wip

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

.dockerignore

@@ -0,0 +1,3 @@
+*
+!config/
+!docker/

.github/release_template.md

@@ -6,6 +6,7 @@
 | rpm-x86_64      | [![rpm](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpmFALCOBUCKET/falco-FALCOVER-x86_64.rpm)        |
 | deb-x86_64      | [![deb](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/debFALCOBUCKET/stable/falco-FALCOVER-x86_64.deb) |
 | tgz-x86_64      | [![tgz](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/binFALCOBUCKET/x86_64/falco-FALCOVER-x86_64.tar.gz) |
+| tgz-static-x86_64      | [![tgz-static](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/binFALCOBUCKET/x86_64/falco-FALCOVER-static-x86_64.tar.gz) |
 | rpm-aarch64      | [![rpm](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpmFALCOBUCKET/falco-FALCOVER-aarch64.rpm)        |
 | deb-aarch64      | [![deb](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/debFALCOBUCKET/stable/falco-FALCOVER-aarch64.deb) |
 | tgz-aarch64      | [![tgz](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/binFALCOBUCKET/aarch64/falco-FALCOVER-aarch64.tar.gz) |

.github/workflows/ci.yml

@@ -39,24 +39,26 @@ jobs:
   test-dev-packages:
     needs: [fetch-version, build-dev-packages-x86_64]
     uses: ./.github/workflows/reusable_test_packages.yaml
-    strategy:
-      fail-fast: false
-      matrix:
-        static: ["static", ""]
+    # See https://github.com/falcosecurity/falco/pull/3482
+    # Since musl build does not support dynamically loaded plugins,
+    # many tests would fail (the ones using `container.foo` fields).
+    # Disable tests on static builds for now.
+#    strategy:
+#      fail-fast: false
+#      matrix:
+#        static: ["static", ""]
     with:
       arch: x86_64
-      sanitizers: ${{ matrix.static == '' && true || false }}
-      static: ${{ matrix.static != '' && true || false }}
+#      sanitizers: ${{ matrix.static == '' && true || false }}
+      sanitizers: true
+#      static: ${{ matrix.static != '' && true || false }}
       version: ${{ needs.fetch-version.outputs.version }}
 
   test-dev-packages-arm64:
     needs: [fetch-version, build-dev-packages-arm64]
     uses: ./.github/workflows/reusable_test_packages.yaml
-    strategy:
-      fail-fast: false
     with:
       arch: aarch64
-      static: ${{ matrix.static != '' && true || false }}
       version: ${{ needs.fetch-version.outputs.version }}
 
   build-dev-minimal:

.github/workflows/master.yaml

@@ -31,13 +31,17 @@ jobs:
   test-dev-packages:
     needs: [fetch-version, build-dev-packages]
     uses: ./.github/workflows/reusable_test_packages.yaml
-    strategy:
-      fail-fast: false
-      matrix:
-        static: ["static", ""]
+    # See https://github.com/falcosecurity/falco/pull/3482
+    # Since musl build does not support dynamically loaded plugins,
+    # many tests would fail (the ones using `container.foo` fields).
+    # Disable tests on static builds for now.
+#    strategy:
+#      fail-fast: false
+#      matrix:
+#        static: ["static", ""]
     with:
       arch: x86_64
-      static: ${{ matrix.static != '' && true || false }}
+#      static: ${{ matrix.static != '' && true || false }}
       version: ${{ needs.fetch-version.outputs.version }}
   
   test-dev-packages-arm64:

.github/workflows/release.yaml

@@ -69,13 +69,17 @@ jobs:
   test-packages:
     needs: [release-settings, build-packages]
     uses: ./.github/workflows/reusable_test_packages.yaml
-    strategy:
-      fail-fast: false
-      matrix:
-        static: ["static", ""]
+    # See https://github.com/falcosecurity/falco/pull/3482
+    # Since musl build does not support dynamically loaded plugins,
+    # many tests would fail (the ones using `container.foo` fields).
+    # Disable tests on static builds for now.
+#    strategy:
+#      fail-fast: false
+#      matrix:
+#        static: ["static", ""]
     with:
       arch: x86_64
-      static: ${{ matrix.static != '' && true || false }}
+#      static: ${{ matrix.static != '' && true || false }}
       version: ${{ github.event.release.tag_name }}
 
   test-packages-arm64:

.github/workflows/reusable_build_docker.yaml

@@ -43,8 +43,7 @@ jobs:
 
       - name: Build falco image
         run: |
-          cd ${{ github.workspace }}/docker/falco/
-          docker build -t docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }} \
+          docker build -f docker/falco/Dockerfile -t docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }} \
             --build-arg VERSION_BUCKET=bin${{ inputs.bucket_suffix }} \
             --build-arg FALCO_VERSION=${{ inputs.version }} \
             --build-arg TARGETARCH=${TARGETARCH} \
@@ -53,8 +52,7 @@ jobs:
 
       - name: Build falco-debian image
         run: |
-          cd ${{ github.workspace }}/docker/falco-debian/
-          docker build -t docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }}-debian \
+          docker build -f docker/falco-debian/Dockerfile -t docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }}-debian \
             --build-arg VERSION_BUCKET=deb${{ inputs.bucket_suffix }} \
             --build-arg FALCO_VERSION=${{ inputs.version }} \
             --build-arg TARGETARCH=${TARGETARCH} \
@@ -63,8 +61,7 @@ jobs:
 
       - name: Build falco-driver-loader image
         run: |
-          cd ${{ github.workspace }}/docker/driver-loader/
-          docker build -t docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }} \
+          docker build -f docker/driver-loader/Dockerfile -t docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }} \
             --build-arg FALCO_IMAGE_TAG=${{ inputs.arch }}-${{ inputs.tag }} \
             --build-arg TARGETARCH=${TARGETARCH} \
             .
@@ -72,8 +69,7 @@ jobs:
 
       - name: Build falco-driver-loader-buster image
         run: |
-          cd ${{ github.workspace }}/docker/driver-loader-buster/
-          docker build -t docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }}-buster \
+          docker build -f docker/driver-loader-buster/Dockerfile -t docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }}-buster \
             --build-arg VERSION_BUCKET=deb${{ inputs.bucket_suffix }} \
             --build-arg FALCO_VERSION=${{ inputs.version }} \
             --build-arg TARGETARCH=${TARGETARCH} \
@@ -83,6 +79,6 @@ jobs:
       - name: Upload images tarballs
         uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
-          name: falco-images
+          name: falco-images-${{ inputs.arch }}
           path: /tmp/falco-*.tar
           retention-days: 1

.github/workflows/reusable_build_packages.yaml

@@ -59,7 +59,12 @@ jobs:
       # Always install deps before invoking checkout action, to properly perform a full clone.
       - name: Install build deps
         run: |
-          sudo apt update && sudo apt install -y --no-install-recommends ca-certificates cmake curl wget build-essential git pkg-config autoconf automake libtool m4 rpm
+          sudo apt update && sudo apt install -y --no-install-recommends ca-certificates cmake curl wget build-essential git pkg-config autoconf automake libtool m4 rpm alien
+
+      - name: Install systemd rpm macros
+        run: |
+          wget https://rpmfind.net/linux/fedora/linux/development/rawhide/Everything/x86_64/os/Packages/s/systemd-rpm-macros-257.4-3.fc43.noarch.rpm
+          sudo alien -d -i systemd-rpm-macros-257.4-3.fc43.noarch.rpm
 
       - name: Checkout
         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0

.github/workflows/reusable_publish_docker.yaml

@@ -33,10 +33,16 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
 
-      - name: Download images tarballs
+      - name: Download x86_64 images tarballs
         uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
-          name: falco-images
+          name: falco-images-x86_64
+          path: /tmp/falco-images
+
+      - name: Download aarch64 images tarballs
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: falco-images-aarch64
           path: /tmp/falco-images
 
       - name: Load all images

.github/workflows/reusable_test_packages.yaml

@@ -40,8 +40,7 @@ jobs:
           tar -xvf $(ls falco-*.tar.gz)
           cd falco-${{ inputs.version }}-${{ inputs.arch }}
           sudo cp -r * /
-     
-      # We only run driver loader tests on x86_64
+    
       - name: Install kernel headers for falco-driver-loader tests
         run: |
           sudo apt update -y
@@ -49,6 +48,7 @@ jobs:
 
       # Some builds use sanitizers, we always install support for them so they can run
       - name: Install sanitizer support
+        if: inputs.sanitizers
         run: |
           sudo apt update -y
           sudo apt install -y libasan5 libubsan1
@@ -56,7 +56,7 @@ jobs:
       - name: Run tests
         env:
           LSAN_OPTIONS: "intercept_tls_get_addr=0"
-        uses: falcosecurity/testing@main 
+        uses: falcosecurity/testing@main
         with:
           test-falco: 'true'
           test-falcoctl: 'true'

ADOPTERS.md

@@ -43,6 +43,8 @@ This is a list of production adopters of Falco (in alphabetical order):
 
 * [MathWorks](https://mathworks.com) - MathWorks develops mathematical computing software for engineers and scientists. MathWorks uses Falco for Kubernetes threat detection, unexpected application behavior, and maps Falco rules to their cloud infrastructure's security kill chain model. MathWorks presented their Falco use case at [KubeCon + CloudNativeCon North America 2020](https://www.youtube.com/watch?v=L-5RYBTV010).
 
+* [NETWAYS Web Services](https://nws.netways.de/en/) - NETWAYS Web Services provides cloud and managed services tailored to their customers needs. From VPCs to managed databases and Kubernetes clusters, NETWAYS Web Services enables their customers to run infrastructure and applications without worries. Falco plays its part for NETWAYS Managed Services to ensure their platform conforms to ISO 27001 at all times and that their clients' workloads behave as expected by detecting anomalies in real-time.
+
 * [Pocteo](https://pocteo.co) - Pocteo helps with Kubernetes adoption in enterprises by providing a variety of services such as training, consulting, auditing and mentoring. We build CI/CD pipelines the GitOps way, as well as design and run k8s clusters. Pocteo uses Falco as a runtime monitoring system to secure clients' workloads against suspicious behavior and ensure k8s pods immutability. We also use Falco to collect, process and act on security events through a response engine and serverless functions.
 
 * [Preferral](https://www.preferral.com) - Preferral is a HIPAA-compliant platform for Referral Management and Online Referral Forms. Preferral streamlines the referral process for patients, specialists and their referral partners. By automating the referral process, referring practices spend less time on the phone, manual efforts are eliminated, and patients get the right care from the right specialist. Preferral leverages Falco to provide a Host Intrusion Detection System to meet their HIPAA compliance requirements.

CHANGELOG.md

@@ -1,5 +1,86 @@
 # Change Log
 
+## v0.40.0
+
+Released on 2025-01-28
+
+### Breaking Changes :warning:
+
+* cleanup(userspac/falco)!: drop deprecated options. [[#3361](https://github.com/falcosecurity/falco/pull/3361)] - [@FedeDP](https://github.com/FedeDP)
+
+
+### Major Changes
+
+* new(docker): streamline docker images [[#3273](https://github.com/falcosecurity/falco/pull/3273)] - [@FedeDP](https://github.com/FedeDP)
+* new(build): reintroduce static build [[#3428](https://github.com/falcosecurity/falco/pull/3428)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(cmake,ci): added support for using jemalloc allocator instead of glibc one and use it by default for release artifacts [[#3406](https://github.com/falcosecurity/falco/pull/3406)] - [@FedeDP](https://github.com/FedeDP)
+* new(userspace,cmake): honor new plugins exposed suggested output formats [[#3388](https://github.com/falcosecurity/falco/pull/3388)] - [@FedeDP](https://github.com/FedeDP)
+* new(userspace/falco): allow entirely disabling plugin hostinfo support. [[#3412](https://github.com/falcosecurity/falco/pull/3412)] - [@FedeDP](https://github.com/FedeDP)
+* new(ci): use `zig` compiler instead of relying on centos7. [[#3307](https://github.com/falcosecurity/falco/pull/3307)] - [@FedeDP](https://github.com/FedeDP)
+* new(falco): add buffer_format_base64 option, deprecate -b [[#3358](https://github.com/falcosecurity/falco/pull/3358)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(falco): add base_syscalls.all option to falco.yaml, deprecate -A [[#3352](https://github.com/falcosecurity/falco/pull/3352)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(falco): add falco_libs.snaplen option, deprecate -S / --snaplen [[#3362](https://github.com/falcosecurity/falco/pull/3362)] - [@LucaGuerra](https://github.com/LucaGuerra)
+
+
+### Minor Changes
+
+* update(cmake): bump falcoctl to v0.11.0 [[#3467](https://github.com/falcosecurity/falco/pull/3467)] - [@alacuku](https://github.com/alacuku)
+* chore(ci): add attestation for falco [[#3216](https://github.com/falcosecurity/falco/pull/3216)] - [@cpanato](https://github.com/cpanato)
+* chore(ci): build Falco in RelWithDebInfo, and upload Falco debug symbols as github artifacts [[#3452](https://github.com/falcosecurity/falco/pull/3452)] - [@FedeDP](https://github.com/FedeDP)
+* update(build): DEB and RPM package requirements for dkms and kernel-devel are now suggestions [[#3450](https://github.com/falcosecurity/falco/pull/3450)] - [@jthiltges](https://github.com/jthiltges)
+
+
+### Bug Fixes
+
+* fix(userspace/falco): fix container_engines.cri.sockets not loading from config file [[#3453](https://github.com/falcosecurity/falco/pull/3453)] - [@zayaanmoez](https://github.com/zayaanmoez)
+* fix(docker): /usr/src/'*' no longer created if $HOST_PATH/usr/src didn't exist at startup [[#3434](https://github.com/falcosecurity/falco/pull/3434)] - [@shane-lawrence](https://github.com/shane-lawrence)
+* fix(docker): add brotli to the Falco image [[#3399](https://github.com/falcosecurity/falco/pull/3399)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(userspace/engine): explicitly disallow appending/modifying a rule with different sources [[#3383](https://github.com/falcosecurity/falco/pull/3383)] - [@mstemm](https://github.com/mstemm)
+
+
+
+### Non user-facing changes
+
+* chore(falco.yaml): remove comments about cri cli arguments [[#3458](https://github.com/falcosecurity/falco/pull/3458)] - [@alacuku](https://github.com/alacuku)
+* fix(ci): fixed reusable_build/publish_docker workflows. [[#3459](https://github.com/falcosecurity/falco/pull/3459)] - [@FedeDP](https://github.com/FedeDP)
+* update(cmake): update libs and driver to latest master [[#3455](https://github.com/falcosecurity/falco/pull/3455)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* chore(ci): bumped actions/upload-download-artifact. [[#3454](https://github.com/falcosecurity/falco/pull/3454)] - [@FedeDP](https://github.com/FedeDP)
+* chore(docker): drop unused libelf dep from container images [[#3451](https://github.com/falcosecurity/falco/pull/3451)] - [@leogr](https://github.com/leogr)
+* chore(docs): update `plugins_hostinfo` config file comment. [[#3449](https://github.com/falcosecurity/falco/pull/3449)] - [@FedeDP](https://github.com/FedeDP)
+* new(build): add RelWithDebInfo target [[#3440](https://github.com/falcosecurity/falco/pull/3440)] - [@shane-lawrence](https://github.com/shane-lawrence)
+* chore(deps): Bump submodules/falcosecurity-rules from `283a62f` to `abf6637` [[#3448](https://github.com/falcosecurity/falco/pull/3448)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(ci): use 4cpu-16gb arm runners [[#3447](https://github.com/falcosecurity/falco/pull/3447)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update(cmake): update libs and driver to latest master [[#3439](https://github.com/falcosecurity/falco/pull/3439)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* chore: avoid deprecated funcs to calculate sha256 [[#3442](https://github.com/falcosecurity/falco/pull/3442)] - [@federico-sysdig](https://github.com/federico-sysdig)
+* chore(ci): enable jemalloc in musl build. [[#3436](https://github.com/falcosecurity/falco/pull/3436)] - [@FedeDP](https://github.com/FedeDP)
+* docs(falco.yaml): correct `buffered_outputs` description [[#3427](https://github.com/falcosecurity/falco/pull/3427)] - [@leogr](https://github.com/leogr)
+* fix(userspace/falco): use correct filtercheck_field_info. [[#3426](https://github.com/falcosecurity/falco/pull/3426)] - [@FedeDP](https://github.com/FedeDP)
+* update(cmake): update libs and driver to latest master [[#3421](https://github.com/falcosecurity/falco/pull/3421)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* fix: update the url for the docs about the concurrent queue classes [[#3415](https://github.com/falcosecurity/falco/pull/3415)] - [@Issif](https://github.com/Issif)
+* update(changelog): updated changelog for 0.39.2. [[#3410](https://github.com/falcosecurity/falco/pull/3410)] - [@FedeDP](https://github.com/FedeDP)
+* update(cmake): update libs and driver to latest master [[#3392](https://github.com/falcosecurity/falco/pull/3392)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* fix(cmake,docker): avoid cpp-httplib requiring brotli. [[#3400](https://github.com/falcosecurity/falco/pull/3400)] - [@FedeDP](https://github.com/FedeDP)
+* chore(deps): Bump submodules/falcosecurity-rules from `407e997` to `283a62f` [[#3391](https://github.com/falcosecurity/falco/pull/3391)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(cmake): bump libs to latest master. [[#3389](https://github.com/falcosecurity/falco/pull/3389)] - [@FedeDP](https://github.com/FedeDP)
+* update(cmake): update libs and driver to latest master [[#3385](https://github.com/falcosecurity/falco/pull/3385)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* Make enable()/disable() virtual so they can be overridden [[#3375](https://github.com/falcosecurity/falco/pull/3375)] - [@mstemm](https://github.com/mstemm)
+* fix(ci): fixed shasum computation for bump-libs CI. [[#3379](https://github.com/falcosecurity/falco/pull/3379)] - [@FedeDP](https://github.com/FedeDP)
+* chore(ci): use redhat advised method to check rpmsign success. [[#3376](https://github.com/falcosecurity/falco/pull/3376)] - [@FedeDP](https://github.com/FedeDP)
+* chore(deps): Bump submodules/falcosecurity-rules from `e38fb3f` to `407e997` [[#3374](https://github.com/falcosecurity/falco/pull/3374)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* Compile output clone [[#3364](https://github.com/falcosecurity/falco/pull/3364)] - [@mstemm](https://github.com/mstemm)
+* fix(ci): fixed bump-libs workflow syntax. [[#3369](https://github.com/falcosecurity/falco/pull/3369)] - [@FedeDP](https://github.com/FedeDP)
+* new(ci): add a workflow to automatically bump libs on each monday. [[#3360](https://github.com/falcosecurity/falco/pull/3360)] - [@FedeDP](https://github.com/FedeDP)
+* chore(deps): Bump submodules/falcosecurity-rules from `b6ad373` to `e38fb3f` [[#3365](https://github.com/falcosecurity/falco/pull/3365)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* cleanup(falco): reformat options::define [[#3356](https://github.com/falcosecurity/falco/pull/3356)] - [@LucaGuerra](https://github.com/LucaGuerra)
+
+### Statistics
+
+|   MERGED PRS    | NUMBER |
+|-----------------|--------|
+| Not user-facing |     31 |
+| Release note    |     18 |
+| Total           |     49 |
+
 ## v0.39.2
 
 Released on 2024-11-21

CMakeLists.txt

@@ -267,6 +267,34 @@ if(NOT WIN32
    AND NOT MUSL_OPTIMIZED_BUILD
 )
 	include(falcoctl)
+	include(container_plugin)
+
+	# Generate a binary_dir/falco.yaml that automatically enables the plugin to be used for local
+	# testing.
+	configure_file(${CMAKE_SOURCE_DIR}/falco.yaml ${CMAKE_BINARY_DIR} COPYONLY)
+	# The custom target configures the plugin and set its path
+	add_custom_target(
+		container
+		COMMAND sed -i 's,^load_plugins: .*,load_plugins: [container],g'
+				${CMAKE_BINARY_DIR}/falco.yaml
+		COMMAND sed -i 's,libcontainer.so,${CONTAINER_LIBRARY},g' ${CMAKE_BINARY_DIR}/falco.yaml
+		DEPENDS container_plugin
+	)
+	# Let `make falco` also download container plugin
+	add_dependencies(falco container)
+
+	# Install the plugin
+	install(
+		FILES "${CONTAINER_LIBRARY}"
+		DESTINATION "${FALCO_ABSOLUTE_SHARE_DIR}/plugins"
+		COMPONENT "${FALCO_COMPONENT_NAME}"
+	)
+	# Install additional config override file to enable the container plugin
+	install(
+		FILES "${PROJECT_SOURCE_DIR}/config/falco.container_plugin.yaml"
+		DESTINATION "${FALCO_ETC_DIR}/config.d"
+		COMPONENT "${FALCO_COMPONENT_NAME}"
+	)
 endif()
 
 # Packages configuration

README.md

@@ -2,7 +2,7 @@
 
 [![Latest release](https://img.shields.io/github/v/release/falcosecurity/falco?style=for-the-badge)](https://github.com/falcosecurity/falco/releases/latest) [![Supported Architectures](https://img.shields.io/badge/ARCHS-x86__64%7Caarch64-blueviolet?style=for-the-badge)](https://github.com/falcosecurity/falco/releases/latest) [![License](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING) [![Docs](https://img.shields.io/badge/docs-latest-green.svg?style=for-the-badge)](https://falco.org/docs)
 
-[![Falco Core Repository](https://github.com/falcosecurity/evolution/blob/main/repos/badges/falco-core-blue.svg)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#core-scope) [![Stable](https://img.shields.io/badge/status-stable-brightgreen?style=for-the-badge)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#stable)  [![OpenSSF Scorecard](https://img.shields.io/ossf-scorecard/github.com/falcosecurity/falco?label=openssf%20scorecard&style=for-the-badge)](https://scorecard.dev/viewer/?uri=github.com/falcosecurity/falco)  [![OpenSSF Best Practices](https://img.shields.io/cii/summary/2317?label=OpenSSF%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) <a href="https://actuated.dev/"><img alt="Arm CI sponsored by Actuated" src="https://docs.actuated.dev/images/actuated-badge.png" width="120px"></img></a>
+[![Falco Core Repository](https://github.com/falcosecurity/evolution/blob/main/repos/badges/falco-core-blue.svg)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#core-scope) [![Stable](https://img.shields.io/badge/status-stable-brightgreen?style=for-the-badge)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#stable)  [![OpenSSF Scorecard](https://img.shields.io/ossf-scorecard/github.com/falcosecurity/falco?label=openssf%20scorecard&style=for-the-badge)](https://scorecard.dev/viewer/?uri=github.com/falcosecurity/falco)  [![OpenSSF Best Practices](https://img.shields.io/cii/summary/2317?label=OpenSSF%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317)
 
 [![Falco](https://falco.org/img/brand/falco-horizontal-color.svg)](https://falco.org)
 
@@ -14,43 +14,30 @@ Falco, originally created by [Sysdig](https://sysdig.com), is a **graduated proj
 
 For detailed technical information and insights into the cyber threats that Falco can detect, visit the official [Falco](https://falco.org/) website.
 
-For comprehensive information on the latest updates and changes to the project, please refer to the [Change Log](CHANGELOG.md). Additionally, we have documented the [Release Process](RELEASE.md) for delivering new versions of Falco.
+For comprehensive information on the latest updates and changes to the project, please refer to the [Change Log](CHANGELOG.md).
 
-## Falco Repo: Powering the Core of The Falco Project
+## The Falco Project
 
-This is the main Falco repository which contains the source code for building the Falco binary. By utilizing its [libs](https://github.com/falcosecurity/libs) and the [falco.yaml](falco.yaml) configuration file, this repository forms the foundation of Falco's functionality. The Falco repository is closely interconnected with the following *core* repositories:
+The Falco Project codebase is maintained under the [falcosecurity GitHub organization](https://github.com/falcosecurity). The primary repository, [falcosecurity/falco](https://github.com/falcosecurity/falco), holds the source code for the Falco binary, while other sub-projects are hosted in dedicated repositories. This approach of isolating components into specialized repositories enhances modularity and focused development. Notable [core repositories](https://github.com/falcosecurity/evolution?tab=readme-ov-file#core) include:
 
-- [falcosecurity/libs](https://github.com/falcosecurity/libs): Falco's libraries are key to its fundamental operations, making up the greater portion of the source code of the Falco binary and providing essential features such as kernel drivers.
-- [falcosecurity/rules](https://github.com/falcosecurity/rules): Contains the official ruleset for Falco, providing pre-defined detection rules for various security threats and abnormal behaviors.
-- [falcosecurity/plugins](https://github.com/falcosecurity/plugins/): Falco plugins facilitate integration with external services, expand Falco's capabilities beyond syscalls and container events, and are designed to evolve with specialized functionality in future releases.
-- [falcosecurity/falcoctl](https://github.com/falcosecurity/falcoctl): Command-line utility for managing and interacting with Falco.
+- [falcosecurity/libs](https://github.com/falcosecurity/libs): This repository hosts Falco's core libraries, which constitute the majority of the binary’s source code and provide essential features, such as kernel drivers.
+- [falcosecurity/rules](https://github.com/falcosecurity/rules): It contains the official ruleset for Falco, offering pre-defined detection rules for various security threats and abnormal behaviors.
+- [falcosecurity/plugins](https://github.com/falcosecurity/plugins): This repository supports integration with external services through plugins that extend Falco's capabilities beyond syscalls and container events, with plans for evolving specialized functionalities in future releases.
+- [falcosecurity/falcoctl](https://github.com/falcosecurity/falcoctl): A command-line utility designed for managing and interacting with Falco.
+- [falcosecurity/charts](https://github.com/falcosecurity/charts): This repository provides Helm charts for deploying Falco and its ecosystem, simplifying the installation and management process.
 
-For more information, visit the official hub of The Falco Project: [falcosecurity/evolution](https://github.com/falcosecurity/evolution). It provides valuable insights and information about the project's repositories.
+For further insights into our repositories and additional details about our governance model, please visit the official hub of The Falco Project: [falcosecurity/evolution](https://github.com/falcosecurity/evolution).
 
 ## Getting Started with Falco
 
-Carefully review and follow the [Official Documentation](https://falco.org/docs/install-operate/).
+If you're new to Falco, begin your journey with our [Getting Started](https://falco.org/docs/getting-started/) guide. For production deployments, please refer to our comprehensive [Setup](https://falco.org/docs/setup/) documentation.
 
-Considerations and guidance for Falco adopters:
-
-1. Understand dependencies: Assess the environment where you'll run Falco and consider kernel versions and architectures.
-
-2. Define threat detection objectives: Clearly identify the threats you want to detect and evaluate Falco's strengths and limitations.
-
-3. Consider performance and cost: Assess compute performance overhead and align with system administrators or SREs. Budget accordingly.
-
-4. Choose build and customization approach: Decide between the open source Falco build or creating a custom build pipeline. Customize the build and deployment process as necessary, including incorporating unique tests or approaches, to ensure a resilient deployment with fast deployment cycles.
-
-5. Integrate with output destinations: Integrate Falco with SIEM, data lake systems, or other preferred output destinations to establish a robust foundation for comprehensive data analysis and enable effective incident response workflows.
+As final recommendations before deploying Falco, verify environment compatibility, define your detection goals, optimize performance, choose the appropriate build, and plan for SIEM or data lake integration to ensure effective incident response.
 
 ### Demo Environment
 
 A demo environment is provided via a docker-compose file that can be started on a docker host which includes falco, falcosidekick, falcosidekick-ui and its required redis database. For more information see the [docker-compose section](docker/docker-compose/)
 
-## How to Contribute
-
-Please refer to the [Contributing](https://github.com/falcosecurity/.github/blob/main/CONTRIBUTING.md) guide and the [Code of Conduct](https://github.com/falcosecurity/evolution/blob/main/CODE_OF_CONDUCT.md) for more information on how to contribute.
-
 ## Join the Community
 
 To get involved with the Falco Project please visit the [Community](https://github.com/falcosecurity/community) repository to find more information and ways to get involved.
@@ -71,20 +58,16 @@ In addition, you can refer to the [falco](https://github.com/falcosecurity/falco
 
 To report security vulnerabilities, please follow the community process outlined in the documentation found [here](https://github.com/falcosecurity/.github/blob/main/SECURITY.md).
 
-## What's next for Falco?
+## Building
 
-Stay updated with Falco's evolving capabilities by exploring the [Falco Roadmap](https://github.com/orgs/falcosecurity/projects/5), which provides insights into the features currently under development and planned for future releases.
-
-## License
-
-Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
+For comprehensive, step-by-step instructions on building Falco from source, please refer to the [official documentation](https://falco.org/docs/developer-guide/source/).
 
 ## Testing
 
 <details>
 	<summary>Expand Testing Instructions</summary>
 
-Falco's [Build Falco from source](https://falco.org/docs/install-operate/source/) is the go-to resource to understand how to build Falco from source. In addition, the [falcosecurity/libs](https://github.com/falcosecurity/libs) repository offers additional valuable information about tests and debugging of Falco's underlying libraries and kernel drivers.
+Falco's [Build Falco from source](https://falco.org/docs/developer-guide/source/) is the go-to resource to understand how to build Falco from source. In addition, the [falcosecurity/libs](https://github.com/falcosecurity/libs) repository offers additional valuable information about tests and debugging of Falco's underlying libraries and kernel drivers.
 
 Here's an example of a `cmake` command that will enable everything you need for all unit tests of this repository:
 
@@ -117,7 +100,13 @@ Lastly, The Falco Project has moved its Falco regression tests to [falcosecurity
 
 </br>
 
-## Why is Falco in C++ rather than Go or {language}?
+ ## How to Contribute
+
+Please refer to the [Contributing](https://github.com/falcosecurity/.github/blob/main/CONTRIBUTING.md) guide and the [Code of Conduct](https://github.com/falcosecurity/evolution/blob/main/CODE_OF_CONDUCT.md) for more information on how to contribute.
+
+## FAQs
+
+### Why is Falco in C++ rather than Go or {language}?
 
 <details>
 	<summary>Expand Information</summary>
@@ -136,6 +125,14 @@ Lastly, The Falco Project has moved its Falco regression tests to [falcosecurity
 </details>
 </br>
 
+### What's next for Falco?
+
+Stay updated with Falco's evolving capabilities by exploring the [Falco Roadmap](https://github.com/orgs/falcosecurity/projects/5), which provides insights into the features currently under development and planned for future releases.
+
+## License
+
+Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
+
 ## Resources
 
  - [Governance](https://github.com/falcosecurity/evolution/blob/main/GOVERNANCE.md)
@@ -145,5 +142,6 @@ Lastly, The Falco Project has moved its Falco regression tests to [falcosecurity
  - [Repositories Guidelines](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md)
  - [Repositories List](https://github.com/falcosecurity/evolution/blob/main/README.md#repositories)
  - [Adopters List](https://github.com/falcosecurity/falco/blob/master/ADOPTERS.md)
- - [Install and Operate](https://falco.org/docs/install-operate/)
+ - [Release Process](RELEASE.md)
+ - [Setup documentation](https://falco.org/docs/setup/)
  - [Troubleshooting](https://falco.org/docs/troubleshooting/)

cmake/modules/cares.cmake

@@ -0,0 +1,77 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+option(USE_BUNDLED_CARES "Enable building of the bundled c-ares" ${USE_BUNDLED_DEPS})
+
+if(CARES_INCLUDE)
+	# we already have c-ares
+elseif(NOT USE_BUNDLED_CARES)
+	find_path(CARES_INCLUDE NAMES cares/ares.h ares.h)
+	find_library(CARES_LIB NAMES cares)
+	if(CARES_INCLUDE AND CARES_LIB)
+		message(STATUS "Found c-ares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}")
+	else()
+		message(FATAL_ERROR "Couldn't find system c-ares")
+	endif()
+else()
+	if(BUILD_SHARED_LIBS)
+		set(CARES_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
+		set(CARES_STATIC_OPTION "Off")
+	else()
+		set(CARES_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
+		set(CARES_STATIC_OPTION "On")
+	endif()
+	set(CARES_SRC "${PROJECT_BINARY_DIR}/c-ares-prefix/src/c-ares")
+	set(CARES_INCLUDE "${CARES_SRC}/include/")
+	set(CARES_LIB "${CARES_SRC}/lib/libcares${CARES_LIB_SUFFIX}")
+
+	if(NOT TARGET c-ares)
+		message(STATUS "Using bundled c-ares in '${CARES_SRC}'")
+		ExternalProject_Add(
+			c-ares
+			PREFIX "${PROJECT_BINARY_DIR}/c-ares-prefix"
+			URL "https://github.com/c-ares/c-ares/releases/download/v1.33.1/c-ares-1.33.1.tar.gz"
+			URL_HASH "SHA256=06869824094745872fa26efd4c48e622b9bd82a89ef0ce693dc682a23604f415"
+			BUILD_IN_SOURCE 1
+			CMAKE_ARGS -DCMAKE_POLICY_DEFAULT_CMP0091:STRING=NEW
+					   -DCMAKE_MSVC_RUNTIME_LIBRARY=${CMAKE_MSVC_RUNTIME_LIBRARY}
+					   -DCARES_SHARED=${BUILD_SHARED_LIBS}
+					   -DCARES_STATIC=${CARES_STATIC_OPTION}
+					   -DCARES_STATIC_PIC=${ENABLE_PIC}
+					   -DCARES_BUILD_TOOLS=Off
+					   -DCARES_INSTALL=Off
+					   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
+			BUILD_BYPRODUCTS ${CARES_INCLUDE} ${CARES_LIB}
+			INSTALL_COMMAND ""
+		)
+		install(
+			FILES "${CARES_LIB}"
+			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+		install(
+			DIRECTORY "${CARES_INCLUDE}"
+			DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+	endif()
+
+endif()
+
+if(NOT TARGET c-ares)
+	add_custom_target(c-ares)
+endif()
+
+include_directories("${CARES_INCLUDE}")

cmake/modules/curl.cmake

@@ -0,0 +1,100 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+option(USE_BUNDLED_CURL "Enable building of the bundled curl" ${USE_BUNDLED_DEPS})
+
+include(openssl)
+include(zlib)
+
+if(CURL_INCLUDE_DIRS)
+	# we already have curl
+elseif(NOT USE_BUNDLED_CURL)
+	find_package(CURL REQUIRED)
+	message(STATUS "Found CURL: include: ${CURL_INCLUDE_DIRS}, lib: ${CURL_LIBRARIES}")
+else()
+	if(BUILD_SHARED_LIBS)
+		set(CURL_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
+		set(CURL_STATIC_OPTION)
+	else()
+		set(CURL_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
+		set(CURL_STATIC_OPTION --disable-shared)
+	endif()
+	set(CURL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/curl-prefix/src/curl")
+	set(CURL_INCLUDE_DIRS "${CURL_BUNDLE_DIR}/include/")
+	set(CURL_LIBRARIES "${CURL_BUNDLE_DIR}/lib/.libs/libcurl${CURL_LIB_SUFFIX}")
+
+	if(NOT USE_BUNDLED_OPENSSL)
+		set(CURL_SSL_OPTION "--with-ssl")
+	else()
+		set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}")
+		message(STATUS "Using SSL for curl in '${OPENSSL_INSTALL_DIR}'")
+	endif()
+
+	if(NOT USE_BUNDLED_ZLIB)
+		set(CURL_ZLIB_OPTION "--with-zlib")
+	else()
+		set(CURL_ZLIB_OPTION "--with-zlib=${ZLIB_SRC}")
+		message(STATUS "Using zlib for curl in '${ZLIB_SRC}'")
+	endif()
+	message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'")
+
+	if(NOT ENABLE_PIC)
+		set(CURL_PIC_OPTION)
+	else()
+		set(CURL_PIC_OPTION "--with-pic")
+	endif()
+
+	if(NOT TARGET curl)
+		ExternalProject_Add(
+			curl
+			PREFIX "${PROJECT_BINARY_DIR}/curl-prefix"
+			DEPENDS openssl zlib
+			URL "https://github.com/curl/curl/releases/download/curl-8_7_1/curl-8.7.1.tar.bz2"
+			URL_HASH "SHA256=05bbd2b698e9cfbab477c33aa5e99b4975501835a41b7ca6ca71de03d8849e76"
+			CONFIGURE_COMMAND
+				./configure ${CURL_SSL_OPTION} ${CURL_ZLIB_OPTION} ${CURL_STATIC_OPTION}
+				${CURL_PIC_OPTION} --enable-optimize --disable-curldebug --disable-rt --enable-http
+				--disable-ftp --disable-file --disable-ldap --disable-ldaps --disable-rtsp
+				--disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smb
+				--disable-smtp --disable-gopher --disable-sspi --disable-ntlm-wb --disable-tls-srp
+				--without-winssl --without-polarssl --without-cyassl --without-nss --without-axtls
+				--without-librtmp --without-winidn --without-libidn2 --without-libpsl
+				--without-nghttp2 --without-libssh2 --with-ca-path=/etc/ssl/certs/
+				--disable-threaded-resolver --without-brotli --without-zstd
+			BUILD_COMMAND make
+			BUILD_IN_SOURCE 1
+			BUILD_BYPRODUCTS ${CURL_LIBRARIES}
+			INSTALL_COMMAND ""
+		)
+		install(
+			FILES "${CURL_LIBRARIES}"
+			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+		install(
+			DIRECTORY "${CURL_INCLUDE_DIRS}curl"
+			DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+			FILES_MATCHING
+			PATTERN "*.h"
+		)
+	endif()
+endif()
+
+if(NOT TARGET curl)
+	add_custom_target(curl)
+endif()
+
+include_directories("${CURL_INCLUDE_DIRS}")

cmake/modules/driver.cmake

@@ -35,9 +35,9 @@ else()
 	# FALCOSECURITY_LIBS_VERSION. In case you want to test against another driver version (or
 	# branch, or commit) just pass the variable - ie., `cmake -DDRIVER_VERSION=dev ..`
 	if(NOT DRIVER_VERSION)
-		set(DRIVER_VERSION "cb93f4b3d75b7c61f3056fa8b08fb904d9aa13fc")
+		set(DRIVER_VERSION "dc16ffa8553155ef16f739cc5105bff2e07b1984")
 		set(DRIVER_CHECKSUM
-			"SHA256=70592c7651032d528ee945a1cb63b6488546a67f46c545493eefe3d2777b4023"
+			"SHA256=1d974bc06ba4b74ea8b598fa3b204b6efd873790c09516f7fe72465c4b354d66"
 		)
 	endif()
 

cmake/modules/falcoctl.cmake

@@ -20,16 +20,16 @@ option(ADD_FALCOCTL_DEPENDENCY "Add falcoctl dependency while building falco" ON
 if(ADD_FALCOCTL_DEPENDENCY)
 	string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} FALCOCTL_SYSTEM_NAME)
 
-	set(FALCOCTL_VERSION "0.10.1")
+	set(FALCOCTL_VERSION "0.11.0")
 
 	message(STATUS "Building with falcoctl: ${FALCOCTL_VERSION}")
 
 	if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
 		set(FALCOCTL_SYSTEM_PROC_GO "amd64")
-		set(FALCOCTL_HASH "039961004a72d27409ab6ba82542134bd5df8a69ad341c897f3d26b6596b9e6a")
+		set(FALCOCTL_HASH "b9d0e0f50813e7172a945f36f70c5c3c16a677ab4c85b35b6f7a155bc92768fc")
 	else() # aarch64
 		set(FALCOCTL_SYSTEM_PROC_GO "arm64")
-		set(FALCOCTL_HASH "fbaf83512cc73e99f14f90cb14ed4eee83f40efde3d398c7b7ef02163116f2fc")
+		set(FALCOCTL_HASH "689c625d1d414cbf53d39ef94083a53dda3ea4ac4908799fb85f4519e21442e0")
 	endif()
 
 	ExternalProject_Add(

cmake/modules/falcosecurity-libs.cmake

@@ -42,9 +42,9 @@ else()
 	# version (or branch, or commit) just pass the variable - ie., `cmake
 	# -DFALCOSECURITY_LIBS_VERSION=dev ..`
 	if(NOT FALCOSECURITY_LIBS_VERSION)
-		set(FALCOSECURITY_LIBS_VERSION "cb93f4b3d75b7c61f3056fa8b08fb904d9aa13fc")
+		set(FALCOSECURITY_LIBS_VERSION "dc16ffa8553155ef16f739cc5105bff2e07b1984")
 		set(FALCOSECURITY_LIBS_CHECKSUM
-			"SHA256=70592c7651032d528ee945a1cb63b6488546a67f46c545493eefe3d2777b4023"
+			"SHA256=1d974bc06ba4b74ea8b598fa3b204b6efd873790c09516f7fe72465c4b354d66"
 		)
 	endif()
 

cmake/modules/grpc.cmake

@@ -0,0 +1,274 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+option(USE_BUNDLED_GRPC "Enable building of the bundled grpc" ${USE_BUNDLED_DEPS})
+
+if(GRPC_INCLUDE)
+	# we already have grpc
+elseif(NOT USE_BUNDLED_GRPC)
+	# gRPC
+	find_package(gRPC CONFIG)
+	if(gRPC_FOUND)
+		message(STATUS "Using gRPC ${gRPC_VERSION}")
+		set(GPR_LIB gRPC::gpr)
+		set(GRPC_LIB gRPC::grpc)
+		set(GRPCPP_LIB gRPC::grpc++)
+
+		# gRPC C++ plugin
+		get_target_property(GRPC_CPP_PLUGIN gRPC::grpc_cpp_plugin LOCATION)
+		if(NOT GRPC_CPP_PLUGIN)
+			message(FATAL_ERROR "System grpc_cpp_plugin not found")
+		endif()
+
+		# gRPC include dir + properly handle grpc{++,pp}
+		get_target_property(GRPC_INCLUDE gRPC::grpc++ INTERFACE_INCLUDE_DIRECTORIES)
+		find_path(
+			GRPCXX_INCLUDE
+			NAMES grpc++/grpc++.h
+			PATHS ${GRPC_INCLUDE}
+		)
+		if(NOT GRPCXX_INCLUDE)
+			find_path(
+				GRPCPP_INCLUDE
+				NAMES grpcpp/grpcpp.h
+				PATHS ${GRPC_INCLUDE}
+			)
+			add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1)
+		endif()
+	else()
+		# Fallback to manually find libraries; Some distro, namely Ubuntu focal, do not install gRPC
+		# config cmake module
+		find_library(GPR_LIB NAMES gpr)
+		if(GPR_LIB)
+			message(STATUS "Found gpr lib: ${GPR_LIB}")
+		else()
+			message(FATAL_ERROR "Couldn't find system gpr")
+		endif()
+		find_path(GRPCXX_INCLUDE NAMES grpc++/grpc++.h)
+		if(GRPCXX_INCLUDE)
+			set(GRPC_INCLUDE ${GRPCXX_INCLUDE})
+		else()
+			find_path(GRPCPP_INCLUDE NAMES grpcpp/grpcpp.h)
+			set(GRPC_INCLUDE ${GRPCPP_INCLUDE})
+			add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1)
+		endif()
+		find_library(GRPC_LIB NAMES grpc)
+		find_library(GRPCPP_LIB NAMES grpc++)
+		if(GRPC_INCLUDE
+		   AND GRPC_LIB
+		   AND GRPCPP_LIB
+		)
+			message(
+				STATUS
+					"Found grpc: include: ${GRPC_INCLUDE}, C lib: ${GRPC_LIB}, C++ lib: ${GRPCPP_LIB}"
+			)
+		else()
+			message(FATAL_ERROR "Couldn't find system grpc")
+		endif()
+		find_program(GRPC_CPP_PLUGIN grpc_cpp_plugin)
+		if(NOT GRPC_CPP_PLUGIN)
+			message(FATAL_ERROR "System grpc_cpp_plugin not found")
+		endif()
+	endif()
+else()
+	include(cares)
+	include(protobuf)
+	include(zlib)
+	include(openssl)
+	if(BUILD_SHARED_LIBS)
+		set(GRPC_OPENSSL_STATIC_LIBS_OPTION FALSE)
+	else()
+		set(GRPC_OPENSSL_STATIC_LIBS_OPTION TRUE)
+	endif()
+	include(re2)
+	set(GRPC_SRC "${PROJECT_BINARY_DIR}/grpc-prefix/src/grpc")
+	set(GRPC_INSTALL_DIR "${GRPC_SRC}/target")
+	set(GRPC_INCLUDE "${GRPC_INSTALL_DIR}/include" "${GRPC_SRC}/third_party/abseil-cpp")
+	set(GPR_LIB "${GRPC_SRC}/libgpr.a")
+	set(GRPC_LIB "${GRPC_SRC}/libgrpc.a")
+	set(GRPCPP_LIB "${GRPC_SRC}/libgrpc++.a")
+	set(GRPC_CPP_PLUGIN "${GRPC_SRC}/grpc_cpp_plugin")
+	set(GRPC_MAIN_LIBS "")
+	list(
+		APPEND
+		GRPC_MAIN_LIBS
+		"${GPR_LIB}"
+		"${GRPC_LIB}"
+		"${GRPCPP_LIB}"
+		"${GRPC_SRC}/libgrpc++_alts.a"
+		"${GRPC_SRC}/libgrpc++_error_details.a"
+		"${GRPC_SRC}/libgrpc++_reflection.a"
+		"${GRPC_SRC}/libgrpc++_unsecure.a"
+		"${GRPC_SRC}/libgrpc_plugin_support.a"
+		"${GRPC_SRC}/libgrpc_unsecure.a"
+		"${GRPC_SRC}/libgrpcpp_channelz.a"
+	)
+
+	get_filename_component(PROTOC_DIR ${PROTOC} PATH)
+
+	if(NOT TARGET grpc)
+		message(STATUS "Using bundled grpc in '${GRPC_SRC}'")
+
+		# fixme(leogr): this workaround is required to inject the missing deps (built by gRCP
+		# cmakefiles) into target_link_libraries later note: the list below is manually generated
+		# starting from the output of pkg-config --libs grpc++
+		set(GRPC_LIBRARIES "")
+		list(
+			APPEND
+			GRPC_LIBRARIES
+			"${GRPC_SRC}/libaddress_sorting.a"
+			"${GRPC_SRC}/libupb.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/hash/libabsl_hash.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/hash/libabsl_city.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/hash/libabsl_low_level_hash.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/container/libabsl_raw_hash_set.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/container/libabsl_hashtablez_sampler.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/status/libabsl_statusor.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/status/libabsl_status.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cord.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cordz_functions.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/profiling/libabsl_exponential_biased.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/types/libabsl_bad_optional_access.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/types/libabsl_bad_variant_access.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_str_format_internal.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/synchronization/libabsl_synchronization.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/synchronization/libabsl_graphcycles_internal.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_stacktrace.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_symbolize.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_debugging_internal.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_demangle_internal.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_malloc_internal.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/time/libabsl_time.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/time/libabsl_civil_time.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_strings.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_strings_internal.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_base.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_spinlock_wait.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/numeric/libabsl_int128.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_throw_delegate.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_raw_logging_internal.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_log_severity.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/time/libabsl_time_zone.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cord_internal.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cordz_info.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cordz_handle.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_pool_urbg.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen_hwaes.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen_hwaes_impl.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen_slow.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_seed_material.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_platform.a"
+			"${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_seed_gen_exception.a"
+		)
+
+		# Make abseil-cpp build compatible with gcc-13 See
+		# https://patchwork.yoctoproject.org/project/oe/patch/20230518093301.2938164-1-Martin.Jansa@gmail.com/
+		# TO BE DROPPED once we finally upgrade grpc...
+		set(GRPC_PATCH_CMD
+			sh
+			-c
+			"sed -i '20s/^/#include <cstdint>/' ${GRPC_SRC}/third_party/abseil-cpp/absl/strings/internal/str_format/extension.h"
+		)
+
+		# Zig workaround: Add a PATCH_COMMAND to grpc cmake to fixup emitted -march by abseil-cpp
+		# cmake module, making it use a name understood by zig for arm64. See
+		# https://github.com/abseil/abseil-cpp/blob/master/absl/copts/GENERATED_AbseilCopts.cmake#L226.
+		if(CMAKE_C_COMPILER MATCHES "zig")
+			message(STATUS "Enabling zig workaround for abseil-cpp")
+			set(GRPC_PATCH_CMD
+				${GRPC_PATCH_CMD}
+				&&
+				sh
+				-c
+				"sed -i 's/armv8-a/cortex_a57/g' ${GRPC_SRC}/third_party/abseil-cpp/absl/copts/GENERATED_AbseilCopts.cmake"
+			)
+		endif()
+
+		ExternalProject_Add(
+			grpc
+			PREFIX "${PROJECT_BINARY_DIR}/grpc-prefix"
+			DEPENDS openssl protobuf c-ares zlib re2
+			GIT_REPOSITORY https://github.com/grpc/grpc.git
+			GIT_TAG v1.44.0
+			GIT_SUBMODULES "third_party/abseil-cpp"
+			CMAKE_CACHE_ARGS
+				-DCMAKE_INSTALL_PREFIX:PATH=${GRPC_INSTALL_DIR}
+				-DCMAKE_BUILD_TYPE:STRING=${CMAKE_BUILD_TYPE}
+				-DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=${ENABLE_PIC}
+				-DgRPC_INSTALL:BOOL=OFF
+				# disable unused stuff
+				-DgRPC_BUILD_TESTS:BOOL=OFF
+				-DgRPC_BUILD_CSHARP_EXT:BOOL=OFF
+				-DgRPC_BUILD_GRPC_CSHARP_PLUGIN:BOOL=OFF
+				-DgRPC_BUILD_GRPC_NODE_PLUGIN:BOOL=OFF
+				-DgRPC_BUILD_GRPC_OBJECTIVE_C_PLUGIN:BOOL=OFF
+				-DgRPC_BUILD_GRPC_PHP_PLUGIN:BOOL=OFF
+				-DgRPC_BUILD_GRPC_PYTHON_PLUGIN:BOOL=OFF
+				-DgRPC_BUILD_GRPC_RUBY_PLUGIN:BOOL=OFF
+				# deps provided by us
+				# https://github.com/grpc/grpc/blob/v1.32.0/cmake/modules/Findc-ares.cmake
+				-DgRPC_CARES_PROVIDER:STRING=package
+				-Dc-ares_DIR:PATH=${CARES_SRC}
+				-Dc-ares_INCLUDE_DIR:PATH=${CARES_INCLUDE}
+				-Dc-ares_LIBRARY:PATH=${CARES_LIB}
+				# https://cmake.org/cmake/help/v3.6/module/FindProtobuf.html
+				-DgRPC_PROTOBUF_PROVIDER:STRING=package
+				-DCMAKE_CXX_FLAGS:STRING=-I${PROTOBUF_INCLUDE}
+				-DProtobuf_INCLUDE_DIR:PATH=${PROTOBUF_INCLUDE}
+				-DProtobuf_LIBRARY:PATH=${PROTOBUF_LIB}
+				-DProtobuf_PROTOC_LIBRARY:PATH=${PROTOC_LIB}
+				-DProtobuf_PROTOC_EXECUTABLE:PATH=${PROTOC}
+				# https://cmake.org/cmake/help/v3.6/module/FindOpenSSL.html
+				-DgRPC_SSL_PROVIDER:STRING=package
+				-DOPENSSL_ROOT_DIR:PATH=${OPENSSL_INSTALL_DIR}
+				-DOPENSSL_USE_STATIC_LIBS:BOOL=${GRPC_OPENSSL_STATIC_LIBS_OPTION}
+				# https://cmake.org/cmake/help/v3.6/module/FindZLIB.html
+				-DgRPC_ZLIB_PROVIDER:STRING=package
+				-DZLIB_ROOT:STRING=${ZLIB_SRC}
+				# RE2
+				-DgRPC_RE2_PROVIDER:STRING=package
+				-Dre2_DIR:PATH=${RE2_DIR}
+			BUILD_IN_SOURCE 1
+			BUILD_BYPRODUCTS ${GRPC_LIB} ${GRPCPP_LIB} ${GPR_LIB} ${GRPC_LIBRARIES}
+			# Keep installation files into the local ${GRPC_INSTALL_DIR} since here is the case when
+			# we are embedding gRPC
+			UPDATE_COMMAND ""
+			PATCH_COMMAND ${GRPC_PATCH_CMD}
+			INSTALL_COMMAND DESTDIR= ${CMAKE_MAKE_PROGRAM} install
+		)
+		install(
+			FILES ${GRPC_MAIN_LIBS}
+			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+		install(
+			FILES ${GRPC_LIBRARIES}
+			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+		install(
+			DIRECTORY "${GRPC_SRC}/target/include/"
+			DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+	endif()
+endif()
+
+if(NOT TARGET grpc)
+	add_custom_target(grpc)
+endif()
+
+include_directories("${GRPC_INCLUDE}")

cmake/modules/jemalloc.cmake

@@ -40,12 +40,18 @@ else()
 	set(JEMALLOC_SRC "${PROJECT_BINARY_DIR}/jemalloc-prefix/src")
 	set(JEMALLOC_LIB "${JEMALLOC_SRC}/jemalloc/lib/libjemalloc${JEMALLOC_LIB_SUFFIX}")
 	set(JEMALLOC_INCLUDE "${JEMALLOC_SRC}/jemalloc/include/jemalloc")
+	if(CMAKE_SYSTEM_PROCESSOR STREQUAL "aarch64")
+		set(JEMALLOC_ARCH_SPECIFIC_CONFIGURE_ARGS --with-lg-page=14)
+	else()
+		set(JEMALLOC_ARCH_SPECIFIC_CONFIGURE_ARGS "")
+	endif()
 	ExternalProject_Add(
 		jemalloc
 		PREFIX "${PROJECT_BINARY_DIR}/jemalloc-prefix"
 		URL "https://github.com/jemalloc/jemalloc/archive/refs/tags/5.3.0.tar.gz"
 		URL_HASH "SHA256=ef6f74fd45e95ee4ef7f9e19ebe5b075ca6b7fbe0140612b2a161abafb7ee179"
 		CONFIGURE_COMMAND ./autogen.sh --enable-prof --disable-libdl
+						  ${JEMALLOC_ARCH_SPECIFIC_CONFIGURE_ARGS}
 		BUILD_IN_SOURCE 1
 		BUILD_COMMAND make build_lib_static
 		INSTALL_COMMAND ""

cmake/modules/openssl.cmake

@@ -0,0 +1,81 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+option(USE_BUNDLED_OPENSSL "Enable building of the bundled OpenSSL" ${USE_BUNDLED_DEPS})
+
+if(OPENSSL_INCLUDE_DIR)
+	# we already have openssl
+elseif(NOT USE_BUNDLED_OPENSSL)
+	find_package(OpenSSL REQUIRED)
+	message(STATUS "Found OpenSSL: include: ${OPENSSL_INCLUDE_DIR}, lib: ${OPENSSL_LIBRARIES}")
+else()
+	if(BUILD_SHARED_LIBS)
+		set(OPENSSL_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
+		set(OPENSSL_SHARED_OPTION shared)
+	else()
+		set(OPENSSL_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
+		set(OPENSSL_SHARED_OPTION no-shared)
+	endif()
+	set(OPENSSL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl")
+	set(OPENSSL_INSTALL_DIR "${OPENSSL_BUNDLE_DIR}/target")
+	set(OPENSSL_INCLUDE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl/include/")
+	set(OPENSSL_LIBRARY_SSL "${OPENSSL_INSTALL_DIR}/lib/libssl${OPENSSL_LIB_SUFFIX}")
+	set(OPENSSL_LIBRARY_CRYPTO "${OPENSSL_INSTALL_DIR}/lib/libcrypto${OPENSSL_LIB_SUFFIX}")
+	set(OPENSSL_LIBRARIES ${OPENSSL_LIBRARY_SSL} ${OPENSSL_LIBRARY_CRYPTO})
+
+	if(NOT TARGET openssl)
+		if(NOT ENABLE_PIC)
+			set(OPENSSL_PIC_OPTION)
+		else()
+			set(OPENSSL_PIC_OPTION "-fPIC")
+		endif()
+
+		message(STATUS "Using bundled openssl in '${OPENSSL_BUNDLE_DIR}'")
+
+		ExternalProject_Add(
+			openssl
+			PREFIX "${PROJECT_BINARY_DIR}/openssl-prefix"
+			URL "https://github.com/openssl/openssl/releases/download/openssl-3.1.4/openssl-3.1.4.tar.gz"
+			URL_HASH "SHA256=840af5366ab9b522bde525826be3ef0fb0af81c6a9ebd84caa600fea1731eee3"
+			CONFIGURE_COMMAND ./config ${OPENSSL_SHARED_OPTION} ${OPENSSL_PIC_OPTION}
+							  --prefix=${OPENSSL_INSTALL_DIR} --libdir=lib
+			BUILD_COMMAND make
+			BUILD_IN_SOURCE 1
+			BUILD_BYPRODUCTS ${OPENSSL_LIBRARY_SSL} ${OPENSSL_LIBRARY_CRYPTO}
+			INSTALL_COMMAND make install_sw
+		)
+		install(
+			FILES "${OPENSSL_LIBRARY_SSL}"
+			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+		install(
+			FILES "${OPENSSL_LIBRARY_CRYPTO}"
+			DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+		install(
+			DIRECTORY "${OPENSSL_INCLUDE_DIR}"
+			DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}"
+			COMPONENT "libs-deps"
+		)
+	endif()
+endif()
+
+if(NOT TARGET openssl)
+	add_custom_target(openssl)
+endif()
+
+include_directories("${OPENSSL_INCLUDE_DIR}")

config/falco.container_plugin.yaml

@@ -0,0 +1,2 @@
+# Enable container plugin for linux non musl installation.
+load_plugins: [container]

config/falco.iso8601_timeformat.yaml

@@ -0,0 +1,2 @@
+# Enable iso 8601 time format on docker
+time_format_iso_8601: true

docker/driver-loader-buster/Dockerfile

@@ -96,10 +96,8 @@ RUN curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - \
 	&& apt-get clean \
 	&& rm -rf /var/lib/apt/lists/*
 
-# Change the falco config within the container to enable ISO 8601
-# output.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-	&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
+# Change the falco config within the container to enable ISO 8601 output.
+ADD ./config/falco.iso8601_timeformat.yaml /etc/falco/config.d/
 
 # Some base images have an empty /lib/modules by default
 # If it's not empty, docker build will fail instead of
@@ -123,6 +121,6 @@ RUN curl -L -o binutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dep
 	&& dpkg -i *binutils*.deb \
 	&& rm -f *binutils*.deb
 
-COPY ./docker-entrypoint.sh /
+COPY ./docker/driver-loader-buster/docker-entrypoint.sh /
 
 ENTRYPOINT ["/docker-entrypoint.sh"]

docker/driver-loader/Dockerfile

@@ -41,6 +41,6 @@ RUN apt-get update \
 RUN rm -df /lib/modules \
 	&& ln -s $HOST_ROOT/lib/modules /lib/modules
 
-COPY ./docker-entrypoint.sh /
+COPY ./docker/driver-loader/docker-entrypoint.sh /
 
 ENTRYPOINT ["/docker-entrypoint.sh"]

docker/falco-debian/Dockerfile

@@ -26,6 +26,7 @@ RUN curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - \
 	&& apt-get clean \
 	&& rm -rf /var/lib/apt/lists/*
 
-RUN sed -i -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' /etc/falco/falco.yaml
+# Change the falco config within the container to enable ISO 8601 output.
+ADD ./config/falco.iso8601_timeformat.yaml /etc/falco/config.d/
 
 CMD ["/usr/bin/falco"]

docker/falco/Dockerfile

@@ -28,7 +28,8 @@ RUN FALCO_VERSION_URLENCODED=$(echo -n ${FALCO_VERSION}|jq -sRr @uri) && \
     cp -r /falco/* / && \
     rm -rf /falco
 
-RUN sed -i -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' /etc/falco/falco.yaml
+# Change the falco config within the container to enable ISO 8601 output.
+ADD ./config/falco.iso8601_timeformat.yaml /etc/falco/config.d/
 
 # Falcoctl is not included here.
 RUN rm -rf /usr/bin/falcoctl /etc/falcoctl/

falco.yaml

@@ -436,7 +436,7 @@ engine:
 # Falco plugins enable integration with other services in your ecosystem.
 # They allow Falco to extend its functionality and leverage data sources such as
 # Kubernetes audit logs or AWS CloudTrail logs. This enables Falco to perform
-# fast on-host detections beyond syscalls and container events. The plugin
+# fast on-host detections beyond syscalls. The plugin
 # system will continue to evolve with more specialized functionality in future
 # releases.
 #
@@ -448,7 +448,7 @@ engine:
 # Please note that if your intention is to enrich Falco syscall logs with fields
 # such as `k8s.ns.name`, `k8s.pod.name`, and `k8s.pod.*`, you do not need to use
 # the `k8saudit` plugin. This information is automatically extracted from
-# the container runtime socket. The `k8saudit` plugin is specifically designed
+# the container runtime socket by the 'container' plugin. The `k8saudit` plugin is specifically designed
 # to integrate with Kubernetes audit logs and is not required for basic enrichment
 # of syscall logs with Kubernetes-related fields.
 #
@@ -466,6 +466,32 @@ load_plugins: []
 # applied when the corresponding plugin is enabled using the `load_plugins`
 # option.
 plugins:
+  - name: container
+    # For a summary of config option, see https://github.com/FedeDP/container_plugin?tab=readme-ov-file#configuration
+    library_path: libcontainer.so
+    init_config:
+      label_max_len: 100
+      with_size: false
+# We use default config values for engine key.
+#      engines:
+#        docker:
+#          enabled: true
+#          sockets: [ '/var/run/docker.sock' ]
+#        podman:
+#          enabled: true
+#          sockets: [ '/run/podman/podman.sock', '/run/user/1000/podman/podman.sock' ]
+#        containerd:
+#          enabled: true
+#          sockets: [ '/run/containerd/containerd.sock' ]
+#        cri:
+#          enabled: true
+#          sockets: [ '/run/crio/crio.sock' ]
+#        lxc:
+#          enabled: false
+#        libvirt_lxc:
+#          enabled: false
+#        bpm:
+#          enabled: false
   - name: k8saudit
     library_path: libk8saudit.so
     init_config: ""
@@ -879,11 +905,11 @@ log_level: info
 # library specifically, providing more granular control over the logging
 # behavior of the underlying components used by Falco. Only logs of a certain
 # severity level or higher will be emitted. Supported levels: "fatal",
-# "critical", "error", "warning", "notice", "info", "debug", "trace". It is not
-# recommended for production use.
+# "critical", "error", "warning", "notice", "info", "debug", "trace".
+#  It is not recommended to use "debug" and "trace" for production use.
 libs_logger:
-  enabled: false
-  severity: debug
+  enabled: true
+  severity: info
 
 
 #################################################################################
@@ -1092,8 +1118,7 @@ syscall_event_drops:
 #
 # `state_counters_enabled`: Emit counters related to Falco's state engine, including 
 # added, removed threads or file descriptors (fds), and failed lookup, store, or 
-# retrieve actions in relation to Falco's underlying process cache table (threadtable). 
-# We also log the number of currently cached containers if applicable.
+# retrieve actions in relation to Falco's underlying process cache table (threadtable).
 #
 # `kernel_event_counters_enabled`: Emit kernel side event and drop counters, as
 # an alternative to `syscall_event_drops`, but with some differences. These
@@ -1277,6 +1302,7 @@ metrics:
 base_syscalls:
   custom_set: []
   repair: false
+  all: false
 
 ##############
 # Falco libs #
@@ -1307,44 +1333,3 @@ base_syscalls:
 falco_libs:
   thread_table_size: 262144
   snaplen: 80
-
-# [Incubating] `container_engines`
-#
-# This option allows you to explicitly enable or disable API lookups against container 
-# runtime sockets for each supported container runtime. 
-# Access to these sockets enables Falco to retrieve container and Kubernetes fields, 
-# helping identify workload owners in modern containerized environments. 
-# Refer to the fields docs:
-# 
-# - [Kubernetes fields](https://falco.org/docs/reference/rules/supported-fields/#field-class-k8s)
-# - [Container fields](https://falco.org/docs/reference/rules/supported-fields/#container)
-# 
-# Additionally, Falco can use container events as a data source for alerting (evt.type = container).
-# 
-# For most container engines, you can solely enable or disable them, and Falco will search the 
-# default (hard-coded) container runtime socket paths, such as `/var/run/docker.sock` for Docker.
-#
-# However, for Kubernetes settings, you can customize the CRI socket paths:
-# 
-# - `container_engines.cri.sockets`: Pass a list of container runtime sockets.
-# - `container_engines.cri.disable_async`: Since API lookups may not always be quick or 
-# perfect, resulting in empty fields for container metadata, you can use this option option 
-# to disable asynchronous fetching. Note that missing fields may still occasionally occur.
-# 
-# The equivalent (stable) CLI args are `--cri` or `--disable-cri-async`.
-
-container_engines:
-  docker:
-    enabled: true
-  cri:
-    enabled: true
-    sockets: ["/run/containerd/containerd.sock", "/run/crio/crio.sock", "/run/k3s/containerd/containerd.sock"]
-    disable_async: false
-  podman:
-    enabled: true
-  lxc:
-    enabled: true
-  libvirt_lxc:
-    enabled: true
-  bpm:
-    enabled: true

proposals/20231220-features-adoption-and-deprecation.md

@@ -175,7 +175,7 @@ _The units represent the number of releases._
 ### Examples
 
 **Example 1** Let's consider a feature _foo_ in the Output/Alerts Area introduced in Falco 1.0.0 and labeled as *Incubating*. The feature is promoted to *Stable* in Falco 1.1.0 (because the feature did not get any user-facing change).
-Subsequently, maintainers decide that backward-compatible changes must be introduced in _foo_ to improve its functionality. The part of the feature to be changed is labeled as *Deprecated* in Falco 1.2.0, and the deprecation period starts. The non-backward compatible change is then introduced in Falco 1.4.0.
+Subsequently, maintainers decide that backward-incompatible changes must be introduced in _foo_ to improve its functionality. The part of the feature to be changed is labeled as *Deprecated* in Falco 1.2.0, and the deprecation period starts. The non-backward compatible change is then introduced in Falco 1.4.0.
 
 **Example 2** The `--bar` flag in the CLI/Config Area has been introduced since Falco 1.1.0 and is labeled as *Stable*. Before releasing Falco 1.5.0, maintainers realize `--bar` is redundant and should be removed. The flag is labeled as *Deprecated* in Falco 1.5.0, and the deprecation period starts. The flag is removed in Falco 1.6.0.
 

scripts/ignored-calls.sh

@@ -1,26 +0,0 @@
-#!/usr/bin/env bash
-# SPDX-License-Identifier: Apache-2.0
-#
-# Copyright (C) 2023 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-scriptdir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
-parentdir="$(dirname "$scriptdir")"
-libsdir="${parentdir}/build/falcosecurity-libs-repo/falcosecurity-libs-prefix/src/falcosecurity-libs"
-cat "${libsdir}/userspace/libscap/syscall_info_table.c" | grep EF_DROP_SIMPLE_CONS | sed -e 's/.*\"\(.*\)\".*/\1/'  | sort > /tmp/ignored_syscall_info_table.txt
-cat "${libsdir}/driver/event_table.c" | grep EF_DROP_SIMPLE_CONS | sed -e 's/[^\"]*\"\([^\"]*\)\".*/\1/' | sort | uniq > /tmp/ignored_driver_event_table.txt
-
-cat /tmp/ignored_driver_event_table.txt /tmp/ignored_syscall_info_table.txt | sort | uniq | tr '\n' ', '
-

submodules/falcosecurity-rules

@@ -0,0 +1 @@
+371e43167e1b70ef0600d8fd30c8a338663ccb56

unit_tests/falco/app/actions/test_configure_interesting_sets.cpp

@@ -116,7 +116,6 @@ TEST_F(test_falco_engine, preconditions_postconditions) {
 
 	s1.engine = nullptr;
 	s1.config = std::make_shared<falco_configuration>();
-	s1.options.all_events = false;
 	auto result = falco::app::actions::configure_interesting_sets(s1);
 	ASSERT_FALSE(result.success);
 	ASSERT_NE(result.errstr, "");
@@ -199,9 +198,8 @@ TEST_F(test_falco_engine, selection_not_allevents) {
 	falco::app::state s2;
 	// run app action with fake engine and without the `-A` option
 	s2.engine = m_engine;
-	s2.options.all_events = false;
+	s2.config->m_base_syscalls_all = false;
 
-	ASSERT_EQ(s2.options.all_events, false);
 	auto result = falco::app::actions::configure_interesting_sets(s2);
 	ASSERT_TRUE(result.success);
 	ASSERT_EQ(result.errstr, "");
@@ -256,7 +254,8 @@ TEST_F(test_falco_engine, selection_allevents) {
 	falco::app::state s3;
 	// run app action with fake engine and with the `-A` option
 	s3.engine = m_engine;
-	s3.options.all_events = true;
+	s3.config->m_base_syscalls_all = true;
+
 	auto result = falco::app::actions::configure_interesting_sets(s3);
 	ASSERT_TRUE(result.success);
 	ASSERT_EQ(result.errstr, "");
@@ -299,8 +298,8 @@ TEST_F(test_falco_engine, selection_allevents) {
 
 TEST_F(test_falco_engine, selection_generic_evts) {
 	falco::app::state s4;
-	// run app action with fake engine and without the `-A` option
-	s4.options.all_events = false;
+	// run app action with fake engine and without the `m_base_syscalls_all` option
+
 	auto filters = s_sample_filters;
 	filters.insert(s_sample_generic_filters.begin(), s_sample_generic_filters.end());
 	load_rules(ruleset_from_filters(filters), "dummy_ruleset.yaml");
@@ -347,8 +346,7 @@ TEST_F(test_falco_engine, selection_custom_base_set) {
 	load_rules(ruleset_from_filters(s_sample_filters), "dummy_ruleset.yaml");
 
 	falco::app::state s5;
-	// run app action with fake engine and without the `-A` option
-	s5.options.all_events = true;
+	s5.config->m_base_syscalls_all = true;
 	s5.engine = m_engine;
 	auto default_base_set = libsinsp::events::sinsp_state_sc_set();
 
@@ -425,8 +423,8 @@ TEST_F(test_falco_engine, selection_custom_base_set) {
 	expected_sc_names.erase("accept4");
 	ASSERT_NAMES_EQ(selected_sc_names, expected_sc_names);
 
-	// non-empty custom base set (positive, without -A)
-	s5.options.all_events = false;
+	// non-empty custom base set (positive, disable all syscalls)
+	s5.config->m_base_syscalls_all = false;
 	s5.config->m_base_syscalls_custom_set = {"read"};
 	result = falco::app::actions::configure_interesting_sets(s5);
 	ASSERT_TRUE(result.success);
@@ -453,8 +451,8 @@ TEST_F(test_falco_engine, selection_custom_base_set_repair) {
 	load_rules(ruleset_from_filters(s_sample_filters), "dummy_ruleset.yaml");
 
 	falco::app::state s6;
-	// run app action with fake engine and without the `-A` option
-	s6.options.all_events = false;
+	// run app action with fake engine and without the `all syscalls` option
+	s6.config->m_base_syscalls_all = false;
 	s6.engine = m_engine;
 
 	// note: here we use file syscalls (e.g. open, openat) and have a custom
@@ -494,8 +492,8 @@ TEST_F(test_falco_engine, selection_empty_custom_base_set_repair) {
 	load_rules(ruleset_from_filters(s_sample_filters), "dummy_ruleset.yaml");
 
 	falco::app::state s7;
-	// run app action with fake engine and with the `-A` option
-	s7.options.all_events = true;
+	// run app action with fake engine and with the `all syscalls` option
+	s7.config->m_base_syscalls_all = true;
 	s7.engine = m_engine;
 
 	// simulate empty custom set but repair option set.

unit_tests/falco/test_atomic_signal_handler.cpp

@@ -24,6 +24,7 @@ limitations under the License.
 #include <future>
 #include <memory>
 #include <vector>
+#include <thread>
 
 TEST(AtomicSignalHandler, lock_free_implementation) {
 	ASSERT_TRUE(falco::atomic_signal_handler().is_lock_free());

unit_tests/falco/test_configuration_config_files.cpp

@@ -466,6 +466,9 @@ TEST(Configuration, configuration_config_files_cmdline) {
 	std::vector<std::string> cmdline_config_options;
 	cmdline_config_options.push_back((yaml_helper::configs_key + "=conf_2.yaml"));
 
+	// Override foo2 value from cli
+	cmdline_config_options.push_back(("foo2=bar22"));
+
 	falco_configuration falco_config;
 	config_loaded_res res;
 	ASSERT_NO_THROW(res = falco_config.init_from_file("main.yaml", cmdline_config_options));
@@ -480,7 +483,7 @@ TEST(Configuration, configuration_config_files_cmdline) {
 	ASSERT_TRUE(falco_config.m_config.is_defined("base_value.name"));
 	ASSERT_EQ(falco_config.m_config.get_scalar<std::string>("base_value.name", ""), "foo");
 	ASSERT_TRUE(falco_config.m_config.is_defined("foo2"));
-	ASSERT_EQ(falco_config.m_config.get_scalar<std::string>("foo2", ""), "bar2");
+	ASSERT_EQ(falco_config.m_config.get_scalar<std::string>("foo2", ""), "bar22");
 	ASSERT_TRUE(falco_config.m_config.is_defined("base_value_2.id"));
 	ASSERT_EQ(falco_config.m_config.get_scalar<int>("base_value_2.id", 0), 2);
 

userspace/engine/falco_engine_version.h

@@ -20,7 +20,7 @@ limitations under the License.
 
 // The version of this Falco engine
 #define FALCO_ENGINE_VERSION_MAJOR 0
-#define FALCO_ENGINE_VERSION_MINOR 46
+#define FALCO_ENGINE_VERSION_MINOR 47
 #define FALCO_ENGINE_VERSION_PATCH 0
 
 #define FALCO_ENGINE_VERSION                                                               \
@@ -36,4 +36,4 @@ limitations under the License.
 // It represents the fields supported by this version of Falco,
 // the event types, and the underlying driverevent schema. It's used to
 // detetect changes in engine version in our CI jobs.
-#define FALCO_ENGINE_CHECKSUM "24861acb14c5b9f7d293dd37d1623949135e1a865f2d813cbd660212b71ada33"
+#define FALCO_ENGINE_CHECKSUM "1478da9cefb00623e5158e6582ff5322a2118f804c61ddb65f57079353257611"

userspace/engine/rule_loader_compiler.cpp

@@ -36,9 +36,12 @@ limitations under the License.
 	}
 
 static std::string s_container_info_fmt = "%container.info";
-static std::string s_default_extra_fmt =
-        "container_id=%container.id container_name=%container.name";
-
+// We were previously expanding %container.info to "container_id=%container.id
+// container_name=%container.name". Since the container plugin is now in use, and it exposes
+// container.id and container.name as suggested output fields, we don't need to expand
+// container.info anymore. We kept container.info in the ruleset to avoid a major breaking change.
+// TODO: drop `container.info` magic once we make a major breaking change in the ruleset.
+static std::string s_default_extra_fmt = "";
 using namespace libsinsp::filter;
 
 // todo(jasondellaluce): this breaks string escaping in lists and exceptions

userspace/falco/CMakeLists.txt

@@ -110,16 +110,21 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT MINIMAL_BUILD)
 
 	if(CMAKE_SYSTEM_NAME MATCHES "Linux" AND USE_BUNDLED_GRPC)
 		list(APPEND FALCO_DEPENDENCIES grpc)
-		list(APPEND FALCO_LIBRARIES "${GRPC_LIBRARIES}")
+	endif()
+
+	if(CMAKE_SYSTEM_NAME MATCHES "Linux" AND USE_BUNDLED_CURL)
+		list(APPEND FALCO_DEPENDENCIES curl)
 	endif()
 
 	list(
 		APPEND
 		FALCO_LIBRARIES
 		httplib::httplib
+		"${CURL_LIBRARIES}"
 		"${GRPCPP_LIB}"
 		"${GRPC_LIB}"
 		"${GPR_LIB}"
+		"${GRPC_LIBRARIES}"
 		"${PROTOBUF_LIB}"
 		"${CARES_LIB}"
 		"${OPENSSL_LIBRARIES}"

userspace/falco/app/actions/configure_interesting_sets.cpp

@@ -200,22 +200,12 @@ static void select_event_set(falco::app::state& s,
 		                          concat_set_in_order(non_rules_sc_set_names) + "\n");
 	}
 
-	/* base_syscall.all / -A flag behavior:
+	/* base_syscall.all behavior:
 	 * (1) default: all syscalls in rules included, sinsp state enforcement
 	       without high volume syscalls
 	 * (2) set: all syscalls in rules included, sinsp state enforcement
 	       and allowing high volume syscalls */
-	bool all_events = false;
-	if(s.options.all_events) {
-		falco_logger::log(falco_logger::level::WARNING,
-		                  "The -A option is deprecated and will be removed. Use -o "
-		                  "base_syscalls.all=true instead.");
-		all_events = true;
-	}
-	if(s.config->m_base_syscalls_all) {
-		all_events = true;
-	}
-	if(!(s.options.all_events || s.config->m_base_syscalls_all)) {
+	if(!s.config->m_base_syscalls_all) {
 		auto ignored_sc_set = falco::app::ignored_sc_set();
 		auto erased_sc_set = s.selected_sc_set.intersect(ignored_sc_set);
 		s.selected_sc_set = s.selected_sc_set.diff(ignored_sc_set);

userspace/falco/app/actions/init_falco_engine.cpp

@@ -95,8 +95,8 @@ void configure_output_format(falco::app::state& s) {
 
 	// See https://falco.org/docs/rules/style-guide/
 	const std::string container_info =
-	        "container_id=%container.id container_image=%container.image.repository "
-	        "container_image_tag=%container.image.tag container_name=%container.name";
+	        "container_image=%container.image.repository "
+	        "container_image_tag=%container.image.tag";
 	const std::string k8s_info = "k8s_ns=%k8s.ns.name k8s_pod_name=%k8s.pod.name";
 	const std::string gvisor_info = "vpid=%proc.vpid vtid=%thread.vtid";
 
@@ -170,14 +170,15 @@ falco::app::run_result falco::app::actions::init_falco_engine(falco::app::state&
 	if(s.is_capture_mode()) {
 		auto manager = s.offline_inspector->get_plugin_manager();
 		for(const auto& p : manager->plugins()) {
-			if(p->caps() & CAP_SOURCING && p->id() != 0) {
-				bool added = false;
-				auto source_idx = manager->source_idx_by_plugin_id(p->id(), added);
-				auto engine_idx = s.source_infos.at(p->event_source())->engine_idx;
-				if(!added || source_idx != engine_idx) {
-					return run_result::fatal("Could not add event source in the engine: " +
-					                         p->event_source());
-				}
+			if((p->caps() & CAP_SOURCING) == 0 || p->id() == 0) {
+				continue;
+			}
+			bool added = false;
+			auto source_idx = manager->source_idx_by_plugin_id(p->id(), added);
+			auto engine_idx = s.source_infos.at(p->event_source())->engine_idx;
+			if(!added || source_idx != engine_idx) {
+				return run_result::fatal("Could not add event source in the engine: " +
+				                         p->event_source());
 			}
 		}
 	}

userspace/falco/app/actions/init_inspectors.cpp

@@ -27,76 +27,18 @@ using namespace falco::app::actions;
 
 static void init_syscall_inspector(falco::app::state& s, std::shared_ptr<sinsp> inspector) {
 	sinsp_evt::param_fmt event_buffer_format = sinsp_evt::PF_NORMAL;
-	if(s.options.print_base64) {
-		falco_logger::log(falco_logger::level::WARNING,
-		                  "The -b/--print-base64 option is deprecated and will be removed. Use -o "
-		                  "buffer_format_base64=true instead.");
-		event_buffer_format = sinsp_evt::PF_BASE64;
-	}
 	if(s.config->m_buffer_format_base64) {
 		event_buffer_format = sinsp_evt::PF_BASE64;
 	}
 
 	inspector->set_buffer_format(event_buffer_format);
 
-	//
-	// Container engines
-	//
-
-	// Debug log messages
-	if(s.config->m_container_engines_mask & (1 << CT_DOCKER)) {
-		falco_logger::log(falco_logger::level::DEBUG, "Enabled container engine 'docker'");
-	}
-
-	if(s.config->m_container_engines_mask & (1 << CT_PODMAN)) {
-		falco_logger::log(falco_logger::level::DEBUG, "Enabled container engine 'podman'");
-	}
-
-	if(s.config->m_container_engines_mask &
-	   ((1 << CT_CRI) | (1 << CT_CRIO) | (1 << CT_CONTAINERD))) {
-		falco_logger::log(falco_logger::level::DEBUG, "Enabled container engine 'CRI'");
-	}
-
-	if(s.config->m_container_engines_mask & (1 << CT_LXC)) {
-		falco_logger::log(falco_logger::level::DEBUG, "Enabled container engine 'lxc'");
-	}
-
-	if(s.config->m_container_engines_mask & (1 << CT_LIBVIRT_LXC)) {
-		falco_logger::log(falco_logger::level::DEBUG, "Enabled container engine 'libvirt_lxc'");
-	}
-
-	if(s.config->m_container_engines_mask & (1 << CT_BPM)) {
-		falco_logger::log(falco_logger::level::DEBUG, "Enabled container engine 'bpm'");
-	}
-
-	// Container engines configs via falco.yaml
-	inspector->set_container_engine_mask(s.config->m_container_engines_mask);
-	for(auto& p : s.config->m_container_engines_cri_socket_paths) {
-		if(!p.empty()) {
-			inspector->add_cri_socket_path(p);
-			falco_logger::log(falco_logger::level::DEBUG,
-			                  "Enabled container runtime socket at '" + p + "' via config file");
-		}
-	}
-
-	inspector->set_cri_async(!s.config->m_container_engines_disable_cri_async);
-	if(s.config->m_container_engines_disable_cri_async) {
-		falco_logger::log(falco_logger::level::DEBUG, "Disabling async lookups for 'CRI'");
-	}
-
 	//
 	// If required, set the snaplen.
-	// In case both config and CLI options are specified, CLI takes precedence.
 	//
 	if(s.config->m_falco_libs_snaplen != 0) {
 		inspector->set_snaplen(s.config->m_falco_libs_snaplen);
 	}
-	if(s.options.snaplen != 0) {
-		inspector->set_snaplen(s.options.snaplen);
-		falco_logger::log(falco_logger::level::WARNING,
-		                  "The -S/--snaplen option is deprecated and will be removed. Use -o "
-		                  "falco_libs.snaplen=<len> instead.");
-	}
 
 	if(s.is_driver_drop_failed_exit_enabled()) {
 		falco_logger::log(falco_logger::level::INFO,
@@ -147,13 +89,14 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
 	std::string err;
 	std::unordered_set<std::string> used_plugins;
 	const auto& all_plugins = s.offline_inspector->get_plugin_manager()->plugins();
+	const bool is_capture_mode = s.is_capture_mode();
 
 	for(const auto& src : s.loaded_sources) {
 		auto src_info = s.source_infos.at(src);
 
 		// in capture mode, every event source uses the offline inspector.
 		// in live mode, we create a new inspector for each event source
-		if(s.is_capture_mode()) {
+		if(is_capture_mode) {
 			src_info->inspector = s.offline_inspector;
 		} else {
 			src_info->inspector =
@@ -174,15 +117,16 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
 			                ((p->id() != 0 && src == p->event_source()) ||
 			                 (p->id() == 0 && src == falco_common::syscall_source));
 
-			if(s.is_capture_mode()) {
+			if(is_capture_mode) {
 				// in capture mode, every plugin is already registered
 				// in the offline inspector by the load_plugins action
 				plugin = p;
 			} else {
-				// in live mode, for the inspector assigned to the given
-				// event source, we must register the plugin supporting
-				// that event source and also plugins with field extraction
-				// capability that are compatible with that event source
+				// in live mode, for the inspector assigned to the given event source, we must
+				// register a plugin if one of the following condition applies to it:
+				// - it has event sourcing capability for the given event source
+				// - it has one among field extraction, event parsing and async events capabilities
+				//   and is compatible (with respect to that capability) with the given event source
 				if(is_input ||
 				   (p->caps() & CAP_EXTRACTION &&
 				    sinsp_plugin::is_source_compatible(p->extract_event_sources(), src)) ||
@@ -194,22 +138,23 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
 				}
 			}
 
-			// init the plugin, if we registered it into an inspector
-			// (in capture mode, this is true for every plugin)
-			if(plugin) {
-				// avoid initializing the same plugin twice in the same
-				// inspector if we're in capture mode
-				if(!s.is_capture_mode() || used_plugins.find(p->name()) == used_plugins.end()) {
-					if(!plugin->init(config->m_init_config, err)) {
-						return run_result::fatal(err);
-					}
-				}
-				if(is_input) {
-					auto gen_check = src_info->inspector->new_generic_filtercheck();
-					src_info->filterchecks->add_filter_check(std::move(gen_check));
-				}
-				used_plugins.insert(plugin->name());
+			if(!plugin) {
+				continue;
 			}
+
+			// init the plugin only if we registered it into an inspector (in capture mode, this is
+			// true for every plugin). Avoid initializing the same plugin twice in the same
+			// inspector if we're in capture mode
+			if(!is_capture_mode || used_plugins.find(p->name()) == used_plugins.end()) {
+				if(!plugin->init(config->m_init_config, err)) {
+					return run_result::fatal(err);
+				}
+			}
+			if(is_input) {
+				auto gen_check = src_info->inspector->new_generic_filtercheck();
+				src_info->filterchecks->add_filter_check(std::move(gen_check));
+			}
+			used_plugins.insert(plugin->name());
 		}
 
 		// populate filtercheck list for this inspector
@@ -221,20 +166,22 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
 			return run_result::fatal(err);
 		}
 
-		// in live mode, each inspector should have registered at most two event sources:
-		// the "syscall" on, loaded at default at index 0, and optionally another
-		// one defined by a plugin, at index 1
-		if(!s.is_capture_mode()) {
-			const auto& sources = src_info->inspector->event_sources();
-			if(sources.size() == 0 || sources.size() > 2 ||
-			   sources[0] != falco_common::syscall_source) {
-				err.clear();
-				for(const auto& source : sources) {
-					err += (err.empty() ? "" : ", ") + source;
-				}
-				return run_result::fatal("Illegal sources setup in live inspector for source '" +
-				                         src + "': " + err);
+		if(is_capture_mode) {
+			continue;
+		}
+
+		// in live mode, each inspector should have registered at most two event sources: the
+		// "syscall" on, loaded at default at index 0, and optionally another one defined by a
+		// plugin, at index 1
+		const auto& sources = src_info->inspector->event_sources();
+		if(sources.size() == 0 || sources.size() > 2 ||
+		   sources[0] != falco_common::syscall_source) {
+			err.clear();
+			for(const auto& source : sources) {
+				err += (err.empty() ? "" : ", ") + source;
 			}
+			return run_result::fatal("Illegal sources setup in live inspector for source '" + src +
+			                         "': " + err);
 		}
 	}
 

userspace/falco/app/actions/list_fields.cpp

@@ -21,17 +21,18 @@ using namespace falco::app;
 using namespace falco::app::actions;
 
 falco::app::run_result falco::app::actions::list_fields(falco::app::state& s) {
-	if(s.options.list_fields) {
-		if(s.options.list_source_fields != "" &&
-		   !s.engine->is_source_valid(s.options.list_source_fields)) {
-			return run_result::fatal("Value for --list must be a valid source type");
-		}
-		s.engine->list_fields(s.options.list_source_fields,
-		                      s.options.verbose,
-		                      s.options.names_only,
-		                      s.options.markdown);
-		return run_result::exit();
+	if(!s.options.list_fields) {
+		return run_result::ok();
 	}
 
-	return run_result::ok();
+	if(s.options.list_source_fields != "" &&
+	   !s.engine->is_source_valid(s.options.list_source_fields)) {
+		return run_result::fatal("Value for --list must be a valid source type");
+	}
+
+	s.engine->list_fields(s.options.list_source_fields,
+	                      s.options.verbose,
+	                      s.options.names_only,
+	                      s.options.markdown);
+	return run_result::exit();
 }

userspace/falco/app/actions/list_plugins.cpp

@@ -24,20 +24,20 @@ using namespace falco::app;
 using namespace falco::app::actions;
 
 falco::app::run_result falco::app::actions::list_plugins(const falco::app::state& s) {
-	if(s.options.list_plugins) {
-		std::ostringstream os;
-		sinsp inspector;
-		const auto& configs = s.config->m_plugins;
-		for(auto& c : configs) {
-			// load the plugin (no need to initialize it)
-			auto plugin = inspector.register_plugin(c.m_library_path);
-			format_plugin_info(plugin, os);
-			os << std::endl;
-		}
-
-		printf("%lu Plugins Loaded:\n\n%s\n", configs.size(), os.str().c_str());
-		return run_result::exit();
+	if(!s.options.list_plugins) {
+		return run_result::ok();
 	}
 
-	return run_result::ok();
+	std::ostringstream os;
+	sinsp inspector;
+	const auto& configs = s.config->m_plugins;
+	for(auto& c : configs) {
+		// load the plugin (no need to initialize it)
+		auto plugin = inspector.register_plugin(c.m_library_path);
+		format_plugin_info(plugin, os);
+		os << std::endl;
+	}
+
+	printf("%lu Plugins Loaded:\n\n%s\n", configs.size(), os.str().c_str());
+	return run_result::exit();
 }

userspace/falco/app/actions/load_plugins.cpp

@@ -51,16 +51,18 @@ falco::app::run_result falco::app::actions::load_plugins(falco::app::state& s) {
 		                  "Loading plugin '" + p.m_name + "' from file " + p.m_library_path + "\n");
 		auto plugin = s.offline_inspector->register_plugin(p.m_library_path);
 		s.plugin_configs.insert(p, plugin->name());
-		if(plugin->caps() & CAP_SOURCING && plugin->id() != 0) {
-			state::source_info src_info;
-			src_info.filterchecks = std::make_shared<filter_check_list>();
-			auto sname = plugin->event_source();
-			s.source_infos.insert(src_info, sname);
-			// note: this avoids duplicate values
-			if(std::find(s.loaded_sources.begin(), s.loaded_sources.end(), sname) ==
-			   s.loaded_sources.end()) {
-				s.loaded_sources.push_back(sname);
-			}
+		if((plugin->caps() & CAP_SOURCING) == 0 || plugin->id() == 0) {
+			continue;
+		}
+		// Account the plugin event source
+		state::source_info src_info;
+		src_info.filterchecks = std::make_shared<filter_check_list>();
+		auto src_name = plugin->event_source();
+		s.source_infos.insert(src_info, src_name);
+		// note: this avoids duplicate values
+		if(std::find(s.loaded_sources.begin(), s.loaded_sources.end(), src_name) ==
+		   s.loaded_sources.end()) {
+			s.loaded_sources.push_back(src_name);
 		}
 	}
 

userspace/falco/app/actions/pidfile.cpp

@@ -30,21 +30,23 @@ falco::app::run_result falco::app::actions::pidfile(const falco::app::state& sta
 		return run_result::ok();
 	}
 
-	if(!state.options.pidfilename.empty()) {
-		int64_t self_pid = getpid();
-
-		std::ofstream stream;
-		stream.open(state.options.pidfilename);
-
-		if(!stream.good()) {
-			falco_logger::log(
-			        falco_logger::level::ERR,
-			        "Could not write pid to pidfile " + state.options.pidfilename + ". Exiting.\n");
-			exit(-1);
-		}
-		stream << self_pid;
-		stream.close();
+	if(state.options.pidfilename.empty()) {
+		return run_result::ok();
 	}
 
+	int64_t self_pid = getpid();
+
+	std::ofstream stream;
+	stream.open(state.options.pidfilename);
+
+	if(!stream.good()) {
+		falco_logger::log(
+		        falco_logger::level::ERR,
+		        "Could not write pid to pidfile " + state.options.pidfilename + ". Exiting.\n");
+		exit(-1);
+	}
+	stream << self_pid;
+	stream.close();
+
 	return run_result::ok();
 }

userspace/falco/app/actions/print_config_schema.cpp

@@ -21,9 +21,10 @@ using namespace falco::app;
 using namespace falco::app::actions;
 
 falco::app::run_result falco::app::actions::print_config_schema(falco::app::state &s) {
-	if(s.options.print_config_schema) {
-		printf("%s", s.config->m_config_schema.dump(2).c_str());
-		return run_result::exit();
+	if(!s.options.print_config_schema) {
+		return run_result::ok();
 	}
-	return run_result::ok();
+
+	printf("%s", s.config->m_config_schema.dump(2).c_str());
+	return run_result::exit();
 }

userspace/falco/app/actions/print_generated_gvisor_config.cpp

@@ -22,12 +22,13 @@ using namespace falco::app;
 using namespace falco::app::actions;
 
 falco::app::run_result falco::app::actions::print_generated_gvisor_config(falco::app::state& s) {
-	if(!s.options.gvisor_generate_config_with_socket.empty()) {
-		sinsp i;
-		std::string gvisor_config =
-		        i.generate_gvisor_config(s.options.gvisor_generate_config_with_socket);
-		printf("%s\n", gvisor_config.c_str());
-		return run_result::exit();
+	if(s.options.gvisor_generate_config_with_socket.empty()) {
+		return run_result::ok();
 	}
-	return run_result::ok();
+
+	sinsp i;
+	std::string gvisor_config =
+	        i.generate_gvisor_config(s.options.gvisor_generate_config_with_socket);
+	printf("%s\n", gvisor_config.c_str());
+	return run_result::exit();
 }

userspace/falco/app/actions/print_help.cpp

@@ -21,9 +21,10 @@ using namespace falco::app;
 using namespace falco::app::actions;
 
 falco::app::run_result falco::app::actions::print_help(falco::app::state& s) {
-	if(s.options.help) {
-		printf("%s", s.options.usage().c_str());
-		return run_result::exit();
+	if(!s.options.help) {
+		return run_result::ok();
 	}
-	return run_result::ok();
+
+	printf("%s", s.options.usage().c_str());
+	return run_result::exit();
 }

userspace/falco/app/actions/print_kernel_version.cpp

@@ -28,22 +28,25 @@ using namespace falco::app::actions;
 falco::app::run_result falco::app::actions::print_kernel_version(const falco::app::state& s) {
 #ifdef __linux__
 	// We print this info only when a kernel driver is injected
-	if(s.is_modern_ebpf() || s.is_ebpf() || s.is_kmod()) {
-		std::ifstream input_file("/proc/version");
-		if(!input_file.is_open()) {
-			// We don't want to fail, we just need to log something
-			falco_logger::log(falco_logger::level::INFO,
-			                  "Cannot read under '/proc/version' (err_message: '" +
-			                          std::string(strerror(errno)) + "', err_code: " +
-			                          std::to_string(errno) + "). No info provided, go on.");
-			return run_result::ok();
-		}
-
-		std::stringstream buffer;
-		buffer << input_file.rdbuf();
-		std::string contents(buffer.str());
-		falco_logger::log(falco_logger::level::INFO, "System info: " + contents);
+	bool const is_kernel_driver_injected = s.is_modern_ebpf() || s.is_ebpf() || s.is_kmod();
+	if(!is_kernel_driver_injected) {
+		return run_result::ok();
 	}
+
+	std::ifstream input_file("/proc/version");
+	if(!input_file.is_open()) {
+		// We don't want to fail, we just need to log something
+		falco_logger::log(
+		        falco_logger::level::INFO,
+		        "Cannot read under '/proc/version' (err_message: '" + std::string(strerror(errno)) +
+		                "', err_code: " + std::to_string(errno) + "). No info provided, go on.");
+		return run_result::ok();
+	}
+
+	std::stringstream buffer;
+	buffer << input_file.rdbuf();
+	std::string contents(buffer.str());
+	falco_logger::log(falco_logger::level::INFO, "System info: " + contents);
 #endif
 	return run_result::ok();
 }

userspace/falco/app/actions/print_page_size.cpp

@@ -24,25 +24,24 @@ using namespace falco::app;
 using namespace falco::app::actions;
 
 falco::app::run_result falco::app::actions::print_page_size(const falco::app::state& s) {
-	if(s.options.print_page_size) {
-#ifndef _WIN32
-		long page_size = getpagesize();
-#else
-		SYSTEM_INFO sysInfo;
-
-		GetSystemInfo(&sysInfo);
-
-		long page_size = sysInfo.dwPageSize;
-#endif
-		if(page_size <= 0) {
-			return run_result::fatal(
-			        "\nUnable to get the system page size through 'getpagesize()'\n");
-		} else {
-			falco_logger::log(
-			        falco_logger::level::INFO,
-			        "Your system page size is: " + std::to_string(page_size) + " bytes\n");
-		}
-		return run_result::exit();
+	if(!s.options.print_page_size) {
+		return run_result::ok();
 	}
-	return run_result::ok();
+
+#ifndef _WIN32
+	long page_size = getpagesize();
+#else
+	SYSTEM_INFO sysInfo;
+
+	GetSystemInfo(&sysInfo);
+
+	long page_size = sysInfo.dwPageSize;
+#endif
+	if(page_size <= 0) {
+		return run_result::fatal("\nUnable to get the system page size through 'getpagesize()'\n");
+	}
+
+	falco_logger::log(falco_logger::level::INFO,
+	                  "Your system page size is: " + std::to_string(page_size) + " bytes\n");
+	return run_result::exit();
 }

userspace/falco/app/actions/print_plugin_info.cpp

@@ -24,78 +24,81 @@ using namespace falco::app;
 using namespace falco::app::actions;
 
 falco::app::run_result falco::app::actions::print_plugin_info(const falco::app::state &s) {
-	if(!s.options.print_plugin_info.empty()) {
-		sinsp inspector;
-		for(auto &pc : s.config->m_plugins) {
-			if(pc.m_name == s.options.print_plugin_info ||
-			   pc.m_library_path == s.options.print_plugin_info) {
-				// load the plugin
-				auto p = inspector.register_plugin(pc.m_library_path);
-
-				// print plugin descriptive info
-				std::ostringstream os;
-				format_plugin_info(p, os);
-				os << std::endl;
-				printf("%s", os.str().c_str());
-
-				// print plugin init schema
-				os.str("");
-				os.clear();
-				ss_plugin_schema_type type;
-				auto schema = p->get_init_schema(type);
-				os << "Init config schema type: ";
-				switch(type) {
-				case SS_PLUGIN_SCHEMA_JSON:
-					os << "JSON" << std::endl;
-					break;
-				case SS_PLUGIN_SCHEMA_NONE:
-				default:
-					os << "Not available, plugin does not implement the init config schema "
-					      "functionality"
-					   << std::endl;
-					break;
-				}
-				os << schema << std::endl;
-				os << std::endl;
-				printf("%s", os.str().c_str());
-
-				// init the plugin
-				std::string err;
-				if(!p->init(pc.m_init_config, err)) {
-					return run_result::fatal(err);
-				}
-
-				// print plugin suggested open parameters
-				if(p->caps() & CAP_SOURCING) {
-					os.str("");
-					os.clear();
-					auto params = p->list_open_params();
-					if(params.empty()) {
-						os << "No suggested open params available: ";
-						os << "plugin has not been configured, or it does not implement the open "
-						      "params suggestion functionality"
-						   << std::endl;
-					} else {
-						os << "Suggested open params:" << std::endl;
-						for(const auto &oparam : p->list_open_params()) {
-							if(oparam.desc == "") {
-								os << oparam.value << std::endl;
-							} else {
-								os << oparam.value << ": " << oparam.desc << std::endl;
-							}
-						}
-					}
-					os << std::endl;
-					printf("%s", os.str().c_str());
-				}
-
-				// exit
-				return run_result::exit();
-			}
-		}
-		return run_result::fatal("can't find plugin and print its info: " +
-		                         s.options.print_plugin_info);
+	if(s.options.print_plugin_info.empty()) {
+		return run_result::ok();
 	}
 
-	return run_result::ok();
+	sinsp inspector;
+	for(auto &pc : s.config->m_plugins) {
+		if(pc.m_name != s.options.print_plugin_info &&
+		   pc.m_library_path != s.options.print_plugin_info) {
+			continue;
+		}
+
+		// found matching plugin; load it
+		auto p = inspector.register_plugin(pc.m_library_path);
+
+		// print plugin descriptive info
+		std::ostringstream os;
+		format_plugin_info(p, os);
+		os << std::endl;
+		printf("%s", os.str().c_str());
+
+		// print plugin init schema
+		os.str("");
+		os.clear();
+		ss_plugin_schema_type type;
+		auto schema = p->get_init_schema(type);
+		os << "Init config schema type: ";
+		switch(type) {
+		case SS_PLUGIN_SCHEMA_JSON:
+			os << "JSON" << std::endl;
+			break;
+		case SS_PLUGIN_SCHEMA_NONE:
+		default:
+			os << "Not available, plugin does not implement the init config schema "
+			      "functionality"
+			   << std::endl;
+			break;
+		}
+		os << schema << std::endl;
+		os << std::endl;
+		printf("%s", os.str().c_str());
+
+		// init the plugin
+		std::string err;
+		if(!p->init(pc.m_init_config, err)) {
+			return run_result::fatal(err);
+		}
+
+		// print plugin suggested open parameters
+		if(p->caps() & CAP_SOURCING) {
+			os.str("");
+			os.clear();
+			auto params = p->list_open_params();
+			if(params.empty()) {
+				os << "No suggested open params available: ";
+				os << "plugin has not been configured, or it does not implement the open "
+				      "params suggestion functionality"
+				   << std::endl;
+			} else {
+				os << "Suggested open params:" << std::endl;
+				for(const auto &oparam : p->list_open_params()) {
+					if(oparam.desc == "") {
+						os << oparam.value << std::endl;
+					} else {
+						os << oparam.value << ": " << oparam.desc << std::endl;
+					}
+				}
+			}
+			os << std::endl;
+			printf("%s", os.str().c_str());
+		}
+
+		// exit
+		return run_result::exit();
+	}
+
+	return run_result::fatal("can't find plugin and print its info: " +
+	                         s.options.print_plugin_info);
 }

userspace/falco/app/actions/print_rule_schema.cpp

@@ -21,9 +21,10 @@ using namespace falco::app;
 using namespace falco::app::actions;
 
 falco::app::run_result falco::app::actions::print_rule_schema(falco::app::state &s) {
-	if(s.options.print_rule_schema) {
-		printf("%s", s.engine->m_rule_schema.dump(2).c_str());
-		return run_result::exit();
+	if(!s.options.print_rule_schema) {
+		return run_result::ok();
 	}
-	return run_result::ok();
+
+	printf("%s", s.engine->m_rule_schema.dump(2).c_str());
+	return run_result::exit();
 }

userspace/falco/app/actions/print_support.cpp

@@ -88,31 +88,30 @@ static int get_sysinfo(nlohmann::json& support) {
 #endif
 
 falco::app::run_result falco::app::actions::print_support(falco::app::state& s) {
-	if(s.options.print_support) {
-		nlohmann::json support;
-
-		if(get_sysinfo(support) != 0) {
-			return run_result::fatal(std::string("Could not get system info: ") + strerror(errno));
-		}
-
-		const falco::versions_info infos(s.offline_inspector);
-		support["version"] = infos.falco_version;
-		support["engine_info"] = infos.as_json();
-		support["cmdline"] = s.cmdline;
-		support["config"] = s.config->dump();
-		support["rules_files"] = nlohmann::json::array();
-		for(const auto& filename : s.config->m_loaded_rules_filenames) {
-			nlohmann::json finfo;
-			finfo["name"] = filename;
-			nlohmann::json variant;
-			variant["content"] = read_file(filename);
-			finfo["variants"].push_back(variant);
-			support["rules_files"].push_back(finfo);
-		}
-		printf("%s\n", support.dump().c_str());
-
-		return run_result::exit();
+	if(!s.options.print_support) {
+		return run_result::ok();
 	}
 
-	return run_result::ok();
+	nlohmann::json support;
+
+	if(get_sysinfo(support) != 0) {
+		return run_result::fatal(std::string("Could not get system info: ") + strerror(errno));
+	}
+
+	const falco::versions_info infos(s.offline_inspector);
+	support["version"] = infos.falco_version;
+	support["engine_info"] = infos.as_json();
+	support["cmdline"] = s.cmdline;
+	support["config"] = s.config->dump();
+	support["rules_files"] = nlohmann::json::array();
+	for(const auto& filename : s.config->m_loaded_rules_filenames) {
+		nlohmann::json finfo;
+		finfo["name"] = filename;
+		nlohmann::json variant;
+		variant["content"] = read_file(filename);
+		finfo["variants"].push_back(variant);
+		support["rules_files"].push_back(finfo);
+	}
+	printf("%s\n", support.dump().c_str());
+	return run_result::exit();
 }

userspace/falco/app/actions/print_syscall_events.cpp

@@ -157,30 +157,29 @@ static void print_events(const std::vector<event_entry>& events, bool markdown)
 }
 
 falco::app::run_result falco::app::actions::print_syscall_events(falco::app::state& s) {
-	if(s.options.list_syscall_events) {
-		const falco::versions_info info(s.offline_inspector);
-		printf("The events below are valid for Falco *Schema Version*: %s\n",
-		       info.driver_schema_version.c_str());
-
-		const libsinsp::events::set<ppm_event_code> available =
-		        libsinsp::events::all_event_set().diff(
-		                sc_set_to_event_set(falco::app::ignored_sc_set()));
-		const struct events_by_category events_bc = get_event_entries_by_category(true, available);
-
-		printf("## Syscall events\n\n");
-		print_events(events_bc.syscalls, s.options.markdown);
-
-		printf("\n\n## Tracepoint events\n\n");
-		print_events(events_bc.tracepoints, s.options.markdown);
-
-		printf("\n\n## Plugin events\n\n");
-		print_events(events_bc.pluginevents, s.options.markdown);
-
-		printf("\n\n## Metaevents\n\n");
-		print_events(events_bc.metaevents, s.options.markdown);
-
-		return run_result::exit();
+	if(!s.options.list_syscall_events) {
+		return run_result::ok();
 	}
 
-	return run_result::ok();
+	const falco::versions_info info(s.offline_inspector);
+	printf("The events below are valid for Falco *Schema Version*: %s\n",
+	       info.driver_schema_version.c_str());
+
+	const libsinsp::events::set<ppm_event_code> available = libsinsp::events::all_event_set().diff(
+	        sc_set_to_event_set(falco::app::ignored_sc_set()));
+	const struct events_by_category events_bc = get_event_entries_by_category(true, available);
+
+	printf("## Syscall events\n\n");
+	print_events(events_bc.syscalls, s.options.markdown);
+
+	printf("\n\n## Tracepoint events\n\n");
+	print_events(events_bc.tracepoints, s.options.markdown);
+
+	printf("\n\n## Plugin events\n\n");
+	print_events(events_bc.pluginevents, s.options.markdown);
+
+	printf("\n\n## Metaevents\n\n");
+	print_events(events_bc.metaevents, s.options.markdown);
+
+	return run_result::exit();
 }

userspace/falco/app/actions/print_version.cpp

@@ -22,22 +22,22 @@ using namespace falco::app;
 using namespace falco::app::actions;
 
 falco::app::run_result falco::app::actions::print_version(falco::app::state& s) {
-	if(s.options.print_version_info) {
-		const falco::versions_info info(s.offline_inspector);
-		if(s.config->m_json_output) {
-			printf("%s\n", info.as_json().dump().c_str());
-		} else {
-			printf("Falco version: %s\n", info.falco_version.c_str());
-			printf("Libs version:  %s\n", info.libs_version.c_str());
-			printf("Plugin API:    %s\n", info.plugin_api_version.c_str());
-			printf("Engine:        %s\n", info.engine_version.c_str());
-			printf("Driver:\n");
-			printf("  API version:    %s\n", info.driver_api_version.c_str());
-			printf("  Schema version: %s\n", info.driver_schema_version.c_str());
-			printf("  Default driver: %s\n", info.default_driver_version.c_str());
-		}
-		return run_result::exit();
+	if(!s.options.print_version_info) {
+		return run_result::ok();
 	}
 
-	return run_result::ok();
+	const falco::versions_info info(s.offline_inspector);
+	if(s.config->m_json_output) {
+		printf("%s\n", info.as_json().dump().c_str());
+	} else {
+		printf("Falco version: %s\n", info.falco_version.c_str());
+		printf("Libs version:  %s\n", info.libs_version.c_str());
+		printf("Plugin API:    %s\n", info.plugin_api_version.c_str());
+		printf("Engine:        %s\n", info.engine_version.c_str());
+		printf("Driver:\n");
+		printf("  API version:    %s\n", info.driver_api_version.c_str());
+		printf("  Schema version: %s\n", info.driver_schema_version.c_str());
+		printf("  Default driver: %s\n", info.default_driver_version.c_str());
+	}
+	return run_result::exit();
 }

userspace/falco/app/actions/process_events.cpp

@@ -260,10 +260,18 @@ static falco::app::run_result do_inspect(
 
 		// Reset the timeouts counter, Falco successfully got an event to process
 		timeouts_since_last_success_or_msg = 0;
+
 		if(duration_start == 0) {
 			duration_start = ev->get_ts();
 		} else if(duration_to_tot_ns > 0) {
-			if(ev->get_ts() - duration_start >= duration_to_tot_ns) {
+			// Highest priority async events (whose timestamp is -1 and get set by sinsp to current
+			// ts) are processed **before** other events, event if already enqueued. This means that
+			// we might find ourself in a situation where we have duration_start whose ts is > then
+			// next ev->get_ts(), leading t ev->get_ts() - duration_start being <0 (and, since we
+			// are unsigned here, huge). The diff should never need to be that large anyway, use a
+			// signed.
+			const int64_t diff = ev->get_ts() - duration_start;
+			if(diff >= (int64_t)duration_to_tot_ns) {
 				break;
 			}
 		}

userspace/falco/app/actions/start_grpc_server.cpp

@@ -27,44 +27,46 @@ using namespace falco::app::actions;
 falco::app::run_result falco::app::actions::start_grpc_server(falco::app::state& s) {
 #if !defined(_WIN32) && !defined(__EMSCRIPTEN__) && !defined(MINIMAL_BUILD)
 	// gRPC server
-	if(s.config->m_grpc_enabled) {
-		if(s.options.dry_run) {
-			falco_logger::log(falco_logger::level::DEBUG,
-			                  "Skipping starting gRPC server in dry-run\n");
-			return run_result::ok();
-		}
-
-		falco_logger::log(falco_logger::level::INFO,
-		                  "gRPC server threadiness equals to " +
-		                          std::to_string(s.config->m_grpc_threadiness) + "\n");
-		// TODO(fntlnz,leodido): when we want to spawn multiple threads we need to have a queue per
-		// thread, or implement different queuing mechanisms, round robin, fanout? What we want to
-		// achieve?
-		s.grpc_server.init(s.config->m_grpc_bind_address,
-		                   s.config->m_grpc_threadiness,
-		                   s.config->m_grpc_private_key,
-		                   s.config->m_grpc_cert_chain,
-		                   s.config->m_grpc_root_certs,
-		                   s.config->m_log_level);
-		s.grpc_server_thread = std::thread([&s] { s.grpc_server.run(); });
+	if(!s.config->m_grpc_enabled) {
+		return run_result::ok();
 	}
+
+	if(s.options.dry_run) {
+		falco_logger::log(falco_logger::level::DEBUG, "Skipping starting gRPC server in dry-run\n");
+		return run_result::ok();
+	}
+
+	falco_logger::log(falco_logger::level::INFO,
+	                  "gRPC server threadiness equals to " +
+	                          std::to_string(s.config->m_grpc_threadiness) + "\n");
+	// TODO(fntlnz,leodido): when we want to spawn multiple threads we need to have a queue per
+	// thread, or implement different queuing mechanisms, round robin, fanout? What we want to
+	// achieve?
+	s.grpc_server.init(s.config->m_grpc_bind_address,
+	                   s.config->m_grpc_threadiness,
+	                   s.config->m_grpc_private_key,
+	                   s.config->m_grpc_cert_chain,
+	                   s.config->m_grpc_root_certs,
+	                   s.config->m_log_level);
+	s.grpc_server_thread = std::thread([&s] { s.grpc_server.run(); });
 #endif
 	return run_result::ok();
 }
 
 falco::app::run_result falco::app::actions::stop_grpc_server(falco::app::state& s) {
 #if !defined(_WIN32) && !defined(__EMSCRIPTEN__) && !defined(MINIMAL_BUILD)
-	if(s.config->m_grpc_enabled) {
-		if(s.options.dry_run) {
-			falco_logger::log(falco_logger::level::DEBUG,
-			                  "Skipping stopping gRPC server in dry-run\n");
-			return run_result::ok();
-		}
+	if(!s.config->m_grpc_enabled) {
+		return run_result::ok();
+	}
 
-		if(s.grpc_server_thread.joinable()) {
-			s.grpc_server.shutdown();
-			s.grpc_server_thread.join();
-		}
+	if(s.options.dry_run) {
+		falco_logger::log(falco_logger::level::DEBUG, "Skipping stopping gRPC server in dry-run\n");
+		return run_result::ok();
+	}
+
+	if(s.grpc_server_thread.joinable()) {
+		s.grpc_server.shutdown();
+		s.grpc_server_thread.join();
 	}
 #endif
 	return run_result::ok();

userspace/falco/app/actions/start_webserver.cpp

@@ -26,39 +26,40 @@ using namespace falco::app::actions;
 
 falco::app::run_result falco::app::actions::start_webserver(falco::app::state& state) {
 #if !defined(_WIN32) && !defined(__EMSCRIPTEN__) && !defined(MINIMAL_BUILD)
-	if(!state.is_capture_mode() && state.config->m_webserver_enabled) {
-		if(state.options.dry_run) {
-			falco_logger::log(falco_logger::level::DEBUG,
-			                  "Skipping starting webserver in dry-run\n");
-			return run_result::ok();
-		}
-
-		falco_configuration::webserver_config webserver_config = state.config->m_webserver_config;
-		std::string ssl_option = (webserver_config.m_ssl_enabled ? " (SSL)" : "");
-		falco_logger::log(falco_logger::level::INFO,
-		                  "Starting health webserver with threadiness " +
-		                          std::to_string(webserver_config.m_threadiness) +
-		                          ", listening on " + webserver_config.m_listen_address + ":" +
-		                          std::to_string(webserver_config.m_listen_port) + ssl_option +
-		                          "\n");
-
-		state.webserver.start(state, webserver_config);
+	if(state.is_capture_mode() || !state.config->m_webserver_enabled) {
+		return run_result::ok();
 	}
+
+	if(state.options.dry_run) {
+		falco_logger::log(falco_logger::level::DEBUG, "Skipping starting webserver in dry-run\n");
+		return run_result::ok();
+	}
+
+	falco_configuration::webserver_config webserver_config = state.config->m_webserver_config;
+	std::string ssl_option = (webserver_config.m_ssl_enabled ? " (SSL)" : "");
+	falco_logger::log(falco_logger::level::INFO,
+	                  "Starting health webserver with threadiness " +
+	                          std::to_string(webserver_config.m_threadiness) + ", listening on " +
+	                          webserver_config.m_listen_address + ":" +
+	                          std::to_string(webserver_config.m_listen_port) + ssl_option + "\n");
+
+	state.webserver.start(state, webserver_config);
 #endif
 	return run_result::ok();
 }
 
 falco::app::run_result falco::app::actions::stop_webserver(falco::app::state& state) {
 #if !defined(_WIN32) && !defined(__EMSCRIPTEN__) && !defined(MINIMAL_BUILD)
-	if(!state.is_capture_mode() && state.config->m_webserver_enabled) {
-		if(state.options.dry_run) {
-			falco_logger::log(falco_logger::level::DEBUG,
-			                  "Skipping stopping webserver in dry-run\n");
-			return run_result::ok();
-		}
-
-		state.webserver.stop();
+	if(state.is_capture_mode() || !state.config->m_webserver_enabled) {
+		return run_result::ok();
 	}
+
+	if(state.options.dry_run) {
+		falco_logger::log(falco_logger::level::DEBUG, "Skipping stopping webserver in dry-run\n");
+		return run_result::ok();
+	}
+
+	state.webserver.stop();
 #endif
 	return run_result::ok();
 }

userspace/falco/app/actions/validate_rules_files.cpp

@@ -26,115 +26,113 @@ using namespace falco::app;
 using namespace falco::app::actions;
 
 falco::app::run_result falco::app::actions::validate_rules_files(falco::app::state& s) {
-	if(s.options.validate_rules_filenames.size() > 0) {
-		std::vector<std::string> rules_contents;
-		falco::load_result::rules_contents_t rc;
+	if(s.options.validate_rules_filenames.size() == 0) {
+		return run_result::ok();
+	}
 
-		try {
-			read_files(s.options.validate_rules_filenames.begin(),
-			           s.options.validate_rules_filenames.end(),
-			           rules_contents,
-			           rc);
-		} catch(falco_exception& e) {
-			return run_result::fatal(e.what());
+	std::vector<std::string> rules_contents;
+	falco::load_result::rules_contents_t rc;
+
+	try {
+		read_files(s.options.validate_rules_filenames.begin(),
+		           s.options.validate_rules_filenames.end(),
+		           rules_contents,
+		           rc);
+	} catch(falco_exception& e) {
+		return run_result::fatal(e.what());
+	}
+
+	bool successful = true;
+
+	// The validation result is *always* printed to
+	// stdout. When json_output is true, the output is in
+	// json format and contains all errors/warnings for
+	// all files.
+	//
+
+	// When json_output is false, it contains a summary of
+	// each file and whether it was valid or not, along
+	// with any errors.  To match older falco behavior,
+	// this *only* contains errors.
+	//
+	// So for each file stdout will contain:
+	//
+	// <filename>: Ok
+	// or
+	// <filename>: Invalid
+	// [All Validation Errors]
+	//
+	// Warnings are only printed to stderr, and only
+	// printed when verbose is true.
+	std::string summary;
+
+	falco_logger::log(falco_logger::level::INFO, "Validating rules file(s):\n");
+	for(const auto& file : s.options.validate_rules_filenames) {
+		falco_logger::log(falco_logger::level::INFO, "   " + file + "\n");
+	}
+
+	// The json output encompasses all files so the
+	// validation result is a single json object.
+	std::string err = "";
+	nlohmann::json results = nlohmann::json::array();
+
+	for(auto& filename : s.options.validate_rules_filenames) {
+		std::unique_ptr<falco::load_result> res;
+
+		res = s.engine->load_rules(rc.at(filename), filename);
+		if(!check_rules_plugin_requirements(s, err)) {
+			return run_result::fatal(err);
 		}
 
-		bool successful = true;
-
-		// The validation result is *always* printed to
-		// stdout. When json_output is true, the output is in
-		// json format and contains all errors/warnings for
-		// all files.
-		//
-
-		// When json_output is false, it contains a summary of
-		// each file and whether it was valid or not, along
-		// with any errors.  To match older falco behavior,
-		// this *only* contains errors.
-		//
-		// So for each file stdout will contain:
-		//
-		// <filename>: Ok
-		// or
-		// <filename>: Invalid
-		// [All Validation Errors]
-		//
-		// Warnings are only printed to stderr, and only
-		// printed when verbose is true.
-		std::string summary;
-
-		falco_logger::log(falco_logger::level::INFO, "Validating rules file(s):\n");
-		for(const auto& file : s.options.validate_rules_filenames) {
-			falco_logger::log(falco_logger::level::INFO, "   " + file + "\n");
-		}
-
-		// The json output encompasses all files so the
-		// validation result is a single json object.
-		std::string err = "";
-		nlohmann::json results = nlohmann::json::array();
-
-		for(auto& filename : s.options.validate_rules_filenames) {
-			std::unique_ptr<falco::load_result> res;
-
-			res = s.engine->load_rules(rc.at(filename), filename);
-			if(!check_rules_plugin_requirements(s, err)) {
-				return run_result::fatal(err);
-			}
-
-			successful &= res->successful();
-
-			if(s.config->m_json_output) {
-				results.push_back(res->as_json(rc));
-			}
-
-			if(summary != "") {
-				summary += "\n";
-			}
-
-			// Add to the summary if not successful, or successful
-			// with no warnings.
-			if(!res->successful() || (res->successful() && !res->has_warnings())) {
-				summary += res->as_string(true, rc);
-			} else {
-				// If here, there must be only warnings.
-				// Add a line to the summary noting that the
-				// file was ok with warnings, without actually
-				// printing the warnings.
-				summary += filename + ": Ok, with warnings";
-				falco_logger::log(falco_logger::level::WARNING, res->as_string(true, rc) + "\n");
-			}
-		}
-
-		// printout of `-L` option
-		nlohmann::json describe_res;
-		if(successful && (s.options.describe_all_rules || !s.options.describe_rule.empty())) {
-			std::string* rptr =
-			        !s.options.describe_rule.empty() ? &(s.options.describe_rule) : nullptr;
-			const auto& plugins = s.offline_inspector->get_plugin_manager()->plugins();
-			describe_res = s.engine->describe_rule(rptr, plugins);
-		}
+		successful &= res->successful();
 
 		if(s.config->m_json_output) {
-			nlohmann::json res;
-			res["falco_load_results"] = results;
-			if(!describe_res.empty() && successful) {
-				res["falco_describe_results"] = std::move(describe_res);
-			}
-			std::cout << res.dump() << std::endl;
-		} else {
-			std::cout << summary << std::endl;
-			if(!describe_res.empty() && successful) {
-				std::cout << std::endl;
-				format_described_rules_as_text(describe_res, std::cout);
-			}
+			results.push_back(res->as_json(rc));
 		}
 
-		if(successful) {
-			return run_result::exit();
+		if(summary != "") {
+			summary += "\n";
+		}
+
+		// Add to the summary if not successful, or successful
+		// with no warnings.
+		if(!res->successful() || (res->successful() && !res->has_warnings())) {
+			summary += res->as_string(true, rc);
 		} else {
-			return run_result::fatal(summary);
+			// If here, there must be only warnings.
+			// Add a line to the summary noting that the
+			// file was ok with warnings, without actually
+			// printing the warnings.
+			summary += filename + ": Ok, with warnings";
+			falco_logger::log(falco_logger::level::WARNING, res->as_string(true, rc) + "\n");
 		}
 	}
 
-	return run_result::ok();
+	// printout of `-L` option
+	nlohmann::json describe_res;
+	if(successful && (s.options.describe_all_rules || !s.options.describe_rule.empty())) {
+		std::string* rptr = !s.options.describe_rule.empty() ? &(s.options.describe_rule) : nullptr;
+		const auto& plugins = s.offline_inspector->get_plugin_manager()->plugins();
+		describe_res = s.engine->describe_rule(rptr, plugins);
+	}
+
+	if(s.config->m_json_output) {
+		nlohmann::json res;
+		res["falco_load_results"] = results;
+		if(!describe_res.empty() && successful) {
+			res["falco_describe_results"] = std::move(describe_res);
+		}
+		std::cout << res.dump() << std::endl;
+	} else {
+		std::cout << summary << std::endl;
+		if(!describe_res.empty() && successful) {
+			std::cout << std::endl;
+			format_described_rules_as_text(describe_res, std::cout);
+		}
+	}
+
+	if(!successful) {
+		return run_result::fatal(summary);
+	}
+	return run_result::exit();
 }

userspace/falco/app/app.cpp

@@ -53,17 +53,17 @@ bool falco::app::run(falco::app::state& s, bool& restart, std::string& errstr) {
 	// called. Before changing the order, ensure that all
 	// dependencies are honored (e.g. don't process events before
 	// loading plugins, opening inspector, etc.).
-	std::list<app_action> run_steps = {
+	std::list<app_action> const run_steps = {
+	        falco::app::actions::print_help,
 	        falco::app::actions::print_config_schema,
 	        falco::app::actions::print_rule_schema,
-	        falco::app::actions::load_config,
-	        falco::app::actions::print_help,
-	        falco::app::actions::print_kernel_version,
-	        falco::app::actions::print_version,
-	        falco::app::actions::print_page_size,
 	        falco::app::actions::print_generated_gvisor_config,
 	        falco::app::actions::print_ignored_events,
 	        falco::app::actions::print_syscall_events,
+	        falco::app::actions::load_config,
+	        falco::app::actions::print_kernel_version,
+	        falco::app::actions::print_version,
+	        falco::app::actions::print_page_size,
 	        falco::app::actions::require_config_file,
 	        falco::app::actions::print_plugin_info,
 	        falco::app::actions::list_plugins,
@@ -87,7 +87,7 @@ bool falco::app::run(falco::app::state& s, bool& restart, std::string& errstr) {
 	        falco::app::actions::process_events,
 	};
 
-	std::list<app_action> teardown_steps = {
+	std::list<app_action> const teardown_steps = {
 	        falco::app::actions::unregister_signal_handlers,
 	        falco::app::actions::stop_grpc_server,
 	        falco::app::actions::stop_webserver,

userspace/falco/app/options.cpp

@@ -73,10 +73,6 @@ bool options::parse(int argc, char **argv, std::string &errstr) {
 		}
 	}
 
-	if(m_cmdline_parsed.count("b") > 0) {
-		print_base64 = true;
-	}
-
 	if(m_cmdline_parsed.count("r") > 0) {
 		for(auto &path : m_cmdline_parsed["r"].as<std::vector<std::string>>()) {
 			rules_filenames.push_back(path);
@@ -104,15 +100,13 @@ void options::define(cxxopts::Options& opts)
 #endif
 		("config-schema",            "Print the config json schema and exit.", cxxopts::value(print_config_schema)->default_value("false"))
 		("rule-schema",              "Print the rule json schema and exit.", cxxopts::value(print_rule_schema)->default_value("false"))
-		("A",                        "DEPRECATED: use -o base_syscalls.all=true instead. Monitor all events supported by Falco and defined in rules and configs. Some events are ignored by default when -A is not specified (the -i option lists these events ignored). Using -A can impact performance. This option has no effect when reproducing events from a capture file.", cxxopts::value(all_events)->default_value("false"))
-		("b,print-base64",           "DEPRECATED: use -o buffer_format_base64=true. Print data buffers in base64. This is useful for encoding binary data that needs to be used over media designed to consume this format.")
 		("disable-source",           "Turn off a specific <event_source>. By default, all loaded sources get enabled. Available sources are 'syscall' plus all sources defined by loaded plugins supporting the event sourcing capability. This option can be passed multiple times, but turning off all event sources simultaneously is not permitted. This option can not be mixed with --enable-source. This option has no effect when reproducing events from a capture file.", cxxopts::value(disable_sources), "<event_source>")
 		("dry-run",                  "Run Falco without processing events. It can help check that the configuration and rules do not have any errors.", cxxopts::value(dry_run)->default_value("false"))
 		("enable-source",            "Enable a specific <event_source>. By default, all loaded sources get enabled. Available sources are 'syscall' plus all sources defined by loaded plugins supporting the event sourcing capability. This option can be passed multiple times. When using this option, only the event sources specified by it will be enabled. This option can not be mixed with --disable-source. This option has no effect when reproducing events from a capture file.", cxxopts::value(enable_sources), "<event_source>")
 #ifdef HAS_GVISOR
 		("gvisor-generate-config",   "Generate a configuration file that can be used for gVisor and exit. See --gvisor-config for more details.", cxxopts::value<std::string>(gvisor_generate_config_with_socket)->implicit_value("/run/falco/gvisor.sock"), "<socket_path>")
 #endif
-		("i",                        "Print those events that are ignored by default for performance reasons and exit. See -A for more details.", cxxopts::value(print_ignored_events)->default_value("false"))
+		("i",                        "Print those events that are ignored by default for performance reasons and exit.", cxxopts::value(print_ignored_events)->default_value("false"))
 		("L",                        "Show the name and description of all rules and exit. If json_output is set to true, it prints details about all rules, macros, and lists in JSON format.", cxxopts::value(describe_all_rules)->default_value("false"))
 		("l",                        "Show the name and description of the rule specified <rule> and exit. If json_output is set to true, it prints details about the rule in JSON format.", cxxopts::value(describe_rule), "<rule>")
 		("list",                     "List all defined fields and exit. If <source> is provided, only list those fields for the source <source>. Current values for <source> are \"syscall\" or any source from a configured plugin with event sourcing capability.", cxxopts::value(list_source_fields)->implicit_value(""), "<source>")
@@ -126,7 +120,6 @@ void options::define(cxxopts::Options& opts)
 		("p,print",                  "Print (or replace) additional information in the rule's output.\nUse -pc or -pcontainer to append container details to syscall events.\nUse -pk or -pkubernetes to add both container and Kubernetes details to syscall events.\nIf using gVisor, choose -pcg or -pkg variants (or -pcontainer-gvisor and -pkubernetes-gvisor, respectively).\nIf a syscall rule's output contains %container.info, it will be replaced with the corresponding details. Otherwise, these details will be directly appended to the rule's output.\nAlternatively, use -p <output_format> for a custom format. In this case, the given <output_format> will be appended to the rule's output without any replacement to all events, including plugin events.", cxxopts::value(print_additional), "<output_format>")
 		("P,pidfile",                "Write PID to specified <pid_file> path. By default, no PID file is created.", cxxopts::value(pidfilename)->default_value(""), "<pid_file>")
 		("r",                        "Rules file or directory to be loaded. This option can be passed multiple times. Falco defaults to the values in the configuration file when this option is not specified.", cxxopts::value<std::vector<std::string>>(), "<rules_file>")
-		("S,snaplen",                "DEPRECATED: use -o falco_libs.snaplen=<len> instead. Collect only the first <len> bytes of each I/O buffer for 'syscall' events. By default, the first 80 bytes are collected by the driver and sent to the user space for processing. Use this option with caution since it can have a strong performance impact.", cxxopts::value(snaplen)->default_value("0"), "<len>")
 		("support",                  "Print support information, including version, rules files used, loaded configuration, etc., and exit. The output is in JSON format.", cxxopts::value(print_support)->default_value("false"))
 		("U,unbuffered",             "Turn off output buffering for configured outputs. This causes every single line emitted by Falco to be flushed, which generates higher CPU usage but is useful when piping those outputs into another process or a script.", cxxopts::value(unbuffered_outputs)->default_value("false"))
 		("V,validate",               "Read the contents of the specified <rules_file> file(s), validate the loaded rules, and exit. This option can be passed multiple times to validate multiple files.", cxxopts::value(validate_rules_filenames), "<rules_file>")

userspace/falco/app/options.h

@@ -45,9 +45,7 @@ public:
 	bool print_config_schema = false;
 	bool print_rule_schema = false;
 	std::string conf_filename;
-	bool all_events = false;
 	sinsp_evt::param_fmt event_buffer_format = sinsp_evt::PF_NORMAL;
-	bool print_base64 = false;
 	std::vector<std::string> disable_sources;
 	std::vector<std::string> enable_sources;
 	std::string gvisor_generate_config_with_socket;
@@ -67,7 +65,6 @@ public:
 	std::string pidfilename;
 	// Rules list as passed by the user, via cmdline option '-r'
 	std::list<std::string> rules_filenames;
-	uint64_t snaplen = 0;
 	bool print_support = false;
 	bool unbuffered_outputs = false;
 	std::vector<std::string> validate_rules_filenames;

userspace/falco/configuration.cpp

@@ -96,12 +96,7 @@ falco_configuration::falco_configuration():
         m_metrics_flags(0),
         m_metrics_convert_memory_to_mb(true),
         m_metrics_include_empty_values(false),
-        m_plugins_hostinfo(true),
-        m_container_engines_mask(0),
-        m_container_engines_disable_cri_async(false),
-        m_container_engines_cri_socket_paths({"/run/containerd/containerd.sock",
-                                              "/run/crio/crio.sock",
-                                              "/run/k3s/containerd/containerd.sock"}) {
+        m_plugins_hostinfo(true) {
 	m_config_schema = nlohmann::json::parse(config_schema_string);
 }
 
@@ -133,12 +128,20 @@ config_loaded_res falco_configuration::init_from_file(
 		std::cerr << "Cannot read config file (" + conf_filename + "): " + e.what() + "\n";
 		throw e;
 	}
-	init_cmdline_options(cmdline_options);
 
 	// Only report top most schema validation status
 	res[conf_filename] = validation_status[0];
 
+	// Load any `-o config_files=foo.yaml` cmdline additional option
+	load_cmdline_config_files(cmdline_options);
+
+	// Merge all config files (both from main falco.yaml and `-o config_files=foo.yaml`)
 	merge_config_files(conf_filename, res);
+
+	// Load all other `-o` cmdline options to override any config key
+	init_cmdline_options(cmdline_options);
+
+	// Finally load the parsed config to our structure
 	load_yaml(conf_filename);
 
 	return res;
@@ -210,8 +213,8 @@ void falco_configuration::init_logger() {
 	m_log_level = m_config.get_scalar<std::string>("log_level", "info");
 	falco_logger::set_level(m_log_level);
 	falco_logger::set_sinsp_logging(
-	        m_config.get_scalar<bool>("libs_logger.enabled", false),
-	        m_config.get_scalar<std::string>("libs_logger.severity", "debug"),
+	        m_config.get_scalar<bool>("libs_logger.enabled", true),
+	        m_config.get_scalar<std::string>("libs_logger.severity", "info"),
 	        "[libs]: ");
 	falco_logger::log_stderr = m_config.get_scalar<bool>("log_stderr", false);
 	falco_logger::log_syslog = m_config.get_scalar<bool>("log_syslog", true);
@@ -690,33 +693,6 @@ void falco_configuration::load_yaml(const std::string &config_name) {
 	}
 
 	m_watch_config_files = m_config.get_scalar<bool>("watch_config_files", true);
-
-	if(m_config.get_scalar<bool>("container_engines.docker.enabled", true)) {
-		m_container_engines_mask |= (1 << CT_DOCKER);
-	}
-	if(m_config.get_scalar<bool>("container_engines.podman.enabled", true)) {
-		m_container_engines_mask |= (1 << CT_PODMAN);
-	}
-	if(m_config.get_scalar<bool>("container_engines.cri.enabled", true)) {
-		m_container_engines_mask |= ((1 << CT_CRI) | (1 << CT_CRIO) | (1 << CT_CONTAINERD));
-		m_container_engines_cri_socket_paths.clear();
-		m_config.get_sequence<std::vector<std::string>>(m_container_engines_cri_socket_paths,
-		                                                "container_engines.cri.sockets");
-		m_container_engines_disable_cri_async =
-		        m_config.get_scalar<bool>("container_engines.cri.disable-cri-async", false);
-	}
-	if(m_config.get_scalar<bool>("container_engines.lxc.enabled", true)) {
-		m_container_engines_mask |= (1 << CT_LXC);
-	}
-	if(m_config.get_scalar<bool>("container_engines.libvirt_lxc.enabled", true)) {
-		m_container_engines_mask |= (1 << CT_LIBVIRT_LXC);
-	}
-	if(m_config.get_scalar<bool>("container_engines.rocket.enabled", true)) {
-		m_container_engines_mask |= (1 << CT_RKT);
-	}
-	if(m_config.get_scalar<bool>("container_engines.bpm.enabled", true)) {
-		m_container_engines_mask |= (1 << CT_BPM);
-	}
 }
 
 void falco_configuration::read_rules_file_directory(const std::string &path,
@@ -766,6 +742,16 @@ static bool split(const std::string &str, char delim, std::pair<std::string, std
 	return true;
 }
 
+void falco_configuration::load_cmdline_config_files(
+        const std::vector<std::string> &cmdline_options) {
+	for(const std::string &option : cmdline_options) {
+		// Set all config_files options
+		if(option.rfind(yaml_helper::configs_key, 0) == 0) {
+			set_cmdline_option(option);
+		}
+	}
+}
+
 void falco_configuration::init_cmdline_options(const std::vector<std::string> &cmdline_options) {
 	for(const std::string &option : cmdline_options) {
 		set_cmdline_option(option);

userspace/falco/configuration.h

@@ -199,11 +199,6 @@ public:
 	std::vector<plugin_config> m_plugins;
 	bool m_plugins_hostinfo;
 
-	// container engines
-	uint64_t m_container_engines_mask;
-	uint64_t m_container_engines_disable_cri_async;
-	std::vector<std::string> m_container_engines_cri_socket_paths;
-
 	// Falco engine
 	engine_kind_t m_engine_mode = engine_kind_t::KMOD;
 	kmod_config m_kmod = {};
@@ -221,6 +216,8 @@ private:
 	void init_logger();
 	void load_engine_config(const std::string& config_name);
 	void init_cmdline_options(const std::vector<std::string>& cmdline_options);
+	void load_cmdline_config_files(const std::vector<std::string>& cmdline_options);
+
 	/**
 	 * Given a <key>=<value> specifier, set the appropriate option
 	 * in the underlying yaml config. <key> can contain '.'

userspace/falco/falco_outputs.h

@@ -19,6 +19,7 @@ limitations under the License.
 
 #include <memory>
 #include <map>
+#include <thread>
 
 #include "falco_common.h"
 #include "falco_engine.h"

userspace/falco/outputs_http.h

@@ -18,6 +18,8 @@ limitations under the License.
 #pragma once
 
 #include "outputs.h"
+#include <curl/curl.h>
+#include <curl/easy.h>
 
 namespace falco {
 namespace outputs {

userspace/falco/stats_writer.cpp

@@ -461,6 +461,7 @@ void stats_writer::collector::get_metrics_output_fields_additional(
 					        METRIC_VALUE_UNIT_MEMORY_BYTES,
 					        METRIC_VALUE_METRIC_TYPE_MONOTONIC,
 					        val);
+#if defined(__linux__) and !defined(MINIMAL_BUILD) and !defined(__EMSCRIPTEN__)
 					if(m_writer->m_config->m_metrics_convert_memory_to_mb &&
 					   m_writer->m_output_rule_metrics_converter) {
 						m_writer->m_output_rule_metrics_converter
@@ -469,6 +470,9 @@ void stats_writer::collector::get_metrics_output_fields_additional(
 					} else {
 						output_fields[metric.name] = metric.value.u64;
 					}
+#else
+					output_fields[metric.name] = metric.value.u64;
+#endif
 				}
 			}
 		}