev ..`
 	if(NOT FALCOSECURITY_LIBS_VERSION)
-		set(FALCOSECURITY_LIBS_VERSION "0.18.1")
+		set(FALCOSECURITY_LIBS_VERSION "0.21.0")
 		set(FALCOSECURITY_LIBS_CHECKSUM
-			"SHA256=1812e8236c4cb51d3fe5dd066d71be99f25da7ed22d8feeeebeed09bdc26325f"
+			"SHA256=9e977001dd42586df42a5dc7e7a948c297124865a233402e44bdec68839d322a"
 		)
 	endif()
 
@@ -73,7 +73,6 @@ set(LIBS_PACKAGE_NAME "falcosecurity")
 
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 	add_definitions(-D_GNU_SOURCE)
-	add_definitions(-DHAS_CAPTURE)
 endif()
 
 if(MUSL_OPTIMIZED_BUILD)

cmake/modules/grpc.cmake

@@ -0,0 +1,274 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+option(USE_BUNDLED_GRPC "Enable building of the bundled grpc" ${USE_BUNDLED_DEPS})
+
+if(GRPC_INCLUDE)
+	# we already have grpc
+elseif(NOT USE_BUNDLED_GRPC)
+	# gRPC
+	find_package(gRPC CONFIG)
+	if(gRPC_FOUND)
+		message(STATUS "Using gRPC ${gRPC_VERSION}")
+		set(GPR_LIB gRPC::gpr)
+		set(GRPC_LIB gRPC::grpc)
+		set(GRPCPP_LIB gRPC::grpc++)
+
+		# gRPC C++ plugin
+		get_target_property(GRPC_CPP_PLUGIN gRPC::grpc_cpp_plugin LOCATION)
+		if(NOT GRPC_CPP_PLUGIN)
+			message(FATAL_ERROR "System grpc_cpp_plugin not found")
+		endif()
+
+		# gRPC include dir + properly handle grpc{++,pp}
+		get_target_property(GRPC_INCLUDE gRPC::grpc++ INTERFACE_INCLUDE_DIRECTORIES)
+		find_path(
+			GRPCXX_INCLUDE
+			NAMES grpc++/grpc++.h
+			PATHS ${GRPC_INCLUDE}
+		)
+		if(NOT GRPCXX_INCLUDE)
+			find_path(
+				GRPCPP_INCLUDE
+				NAMES grpcpp/grpcpp.h
+				PATHS ${GRPC_INCLUDE}
+			)
+			add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1)
+		endif()
+	else()
+		# Fallback to manually find libraries; Some distro, namely Ubuntu focal, do not install gRPC
+		# config cmake module
+		find_library(GPR_LIB NAMES gpr)
+		if(GPR_LIB)
+			message(STATUS "Found gpr lib: ${GPR_LIB}")
+		else()
+			message(FATAL_ERROR "Couldn't find system gpr")
+		endif()
+		find_path(GRPCXX_INCLUDE NAMES grpc++/grpc++.h)
+		if(GRPCXX_INCLUDE)
+			set(GRPC_INCLUDE ${GRPCXX_INCLUDE})
+		else()
+			find_path(GRPCPP_INCLUDE NAMES grpcpp/grpcpp.h)
+			set(GRPC_INCLUDE ${GRPCPP_INCLUDE})
+			add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1)
+		endif()
+		find_library(GRPC_LIB NAMES grpc)
+		find_library(GRPCPP_LIB NAMES grpc++)
+		if(GRPC_INCLUDE
+		   AND GRPC_LIB
+		   AND GRPCPP_LIB
+		)
+			message(
+				STATUS
+					"Found grpc: include: ${GRPC_INCLUDE}, C lib: ${GRPC_LIB}, C++ lib: ${GRPCPP_LIB}"
+			)
+		else()
+			message(FATAL_ERROR "Couldn't find system grpc")
+		endif()
+		find_program(GRPC_CPP_PLUGIN grpc_cpp_plugin)
+		if(NOT GRPC_CPP_PLUGIN)
+			message(FATAL_ERROR "System grpc_cpp_plugin not found")
+		endif()
+	endif()
+else()
+	include(cares)
+	include(protobuf)
+	include(zlib)
+	include(openssl)
+	if(BUILD_SHARED_LIBS)
+		set(GRPC_OPENSSL_STATIC_LIBS_OPTION FALSE)
+	else()
+		set(GRPC_OPENSSL_STATIC_LIBS_OPTION TRUE)
+	endif()
+	include(re2)
+	set(GRPC_SRC "${PROJECT_BINARY_DIR}/grpc-prefix/src/grpc")
+	set(GRPC_INSTALL_DIR "${GRPC_SRC}/target")
+	set(GRPC_INCLUDE "${GRPC_INSTALL_DIR}/include" "${GRPC_SRC}/third_party/abseil-cpp")
+	set(GPR_LIB "${GRPC_SRC}/libgpr.a")
+	set(GRPC_LIB "${GRPC_SRC}/libgrpc.a")
+	set(GRPCPP_LIB "${GRPC_SRC}/libgrpc++.a")
+	set(GRPC_CPP_PLUGIN "${GRPC_SRC}/grpc_cpp_plugin")
+	set(GRPC_MAIN_LIBS "")
+	list(
+		APPEND
+		GRPC_MAIN_LIBS
+		"${GPR_LIB}"
+		"${GRPC_LIB}"
+		"${GRPCPP_LIB}"
+		"${GRPC_SRC}/libgrpc++_alts.a"
+		"${GRPC_SRC}/libgrpc++_error_details.a"
+		"${GRPC_SRC}/libgrpc++_reflection.a"
+		"${GRPC_SRC}/libgrpc++_unsecure.a"
+		"${GRPC_SRC}/libgrpc_plugin_support.a"
+		"${GRPC_SRC}/libgrpc_unsecure.a"
+		"${GRPC_SRC}/libgrpcpp_channelz.a"
+	)
+
+	get_filename_component(PROTOC_DIR ${PROTOC} PATH)
+
+	if(NOT TARGET grpc)
+		message(STATUS "Using bundled grpc in '${GRPC_SRC}'")
+
+		# fixme(leogr): this workaround is required to inject the missing deps (built by gRCP
+		# cmakefiles) into target_link_libraries later note: the list below is manually generated
+		# starting from the output of pkg-config --libs grpc++
+		set(GRPC_LIBRARIES "")
+		list(
+			APPEND
+			GRPC_LIBRARIES
+			"${GRPC_SRC}/libaddress_sorting.a"
+			"${GRPC_SRC}/libupb.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/hash/libabsl_hash.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/hash/libabsl_city.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/hash/libabsl_low_level_hash.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/container/libabsl_raw_hash_set.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/container/libabsl_hashtablez_sampler.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/status/libabsl_statusor.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/status/libabsl_status.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cord.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cordz_functions.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/profiling/libabsl_exponential_biased.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/types/libabsl_bad_optional_access.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/types/libabsl_bad_variant_access.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_str_format_internal.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/synchronization/libabsl_synchronization.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/synchronization/libabsl_graphcycles_internal.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_stacktrace.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_symbolize.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_debugging_internal.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_demangle_internal.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_malloc_internal.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/time/libabsl_time.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/time/libabsl_civil_time.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_strings.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_strings_internal.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_base.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_spinlock_wait.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/numeric/libabsl_int128.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_throw_delegate.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_raw_logging_internal.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_log_severity.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/time/libabsl_time_zone.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cord_internal.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cordz_info.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cordz_handle.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_pool_urbg.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen_hwaes.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen_hwaes_impl.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen_slow.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_seed_material.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_platform.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_seed_gen_exception.a"
+		)
+
+		# Make abseil-cpp build compatible with gcc-13 See
+		# https://patchwork.yoctoproject.org/project/oe/patch/20230518093301.2938164-1-Martin.Jansa@gmail.com/
+		# TO BE DROPPED once we finally upgrade grpc...
+		set(GRPC_PATCH_CMD
+			sh
+			-c
+			"sed -i '20s/^/#include <cstdint>/' ${GRPC_SRC}/third_party/abseil-cpp/absl/strings/internal/str_format/extension.h"
+		)
+
+		# Zig workaround: Add a PATCH_COMMAND to grpc cmake to fixup emitted -march by abseil-cpp
+		# cmake module, making it use a name understood by zig for arm64. See
+		# https://github.com/abseil/abseil-cpp/blob/master/absl/copts/GENERATED_AbseilCopts.cmake#L226.
+		if(CMAKE_C_COMPILER MATCHES "zig")
+			message(STATUS "Enabling zig workaround for abseil-cpp")
+			set(GRPC_PATCH_CMD
+				${GRPC_PATCH_CMD}
+				&&
+				sh
+				-c
+				"sed -i 's/armv8-a/cortex_a57/g' ${GRPC_SRC}/third_party/abseil-cpp/absl/copts/GENERATED_AbseilCopts.cmake"
+			)
+		endif()
+
+		ExternalProject_Add(
+			grpc
+			PREFIX "${PROJECT_BINARY_DIR}/grpc-prefix"
+			DEPENDS openssl protobuf c-ares zlib re2
+			GIT_REPOSITORY https://github.com/grpc/grpc.git
+			GIT_TAG v1.44.0
+			GIT_SUBMODULES "third_party/abseil-cpp"
+			CMAKE_CACHE_ARGS
+				-DCMAKE_INSTALL_PREFIX:PATH=${GRPC_INSTALL_DIR}
+				-DCMAKE_BUILD_TYPE:STRING=${CMAKE_BUILD_TYPE}
+				-DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=${ENABLE_PIC}
+				-DgRPC_INSTALL:BOOL=OFF
+				# disable unused stuff
+				-DgRPC_BUILD_TESTS:BOOL=OFF
+				-DgRPC_BUILD_CSHARP_EXT:BOOL=OFF
+				-DgRPC_BUILD_GRPC_CSHARP_PLUGIN:BOOL=OFF
+				-DgRPC_BUILD_GRPC_NODE_PLUGIN:BOOL=OFF
+				-DgRPC_BUILD_GRPC_OBJECTIVE_C_PLUGIN:BOOL=OFF
+				-DgRPC_BUILD_GRPC_PHP_PLUGIN:BOOL=OFF
+				-DgRPC_BUILD_GRPC_PYTHON_PLUGIN:BOOL=OFF
+				-DgRPC_BUILD_GRPC_RUBY_PLUGIN:BOOL=OFF
+				# deps provided by us
+				# https://github.com/grpc/grpc/blob/v1.32.0/cmake/modules/Findc-ares.cmake
+				-DgRPC_CARES_PROVIDER:STRING=package
+				-Dc-ares_DIR:PATH=${CARES_SRC}
+				-Dc-ares_INCLUDE_DIR:PATH=${CARES_INCLUDE}
+				-Dc-ares_LIBRARY:PATH=${CARES_LIB}
+				# https://cmake.org/cmake/help/v3.6/module/FindProtobuf.html
+				-DgRPC_PROTOBUF_PROVIDER:STRING=package
+				-DCMAKE_CXX_FLAGS:STRING=-I${PROTOBUF_INCLUDE}
+				-DProtobuf_INCLUDE_DIR:PATH=${PROTOBUF_INCLUDE}
+				-DProtobuf_LIBRARY:PATH=${PROTOBUF_LIB}
+				-DProtobuf_PROTOC_LIBRARY:PATH=${PROTOC_LIB}
+				-DProtobuf_PROTOC_EXECUTABLE:PATH=${PROTOC}
+				# https://cmake.org/cmake/help/v3.6/module/FindOpenSSL.html
+				-DgRPC_SSL_PROVIDER:STRING=package
+				-DOPENSSL_ROOT_DIR:PATH=${OPENSSL_INSTALL_DIR}
+				-DOPENSSL_USE_STATIC_LIBS:BOOL=${GRPC_OPENSSL_STATIC_LIBS_OPTION}
+				# https://cmake.org/cmake/help/v3.6/module/FindZLIB.html
+				-DgRPC_ZLIB_PROVIDER:STRING=package
+				-DZLIB_ROOT:STRING=${ZLIB_SRC}
+				# RE2
+				-DgRPC_RE2_PROVIDER:STRING=package
+				-Dre2_DIR:PATH=${RE2_DIR}
+			BUILD_IN_SOURCE 1
+			BUILD_BYPRODUCTS ${GRPC_LIB} ${GRPCPP_LIB} ${GPR_LIB} ${GRPC_LIBRARIES}
+			# Keep installation files into the local ${GRPC_INSTALL_DIR} since here is the case when
+			# we are embedding gRPC
+			UPDATE_COMMAND ""
+			PATCH_COMMAND ${GRPC_PATCH_CMD}
+			INSTALL_COMMAND DESTDIR= ${CMAKE_MAKE_PROGRAM} install
+		)
+		install(
+			FILES ${GRPC_MAIN_LIBS}
+			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+		install(
+			FILES ${GRPC_LIBRARIES}
+			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+		install(
+			DIRECTORY "${GRPC_SRC}/target/include/"
+			DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+	endif()
+endif()
+
+if(NOT TARGET grpc)
+	add_custom_target(grpc)
+endif()
+
+include_directories("${GRPC_INCLUDE}")

cmake/modules/jemalloc.cmake

@@ -0,0 +1,76 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2024 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+option(USE_BUNDLED_JEMALLOC "Use bundled jemalloc allocator" ${USE_BUNDLED_DEPS})
+
+if(JEMALLOC_INCLUDE)
+	# we already have JEMALLOC
+elseif(NOT USE_BUNDLED_JEMALLOC)
+	find_path(JEMALLOC_INCLUDE jemalloc/jemalloc.h)
+	set(JEMALLOC_INCLUDE ${JEMALLOC_INCLUDE}/jemalloc)
+	if(BUILD_SHARED_LIBS)
+		set(JEMALLOC_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
+	else()
+		set(JEMALLOC_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
+	endif()
+	find_library(JEMALLOC_LIB NAMES libjemalloc${JEMALLOC_LIB_SUFFIX})
+	if(JEMALLOC_LIB)
+		message(STATUS "Found JEMALLOC: include: ${JEMALLOC_INCLUDE}, lib: ${JEMALLOC_LIB}")
+	else()
+		message(FATAL_ERROR "Couldn't find system jemalloc")
+	endif()
+else()
+	if(BUILD_SHARED_LIBS)
+		set(JEMALLOC_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
+	else()
+		set(JEMALLOC_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
+	endif()
+	set(JEMALLOC_SRC "${PROJECT_BINARY_DIR}/jemalloc-prefix/src")
+	set(JEMALLOC_LIB "${JEMALLOC_SRC}/jemalloc/lib/libjemalloc${JEMALLOC_LIB_SUFFIX}")
+	set(JEMALLOC_INCLUDE "${JEMALLOC_SRC}/jemalloc/include/jemalloc")
+	if(CMAKE_SYSTEM_PROCESSOR STREQUAL "aarch64")
+		set(JEMALLOC_ARCH_SPECIFIC_CONFIGURE_ARGS --with-lg-page=14)
+	else()
+		set(JEMALLOC_ARCH_SPECIFIC_CONFIGURE_ARGS "")
+	endif()
+	ExternalProject_Add(
+		jemalloc
+		PREFIX "${PROJECT_BINARY_DIR}/jemalloc-prefix"
+		URL "https://github.com/jemalloc/jemalloc/archive/refs/tags/5.3.0.tar.gz"
+		URL_HASH "SHA256=ef6f74fd45e95ee4ef7f9e19ebe5b075ca6b7fbe0140612b2a161abafb7ee179"
+		CONFIGURE_COMMAND ./autogen.sh --enable-prof --disable-libdl
+						  ${JEMALLOC_ARCH_SPECIFIC_CONFIGURE_ARGS}
+		BUILD_IN_SOURCE 1
+		BUILD_COMMAND make build_lib_static
+		INSTALL_COMMAND ""
+		UPDATE_COMMAND ""
+		BUILD_BYPRODUCTS ${JEMALLOC_LIB}
+	)
+	message(STATUS "Using bundled jemalloc: include: ${JEMALLOC_INCLUDE}, lib: ${JEMALLOC_LIB}")
+	install(
+		FILES "${JEMALLOC_LIB}"
+		DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+		COMPONENT "libs-deps"
+	)
+endif()
+
+# We add a custom target, in this way we can always depend on `jemalloc` without distinguishing
+# between "bundled" and "not-bundled" case
+if(NOT TARGET jemalloc)
+	add_custom_target(jemalloc)
+endif()
+
+include_directories(${JEMALLOC_INCLUDE})
+add_compile_definitions(HAS_JEMALLOC)

cmake/modules/openssl.cmake

@@ -0,0 +1,81 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+option(USE_BUNDLED_OPENSSL "Enable building of the bundled OpenSSL" ${USE_BUNDLED_DEPS})
+
+if(OPENSSL_INCLUDE_DIR)
+	# we already have openssl
+elseif(NOT USE_BUNDLED_OPENSSL)
+	find_package(OpenSSL REQUIRED)
+	message(STATUS "Found OpenSSL: include: ${OPENSSL_INCLUDE_DIR}, lib: ${OPENSSL_LIBRARIES}")
+else()
+	if(BUILD_SHARED_LIBS)
+		set(OPENSSL_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
+		set(OPENSSL_SHARED_OPTION shared)
+	else()
+		set(OPENSSL_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
+		set(OPENSSL_SHARED_OPTION no-shared)
+	endif()
+	set(OPENSSL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl")
+	set(OPENSSL_INSTALL_DIR "${OPENSSL_BUNDLE_DIR}/target")
+	set(OPENSSL_INCLUDE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl/include/")
+	set(OPENSSL_LIBRARY_SSL "${OPENSSL_INSTALL_DIR}/lib/libssl${OPENSSL_LIB_SUFFIX}")
+	set(OPENSSL_LIBRARY_CRYPTO "${OPENSSL_INSTALL_DIR}/lib/libcrypto${OPENSSL_LIB_SUFFIX}")
+	set(OPENSSL_LIBRARIES ${OPENSSL_LIBRARY_SSL} ${OPENSSL_LIBRARY_CRYPTO})
+
+	if(NOT TARGET openssl)
+		if(NOT ENABLE_PIC)
+			set(OPENSSL_PIC_OPTION)
+		else()
+			set(OPENSSL_PIC_OPTION "-fPIC")
+		endif()
+
+		message(STATUS "Using bundled openssl in '${OPENSSL_BUNDLE_DIR}'")
+
+		ExternalProject_Add(
+			openssl
+			PREFIX "${PROJECT_BINARY_DIR}/openssl-prefix"
+			URL "https://github.com/openssl/openssl/releases/download/openssl-3.1.4/openssl-3.1.4.tar.gz"
+			URL_HASH "SHA256=840af5366ab9b522bde525826be3ef0fb0af81c6a9ebd84caa600fea1731eee3"
+			CONFIGURE_COMMAND ./config ${OPENSSL_SHARED_OPTION} ${OPENSSL_PIC_OPTION}
+							  --prefix=${OPENSSL_INSTALL_DIR} --libdir=lib
+			BUILD_COMMAND make
+			BUILD_IN_SOURCE 1
+			BUILD_BYPRODUCTS ${OPENSSL_LIBRARY_SSL} ${OPENSSL_LIBRARY_CRYPTO}
+			INSTALL_COMMAND make install_sw
+		)
+		install(
+			FILES "${OPENSSL_LIBRARY_SSL}"
+			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+		install(
+			FILES "${OPENSSL_LIBRARY_CRYPTO}"
+			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+		install(
+			DIRECTORY "${OPENSSL_INCLUDE_DIR}"
+			DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+	endif()
+endif()
+
+if(NOT TARGET openssl)
+	add_custom_target(openssl)
+endif()
+
+include_directories("${OPENSSL_INCLUDE_DIR}")

cmake/modules/rules.cmake

@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2024 The Falco Authors.
+# Copyright (C) 2025 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
 # in compliance with the License. You may obtain a copy of the License at
@@ -18,9 +18,9 @@ include(ExternalProject)
 
 if(NOT DEFINED FALCOSECURITY_RULES_FALCO_PATH)
 	# falco_rules.yaml
-	set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-3.2.0")
+	set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-4.0.0")
 	set(FALCOSECURITY_RULES_FALCO_CHECKSUM
-		"SHA256=b3990bf0209cfbf6a903b361e458a1f5851a9a5aeee808ad26a5ddbe1377157d"
+		"SHA256=132320ddbfa1e2580981ed1bdd3ee3d0128a1e2306b2bee8978d1f0a930d6127"
 	)
 	set(FALCOSECURITY_RULES_FALCO_PATH
 		"${PROJECT_BINARY_DIR}/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml"

cmake/modules/yaml-cpp.cmake

@@ -19,8 +19,8 @@ if(USE_BUNDLED_YAMLCPP)
 	include(FetchContent)
 	FetchContent_Declare(
 		yamlcpp
-		URL https://github.com/jbeder/yaml-cpp/archive/refs/tags/0.8.0.tar.gz
-		URL_HASH SHA256=fbe74bbdcee21d656715688706da3c8becfd946d92cd44705cc6098bb23b3a16
+		URL https://github.com/jbeder/yaml-cpp/archive/c2bec4c755c67ad86185a2a264996137904fb712.tar.gz
+		URL_HASH SHA256=faea1ffdbad81b958b3b45a63ba667f4db53a3fffb983ca5df4745cf90044797
 	)
 	FetchContent_MakeAvailable(yamlcpp)
 else()

config/falco.container_plugin.yaml

@@ -0,0 +1,2 @@
+# Enable container plugin for linux non musl installation.
+load_plugins: [container]

config/falco.iso8601_timeformat.yaml

@@ -0,0 +1,2 @@
+# Enable iso 8601 time format on docker
+time_format_iso_8601: true

docker/README.md

@@ -4,15 +4,9 @@ This directory contains various ways to package Falco as a container and related
 
 ## Currently Supported Images
 
-| Name | Directory | Description |
-|---|---|---|
-| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco | Falco (DEB built from git tag or from the master) with all the building toolchain. |
-| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. |
-| [falcosecurity/falco-no-driver:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver), [falcosecurity/falco-no-driver:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver),[falcosecurity/falco-no-driver:master](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver) | docker/no-driver | Falco (TGZ built from git tag or from the master) without the building toolchain. |
-| [falcosecurity/falco-driver-loader-legacy:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader-legacy), [falcosecurity/falco-driver-loader-legacy:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader-legacy) | docker/driver-loader-legacy | `falco-driver-loader` as entrypoint with the legacy building toolchain. Recommended for kernels < 4.0 |
-
-## Experimental Images
-
-| Name | Directory | Description |
-|---|---|---|
-| [falcosecurity/falco-distroless:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-distroless), [falcosecurity/falco-distroless:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-distroless),[falcosecurity/falco-distroless:master](https://hub.docker.com/repository/docker/falcosecurity/falco-distroless) | docker/no-driver/Dockerfile.distroless | Falco without the building toolchain built from a distroless base image. This results in a smaller image that has less potentially vulnerable components. |
+| Name                                                                                                                                                                                                                                                                                                                                                                                       | Directory                   | Description                                                                                                                                                                                                                |
+|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco)                                                                                                          | docker/falco                | Distroless image based on the latest released tar.gz of Falco. No tools are included in the image.                                                                              |
+| [falcosecurity/falco:latest-debian](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_-debian](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master-debian](https://hub.docker.com/repository/docker/falcosecurity/falco)                                                                                     | docker/falco-debian         | Debian-based image. Include some tools (i.e. jq, curl). No driver-building toolchain support. |
+| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader)                      | docker/driver-loader        | Based on falcosecurity/falco:x.y.z-debian (see above) plus the driver building toolchain support and falcoctl. This is intended to be used as an installer or an init container when modern eBPF cannot be used.                     |
+| [falcosecurity/falco-driver-loader:latest-buster](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_-buster](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master-debian](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader-buster | Similar to falcosecurity/falco-driver-loader (see above) but based on a legacy Debian image (i.e. buster ). Recommended only for old kernel versions.                                                                      |

docker/docker-compose/docker-compose.yaml

@@ -13,7 +13,7 @@ services:
       - /proc:/host/proc:ro
       - /etc:/host/etc:ro
       - ./config/http_output.yml:/etc/falco/config.d/http_output.yml
-    image: falcosecurity/falco-no-driver:latest
+    image: falcosecurity/falco:latest
 
   sidekick:
     container_name: falco-sidekick

docker/driver-loader-buster/Dockerfile

@@ -1,9 +1,13 @@
 FROM debian:buster
 
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
+LABEL org.opencontainers.image.authors='The Falco Authors https://falco.org' \
+      org.opencontainers.image.url='https://falco.org' \
+      org.opencontainers.image.source='https://github.com/falcosecurity/falco' \
+      org.opencontainers.image.vendor='Falco Organization' \
+      org.opencontainers.image.licenses='Apache-2.0' \
+      maintainer="cncf-falco-dev@lists.cncf.io"
 
-LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc --name NAME IMAGE"
+LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader:latest-buster [driver] [options]"
 
 ARG TARGETARCH
 
@@ -31,7 +35,6 @@ RUN apt-get update \
 	gcc \
 	jq \
 	libc6-dev \
-	libelf-dev \
 	libssl-dev \
 	llvm-7 \
 	netcat \
@@ -41,8 +44,8 @@ RUN apt-get update \
 	&& rm -rf /var/lib/apt/lists/*
 
 RUN if [ "$TARGETARCH" = "amd64" ]; \
-    then apt-get install -y --no-install-recommends libmpx2; \
-    fi
+	then apt-get install -y --no-install-recommends libmpx2; \
+	fi
 
 # gcc 6 is no longer included in debian stable, but we need it to
 # build kernel modules on the default debian-based ami used by
@@ -51,7 +54,7 @@ RUN if [ "$TARGETARCH" = "amd64" ]; \
 # or so.
 
 RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libcilkrts5_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
-    curl -L -o cpp-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_${TARGETARCH}.deb \
+	curl -L -o cpp-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_${TARGETARCH}.deb \
 	&& curl -L -o gcc-6-base_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_${TARGETARCH}.deb \
 	&& curl -L -o gcc-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_${TARGETARCH}.deb \
 	&& curl -L -o libasan3_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_${TARGETARCH}.deb \
@@ -60,8 +63,8 @@ RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libcilkrts5_6.3.0-18_${TARGE
 	&& curl -L -o libmpfr4_3.1.3-2_${TARGETARCH}.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_${TARGETARCH}.deb \
 	&& curl -L -o libisl15_0.18-1_${TARGETARCH}.deb https://download.falco.org/dependencies/libisl15_0.18-1_${TARGETARCH}.deb \
 	&& dpkg -i cpp-6_6.3.0-18_${TARGETARCH}.deb gcc-6-base_6.3.0-18_${TARGETARCH}.deb gcc-6_6.3.0-18_${TARGETARCH}.deb libasan3_6.3.0-18_${TARGETARCH}.deb; \
-    if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
-    dpkg -i libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb \
+	if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
+	dpkg -i libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb \
 	&& rm -f cpp-6_6.3.0-18_${TARGETARCH}.deb gcc-6-base_6.3.0-18_${TARGETARCH}.deb gcc-6_6.3.0-18_${TARGETARCH}.deb libasan3_6.3.0-18_${TARGETARCH}.deb libcilkrts5_6.3.0-18_${TARGETARCH}.deb libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb
 
 # gcc 5 is no longer included in debian stable, but we need it to
@@ -70,15 +73,15 @@ RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libcilkrts5_6.3.0-18_${TARGE
 # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
 
 RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libmpx0_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
-    curl -L -o cpp-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_${TARGETARCH}.deb \
+	curl -L -o cpp-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_${TARGETARCH}.deb \
 	&& curl -L -o gcc-5-base_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_${TARGETARCH}.deb \
 	&& curl -L -o gcc-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_${TARGETARCH}.deb \
 	&& curl -L -o libasan2_5.5.0-12_${TARGETARCH}.deb	https://download.falco.org/dependencies/libasan2_5.5.0-12_${TARGETARCH}.deb \
 	&& curl -L -o libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb \
 	&& curl -L -o libisl15_0.18-4_${TARGETARCH}.deb https://download.falco.org/dependencies/libisl15_0.18-4_${TARGETARCH}.deb \
 	&& dpkg -i cpp-5_5.5.0-12_${TARGETARCH}.deb gcc-5-base_5.5.0-12_${TARGETARCH}.deb gcc-5_5.5.0-12_${TARGETARCH}.deb libasan2_5.5.0-12_${TARGETARCH}.deb; \
-    if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
-    dpkg -i libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb \
+	if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
+	dpkg -i libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb \
 	&& rm -f cpp-5_5.5.0-12_${TARGETARCH}.deb gcc-5-base_5.5.0-12_${TARGETARCH}.deb gcc-5_5.5.0-12_${TARGETARCH}.deb libasan2_5.5.0-12_${TARGETARCH}.deb libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb libmpx0_5.5.0-12_${TARGETARCH}.deb
 
 # Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
@@ -97,10 +100,8 @@ RUN curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - \
 	&& apt-get clean \
 	&& rm -rf /var/lib/apt/lists/*
 
-# Change the falco config within the container to enable ISO 8601
-# output.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-	&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
+# Change the falco config within the container to enable ISO 8601 output.
+ADD ./config/falco.iso8601_timeformat.yaml /etc/falco/config.d/
 
 # Some base images have an empty /lib/modules by default
 # If it's not empty, docker build will fail instead of
@@ -113,10 +114,10 @@ RUN rm -df /lib/modules \
 # forcibly install binutils 2.30-22 instead.
 
 RUN if [ "$TARGETARCH" = "amd64" ] ; then \
-    curl -L -o binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
-    else  \
-    curl -L -o  binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
-    fi
+	curl -L -o binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
+	else  \
+	curl -L -o  binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
+	fi
 
 RUN curl -L -o binutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils_2.30-22_${TARGETARCH}.deb \
 	&& curl -L -o libbinutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/libbinutils_2.30-22_${TARGETARCH}.deb \
@@ -124,6 +125,6 @@ RUN curl -L -o binutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dep
 	&& dpkg -i *binutils*.deb \
 	&& rm -f *binutils*.deb
 
-COPY ./docker-entrypoint.sh /
+COPY ./docker/driver-loader-buster/docker-entrypoint.sh /
 
 ENTRYPOINT ["/docker-entrypoint.sh"]

docker/driver-loader-buster/docker-entrypoint.sh

@@ -21,7 +21,7 @@
 print_usage() {
 	echo ""
 	echo "Usage:"
-	echo "  docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader-legacy:latest [driver] [options]"
+	echo "  docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader:latest-buster [driver] [options]"
 	echo ""
 	echo "Available drivers:"
 	echo "  auto	       leverage automatic driver selection logic (default)"

docker/driver-loader/Dockerfile

@@ -1,14 +1,50 @@
 ARG FALCO_IMAGE_TAG=latest
-FROM docker.io/falcosecurity/falco:${FALCO_IMAGE_TAG}
+FROM docker.io/falcosecurity/falco:${FALCO_IMAGE_TAG}-debian
 
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
+LABEL org.opencontainers.image.authors='The Falco Authors https://falco.org' \
+      org.opencontainers.image.url='https://falco.org' \
+      org.opencontainers.image.source='https://github.com/falcosecurity/falco' \
+      org.opencontainers.image.vendor='Falco Organization' \
+      org.opencontainers.image.licenses='Apache-2.0' \
+      maintainer="cncf-falco-dev@lists.cncf.io"
 
-LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --name NAME IMAGE"
+LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader:latest [driver] [options]"
 
 ENV HOST_ROOT /host
 ENV HOME /root
 
-COPY ./docker-entrypoint.sh /
+RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
+
+RUN apt-get update \
+	&& apt-get install -y --no-install-recommends \
+	bc \
+	bison \
+	ca-certificates \
+	clang \
+	curl \
+	dkms \
+	dwarves \
+	flex \
+	gcc \
+	gcc-11 \
+	gnupg2 \
+	jq \
+	libc6-dev \
+	libssl-dev \
+	llvm \
+	make \
+	netcat-openbsd \
+	patchelf \
+	xz-utils \
+	zstd \
+	&& rm -rf /var/lib/apt/lists/*
+
+# Some base images have an empty /lib/modules by default
+# If it's not empty, docker build will fail instead of
+# silently overwriting the existing directory
+RUN rm -df /lib/modules \
+	&& ln -s $HOST_ROOT/lib/modules /lib/modules
+
+COPY ./docker/driver-loader/docker-entrypoint.sh /
 
 ENTRYPOINT ["/docker-entrypoint.sh"]

docker/driver-loader/docker-entrypoint.sh

@@ -50,6 +50,7 @@ echo "* Setting up /usr/src links from host"
 
 for i in "$HOST_ROOT/usr/src"/*
 do
+    [[ -e $i ]] || continue
     base=$(basename "$i")
     ln -s "$i" "/usr/src/$base"
 done

docker/falco-debian/Dockerfile

@@ -0,0 +1,36 @@
+FROM debian:12-slim
+
+LABEL org.opencontainers.image.authors='The Falco Authors https://falco.org' \
+      org.opencontainers.image.url='https://falco.org' \
+      org.opencontainers.image.source='https://github.com/falcosecurity/falco' \
+      org.opencontainers.image.vendor='Falco Organization' \
+      org.opencontainers.image.licenses='Apache-2.0' \
+      maintainer="cncf-falco-dev@lists.cncf.io"
+
+LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /proc:/host/proc:ro -v /etc:/host/etc:ro falcosecurity/falco:latest-debian"
+
+ARG FALCO_VERSION
+ARG VERSION_BUCKET=deb
+
+ENV FALCO_VERSION=${FALCO_VERSION}
+ENV VERSION_BUCKET=${VERSION_BUCKET}
+
+ENV HOST_ROOT /host
+ENV HOME /root
+
+RUN apt-get -y update && apt-get -y install ca-certificates curl jq ca-certificates gnupg2 \
+	&& apt clean -y && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /
+
+RUN curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - \
+	&& echo "deb https://download.falco.org/packages/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
+	&& apt-get update -y \
+	&& if [ "$FALCO_VERSION" = "latest" ]; then FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco; else FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
+	&& apt-get clean \
+	&& rm -rf /var/lib/apt/lists/*
+
+# Change the falco config within the container to enable ISO 8601 output.
+ADD ./config/falco.iso8601_timeformat.yaml /etc/falco/config.d/
+
+CMD ["/usr/bin/falco"]

docker/falco/Dockerfile

@@ -1,67 +1,41 @@
-FROM debian:bookworm
+FROM cgr.dev/chainguard/wolfi-base
 
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
+LABEL org.opencontainers.image.authors='The Falco Authors https://falco.org' \
+      org.opencontainers.image.url='https://falco.org' \
+      org.opencontainers.image.source='https://github.com/falcosecurity/falco' \
+      org.opencontainers.image.vendor='Falco Organization' \
+      org.opencontainers.image.licenses='Apache-2.0' \
+      maintainer="cncf-falco-dev@lists.cncf.io"
 
-LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc --name NAME IMAGE"
+LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /proc:/host/proc:ro  -v /etc:/host/etc:ro falcosecurity/falco:latest"
+# NOTE: for the "least privileged" use case, please refer to the official documentation
 
-ARG TARGETARCH
-
-ARG FALCO_VERSION=latest
-ARG VERSION_BUCKET=deb
-ENV VERSION_BUCKET=${VERSION_BUCKET}
+ARG FALCO_VERSION
+ARG VERSION_BUCKET=bin
 
 ENV FALCO_VERSION=${FALCO_VERSION}
+ENV VERSION_BUCKET=${VERSION_BUCKET}
 ENV HOST_ROOT /host
 ENV HOME /root
 
-RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
+RUN apk update && apk add curl ca-certificates jq libstdc++
 
-RUN apt-get update \
-	&& apt-get install -y --no-install-recommends \
-	bc \
-	bison \
-	ca-certificates \
-	clang \
-	curl \
-	dkms \
-	dwarves \
-	flex \
-	gcc \
-	gcc-11 \
-	gnupg2 \
-	jq \
-	libc6-dev \
-	libelf-dev \
-	libssl-dev \
-	llvm \
-	make \
-	netcat-openbsd \
-	patchelf \
-	xz-utils \
-	zstd \
-	&& rm -rf /var/lib/apt/lists/*
+WORKDIR /
 
-RUN curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - \
-	&& echo "deb https://download.falco.org/packages/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
-	&& apt-get update -y \
-	&& if [ "$FALCO_VERSION" = "latest" ]; then FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco; else FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
-	&& apt-get clean \
-	&& rm -rf /var/lib/apt/lists/*
+RUN FALCO_VERSION_URLENCODED=$(echo -n ${FALCO_VERSION}|jq -sRr @uri) && \
+    curl -L -o falco.tar.gz \
+    https://download.falco.org/packages/${VERSION_BUCKET}/$(uname -m)/falco-${FALCO_VERSION_URLENCODED}-$(uname -m).tar.gz && \
+    tar -xvf falco.tar.gz && \
+    rm -f falco.tar.gz && \
+    mv falco-${FALCO_VERSION}-$(uname -m) falco && \
+    rm -rf /falco/usr/src/falco-* && \
+    cp -r /falco/* / && \
+    rm -rf /falco
 
-# Change the falco config within the container to enable ISO 8601
-# output.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-	&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
+# Change the falco config within the container to enable ISO 8601 output.
+ADD ./config/falco.iso8601_timeformat.yaml /etc/falco/config.d/
 
-# Some base images have an empty /lib/modules by default
-# If it's not empty, docker build will fail instead of
-# silently overwriting the existing directory
-RUN rm -df /lib/modules \
-	&& ln -s $HOST_ROOT/lib/modules /lib/modules
-
-COPY ./docker-entrypoint.sh /
-
-ENTRYPOINT ["/docker-entrypoint.sh"]
+# Falcoctl is not included here.
+RUN rm -rf /usr/bin/falcoctl /etc/falcoctl/
 
 CMD ["/usr/bin/falco"]

docker/falco/docker-entrypoint.sh

@@ -1,136 +0,0 @@
-#!/usr/bin/env bash
-# SPDX-License-Identifier: Apache-2.0
-#
-# Copyright (C) 2023 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-
-print_usage() {
-	echo ""
-	echo "Usage:"
-	echo "  docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro -e 'FALCO_DRIVER_LOADER_OPTIONS=[driver] [options]' falcosecurity/falco:latest"
-	echo ""
-	echo "Available FALCO_DRIVER_LOADER_OPTIONS drivers:"
-	echo "  auto	       leverage automatic driver selection logic (default)"
-	echo "  modern_ebpf    modern eBPF CORE probe"
-	echo "  kmod           kernel module"
-	echo "  ebpf           eBPF probe"
-	echo ""
-	echo "FALCO_DRIVER_LOADER_OPTIONS options:"
-	echo "  --help           show this help message"
-	echo "  --clean          try to remove an already present driver installation"
-	echo "  --compile        try to compile the driver locally (default true)"
-	echo "  --download       try to download a prebuilt driver (default true)"
- 	echo "  --http-insecure	 enable insecure downloads"
-	echo "  --print-env      skip execution and print env variables for other tools to consume"
-	echo ""
-	echo "Environment variables:"
-	echo "  FALCOCTL_DRIVER_REPOS         specify different URL(s) where to look for prebuilt Falco drivers (comma separated)"
-	echo "  FALCOCTL_DRIVER_NAME          specify a different name for the driver"
-	echo "  FALCOCTL_DRIVER_HTTP_HEADERS  specify comma separated list of http headers for driver download (e.g. 'x-emc-namespace: default,Proxy-Authenticate: Basic')"
-	echo ""
-}
-
-# Set the SKIP_DRIVER_LOADER variable to skip loading the driver
-
-if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
-    echo "* Setting up /usr/src links from host"
-
-    for i in "$HOST_ROOT/usr/src"/*
-    do
-        base=$(basename "$i")
-        ln -s "$i" "/usr/src/$base"
-    done
-
-    # convert the optional space-separated env variable FALCO_DRIVER_LOADER_OPTIONS to array, prevent 
-    # shell expansion and use it as argument list for falcoctl
-    read -a falco_driver_loader_option_arr <<< $FALCO_DRIVER_LOADER_OPTIONS
-
-    ENABLE_COMPILE="false"
-    ENABLE_DOWNLOAD="false"
-    HTTP_INSECURE="false"
-    driver=
-    has_opts=
-    for opt in "${falco_driver_loader_option_arr[@]}"
-    do
-        case "$opt" in
-            auto|kmod|ebpf|modern_ebpf)
-                if [ -n "$driver" ]; then
-                    >&2 echo "Only one driver per invocation"
-                    print_usage
-                    exit 1
-                else
-                    driver=$opt
-                fi
-                ;;
-            -h|--help)
-                print_usage
-                exit 0
-                ;;    
-            --clean)
-                /usr/bin/falcoctl driver cleanup
-                exit 0
-                ;;
-            --compile)
-                ENABLE_COMPILE="true"
-                has_opts="true"
-                ;;
-            --download)
-                ENABLE_DOWNLOAD="true"
-                has_opts="true"
-                ;;
-            --http-insecure)
-                HTTP_INSECURE="true"
-                ;;
-            --print-env)
-                /usr/bin/falcoctl driver printenv
-                exit 0
-                ;;
-            --*)
-                >&2 echo "Unknown option: $opt"
-                print_usage
-                exit 1
-                ;;
-            *)
-                >&2 echo "Unknown driver: $opt"
-                print_usage
-                exit 1
-                ;;
-        esac
-    done
-
-    # No opts passed, enable both compile and download
-    if [ -z "$has_opts" ]; then
-        ENABLE_COMPILE="true"
-        ENABLE_DOWNLOAD="true"
-    fi
-
-    # Default value: auto
-    if [ -z "$driver" ]; then
-      driver="auto"
-    fi
-
-    if [ "$driver" != "auto" ]; then
-      /usr/bin/falcoctl driver config --type $driver
-    else
-      # Needed because we need to configure Falco to start with correct driver
-      /usr/bin/falcoctl driver config --type modern_ebpf --type kmod --type ebpf
-    fi
-    /usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD --http-insecure=$HTTP_INSECURE --http-headers="$FALCOCTL_DRIVER_HTTP_HEADERS"
-
-fi
-
-exec "$@"

docker/no-driver/Dockerfile

@@ -1,39 +0,0 @@
-FROM debian:12 as builder
-
-ARG FALCO_VERSION
-ARG VERSION_BUCKET=bin
-
-ENV FALCO_VERSION=${FALCO_VERSION}
-ENV VERSION_BUCKET=${VERSION_BUCKET}
-
-RUN apt-get -y update && apt-get -y install gridsite-clients curl ca-certificates
-
-WORKDIR /
-
-RUN curl -L -o falco.tar.gz \
-    https://download.falco.org/packages/${VERSION_BUCKET}/$(uname -m)/falco-$(urlencode ${FALCO_VERSION})-$(uname -m).tar.gz && \
-    tar -xvf falco.tar.gz && \
-    rm -f falco.tar.gz && \
-    mv falco-${FALCO_VERSION}-$(uname -m) falco && \
-    rm -rf /falco/usr/src/falco-*
-
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
-    && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml
-
-FROM debian:12-slim
-
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
-
-LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
-# NOTE: for the "least privileged" use case, please refer to the official documentation
-
-RUN apt-get -y update && apt-get -y install ca-certificates curl jq libelf1 \
-    && apt clean -y && rm -rf /var/lib/apt/lists/*
-
-ENV HOST_ROOT /host
-ENV HOME /root
-
-COPY --from=builder /falco /
-
-CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/no-driver/Dockerfile.distroless

@@ -1,40 +0,0 @@
-FROM cgr.dev/chainguard/wolfi-base as builder
-
-ARG FALCO_VERSION
-ARG VERSION_BUCKET=bin
-
-ENV FALCO_VERSION=${FALCO_VERSION}
-ENV VERSION_BUCKET=${VERSION_BUCKET}
-
-RUN apk update && apk add build-base gcc curl ca-certificates jq elfutils
-
-WORKDIR /
-
-RUN FALCO_VERSION_URLENCODED=$(echo -n ${FALCO_VERSION}|jq -sRr @uri) && \
-    curl -L -o falco.tar.gz \
-    https://download.falco.org/packages/${VERSION_BUCKET}/$(uname -m)/falco-${FALCO_VERSION_URLENCODED}-$(uname -m).tar.gz && \
-    tar -xvf falco.tar.gz && \
-    rm -f falco.tar.gz && \
-    mv falco-${FALCO_VERSION}-$(uname -m) falco && \
-    rm -rf /falco/usr/src/falco-*
-
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
-    && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml
-
-FROM cgr.dev/chainguard/wolfi-base
-
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
-
-LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
-# NOTE: for the "least privileged" use case, please refer to the official documentation
-
-RUN apk update && apk add libelf libstdc++
-
-ENV HOST_ROOT /host
-ENV HOME /root
-
-USER root
-COPY --from=builder /falco /
-
-CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

falco.yaml

@@ -143,8 +143,31 @@
 # Also, nested include is not allowed, ie: included config files won't be able to include other config files.
 #
 # Like for 'rules_files', specifying a folder will load all the configs files present in it in a lexicographical order.
+#
+# 3 merge-strategies are available:
+# `append` (default):
+#   * existing sequence keys will be appended
+#   * existing scalar keys will be overridden
+#   * non-existing keys will be added
+# `override`:
+#   * existing keys will be overridden
+#   * non-existing keys will be added
+# `add-only`:
+#   * existing keys will be ignored
+#   * non-existing keys will be added
+#
+# Each item on the list can be either a yaml map or a simple string.
+# The simple string will be interpreted as the config file path, and the `append` merge-strategy will be enforced.
+# When the item is a yaml map instead, it will be of the form: `   path: foo\n   strategy: X`.
+# When `strategy` is omitted, once again `append` is used.
+#
+# When a merge-strategy is enabled for a folder entry, all the included config files will use that merge-strategy.
 config_files:
   - /etc/falco/config.d
+  # Example of config file specified as yaml map with strategy made explicit.
+  #- path: $HOME/falco_local_configs/
+  #  strategy: add-only
+
 
 # [Stable] `watch_config_files`
 #
@@ -167,8 +190,8 @@ watch_config_files: true
 # Falco rules can be specified using files or directories, which are loaded at
 # startup.
 #
-# If the entry is a file, it will be read directly. If the entry is a directory,
-# all files within that directory will be read in alphabetical order.
+# If the entry is a yaml file, it will be read directly. If the entry is a directory,
+# all yaml files within that directory will be read in alphabetical order.
 #
 # The falco_rules.yaml file ships with the Falco package and is overridden with
 # every new software version. falco_rules.local.yaml is only created if it
@@ -196,6 +219,10 @@ watch_config_files: true
 # "first match wins" principle. However, enabling the `all` matching option may result
 # in a performance penalty. We recommend carefully testing this alternative setting  
 # before deploying it in production. Read more under the `rule_matching` configuration.
+#
+# Since Falco 0.41 only files with .yml and .yaml extensions are considered, 
+# including directory contents. This means that you may specify directories that
+# contain yaml files for rules and other files which will be ignored.
 rules_files:
   - /etc/falco/falco_rules.yaml
   - /etc/falco/falco_rules.local.yaml
@@ -436,7 +463,7 @@ engine:
 # Falco plugins enable integration with other services in your ecosystem.
 # They allow Falco to extend its functionality and leverage data sources such as
 # Kubernetes audit logs or AWS CloudTrail logs. This enables Falco to perform
-# fast on-host detections beyond syscalls and container events. The plugin
+# fast on-host detections beyond syscalls. The plugin
 # system will continue to evolve with more specialized functionality in future
 # releases.
 #
@@ -448,7 +475,7 @@ engine:
 # Please note that if your intention is to enrich Falco syscall logs with fields
 # such as `k8s.ns.name`, `k8s.pod.name`, and `k8s.pod.*`, you do not need to use
 # the `k8saudit` plugin. This information is automatically extracted from
-# the container runtime socket. The `k8saudit` plugin is specifically designed
+# the container runtime socket by the 'container' plugin. The `k8saudit` plugin is specifically designed
 # to integrate with Kubernetes audit logs and is not required for basic enrichment
 # of syscall logs with Kubernetes-related fields.
 #
@@ -466,6 +493,32 @@ load_plugins: []
 # applied when the corresponding plugin is enabled using the `load_plugins`
 # option.
 plugins:
+  - name: container
+    # For a summary of config option, see https://github.com/FedeDP/container_plugin?tab=readme-ov-file#configuration
+    library_path: libcontainer.so
+    init_config:
+      label_max_len: 100
+      with_size: false
+# We use default config values for engine key.
+#      engines:
+#        docker:
+#          enabled: true
+#          sockets: [ '/var/run/docker.sock' ]
+#        podman:
+#          enabled: true
+#          sockets: [ '/run/podman/podman.sock', '/run/user/1000/podman/podman.sock' ]
+#        containerd:
+#          enabled: true
+#          sockets: [ '/run/containerd/containerd.sock' ]
+#        cri:
+#          enabled: true
+#          sockets: [ '/run/crio/crio.sock' ]
+#        lxc:
+#          enabled: false
+#        libvirt_lxc:
+#          enabled: false
+#        bpm:
+#          enabled: false
   - name: k8saudit
     library_path: libk8saudit.so
     init_config: ""
@@ -480,6 +533,14 @@ plugins:
   - name: json
     library_path: libjson.so
 
+# [Sandbox] `plugins_hostinfo`
+#
+# Uncomment to disable host info support for source plugins
+# that DO NOT generate raw events from the libscap event table
+# or for plugins that DO NOT parse raw events generated by drivers,
+# effectively dropping the `proc-fs` hostPath volume requirement for them:
+# https://github.com/falcosecurity/charts/blob/bd57711e7c8e00919ea288716e0d9d5fdad8867e/charts/falco/templates/pod-template.tpl#L302-L304
+# plugins_hostinfo: false
 
 ##########################
 # Falco outputs settings #
@@ -492,6 +553,13 @@ plugins:
 # the /etc/localtime configuration.
 time_format_iso_8601: false
 
+# [Incubating] `buffer_format_base64`
+#
+# When enabled, Falco will output data buffer with base64 encoding. This is useful
+# for encoding binary data that needs to be used over media designed to consume
+# this format.
+buffer_format_base64: false
+
 # [Stable] `priority`
 #
 # Any rule with a priority level more severe than or equal to the specified
@@ -527,6 +595,13 @@ json_include_output_property: true
 # information.
 json_include_message_property: false
 
+# [Incubating] `json_include_output_fields_property`
+#
+# When using JSON output in Falco, you have the option to include the individual
+# output fields for easier access. To reduce the logging volume, it is recommended
+# to turn it off if it's not necessary for your use case.
+json_include_output_fields_property: true
+
 # [Stable] `json_include_tags_property`
 #
 # When using JSON output in Falco, you have the option to include the "tags"
@@ -538,9 +613,14 @@ json_include_tags_property: true
 
 # [Stable] `buffered_outputs`
 #
-# Enabling buffering for the output queue can offer performance optimization,
-# efficient resource usage, and smoother data flow, resulting in a more reliable
-# output mechanism. By default, buffering is disabled (false).
+# Global buffering option for output channels. When disabled, the output channel
+# that supports buffering flushes the output buffer on every alert. This can lead to 
+# increased CPU usage but is useful when piping outputs to another process or script. 
+# Buffering is currently supported by `file_output`, `program_output`, and `std_output`. 
+# Some output channels may implement buffering strategies you cannot control. 
+# Additionally, this setting is separate from the `output_queue` option. The output queue 
+# sits between the rule engine and the output channels, while output buffering occurs 
+# afterward once the specific channel implementation outputs the formatted message.
 buffered_outputs: false
 
 # [Incubating] `rule_matching`
@@ -568,7 +648,7 @@ rule_matching: first
 #
 # Falco utilizes tbb::concurrent_bounded_queue for handling outputs, and this parameter
 # allows you to customize the queue capacity. Please refer to the official documentation:
-# https://oneapi-src.github.io/oneTBB/main/tbb_userguide/Concurrent_Queue_Classes.html.
+# https://uxlfoundation.github.io/oneTBB/main/tbb_userguide/Concurrent_Queue_Classes.html.
 # On a healthy system with optimized Falco rules, the queue should not fill up.
 # If it does, it is most likely happening due to the entire event flow being too slow,
 # indicating that the server is under heavy load.
@@ -611,6 +691,7 @@ outputs_queue:
 #             affect the regular Falco message in any way. These can be specified as a
 #             custom name with a custom format or as any supported field
 #             (see: https://falco.org/docs/reference/rules/supported-fields/)
+#   `suggested_output`: enable the use of extractor plugins suggested fields for the matching source output.
 #
 # Example:
 # 
@@ -627,6 +708,13 @@ outputs_queue:
 # property you will find three new ones: "evt.cpu", "home_directory" which will contain the value of the
 # environment variable $HOME, and "evt.hostname" which will contain the hostname.
 
+# By default, we enable suggested_output for any source.
+# This means that any extractor plugin that indicates some of its fields
+# as suggested output formats, will see these fields in the output
+# in the form "foo_bar=$foo.bar"
+append_output:
+  - suggested_output: true
+
 
 ##########################
 # Falco outputs channels #
@@ -692,6 +780,8 @@ http_output:
   echo: false
   compress_uploads: false
   keep_alive: false
+  # Maximum consecutive timeouts of libcurl to ignore
+  max_consecutive_timeouts: 5
 
 # [Stable] `program_output`
 #
@@ -851,11 +941,11 @@ log_level: info
 # library specifically, providing more granular control over the logging
 # behavior of the underlying components used by Falco. Only logs of a certain
 # severity level or higher will be emitted. Supported levels: "fatal",
-# "critical", "error", "warning", "notice", "info", "debug", "trace". It is not
-# recommended for production use.
+# "critical", "error", "warning", "notice", "info", "debug", "trace".
+#  It is not recommended to use "debug" and "trace" for production use.
 libs_logger:
-  enabled: false
-  severity: debug
+  enabled: true
+  severity: info
 
 
 #################################################################################
@@ -1064,8 +1154,7 @@ syscall_event_drops:
 #
 # `state_counters_enabled`: Emit counters related to Falco's state engine, including 
 # added, removed threads or file descriptors (fds), and failed lookup, store, or 
-# retrieve actions in relation to Falco's underlying process cache table (threadtable). 
-# We also log the number of currently cached containers if applicable.
+# retrieve actions in relation to Falco's underlying process cache table (threadtable).
 #
 # `kernel_event_counters_enabled`: Emit kernel side event and drop counters, as
 # an alternative to `syscall_event_drops`, but with some differences. These
@@ -1096,6 +1185,8 @@ syscall_event_drops:
 # there will be no metrics available. In other words, there are no default or 
 # generic plugin metrics at this time. This may be subject to change.
 #
+# `jemalloc_stats_enabled`: Falco can now expose jemalloc related stats.
+#
 # If metrics are enabled, the web server can be configured to activate the
 # corresponding Prometheus endpoint using `webserver.prometheus_metrics_enabled`.
 # Prometheus output can be used in combination with the other output options.
@@ -1117,6 +1208,7 @@ metrics:
   kernel_event_counters_per_cpu_enabled: false
   libbpf_stats_enabled: true
   plugins_metrics_enabled: true
+  jemalloc_stats_enabled: false
   convert_memory_to_mb: true
   include_empty_values: false
 
@@ -1155,6 +1247,14 @@ metrics:
 # Falco, the `base_syscalls` option allows for finer end-user control of
 # syscalls traced by Falco.
 #
+# --- [base_syscalls.all]
+#
+# `base_syscalls.all` enables monitoring of all events supported by Falco and
+# defined in rules and configs.
+# By default some events, such as `write`, are ignored (run `falco -i` to get
+# the full list) unless base_syscalls.all is true.
+# This option may negatively impact performance.
+#
 # --- [base_syscalls.custom_set]
 #
 # CAUTION: Misconfiguration of this setting may result in incomplete Falco event
@@ -1238,6 +1338,7 @@ metrics:
 base_syscalls:
   custom_set: []
   repair: false
+  all: false
 
 ##############
 # Falco libs #
@@ -1259,46 +1360,12 @@ base_syscalls:
 # `metrics.state_counters_enabled` to measure how the internal state handling is performing, 
 # and the fields called `n_drops_full_threadtable` or `n_store_evts_drops` will inform you
 # if you should increase this value for optimal performance.
+#
+# `snaplen`
+#
+# Set how many bytes are collected of each I/O buffer for 'syscall' events.
+# Use this option with caution since it can have a strong performance impact.
+#
 falco_libs:
   thread_table_size: 262144
-
-# [Incubating] `container_engines`
-#
-# This option allows you to explicitly enable or disable API lookups against container 
-# runtime sockets for each supported container runtime. 
-# Access to these sockets enables Falco to retrieve container and Kubernetes fields, 
-# helping identify workload owners in modern containerized environments. 
-# Refer to the fields docs:
-# 
-# - [Kubernetes fields](https://falco.org/docs/reference/rules/supported-fields/#field-class-k8s)
-# - [Container fields](https://falco.org/docs/reference/rules/supported-fields/#container)
-# 
-# Additionally, Falco can use container events as a data source for alerting (evt.type = container).
-# 
-# For most container engines, you can solely enable or disable them, and Falco will search the 
-# default (hard-coded) container runtime socket paths, such as `/var/run/docker.sock` for Docker.
-#
-# However, for Kubernetes settings, you can customize the CRI socket paths:
-# 
-# - `container_engines.cri.sockets`: Pass a list of container runtime sockets.
-# - `container_engines.cri.disable_async`: Since API lookups may not always be quick or 
-# perfect, resulting in empty fields for container metadata, you can use this option option 
-# to disable asynchronous fetching. Note that missing fields may still occasionally occur.
-# 
-# The equivalent (stable) CLI args are `--cri` or `--disable-cri-async`.
-
-container_engines:
-  docker:
-    enabled: true
-  cri:
-    enabled: true
-    sockets: ["/run/containerd/containerd.sock", "/run/crio/crio.sock", "/run/k3s/containerd/containerd.sock"]
-    disable_async: false
-  podman:
-    enabled: true
-  lxc:
-    enabled: true
-  libvirt_lxc:
-    enabled: true
-  bpm:
-    enabled: true
+  snaplen: 80

proposals/20231220-features-adoption-and-deprecation.md

@@ -175,7 +175,7 @@ _The units represent the number of releases._
 ### Examples
 
 **Example 1** Let's consider a feature _foo_ in the Output/Alerts Area introduced in Falco 1.0.0 and labeled as *Incubating*. The feature is promoted to *Stable* in Falco 1.1.0 (because the feature did not get any user-facing change).
-Subsequently, maintainers decide that backward-compatible changes must be introduced in _foo_ to improve its functionality. The part of the feature to be changed is labeled as *Deprecated* in Falco 1.2.0, and the deprecation period starts. The non-backward compatible change is then introduced in Falco 1.4.0.
+Subsequently, maintainers decide that backward-incompatible changes must be introduced in _foo_ to improve its functionality. The part of the feature to be changed is labeled as *Deprecated* in Falco 1.2.0, and the deprecation period starts. The non-backward compatible change is then introduced in Falco 1.4.0.
 
 **Example 2** The `--bar` flag in the CLI/Config Area has been introduced since Falco 1.1.0 and is labeled as *Stable*. Before releasing Falco 1.5.0, maintainers realize `--bar` is redundant and should be removed. The flag is labeled as *Deprecated* in Falco 1.5.0, and the deprecation period starts. The flag is removed in Falco 1.6.0.
 

scripts/falcoctl/falcoctl.yaml.in

@@ -10,7 +10,7 @@ artifact:
     every: 6h0m0s
     falcoVersions: http://localhost:8765/versions
     refs:
-    - falco-rules:3
+    - falco-rules:4
 indexes:
 - name: falcosecurity
   url: https://falcosecurity.github.io/falcoctl/index.yaml

scripts/ignored-calls.sh

@@ -1,26 +0,0 @@
-#!/usr/bin/env bash
-# SPDX-License-Identifier: Apache-2.0
-#
-# Copyright (C) 2023 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-scriptdir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
-parentdir="$(dirname "$scriptdir")"
-libsdir="${parentdir}/build/falcosecurity-libs-repo/falcosecurity-libs-prefix/src/falcosecurity-libs"
-cat "${libsdir}/userspace/libscap/syscall_info_table.c" | grep EF_DROP_SIMPLE_CONS | sed -e 's/.*\"\(.*\)\".*/\1/'  | sort > /tmp/ignored_syscall_info_table.txt
-cat "${libsdir}/driver/event_table.c" | grep EF_DROP_SIMPLE_CONS | sed -e 's/[^\"]*\"\([^\"]*\)\".*/\1/' | sort | uniq > /tmp/ignored_driver_event_table.txt
-
-cat /tmp/ignored_driver_event_table.txt /tmp/ignored_syscall_info_table.txt | sort | uniq | tr '\n' ', '
-

unit_tests/engine/test_alt_rule_loader.cpp

@@ -15,6 +15,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+#include <memory>
 #include <string>
 
 #include <gtest/gtest.h>
@@ -41,7 +42,10 @@ struct test_object_info {
 
 struct test_compile_output : public rule_loader::compile_output {
 	test_compile_output() = default;
-	~test_compile_output() = default;
+	virtual ~test_compile_output() = default;
+	virtual std::unique_ptr<compile_output> clone() const override {
+		return std::make_unique<test_compile_output>(*this);
+	}
 
 	std::set<std::string> defined_test_properties;
 };
@@ -320,3 +324,33 @@ TEST(engine_loader_alt_loader, falco_engine_alternate_loader) {
 	EXPECT_TRUE(defined_properties.find("other-value") != defined_properties.end());
 	EXPECT_TRUE(defined_properties.find("not-exists-value") == defined_properties.end());
 };
+
+TEST(engine_loader_alt_loader, clone_compile_output) {
+	sinsp inspector;
+	sinsp_filter_check_list filterchecks;
+	indexed_vector<falco_source> sources;
+
+	std::shared_ptr<rule_loader::configuration> cfg =
+	        create_configuration(inspector, filterchecks, sources);
+
+	test_reader reader;
+	test_collector collector;
+	test_compiler compiler;
+
+	EXPECT_TRUE(reader.read(*cfg, collector));
+
+	std::unique_ptr<rule_loader::compile_output> compile_output = compiler.new_compile_output();
+
+	compiler.compile(*cfg, collector, *compile_output);
+
+	const test_compile_output& original_ref =
+	        dynamic_cast<const test_compile_output&>(*(compile_output.get()));
+
+	std::unique_ptr<rule_loader::compile_output> copy = compile_output->clone();
+	const test_compile_output& copy_ref = dynamic_cast<const test_compile_output&>(*(copy.get()));
+
+	EXPECT_EQ(copy_ref.lists, original_ref.lists);
+	EXPECT_EQ(copy_ref.macros, original_ref.macros);
+	EXPECT_EQ(copy_ref.rules, original_ref.rules);
+	EXPECT_EQ(copy_ref.defined_test_properties, original_ref.defined_test_properties);
+}

unit_tests/engine/test_extra_output.cpp

@@ -28,7 +28,7 @@ TEST_F(test_falco_engine, extra_format_all) {
   priority: INFO
 )END";
 
-	m_engine->add_extra_output_format("evt.type=%evt.type", "", {}, "", false);
+	m_engine->add_extra_output_format("evt.type=%evt.type", "", {}, "");
 	ASSERT_TRUE(load_rules(rules_content, "legit_rules.yaml")) << m_load_result_string;
 
 	EXPECT_EQ(get_compiled_rule_output("legit_rule"),
@@ -50,7 +50,7 @@ TEST_F(test_falco_engine, extra_format_by_rule) {
   priority: INFO
 )END";
 
-	m_engine->add_extra_output_format("evt.type=%evt.type", "", {}, "legit_rule", false);
+	m_engine->add_extra_output_format("evt.type=%evt.type", "", {}, "legit_rule");
 	ASSERT_TRUE(load_rules(rules_content, "legit_rules.yaml")) << m_load_result_string;
 
 	EXPECT_EQ(get_compiled_rule_output("legit_rule"), "out 1 evt.type=%evt.type");
@@ -81,9 +81,9 @@ TEST_F(test_falco_engine, extra_format_by_tag_rule) {
   tags: [tag1, tag2]
 )END";
 
-	m_engine->add_extra_output_format("extra 1", "", {"tag1"}, "", false);
-	m_engine->add_extra_output_format("extra 2", "", {}, "another_rule", false);
-	m_engine->add_extra_output_format("extra 3", "", {"tag1", "tag2"}, "", false);
+	m_engine->add_extra_output_format("extra 1", "", {"tag1"}, "");
+	m_engine->add_extra_output_format("extra 2", "", {}, "another_rule");
+	m_engine->add_extra_output_format("extra 3", "", {"tag1", "tag2"}, "");
 
 	ASSERT_TRUE(load_rules(rules_content, "legit_rules.yaml")) << m_load_result_string;
 
@@ -92,32 +92,7 @@ TEST_F(test_falco_engine, extra_format_by_tag_rule) {
 	EXPECT_EQ(get_compiled_rule_output("a_third_rule"), "out 3 extra 1 extra 3");
 }
 
-TEST_F(test_falco_engine, extra_format_replace_container_info) {
-	std::string rules_content = R"END(
-- rule: legit_rule
-  desc: legit rule description
-  condition: evt.type=open
-  output: out 1 (%container.info)
-  priority: INFO
-  tags: [tag1]
-
-- rule: another_rule
-  desc: legit rule description
-  condition: evt.type=open
-  output: out 2
-  priority: INFO
-  tags: [tag1]
-)END";
-
-	m_engine->add_extra_output_format("extra 1", "", {}, "", true);
-
-	ASSERT_TRUE(load_rules(rules_content, "legit_rules.yaml")) << m_load_result_string;
-
-	EXPECT_EQ(get_compiled_rule_output("legit_rule"), "out 1 (extra 1)");
-	EXPECT_EQ(get_compiled_rule_output("another_rule"), "out 2 extra 1");
-}
-
-TEST_F(test_falco_engine, extra_format_do_not_replace_container_info) {
+TEST_F(test_falco_engine, extra_format_empty_container_info) {
 	std::string rules_content = R"END(
 - rule: legit_rule
   desc: legit rule description

unit_tests/engine/test_rule_loader.cpp

@@ -1222,3 +1222,108 @@ TEST_F(test_falco_engine, exceptions_fields_transformer_space_quoted) {
 	EXPECT_EQ(get_compiled_rule_condition("test_rule"),
 	          "(evt.type = open and not tolower(proc.name) = test)");
 }
+
+TEST_F(test_falco_engine, redefine_rule_different_source) {
+	auto rules_content = R"END(
+- rule: LD_PRELOAD trick
+  desc: Some desc
+  condition: ka.verb = GET
+  output: some output
+  priority: INFO
+  source: k8s_audit
+
+- rule: LD_PRELOAD trick
+  desc: Some desc
+  condition: and 1 = 2
+  output: Some output
+  priority: INFO
+  source: syscall
+)END";
+
+	ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
+	ASSERT_TRUE(check_error_message("Rule has been re-defined with a different source"));
+}
+
+TEST_F(test_falco_engine, append_across_sources) {
+	auto rules_content = R"END(
+- rule: LD_PRELOAD trick
+  desc: Some desc
+  condition: ka.verb = GET
+  output: some output
+  priority: INFO
+  source: k8s_audit
+
+- rule: LD_PRELOAD trick
+  desc: Some desc
+  condition: and 1 = 2
+  output: Some output
+  priority: INFO
+  source: syscall
+  append: true
+)END";
+
+	ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
+	ASSERT_TRUE(check_error_message("Rule has been re-defined with a different source"));
+}
+
+TEST_F(test_falco_engine, selective_replace_across_sources) {
+	auto rules_content = R"END(
+- rule: LD_PRELOAD trick
+  desc: Some desc
+  condition: ka.verb = GET
+  output: some output
+  priority: INFO
+  source: k8s_audit
+
+- rule: LD_PRELOAD trick
+  condition: 1 = 2
+  override:
+    condition: replace
+  source: syscall
+)END";
+
+	ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
+	ASSERT_TRUE(check_error_message("Rule has been re-defined with a different source"));
+}
+
+TEST_F(test_falco_engine, empty_source_addl_rule) {
+	auto rules_content = R"END(
+- rule: LD_PRELOAD trick
+  desc: Some desc
+  condition: evt.type=execve
+  output: some output
+  priority: INFO
+  source: syscall
+
+- rule: LD_PRELOAD trick
+  desc: Some desc
+  condition: and proc.name=apache
+  output: Some output
+  priority: INFO
+  source:
+  append: true
+)END";
+
+	EXPECT_TRUE(load_rules(rules_content, "rules.yaml"));
+}
+
+TEST_F(test_falco_engine, empty_string_source_addl_rule) {
+	auto rules_content = R"END(
+- rule: LD_PRELOAD trick
+  desc: Some desc
+  condition: evt.type=execve
+  output: some output
+  priority: INFO
+  source: syscall
+
+- rule: LD_PRELOAD trick
+  desc: Some desc
+  condition: and proc.name=apache
+  output: Some output
+  priority: INFO
+  source: ""
+  append: true
+)END";
+
+	EXPECT_TRUE(load_rules(rules_content, "rules.yaml"));
+}

unit_tests/falco/app/actions/test_configure_interesting_sets.cpp

@@ -116,7 +116,6 @@ TEST_F(test_falco_engine, preconditions_postconditions) {
 
 	s1.engine = nullptr;
 	s1.config = std::make_shared<falco_configuration>();
-	s1.options.all_events = false;
 	auto result = falco::app::actions::configure_interesting_sets(s1);
 	ASSERT_FALSE(result.success);
 	ASSERT_NE(result.errstr, "");
@@ -199,9 +198,8 @@ TEST_F(test_falco_engine, selection_not_allevents) {
 	falco::app::state s2;
 	// run app action with fake engine and without the `-A` option
 	s2.engine = m_engine;
-	s2.options.all_events = false;
+	s2.config->m_base_syscalls_all = false;
 
-	ASSERT_EQ(s2.options.all_events, false);
 	auto result = falco::app::actions::configure_interesting_sets(s2);
 	ASSERT_TRUE(result.success);
 	ASSERT_EQ(result.errstr, "");
@@ -256,7 +254,8 @@ TEST_F(test_falco_engine, selection_allevents) {
 	falco::app::state s3;
 	// run app action with fake engine and with the `-A` option
 	s3.engine = m_engine;
-	s3.options.all_events = true;
+	s3.config->m_base_syscalls_all = true;
+
 	auto result = falco::app::actions::configure_interesting_sets(s3);
 	ASSERT_TRUE(result.success);
 	ASSERT_EQ(result.errstr, "");
@@ -299,8 +298,8 @@ TEST_F(test_falco_engine, selection_allevents) {
 
 TEST_F(test_falco_engine, selection_generic_evts) {
 	falco::app::state s4;
-	// run app action with fake engine and without the `-A` option
-	s4.options.all_events = false;
+	// run app action with fake engine and without the `m_base_syscalls_all` option
+
 	auto filters = s_sample_filters;
 	filters.insert(s_sample_generic_filters.begin(), s_sample_generic_filters.end());
 	load_rules(ruleset_from_filters(filters), "dummy_ruleset.yaml");
@@ -347,8 +346,7 @@ TEST_F(test_falco_engine, selection_custom_base_set) {
 	load_rules(ruleset_from_filters(s_sample_filters), "dummy_ruleset.yaml");
 
 	falco::app::state s5;
-	// run app action with fake engine and without the `-A` option
-	s5.options.all_events = true;
+	s5.config->m_base_syscalls_all = true;
 	s5.engine = m_engine;
 	auto default_base_set = libsinsp::events::sinsp_state_sc_set();
 
@@ -425,8 +423,8 @@ TEST_F(test_falco_engine, selection_custom_base_set) {
 	expected_sc_names.erase("accept4");
 	ASSERT_NAMES_EQ(selected_sc_names, expected_sc_names);
 
-	// non-empty custom base set (positive, without -A)
-	s5.options.all_events = false;
+	// non-empty custom base set (positive, disable all syscalls)
+	s5.config->m_base_syscalls_all = false;
 	s5.config->m_base_syscalls_custom_set = {"read"};
 	result = falco::app::actions::configure_interesting_sets(s5);
 	ASSERT_TRUE(result.success);
@@ -453,8 +451,8 @@ TEST_F(test_falco_engine, selection_custom_base_set_repair) {
 	load_rules(ruleset_from_filters(s_sample_filters), "dummy_ruleset.yaml");
 
 	falco::app::state s6;
-	// run app action with fake engine and without the `-A` option
-	s6.options.all_events = false;
+	// run app action with fake engine and without the `all syscalls` option
+	s6.config->m_base_syscalls_all = false;
 	s6.engine = m_engine;
 
 	// note: here we use file syscalls (e.g. open, openat) and have a custom
@@ -494,8 +492,8 @@ TEST_F(test_falco_engine, selection_empty_custom_base_set_repair) {
 	load_rules(ruleset_from_filters(s_sample_filters), "dummy_ruleset.yaml");
 
 	falco::app::state s7;
-	// run app action with fake engine and with the `-A` option
-	s7.options.all_events = true;
+	// run app action with fake engine and with the `all syscalls` option
+	s7.config->m_base_syscalls_all = true;
 	s7.engine = m_engine;
 
 	// simulate empty custom set but repair option set.
@@ -528,10 +526,47 @@ TEST_F(test_falco_engine, selection_empty_custom_base_set_repair) {
 	ASSERT_EQ(s7.selected_sc_set.size(), s7_state_set.size());
 }
 
+TEST_F(test_falco_engine, selection_base_syscalls_all) {
+	load_rules(ruleset_from_filters(s_sample_filters), "dummy_ruleset.yaml");
+
+	falco::app::state s7;
+	s7.engine = m_engine;
+
+	// simulate empty custom set but repair option set.
+	s7.config->m_base_syscalls_custom_set = {};
+	s7.config->m_base_syscalls_repair = true;
+	s7.config->m_base_syscalls_all = true;
+	auto result = falco::app::actions::configure_interesting_sets(s7);
+	auto s7_rules_set = s7.engine->sc_codes_for_ruleset(s_sample_source, s_sample_ruleset);
+	ASSERT_TRUE(result.success);
+	ASSERT_EQ(result.errstr, "");
+	auto selected_sc_names = libsinsp::events::sc_set_to_event_names(s7.selected_sc_set);
+	auto expected_sc_names = strset_t({// note: expecting syscalls from mock rules and
+	                                   // `sinsp_repair_state_sc_set` enforced syscalls
+	                                   "connect",
+	                                   "accept",
+	                                   "accept4",
+	                                   "umount2",
+	                                   "open",
+	                                   "ptrace",
+	                                   "mmap",
+	                                   "execve",
+	                                   "procexit",
+	                                   "bind",
+	                                   "socket",
+	                                   "clone3",
+	                                   "close",
+	                                   "setuid"});
+	ASSERT_NAMES_CONTAIN(selected_sc_names, expected_sc_names);
+	auto s7_state_set = libsinsp::events::sinsp_repair_state_sc_set(s7_rules_set);
+	ASSERT_EQ(s7.selected_sc_set, s7_state_set);
+	ASSERT_EQ(s7.selected_sc_set.size(), s7_state_set.size());
+}
+
 TEST(ConfigureInterestingSets, ignored_set_expected_size) {
 	// unit test fence to make sure we don't have unexpected regressions
 	// in the ignored set, to be updated in the future
-	ASSERT_EQ(falco::app::ignored_sc_set().size(), 14);
+	ASSERT_EQ(falco::app::ignored_sc_set().size(), 12);
 
 	// we don't expect to ignore any syscall in the default base set
 	ASSERT_EQ(falco::app::ignored_sc_set().intersect(libsinsp::events::sinsp_state_sc_set()).size(),

unit_tests/falco/test_atomic_signal_handler.cpp

@@ -24,6 +24,7 @@ limitations under the License.
 #include <future>
 #include <memory>
 #include <vector>
+#include <thread>
 
 TEST(AtomicSignalHandler, lock_free_implementation) {
 	ASSERT_TRUE(falco::atomic_signal_handler().is_lock_free());

unit_tests/falco/test_configuration_config_files.cpp

@@ -245,6 +245,316 @@ TEST(Configuration, configuration_config_files_override) {
 	std::filesystem::remove("conf_3.yaml");
 }
 
+TEST(Configuration, configuration_config_files_sequence_strategy_default) {
+	const std::string main_conf_yaml = yaml_helper::configs_key +
+	                                   ":\n"
+	                                   "  - conf_2.yaml\n"  // default merge-strategy: append
+	                                   "  - conf_3.yaml\n"
+	                                   "foo: [ bar ]\n"
+	                                   "base_value:\n"
+	                                   "    id: 1\n"
+	                                   "    name: foo\n";
+	const std::string conf_yaml_2 =
+	        "foo: [ bar2 ]\n"  // append to foo sequence
+	        "base_value_2:\n"
+	        "    id: 2\n";
+	const std::string conf_yaml_3 =
+	        "base_value:\n"  // override base_value
+	        "    id: 3\n";
+
+	std::ofstream outfile("main.yaml");
+	outfile << main_conf_yaml;
+	outfile.close();
+
+	outfile.open("conf_2.yaml");
+	outfile << conf_yaml_2;
+	outfile.close();
+
+	outfile.open("conf_3.yaml");
+	outfile << conf_yaml_3;
+	outfile.close();
+
+	std::vector<std::string> cmdline_config_options;
+	falco_configuration falco_config;
+	config_loaded_res res;
+	ASSERT_NO_THROW(res = falco_config.init_from_file("main.yaml", cmdline_config_options));
+
+	// main + conf_2 + conf_3
+	ASSERT_EQ(res.size(), 3);
+
+	ASSERT_TRUE(falco_config.m_config.is_defined("foo"));
+	std::vector<std::string> foos;
+	auto expected_foos = std::vector<std::string>{"bar", "bar2"};
+	ASSERT_NO_THROW(falco_config.m_config.get_sequence<std::vector<std::string>>(foos, "foo"));
+	ASSERT_EQ(foos.size(), 2);  // 2 elements in `foo` sequence because we appended to it
+	for(size_t i = 0; i < foos.size(); ++i) {
+		EXPECT_EQ(foos[i], expected_foos[i])
+		        << "Vectors foo's and expected_foo's differ at index " << i;
+	}
+
+	ASSERT_TRUE(falco_config.m_config.is_defined("base_value.id"));
+	ASSERT_EQ(falco_config.m_config.get_scalar<int>("base_value.id", 0), 3);  // overridden!
+	ASSERT_FALSE(falco_config.m_config.is_defined(
+	        "base_value.name"));  // no more present since entire `base_value` block was overridden
+	ASSERT_TRUE(falco_config.m_config.is_defined("base_value_2.id"));
+	ASSERT_EQ(falco_config.m_config.get_scalar<int>("base_value_2.id", 0), 2);
+	ASSERT_FALSE(falco_config.m_config.is_defined("base_value_3.id"));  // not defined
+
+	std::filesystem::remove("main.yaml");
+	std::filesystem::remove("conf_2.yaml");
+	std::filesystem::remove("conf_3.yaml");
+}
+
+TEST(Configuration, configuration_config_files_sequence_strategy_append) {
+	const std::string main_conf_yaml = yaml_helper::configs_key +
+	                                   ":\n"
+	                                   "  - path: conf_2.yaml\n"
+	                                   "    strategy: append\n"
+	                                   "  - conf_3.yaml\n"
+	                                   "foo: [ bar ]\n"
+	                                   "base_value:\n"
+	                                   "    id: 1\n"
+	                                   "    name: foo\n";
+	const std::string conf_yaml_2 =
+	        "foo: [ bar2 ]\n"  // append to foo sequence
+	        "base_value_2:\n"
+	        "    id: 2\n";
+	const std::string conf_yaml_3 =
+	        "base_value:\n"  // override base_value
+	        "    id: 3\n";
+
+	std::ofstream outfile("main.yaml");
+	outfile << main_conf_yaml;
+	outfile.close();
+
+	outfile.open("conf_2.yaml");
+	outfile << conf_yaml_2;
+	outfile.close();
+
+	outfile.open("conf_3.yaml");
+	outfile << conf_yaml_3;
+	outfile.close();
+
+	std::vector<std::string> cmdline_config_options;
+	falco_configuration falco_config;
+	config_loaded_res res;
+	ASSERT_NO_THROW(res = falco_config.init_from_file("main.yaml", cmdline_config_options));
+
+	// main + conf_2 + conf_3
+	ASSERT_EQ(res.size(), 3);
+
+	ASSERT_TRUE(falco_config.m_config.is_defined("foo"));
+	std::vector<std::string> foos;
+	auto expected_foos = std::vector<std::string>{"bar", "bar2"};
+	ASSERT_NO_THROW(falco_config.m_config.get_sequence<std::vector<std::string>>(foos, "foo"));
+	ASSERT_EQ(foos.size(), 2);  // 2 elements in `foo` sequence because we appended to it
+	for(size_t i = 0; i < foos.size(); ++i) {
+		EXPECT_EQ(foos[i], expected_foos[i])
+		        << "Vectors foo's and expected_foo's differ at index " << i;
+	}
+
+	ASSERT_TRUE(falco_config.m_config.is_defined("base_value.id"));
+	ASSERT_EQ(falco_config.m_config.get_scalar<int>("base_value.id", 0), 3);  // overridden!
+	ASSERT_FALSE(falco_config.m_config.is_defined(
+	        "base_value.name"));  // no more present since entire `base_value` block was overridden
+	ASSERT_TRUE(falco_config.m_config.is_defined("base_value_2.id"));
+	ASSERT_EQ(falco_config.m_config.get_scalar<int>("base_value_2.id", 0), 2);
+	ASSERT_FALSE(falco_config.m_config.is_defined("base_value_3.id"));  // not defined
+
+	std::filesystem::remove("main.yaml");
+	std::filesystem::remove("conf_2.yaml");
+	std::filesystem::remove("conf_3.yaml");
+}
+
+TEST(Configuration, configuration_config_files_sequence_strategy_override) {
+	const std::string main_conf_yaml = yaml_helper::configs_key +
+	                                   ":\n"
+	                                   "  - path: conf_2.yaml\n"
+	                                   "    strategy: override\n"
+	                                   "  - conf_3.yaml\n"
+	                                   "foo: [ bar ]\n"
+	                                   "base_value:\n"
+	                                   "    id: 1\n"
+	                                   "    name: foo\n";
+	const std::string conf_yaml_2 =
+	        "foo: [ bar2 ]\n"  // override foo sequence
+	        "base_value_2:\n"
+	        "    id: 2\n";
+	const std::string conf_yaml_3 =
+	        "base_value:\n"  // override base_value
+	        "    id: 3\n";
+
+	std::ofstream outfile("main.yaml");
+	outfile << main_conf_yaml;
+	outfile.close();
+
+	outfile.open("conf_2.yaml");
+	outfile << conf_yaml_2;
+	outfile.close();
+
+	outfile.open("conf_3.yaml");
+	outfile << conf_yaml_3;
+	outfile.close();
+
+	std::vector<std::string> cmdline_config_options;
+	falco_configuration falco_config;
+	config_loaded_res res;
+	ASSERT_NO_THROW(res = falco_config.init_from_file("main.yaml", cmdline_config_options));
+
+	// main + conf_2 + conf_3
+	ASSERT_EQ(res.size(), 3);
+
+	ASSERT_TRUE(falco_config.m_config.is_defined("foo"));
+	std::vector<std::string> foos;
+	auto expected_foos = std::vector<std::string>{"bar2"};
+	ASSERT_NO_THROW(falco_config.m_config.get_sequence<std::vector<std::string>>(foos, "foo"));
+	ASSERT_EQ(foos.size(), 1);  // one element in `foo` sequence because we overrode it
+	for(size_t i = 0; i < foos.size(); ++i) {
+		EXPECT_EQ(foos[i], expected_foos[i])
+		        << "Vectors foo's and expected_foo's differ at index " << i;
+	}
+
+	ASSERT_TRUE(falco_config.m_config.is_defined("base_value.id"));
+	ASSERT_EQ(falco_config.m_config.get_scalar<int>("base_value.id", 0), 3);  // overridden!
+	ASSERT_FALSE(falco_config.m_config.is_defined(
+	        "base_value.name"));  // no more present since entire `base_value` block was overridden
+	ASSERT_TRUE(falco_config.m_config.is_defined("base_value_2.id"));
+	ASSERT_EQ(falco_config.m_config.get_scalar<int>("base_value_2.id", 0), 2);
+	ASSERT_FALSE(falco_config.m_config.is_defined("base_value_3.id"));  // not defined
+
+	std::filesystem::remove("main.yaml");
+	std::filesystem::remove("conf_2.yaml");
+	std::filesystem::remove("conf_3.yaml");
+}
+
+TEST(Configuration, configuration_config_files_sequence_strategy_addonly) {
+	/* Test that included config files are able to override configs from main file */
+	const std::string main_conf_yaml = yaml_helper::configs_key +
+	                                   ":\n"
+	                                   "  - path: conf_2.yaml\n"
+	                                   "    strategy: add-only\n"
+	                                   "  - conf_3.yaml\n"
+	                                   "foo: [ bar ]\n"
+	                                   "base_value:\n"
+	                                   "    id: 1\n"
+	                                   "    name: foo\n";
+	const std::string conf_yaml_2 =
+	        "foo: [ bar2 ]\n"  // ignored: add-only strategy
+	        "base_value_2:\n"
+	        "    id: 2\n";
+	const std::string conf_yaml_3 =
+	        "base_value:\n"  // override base_value
+	        "    id: 3\n";
+
+	std::ofstream outfile("main.yaml");
+	outfile << main_conf_yaml;
+	outfile.close();
+
+	outfile.open("conf_2.yaml");
+	outfile << conf_yaml_2;
+	outfile.close();
+
+	outfile.open("conf_3.yaml");
+	outfile << conf_yaml_3;
+	outfile.close();
+
+	std::vector<std::string> cmdline_config_options;
+	falco_configuration falco_config;
+	config_loaded_res res;
+	ASSERT_NO_THROW(res = falco_config.init_from_file("main.yaml", cmdline_config_options));
+
+	// main + conf_2 + conf_3
+	ASSERT_EQ(res.size(), 3);
+
+	ASSERT_TRUE(falco_config.m_config.is_defined("foo"));
+	std::vector<std::string> foos;
+	auto expected_foos =
+	        std::vector<std::string>{"bar"};  // bar2 is ignored because of merge-strategy: add-only
+	ASSERT_NO_THROW(falco_config.m_config.get_sequence<std::vector<std::string>>(foos, "foo"));
+	ASSERT_EQ(foos.size(), 1);  // one element in `foo` sequence because we overrode it
+	for(size_t i = 0; i < foos.size(); ++i) {
+		EXPECT_EQ(foos[i], expected_foos[i])
+		        << "Vectors foo's and expected_foo's differ at index " << i;
+	}
+
+	ASSERT_TRUE(falco_config.m_config.is_defined("base_value.id"));
+	ASSERT_EQ(falco_config.m_config.get_scalar<int>("base_value.id", 0), 3);  // overridden!
+	ASSERT_FALSE(falco_config.m_config.is_defined(
+	        "base_value.name"));  // no more present since entire `base_value` block was overridden
+	ASSERT_TRUE(falco_config.m_config.is_defined("base_value_2.id"));
+	ASSERT_EQ(falco_config.m_config.get_scalar<int>("base_value_2.id", 0), 2);
+	ASSERT_FALSE(falco_config.m_config.is_defined("base_value_3.id"));  // not defined
+
+	std::filesystem::remove("main.yaml");
+	std::filesystem::remove("conf_2.yaml");
+	std::filesystem::remove("conf_3.yaml");
+}
+
+TEST(Configuration, configuration_config_files_sequence_wrong_strategy) {
+	const std::string main_conf_yaml = yaml_helper::configs_key +
+	                                   ":\n"
+	                                   "  - path: conf_2.yaml\n"
+	                                   "    strategy: wrong\n"
+	                                   "  - conf_3.yaml\n"
+	                                   "foo: [ bar ]\n"
+	                                   "base_value:\n"
+	                                   "    id: 1\n"
+	                                   "    name: foo\n";
+	const std::string conf_yaml_2 =
+	        "foo: [ bar2 ]\n"  // append to foo sequence
+	        "base_value_2:\n"
+	        "    id: 2\n";
+	const std::string conf_yaml_3 =
+	        "base_value:\n"  // override base_value
+	        "    id: 3\n";
+
+	std::ofstream outfile("main.yaml");
+	outfile << main_conf_yaml;
+	outfile.close();
+
+	outfile.open("conf_2.yaml");
+	outfile << conf_yaml_2;
+	outfile.close();
+
+	outfile.open("conf_3.yaml");
+	outfile << conf_yaml_3;
+	outfile.close();
+
+	std::vector<std::string> cmdline_config_options;
+	falco_configuration falco_config;
+	config_loaded_res res;
+	ASSERT_NO_THROW(res = falco_config.init_from_file("main.yaml", cmdline_config_options));
+
+	// main
+	ASSERT_EQ(res.size(), 3);
+	auto validation = res["main.yaml"];
+	// Since we are using a wrong strategy, the validation should fail
+	// but the enforced strategy should be "append"
+	ASSERT_NE(validation, yaml_helper::validation_ok);
+
+	ASSERT_TRUE(falco_config.m_config.is_defined("foo"));
+	std::vector<std::string> foos;
+	auto expected_foos = std::vector<std::string>{"bar", "bar2"};
+	ASSERT_NO_THROW(falco_config.m_config.get_sequence<std::vector<std::string>>(foos, "foo"));
+	ASSERT_EQ(foos.size(), 2);  // 2 elements in `foo` sequence because we appended to it
+	for(size_t i = 0; i < foos.size(); ++i) {
+		EXPECT_EQ(foos[i], expected_foos[i])
+		        << "Vectors foo's and expected_foo's differ at index " << i;
+	}
+
+	ASSERT_TRUE(falco_config.m_config.is_defined("base_value.id"));
+	ASSERT_EQ(falco_config.m_config.get_scalar<int>("base_value.id", 0), 3);  // overridden!
+	ASSERT_FALSE(falco_config.m_config.is_defined(
+	        "base_value.name"));  // no more present since entire `base_value` block was overridden
+	ASSERT_TRUE(falco_config.m_config.is_defined("base_value_2.id"));
+	ASSERT_EQ(falco_config.m_config.get_scalar<int>("base_value_2.id", 0), 2);
+	ASSERT_FALSE(falco_config.m_config.is_defined("base_value_3.id"));  // not defined
+
+	std::filesystem::remove("main.yaml");
+	std::filesystem::remove("conf_2.yaml");
+	std::filesystem::remove("conf_3.yaml");
+}
+
 TEST(Configuration, configuration_config_files_unexistent) {
 	/* Test that including an unexistent file just skips it */
 	const std::string main_conf_yaml = yaml_helper::configs_key +
@@ -466,6 +776,9 @@ TEST(Configuration, configuration_config_files_cmdline) {
 	std::vector<std::string> cmdline_config_options;
 	cmdline_config_options.push_back((yaml_helper::configs_key + "=conf_2.yaml"));
 
+	// Override foo2 value from cli
+	cmdline_config_options.push_back(("foo2=bar22"));
+
 	falco_configuration falco_config;
 	config_loaded_res res;
 	ASSERT_NO_THROW(res = falco_config.init_from_file("main.yaml", cmdline_config_options));
@@ -480,7 +793,7 @@ TEST(Configuration, configuration_config_files_cmdline) {
 	ASSERT_TRUE(falco_config.m_config.is_defined("base_value.name"));
 	ASSERT_EQ(falco_config.m_config.get_scalar<std::string>("base_value.name", ""), "foo");
 	ASSERT_TRUE(falco_config.m_config.is_defined("foo2"));
-	ASSERT_EQ(falco_config.m_config.get_scalar<std::string>("foo2", ""), "bar2");
+	ASSERT_EQ(falco_config.m_config.get_scalar<std::string>("foo2", ""), "bar22");
 	ASSERT_TRUE(falco_config.m_config.is_defined("base_value_2.id"));
 	ASSERT_EQ(falco_config.m_config.get_scalar<int>("base_value_2.id", 0), 2);
 

unit_tests/falco/test_configuration_schema.cpp

@@ -18,6 +18,7 @@ limitations under the License.
 #include <gtest/gtest.h>
 #include <falco/configuration.h>
 #include <falco_test_var.h>
+#include <nlohmann/json.hpp>
 
 #define EXPECT_VALIDATION_STATUS(res, status)                                                     \
 	do {                                                                                          \
@@ -102,8 +103,13 @@ plugins:
       sslCertificate: /etc/falco/falco.pem
 )";
 
+	auto plugin_config_json = nlohmann::json::parse(
+	        R"({"maxEventSize": 262144, "sslCertificate": "/etc/falco/falco.pem"})");
+
 	EXPECT_NO_THROW(res = falco_config.init_from_content(config, {}));
 	EXPECT_VALIDATION_STATUS(res, yaml_helper::validation_ok);
+	auto parsed_init_config = nlohmann::json::parse(falco_config.m_plugins[0].m_init_config);
+	EXPECT_EQ(parsed_init_config, plugin_config_json);
 
 	config = R"(
 plugins:
@@ -114,6 +120,30 @@ plugins:
 
 	EXPECT_NO_THROW(res = falco_config.init_from_content(config, {}));
 	EXPECT_VALIDATION_STATUS(res, yaml_helper::validation_ok);
+	parsed_init_config = nlohmann::json::parse(falco_config.m_plugins[0].m_init_config);
+	EXPECT_EQ(parsed_init_config, plugin_config_json);
+
+	config = R"(
+plugins:
+  - name: k8saudit
+    library_path: libk8saudit.so
+    init_config: ""
+)";
+
+	EXPECT_NO_THROW(res = falco_config.init_from_content(config, {}));
+	EXPECT_VALIDATION_STATUS(res, yaml_helper::validation_ok);
+	EXPECT_EQ(falco_config.m_plugins[0].m_init_config, "");
+
+	config = R"(
+plugins:
+  - name: k8saudit
+    library_path: libk8saudit.so
+    init_config: null
+)";
+
+	EXPECT_NO_THROW(res = falco_config.init_from_content(config, {}));
+	EXPECT_VALIDATION_STATUS(res, yaml_helper::validation_ok);
+	EXPECT_EQ(falco_config.m_plugins[0].m_init_config, "");
 }
 
 TEST(Configuration, schema_yaml_helper_validator) {

userspace/engine/CMakeLists.txt

@@ -36,6 +36,14 @@ if(EMSCRIPTEN)
 	target_compile_options(falco_engine PRIVATE "-sDISABLE_EXCEPTION_CATCHING=0")
 endif()
 
+set(ENGINE_LIBRARIES sinsp nlohmann_json::nlohmann_json yaml-cpp)
+
+if(CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT MINIMAL_BUILD)
+	# Used by falco_utils.cpp
+	add_dependencies(falco_engine openssl)
+	list(APPEND ENGINE_LIBRARIES "${OPENSSL_LIBRARIES}")
+endif()
+
 target_include_directories(falco_engine PUBLIC ${CMAKE_CURRENT_SOURCE_DIR} ${TBB_INCLUDE_DIR})
 
-target_link_libraries(falco_engine PUBLIC sinsp nlohmann_json::nlohmann_json yaml-cpp)
+target_link_libraries(falco_engine PUBLIC ${ENGINE_LIBRARIES})

userspace/engine/falco_engine.cpp

@@ -891,17 +891,6 @@ std::shared_ptr<filter_ruleset> falco_engine::ruleset_for_source(std::size_t sou
 	return source->ruleset;
 }
 
-void falco_engine::read_file(const std::string &filename, std::string &contents) {
-	std::ifstream is;
-
-	is.open(filename);
-	if(!is.is_open()) {
-		throw falco_exception("Could not open " + filename + " for reading");
-	}
-
-	contents.assign(std::istreambuf_iterator<char>(is), std::istreambuf_iterator<char>());
-}
-
 static bool check_plugin_requirement_alternatives(
         const std::vector<falco_engine::plugin_version_requirement> &plugins,
         const rule_loader::plugin_version_info::requirement_alternatives &alternatives,
@@ -986,9 +975,8 @@ void falco_engine::set_sampling_multiplier(double sampling_multiplier) {
 void falco_engine::add_extra_output_format(const std::string &format,
                                            const std::string &source,
                                            const std::set<std::string> &tags,
-                                           const std::string &rule,
-                                           bool replace_container_info) {
-	m_extra_output_format.push_back({format, source, tags, rule, replace_container_info});
+                                           const std::string &rule) {
+	m_extra_output_format.push_back({format, source, tags, rule});
 }
 
 void falco_engine::add_extra_output_formatted_field(const std::string &key,

userspace/engine/falco_engine.h

@@ -199,8 +199,7 @@ public:
 	void add_extra_output_format(const std::string &format,
 	                             const std::string &source,
 	                             const std::set<std::string> &tags,
-	                             const std::string &rule,
-	                             bool replace_container_info);
+	                             const std::string &rule);
 
 	// You can optionally add fields that will only show up in the object
 	// output (e.g. json, gRPC) alongside other output_fields
@@ -379,9 +378,6 @@ private:
 
 	filter_ruleset::engine_state_funcs m_engine_state;
 
-	// Throws falco_exception if the file can not be read
-	void read_file(const std::string &filename, std::string &contents);
-
 	indexed_vector<falco_source> m_sources;
 
 	inline const falco_source *find_source(std::size_t index) {

userspace/engine/falco_engine_version.h

@@ -20,7 +20,7 @@ limitations under the License.
 
 // The version of this Falco engine
 #define FALCO_ENGINE_VERSION_MAJOR 0
-#define FALCO_ENGINE_VERSION_MINOR 43
+#define FALCO_ENGINE_VERSION_MINOR 50
 #define FALCO_ENGINE_VERSION_PATCH 0
 
 #define FALCO_ENGINE_VERSION                                                               \
@@ -36,4 +36,4 @@ limitations under the License.
 // It represents the fields supported by this version of Falco,
 // the event types, and the underlying driverevent schema. It's used to
 // detetect changes in engine version in our CI jobs.
-#define FALCO_ENGINE_CHECKSUM "8a7f383c1e7682c484096bb6a5cb68c29b818acbe65fa2854acbcc98277fd7e0"
+#define FALCO_ENGINE_CHECKSUM "c111251b08cfb00790515cd62fbe0b6c3d0b62035f7d9bbb1aea80f41d7986f9"

userspace/engine/falco_rule.h

@@ -35,6 +35,11 @@ struct falco_list {
 	falco_list& operator=(const falco_list&) = default;
 	~falco_list() = default;
 
+	bool operator==(const falco_list& rhs) const {
+		return (this->used == rhs.used && this->id == rhs.id && this->name == rhs.name &&
+		        this->items == rhs.items);
+	}
+
 	bool used;
 	std::size_t id;
 	std::string name;
@@ -53,6 +58,14 @@ struct falco_macro {
 	falco_macro& operator=(const falco_macro&) = default;
 	~falco_macro() = default;
 
+	bool operator==(const falco_macro& rhs) const {
+		// Note this only ensures that the shared_ptrs are
+		// pointing to the same underlying memory, not that
+		// they are logically equal.
+		return (this->used == rhs.used && this->id == rhs.id && this->name == rhs.name &&
+		        this->condition.get() == rhs.condition.get());
+	}
+
 	bool used;
 	std::size_t id;
 	std::string name;
@@ -71,6 +84,17 @@ struct falco_rule {
 	falco_rule& operator=(const falco_rule&) = default;
 	~falco_rule() = default;
 
+	bool operator==(const falco_rule& rhs) const {
+		// Note this only ensures that the shared_ptrs are
+		// pointing to the same underlying memory, not that
+		// they are logically equal.
+		return (this->id == rhs.id && this->source == rhs.source && this->name == rhs.name &&
+		        this->description == rhs.description && this->output == rhs.output &&
+		        this->tags == rhs.tags && this->exception_fields == rhs.exception_fields &&
+		        this->priority == rhs.priority && this->condition.get() == rhs.condition.get() &&
+		        this->filter.get() == rhs.filter.get());
+	}
+
 	std::size_t id;
 	std::string source;
 	std::string name;

userspace/engine/falco_utils.cpp

@@ -23,7 +23,7 @@ limitations under the License.
 
 #include <re2/re2.h>
 #if defined(__linux__) and !defined(MINIMAL_BUILD) and !defined(__EMSCRIPTEN__)
-#include <openssl/sha.h>
+#include <openssl/evp.h>
 #endif
 #include <cstring>
 #include <fstream>
@@ -144,22 +144,22 @@ std::string calculate_file_sha256sum(const std::string& filename) {
 		return "";
 	}
 
-	SHA256_CTX sha256_context;
-	SHA256_Init(&sha256_context);
+	std::unique_ptr<EVP_MD_CTX, decltype(&EVP_MD_CTX_free)> ctx(EVP_MD_CTX_new(), EVP_MD_CTX_free);
+	EVP_DigestInit_ex(ctx.get(), EVP_sha256(), nullptr);
 
 	constexpr size_t buffer_size = 4096;
 	char buffer[buffer_size];
 	while(file.read(buffer, buffer_size)) {
-		SHA256_Update(&sha256_context, buffer, buffer_size);
+		EVP_DigestUpdate(ctx.get(), buffer, buffer_size);
 	}
-	SHA256_Update(&sha256_context, buffer, file.gcount());
+	EVP_DigestUpdate(ctx.get(), buffer, file.gcount());
 
-	unsigned char digest[SHA256_DIGEST_LENGTH];
-	SHA256_Final(digest, &sha256_context);
+	std::vector<uint8_t> digest(EVP_MD_size(EVP_sha256()));
+	EVP_DigestFinal_ex(ctx.get(), digest.data(), nullptr);
 
-	std::stringstream ss;
-	for(int i = 0; i < SHA256_DIGEST_LENGTH; ++i) {
-		ss << std::hex << std::setw(2) << std::setfill('0') << static_cast<unsigned>(digest[i]);
+	std::ostringstream ss;
+	for(auto& c : digest) {
+		ss << std::hex << std::setw(2) << std::setfill('0') << (int)c;
 	}
 	return ss.str();
 }

userspace/engine/formats.cpp

@@ -24,11 +24,13 @@ falco_formats::falco_formats(std::shared_ptr<const falco_engine> engine,
                              bool json_include_output_property,
                              bool json_include_tags_property,
                              bool json_include_message_property,
+                             bool json_include_output_fields_property,
                              bool time_format_iso_8601):
         m_falco_engine(engine),
         m_json_include_output_property(json_include_output_property),
         m_json_include_tags_property(json_include_tags_property),
         m_json_include_message_property(json_include_message_property),
+        m_json_include_output_fields_property(json_include_output_fields_property),
         m_time_format_iso_8601(time_format_iso_8601) {}
 
 falco_formats::~falco_formats() {}
@@ -79,7 +81,9 @@ std::string falco_formats::format_event(sinsp_evt *evt,
 		std::string json_fields_prefix;
 
 		// Resolve message fields
-		message_formatter->tostring(evt, json_fields_message);
+		if(m_json_include_output_fields_property) {
+			message_formatter->tostring(evt, json_fields_message);
+		}
 		// Resolve prefix (e.g. time) fields
 		prefix_formatter->tostring(evt, json_fields_prefix);
 
@@ -118,36 +122,38 @@ std::string falco_formats::format_event(sinsp_evt *evt,
 			event["message"] = message;
 		}
 
-		event["output_fields"] = nlohmann::json::parse(json_fields_message);
+		if(m_json_include_output_fields_property) {
+			event["output_fields"] = nlohmann::json::parse(json_fields_message);
 
-		auto prefix_fields = nlohmann::json::parse(json_fields_prefix);
-		if(prefix_fields.is_object()) {
-			for(auto const &el : prefix_fields.items()) {
-				event["output_fields"][el.key()] = el.value();
-			}
-		}
-
-		for(auto const &ef : extra_fields) {
-			std::string fformat = ef.second.first;
-			if(fformat.size() == 0) {
-				continue;
+			auto prefix_fields = nlohmann::json::parse(json_fields_prefix);
+			if(prefix_fields.is_object()) {
+				for(auto const &el : prefix_fields.items()) {
+					event["output_fields"][el.key()] = el.value();
+				}
 			}
 
-			if(!(fformat[0] == '*')) {
-				fformat = "*" + fformat;
-			}
+			for(auto const &ef : extra_fields) {
+				std::string fformat = ef.second.first;
+				if(fformat.size() == 0) {
+					continue;
+				}
 
-			if(ef.second.second)  // raw field
-			{
-				std::string json_field_map;
-				auto field_formatter = m_falco_engine->create_formatter(source, fformat);
-				field_formatter->tostring_withformat(evt,
-				                                     json_field_map,
-				                                     sinsp_evt_formatter::OF_JSON);
-				auto json_obj = nlohmann::json::parse(json_field_map);
-				event["output_fields"][ef.first] = json_obj[ef.first];
-			} else {
-				event["output_fields"][ef.first] = format_string(evt, fformat, source);
+				if(!(fformat[0] == '*')) {
+					fformat = "*" + fformat;
+				}
+
+				if(ef.second.second)  // raw field
+				{
+					std::string json_field_map;
+					auto field_formatter = m_falco_engine->create_formatter(source, fformat);
+					field_formatter->tostring_withformat(evt,
+					                                     json_field_map,
+					                                     sinsp_evt_formatter::OF_JSON);
+					auto json_obj = nlohmann::json::parse(json_field_map);
+					event["output_fields"][ef.first] = json_obj[ef.first];
+				} else {
+					event["output_fields"][ef.first] = format_string(evt, fformat, source);
+				}
 			}
 		}
 

userspace/engine/formats.h

@@ -27,6 +27,7 @@ public:
 	              bool json_include_output_property,
 	              bool json_include_tags_property,
 	              bool json_include_message_property,
+	              bool json_include_output_fields_property,
 	              bool time_format_iso_8601);
 	virtual ~falco_formats();
 
@@ -52,5 +53,6 @@ protected:
 	bool m_json_include_output_property;
 	bool m_json_include_tags_property;
 	bool m_json_include_message_property;
+	bool m_json_include_output_fields_property;
 	bool m_time_format_iso_8601;
 };

userspace/engine/indexable_ruleset.h

@@ -85,11 +85,15 @@ public:
 		return m_rulesets[ruleset_id]->event_codes();
 	}
 
-	void enable(const std::string &pattern, match_type match, uint16_t ruleset_id) override {
+	virtual void enable(const std::string &pattern,
+	                    match_type match,
+	                    uint16_t ruleset_id) override {
 		enable_disable(pattern, match, true, ruleset_id);
 	}
 
-	void disable(const std::string &pattern, match_type match, uint16_t ruleset_id) override {
+	virtual void disable(const std::string &pattern,
+	                     match_type match,
+	                     uint16_t ruleset_id) override {
 		enable_disable(pattern, match, false, ruleset_id);
 	}
 

userspace/engine/indexed_vector.h

@@ -34,6 +34,9 @@ public:
 	indexed_vector& operator=(indexed_vector&&) = default;
 	indexed_vector(const indexed_vector&) = default;
 	indexed_vector& operator=(const indexed_vector&) = default;
+	bool operator==(const indexed_vector& rhs) const {
+		return (this->m_entries == rhs.m_entries && this->m_index == rhs.m_index);
+	}
 
 	/*!
 	    \brief Returns the number of elements

userspace/engine/rule_json_schema.h

@@ -119,8 +119,7 @@ const char rule_schema_string[] = LONG_STRING_CONST(
                 "values": {}
             },
             "required": [
-                "name",
-                "values"
+                "name"
             ],
             "title": "Exception"
         },

userspace/engine/rule_loader.h

@@ -250,7 +250,7 @@ public:
 	                 const context& ctx);
 
 	void set_schema_validation_status(const std::vector<std::string>& status);
-	std::string schema_validation();
+	std::string schema_validation() override;
 
 protected:
 	const std::string& as_summary_string();
@@ -272,7 +272,6 @@ struct extra_output_format_conf {
 	std::string m_source;
 	std::set<std::string> m_tags;
 	std::string m_rule;
-	bool m_replace_container_info;
 };
 
 struct extra_output_field_conf {
@@ -488,6 +487,7 @@ struct rule_update_info {
 	context cond_ctx;
 	std::string name;
 	std::optional<std::string> cond;
+	std::string source;
 	std::optional<std::string> output;
 	std::optional<std::string> desc;
 	std::optional<std::set<std::string>> tags;

userspace/engine/rule_loader_collector.cpp

@@ -182,10 +182,8 @@ void rule_loader::collector::append(configuration& cfg, macro_info& info) {
 }
 
 void rule_loader::collector::define(configuration& cfg, rule_info& info) {
-	const auto* prev = m_rule_infos.at(info.name);
-	THROW(prev && prev->source != info.source,
-	      "Rule has been re-defined with a different source",
-	      info.ctx);
+	auto prev = find_prev_rule(info);
+	(void)prev;
 
 	const auto* source = cfg.sources.at(info.source);
 	if(!source) {
@@ -205,7 +203,7 @@ void rule_loader::collector::define(configuration& cfg, rule_info& info) {
 }
 
 void rule_loader::collector::append(configuration& cfg, rule_update_info& info) {
-	auto prev = m_rule_infos.at(info.name);
+	auto prev = find_prev_rule(info);
 
 	THROW(!prev, ERROR_NO_PREVIOUS_RULE_APPEND, info.ctx);
 	THROW(!info.has_any_value(),
@@ -275,7 +273,7 @@ void rule_loader::collector::append(configuration& cfg, rule_update_info& info)
 }
 
 void rule_loader::collector::selective_replace(configuration& cfg, rule_update_info& info) {
-	auto prev = m_rule_infos.at(info.name);
+	auto prev = find_prev_rule(info);
 
 	THROW(!prev, ERROR_NO_PREVIOUS_RULE_REPLACE, info.ctx);
 	THROW(!info.has_any_value(),
@@ -330,6 +328,19 @@ void rule_loader::collector::selective_replace(configuration& cfg, rule_update_i
 	replace_info(prev, info, m_cur_index++);
 }
 
+template<typename ruleInfo>
+rule_loader::rule_info* rule_loader::collector::find_prev_rule(ruleInfo& info) {
+	auto ret = m_rule_infos.at(info.name);
+
+	// Throw an error if both the original rule and current rule
+	// have the same name and explicitly have different sources.
+	THROW(ret && (ret->source != "" && info.source != "" && ret->source != info.source),
+	      "Rule has been re-defined with a different source",
+	      info.ctx);
+
+	return ret;
+}
+
 void rule_loader::collector::enable(configuration& cfg, rule_info& info) {
 	auto prev = m_rule_infos.at(info.name);
 	THROW(!prev, "Rule has 'enabled' key but no rule by that name already exists", info.ctx);

userspace/engine/rule_loader_collector.h

@@ -97,6 +97,9 @@ public:
 	virtual void selective_replace(configuration& cfg, rule_update_info& info);
 
 private:
+	template<typename ruleInfo>
+	rule_info* find_prev_rule(ruleInfo& info);
+
 	uint32_t m_cur_index;
 	indexed_vector<rule_info> m_rule_infos;
 	indexed_vector<macro_info> m_macro_infos;

userspace/engine/rule_loader_compile_output.h

@@ -20,6 +20,8 @@ limitations under the License.
 #include "indexed_vector.h"
 #include "falco_rule.h"
 
+#include <memory>
+
 namespace rule_loader {
 struct compile_output {
 	compile_output() = default;
@@ -29,6 +31,10 @@ struct compile_output {
 	compile_output(const compile_output&) = default;
 	compile_output& operator=(const compile_output&) = default;
 
+	virtual std::unique_ptr<compile_output> clone() const {
+		return std::make_unique<compile_output>(*this);
+	};
+
 	indexed_vector<falco_list> lists;
 	indexed_vector<falco_macro> macros;
 	indexed_vector<falco_rule> rules;

userspace/engine/rule_loader_compiler.cpp

@@ -36,9 +36,12 @@ limitations under the License.
 	}
 
 static std::string s_container_info_fmt = "%container.info";
-static std::string s_default_extra_fmt =
-        "container_id=%container.id container_name=%container.name";
-
+// We were previously expanding %container.info to "container_id=%container.id
+// container_name=%container.name". Since the container plugin is now in use, and it exposes
+// container.id and container.name as suggested output fields, we don't need to expand
+// container.info anymore. We kept container.info in the ruleset to avoid a major breaking change.
+// TODO: drop `container.info` magic once we make a major breaking change in the ruleset.
+static std::string s_default_extra_fmt = "";
 using namespace libsinsp::filter;
 
 // todo(jasondellaluce): this breaks string escaping in lists and exceptions
@@ -431,18 +434,16 @@ void rule_loader::compiler::compile_rule_infos(configuration& cfg,
 				continue;
 			}
 
-			if(extra.m_replace_container_info) {
-				if(rule.output.find(s_container_info_fmt) != std::string::npos) {
-					rule.output = replace(rule.output, s_container_info_fmt, extra.m_format);
-				} else {
-					rule.output = rule.output + " " + extra.m_format;
-				}
-			} else {
-				rule.output = rule.output + " " + extra.m_format;
-			}
+			rule.output = rule.output + " " + extra.m_format;
 		}
 
 		if(rule.output.find(s_container_info_fmt) != std::string::npos) {
+			cfg.res->add_warning(falco::load_result::load_result::LOAD_DEPRECATED_ITEM,
+			                     "%container.info is deprecated and no more useful, and will be "
+			                     "dropped by Falco 1.0.0. "
+			                     "The container plugin will automatically add required fields to "
+			                     "the output message.",
+			                     r.ctx);
 			rule.output = replace(rule.output, s_container_info_fmt, s_default_extra_fmt);
 		}
 

userspace/engine/rule_loader_reader.cpp

@@ -53,7 +53,8 @@ static void decode_val_generic(const YAML::Node& item,
                                const char* key,
                                T& out,
                                const rule_loader::context& ctx,
-                               bool optional) {
+                               bool optional,
+                               bool can_be_empty) {
 	const YAML::Node& val = item[key];
 
 	if(!val.IsDefined() && optional) {
@@ -61,10 +62,19 @@ static void decode_val_generic(const YAML::Node& item,
 	}
 
 	THROW(!val.IsDefined(), std::string("Item has no mapping for key '") + key + "'", ctx);
+	if(val.IsNull() && can_be_empty) {
+		return;
+	}
+
 	THROW(val.IsNull(), std::string("Mapping for key '") + key + "' is empty", ctx);
 
 	rule_loader::context valctx(val, rule_loader::context::VALUE_FOR, key, ctx);
 	THROW(!val.IsScalar(), "Value is not a scalar value", valctx);
+
+	if(val.Scalar().empty() && can_be_empty) {
+		return;
+	}
+
 	THROW(val.Scalar().empty(), "Value must be non-empty", valctx);
 
 	THROW(!YAML::convert<T>::decode(val, out), "Can't decode YAML scalar value", valctx);
@@ -75,9 +85,10 @@ static void decode_val_generic(const YAML::Node& item,
                                const char* key,
                                std::optional<T>& out,
                                const rule_loader::context& ctx,
-                               bool optional) {
+                               bool optional,
+                               bool can_be_empty) {
 	T decoded;
-	decode_val_generic(item, key, decoded, ctx, optional);
+	decode_val_generic(item, key, decoded, ctx, optional, can_be_empty);
 	out = decoded;
 }
 
@@ -87,8 +98,9 @@ void rule_loader::reader::decode_val(const YAML::Node& item,
                                      T& out,
                                      const rule_loader::context& ctx) {
 	bool optional = false;
+	bool can_be_empty = false;
 
-	decode_val_generic(item, key, out, ctx, optional);
+	decode_val_generic(item, key, out, ctx, optional, can_be_empty);
 }
 
 template void rule_loader::reader::decode_val<std::string>(const YAML::Node& item,
@@ -102,8 +114,20 @@ void rule_loader::reader::decode_optional_val(const YAML::Node& item,
                                               T& out,
                                               const rule_loader::context& ctx) {
 	bool optional = true;
+	bool can_be_empty = false;
 
-	decode_val_generic(item, key, out, ctx, optional);
+	decode_val_generic(item, key, out, ctx, optional, can_be_empty);
+}
+
+template<typename T>
+void rule_loader::reader::decode_optional_empty_val(const YAML::Node& item,
+                                                    const char* key,
+                                                    T& out,
+                                                    const rule_loader::context& ctx) {
+	bool optional = true;
+	bool can_be_empty = true;
+
+	decode_val_generic(item, key, out, ctx, optional, can_be_empty);
 }
 
 template void rule_loader::reader::decode_optional_val<std::string>(
@@ -591,6 +615,9 @@ void rule_loader::reader::read_item(rule_loader::configuration& cfg,
 
 		rule_loader::context ctx(item, rule_loader::context::RULE, name, parent);
 
+		std::string source = "";
+		decode_optional_empty_val(item, "source", source, ctx);
+
 		bool has_append_flag = false;
 		decode_optional_val(item, "append", has_append_flag, ctx);
 		if(has_append_flag) {
@@ -648,6 +675,7 @@ void rule_loader::reader::read_item(rule_loader::configuration& cfg,
 				                         "append",
 				                         "condition",
 				                         ctx)) {
+					v.source = source;
 					decode_val(item, "condition", v.cond, ctx);
 				}
 
@@ -682,6 +710,7 @@ void rule_loader::reader::read_item(rule_loader::configuration& cfg,
 				                         "replace",
 				                         "condition",
 				                         ctx)) {
+					v.source = source;
 					decode_val(item, "condition", v.cond, ctx);
 				}
 
@@ -765,6 +794,7 @@ void rule_loader::reader::read_item(rule_loader::configuration& cfg,
 		} else if(has_append_flag) {
 			rule_loader::rule_update_info v(ctx);
 			v.name = name;
+			v.source = source;
 
 			if(item["condition"].IsDefined()) {
 				v.cond_ctx = rule_loader::context(item["condition"],

userspace/engine/rule_loader_reader.h

@@ -66,6 +66,11 @@ public:
 	                                const char* key,
 	                                T& out,
 	                                const rule_loader::context& ctx);
+	template<typename T>
+	static void decode_optional_empty_val(const YAML::Node& item,
+	                                      const char* key,
+	                                      T& out,
+	                                      const rule_loader::context& ctx);
 
 protected:
 	virtual void read_item(rule_loader::configuration& cfg,

userspace/engine/yaml_helper.h

@@ -85,6 +85,33 @@ public:
 	inline static const std::string validation_failed = "failed";
 	inline static const std::string validation_none = "none";
 
+	enum config_files_strategy {
+		STRATEGY_APPEND,  // append to existing sequence keys, override scalar keys and add new ones
+		STRATEGY_OVERRIDE,  // override existing keys (sequences too) and add new ones
+		STRATEGY_ADDONLY    // only add new keys and ignore existing ones
+	};
+
+	static enum config_files_strategy strategy_from_string(const std::string& strategy) {
+		if(strategy == "override") {
+			return yaml_helper::STRATEGY_OVERRIDE;
+		}
+		if(strategy == "add-only") {
+			return yaml_helper::STRATEGY_ADDONLY;
+		}
+		return yaml_helper::STRATEGY_APPEND;
+	}
+
+	static std::string strategy_to_string(const enum config_files_strategy strategy) {
+		switch(strategy) {
+		case yaml_helper::STRATEGY_OVERRIDE:
+			return "override";
+		case yaml_helper::STRATEGY_ADDONLY:
+			return "add-only";
+		default:
+			return "append";
+		}
+	}
+
 	/**
 	 * Load all the YAML document represented by the input string.
 	 * Since this is used by rule loader, does not process env vars.
@@ -137,6 +164,7 @@ public:
 	}
 
 	void include_config_file(const std::string& include_file_path,
+	                         enum config_files_strategy strategy = STRATEGY_APPEND,
 	                         const nlohmann::json& schema = {},
 	                         std::vector<std::string>* schema_warnings = nullptr) {
 		auto loaded_nodes = load_from_file_int(include_file_path, schema, schema_warnings);
@@ -152,10 +180,24 @@ public:
 				                         "' directive in included config file " +
 				                         include_file_path + ".");
 			}
-			// We allow to override keys.
-			// We don't need to use `get_node()` here,
-			// since key is a top-level one.
-			m_root[key] = n.second;
+			switch(strategy) {
+			case STRATEGY_APPEND:
+				if(n.second.IsSequence()) {
+					for(const auto& item : n.second) {
+						m_root[key].push_back(item);
+					}
+					break;
+				}
+				// fallthrough
+			case STRATEGY_OVERRIDE:
+				m_root[key] = n.second;
+				break;
+			case STRATEGY_ADDONLY:
+				if(!m_root[key].IsDefined()) {
+					m_root[key] = n.second;
+				}
+				break;
+			}
 		}
 	}
 

userspace/falco/CMakeLists.txt

@@ -68,8 +68,12 @@ set(FALCO_INCLUDE_DIRECTORIES
 )
 
 set(FALCO_DEPENDENCIES cxxopts)
+set(FALCO_LIBRARIES falco_engine)
 
-set(FALCO_LIBRARIES falco_engine sinsp yaml-cpp)
+if(USE_JEMALLOC)
+	list(APPEND FALCO_DEPENDENCIES jemalloc)
+	list(APPEND FALCO_LIBRARIES ${JEMALLOC_LIB})
+endif()
 
 if(NOT WIN32)
 	target_sources(falco_application PRIVATE outputs_program.cpp outputs_syslog.cpp)
@@ -96,6 +100,7 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT MINIMAL_BUILD)
 	list(
 		APPEND
 		FALCO_INCLUDE_DIRECTORIES
+		FALCO_INCLUDE_DIRECTORIES
 		"${OPENSSL_INCLUDE_DIR}"
 		"${GRPC_INCLUDE}"
 		"${GRPCPP_INCLUDE}"
@@ -105,19 +110,23 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT MINIMAL_BUILD)
 
 	if(CMAKE_SYSTEM_NAME MATCHES "Linux" AND USE_BUNDLED_GRPC)
 		list(APPEND FALCO_DEPENDENCIES grpc)
-		list(APPEND FALCO_LIBRARIES "${GRPC_LIBRARIES}")
+	endif()
+
+	if(CMAKE_SYSTEM_NAME MATCHES "Linux" AND USE_BUNDLED_CURL)
+		list(APPEND FALCO_DEPENDENCIES curl)
 	endif()
 
 	list(
 		APPEND
 		FALCO_LIBRARIES
 		httplib::httplib
+		"${CURL_LIBRARIES}"
 		"${GRPCPP_LIB}"
 		"${GRPC_LIB}"
 		"${GPR_LIB}"
+		"${GRPC_LIBRARIES}"
 		"${PROTOBUF_LIB}"
 		"${CARES_LIB}"
-		"${OPENSSL_LIBRARIES}"
 	)
 endif()
 
@@ -189,6 +198,25 @@ if(MUSL_OPTIMIZED_BUILD AND CMAKE_BUILD_TYPE STREQUAL "release")
 	)
 endif()
 
+# TODO: Add win32 support. https://github.com/falcosecurity/falco/issues/3445
+if(CMAKE_BUILD_TYPE STREQUAL "relwithdebinfo" AND NOT WIN32)
+	find_program(OBJCOPY_EXECUTABLE NAMES objcopy)
+	if(OBJCOPY_EXECUTABLE)
+		add_custom_command(
+			TARGET falco
+			POST_BUILD
+			COMMAND ${OBJCOPY_EXECUTABLE} --only-keep-debug $<TARGET_FILE:falco>
+					$<TARGET_FILE:falco>.debug
+			COMMAND ${OBJCOPY_EXECUTABLE} --strip-debug --strip-unneeded $<TARGET_FILE:falco>
+			COMMAND ${OBJCOPY_EXECUTABLE} --add-gnu-debuglink=$<TARGET_FILE:falco>.debug
+					$<TARGET_FILE:falco>
+			COMMENT "Generating separate debug file for falco"
+		)
+	else()
+		message(WARNING "objcopy not found; separate debug files will not be generated.")
+	endif()
+endif()
+
 if(EMSCRIPTEN)
 	install(
 		FILES "$<TARGET_FILE_DIR:falco>/falco.js" "$<TARGET_FILE_DIR:falco>/falco.wasm"

userspace/falco/app/actions/configure_interesting_sets.cpp

@@ -78,11 +78,27 @@ static void select_event_set(falco::app::state& s,
 
 	/* Load PPM event codes needed by plugins with parsing capability */
 	libsinsp::events::set<ppm_event_code> plugin_ev_codes;
-	for(const auto& p : s.offline_inspector->get_plugin_manager()->plugins()) {
-		if(!(p->caps() & CAP_PARSING)) {
-			continue;
+	if(s.is_capture_mode()) {
+		// In capture mode, we need to use the offline inspector
+		// because plugins are inited under it; see init_inspectors action.
+		for(const auto& p : s.offline_inspector->get_plugin_manager()->plugins()) {
+			if(!(p->caps() & CAP_PARSING)) {
+				continue;
+			}
+			plugin_ev_codes.merge(p->parse_event_codes());
+		}
+	} else {
+		// In live mode, we need to use inspectors from the loaded sources,
+		// because plugins are inited under them; see init_inspectors action.
+		for(const auto& src : s.loaded_sources) {
+			auto src_info = s.source_infos.at(src);
+			for(const auto& p : src_info->inspector->get_plugin_manager()->plugins()) {
+				if(!(p->caps() & CAP_PARSING)) {
+					continue;
+				}
+				plugin_ev_codes.merge(p->parse_event_codes());
+			}
 		}
-		plugin_ev_codes.merge(p->parse_event_codes());
 	}
 	const auto plugin_sc_set = libsinsp::events::event_set_to_sc_set(plugin_ev_codes);
 	const auto plugin_names = libsinsp::events::sc_set_to_event_names(plugin_sc_set);
@@ -184,12 +200,12 @@ static void select_event_set(falco::app::state& s,
 		                          concat_set_in_order(non_rules_sc_set_names) + "\n");
 	}
 
-	/* -A flag behavior:
+	/* base_syscall.all behavior:
 	 * (1) default: all syscalls in rules included, sinsp state enforcement
 	       without high volume syscalls
-	 * (2) -A flag set: all syscalls in rules included, sinsp state enforcement
+	 * (2) set: all syscalls in rules included, sinsp state enforcement
 	       and allowing high volume syscalls */
-	if(!s.options.all_events) {
+	if(!s.config->m_base_syscalls_all) {
 		auto ignored_sc_set = falco::app::ignored_sc_set();
 		auto erased_sc_set = s.selected_sc_set.intersect(ignored_sc_set);
 		s.selected_sc_set = s.selected_sc_set.diff(ignored_sc_set);

userspace/falco/app/actions/helpers_inspector.cpp

@@ -63,7 +63,9 @@ falco::app::run_result falco::app::actions::open_live_inspector(falco::app::stat
 					        "Opening '" + source + "' source with plugin '" + cfg->m_name + "'");
 					inspector->open_plugin(cfg->m_name,
 					                       cfg->m_open_params,
-					                       sinsp_plugin_platform::SINSP_PLATFORM_HOSTINFO);
+					                       s.config->m_plugins_hostinfo
+					                               ? sinsp_plugin_platform::SINSP_PLATFORM_HOSTINFO
+					                               : sinsp_plugin_platform::SINSP_PLATFORM_GENERIC);
 					return run_result::ok();
 				}
 			}

userspace/falco/app/actions/init_falco_engine.cpp

@@ -18,18 +18,61 @@ limitations under the License.
 #include "actions.h"
 #include <libsinsp/plugin_manager.h>
 #include <falco_common.h>
+#include <algorithm>
 
 using namespace falco::app;
 using namespace falco::app::actions;
 
+static inline std::string format_suggested_field(const filtercheck_field_info* info) {
+	std::ostringstream out;
+
+	// Replace "foo.bar" with "foo_bar"
+	auto name = info->m_name;
+	std::replace(name.begin(), name.end(), '.', '_');
+
+	// foo_bar=%foo.bar
+	out << name << "=%" << info->m_name;
+	return out.str();
+}
+
+static void add_suggested_output(const falco::app::state& s,
+                                 const std::string& src,
+                                 const falco_configuration::append_output_config& eo) {
+	auto src_info = s.source_infos.at(src);
+	if(!src_info) {
+		return;
+	}
+	auto& filterchecks = *src_info->filterchecks;
+	std::vector<const filter_check_info*> fields;
+	filterchecks.get_all_fields(fields);
+	for(const auto& fld : fields) {
+		for(int i = 0; i < fld->m_nfields; i++) {
+			const auto* fldinfo = &fld->m_fields[i];
+			if(fldinfo->is_format_suggested()) {
+				s.engine->add_extra_output_format(format_suggested_field(fldinfo),
+				                                  src,
+				                                  eo.m_tags,
+				                                  eo.m_rule);
+			}
+		}
+	}
+}
+
 void configure_output_format(falco::app::state& s) {
 	for(auto& eo : s.config->m_append_output) {
 		if(eo.m_format != "") {
-			s.engine->add_extra_output_format(eo.m_format,
-			                                  eo.m_source,
-			                                  eo.m_tags,
-			                                  eo.m_rule,
-			                                  false);
+			s.engine->add_extra_output_format(eo.m_format, eo.m_source, eo.m_tags, eo.m_rule);
+		}
+
+		// Add suggested filtercheck formats to each source output
+		if(eo.m_suggested_output) {
+			if(eo.m_source.empty()) {
+				for(auto& src : s.loaded_sources) {
+					add_suggested_output(s, src, eo);
+				}
+			} else {
+				add_suggested_output(s, eo.m_source, eo);
+			}
 		}
 
 		for(auto const& ff : eo.m_formatted_fields) {
@@ -46,40 +89,25 @@ void configure_output_format(falco::app::state& s) {
 	}
 
 	// See https://falco.org/docs/rules/style-guide/
-	const std::string container_info =
-	        "container_id=%container.id container_image=%container.image.repository "
-	        "container_image_tag=%container.image.tag container_name=%container.name";
-	const std::string k8s_info = "k8s_ns=%k8s.ns.name k8s_pod_name=%k8s.pod.name";
 	const std::string gvisor_info = "vpid=%proc.vpid vtid=%thread.vtid";
 
-	if(s.options.print_additional == "c" || s.options.print_additional == "container") {
-		s.engine->add_extra_output_format(container_info,
-		                                  falco_common::syscall_source,
-		                                  {},
-		                                  "",
-		                                  true);
-	} else if(s.options.print_additional == "cg" ||
-	          s.options.print_additional == "container-gvisor") {
-		s.engine->add_extra_output_format(gvisor_info + " " + container_info,
-		                                  falco_common::syscall_source,
-		                                  {},
-		                                  "",
-		                                  true);
-	} else if(s.options.print_additional == "k" || s.options.print_additional == "kubernetes") {
-		s.engine->add_extra_output_format(container_info + " " + k8s_info,
-		                                  falco_common::syscall_source,
-		                                  {},
-		                                  "",
-		                                  true);
-	} else if(s.options.print_additional == "kg" ||
-	          s.options.print_additional == "kubernetes-gvisor") {
-		s.engine->add_extra_output_format(gvisor_info + " " + container_info + " " + k8s_info,
-		                                  falco_common::syscall_source,
-		                                  {},
-		                                  "",
-		                                  true);
-	} else if(!s.options.print_additional.empty()) {
-		s.engine->add_extra_output_format(s.options.print_additional, "", {}, "", false);
+	if(!s.options.print_additional.empty()) {
+		falco_logger::log(falco_logger::level::WARNING,
+		                  "The -p/--print option is deprecated and will be removed. Use -o "
+		                  "append_output=... instead.\n");
+
+		if(s.options.print_additional == "c" || s.options.print_additional == "container" ||
+		   s.options.print_additional == "k" || s.options.print_additional == "kubernetes") {
+			// Don't do anything, we don't need these anymore
+			// since container plugin takes care of suggesting the output format fields itself.
+		} else if(s.options.print_additional == "cg" ||
+		          s.options.print_additional == "container-gvisor" ||
+		          s.options.print_additional == "kg" ||
+		          s.options.print_additional == "kubernetes-gvisor") {
+			s.engine->add_extra_output_format(gvisor_info, falco_common::syscall_source, {}, "");
+		} else {
+			s.engine->add_extra_output_format(s.options.print_additional, "", {}, "");
+		}
 	}
 }
 
@@ -122,14 +150,15 @@ falco::app::run_result falco::app::actions::init_falco_engine(falco::app::state&
 	if(s.is_capture_mode()) {
 		auto manager = s.offline_inspector->get_plugin_manager();
 		for(const auto& p : manager->plugins()) {
-			if(p->caps() & CAP_SOURCING && p->id() != 0) {
-				bool added = false;
-				auto source_idx = manager->source_idx_by_plugin_id(p->id(), added);
-				auto engine_idx = s.source_infos.at(p->event_source())->engine_idx;
-				if(!added || source_idx != engine_idx) {
-					return run_result::fatal("Could not add event source in the engine: " +
-					                         p->event_source());
-				}
+			if((p->caps() & CAP_SOURCING) == 0 || p->id() == 0) {
+				continue;
+			}
+			bool added = false;
+			auto source_idx = manager->source_idx_by_plugin_id(p->id(), added);
+			auto engine_idx = s.source_infos.at(p->event_source())->engine_idx;
+			if(!added || source_idx != engine_idx) {
+				return run_result::fatal("Could not add event source in the engine: " +
+				                         p->event_source());
 			}
 		}
 	}

userspace/falco/app/actions/init_inspectors.cpp

@@ -26,71 +26,18 @@ using namespace falco::app;
 using namespace falco::app::actions;
 
 static void init_syscall_inspector(falco::app::state& s, std::shared_ptr<sinsp> inspector) {
-	inspector->set_buffer_format(s.options.event_buffer_format);
+	sinsp_evt::param_fmt event_buffer_format = sinsp_evt::PF_NORMAL;
+	if(s.config->m_buffer_format_base64) {
+		event_buffer_format = sinsp_evt::PF_BASE64;
+	}
+
+	inspector->set_buffer_format(event_buffer_format);
 
 	//
-	// Container engines
+	// If required, set the snaplen.
 	//
-
-	// Debug log messages
-	if(s.config->m_container_engines_mask & (1 << CT_DOCKER)) {
-		falco_logger::log(falco_logger::level::DEBUG, "Enabled container engine 'docker'");
-	}
-
-	if(s.config->m_container_engines_mask & (1 << CT_PODMAN)) {
-		falco_logger::log(falco_logger::level::DEBUG, "Enabled container engine 'podman'");
-	}
-
-	if(s.config->m_container_engines_mask &
-	   ((1 << CT_CRI) | (1 << CT_CRIO) | (1 << CT_CONTAINERD))) {
-		falco_logger::log(falco_logger::level::DEBUG, "Enabled container engine 'CRI'");
-	}
-
-	if(s.config->m_container_engines_mask & (1 << CT_LXC)) {
-		falco_logger::log(falco_logger::level::DEBUG, "Enabled container engine 'lxc'");
-	}
-
-	if(s.config->m_container_engines_mask & (1 << CT_LIBVIRT_LXC)) {
-		falco_logger::log(falco_logger::level::DEBUG, "Enabled container engine 'libvirt_lxc'");
-	}
-
-	if(s.config->m_container_engines_mask & (1 << CT_BPM)) {
-		falco_logger::log(falco_logger::level::DEBUG, "Enabled container engine 'bpm'");
-	}
-
-	// Container engines configs via falco.yaml
-	inspector->set_container_engine_mask(s.config->m_container_engines_mask);
-	for(auto& p : s.config->m_container_engines_cri_socket_paths) {
-		if(!p.empty()) {
-			inspector->add_cri_socket_path(p);
-			falco_logger::log(falco_logger::level::DEBUG,
-			                  "Enabled container runtime socket at '" + p + "' via config file");
-		}
-	}
-
-	bool disable_cri_async =
-	        s.config->m_container_engines_disable_cri_async || s.options.disable_cri_async;
-	inspector->set_cri_async(!disable_cri_async);
-
-	if(disable_cri_async) {
-		falco_logger::log(falco_logger::level::DEBUG, "Disabling async lookups for 'CRI'");
-	}
-
-	// Container engines configs via CLI args
-	// If required, set the CRI paths
-	for(auto& p : s.options.cri_socket_paths) {
-		if(!p.empty()) {
-			inspector->add_cri_socket_path(p);
-			falco_logger::log(falco_logger::level::DEBUG,
-			                  "Enabled container runtime socket at '" + p + "' via CLI args");
-		}
-	}
-
-	//
-	// If required, set the snaplen
-	//
-	if(s.options.snaplen != 0) {
-		inspector->set_snaplen(s.options.snaplen);
+	if(s.config->m_falco_libs_snaplen != 0) {
+		inspector->set_snaplen(s.config->m_falco_libs_snaplen);
 	}
 
 	if(s.is_driver_drop_failed_exit_enabled()) {
@@ -142,13 +89,14 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
 	std::string err;
 	std::unordered_set<std::string> used_plugins;
 	const auto& all_plugins = s.offline_inspector->get_plugin_manager()->plugins();
+	const bool is_capture_mode = s.is_capture_mode();
 
 	for(const auto& src : s.loaded_sources) {
 		auto src_info = s.source_infos.at(src);
 
 		// in capture mode, every event source uses the offline inspector.
 		// in live mode, we create a new inspector for each event source
-		if(s.is_capture_mode()) {
+		if(is_capture_mode) {
 			src_info->inspector = s.offline_inspector;
 		} else {
 			src_info->inspector =
@@ -169,15 +117,16 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
 			                ((p->id() != 0 && src == p->event_source()) ||
 			                 (p->id() == 0 && src == falco_common::syscall_source));
 
-			if(s.is_capture_mode()) {
+			if(is_capture_mode) {
 				// in capture mode, every plugin is already registered
 				// in the offline inspector by the load_plugins action
 				plugin = p;
 			} else {
-				// in live mode, for the inspector assigned to the given
-				// event source, we must register the plugin supporting
-				// that event source and also plugins with field extraction
-				// capability that are compatible with that event source
+				// in live mode, for the inspector assigned to the given event source, we must
+				// register a plugin if one of the following condition applies to it:
+				// - it has event sourcing capability for the given event source
+				// - it has one among field extraction, event parsing and async events capabilities
+				//   and is compatible (with respect to that capability) with the given event source
 				if(is_input ||
 				   (p->caps() & CAP_EXTRACTION &&
 				    sinsp_plugin::is_source_compatible(p->extract_event_sources(), src)) ||
@@ -189,22 +138,23 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
 				}
 			}
 
-			// init the plugin, if we registered it into an inspector
-			// (in capture mode, this is true for every plugin)
-			if(plugin) {
-				// avoid initializing the same plugin twice in the same
-				// inspector if we're in capture mode
-				if(!s.is_capture_mode() || used_plugins.find(p->name()) == used_plugins.end()) {
-					if(!plugin->init(config->m_init_config, err)) {
-						return run_result::fatal(err);
-					}
-				}
-				if(is_input) {
-					auto gen_check = src_info->inspector->new_generic_filtercheck();
-					src_info->filterchecks->add_filter_check(std::move(gen_check));
-				}
-				used_plugins.insert(plugin->name());
+			if(!plugin) {
+				continue;
 			}
+
+			// init the plugin only if we registered it into an inspector (in capture mode, this is
+			// true for every plugin). Avoid initializing the same plugin twice in the same
+			// inspector if we're in capture mode
+			if(!is_capture_mode || used_plugins.find(p->name()) == used_plugins.end()) {
+				if(!plugin->init(config->m_init_config, err)) {
+					return run_result::fatal(err);
+				}
+			}
+			if(is_input) {
+				auto gen_check = src_info->inspector->new_generic_filtercheck();
+				src_info->filterchecks->add_filter_check(std::move(gen_check));
+			}
+			used_plugins.insert(plugin->name());
 		}
 
 		// populate filtercheck list for this inspector
@@ -216,20 +166,22 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
 			return run_result::fatal(err);
 		}
 
-		// in live mode, each inspector should have registered at most two event sources:
-		// the "syscall" on, loaded at default at index 0, and optionally another
-		// one defined by a plugin, at index 1
-		if(!s.is_capture_mode()) {
-			const auto& sources = src_info->inspector->event_sources();
-			if(sources.size() == 0 || sources.size() > 2 ||
-			   sources[0] != falco_common::syscall_source) {
-				err.clear();
-				for(const auto& source : sources) {
-					err += (err.empty() ? "" : ", ") + source;
-				}
-				return run_result::fatal("Illegal sources setup in live inspector for source '" +
-				                         src + "': " + err);
+		if(is_capture_mode) {
+			continue;
+		}
+
+		// in live mode, each inspector should have registered at most two event sources: the
+		// "syscall" on, loaded at default at index 0, and optionally another one defined by a
+		// plugin, at index 1
+		const auto& sources = src_info->inspector->event_sources();
+		if(sources.size() == 0 || sources.size() > 2 ||
+		   sources[0] != falco_common::syscall_source) {
+			err.clear();
+			for(const auto& source : sources) {
+				err += (err.empty() ? "" : ", ") + source;
 			}
+			return run_result::fatal("Illegal sources setup in live inspector for source '" + src +
+			                         "': " + err);
 		}
 	}
 

userspace/falco/app/actions/init_outputs.cpp

@@ -64,6 +64,7 @@ falco::app::run_result falco::app::actions::init_outputs(falco::app::state& s) {
 	                                            s.config->m_json_include_output_property,
 	                                            s.config->m_json_include_tags_property,
 	                                            s.config->m_json_include_message_property,
+	                                            s.config->m_json_include_output_fields_property,
 	                                            s.config->m_output_timeout,
 	                                            s.config->m_buffered_outputs,
 	                                            s.config->m_outputs_queue_capacity,

userspace/falco/app/actions/list_fields.cpp

@@ -21,17 +21,18 @@ using namespace falco::app;
 using namespace falco::app::actions;
 
 falco::app::run_result falco::app::actions::list_fields(falco::app::state& s) {
-	if(s.options.list_fields) {
-		if(s.options.list_source_fields != "" &&
-		   !s.engine->is_source_valid(s.options.list_source_fields)) {
-			return run_result::fatal("Value for --list must be a valid source type");
-		}
-		s.engine->list_fields(s.options.list_source_fields,
-		                      s.options.verbose,
-		                      s.options.names_only,
-		                      s.options.markdown);
-		return run_result::exit();
+	if(!s.options.list_fields) {
+		return run_result::ok();
 	}
 
-	return run_result::ok();
+	if(s.options.list_source_fields != "" &&
+	   !s.engine->is_source_valid(s.options.list_source_fields)) {
+		return run_result::fatal("Value for --list must be a valid source type");
+	}
+
+	s.engine->list_fields(s.options.list_source_fields,
+	                      s.options.verbose,
+	                      s.options.names_only,
+	                      s.options.markdown);
+	return run_result::exit();
 }

userspace/falco/app/actions/list_plugins.cpp

@@ -24,20 +24,20 @@ using namespace falco::app;
 using namespace falco::app::actions;
 
 falco::app::run_result falco::app::actions::list_plugins(const falco::app::state& s) {
-	if(s.options.list_plugins) {
-		std::ostringstream os;
-		sinsp inspector;
-		const auto& configs = s.config->m_plugins;
-		for(auto& c : configs) {
-			// load the plugin (no need to initialize it)
-			auto plugin = inspector.register_plugin(c.m_library_path);
-			format_plugin_info(plugin, os);
-			os << std::endl;
-		}
-
-		printf("%lu Plugins Loaded:\n\n%s\n", configs.size(), os.str().c_str());
-		return run_result::exit();
+	if(!s.options.list_plugins) {
+		return run_result::ok();
 	}
 
-	return run_result::ok();
+	std::ostringstream os;
+	sinsp inspector;
+	const auto& configs = s.config->m_plugins;
+	for(auto& c : configs) {
+		// load the plugin (no need to initialize it)
+		auto plugin = inspector.register_plugin(c.m_library_path);
+		format_plugin_info(plugin, os);
+		os << std::endl;
+	}
+
+	printf("%lu Plugins Loaded:\n\n%s\n", configs.size(), os.str().c_str());
+	return run_result::exit();
 }

userspace/falco/app/actions/load_config.cpp

@@ -66,6 +66,10 @@ falco::app::run_result falco::app::actions::load_config(const falco::app::state&
 		}
 	}
 
+	s.config->m_falco_reload_ts = (int64_t)std::chrono::duration_cast<std::chrono::nanoseconds>(
+	                                      std::chrono::system_clock::now().time_since_epoch())
+	                                      .count();
+
 	s.config->m_buffered_outputs = !s.options.unbuffered_outputs;
 
 	return apply_deprecated_options(s);

userspace/falco/app/actions/load_plugins.cpp

@@ -51,16 +51,18 @@ falco::app::run_result falco::app::actions::load_plugins(falco::app::state& s) {
 		                  "Loading plugin '" + p.m_name + "' from file " + p.m_library_path + "\n");
 		auto plugin = s.offline_inspector->register_plugin(p.m_library_path);
 		s.plugin_configs.insert(p, plugin->name());
-		if(plugin->caps() & CAP_SOURCING && plugin->id() != 0) {
-			state::source_info src_info;
-			src_info.filterchecks = std::make_shared<filter_check_list>();
-			auto sname = plugin->event_source();
-			s.source_infos.insert(src_info, sname);
-			// note: this avoids duplicate values
-			if(std::find(s.loaded_sources.begin(), s.loaded_sources.end(), sname) ==
-			   s.loaded_sources.end()) {
-				s.loaded_sources.push_back(sname);
-			}
+		if((plugin->caps() & CAP_SOURCING) == 0 || plugin->id() == 0) {
+			continue;
+		}
+		// Account the plugin event source
+		state::source_info src_info;
+		src_info.filterchecks = std::make_shared<filter_check_list>();
+		auto src_name = plugin->event_source();
+		s.source_infos.insert(src_info, src_name);
+		// note: this avoids duplicate values
+		if(std::find(s.loaded_sources.begin(), s.loaded_sources.end(), src_name) ==
+		   s.loaded_sources.end()) {
+			s.loaded_sources.push_back(src_name);
 		}
 	}
 

userspace/falco/app/actions/pidfile.cpp

@@ -30,21 +30,23 @@ falco::app::run_result falco::app::actions::pidfile(const falco::app::state& sta
 		return run_result::ok();
 	}
 
-	if(!state.options.pidfilename.empty()) {
-		int64_t self_pid = getpid();
-
-		std::ofstream stream;
-		stream.open(state.options.pidfilename);
-
-		if(!stream.good()) {
-			falco_logger::log(
-			        falco_logger::level::ERR,
-			        "Could not write pid to pidfile " + state.options.pidfilename + ". Exiting.\n");
-			exit(-1);
-		}
-		stream << self_pid;
-		stream.close();
+	if(state.options.pidfilename.empty()) {
+		return run_result::ok();
 	}
 
+	int64_t self_pid = getpid();
+
+	std::ofstream stream;
+	stream.open(state.options.pidfilename);
+
+	if(!stream.good()) {
+		falco_logger::log(
+		        falco_logger::level::ERR,
+		        "Could not write pid to pidfile " + state.options.pidfilename + ". Exiting.\n");
+		exit(-1);
+	}
+	stream << self_pid;
+	stream.close();
+
 	return run_result::ok();
 }

userspace/falco/app/actions/print_config_schema.cpp

@@ -21,9 +21,10 @@ using namespace falco::app;
 using namespace falco::app::actions;
 
 falco::app::run_result falco::app::actions::print_config_schema(falco::app::state &s) {
-	if(s.options.print_config_schema) {
-		printf("%s", s.config->m_config_schema.dump(2).c_str());
-		return run_result::exit();
+	if(!s.options.print_config_schema) {
+		return run_result::ok();
 	}
-	return run_result::ok();
+
+	printf("%s", s.config->m_config_schema.dump(2).c_str());
+	return run_result::exit();
 }

userspace/falco/app/actions/print_generated_gvisor_config.cpp

@@ -22,12 +22,13 @@ using namespace falco::app;
 using namespace falco::app::actions;
 
 falco::app::run_result falco::app::actions::print_generated_gvisor_config(falco::app::state& s) {
-	if(!s.options.gvisor_generate_config_with_socket.empty()) {
-		sinsp i;
-		std::string gvisor_config =
-		        i.generate_gvisor_config(s.options.gvisor_generate_config_with_socket);
-		printf("%s\n", gvisor_config.c_str());
-		return run_result::exit();
+	if(s.options.gvisor_generate_config_with_socket.empty()) {
+		return run_result::ok();
 	}
-	return run_result::ok();
+
+	sinsp i;
+	std::string gvisor_config =
+	        i.generate_gvisor_config(s.options.gvisor_generate_config_with_socket);
+	printf("%s\n", gvisor_config.c_str());
+	return run_result::exit();
 }

userspace/falco/app/actions/print_help.cpp

@@ -21,9 +21,10 @@ using namespace falco::app;
 using namespace falco::app::actions;
 
 falco::app::run_result falco::app::actions::print_help(falco::app::state& s) {
-	if(s.options.help) {
-		printf("%s", s.options.usage().c_str());
-		return run_result::exit();
+	if(!s.options.help) {
+		return run_result::ok();
 	}
-	return run_result::ok();
+
+	printf("%s", s.options.usage().c_str());
+	return run_result::exit();
 }

userspace/falco/app/actions/print_kernel_version.cpp

@@ -28,22 +28,25 @@ using namespace falco::app::actions;
 falco::app::run_result falco::app::actions::print_kernel_version(const falco::app::state& s) {
 #ifdef __linux__
 	// We print this info only when a kernel driver is injected
-	if(s.is_modern_ebpf() || s.is_ebpf() || s.is_kmod()) {
-		std::ifstream input_file("/proc/version");
-		if(!input_file.is_open()) {
-			// We don't want to fail, we just need to log something
-			falco_logger::log(falco_logger::level::INFO,
-			                  "Cannot read under '/proc/version' (err_message: '" +
-			                          std::string(strerror(errno)) + "', err_code: " +
-			                          std::to_string(errno) + "). No info provided, go on.");
-			return run_result::ok();
-		}
-
-		std::stringstream buffer;
-		buffer << input_file.rdbuf();
-		std::string contents(buffer.str());
-		falco_logger::log(falco_logger::level::INFO, "System info: " + contents);
+	bool const is_kernel_driver_injected = s.is_modern_ebpf() || s.is_ebpf() || s.is_kmod();
+	if(!is_kernel_driver_injected) {
+		return run_result::ok();
 	}
+
+	std::ifstream input_file("/proc/version");
+	if(!input_file.is_open()) {
+		// We don't want to fail, we just need to log something
+		falco_logger::log(
+		        falco_logger::level::INFO,
+		        "Cannot read under '/proc/version' (err_message: '" + std::string(strerror(errno)) +
+		                "', err_code: " + std::to_string(errno) + "). No info provided, go on.");
+		return run_result::ok();
+	}
+
+	std::stringstream buffer;
+	buffer << input_file.rdbuf();
+	std::string contents(buffer.str());
+	falco_logger::log(falco_logger::level::INFO, "System info: " + contents);
 #endif
 	return run_result::ok();
 }

userspace/falco/app/actions/print_page_size.cpp

@@ -24,25 +24,24 @@ using namespace falco::app;
 using namespace falco::app::actions;
 
 falco::app::run_result falco::app::actions::print_page_size(const falco::app::state& s) {
-	if(s.options.print_page_size) {
-#ifndef _WIN32
-		long page_size = getpagesize();
-#else
-		SYSTEM_INFO sysInfo;
-
-		GetSystemInfo(&sysInfo);
-
-		long page_size = sysInfo.dwPageSize;
-#endif
-		if(page_size <= 0) {
-			return run_result::fatal(
-			        "\nUnable to get the system page size through 'getpagesize()'\n");
-		} else {
-			falco_logger::log(
-			        falco_logger::level::INFO,
-			        "Your system page size is: " + std::to_string(page_size) + " bytes\n");
-		}
-		return run_result::exit();
+	if(!s.options.print_page_size) {
+		return run_result::ok();
 	}
-	return run_result::ok();
+
+#ifndef _WIN32
+	long page_size = getpagesize();
+#else
+	SYSTEM_INFO sysInfo;
+
+	GetSystemInfo(&sysInfo);
+
+	long page_size = sysInfo.dwPageSize;
+#endif
+	if(page_size <= 0) {
+		return run_result::fatal("\nUnable to get the system page size through 'getpagesize()'\n");
+	}
+
+	falco_logger::log(falco_logger::level::INFO,
+	                  "Your system page size is: " + std::to_string(page_size) + " bytes\n");
+	return run_result::exit();
 }

userspace/falco/app/actions/print_plugin_info.cpp

@@ -24,78 +24,81 @@ using namespace falco::app;
 using namespace falco::app::actions;
 
 falco::app::run_result falco::app::actions::print_plugin_info(const falco::app::state &s) {
-	if(!s.options.print_plugin_info.empty()) {
-		sinsp inspector;
-		for(auto &pc : s.config->m_plugins) {
-			if(pc.m_name == s.options.print_plugin_info ||
-			   pc.m_library_path == s.options.print_plugin_info) {
-				// load the plugin
-				auto p = inspector.register_plugin(pc.m_library_path);
-
-				// print plugin descriptive info
-				std::ostringstream os;
-				format_plugin_info(p, os);
-				os << std::endl;
-				printf("%s", os.str().c_str());
-
-				// print plugin init schema
-				os.str("");
-				os.clear();
-				ss_plugin_schema_type type;
-				auto schema = p->get_init_schema(type);
-				os << "Init config schema type: ";
-				switch(type) {
-				case SS_PLUGIN_SCHEMA_JSON:
-					os << "JSON" << std::endl;
-					break;
-				case SS_PLUGIN_SCHEMA_NONE:
-				default:
-					os << "Not available, plugin does not implement the init config schema "
-					      "functionality"
-					   << std::endl;
-					break;
-				}
-				os << schema << std::endl;
-				os << std::endl;
-				printf("%s", os.str().c_str());
-
-				// init the plugin
-				std::string err;
-				if(!p->init(pc.m_init_config, err)) {
-					return run_result::fatal(err);
-				}
-
-				// print plugin suggested open parameters
-				if(p->caps() & CAP_SOURCING) {
-					os.str("");
-					os.clear();
-					auto params = p->list_open_params();
-					if(params.empty()) {
-						os << "No suggested open params available: ";
-						os << "plugin has not been configured, or it does not implement the open "
-						      "params suggestion functionality"
-						   << std::endl;
-					} else {
-						os << "Suggested open params:" << std::endl;
-						for(const auto &oparam : p->list_open_params()) {
-							if(oparam.desc == "") {
-								os << oparam.value << std::endl;
-							} else {
-								os << oparam.value << ": " << oparam.desc << std::endl;
-							}
-						}
-					}
-					os << std::endl;
-					printf("%s", os.str().c_str());
-				}
-
-				// exit
-				return run_result::exit();
-			}
-		}
-		return run_result::fatal("can't find plugin and print its info: " +
-		                         s.options.print_plugin_info);
+	if(s.options.print_plugin_info.empty()) {
+		return run_result::ok();
 	}
 
-	return run_result::ok();
+	sinsp inspector;
+	for(auto &pc : s.config->m_plugins) {
+		if(pc.m_name != s.options.print_plugin_info &&
+		   pc.m_library_path != s.options.print_plugin_info) {
+			continue;
+		}
+
+		// found matching plugin; load it
+		auto p = inspector.register_plugin(pc.m_library_path);
+
+		// print plugin descriptive info
+		std::ostringstream os;
+		format_plugin_info(p, os);
+		os << std::endl;
+		printf("%s", os.str().c_str());
+
+		// print plugin init schema
+		os.str("");
+		os.clear();
+		ss_plugin_schema_type type;
+		auto schema = p->get_init_schema(type);
+		os << "Init config schema type: ";
+		switch(type) {
+		case SS_PLUGIN_SCHEMA_JSON:
+			os << "JSON" << std::endl;
+			break;
+		case SS_PLUGIN_SCHEMA_NONE:
+		default:
+			os << "Not available, plugin does not implement the init config schema "
+			      "functionality"
+			   << std::endl;
+			break;
+		}
+		os << schema << std::endl;
+		os << std::endl;
+		printf("%s", os.str().c_str());
+
+		// init the plugin
+		std::string err;
+		if(!p->init(pc.m_init_config, err)) {
+			return run_result::fatal(err);
+		}
+
+		// print plugin suggested open parameters
+		if(p->caps() & CAP_SOURCING) {
+			os.str("");
+			os.clear();
+			auto params = p->list_open_params();
+			if(params.empty()) {
+				os << "No suggested open params available: ";
+				os << "plugin has not been configured, or it does not implement the open "
+				      "params suggestion functionality"
+				   << std::endl;
+			} else {
+				os << "Suggested open params:" << std::endl;
+				for(const auto &oparam : p->list_open_params()) {
+					if(oparam.desc == "") {
+						os << oparam.value << std::endl;
+					} else {
+						os << oparam.value << ": " << oparam.desc << std::endl;
+					}
+				}
+			}
+			os << std::endl;
+			printf("%s", os.str().c_str());
+		}
+
+		// exit
+		return run_result::exit();
+	}
+
+	return run_result::fatal("can't find plugin and print its info: " +
+	                         s.options.print_plugin_info);
 }

userspace/falco/app/actions/print_rule_schema.cpp

@@ -21,9 +21,10 @@ using namespace falco::app;
 using namespace falco::app::actions;
 
 falco::app::run_result falco::app::actions::print_rule_schema(falco::app::state &s) {
-	if(s.options.print_rule_schema) {
-		printf("%s", s.engine->m_rule_schema.dump(2).c_str());
-		return run_result::exit();
+	if(!s.options.print_rule_schema) {
+		return run_result::ok();
 	}
-	return run_result::ok();
+
+	printf("%s", s.engine->m_rule_schema.dump(2).c_str());
+	return run_result::exit();
 }

userspace/falco/app/actions/print_support.cpp

@@ -88,31 +88,30 @@ static int get_sysinfo(nlohmann::json& support) {
 #endif
 
 falco::app::run_result falco::app::actions::print_support(falco::app::state& s) {
-	if(s.options.print_support) {
-		nlohmann::json support;
-
-		if(get_sysinfo(support) != 0) {
-			return run_result::fatal(std::string("Could not get system info: ") + strerror(errno));
-		}
-
-		const falco::versions_info infos(s.offline_inspector);
-		support["version"] = infos.falco_version;
-		support["engine_info"] = infos.as_json();
-		support["cmdline"] = s.cmdline;
-		support["config"] = s.config->dump();
-		support["rules_files"] = nlohmann::json::array();
-		for(const auto& filename : s.config->m_loaded_rules_filenames) {
-			nlohmann::json finfo;
-			finfo["name"] = filename;
-			nlohmann::json variant;
-			variant["content"] = read_file(filename);
-			finfo["variants"].push_back(variant);
-			support["rules_files"].push_back(finfo);
-		}
-		printf("%s\n", support.dump().c_str());
-
-		return run_result::exit();
+	if(!s.options.print_support) {
+		return run_result::ok();
 	}
 
-	return run_result::ok();
+	nlohmann::json support;
+
+	if(get_sysinfo(support) != 0) {
+		return run_result::fatal(std::string("Could not get system info: ") + strerror(errno));
+	}
+
+	const falco::versions_info infos(s.offline_inspector);
+	support["version"] = infos.falco_version;
+	support["engine_info"] = infos.as_json();
+	support["cmdline"] = s.cmdline;
+	support["config"] = s.config->dump();
+	support["rules_files"] = nlohmann::json::array();
+	for(const auto& filename : s.config->m_loaded_rules_filenames) {
+		nlohmann::json finfo;
+		finfo["name"] = filename;
+		nlohmann::json variant;
+		variant["content"] = read_file(filename);
+		finfo["variants"].push_back(variant);
+		support["rules_files"].push_back(finfo);
+	}
+	printf("%s\n", support.dump().c_str());
+	return run_result::exit();
 }

userspace/falco/app/actions/print_syscall_events.cpp

@@ -157,30 +157,29 @@ static void print_events(const std::vector<event_entry>& events, bool markdown)
 }
 
 falco::app::run_result falco::app::actions::print_syscall_events(falco::app::state& s) {
-	if(s.options.list_syscall_events) {
-		const falco::versions_info info(s.offline_inspector);
-		printf("The events below are valid for Falco *Schema Version*: %s\n",
-		       info.driver_schema_version.c_str());
-
-		const libsinsp::events::set<ppm_event_code> available =
-		        libsinsp::events::all_event_set().diff(
-		                sc_set_to_event_set(falco::app::ignored_sc_set()));
-		const struct events_by_category events_bc = get_event_entries_by_category(true, available);
-
-		printf("## Syscall events\n\n");
-		print_events(events_bc.syscalls, s.options.markdown);
-
-		printf("\n\n## Tracepoint events\n\n");
-		print_events(events_bc.tracepoints, s.options.markdown);
-
-		printf("\n\n## Plugin events\n\n");
-		print_events(events_bc.pluginevents, s.options.markdown);
-
-		printf("\n\n## Metaevents\n\n");
-		print_events(events_bc.metaevents, s.options.markdown);
-
-		return run_result::exit();
+	if(!s.options.list_syscall_events) {
+		return run_result::ok();
 	}
 
-	return run_result::ok();
+	const falco::versions_info info(s.offline_inspector);
+	printf("The events below are valid for Falco *Schema Version*: %s\n",
+	       info.driver_schema_version.c_str());
+
+	const libsinsp::events::set<ppm_event_code> available = libsinsp::events::all_event_set().diff(
+	        sc_set_to_event_set(falco::app::ignored_sc_set()));
+	const struct events_by_category events_bc = get_event_entries_by_category(true, available);
+
+	printf("## Syscall events\n\n");
+	print_events(events_bc.syscalls, s.options.markdown);
+
+	printf("\n\n## Tracepoint events\n\n");
+	print_events(events_bc.tracepoints, s.options.markdown);
+
+	printf("\n\n## Plugin events\n\n");
+	print_events(events_bc.pluginevents, s.options.markdown);
+
+	printf("\n\n## Metaevents\n\n");
+	print_events(events_bc.metaevents, s.options.markdown);
+
+	return run_result::exit();
 }

userspace/falco/app/actions/print_version.cpp

@@ -22,22 +22,22 @@ using namespace falco::app;
 using namespace falco::app::actions;
 
 falco::app::run_result falco::app::actions::print_version(falco::app::state& s) {
-	if(s.options.print_version_info) {
-		const falco::versions_info info(s.offline_inspector);
-		if(s.config->m_json_output) {
-			printf("%s\n", info.as_json().dump().c_str());
-		} else {
-			printf("Falco version: %s\n", info.falco_version.c_str());
-			printf("Libs version:  %s\n", info.libs_version.c_str());
-			printf("Plugin API:    %s\n", info.plugin_api_version.c_str());
-			printf("Engine:        %s\n", info.engine_version.c_str());
-			printf("Driver:\n");
-			printf("  API version:    %s\n", info.driver_api_version.c_str());
-			printf("  Schema version: %s\n", info.driver_schema_version.c_str());
-			printf("  Default driver: %s\n", info.default_driver_version.c_str());
-		}
-		return run_result::exit();
+	if(!s.options.print_version_info) {
+		return run_result::ok();
 	}
 
-	return run_result::ok();
+	const falco::versions_info info(s.offline_inspector);
+	if(s.config->m_json_output) {
+		printf("%s\n", info.as_json().dump().c_str());
+	} else {
+		printf("Falco version: %s\n", info.falco_version.c_str());
+		printf("Libs version:  %s\n", info.libs_version.c_str());
+		printf("Plugin API:    %s\n", info.plugin_api_version.c_str());
+		printf("Engine:        %s\n", info.engine_version.c_str());
+		printf("Driver:\n");
+		printf("  API version:    %s\n", info.driver_api_version.c_str());
+		printf("  Schema version: %s\n", info.driver_schema_version.c_str());
+		printf("  Default driver: %s\n", info.default_driver_version.c_str());
+	}
+	return run_result::exit();
 }

userspace/falco/app/actions/process_events.cpp

@@ -260,10 +260,18 @@ static falco::app::run_result do_inspect(
 
 		// Reset the timeouts counter, Falco successfully got an event to process
 		timeouts_since_last_success_or_msg = 0;
+
 		if(duration_start == 0) {
 			duration_start = ev->get_ts();
 		} else if(duration_to_tot_ns > 0) {
-			if(ev->get_ts() - duration_start >= duration_to_tot_ns) {
+			// Highest priority async events (whose timestamp is -1 and get set by sinsp to current
+			// ts) are processed **before** other events, event if already enqueued. This means that
+			// we might find ourself in a situation where we have duration_start whose ts is > then
+			// next ev->get_ts(), leading t ev->get_ts() - duration_start being <0 (and, since we
+			// are unsigned here, huge). The diff should never need to be that large anyway, use a
+			// signed.
+			const int64_t diff = ev->get_ts() - duration_start;
+			if(diff >= (int64_t)duration_to_tot_ns) {
 				break;
 			}
 		}
@@ -477,6 +485,10 @@ falco::app::run_result falco::app::actions::process_events(falco::app::state& s)
 				}
 
 				if(s.enabled_sources.size() == 1) {
+					if(s.on_inspectors_opened != nullptr) {
+						s.on_inspectors_opened();
+					}
+
 					// optimization: with only one source we don't spawn additional threads
 					process_inspector_events(s,
 					                         src_info->inspector,
@@ -506,6 +518,9 @@ falco::app::run_result falco::app::actions::process_events(falco::app::state& s)
 				break;
 			}
 		}
+		if(s.enabled_sources.size() > 1 && s.on_inspectors_opened != nullptr) {
+			s.on_inspectors_opened();
+		}
 
 		// wait for event processing to terminate for all sources
 		// if a thread terminates with an error, we trigger the app termination

userspace/falco/app/actions/start_grpc_server.cpp

@@ -27,44 +27,46 @@ using namespace falco::app::actions;
 falco::app::run_result falco::app::actions::start_grpc_server(falco::app::state& s) {
 #if !defined(_WIN32) && !defined(__EMSCRIPTEN__) && !defined(MINIMAL_BUILD)
 	// gRPC server
-	if(s.config->m_grpc_enabled) {
-		if(s.options.dry_run) {
-			falco_logger::log(falco_logger::level::DEBUG,
-			                  "Skipping starting gRPC server in dry-run\n");
-			return run_result::ok();
-		}
-
-		falco_logger::log(falco_logger::level::INFO,
-		                  "gRPC server threadiness equals to " +
-		                          std::to_string(s.config->m_grpc_threadiness) + "\n");
-		// TODO(fntlnz,leodido): when we want to spawn multiple threads we need to have a queue per
-		// thread, or implement different queuing mechanisms, round robin, fanout? What we want to
-		// achieve?
-		s.grpc_server.init(s.config->m_grpc_bind_address,
-		                   s.config->m_grpc_threadiness,
-		                   s.config->m_grpc_private_key,
-		                   s.config->m_grpc_cert_chain,
-		                   s.config->m_grpc_root_certs,
-		                   s.config->m_log_level);
-		s.grpc_server_thread = std::thread([&s] { s.grpc_server.run(); });
+	if(!s.config->m_grpc_enabled) {
+		return run_result::ok();
 	}
+
+	if(s.options.dry_run) {
+		falco_logger::log(falco_logger::level::DEBUG, "Skipping starting gRPC server in dry-run\n");
+		return run_result::ok();
+	}
+
+	falco_logger::log(falco_logger::level::INFO,
+	                  "gRPC server threadiness equals to " +
+	                          std::to_string(s.config->m_grpc_threadiness) + "\n");
+	// TODO(fntlnz,leodido): when we want to spawn multiple threads we need to have a queue per
+	// thread, or implement different queuing mechanisms, round robin, fanout? What we want to
+	// achieve?
+	s.grpc_server.init(s.config->m_grpc_bind_address,
+	                   s.config->m_grpc_threadiness,
+	                   s.config->m_grpc_private_key,
+	                   s.config->m_grpc_cert_chain,
+	                   s.config->m_grpc_root_certs,
+	                   s.config->m_log_level);
+	s.grpc_server_thread = std::thread([&s] { s.grpc_server.run(); });
 #endif
 	return run_result::ok();
 }
 
 falco::app::run_result falco::app::actions::stop_grpc_server(falco::app::state& s) {
 #if !defined(_WIN32) && !defined(__EMSCRIPTEN__) && !defined(MINIMAL_BUILD)
-	if(s.config->m_grpc_enabled) {
-		if(s.options.dry_run) {
-			falco_logger::log(falco_logger::level::DEBUG,
-			                  "Skipping stopping gRPC server in dry-run\n");
-			return run_result::ok();
-		}
+	if(!s.config->m_grpc_enabled) {
+		return run_result::ok();
+	}
 
-		if(s.grpc_server_thread.joinable()) {
-			s.grpc_server.shutdown();
-			s.grpc_server_thread.join();
-		}
+	if(s.options.dry_run) {
+		falco_logger::log(falco_logger::level::DEBUG, "Skipping stopping gRPC server in dry-run\n");
+		return run_result::ok();
+	}
+
+	if(s.grpc_server_thread.joinable()) {
+		s.grpc_server.shutdown();
+		s.grpc_server_thread.join();
 	}
 #endif
 	return run_result::ok();

userspace/falco/app/actions/start_webserver.cpp

@@ -26,39 +26,41 @@ using namespace falco::app::actions;
 
 falco::app::run_result falco::app::actions::start_webserver(falco::app::state& state) {
 #if !defined(_WIN32) && !defined(__EMSCRIPTEN__) && !defined(MINIMAL_BUILD)
-	if(!state.is_capture_mode() && state.config->m_webserver_enabled) {
-		if(state.options.dry_run) {
-			falco_logger::log(falco_logger::level::DEBUG,
-			                  "Skipping starting webserver in dry-run\n");
-			return run_result::ok();
-		}
-
-		falco_configuration::webserver_config webserver_config = state.config->m_webserver_config;
-		std::string ssl_option = (webserver_config.m_ssl_enabled ? " (SSL)" : "");
-		falco_logger::log(falco_logger::level::INFO,
-		                  "Starting health webserver with threadiness " +
-		                          std::to_string(webserver_config.m_threadiness) +
-		                          ", listening on " + webserver_config.m_listen_address + ":" +
-		                          std::to_string(webserver_config.m_listen_port) + ssl_option +
-		                          "\n");
-
-		state.webserver.start(state, webserver_config);
+	if(state.is_capture_mode() || !state.config->m_webserver_enabled) {
+		return run_result::ok();
 	}
+
+	if(state.options.dry_run) {
+		falco_logger::log(falco_logger::level::DEBUG, "Skipping starting webserver in dry-run\n");
+		return run_result::ok();
+	}
+
+	falco_configuration::webserver_config webserver_config = state.config->m_webserver_config;
+	std::string ssl_option = (webserver_config.m_ssl_enabled ? " (SSL)" : "");
+	falco_logger::log(falco_logger::level::INFO,
+	                  "Starting health webserver with threadiness " +
+	                          std::to_string(webserver_config.m_threadiness) + ", listening on " +
+	                          webserver_config.m_listen_address + ":" +
+	                          std::to_string(webserver_config.m_listen_port) + ssl_option + "\n");
+
+	state.webserver.start(state, webserver_config);
+	state.on_inspectors_opened = [&state]() { state.webserver.enable_prometheus_metrics(state); };
 #endif
 	return run_result::ok();
 }
 
 falco::app::run_result falco::app::actions::stop_webserver(falco::app::state& state) {
 #if !defined(_WIN32) && !defined(__EMSCRIPTEN__) && !defined(MINIMAL_BUILD)
-	if(!state.is_capture_mode() && state.config->m_webserver_enabled) {
-		if(state.options.dry_run) {
-			falco_logger::log(falco_logger::level::DEBUG,
-			                  "Skipping stopping webserver in dry-run\n");
-			return run_result::ok();
-		}
-
-		state.webserver.stop();
+	if(state.is_capture_mode() || !state.config->m_webserver_enabled) {
+		return run_result::ok();
 	}
+
+	if(state.options.dry_run) {
+		falco_logger::log(falco_logger::level::DEBUG, "Skipping stopping webserver in dry-run\n");
+		return run_result::ok();
+	}
+
+	state.webserver.stop();
 #endif
 	return run_result::ok();
 }