chore(ci): properly checkout pull request HEAD instead of merge commit in gh actions.

See https://github.com/actions/checkout#checkout-pull-request-head-commit-instead-of-merge-commit.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

.circleci/OWNERS

@@ -1,4 +1,2 @@
-approvers:
-  - jonahjon
-reviewers:
+emeritus_approvers:
   - jonahjon

.cmake-format

@@ -7,7 +7,7 @@ line_width = 120
 # How many spaces to tab for indent
 tab_size = 2
 
-# If arglists are longer than this, break them always
+# If arg lists are longer than this, break them always
 max_subargs_per_line = 3
 
 # If true, separate flow control names from their parentheses with a space
@@ -21,7 +21,7 @@ separate_fn_name_with_space = False
 dangle_parens = False
 
 # If the statement spelling length (including space and parenthesis is larger
-# than the tab width by more than this amoung, then force reject un-nested
+# than the tab width by more than this among, then force reject un-nested
 # layouts.
 max_prefix_chars = 2
 
@@ -54,7 +54,7 @@ always_wrap = []
 algorithm_order = [0, 1, 2, 3, 4]
 
 # If true, the argument lists which are known to be sortable will be sorted
-# lexicographicall
+# lexicographically
 enable_sort = True
 
 # If true, the parsers may infer whether or not an argument list is sortable

.codespellignore

@@ -0,0 +1,4 @@
+aks
+creat
+chage
+ro

.github/PULL_REQUEST_TEMPLATE.md

@@ -22,6 +22,8 @@
 
 > /kind feature
 
+> /kind release
+
 > If contributing rules or changes to rules, please make sure to also uncomment one of the following line:
 
 > /kind rule-update
@@ -46,6 +48,8 @@ Please remove the leading whitespace before the `/kind <>` you uncommented.
 
 > /area proposals
 
+> /area CI
+
 <!--
 Please remove the leading whitespace before the `/area <>` you uncommented.
 -->

.github/workflows/ci.yml

@@ -0,0 +1,175 @@
+name: CI Build
+on:
+  pull_request:
+    branches: [master]
+  push:
+    branches: [master]
+  workflow_dispatch:
+
+jobs:
+  build-minimal:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Update base image
+        run: sudo apt update -y
+
+      - name: Install build dependencies
+        run: sudo DEBIAN_FRONTEND=noninteractive apt install libjq-dev libyaml-cpp-dev libelf-dev cmake build-essential git -y
+
+      - name: Prepare project
+        run: |
+          mkdir build-minimal
+          pushd build-minimal
+          cmake -DMINIMAL_BUILD=On -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release ..
+          popd
+
+      - name: Build
+        run: |
+          pushd build-minimal
+          make -j4 all
+          popd
+
+      - name: Run unit tests
+        run: |
+          pushd build-minimal
+          make tests
+          popd
+
+  build-ubuntu-focal:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Update base image
+        run: sudo apt update -y
+
+      - name: Install build dependencies
+        run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm git -y
+
+      - name: Prepare project
+        run: |
+          mkdir build
+          pushd build
+          cmake -DBUILD_BPF=On ..
+          popd
+
+      - name: Build
+        run: |
+          pushd build
+          KERNELDIR=/lib/modules/$(uname -r)/build make -j4 all
+          popd
+
+      - name: Run unit tests
+        run: |
+          pushd build
+          make tests
+          popd
+
+  build-ubuntu-focal-debug:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Update base image
+        run: sudo apt update -y
+
+      - name: Install build dependencies
+        run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm git -y
+
+      - name: Prepare project
+        run: |
+          mkdir build
+          pushd build
+          cmake -DCMAKE_BUILD_TYPE=debug -DBUILD_BPF=On ..
+          popd
+
+      - name: Build
+        run: |
+          pushd build
+          KERNELDIR=/lib/modules/$(uname -r)/build make -j4 all
+          popd
+
+      - name: Run unit tests
+        run: |
+          pushd build
+          make tests
+          popd
+
+  build-ubuntu-bionic:
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Update base image
+        run: sudo apt update -y
+
+      - name: Install build dependencies
+        run: sudo DEBIAN_FRONTEND=noninteractive apt install cmake build-essential clang llvm git linux-headers-$(uname -r) pkg-config autoconf libtool libelf-dev -y
+
+      - name: Prepare project
+        run: |
+          mkdir build
+          pushd build
+          cmake -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=On ..
+          popd
+
+      - name: Build
+        run: |
+          pushd build
+          KERNELDIR=/lib/modules/$(uname -r)/build make -j4 all
+          popd
+
+      - name: Run unit tests
+        run: |
+          pushd build
+          make tests
+          popd
+
+  build-centos7-debug:
+    runs-on: ubuntu-latest
+    container:
+      image: falcosecurity/falco-builder:latest
+      env:
+        BUILD_TYPE: "debug"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          path: falco
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Link falco repo to /source/falco
+        run: |
+          mkdir -p /source
+          ln -s "$GITHUB_WORKSPACE/falco" /source/falco
+  
+      - name: Prepare project
+        run: /usr/bin/entrypoint cmake
+
+      - name: Build
+        run: /usr/bin/entrypoint all
+
+      - name: Run unit tests
+        run: /usr/bin/entrypoint tests
+
+      - name: Build packages
+        run: /usr/bin/entrypoint package

.github/workflows/codeql.yaml

@@ -0,0 +1,75 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "master" ]
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-20.04
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'cpp' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        
+        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+    - name: Update base image
+      run: sudo apt update -y
+
+    - name: Install build dependencies
+      run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm git -y
+
+    - name: Prepare project
+      run: |
+          mkdir build
+          pushd build
+          cmake -DBUILD_BPF=On ..
+          popd
+
+    - name: Build
+      run: |
+          pushd build
+          KERNELDIR=/lib/modules/$(uname -r)/build make -j4 all
+          popd
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2

.github/workflows/codespell.yml

@@ -0,0 +1,14 @@
+name: Codespell
+on:
+  pull_request:
+jobs:
+  codespell:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - uses: codespell-project/actions-codespell@master
+      with:
+        skip: .git
+        ignore_words_file: .codespellignore
+        check_filenames: true
+        check_hidden: false

.gitignore

@@ -12,6 +12,4 @@ test/build
 
 .vscode/*
 
-.luacheckcache
-
 *.idea*

.luacheckrc

@@ -1,8 +0,0 @@
-std = "min"
-cache = true
-include_files = {
-    "userspace/engine/lua/*.lua",
-    "userspace/engine/lua/lyaml/*.lua",
-    "*.luacheckrc"
-}
-exclude_files = {"build"}

ADOPTERS.md

@@ -24,25 +24,29 @@ This is a list of production adopters of Falco (in alphabetical order):
 
 * [Coveo](https://www.coveo.com/) - Coveo stitches together content and data, learning from every interaction, to tailor every experience using AI to drive growth, satisfy customers and develop employee proficiency. All Falco events are centralized in our SIEM for analysis. Understanding what is running on production servers, and the context around why things are running is even more tricky now that we have further abstractions with containers and orchestration systems. Falco is giving us a good visibility inside containers and complement other Host and Network Intrusion Detection Systems. In a near future, we expect to deploy serverless functions to take action when Falco identifies patterns worth taking action for.
 
+* [Fairwinds](https://fairwinds.com/) - [Fairwinds Insights](https://fairwinds.com/insights), Kubernetes governance software, integrates Falco to offer a single pane of glass view into potential security incidents. Insights adds out-of-the-box integrations and rules filter to reduce alert fatigue and improve security response. The platform adds security prevention, detection, and response capabilities to your existing Kubernetes infrastructure. Security and DevOps teams benefit from a centralized view of container security vulnerability scanning and runtime container security.
+
 * [Frame.io](https://frame.io/) - Frame.io is a cloud-based (SaaS) video review and collaboration platform that enables users to securely upload source media, work-in-progress edits, dailies, and more into private workspaces where they can invite their team and clients to collaborate on projects. Understanding what is running on production servers, and the context around why things are running is even more tricky now that we have further abstractions like Docker and Kubernetes. To get this needed visibility into our system, we rely on Falco. Falco's ability to collect raw system calls such as open, connect, exec, along with their arguments offer key insights on what is happening on the production system and became the foundation of our intrusion detection and alerting system.
 
 * [Giant Swarm](https://www.giantswarm.io/) - Giant Swarm manages Kubernetes clusters and infrastructure for enterprises across multiple cloud providers as well as several flavors of on-premises data centers. Our platform provisions and monitors pure "vanilla" Kubernetes clusters which can be augmented with managed solutions to many common Kubernetes challenges, including security. We use Falco for anomaly detection as part of our collection of entirely open-source tools for securing our own clusters, and offer the same capabilities to our customers as part of our [managed security offering](https://docs.giantswarm.io/app-platform/apps/security/).
 
 * [GitLab](https://about.gitlab.com/direction/defend/container_host_security/) - GitLab is a complete DevOps platform, delivered as a single application, fundamentally changing the way Development, Security, and Ops teams collaborate. GitLab Ultimate provides the single tool teams need to find, triage, and fix vulnerabilities in applications, services, and cloud-native environments enabling them to manage their risk. This provides them with repeatable, defensible processes that automate security and compliance policies. GitLab includes a tight integration with Falco, allowing users to defend their containerized applications from attacks while running in production.
 
+* [gVisor](https://gvisor.dev/) - gVisor secures Kubernetes, containers, and workloads via an alternate execution environment that handles system calls in user space, blocking security issues before they reach the underlying host. gVisor provides defense-in-depth, protection against untrusted code execution, and a secure-by-default Kubernetes experience where containers are a security boundary. Falco can be used with gVisor to detect unusual or suspicious activity using its threat detection engine on top of gVisor runtime execution information.
+
 * [League](https://league.com/ca/) - League provides health benefits management services to help employees understand and get the most from their benefits, and employers to provide effective, efficient plans. Falco is used to monitor our deployed services on Kubernetes, protecting against malicious access to containers which could lead to leaks of PHI or other sensitive data. The Falco alerts are logged in Stackdriver for grouping and further analysis. In the future, we're hoping for integrations with Prometheus and AlertManager as well.
 
 * [Logz.io](https://logz.io/) - Logz.io is a cloud observability platform for modern engineering teams. The Logz.io platform consists of three products — Log Management, Infrastructure Monitoring, and Cloud SIEM — that work together to unify the jobs of monitoring, troubleshooting, and security. We empower engineers to deliver better software by offering the world's most popular open source observability tools — the ELK Stack, Grafana, and Jaeger — in a single, easy to use, and powerful platform purpose-built for monitoring distributed cloud environments. Cloud SIEM supports data from multiple sources, including Falco's alerts, and offers useful rules and dashboards content to visualize and manage incidents across your systems in a unified UI.
   * https://logz.io/blog/k8s-security-with-falco-and-cloud-siem/
 
-* [MathWorks](https://mathworks.com) - MathWorks develops mathematical computing software for engineers and scientists. MathWorks uses Falco for Kubernetes threat detection, unexpected application behavior, and maps Falco rules to their cloud infrastructure's security kill chain model. MathWorks presented their Falco use case at [KubeCon + CloudNativeCon North America 2020](https://www.youtube.com/watch?v=L-5RYBTV010).  
+* [MathWorks](https://mathworks.com) - MathWorks develops mathematical computing software for engineers and scientists. MathWorks uses Falco for Kubernetes threat detection, unexpected application behavior, and maps Falco rules to their cloud infrastructure's security kill chain model. MathWorks presented their Falco use case at [KubeCon + CloudNativeCon North America 2020](https://www.youtube.com/watch?v=L-5RYBTV010).
 
 * [Pocteo](https://pocteo.co) - Pocteo helps with Kubernetes adoption in enterprises by providing a variety of services such as training, consulting, auditing and mentoring. We build CI/CD pipelines the GitOps way, as well as design and run k8s clusters. Pocteo uses Falco as a runtime monitoring system to secure clients' workloads against suspicious behavior and ensure k8s pods immutability. We also use Falco to collect, process and act on security events through a response engine and serverless functions.
 
-* [Preferral](https://www.preferral.com) - Preferral is a HIPAA-compliant platform for Referral Management and Online Referral Forms. Preferral streamlines the referral process for patients, specialists and their referral partners. By automating the referral process, referring practices spend less time on the phone, manual efforts are eliminated, and patients get the right care from the right specialist. Preferral leverages Falco to provide a Host Intrusion Detection System to meet their HIPPA compliance requirements.
+* [Preferral](https://www.preferral.com) - Preferral is a HIPAA-compliant platform for Referral Management and Online Referral Forms. Preferral streamlines the referral process for patients, specialists and their referral partners. By automating the referral process, referring practices spend less time on the phone, manual efforts are eliminated, and patients get the right care from the right specialist. Preferral leverages Falco to provide a Host Intrusion Detection System to meet their HIPAA compliance requirements.
   * https://hipaa.preferral.com/01-preferral_hipaa_compliance/
 
-* [Qonto](https://qonto.com) - Qonto is a modern banking for SMEs and freelancers. Qonto provides a fully featured business account with a simplified accounting flow. Falco is used by our SecOps team to detect suspicous behaviors in our clusters.
+* [Qonto](https://qonto.com) - Qonto is a modern banking for SMEs and freelancers. Qonto provides a fully featured business account with a simplified accounting flow. Falco is used by our SecOps team to detect suspicious behaviors in our clusters.
 
 * [Raft](https://goraft.tech) - Raft is a government contractor that offers cloud-native solutions across many different agencies including DoD (Department of Defense), HHS (Health and Human Services), as well as within CFPB (Consumer Finance Protection Bureau). Raft leverages Falco to detect threats in our client's Kubernetes clusters and as a Host Intrusion Detection System. Raft proudly recommends Falco across all our different projects.
 
@@ -66,12 +70,16 @@ This is a list of production adopters of Falco (in alphabetical order):
 
 * [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call driver. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended Falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-defined infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.
 
+* [Xenit AB](https://xenit.se/contact/) Xenit is a growth company with services within cloud and digital transformation. We provide an open-source Kubernetes framework that we leverage to help our customers get their applications to production as quickly and as securely as possible. We use Falco's detection capabilities to identify anomalous behaviour within our clusters in both Azure and AWS.
+
 ## Projects that use Falco libs
 
 * [R6/Phoenix](https://r6security.com/) is an attack surface protection company that uses moving target defense to provide fully automated, proactive and devops friendly security to its customers. There are a set of policies you can add to enable the moving target defense capabilities. Some of them are triggered by a combination of Falco's findings. You can kill, restart and rename pods according to the ever changing policies.
 
 * [SysFlow](https://sysflow.io) SysFlow is a cloud-native system telemetry framework that focuses on data abstraction, behavioral analytics, and noise reduction. At its core, SysFlow exposes a compact open telemetry format that records workload behaviors by connecting event and flow representations of process control flows, file interactions, and network communications. The resulting abstraction encodes a graph structure that enables provenance reasoning on host and container environments, and fast retrieval of security-relevant information.
 
+* [StackRox](https://stackrox.io) is the industry’s first Kubernetes-native security platform enabling organizations to build, deploy, and run cloud-native applications securely. The platform works with Kubernetes environments and integrates with DevOps and security tools, enabling teams to operationalize and secure their supply chain, infrastructure, and workloads. StackRox aims to harness containerized applications’ development speed while giving operations and security teams greater context and risk profiling. StackRox leverages cloud-native principles and declarative artifacts to automate DevSecOps best practices.
+
 ## Adding a name
 
 If you would like to add your name to this file, submit a pull request with your change.

CHANGELOG.md

@@ -1,5 +1,371 @@
 # Change Log
 
+## v0.33.1
+
+Released on 2022-11-24
+
+### Minor Changes
+
+* update(falco): fix container-gvisor and kubernetes-gvisor print options [[#2288](https://github.com/falcosecurity/falco/pull/2288)]
+* Update libs to 0.9.2, fixing potential CLBO on gVisor+Kubernetes and crash with eBPF when some CPUs are offline [[#2299](https://github.com/falcosecurity/falco/pull/2299)] - [@LucaGuerra](https://github.com/LucaGuerra)
+
+## v0.33.0
+
+Released on 2022-10-19
+
+### Major Changes
+
+
+* new: add a `drop_pct` referred to the global number of events [[#2130](https://github.com/falcosecurity/falco/pull/2130)] - [@Andreagit97](https://github.com/Andreagit97)
+* new: print some info about eBPF and enabled sources when Falco starts [[#2133](https://github.com/falcosecurity/falco/pull/2133)] - [@Andreagit97](https://github.com/Andreagit97)
+* new(userspace): print architecture information [[#2147](https://github.com/falcosecurity/falco/pull/2147)] - [@Andreagit97](https://github.com/Andreagit97)
+* new(CI): add CodeQL security scanning to Falco. [[#2171](https://github.com/falcosecurity/falco/pull/2171)] - [@Andreagit97](https://github.com/Andreagit97)
+* new: configure syscall buffer dimension from Falco [[#2214](https://github.com/falcosecurity/falco/pull/2214)] - [@Andreagit97](https://github.com/Andreagit97)
+* new(cmdline): add development support for modern BPF probe [[#2221](https://github.com/falcosecurity/falco/pull/2221)] - [@Andreagit97](https://github.com/Andreagit97)
+* new(falco-driver-loader): `DRIVERS_REPO` now supports the use of multiple download URLs (comma separated) [[#2165](https://github.com/falcosecurity/falco/pull/2165)] - [@IanRobertson-wpe](https://github.com/IanRobertson-wpe)
+* new(userspace/engine): support alternative plugin version requirements in checks [[#2190](https://github.com/falcosecurity/falco/pull/2190)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* new: support running multiple event sources in parallel [[#2182](https://github.com/falcosecurity/falco/pull/2182)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* new(userspace/falco): automatically create paths for grpc unix socket and gvisor endpoint. [[#2189](https://github.com/falcosecurity/falco/pull/2189)] - [@FedeDP](https://github.com/FedeDP)
+* new(scripts): allow falco-driver-loader to properly distinguish any ubuntu flavor [[#2178](https://github.com/falcosecurity/falco/pull/2178)] - [@FedeDP](https://github.com/FedeDP)
+* new: add option to enable event sources selectively [[#2085](https://github.com/falcosecurity/falco/pull/2085)] - [@jasondellaluce](https://github.com/jasondellaluce)
+
+
+### Minor Changes
+
+* docs(falco-driver-loader): add some comments in `falco-driver-loader` [[#2153](https://github.com/falcosecurity/falco/pull/2153)] - [@Andreagit97](https://github.com/Andreagit97)
+* update(cmake): use latest libs tag `0.9.0` [[#2257](https://github.com/falcosecurity/falco/pull/2257)] - [@Andreagit97](https://github.com/Andreagit97)
+* update(.circleci): re-enabled cppcheck [[#2186](https://github.com/falcosecurity/falco/pull/2186)] - [@leogr](https://github.com/leogr)
+* update(userspace/engine): improve falco files loading performance [[#2151](https://github.com/falcosecurity/falco/pull/2151)] - [@VadimZy](https://github.com/VadimZy)
+* update(cmake): use latest driver tag 3.0.1+driver [[#2251](https://github.com/falcosecurity/falco/pull/2251)] - [@Andreagit97](https://github.com/Andreagit97)
+* update(userspace/falco)!: adapt stats writer for multiple parallel event sources [[#2182](https://github.com/falcosecurity/falco/pull/2182)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* refactor(userspace/engine): remove falco engine APIs that returned a required_engine_version [[#2096](https://github.com/falcosecurity/falco/pull/2096)] - [@mstemm](https://github.com/mstemm)
+* update(userspace/engine): add some small changes to rules matching that reduce cpu usage with high event volumes (> 1M syscalls/sec) [[#2210](https://github.com/falcosecurity/falco/pull/2210)] - [@mstemm](https://github.com/mstemm)
+* rules: added process IDs to default rules [[#2211](https://github.com/falcosecurity/falco/pull/2211)] - [@spyder-kyle](https://github.com/spyder-kyle)
+* update(scripts/debian): falco.service systemd unit is now cleaned-up during (re)install and removal via the DEB and RPM packages [[#2138](https://github.com/falcosecurity/falco/pull/2138)] - [@Happy-Dude](https://github.com/Happy-Dude)
+* update(userspace/falco): move on from deprecated libs API for printing event list [[#2253](https://github.com/falcosecurity/falco/pull/2253)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* chore(userspace/falco): improve cli helper and log options with debug level [[#2252](https://github.com/falcosecurity/falco/pull/2252)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(userspace): minor pre-release improvements [[#2236](https://github.com/falcosecurity/falco/pull/2236)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update: bumped libs to fd46dd139a8e35692a7d40ab2f0ed2016df827cf. [[#2201](https://github.com/falcosecurity/falco/pull/2201)] - [@FedeDP](https://github.com/FedeDP)
+* update!: gVisor sock default path changed from `/tmp/gvisor.sock` to `/run/falco/gvisor.sock`  [[#2163](https://github.com/falcosecurity/falco/pull/2163)] - [@vjjmiras](https://github.com/vjjmiras)
+* update!: gRPC server sock default path changed from `/run/falco.sock.sock` to `/run/falco/falco.sock` [[#2163](https://github.com/falcosecurity/falco/pull/2163)] - [@vjjmiras](https://github.com/vjjmiras)
+* update(scripts/falco-driver-loader): minikube environment is now correctly detected [[#2191](https://github.com/falcosecurity/falco/pull/2191)] - [@alacuku](https://github.com/alacuku)
+* update(rules/falco_rules.yaml): `required_engine_version` changed to 13 [[#2179](https://github.com/falcosecurity/falco/pull/2179)] - [@incertum](https://github.com/incertum)
+* refactor(userspace/falco): re-design stats writer and make it thread-safe [[#2109](https://github.com/falcosecurity/falco/pull/2109)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* refactor(userspace/falco): make signal handlers thread safe [[#2091](https://github.com/falcosecurity/falco/pull/2091)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* refactor(userspace/engine): strengthen and document thread-safety guarantees of falco_engine::process_event [[#2082](https://github.com/falcosecurity/falco/pull/2082)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(userspace/falco): make webserver threadiness configurable [[#2090](https://github.com/falcosecurity/falco/pull/2090)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* refactor(userspace/falco): reduce app actions dependency on app state and inspector [[#2097](https://github.com/falcosecurity/falco/pull/2097)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(userspace/falco): use move semantics in falco logger [[#2095](https://github.com/falcosecurity/falco/pull/2095)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update: use `FALCO_HOSTNAME` env var to override the hostname value [[#2174](https://github.com/falcosecurity/falco/pull/2174)] - [@leogr](https://github.com/leogr)
+* update: bump libs and driver versions to 6599e2efebce30a95f27739d655d53f0d5f686e4 [[#2177](https://github.com/falcosecurity/falco/pull/2177)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* refactor(userspace/falco): make output rate limiter optional and output engine explicitly thread-safe [[#2139](https://github.com/falcosecurity/falco/pull/2139)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(falco.yaml)!: notification rate limiter disabled by default. [[#2139](https://github.com/falcosecurity/falco/pull/2139)] - [@jasondellaluce](https://github.com/jasondellaluce)
+
+
+### Bug Fixes
+
+* fix: compute the `drop ratio` in the right way [[#2128](https://github.com/falcosecurity/falco/pull/2128)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(falco_service): falco service needs to write under /sys/module/falco [[#2238](https://github.com/falcosecurity/falco/pull/2238)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(userspace): cleanup output of ruleset validation result [[#2248](https://github.com/falcosecurity/falco/pull/2248)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(userspace): properly print ignored syscalls messages when not in `-A` mode [[#2243](https://github.com/falcosecurity/falco/pull/2243)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(falco): clarify pid/tid and container info in gvisor [[#2223](https://github.com/falcosecurity/falco/pull/2223)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(userspace/engine): avoid reading duplicate exception values [[#2200](https://github.com/falcosecurity/falco/pull/2200)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix: hostname was not present when `json_output: true` [[#2174](https://github.com/falcosecurity/falco/pull/2174)] - [@leogr](https://github.com/leogr)
+
+
+### Rule Changes
+
+* rule(macro: known_gke_mount_in_privileged_containers): add new macro [[#2198](https://github.com/falcosecurity/falco/pull/2198)] - [@hi120ki](https://github.com/hi120ki)
+* rule(Mount Launched in Privileged Container): add GKE default pod into allowlist in Mount Launched of Privileged Container rule [[#2198](https://github.com/falcosecurity/falco/pull/2198)] - [@hi120ki](https://github.com/hi120ki)
+* rule(list: known_binaries_to_read_environment_variables_from_proc_files): add new list [[#2193](https://github.com/falcosecurity/falco/pull/2193)] - [@hi120ki](https://github.com/hi120ki)
+* rule(Read environment variable from /proc files): add rule to detect an attempt to read process environment variables from /proc files [[#2193](https://github.com/falcosecurity/falco/pull/2193)] - [@hi120ki](https://github.com/hi120ki)
+* rule(macro: k8s_containers): add falco no-driver images [[#2234](https://github.com/falcosecurity/falco/pull/2234)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* rule(macro: open_file_failed): add new macro [[#2118](https://github.com/falcosecurity/falco/pull/2118)] - [@incertum](https://github.com/incertum)
+* rule(macro: directory_traversal): add new macro [[#2118](https://github.com/falcosecurity/falco/pull/2118)] - [@incertum](https://github.com/incertum)
+* rule(Directory traversal monitored file read): add new rule [[#2118](https://github.com/falcosecurity/falco/pull/2118)] - [@incertum](https://github.com/incertum)
+* rule(Modify Container Entrypoint): new rule created to detect CVE-2019-5736 [[#2188](https://github.com/falcosecurity/falco/pull/2188)] - [@darryk10](https://github.com/darryk10)
+* rule(Program run with disallowed http proxy env)!: disabled by default [[#2179](https://github.com/falcosecurity/falco/pull/2179)] - [@incertum](https://github.com/incertum)
+* rule(Container Drift Detected (chmod))!: disabled by default [[#2179](https://github.com/falcosecurity/falco/pull/2179)] - [@incertum](https://github.com/incertum)
+* rule(Container Drift Detected (open+create))!: disabled by default [[#2179](https://github.com/falcosecurity/falco/pull/2179)] - [@incertum](https://github.com/incertum)
+* rule(Packet socket created in container)!: removed consider_packet_socket_communication macro [[#2179](https://github.com/falcosecurity/falco/pull/2179)] - [@incertum](https://github.com/incertum)
+* rule(macro: consider_packet_socket_communication)!: remove unused macro [[#2179](https://github.com/falcosecurity/falco/pull/2179)] - [@incertum](https://github.com/incertum)
+* rule(Interpreted procs outbound network activity)!: disabled by default [[#2166](https://github.com/falcosecurity/falco/pull/2166)] - [@incertum](https://github.com/incertum)
+* rule(Interpreted procs inbound network activity)!: disabled by default [[#2166](https://github.com/falcosecurity/falco/pull/2166)] - [@incertum](https://github.com/incertum)
+* rule(Contact cloud metadata service from container)!: disabled by default [[#2166](https://github.com/falcosecurity/falco/pull/2166)] - [@incertum](https://github.com/incertum)
+* rule(macro: consider_interpreted_outbound)!: remove unused macro [[#2166](https://github.com/falcosecurity/falco/pull/2166)] - [@incertum](https://github.com/incertum)
+* rule(macro: consider_interpreted_inbound)!: remove unused macro [[#2166](https://github.com/falcosecurity/falco/pull/2166)] - [@incertum](https://github.com/incertum)
+* rule(macro: consider_metadata_access)!: remove unused macro [[#2166](https://github.com/falcosecurity/falco/pull/2166)] - [@incertum](https://github.com/incertum)
+* rule(Unexpected outbound connection destination)!: disabled by default [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(Unexpected inbound connection source)!: disabled by default [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(Read Shell Configuration File)!: disabled by default [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(Schedule Cron Jobs)!: disabled by default [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(Launch Suspicious Network Tool on Host)!: disabled by default [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(Create Hidden Files or Directories)!: disabled by default [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(Outbound or Inbound Traffic not to Authorized Server Process and Port)!: disabled by default [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(Network Connection outside Local Subnet)!: disabled by default [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(macro: consider_all_outbound_conns)!: remove unused macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(macro: consider_all_inbound_conns)!: remove unused macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(macro: consider_shell_config_reads)!: remove unused macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(macro: consider_all_cron_jobs)!: remove unused macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(macro: consider_all_inbound_conns)!: remove unused macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(macro: consider_hidden_file_creation)!: remove unused macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(macro: allowed_port)!: remove unused macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(macro: enabled_rule_network_only_subnet)!: remove unused macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(macro: consider_userfaultfd_activities)!: remove unused macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(macro: consider_all_chmods)!: remove unused macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(Set Setuid or Setgid bit)!: removed consider_all_chmods macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(Container Drift Detected (chmod))!: removed consider_all_chmods macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+* rule(Unprivileged Delegation of Page Faults Handling to a Userspace Process)!: removed consider_userfaultfd_activities macro [[#2168](https://github.com/falcosecurity/falco/pull/2168)] - [@incertum](https://github.com/incertum)
+
+
+### Non user-facing changes
+
+* new(userspace): support `SCAP_FILTERED_EVENT` return code [[#2148](https://github.com/falcosecurity/falco/pull/2148)] - [@Andreagit97](https://github.com/Andreagit97)
+* chore(test/utils): remove unused script [[#2157](https://github.com/falcosecurity/falco/pull/2157)] - [@Andreagit97](https://github.com/Andreagit97)
+* Enrich pull request template [[#2162](https://github.com/falcosecurity/falco/pull/2162)] - [@Andreagit97](https://github.com/Andreagit97)
+* vote: update(OWNERS): add Andrea Terzolo to owners [[#2185](https://github.com/falcosecurity/falco/pull/2185)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(CI): codespell should ignore `ro` word [[#2173](https://github.com/falcosecurity/falco/pull/2173)] - [@Andreagit97](https://github.com/Andreagit97)
+* chore: bump plugin version [[#2256](https://github.com/falcosecurity/falco/pull/2256)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(userspace/falco): avoid using CPU when main thread waits for parallel event sources [[#2255](https://github.com/falcosecurity/falco/pull/2255)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(scripts): inject kmod script fails with some systemd versions [[#2250](https://github.com/falcosecurity/falco/pull/2250)] - [@Andreagit97](https://github.com/Andreagit97)
+* chore(userspace/falco): make logging optional when terminating, restarting, and reopening outputs [[#2249](https://github.com/falcosecurity/falco/pull/2249)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* chore: bump libs version [[#2244](https://github.com/falcosecurity/falco/pull/2244)] - [@Andreagit97](https://github.com/Andreagit97)
+* update(userspace): solve warnings and performance tips from cppcheck [[#2247](https://github.com/falcosecurity/falco/pull/2247)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(userspace/falco): make signal termination more robust with multi-threading [[#2235](https://github.com/falcosecurity/falco/pull/2235)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(userspace/falco): make termination and signal handlers more stable [[#2239](https://github.com/falcosecurity/falco/pull/2239)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(userspace): safely check string bounded access [[#2237](https://github.com/falcosecurity/falco/pull/2237)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* chore: bump libs/driver to the latest release branch commit [[#2232](https://github.com/falcosecurity/falco/pull/2232)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(userspace/falco): check plugin requirements when validating rule files [[#2233](https://github.com/falcosecurity/falco/pull/2233)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(userspace): add explicit constructors and initializations [[#2229](https://github.com/falcosecurity/falco/pull/2229)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* Add StackRox to adopters [[#2187](https://github.com/falcosecurity/falco/pull/2187)] - [@Molter73](https://github.com/Molter73)
+* fix(process_events): check the return value of `open_live_inspector` [[#2215](https://github.com/falcosecurity/falco/pull/2215)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(userspace/engine): properly include stdexcept header to fix build. [[#2197](https://github.com/falcosecurity/falco/pull/2197)] - [@FedeDP](https://github.com/FedeDP)
+* refactor(userspace/engine): split rule loader classes for a more testable design [[#2206](https://github.com/falcosecurity/falco/pull/2206)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* chore(OWNERS): cleanup inactive reviewer [[#2204](https://github.com/falcosecurity/falco/pull/2204)] - [@leogr](https://github.com/leogr)
+* fix(circleci): falco-driver-loader image build must be done starting from just-pushed falco master image. [[#2194](https://github.com/falcosecurity/falco/pull/2194)] - [@FedeDP](https://github.com/FedeDP)
+* Support condition parse errors in rule loading results [[#2155](https://github.com/falcosecurity/falco/pull/2155)] - [@mstemm](https://github.com/mstemm)
+* docs: readme update [[#2183](https://github.com/falcosecurity/falco/pull/2183)] - [@leogr](https://github.com/leogr)
+* cleanup: rename legacy references [[#2180](https://github.com/falcosecurity/falco/pull/2180)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* refactor(userspace/engine): increase const coherence in falco engine [[#2081](https://github.com/falcosecurity/falco/pull/2081)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* Rules result handle multiple files [[#2158](https://github.com/falcosecurity/falco/pull/2158)] - [@mstemm](https://github.com/mstemm)
+* fix: print full rule load errors/warnings without verbose/-v [[#2156](https://github.com/falcosecurity/falco/pull/2156)] - [@mstemm](https://github.com/mstemm)
+
+
+## v0.32.2
+
+Released on 2022-08-09
+
+### Major Changes
+
+
+### Bug Fixes
+
+* fix: Added ARCH to bpf download URL [[#2142](https://github.com/falcosecurity/falco/pull/2142)] - [@eric-engberg](https://github.com/eric-engberg)
+
+
+## v0.32.1
+
+Released on 2022-07-11
+
+### Major Changes
+
+* new(falco): add gVisor support [[#2078](https://github.com/falcosecurity/falco/pull/2078)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(docker,scripts): add multiarch images and ARM64 packages [[#1990](https://github.com/falcosecurity/falco/pull/1990)] - [@FedeDP](https://github.com/FedeDP)
+
+
+### Minor Changes
+
+* update(build): Switch from RSA/SHA1 to RSA/SHA256 signature in the RPM package [[#2044](https://github.com/falcosecurity/falco/pull/2044)] - [@vjjmiras](https://github.com/vjjmiras)
+* refactor(userspace/engine): drop macro source field in rules and rule loader [[#2094](https://github.com/falcosecurity/falco/pull/2094)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* build: introduce `DRIVER_VERSION` that allows setting a driver version (which may differ from the falcosecurity/libs version) [[#2086](https://github.com/falcosecurity/falco/pull/2086)] - [@leogr](https://github.com/leogr)
+* update: add more info to `--version` output [[#2086](https://github.com/falcosecurity/falco/pull/2086)] - [@leogr](https://github.com/leogr)
+* build(scripts): publish deb repo has now a InRelease file [[#2060](https://github.com/falcosecurity/falco/pull/2060)] - [@FedeDP](https://github.com/FedeDP)
+* update(userspace/falco): make plugin init config optional and add --plugin-info CLI option [[#2059](https://github.com/falcosecurity/falco/pull/2059)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(userspace/falco): support libs logging [[#2093](https://github.com/falcosecurity/falco/pull/2093)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(falco): update libs to 0.7.0 [[#2119](https://github.com/falcosecurity/falco/pull/2119)] - [@LucaGuerra](https://github.com/LucaGuerra)
+
+### Bug Fixes
+
+* fix(userspace/falco): ensure that only rules files named with `-V` are loaded when validating rules files. [[#2088](https://github.com/falcosecurity/falco/pull/2088)] - [@mstemm](https://github.com/mstemm)
+* fix(rules): use exit event in reverse shell detection rule [[#2076](https://github.com/falcosecurity/falco/pull/2076)] - [@alacuku](https://github.com/alacuku)
+* fix(scripts): falco-driver-loader script will now seek for drivers in driver/${ARCH}/ for x86_64 too. [[#2057](https://github.com/falcosecurity/falco/pull/2057)] - [@FedeDP](https://github.com/FedeDP)
+* fix(falco-driver-loader): building falco module with DKMS on Flatcar and supporting fetching pre-built module/eBPF probe [[#2043](https://github.com/falcosecurity/falco/pull/2043)] - [@jepio](https://github.com/jepio)
+
+
+### Rule Changes
+
+* rule(Redirect STDOUT/STDIN to Network Connection in Container): changed priority to NOTICE [[#2092](https://github.com/falcosecurity/falco/pull/2092)] - [@leogr](https://github.com/leogr)
+* rule(Java Process Class Download): detect potential log4shell exploitation [[#2041](https://github.com/falcosecurity/falco/pull/2041)] - [@pirxthepilot](https://github.com/pirxthepilot)
+
+
+### Non user-facing changes
+
+* remove kaizhe from falco rule owner [[#2050](https://github.com/falcosecurity/falco/pull/2050)] - [@Kaizhe](https://github.com/Kaizhe)
+* docs(readme): added arm64 mention + packages + badge. [[#2101](https://github.com/falcosecurity/falco/pull/2101)] - [@FedeDP](https://github.com/FedeDP)
+* new(circleci): enable integration tests for arm64. [[#2099](https://github.com/falcosecurity/falco/pull/2099)] - [@FedeDP](https://github.com/FedeDP)
+* chore(cmake): bump plugins versions [[#2102](https://github.com/falcosecurity/falco/pull/2102)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(docker): fixed deb tester sub image. [[#2100](https://github.com/falcosecurity/falco/pull/2100)] - [@FedeDP](https://github.com/FedeDP)
+* fix(ci): fix sign script - avoid interpreting '{*}$argv' too soon [[#2075](https://github.com/falcosecurity/falco/pull/2075)] - [@vjjmiras](https://github.com/vjjmiras)
+* fix(tests): make tests run locally (take 2) [[#2089](https://github.com/falcosecurity/falco/pull/2089)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(ci): creates ~/sign instead of ./sign [[#2072](https://github.com/falcosecurity/falco/pull/2072)] - [@vjjmiras](https://github.com/vjjmiras)
+* fix(ci): sign arm64 rpm packages. [[#2069](https://github.com/falcosecurity/falco/pull/2069)] - [@FedeDP](https://github.com/FedeDP)
+* update(falco_scripts): Change Flatcar dynlinker path [[#2066](https://github.com/falcosecurity/falco/pull/2066)] - [@jepio](https://github.com/jepio)
+* fix(scripts): fixed path in publish-deb script. [[#2062](https://github.com/falcosecurity/falco/pull/2062)] - [@FedeDP](https://github.com/FedeDP)
+* fix(build): docker-container buildx engine does not support retagging images. Tag all images together. [[#2058](https://github.com/falcosecurity/falco/pull/2058)] - [@FedeDP](https://github.com/FedeDP)
+* fix(build): fixed publish-docker-dev job context. [[#2056](https://github.com/falcosecurity/falco/pull/2056)] - [@FedeDP](https://github.com/FedeDP)
+* Correct linting issue in rules [[#2055](https://github.com/falcosecurity/falco/pull/2055)] - [@stephanmiehe](https://github.com/stephanmiehe)
+* Fix falco compilation issues with new libs [[#2053](https://github.com/falcosecurity/falco/pull/2053)] - [@alacuku](https://github.com/alacuku)
+* fix(scripts): forcefully create packages dir for debian packages. [[#2054](https://github.com/falcosecurity/falco/pull/2054)] - [@FedeDP](https://github.com/FedeDP)
+* fix(build): removed leftover line in circleci config. [[#2052](https://github.com/falcosecurity/falco/pull/2052)] - [@FedeDP](https://github.com/FedeDP)
+* fix(build): fixed circleCI artifacts publish for arm64. [[#2051](https://github.com/falcosecurity/falco/pull/2051)] - [@FedeDP](https://github.com/FedeDP)
+* update(docker): updated falco-builder to fix multiarch support. [[#2049](https://github.com/falcosecurity/falco/pull/2049)] - [@FedeDP](https://github.com/FedeDP)
+* fix(build): use apt instead of apk when installing deps for aws ecr publish [[#2047](https://github.com/falcosecurity/falco/pull/2047)] - [@FedeDP](https://github.com/FedeDP)
+* fix(build): try to use root user for cimg/base [[#2045](https://github.com/falcosecurity/falco/pull/2045)] - [@FedeDP](https://github.com/FedeDP)
+* update(build): avoid double build of docker images when pushing to aws ecr [[#2046](https://github.com/falcosecurity/falco/pull/2046)] - [@FedeDP](https://github.com/FedeDP)
+* chore(k8s_audit_plugin): bump k8s audit plugin version [[#2042](https://github.com/falcosecurity/falco/pull/2042)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(tests): make run_regression_tests.sh work locally [[#2020](https://github.com/falcosecurity/falco/pull/2020)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* Circle CI build job for ARM64 [[#1997](https://github.com/falcosecurity/falco/pull/1997)] - [@odidev](https://github.com/odidev)
+
+
+## v0.32.0
+
+Released on 2022-06-03
+
+### Major Changes
+
+
+* new: added new `watch_config_files` config option, to trigger a Falco restart whenever a change is detected in the rules or config files [[#1991](https://github.com/falcosecurity/falco/pull/1991)] - [@FedeDP](https://github.com/FedeDP)
+* new(rules): add rule to detect excessively capable container [[#1963](https://github.com/falcosecurity/falco/pull/1963)] - [@loresuso](https://github.com/loresuso)
+* new(rules): add rules to detect pods sharing host pid and IPC namespaces [[#1951](https://github.com/falcosecurity/falco/pull/1951)] - [@loresuso](https://github.com/loresuso)
+* new(image): add Falco image based on RedHat UBI [[#1943](https://github.com/falcosecurity/falco/pull/1943)] - [@araujof](https://github.com/araujof)
+* new(falco): add --markdown and --list-syscall-events [[#1939](https://github.com/falcosecurity/falco/pull/1939)] - [@LucaGuerra](https://github.com/LucaGuerra)
+
+
+### Minor Changes
+
+* update(build): updated plugins to latest versions. [[#2033](https://github.com/falcosecurity/falco/pull/2033)] - [@FedeDP](https://github.com/FedeDP)
+* refactor(userspace/falco): split the currently monolithic falco_init into smaller "actions", managed by the falco application's action manager. [[#1953](https://github.com/falcosecurity/falco/pull/1953)] - [@mstemm](https://github.com/mstemm)
+* rules: out of the box ruleset for OKTA Falco Plugin [[#1955](https://github.com/falcosecurity/falco/pull/1955)] - [@darryk10](https://github.com/darryk10)
+* update(build): updated libs to 39ae7d40496793cf3d3e7890c9bbdc202263836b [[#2031](https://github.com/falcosecurity/falco/pull/2031)] - [@FedeDP](https://github.com/FedeDP)
+* update!: moving out plugins ruleset files [[#1995](https://github.com/falcosecurity/falco/pull/1995)] - [@leogr](https://github.com/leogr)
+* update: added `hostname` as a field in JSON output [[#1989](https://github.com/falcosecurity/falco/pull/1989)] - [@Milkshak3s](https://github.com/Milkshak3s)
+* refactor!: remove K8S audit logs from Falco [[#1952](https://github.com/falcosecurity/falco/pull/1952)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* refactor(userspace/engine): use supported_operators helper from libsinsp filter parser [[#1975](https://github.com/falcosecurity/falco/pull/1975)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* refactor!: deprecate PSP regression tests and warn for unsafe usage of <NA> in k8s audit filters [[#1976](https://github.com/falcosecurity/falco/pull/1976)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* build(cmake): upgrade catch2 to 2.13.9 [[#1977](https://github.com/falcosecurity/falco/pull/1977)] - [@leogr](https://github.com/leogr)
+* refactor(userspace/engine): reduce memory usage for resolving evttypes [[#1965](https://github.com/falcosecurity/falco/pull/1965)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* refactor(userspace/engine): remove Lua from Falco and re-implement the rule loader [[#1966](https://github.com/falcosecurity/falco/pull/1966)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* refactor(userspace/engine): decoupling ruleset reading, parsing, and compilation steps [[#1970](https://github.com/falcosecurity/falco/pull/1970)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* refactor: update definitions of falco_common [[#1967](https://github.com/falcosecurity/falco/pull/1967)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update: improved Falco engine event processing performance [[#1944](https://github.com/falcosecurity/falco/pull/1944)] - [@deepskyblue86](https://github.com/deepskyblue86)
+* refactor(userspace/engine): use libsinsp filter parser and compiler inside rule loader [[#1947](https://github.com/falcosecurity/falco/pull/1947)] - [@jasondellaluce](https://github.com/jasondellaluce)
+
+
+### Bug Fixes
+
+* fix(userspace/engine): skip rules with unknown sources that also have exceptions, and skip macros with unknown sources. [[#1920](https://github.com/falcosecurity/falco/pull/1920)] - [@mstemm](https://github.com/mstemm)
+* fix(userspace/falco): enable k8s and mesos clients only when syscall source is enabled [[#2019](https://github.com/falcosecurity/falco/pull/2019)] - [@jasondellaluce](https://github.com/jasondellaluce)
+
+
+### Rule Changes
+
+* rule(Launch Excessively Capable Container): fix typo in description [[#1996](https://github.com/falcosecurity/falco/pull/1996)] - [@mmonitz](https://github.com/mmonitz)
+* rule(macro: known_shell_spawn_cmdlines): add `sh -c /usr/share/lighttpd/create-mime.conf.pl` to macro [[#1996](https://github.com/falcosecurity/falco/pull/1996)] - [@mmonitz](https://github.com/mmonitz)
+* rule(macro net_miner_pool): additional syscall for detection [[#2011](https://github.com/falcosecurity/falco/pull/2011)] - [@beryxz](https://github.com/beryxz)
+* rule(macro truncate_shell_history): include .ash_history [[#1956](https://github.com/falcosecurity/falco/pull/1956)] - [@bdashrad](https://github.com/bdashrad)
+* rule(macro modify_shell_history): include .ash_history [[#1956](https://github.com/falcosecurity/falco/pull/1956)] - [@bdashrad](https://github.com/bdashrad)
+* rule(Detect release_agent File Container Escapes): new rule created to detect an attempt to exploit a container escape using release_agent file [[#1969](https://github.com/falcosecurity/falco/pull/1969)] - [@darryk10](https://github.com/darryk10)
+* rule(k8s: secret): detect `get` attempts for both successful and unsuccessful attempts [[#1949](https://github.com/falcosecurity/falco/pull/1949)] - [@Dentrax](https://github.com/Dentrax)
+* rule(K8s Serviceaccount Created/Deleted): Fixed output for the rules [[#1973](https://github.com/falcosecurity/falco/pull/1973)] - [@darryk10](https://github.com/darryk10)
+* rule(Disallowed K8s User): exclude allowed EKS users [[#1960](https://github.com/falcosecurity/falco/pull/1960)] - [@darryk10](https://github.com/darryk10)
+* rule(Launch Ingress Remote File Copy Tools in Container): Removed use cases not triggering the rule [[#1968](https://github.com/falcosecurity/falco/pull/1968)] - [@darryk10](https://github.com/darryk10)
+* rule(Mount Launched in Privileged Container): added allowlist macro user_known_mount_in_privileged_containers. [[#1930](https://github.com/falcosecurity/falco/pull/1930)] - [@mmoyerfigma](https://github.com/mmoyerfigma)
+* rule(macro user_known_shell_config_modifiers): allow to allowlist shell config modifiers [[#1938](https://github.com/falcosecurity/falco/pull/1938)] - [@claudio-vellage](https://github.com/claudio-vellage)
+
+
+### Non user-facing changes
+
+* new: update plugins [[#2023](https://github.com/falcosecurity/falco/pull/2023)] - [@FedeDP](https://github.com/FedeDP)
+* update(build): updated libs version for Falco 0.32.0 release. [[#2022](https://github.com/falcosecurity/falco/pull/2022)] - [@FedeDP](https://github.com/FedeDP)
+* update(build): updated libs to 1be924900a09cf2e4db4b4ae13d03d838959f350 [[#2024](https://github.com/falcosecurity/falco/pull/2024)] - [@FedeDP](https://github.com/FedeDP)
+* chore(userspace/falco): do not print error code in process_events.cpp [[#2030](https://github.com/falcosecurity/falco/pull/2030)] - [@alacuku](https://github.com/alacuku)
+* fix(falco-scripts): remove driver versions with `dkms-3.0.3` [[#2027](https://github.com/falcosecurity/falco/pull/2027)] - [@Andreagit97](https://github.com/Andreagit97)
+* chore(userspace/falco): fix punctuation typo in output message when loading plugins [[#2026](https://github.com/falcosecurity/falco/pull/2026)] - [@alacuku](https://github.com/alacuku)
+* refactor(userspace): change falco engine design to properly support multiple sources [[#2017](https://github.com/falcosecurity/falco/pull/2017)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(userspace/falco): improve falco termination [[#2012](https://github.com/falcosecurity/falco/pull/2012)] - [@Andreagit97](https://github.com/Andreagit97)
+* update(userspace/engine): introduce new `check_plugin_requirements` API [[#2009](https://github.com/falcosecurity/falco/pull/2009)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(userspace/engine): improve rule loader source checks [[#2010](https://github.com/falcosecurity/falco/pull/2010)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix: split filterchecks per source-idx [[#1999](https://github.com/falcosecurity/falco/pull/1999)] - [@FedeDP](https://github.com/FedeDP)
+* new: port CI builds to github actions [[#2000](https://github.com/falcosecurity/falco/pull/2000)] - [@FedeDP](https://github.com/FedeDP)
+* build(userspace/engine): cleanup unused include dir [[#1987](https://github.com/falcosecurity/falco/pull/1987)] - [@leogr](https://github.com/leogr)
+* rule(Anonymous Request Allowed): exclude {/livez, /readyz} [[#1954](https://github.com/falcosecurity/falco/pull/1954)] - [@sledigabel](https://github.com/sledigabel)
+* chore(falco_scripts): Update `falco-driver-loader` cleaning phase [[#1950](https://github.com/falcosecurity/falco/pull/1950)] - [@Andreagit97](https://github.com/Andreagit97)
+* new(userspace/falco): use new plugin caps API [[#1982](https://github.com/falcosecurity/falco/pull/1982)] - [@FedeDP](https://github.com/FedeDP)
+* build: correct conffiles for DEB packages [[#1980](https://github.com/falcosecurity/falco/pull/1980)] - [@leogr](https://github.com/leogr)
+* Fix exception parsing regressions [[#1985](https://github.com/falcosecurity/falco/pull/1985)] - [@mstemm](https://github.com/mstemm)
+* Add codespell GitHub Action [[#1962](https://github.com/falcosecurity/falco/pull/1962)] - [@invidian](https://github.com/invidian)
+* build: components opt-in mechanism for packages [[#1979](https://github.com/falcosecurity/falco/pull/1979)] - [@leogr](https://github.com/leogr)
+* add gVisor to ADOPTERS.md [[#1974](https://github.com/falcosecurity/falco/pull/1974)] - [@kevinGC](https://github.com/kevinGC)
+* rules: whitelist GCP's container threat detection image [[#1959](https://github.com/falcosecurity/falco/pull/1959)] - [@clmssz](https://github.com/clmssz)
+* Fix some typos [[#1961](https://github.com/falcosecurity/falco/pull/1961)] - [@invidian](https://github.com/invidian)
+* chore(rules): remove leftover [[#1958](https://github.com/falcosecurity/falco/pull/1958)] - [@leogr](https://github.com/leogr)
+* docs: readme update and plugins [[#1940](https://github.com/falcosecurity/falco/pull/1940)] - [@leogr](https://github.com/leogr)
+
+
+## v0.31.1
+
+Released on 2022-03-09
+
+### Major Changes
+
+
+* new: add a new drop category `n_drops_scratch_map` [[#1916](https://github.com/falcosecurity/falco/pull/1916)] - [@Andreagit97](https://github.com/Andreagit97)
+* new: allow to specify multiple --cri options [[#1893](https://github.com/falcosecurity/falco/pull/1893)] - [@FedeDP](https://github.com/FedeDP)
+
+
+### Minor Changes
+
+* refactor(userspace/falco): replace direct getopt_long() cmdline option parsing with third-party cxxopts library. [[#1886](https://github.com/falcosecurity/falco/pull/1886)] - [@mstemm](https://github.com/mstemm)
+* update: driver version is b7eb0dd [[#1923](https://github.com/falcosecurity/falco/pull/1923)] - [@LucaGuerra](https://github.com/LucaGuerra)
+
+
+### Bug Fixes
+
+* fix(userspace/falco): correct plugins init config conversion from YAML to JSON [[#1907](https://github.com/falcosecurity/falco/pull/1907)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(userspace/engine): for rules at the informational level being loaded at the notice level [[#1885](https://github.com/falcosecurity/falco/pull/1885)] - [@mike-stewart](https://github.com/mike-stewart)
+* chore(userspace/falco): fixes truncated -b option description. [[#1915](https://github.com/falcosecurity/falco/pull/1915)] - [@andreabonanno](https://github.com/andreabonanno)
+* update(falco): updates usage description for -o, --option [[#1903](https://github.com/falcosecurity/falco/pull/1903)] - [@andreabonanno](https://github.com/andreabonanno)
+
+### Security Fixes
+
+* Fix for a TOCTOU issue that could lead to rule bypass (CVE-2022-26316). For more information, see the [advisory](https://github.com/falcosecurity/falco/security/advisories/GHSA-6v9j-2vm2-ghf7).
+
+### Rule Changes
+
+* rule(Detect outbound connections to common miner pool ports): fix url in rule output [[#1918](https://github.com/falcosecurity/falco/pull/1918)] - [@jsoref](https://github.com/jsoref)
+* rule(macro somebody_becoming_themself): renaming macro to somebody_becoming_themselves [[#1918](https://github.com/falcosecurity/falco/pull/1918)] - [@jsoref](https://github.com/jsoref)
+* rule(list package_mgmt_binaries): `npm` added [[#1866](https://github.com/falcosecurity/falco/pull/1866)] - [@rileydakota](https://github.com/rileydakota)
+* rule(Launch Package Management Process in Container): support for detecting `npm` usage [[#1866](https://github.com/falcosecurity/falco/pull/1866)] - [@rileydakota](https://github.com/rileydakota)
+* rule(Polkit Local Privilege Escalation Vulnerability): new rule created to detect CVE-2021-4034 [[#1877](https://github.com/falcosecurity/falco/pull/1877)] - [@darryk10](https://github.com/darryk10)
+* rule(macro: modify_shell_history): avoid false-positive alerts triggered by modifications to .zsh_history.new and .zsh_history.LOCK files [[#1832](https://github.com/falcosecurity/falco/pull/1832)] - [@m4wh6k](https://github.com/m4wh6k)
+* rule(macro: truncate_shell_history): avoid false-positive alerts triggered by modifications to .zsh_history.new and .zsh_history.LOCK files [[#1832](https://github.com/falcosecurity/falco/pull/1832)] - [@m4wh6k](https://github.com/m4wh6k)
+* rule(macro sssd_writing_krb): fixed a false-positive alert that was being generated when SSSD updates /etc/krb5.keytab [[#1825](https://github.com/falcosecurity/falco/pull/1825)] - [@mac-chaffee](https://github.com/mac-chaffee)
+* rule(macro write_etc_common): fixed a false-positive alert that was being generated when SSSD updates /etc/krb5.keytab [[#1825](https://github.com/falcosecurity/falco/pull/1825)] - [@mac-chaffee](https://github.com/mac-chaffee)
+* upgrade macro(keepalived_writing_conf) [[#1742](https://github.com/falcosecurity/falco/pull/1742)] - [@pabloopez](https://github.com/pabloopez)
+* rule_output(Delete Bucket Public Access Block) typo [[#1888](https://github.com/falcosecurity/falco/pull/1888)] - [@pabloopez](https://github.com/pabloopez)
+
+
+### Non user-facing changes
+
+* fix(build): fix civetweb linking in cmake module [[#1919](https://github.com/falcosecurity/falco/pull/1919)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* chore(userspace/engine): remove unused lua functions and state vars [[#1908](https://github.com/falcosecurity/falco/pull/1908)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(userspace/falco): applies FALCO_INSTALL_CONF_FILE as the default … [[#1900](https://github.com/falcosecurity/falco/pull/1900)] - [@andreabonanno](https://github.com/andreabonanno)
+* fix(scripts): correct typo in `falco-driver-loader` help message [[#1899](https://github.com/falcosecurity/falco/pull/1899)] - [@leogr](https://github.com/leogr)
+* update(build)!: replaced various `PROBE` with `DRIVER` where necessary. [[#1887](https://github.com/falcosecurity/falco/pull/1887)] - [@FedeDP](https://github.com/FedeDP)
+* Add [Fairwinds](https://fairwinds.com) to the adopters list [[#1917](https://github.com/falcosecurity/falco/pull/1917)] - [@sudermanjr](https://github.com/sudermanjr)
+* build(cmake): several cmake changes to speed up/simplify builds for external projects and copying files from source-to-build directories [[#1905](https://github.com/falcosecurity/falco/pull/1905)] - [@mstemm](https://github.com/mstemm)
+
+
 ## v0.31.0
 
 Released on 2022-01-31
@@ -8,7 +374,7 @@ Released on 2022-01-31
 
 
 * new: add support for plugins to extend Falco functionality to new event sources and custom fields [[#1753](https://github.com/falcosecurity/falco/pull/1753)] - [@mstemm](https://github.com/mstemm)
-* new: add ability to set User-Agent http header when sending http output. Provide default value of 'falcosecurit/falco'. [[#1850](https://github.com/falcosecurity/falco/pull/1850)] - [@yoshi314](https://github.com/yoshi314)
+* new: add ability to set User-Agent http header when sending http output. Provide default value of 'falcosecurity/falco'. [[#1850](https://github.com/falcosecurity/falco/pull/1850)] - [@yoshi314](https://github.com/yoshi314)
 * new(configuration): support defining plugin init config as a YAML [[#1852](https://github.com/falcosecurity/falco/pull/1852)] - [@jasondellaluce](https://github.com/jasondellaluce)
 
 
@@ -44,7 +410,7 @@ Released on 2022-01-31
 * fix(userspace/engine): support jsonpointer escaping in rule parser [[#1777](https://github.com/falcosecurity/falco/pull/1777)] - [@jasondellaluce](https://github.com/jasondellaluce)
 * fix(scripts/falco-driver-loader): support kernel object files in `.zst` and `.gz` compression formats [[#1863](https://github.com/falcosecurity/falco/pull/1863)] - [@leogr](https://github.com/leogr)
 * fix(engine): correctly format json output in json_event [[#1847](https://github.com/falcosecurity/falco/pull/1847)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* fix: set http output contenttype to text/plain when json output is disabled [[#1829](https://github.com/falcosecurity/falco/pull/1829)] - [@FedeDP](https://github.com/FedeDP)
+* fix: set http output content type to text/plain when json output is disabled [[#1829](https://github.com/falcosecurity/falco/pull/1829)] - [@FedeDP](https://github.com/FedeDP)
 * fix(userspace/falco): accept 'Content-Type' header that contains "application/json", but it is not strictly equal to it [[#1800](https://github.com/falcosecurity/falco/pull/1800)] - [@FedeDP](https://github.com/FedeDP)
 * fix(userspace/engine): supporting enabled-only overwritten rules [[#1775](https://github.com/falcosecurity/falco/pull/1775)] - [@jasondellaluce](https://github.com/jasondellaluce)
 
@@ -62,7 +428,7 @@ Released on 2022-01-31
 * rule(Create Hardlink Over Sensitive Files): new rule to detect hard links created over sensitive files [[#1810](https://github.com/falcosecurity/falco/pull/1810)] - [@sberkovich](https://github.com/sberkovich)
 * rule(Detect crypto miners using the Stratum protocol): add `stratum2+tcp` and `stratum+ssl` protocols detection [[#1810](https://github.com/falcosecurity/falco/pull/1810)] - [@sberkovich](https://github.com/sberkovich)
 * rule(Sudo Potential Privilege Escalation): correct special case for the CVE-2021-3156 exploit [[#1810](https://github.com/falcosecurity/falco/pull/1810)] - [@sberkovich](https://github.com/sberkovich)
-* rule(list falco_hostnetwork_images): moved to k8s_audit_rules.yaml to avoid a warning when usng falco_rules.yaml only [[#1681](https://github.com/falcosecurity/falco/pull/1681)] - [@leodido](https://github.com/leodido)
+* rule(list falco_hostnetwork_images): moved to k8s_audit_rules.yaml to avoid a warning when using falco_rules.yaml only [[#1681](https://github.com/falcosecurity/falco/pull/1681)] - [@leodido](https://github.com/leodido)
 * rule(list deb_binaries): remove `apt-config` [[#1860](https://github.com/falcosecurity/falco/pull/1860)] - [@Andreagit97](https://github.com/Andreagit97)
 * rule(Launch Remote File Copy Tools in Container): add additional binaries: curl and wget. [[#1771](https://github.com/falcosecurity/falco/pull/1771)] - [@ec4n6](https://github.com/ec4n6)
 * rule(list known_sa_list): add coredns, coredns-autoscaler, endpointslicemirroring-controller, horizontal-pod-autoscaler, job-controller, node-controller (nodelifecycle), persistent-volume-binder, pv-protection-controller, pvc-protection-controller, root-ca-cert-publisher and service-account-controller as allowed service accounts in the kube-system namespace [[#1760](https://github.com/falcosecurity/falco/pull/1760)] - [@sboschman](https://github.com/sboschman)
@@ -88,7 +454,7 @@ Released on 2022-01-31
 * fix(build): use consistent 7-character build abbrev sha [[#1830](https://github.com/falcosecurity/falco/pull/1830)] - [@LucaGuerra](https://github.com/LucaGuerra)
 * add Phoenix to adopters list [[#1806](https://github.com/falcosecurity/falco/pull/1806)] - [@kaldyka](https://github.com/kaldyka)
 * remove unused files in test directory [[#1801](https://github.com/falcosecurity/falco/pull/1801)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* drop Falco luajit module, use the one provied by libs [[#1788](https://github.com/falcosecurity/falco/pull/1788)] - [@FedeDP](https://github.com/FedeDP)
+* drop Falco luajit module, use the one provided by libs [[#1788](https://github.com/falcosecurity/falco/pull/1788)] - [@FedeDP](https://github.com/FedeDP)
 * chore(build): update libs version to 7906f7e [[#1790](https://github.com/falcosecurity/falco/pull/1790)] - [@LucaGuerra](https://github.com/LucaGuerra)
 * Add SysFlow to list of libs adopters [[#1747](https://github.com/falcosecurity/falco/pull/1747)] - [@araujof](https://github.com/araujof)
 * build: dropped centos8 circleci build because it is useless [[#1882](https://github.com/falcosecurity/falco/pull/1882)] - [@FedeDP](https://github.com/FedeDP)
@@ -345,8 +711,8 @@ Released on 2021-01-18
 * docs(proposals): Exceptions handling proposal [[#1376](https://github.com/falcosecurity/falco/pull/1376)] - [@mstemm](https://github.com/mstemm)
 * docs: fix a broken link of README [[#1516](https://github.com/falcosecurity/falco/pull/1516)] - [@oke-py](https://github.com/oke-py)
 * docs: adding the kubernetes privileged use case to use cases [[#1484](https://github.com/falcosecurity/falco/pull/1484)] - [@fntlnz](https://github.com/fntlnz)
-* rules(Mkdir binary dirs): Adds exe_running_docker_save as an exception as this rules can be triggerred when a container is created. [[#1386](https://github.com/falcosecurity/falco/pull/1386)] - [@jhwbarlow](https://github.com/jhwbarlow)
-* rules(Create Hidden Files): Adds exe_running_docker_save as an exception as this rules can be triggerred when a container is created. [[#1386](https://github.com/falcosecurity/falco/pull/1386)] - [@jhwbarlow](https://github.com/jhwbarlow)
+* rules(Mkdir binary dirs): Adds exe_running_docker_save as an exception as this rules can be triggered when a container is created. [[#1386](https://github.com/falcosecurity/falco/pull/1386)] - [@jhwbarlow](https://github.com/jhwbarlow)
+* rules(Create Hidden Files): Adds exe_running_docker_save as an exception as this rules can be triggered when a container is created. [[#1386](https://github.com/falcosecurity/falco/pull/1386)] - [@jhwbarlow](https://github.com/jhwbarlow)
 * docs(.circleci): welcome Jonah (Amazon) as a new Falco CI maintainer [[#1518](https://github.com/falcosecurity/falco/pull/1518)] - [@leodido](https://github.com/leodido)
 * build: falcosecurity/falco:master also available on the AWS ECR Public registry [[#1512](https://github.com/falcosecurity/falco/pull/1512)] - [@leodido](https://github.com/leodido)
 * build: falcosecurity/falco:latest also available on the AWS ECR Public registry [[#1512](https://github.com/falcosecurity/falco/pull/1512)] - [@leodido](https://github.com/leodido)
@@ -758,7 +1124,7 @@ Released on 2020-02-24
 * rule(write below etc): add "dsc_host" as a ms oms program [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
 * rule(write below etc): let mcafee write to /etc/cma.d  [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
 * rule(write below etc): let avinetworks supervisor write some ssh cfg [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
-* rule(write below etc): alow writes to /etc/pki from openshift secrets dir [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
+* rule(write below etc): allow writes to /etc/pki from openshift secrets dir [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
 * rule(write below root): let runc write to /exec.fifo [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
 * rule(change thread namespace): let cilium-cni change namespaces [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
 * rule(run shell untrusted): let puma reactor spawn shells [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
@@ -795,7 +1161,7 @@ Released on 2020-01-23
 ### Bug Fixes
 
 * fix: providing clang into docker-builder [[#972](https://github.com/falcosecurity/falco/pull/972)]
-* fix: prevent throwing json type error c++ exceptions outside of the falco engine when procesing k8s audit events. [[#928](https://github.com/falcosecurity/falco/pull/928)]
+* fix: prevent throwing json type error c++ exceptions outside of the falco engine when processing k8s audit events. [[#928](https://github.com/falcosecurity/falco/pull/928)]
 * fix(docker/kernel/linuxkit): correct from for falco minimal image [[#913](https://github.com/falcosecurity/falco/pull/913)]
 
 ### Rule Changes
@@ -910,7 +1276,7 @@ Released 2019-07-31
 
 * Fix a problem that would cause prevent container metadata lookups when falco was daemonized [[#731](https://github.com/falcosecurity/falco/pull/731)]
 
-* Allow rule priorites to be expressed as lowercase and a mix of lower/uppercase [[#737](https://github.com/falcosecurity/falco/pull/737)]
+* Allow rule priorities to be expressed as lowercase and a mix of lower/uppercase [[#737](https://github.com/falcosecurity/falco/pull/737)]
 
 ### Rule Changes
 
@@ -1105,7 +1471,7 @@ Released 2019-05-13
 
 * Docker-based builder/tester: You can now build Falco using the [falco-builder](https://falco.org/docs/source/#build-using-falco-builder-container) docker image, and run regression tests using the [falco-tester](https://falco.org/docs/source/#test-using-falco-tester-container) docker image. [[#522](https://github.com/falcosecurity/falco/pull/522)] [[#584](https://github.com/falcosecurity/falco/pull/584)]
 
-* Several small docs changes to improve clarity and readibility [[#524](https://github.com/falcosecurity/falco/pull/524)] [[#540](https://github.com/falcosecurity/falco/pull/540)] [[#541](https://github.com/falcosecurity/falco/pull/541)] [[#542](https://github.com/falcosecurity/falco/pull/542)]
+* Several small docs changes to improve clarity and readability [[#524](https://github.com/falcosecurity/falco/pull/524)] [[#540](https://github.com/falcosecurity/falco/pull/540)] [[#541](https://github.com/falcosecurity/falco/pull/541)] [[#542](https://github.com/falcosecurity/falco/pull/542)]
 
 * Add instructions on how to enable K8s Audit Logging for kops [[#535](https://github.com/falcosecurity/falco/pull/535)]
 
@@ -1220,7 +1586,7 @@ Released 2019-01-16
 
 * Fix FPs related to `apt-config`/`apt-cache`, `apk` [[#490](https://github.com/falcosecurity/falco/pull/490)]
 
-* New rules `Launch Package Management Process in Container`, `Netcat Remote Code Execution in Container`, `Lauch Suspicious Network Tool in Container` look for host-level network tools like `netcat`, package management tools like `apt-get`, or network tool binaries being run in a container. [[#490](https://github.com/falcosecurity/falco/pull/490)]
+* New rules `Launch Package Management Process in Container`, `Netcat Remote Code Execution in Container`, `Launch Suspicious Network Tool in Container` look for host-level network tools like `netcat`, package management tools like `apt-get`, or network tool binaries being run in a container. [[#490](https://github.com/falcosecurity/falco/pull/490)]
 
 * Fix the `inbound` and `outbound` macros so they work with sendto/recvfrom/sendmsg/recvmsg. [[#470](https://github.com/falcosecurity/falco/pull/470)]
 
@@ -1253,7 +1619,7 @@ Released 2018-11-09
 
 * Better coverage (e.g. reduced FPs) for critical stack, hids systems, ufw, cloud-init, etc. [[#445](https://github.com/falcosecurity/falco/pull/445)]
 
-* New rules `Launch Package Management Process in Container`, `Netcat Remote Code Execution in Container`, and `Lauch Suspicious Network Tool in Container` look for running various suspicious programs in a container. [[#461](https://github.com/falcosecurity/falco/pull/461)]
+* New rules `Launch Package Management Process in Container`, `Netcat Remote Code Execution in Container`, and `Launch Suspicious Network Tool in Container` look for running various suspicious programs in a container. [[#461](https://github.com/falcosecurity/falco/pull/461)]
 
 * Misc changes to address false positives in GKE, Istio, etc. [[#455](https://github.com/falcosecurity/falco/pull/455)] [[#439](https://github.com/falcosecurity/falco/issues/439)]
 
@@ -1308,7 +1674,7 @@ Released 2018-07-24
 
 ### Minor Changes
 
-* Rules may now have an `skip-if-unknown-filter` property. If set to true, a rule will be skipped if its condition/output property refers to a filtercheck (e.g. `fd.some-new-attibute`) that is not present in the current falco version. [[#364](https://github.com/draios/falco/pull/364)] [[#345](https://github.com/draios/falco/issues/345)]
+* Rules may now have an `skip-if-unknown-filter` property. If set to true, a rule will be skipped if its condition/output property refers to a filtercheck (e.g. `fd.some-new-attribute`) that is not present in the current falco version. [[#364](https://github.com/draios/falco/pull/364)] [[#345](https://github.com/draios/falco/issues/345)]
 * Small changes to Falco `COPYING` file so github automatically recognizes license [[#380](https://github.com/draios/falco/pull/380)]
 * New example integration showing how to connect Falco with Anchore to dynamically create falco rules based on negative scan results [[#390](https://github.com/draios/falco/pull/390)]
 * New example integration showing how to connect Falco, [nats](https://nats.io/), and K8s to run flexible "playbooks" based on Falco events [[#389](https://github.com/draios/falco/pull/389)]
@@ -1409,7 +1775,7 @@ Released 2017-10-10
 
 Released 2017-10-10
 
-**Important**: the location for falco's configuration file has moved from `/etc/falco.yaml` to `/etc/falco/falco.yaml`. The default rules file has moved from `/etc/falco_rules.yaml` to `/etc/falco/falco_rules.yaml`. In addition, 0.8.0 has added a _local_ ruls file to `/etc/falco/falco_rules.local.yaml`. See [the documentation](https://github.com/draios/falco/wiki/Falco-Default-and-Local-Rules-Files) for more details.
+**Important**: the location for falco's configuration file has moved from `/etc/falco.yaml` to `/etc/falco/falco.yaml`. The default rules file has moved from `/etc/falco_rules.yaml` to `/etc/falco/falco_rules.yaml`. In addition, 0.8.0 has added a _local_ rules file to `/etc/falco/falco_rules.local.yaml`. See [the documentation](https://github.com/draios/falco/wiki/Falco-Default-and-Local-Rules-Files) for more details.
 
 ### Major Changes
 

CMakeLists.txt

@@ -19,6 +19,22 @@ option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF
 option(MINIMAL_BUILD "Build a minimal version of Falco, containing only the engine and basic input/output (EXPERIMENTAL)" OFF)
 option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF)
 
+# gVisor is currently only supported on Linux x86_64
+if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64" AND CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT MINIMAL_BUILD)
+  option(BUILD_FALCO_GVISOR "Build gVisor support for Falco" ON)
+  if (BUILD_FALCO_GVISOR)
+    add_definitions(-DHAS_GVISOR)
+  endif()
+endif()
+
+# Modern BPF is not supported on not Linux systems and in MINIMAL_BUILD
+if(CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT MINIMAL_BUILD)
+  option(BUILD_FALCO_MODERN_BPF "Build modern BPF support for Falco" OFF)
+  if(BUILD_FALCO_MODERN_BPF)
+    add_definitions(-DHAS_MODERN_BPF)
+  endif()
+endif()
+
 # We shouldn't need to set this, see https://gitlab.kitware.com/cmake/cmake/-/issues/16419
 option(EP_UPDATE_DISCONNECTED "ExternalProject update disconnected" OFF)
 if (${EP_UPDATE_DISCONNECTED})
@@ -48,16 +64,19 @@ if(NOT DEFINED FALCO_ETC_DIR)
   set(FALCO_ETC_DIR "${CMAKE_INSTALL_FULL_SYSCONFDIR}/falco")
 endif()
 
-if(NOT DRAIOS_DEBUG_FLAGS)
-  set(DRAIOS_DEBUG_FLAGS "-D_DEBUG")
+# This will be used to print the architecture for which Falco is compiled.
+set(FALCO_TARGET_ARCH ${CMAKE_SYSTEM_PROCESSOR})
+
+if(NOT FALCO_EXTRA_DEBUG_FLAGS)
+  set(FALCO_EXTRA_DEBUG_FLAGS "-D_DEBUG")
 endif()
 
 string(TOLOWER "${CMAKE_BUILD_TYPE}" CMAKE_BUILD_TYPE)
 if(CMAKE_BUILD_TYPE STREQUAL "debug")
-  set(KBUILD_FLAGS "${DRAIOS_DEBUG_FLAGS} ${DRAIOS_FEATURE_FLAGS}")
+  set(KBUILD_FLAGS "${FALCO_EXTRA_DEBUG_FLAGS} ${FALCO_EXTRA_FEATURE_FLAGS}")
 else()
   set(CMAKE_BUILD_TYPE "release")
-  set(KBUILD_FLAGS "${DRAIOS_FEATURE_FLAGS}")
+  set(KBUILD_FLAGS "${FALCO_EXTRA_FEATURE_FLAGS}")
   add_definitions(-DBUILD_TYPE_RELEASE)
 endif()
 message(STATUS "Build type: ${CMAKE_BUILD_TYPE}")
@@ -78,7 +97,7 @@ if(CMAKE_BUILD_TYPE STREQUAL "release")
   set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -D_FORTIFY_SOURCE=2")
 endif()
 
-set(CMAKE_COMMON_FLAGS "${FALCO_SECURITY_FLAGS} -Wall -ggdb ${DRAIOS_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}")
+set(CMAKE_COMMON_FLAGS "${FALCO_SECURITY_FLAGS} -Wall -ggdb ${FALCO_EXTRA_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}")
 
 if(BUILD_WARNINGS_AS_ERRORS)
   set(CMAKE_SUPPRESSED_WARNINGS
@@ -90,8 +109,8 @@ endif()
 set(CMAKE_C_FLAGS "${CMAKE_COMMON_FLAGS}")
 set(CMAKE_CXX_FLAGS "--std=c++0x ${CMAKE_COMMON_FLAGS} -Wno-class-memaccess")
 
-set(CMAKE_C_FLAGS_DEBUG "${DRAIOS_DEBUG_FLAGS}")
-set(CMAKE_CXX_FLAGS_DEBUG "${DRAIOS_DEBUG_FLAGS}")
+set(CMAKE_C_FLAGS_DEBUG "${FALCO_EXTRA_DEBUG_FLAGS}")
+set(CMAKE_CXX_FLAGS_DEBUG "${FALCO_EXTRA_DEBUG_FLAGS}")
 
 set(CMAKE_C_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
 set(CMAKE_CXX_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
@@ -102,6 +121,16 @@ set(PACKAGE_NAME "falco")
 set(DRIVER_NAME "falco")
 set(DRIVER_DEVICE_NAME "falco")
 set(DRIVERS_REPO "https://download.falco.org/driver")
+
+# If no path is provided, try to search the BPF probe in: `home/.falco/falco-bpf.o`
+# This is the same fallback that we had in the libraries: `SCAP_PROBE_BPF_FILEPATH`.
+set(FALCO_PROBE_BPF_FILEPATH ".${DRIVER_NAME}/${DRIVER_NAME}-bpf.o")
+add_definitions(-DFALCO_PROBE_BPF_FILEPATH="${FALCO_PROBE_BPF_FILEPATH}")
+
+if(NOT DEFINED FALCO_COMPONENT_NAME)
+    set(FALCO_COMPONENT_NAME "${CMAKE_PROJECT_NAME}")
+endif()
+
 if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
   set(CMAKE_INSTALL_PREFIX
       /usr
@@ -115,9 +144,6 @@ include(ExternalProject)
 # libs
 include(falcosecurity-libs)
 
-# LuaJit provided by libs
-include(luajit)
-
 # jq
 include(jq)
 
@@ -146,27 +172,15 @@ if(NOT MINIMAL_BUILD)
   # libcurl
   include(curl)
 
-  # civetweb
-  include(civetweb)
+  # cpp-httlib
+  include(cpp-httplib)
 endif()
 
 include(cxxopts)
 
-# Lpeg
-include(lpeg)
-
-# libyaml
-include(libyaml)
-
-# lyaml
-include(lyaml)
-
 # One TBB
 include(tbb)
 
-#string-view-lite
-include(DownloadStringViewLite)
-
 if(NOT MINIMAL_BUILD)
   include(zlib)
   include(cares)
@@ -176,7 +190,7 @@ if(NOT MINIMAL_BUILD)
 endif()
 
 # Installation
-install(FILES falco.yaml DESTINATION "${FALCO_ETC_DIR}")
+install(FILES falco.yaml DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${FALCO_COMPONENT_NAME}")
 
 if(NOT MINIMAL_BUILD)
   # Coverage

OWNERS

@@ -1,16 +1,12 @@
 approvers:
-  - fntlnz
-  - kris-nova
-  - leodido
   - mstemm
   - leogr
   - jasondellaluce
+  - fededp
+  - andreagit97
 reviewers:
-  - fntlnz
   - kaizhe
+emeritus_approvers:
+  - fntlnz
   - kris-nova
   - leodido
-  - mfdii
-  - mstemm
-  - leogr
-  - jasondellaluce

README.md

@@ -3,11 +3,11 @@
 
 <hr>
 
-[![Build Status](https://img.shields.io/circleci/build/github/falcosecurity/falco/master?style=for-the-badge)](https://circleci.com/gh/falcosecurity/falco) [![CII Best Practices Summary](https://img.shields.io/cii/summary/2317?label=CCI%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) [![GitHub](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING)
+[![Build Status](https://img.shields.io/circleci/build/github/falcosecurity/falco/master?style=for-the-badge)](https://circleci.com/gh/falcosecurity/falco) [![CII Best Practices Summary](https://img.shields.io/cii/summary/2317?label=CCI%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) [![GitHub](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING) [![Latest](https://img.shields.io/github/v/release/falcosecurity/falco?style=for-the-badge)](https://github.com/falcosecurity/falco/releases/latest) ![Architectures](https://img.shields.io/badge/ARCHS-x86__64%7Caarch64-blueviolet?style=for-the-badge)
 
-Want to talk? Join us on the [#falco](https://kubernetes.slack.com/archives/CMWH3EH32) channel in the [Kubernetes Slack](https://slack.k8s.io).
+Want to talk? Join us on the [#falco](https://kubernetes.slack.com/messages/falco) channel in the [Kubernetes Slack](https://slack.k8s.io).
 
-### Latest releases
+## Latest releases
 
 Read the [change log](CHANGELOG.md).
 
@@ -49,49 +49,24 @@ Notes:
 
 -->
 
-|        | development                                                                                                                 | stable                                                                                                              |
-|--------|-----------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------|
-| rpm    | [![rpm-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm-dev%2Ffalco-)][1] | [![rpm](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm%2Ffalco-)][2] |
-| deb    | [![deb-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb-dev%2Fstable%2Ffalco-)][3] | [![deb](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb%2Fstable%2Ffalco-)][4] |
-| binary | [![bin-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin-dev%2Fx86_64%2Ffalco-)][5] | [![bin](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin%2Fx86_64%2Ffalco-)][6] |
+|              | development                                                                                                                                                                                                                                                                                                                                                                                                                                                                | stable                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
+|--------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| rpm-x86_64          | [![rpm-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm-dev%2Ffalco-%26delimiter=aarch64)][1]          | [![rpm](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm%2Ffalco-%26delimiter=aarch64)][2]          |
+| deb-x86_64          | [![deb-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb-dev%2Fstable%2Ffalco-%26delimiter=aarch64)][3] | [![deb](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb%2Fstable%2Ffalco-%26delimiter=aarch64)][4] |
+| binary-x86_64       | [![bin-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin-dev%2Fx86_64%2Ffalco-)][5]                                                     | [![bin](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin%2Fx86_64%2Ffalco-)][6]                                                     |
+| rpm-aarch64    | [![rpm-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm-dev%2Ffalco-%26delimiter=x86_64)][1]           | [![rpm](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm%2Ffalco-%26delimiter=x86_64)][2]           |
+| deb-aarch64    | [![deb-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb-dev%2Fstable%2Ffalco-%26delimiter=x86_64)][3]  | [![deb](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb%2Fstable%2Ffalco-%26delimiter=x86_64)][4]  |
+| binary-aarch64 | [![bin-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin-dev%2Faarch64%2Ffalco-)][7]                                                    | [![bin](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin%2Faarch64%2Ffalco-)][8]                                                    |
 
 ---
 
 The Falco Project, originally created by [Sysdig](https://sysdig.com), is an incubating [CNCF](https://cncf.io) open source cloud native runtime security tool.
-Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack.
+Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack. 
+Falco can also be extended to other data sources by using plugins.
 Falco has a rich set of security rules specifically built for Kubernetes, Linux, and cloud-native.
 If a rule is violated in a system, Falco will send an alert notifying the user of the violation and its severity.
 
-### Installing Falco
-
-If you would like to run Falco in **production** please adhere to the [official installation guide](https://falco.org/docs/getting-started/installation/).
-
-##### Kubernetes
-
-| Tool     | Link                                                                                       | Note                                                               |
-|----------|--------------------------------------------------------------------------------------------|--------------------------------------------------------------------|
-| Helm     | [Chart Repository](https://github.com/falcosecurity/charts/tree/master/falco#introduction) | The Falco community offers regular helm chart releases.            |
-| Minikube | [Tutorial](https://falco.org/docs/getting-started/third-party/#minikube)                                   | The Falco driver has been baked into minikube for easy deployment. |
-| Kind     | [Tutorial](https://falco.org/docs/getting-started/third-party/#kind)                                       | Running Falco with kind requires a driver on the host system.      |
-| GKE      | [Tutorial](https://falco.org/docs/getting-started/third-party/#gke)                                        | We suggest using the eBPF driver for running Falco on GKE.         |
-
-### Developing
-
-Falco is designed to be extensible such that it can be built into cloud-native applications and infrastructure.
-
-Falco has a [gRPC](https://falco.org/docs/grpc/) endpoint and an API defined in [protobuf](https://github.com/falcosecurity/falco/blob/master/userspace/falco/outputs.proto).
-The Falco Project supports various SDKs for this endpoint.
-
-##### SDKs
-
-| Language | Repository                                              |
-|----------|---------------------------------------------------------|
-| Go       | [client-go](https://github.com/falcosecurity/client-go) |
-| Rust     | [client-rs](https://github.com/falcosecurity/client-rs) |
-| Python   | [client-py](https://github.com/falcosecurity/client-py) |
-
-
-### What can Falco detect?
+## What can Falco detect?
 
 Falco can detect and alert on any behavior that involves making Linux system calls.
 Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process.
@@ -105,37 +80,93 @@ For example, Falco can easily detect incidents including but not limited to:
 - A standard system binary, such as `ls`, is making an outbound network connection.
 - A privileged pod is started in a Kubernetes cluster.
 
-### Documentation
+## Installing Falco
+
+If you would like to run Falco in **production** please adhere to the [official installation guide](https://falco.org/docs/getting-started/installation/).
+
+### Kubernetes
+
+| Tool     | Link                                                                                       | Note                                                               |
+|----------|--------------------------------------------------------------------------------------------|--------------------------------------------------------------------|
+| Helm     | [Chart Repository](https://github.com/falcosecurity/charts/tree/master/falco#introduction) | The Falco community offers regular helm chart releases.            |
+| Minikube | [Tutorial](https://falco.org/docs/getting-started/third-party/#minikube)                                   | The Falco driver has been baked into minikube for easy deployment. |
+| Kind     | [Tutorial](https://falco.org/docs/getting-started/third-party/#kind)                                       | Running Falco with kind requires a driver on the host system.      |
+| GKE      | [Tutorial](https://falco.org/docs/getting-started/third-party/#gke)                                        | We suggest using the eBPF driver for running Falco on GKE.         |
+
+## Developing
+
+Falco is designed to be extensible such that it can be built into cloud-native applications and infrastructure.
+
+Falco has a [gRPC](https://falco.org/docs/grpc/) endpoint and an API defined in [protobuf](https://github.com/falcosecurity/falco/blob/master/userspace/falco/outputs.proto).
+The Falco Project supports various SDKs for this endpoint.
+
+### SDKs
+
+| Language | Repository                                              |
+|----------|---------------------------------------------------------|
+| Go       | [client-go](https://github.com/falcosecurity/client-go) |
+
+## Plugins
+
+Falco comes with a [plugin framework](https://falco.org/docs/plugins/) that extends it to potentially any cloud detection scenario. Plugins are shared libraries that conform to a documented API and allow for:
+
+- Adding new event sources that can be used in rules;
+- Adding the ability to define new fields and extract information from events.
+
+The Falco Project maintains [various plugins](https://github.com/falcosecurity/plugins) and provides SDKs for plugin development.
+
+
+### SDKs
+
+| Language | Repository                                                                    |
+|----------|-------------------------------------------------------------------------------|
+| Go       | [falcosecurity/plugin-sdk-go](https://github.com/falcosecurity/plugin-sdk-go) |
+
+
+## Documentation
 
 The [Official Documentation](https://falco.org/docs/) is the best resource to learn about Falco.
 
-### Join the Community
+## Join the Community
 
 To get involved with The Falco Project please visit [the community repository](https://github.com/falcosecurity/community) to find more.
 
 How to reach out?
 
- - Join the #falco channel on the [Kubernetes Slack](https://slack.k8s.io)
+ - Join the [#falco](https://kubernetes.slack.com/messages/falco) channel on the [Kubernetes Slack](https://slack.k8s.io)
  - [Join the Falco mailing list](https://lists.cncf.io/g/cncf-falco-dev)
  - [Read the Falco documentation](https://falco.org/docs/)
 
+## How to contribute
 
-### Contributing
-
-See the [CONTRIBUTING.md](https://github.com/falcosecurity/.github/blob/master/CONTRIBUTING.md).
-
-### Security Audit
+See the [contributing guide](https://github.com/falcosecurity/.github/blob/main/CONTRIBUTING.md) and the [code of conduct](https://github.com/falcosecurity/evolution/CODE_OF_CONDUCT.md).
+ 
+## Security Audit
 
 A third party security audit was performed by Cure53, you can see the full report [here](./audits/SECURITY_AUDIT_2019_07.pdf).
 
-### Reporting security vulnerabilities
+## Reporting security vulnerabilities
 
-Please report security vulnerabilities following the community process documented [here](https://github.com/falcosecurity/.github/blob/master/SECURITY.md).
+Please report security vulnerabilities following the community process documented [here](https://github.com/falcosecurity/.github/blob/main/SECURITY.md).
 
-### License Terms
+## License
 
 Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
 
+## Project Evolution
+
+The [falcosecurity/evolution](https://github.com/falcosecurity/evolution) repository is the official space for the community to work together, discuss ideas, and document processes. It is also a place to make decisions. Check it out to find more helpful resources.
+
+## Resources
+
+ - [Governance](https://github.com/falcosecurity/evolution/blob/main/GOVERNANCE.md)
+ - [Code Of Conduct](https://github.com/falcosecurity/evolution/blob/main/CODE_OF_CONDUCT.md)
+ - [Maintainers Guidelines](https://github.com/falcosecurity/evolution/blob/main/MAINTAINERS_GUIDELINES.md)
+ - [Maintainers List](https://github.com/falcosecurity/evolution/blob/main/MAINTAINERS.md)
+ - [Repositories Guidelines](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md)
+ - [Repositories List](https://github.com/falcosecurity/evolution/blob/main/README.md#repositories)
+ - [Adopters List](https://github.com/falcosecurity/falco/blob/master/ADOPTERS.md)
+
 
 [1]: https://download.falco.org/?prefix=packages/rpm-dev/
 [2]: https://download.falco.org/?prefix=packages/rpm/
@@ -143,3 +174,5 @@ Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
 [4]: https://download.falco.org/?prefix=packages/deb/stable/
 [5]: https://download.falco.org/?prefix=packages/bin-dev/x86_64/
 [6]: https://download.falco.org/?prefix=packages/bin/x86_64/
+[7]: https://download.falco.org/?prefix=packages/bin-dev/aarch64/
+[8]: https://download.falco.org/?prefix=packages/bin/aarch64/

RELEASE.md

@@ -1,18 +1,77 @@
 # Falco Release Process
 
-Our release process is mostly automated, but we still need some manual steps to initiate and complete it.
 
-Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released.
+## Overview
+
+This document provides the process to create a new Falco release. In addition, it provides information about the versioning of the Falco components. At a high level each Falco release consists of the following main components:
+
+- Falco binary (userspace)
+- Falco kernel driver object files (kernel space)
+    - Option 1: Kernel module (`.ko` files)
+    - Option 2: eBPF (`.o` files)
+- Falco config and primary rules `.yaml` files (userspace)
+- Falco plugins (userspace - optional)
+
+One nice trait about releasing separate artifacts for userspace and kernel space is that Falco is amenable to supporting a large array of environments, that is, multiple kernel versions, distros and architectures (see `libs` [driver - kernel version support matrix](https://github.com/falcosecurity/libs#drivers-officially-supported-architectures)). The Falco project manages the release of both the Falco userspace binary and pre-compiled Falco kernel drivers for the most popular kernel versions and distros. The build and publish process is managed by the [test-infra](https://github.com/falcosecurity/test-infra) repo. The Falco userspace executable includes bundled dependencies, so that it can be run from anywhere.
+
+The Falco project also publishes all sources for each component. In fact, sources are included in the Falco release in the same way as some plugins (k8saudit and cloudtrail) as well as the rules that are shipped together with Falco. This empowers the end user to audit the integrity of the project as well as build kernel drivers for custom kernels or not officially supported kernels / distros (see [driverkit](https://github.com/falcosecurity/driverkit) for more information). While the Falco project is deeply embedded into an ecosystem of supporting [Falco sub-projects](https://github.com/falcosecurity/evolution) that aim to make the deployment of Falco easy, user-friendly, extendible and cloud-native, core Falco is split across two repos, [falco](https://github.com/falcosecurity/falco) (this repo) and [libs](https://github.com/falcosecurity/libs). The `libs` repo contains >90% of Falco's core features and is the home of each of the kernel drivers and engines. More details are provided in the [Falco Components Versioning](#falco-components-versioning) section.
+
+Finally, the release process follows a transparent process described in more detail in the following sections and the official [Falco docs](https://falco.org/) contain rich information around building, installing and using Falco.
+
+
+### Falco Binaries, Rules and Sources Artifacts - Quick Links
+
+The Falco project publishes all sources and the Falco userspace binaries as GitHub releases. Rules are also released in the GitHub tree Falco release tag.
+
+- [Falco Releases](https://github.com/falcosecurity/falco/releases)
+    - `tgz`, `rpm` and `deb` Falco binary packages (contains sources, including driver sources, Falco rules as well as k8saudit and cloudtrail plugins)
+    - `tgz`, `zip` source code
+- [Libs Releases](https://github.com/falcosecurity/libs/releases)
+    - `tgz`, `zip` source code
+- Falco Rules (GitHub tree approach)
+    - RELEASE="x.y.z", `https://github.com/falcosecurity/falco/tree/${RELEASE}/rules`
+
+
+Alternatively Falco binaries or plugins can be downloaded from the Falco Artifacts repo.
+
+- [Falco Artifacts Repo Packages Root](https://download.falco.org/?prefix=packages/)
+- [Falco Artifacts Repo Plugins Root](https://download.falco.org/?prefix=plugins/)
+
+
+### Falco Drivers Artifacts Repo - Quick Links
+
+
+The Falco project publishes all drivers for each release for all popular kernel versions / distros and `x86_64` and `aarch64` architectures to the Falco project managed Artifacts repo. The Artifacts repo follows standard directory level conventions. The respective driver object file is prefixed by distro and named / versioned by kernel release - `$(uname -r)`. Pre-compiled drivers are released with a [best effort](https://github.com/falcosecurity/falco/blob/master/proposals/20200818-artifacts-storage.md#notice) notice. This is because gcc (`kmod`) and clang (`bpf`) compilers or for example the eBPF verifier are not perfect. More details around driver versioning and driver compatibility are provided in the [Falco Components Versioning](#falco-components-versioning) section. Short preview: If you use the standard Falco setup leveraging driver-loader, [driver-loader script](https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader) will fetch the kernel space artifact (object file) corresponding to the default `DRIVER_VERSION` Falco was shipped with.
+
+- [Falco Artifacts Repo Drivers Root](https://download.falco.org/?prefix=driver/)
+    - Option 1: Kernel module (`.ko` files) - all under same driver version directory
+    - Option 2: eBPF (`.o` files) - all under same driver version directory
+
+
+### Timeline
 
 Falco releases are due to happen 3 times per year. Our current schedule sees a new release by the end of January, May, and September each year. Hotfix releases can happen whenever it's needed.
 
+Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released.
+
+
+### Procedures
+
+The release process is mostly automated requiring only a few manual steps to initiate and complete it.
+
 Moreover, we need to assign owners for each release (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community).
 
+At a high level each Falco release needs to follow a pre-determined sequencing of releases and build order:
+
+- [1 - 3] `libs` (+ `driver`) and `plugins` components releases
+- [4] Falco driver pre-compiled object files push to Falco's Artifacts repo
+- [5] Falco userspace binary + rules release
+
 Finally, on the proposed due date the assignees for the upcoming release proceed with the processes described below.
 
 ## Pre-Release Checklist
 
-Before cutting a release we need to do some homework in the Falco repository. This should take 5 minutes using the GitHub UI.
+Prior to cutting a release the following preparatory steps should take 5 minutes using the GitHub UI.
 
 ### 1. Release notes
 - Find the previous release date (`YYYY-MM-DD`) by looking at the [Falco releases](https://github.com/falcosecurity/falco/releases)
@@ -68,9 +127,12 @@ Now assume `x.y.z` is the new version.
 
     | Packages | Download                                                                                                                                               |
     | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
-    | rpm      | [![rpm](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpm/falco-x.y.z-x86_64.rpm)        |
-    | deb      | [![deb](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/deb/stable/falco-x.y.z-x86_64.deb) |
-    | tgz      | [![tgz](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/bin/x86_64/falco-x.y.z-x86_64.tar.gz) |
+    | rpm-x86_64      | [![rpm](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpm/falco-x.y.z-x86_64.rpm)        |
+    | deb-x86_64      | [![deb](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/deb/stable/falco-x.y.z-x86_64.deb) |
+    | tgz-x86_64      | [![tgz](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/bin/x86_64/falco-x.y.z-x86_64.tar.gz) |
+    | rpm-aarch64      | [![rpm](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpm/falco-x.y.z-aarch64.rpm)        |
+    | deb-aarch64      | [![deb](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/deb/stable/falco-x.y.z-aarch64.deb) |
+    | tgz-aarch64      | [![tgz](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/bin/aarch64/falco-x.y.z-aarch64.tar.gz) |
 
     | Images                                                                      |
     | --------------------------------------------------------------------------- |
@@ -95,7 +157,7 @@ Now assume `x.y.z` is the new version.
 
     #### Release Manager <github handle>
 
-    <!-- Substitute Github handle with the release manager's one -->
+    <!-- Substitute GitHub handle with the release manager's one -->
     ```
 
 - Finally, publish the release!
@@ -118,3 +180,39 @@ Announce the new release to the world!
 - Send an announcement to cncf-falco-dev@lists.cncf.io (plain text, please)
 - Let folks in the slack #falco channel know about a new release came out
 - IFF the on going release introduces a **new minor version**, [archive a snapshot of the Falco website](https://github.com/falcosecurity/falco-website/blob/master/release.md#documentation-versioning)
+
+
+## Falco Components Versioning
+
+This section provides more details around the versioning of all components that make up core Falco. It can also be a useful guide for the uninitiated to be more informed about Falco's source. Because the `libs` repo contains >90% of Falco's core features and is the home of each of the kernel drivers and engines, the [libs release doc](https://github.com/falcosecurity/libs/blob/master/release.md) is an excellent additional resource. In addition, the [plugins release doc](https://github.com/falcosecurity/plugins/blob/master/release.md) provides similar details around Falco's plugins. `SHA256` checksums are provided throughout Falco's source code to empower the end user to perform integrity checks. All Falco releases also contain the sources as part of the packages.
+
+
+### Falco repo (this repo)
+- Falco version is a git tag (`x.y.z`), see [Procedures](#procedures) section. Note that the Falco version is a sem-ver-like schema, but not fully compatible with sem-ver.
+- [FALCO_ENGINE_VERSION](https://github.com/falcosecurity/falco/blob/master/userspace/engine/falco_engine_version.h) is not sem-ver and must be bumped either when a backward incompatible change has been introduced to the rules files syntax or `falco --list -N | sha256sum` has changed. Breaking changes introduced in the Falco engine are not necessarily tied to the drivers or libs versions. The primary idea behind the hash is that when new filter / display fields (see currently supported [Falco fields](https://falco.org/docs/rules/supported-fields/)) are introduced a version bump indicates that this field was not available in previous engine versions. In case a new Falco rule uses new fields, the [Falco rules](https://github.com/falcosecurity/falco/blob/master/rules/falco_rules.yaml) file needs to bump this version as well via setting `required_engine_version` to the new version.
+- During development and release preparation, libs and driver reference commits are often bumped in Falco's cmake setup ([falcosecurity-libs cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/falcosecurity-libs.cmake#L30) and [driver cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/driver.cmake#L29)) in order to merge new Falco features. In practice they are mostly bumped at the same time referencing the same `libs` commit. However, for the official Falco build `FALCOSECURITY_LIBS_VERSION` flag that references the stable Libs version is used (read below).
+- Similarly, Falco plugins versions are bumped in Falco's cmake setup ([plugins cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/plugins.cmake)) and those versions are the ones used for the Falco release.
+- At release time Plugin, Libs and Driver versions are compatible with Falco.
+- If you use the standard Falco setup leveraging driver-loader, [driver-loader script](https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader) will fetch the kernel space artifact (object file) corresponding to the default `DRIVER_VERSION` Falco was shipped with (read more below under Libs).
+
+
+```
+Falco version: x.y.z (sem-ver like)
+Libs version:  x.y.z (sem-ver like)
+Plugin API:    x.y.z (sem-ver like)
+Driver:
+  API version:    x.y.z (sem-ver)
+  Schema version: x.y.z (sem-ver)
+  Default driver: x.y.z+driver (sem-ver like, indirectly encodes compatibility range in addition to default version Falco is shipped with)
+```
+
+
+### Libs repo
+- Libs version is a git tag (`x.y.z`) and when building Falco the libs version is set via the `FALCOSECURITY_LIBS_VERSION` flag (see above).
+- Driver version in and of itself is not directly tied to the Falco binary as opposed to the libs version being part of the source code used to compile Falco's userspace binary. This is because of the strict separation between userspace and kernel space artifacts, so things become a bit more interesting here. This is why the concept of a `Default driver` has been introduced to still implicitly declare the compatible driver versions. For example, if the default driver version is `2.0.0+driver`, Falco works with all driver versions >= 2.0.0 and < 3.0.0. This is a consequence of how the driver version is constructed starting from the `Driver API version` and `Driver Schema version`. Driver API and Schema versions are explained in the respective [libs driver doc](https://github.com/falcosecurity/libs/blob/master/driver/README.VERSION.md) -> Falco's `driver-loader` will always fetch the default driver, therefore a Falco release is always "shipped" with the driver version corresponding to the default driver.
+- See [libs release doc](https://github.com/falcosecurity/libs/blob/master/release.md) for more information.
+
+### Plugins repo
+
+- Plugins version is a git tag (`x.y.z`)
+- See [plugins release doc](https://github.com/falcosecurity/plugins/blob/master/release.md) for more information.

brand/README.md

@@ -5,7 +5,7 @@
 
 This document describes The Falco Project's branding guidelines, language, and message.
 
-Content in this document can be used to publically share about Falco.
+Content in this document can be used to publicly share about Falco.
 
 
 
@@ -56,7 +56,7 @@ If a rule has been violated, Falco triggers an alert.
 ### How does Falco work?
 
 Falco traces kernel events and reports information about the system calls being executed at runtime.
-Falco leverages the extended berkley packet filter (eBPF) which is a kernel feature implemented for dynamic crash-resilient and secure code execution in the kernel. 
+Falco leverages the extended berkeley packet filter (eBPF) which is a kernel feature implemented for dynamic crash-resilient and secure code execution in the kernel. 
 Falco enriches these kernel events with information about containers running on the system.
 Falco also can consume signals from other input streams such as the containerd socket, the Kubernetes API server and the Kubernetes audit log.
 At runtime, Falco will reason about these events and assert them against configured security rules.
@@ -113,7 +113,7 @@ Falco ultimately is a security engine. It reasons about signals coming from a sy
 
 ##### Anomaly detection
 
-This refers to an event that occurs with something unsual, concerning, or odd occurs.
+This refers to an event that occurs with something unusual, concerning, or odd occurs.
 We can associate anomalies with unwanted behavior, and alert in their presence.
 
 ##### Detection tooling
@@ -143,6 +143,10 @@ Sometimes this word is incorrectly used to refer to a `probe`.
 
 The global term for the software that sends events from the kernel. Such as the eBPF `probe` or the `kernel module`.
 
+#### Plugin
+
+Used to describe a dynamic shared library (`.so` files in Unix, `.dll` files in Windows) that conforms to a documented API and allows to extend Falco's capabilities.
+
 #### Falco
 
 The name of the project, and also the name of [the main engine](https://github.com/falcosecurity/falco) that the rest of the project is built on.

cmake/cpack/CMakeCPackOptions.cmake

@@ -1,11 +1,13 @@
 if(CPACK_GENERATOR MATCHES "DEB")
 	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco_inject_kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 endif()
 
 if(CPACK_GENERATOR MATCHES "RPM")
 	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco_inject_kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 endif()
 
 if(CPACK_GENERATOR MATCHES "TGZ")

cmake/cpack/debian/conffiles

@@ -1,4 +1,3 @@
 /etc/falco/falco.yaml
-/etc/falco/falco_rules.yaml
 /etc/falco/rules.available/application_rules.yaml
 /etc/falco/falco_rules.local.yaml

cmake/modules/CPackConfig.cmake

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -25,6 +25,17 @@ set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/cmake/cpack/CMakeCPackOptio
 set(CPACK_STRIP_FILES "ON")
 set(CPACK_PACKAGE_RELOCATABLE "OFF")
 
+# Built packages will include only the following components
+set(CPACK_INSTALL_CMAKE_PROJECTS
+  "${CMAKE_CURRENT_BINARY_DIR};${FALCO_COMPONENT_NAME};${FALCO_COMPONENT_NAME};/"
+  "${CMAKE_CURRENT_BINARY_DIR};${DRIVER_COMPONENT_NAME};${DRIVER_COMPONENT_NAME};/"
+)
+if(NOT MUSL_OPTIMIZED_BUILD) # static builds do not have plugins
+  list(APPEND CPACK_INSTALL_CMAKE_PROJECTS
+    "${CMAKE_CURRENT_BINARY_DIR};${PLUGINS_COMPONENT_NAME};${PLUGINS_COMPONENT_NAME};/"
+  )
+endif()
+
 if(NOT CPACK_GENERATOR)
     set(CPACK_GENERATOR DEB RPM TGZ)
 endif()

cmake/modules/CatchAddTests.cmake

@@ -45,7 +45,7 @@ string(REPLACE "\n" ";" output "${output}")
 # Parse output
 foreach(line ${output})
   set(test ${line})
-  # use escape commas to handle properly test cases with commans inside the name
+  # use escape commas to handle properly test cases with commands inside the name
   string(REPLACE "," "\\," test_name ${test})
   # ...and add to script
   add_command(add_test "${prefix}${test}${suffix}" ${TEST_EXECUTOR} "${TEST_EXECUTABLE}" "${test_name}" ${extra_args})

cmake/modules/DownloadCatch.cmake

@@ -14,8 +14,8 @@ include(ExternalProject)
 
 set(CATCH2_INCLUDE ${CMAKE_BINARY_DIR}/catch2-prefix/include)
 
-set(CATCH_EXTERNAL_URL URL https://github.com/catchorg/catch2/archive/v2.12.1.tar.gz URL_HASH
-                       SHA256=e5635c082282ea518a8dd7ee89796c8026af8ea9068cd7402fb1615deacd91c3)
+set(CATCH_EXTERNAL_URL URL https://github.com/catchorg/catch2/archive/v2.13.9.tar.gz URL_HASH
+                       SHA256=06dbc7620e3b96c2b69d57bf337028bf245a211b3cddb843835bfe258f427a52)
 
 ExternalProject_Add(
   catch2

cmake/modules/DownloadStringViewLite.cmake

@@ -1,30 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-include(ExternalProject)
-
-set(STRING_VIEW_LITE_PREFIX ${CMAKE_BINARY_DIR}/string-view-lite-prefix)
-set(STRING_VIEW_LITE_INCLUDE ${STRING_VIEW_LITE_PREFIX}/include)
-message(STATUS "Using bundled string-view-lite in ${STRING_VIEW_LITE_INCLUDE}")
-
-ExternalProject_Add(
-  string-view-lite
-  PREFIX ${STRING_VIEW_LITE_PREFIX}
-  GIT_REPOSITORY "https://github.com/martinmoene/string-view-lite.git"
-  GIT_TAG "v1.4.0"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  UPDATE_COMMAND ""
-  INSTALL_COMMAND
-    ${CMAKE_COMMAND} -E copy ${STRING_VIEW_LITE_PREFIX}/src/string-view-lite/include/nonstd/string_view.hpp
-    ${STRING_VIEW_LITE_INCLUDE}/nonstd/string_view.hpp)

cmake/modules/GetFalcoVersion.cmake

@@ -16,18 +16,32 @@ include(GetGitRevisionDescription)
 
 # Create the falco version variable according to git index
 if(NOT FALCO_VERSION)
-  string(STRIP "${FALCO_HASH}" FALCO_HASH)
   # Try to obtain the exact git tag
   git_get_exact_tag(FALCO_TAG)
   if(NOT FALCO_TAG)
-    # Obtain the closest tag
-    git_describe(FALCO_VERSION "--always" "--tags" "--abbrev=7")
-    # Fallback version
-    if(FALCO_VERSION MATCHES "NOTFOUND$")
-      set(FALCO_VERSION "0.0.0")
-    endif()
-    # Format FALCO_VERSION to be semver with prerelease and build part
-    string(REPLACE "-g" "+" FALCO_VERSION "${FALCO_VERSION}")
+      # Fetch current hash
+      get_git_head_revision(refspec FALCO_HASH)
+      if(NOT FALCO_HASH OR FALCO_HASH MATCHES "NOTFOUND$")
+        set(FALCO_VERSION "0.0.0")
+      else()
+        # Obtain the closest tag
+        git_get_latest_tag(FALCO_LATEST_TAG)
+        if(NOT FALCO_LATEST_TAG OR FALCO_LATEST_TAG MATCHES "NOTFOUND$")
+          set(FALCO_VERSION "0.0.0")
+        else()
+          # Compute commit delta since tag
+          git_get_delta_from_tag(FALCO_DELTA ${FALCO_LATEST_TAG} ${FALCO_HASH})
+          if(NOT FALCO_DELTA OR FALCO_DELTA MATCHES "NOTFOUND$")
+            set(FALCO_VERSION "0.0.0")
+          else()
+            # Cut hash to 7 bytes
+            string(SUBSTRING ${FALCO_HASH} 0 7 FALCO_HASH)
+            # Format FALCO_VERSION to be semver with prerelease and build part
+            set(FALCO_VERSION
+                  "${FALCO_LATEST_TAG}-${FALCO_DELTA}+${FALCO_HASH}")
+           endif()
+        endif()
+      endif()
   else()
     # A tag has been found: use it as the Falco version
     set(FALCO_VERSION "${FALCO_TAG}")

cmake/modules/GetGitRevisionDescription.cmake

@@ -86,29 +86,36 @@ function(get_git_head_revision _refspecvar _hashvar)
       PARENT_SCOPE)
 endfunction()
 
-function(git_describe _var)
+function(git_get_latest_tag _var)
   if(NOT GIT_FOUND)
     find_package(Git QUIET)
   endif()
-  get_git_head_revision(refspec hash)
-  if(NOT GIT_FOUND)
-    set(${_var}
-        "GIT-NOTFOUND"
-        PARENT_SCOPE)
-    return()
-  endif()
-  if(NOT hash)
-    set(${_var}
-        "HEAD-HASH-NOTFOUND"
-        PARENT_SCOPE)
+
+  # We use git describe --tags `git rev-list --tags --max-count=1`
+  execute_process(COMMAND
+          "${GIT_EXECUTABLE}"
+          rev-list
+          --tags
+          --max-count=1
+          WORKING_DIRECTORY
+          "${CMAKE_CURRENT_SOURCE_DIR}"
+          COMMAND tail -n1
+          RESULT_VARIABLE
+          res
+          OUTPUT_VARIABLE
+          tag_hash
+          ERROR_QUIET
+          OUTPUT_STRIP_TRAILING_WHITESPACE)
+  if(NOT res EQUAL 0)
+    set(out "${tag_hash}-${res}-NOTFOUND" PARENT_SCOPE)
     return()
   endif()
 
   execute_process(COMMAND
     "${GIT_EXECUTABLE}"
     describe
-    ${hash}
-    ${ARGN}
+    --tags
+    ${tag_hash}
     WORKING_DIRECTORY
     "${CMAKE_CURRENT_SOURCE_DIR}"
     RESULT_VARIABLE
@@ -120,10 +127,108 @@ function(git_describe _var)
   if(NOT res EQUAL 0)
     set(out "${out}-${res}-NOTFOUND")
   endif()
+  set(${_var} "${out}" PARENT_SCOPE)
+endfunction()
+
+function(git_get_delta_from_tag _var tag hash)
+  if(NOT GIT_FOUND)
+    find_package(Git QUIET)
+  endif()
+
+  # Count commits in HEAD
+  execute_process(COMMAND
+    "${GIT_EXECUTABLE}"
+    rev-list
+    --count
+    ${hash}
+    WORKING_DIRECTORY
+    "${CMAKE_CURRENT_SOURCE_DIR}"
+    RESULT_VARIABLE
+    res
+    OUTPUT_VARIABLE
+    out_counter_head
+    ERROR_QUIET
+    OUTPUT_STRIP_TRAILING_WHITESPACE)
+  if(NOT res EQUAL 0)
+    set(${_var} "HEADCOUNT-NOTFOUND" PARENT_SCOPE)
+    return()
+  endif()
+
+  # Count commits in latest tag
+  execute_process(COMMAND
+    "${GIT_EXECUTABLE}"
+    rev-list
+    --count
+    ${tag}
+    WORKING_DIRECTORY
+    "${CMAKE_CURRENT_SOURCE_DIR}"
+    RESULT_VARIABLE
+    res
+    OUTPUT_VARIABLE
+    out_counter_tag
+    ERROR_QUIET
+    OUTPUT_STRIP_TRAILING_WHITESPACE)
+  if(NOT res EQUAL 0)
+    set(${_var} "TAGCOUNT-NOTFOUND" PARENT_SCOPE)
+    return()
+  endif()
+
+  execute_process(COMMAND
+    expr
+    ${out_counter_head} - ${out_counter_tag}
+    WORKING_DIRECTORY
+    "${CMAKE_CURRENT_SOURCE_DIR}"
+    RESULT_VARIABLE
+    res
+    OUTPUT_VARIABLE
+    out_delta
+    ERROR_QUIET
+    OUTPUT_STRIP_TRAILING_WHITESPACE)
+  if(NOT res EQUAL 0)
+    set(${_var} "DELTA-NOTFOUND" PARENT_SCOPE)
+    return()
+  endif()
+  set(${_var} "${out_delta}" PARENT_SCOPE)
+endfunction()
+
+function(git_describe _var)
+  if(NOT GIT_FOUND)
+    find_package(Git QUIET)
+  endif()
+  get_git_head_revision(refspec hash)
+  if(NOT GIT_FOUND)
+    set(${_var}
+            "GIT-NOTFOUND"
+            PARENT_SCOPE)
+    return()
+  endif()
+  if(NOT hash)
+    set(${_var}
+            "HEAD-HASH-NOTFOUND"
+            PARENT_SCOPE)
+    return()
+  endif()
+
+  execute_process(COMMAND
+          "${GIT_EXECUTABLE}"
+          describe
+          ${hash}
+          ${ARGN}
+          WORKING_DIRECTORY
+          "${CMAKE_CURRENT_SOURCE_DIR}"
+          RESULT_VARIABLE
+          res
+          OUTPUT_VARIABLE
+          out
+          ERROR_QUIET
+          OUTPUT_STRIP_TRAILING_WHITESPACE)
+  if(NOT res EQUAL 0)
+    set(out "${out}-${res}-NOTFOUND")
+  endif()
 
   set(${_var}
-      "${out}"
-      PARENT_SCOPE)
+          "${out}"
+          PARENT_SCOPE)
 endfunction()
 
 function(git_get_exact_tag _var)

cmake/modules/civetweb.cmake

@@ -1,52 +0,0 @@
-#
-# Copyright (C) 2021 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-set(CIVETWEB_SRC "${PROJECT_BINARY_DIR}/civetweb-prefix/src/civetweb/")
-set(CIVETWEB_LIB "${CIVETWEB_SRC}/install/${CMAKE_INSTALL_LIBDIR}/libcivetweb.a")
-SET(CIVETWEB_CPP_LIB "${CIVETWEB_SRC}/install/${CMAKE_INSTALL_LIBDIR}/libcivetweb-cpp.a")
-set(CIVETWEB_INCLUDE_DIR "${CIVETWEB_SRC}/install/include")
-message(STATUS "Using bundled civetweb in '${CIVETWEB_SRC}'")
-if (USE_BUNDLED_OPENSSL)
-    ExternalProject_Add(
-            civetweb
-            DEPENDS openssl
-            URL "https://github.com/civetweb/civetweb/archive/v1.15.tar.gz"
-            URL_HASH "SHA256=90a533422944ab327a4fbb9969f0845d0dba05354f9cacce3a5005fa59f593b9"
-            INSTALL_DIR ${CIVETWEB_SRC}/install
-            CMAKE_ARGS
-            -DBUILD_TESTING=off
-            -DCIVETWEB_BUILD_TESTING=off
-            -DCIVETWEB_ENABLE_CXX=on
-            -DCIVETWEB_ENABLE_SERVER_EXECUTABLE=off
-            -DCIVETWEB_ENABLE_SSL_DYNAMIC_LOADING=off
-            -DCIVETWEB_SERVE_NO_FILES=on
-            -DCMAKE_INSTALL_PREFIX=${CIVETWEB_SRC}/install
-            -DOPENSSL_ROOT_DIR:PATH=${OPENSSL_INSTALL_DIR}
-            -DOPENSSL_USE_STATIC_LIBS:BOOL=TRUE
-            BUILD_BYPRODUCTS ${CIVETWEB_LIB} ${CIVETWEB_CPP_LIB})
-else()
-    ExternalProject_Add(
-            civetweb
-            URL "https://github.com/civetweb/civetweb/archive/v1.15.tar.gz"
-            URL_HASH "SHA256=90a533422944ab327a4fbb9969f0845d0dba05354f9cacce3a5005fa59f593b9"
-            INSTALL_DIR ${CIVETWEB_SRC}/install
-            CMAKE_ARGS
-            -DBUILD_TESTING=off
-            -DCIVETWEB_BUILD_TESTING=off
-            -DCIVETWEB_ENABLE_CXX=on
-            -DCIVETWEB_ENABLE_SERVER_EXECUTABLE=off
-            -DCIVETWEB_ENABLE_SSL_DYNAMIC_LOADING=off
-            -DCIVETWEB_SERVE_NO_FILES=on
-            -DCMAKE_INSTALL_PREFIX=${CIVETWEB_SRC}/install
-            BUILD_BYPRODUCTS ${CIVETWEB_LIB} ${CIVETWEB_CPP_LIB})
-endif()

cmake/modules/cpp-httplib.cmake

@@ -0,0 +1,32 @@
+#
+# Copyright (C) 2022 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+#
+# cpp-httplib (https://github.com/yhirose/cpp-httplib)
+#
+if(CPPHTTPLIB_INCLUDE)
+	# we already have cpp-httplib
+else()
+	set(CPPHTTPLIB_SRC "${PROJECT_BINARY_DIR}/cpp-httplib-prefix/src/cpp-httplib")
+	set(CPPHTTPLIB_INCLUDE "${CPPHTTPLIB_SRC}")
+
+	message(STATUS "Using bundled cpp-httplib in '${CPPHTTPLIB_SRC}'")
+
+	ExternalProject_Add(cpp-httplib
+		PREFIX "${PROJECT_BINARY_DIR}/cpp-httplib-prefix"
+		URL "https://github.com/yhirose/cpp-httplib/archive/refs/tags/v0.10.4.tar.gz"
+		URL_HASH "SHA256=7719ff9f309c807dd8a574048764836b6a12bcb7d6ae9e129e7e4289cfdb4bd4"
+		CONFIGURE_COMMAND ""
+		BUILD_COMMAND ""
+		INSTALL_COMMAND "")	
+endif()

cmake/modules/driver-repo/CMakeLists.txt

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -9,13 +9,21 @@
 # Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
+#
+cmake_minimum_required(VERSION 3.5.1)
 
-file(GLOB_RECURSE lua_files ${CMAKE_CURRENT_SOURCE_DIR} *.lua)
+project(driver-repo NONE)
 
-add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/falco_engine_lua_files.cpp
-	COMMAND bash ${CMAKE_CURRENT_SOURCE_DIR}/lua-to-cpp.sh ${CMAKE_CURRENT_SOURCE_DIR} ${LYAML_LUA_DIR} ${CMAKE_CURRENT_BINARY_DIR}
-	DEPENDS ${lua_files} ${CMAKE_CURRENT_SOURCE_DIR}/lua-to-cpp.sh lyaml)
+include(ExternalProject)
+message(STATUS "Driver version: ${DRIVER_VERSION}")
 
-add_library(luafiles falco_engine_lua_files.cpp)
-
-target_include_directories(luafiles PUBLIC ${CMAKE_CURRENT_BINARY_DIR})
+ExternalProject_Add(
+  driver
+  URL "https://github.com/falcosecurity/libs/archive/${DRIVER_VERSION}.tar.gz"
+  URL_HASH "${DRIVER_CHECKSUM}"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND ""
+  TEST_COMMAND ""
+  PATCH_COMMAND sh -c "mv ./driver ../driver.tmp && rm -rf ./* && mv ../driver.tmp/* ."
+)

cmake/modules/driver.cmake

@@ -0,0 +1,48 @@
+#
+# Copyright (C) 2022 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(DRIVER_CMAKE_SOURCE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules/driver-repo")
+set(DRIVER_CMAKE_WORKING_DIR "${CMAKE_BINARY_DIR}/driver-repo")
+
+file(MAKE_DIRECTORY ${DRIVER_CMAKE_WORKING_DIR})
+
+if(DRIVER_SOURCE_DIR)
+  set(DRIVER_VERSION "0.0.0-local")
+  message(STATUS "Using local version for driver: '${DRIVER_SOURCE_DIR}'")
+else()
+  # DRIVER_VERSION accepts a git reference (branch name, commit hash, or tag) to the falcosecurity/libs repository
+  # which contains the driver source code under the `/driver` directory.
+  # The chosen driver version must be compatible with the given FALCOSECURITY_LIBS_VERSION.
+  # In case you want to test against another driver version (or branch, or commit) just pass the variable -
+  # ie., `cmake -DDRIVER_VERSION=dev ..`
+  if(NOT DRIVER_VERSION)
+    set(DRIVER_VERSION "dd443b67c6b04464cb8ee2771af8ada8777e7fac")
+    set(DRIVER_CHECKSUM "SHA256=df373099d0f4cd4417a0103bb57f26c7412ffa86cde2bb2d579c6feba841626d")
+  endif()
+
+  # cd /path/to/build && cmake /path/to/source
+  execute_process(COMMAND "${CMAKE_COMMAND}" -DDRIVER_VERSION=${DRIVER_VERSION} -DDRIVER_CHECKSUM=${DRIVER_CHECKSUM}
+    ${DRIVER_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${DRIVER_CMAKE_WORKING_DIR})
+
+  # cmake --build .
+  execute_process(COMMAND "${CMAKE_COMMAND}" --build . WORKING_DIRECTORY "${DRIVER_CMAKE_WORKING_DIR}")
+  set(DRIVER_SOURCE_DIR "${DRIVER_CMAKE_WORKING_DIR}/driver-prefix/src/driver")
+endif()
+
+add_definitions(-D_GNU_SOURCE)
+
+set(DRIVER_NAME "falco")
+set(DRIVER_PACKAGE_NAME "falco")
+set(DRIVER_COMPONENT_NAME "falco-driver")
+
+add_subdirectory(${DRIVER_SOURCE_DIR} ${PROJECT_BINARY_DIR}/driver)

cmake/modules/falcosecurity-libs-repo/CMakeLists.txt

@@ -15,7 +15,7 @@ cmake_minimum_required(VERSION 3.5.1)
 project(falcosecurity-libs-repo NONE)
 
 include(ExternalProject)
-message(STATUS "Driver version: ${FALCOSECURITY_LIBS_VERSION}")
+message(STATUS "Libs version: ${FALCOSECURITY_LIBS_VERSION}")
 
 ExternalProject_Add(
   falcosecurity-libs
@@ -24,4 +24,5 @@ ExternalProject_Add(
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""
   INSTALL_COMMAND ""
-  TEST_COMMAND "")
+  TEST_COMMAND ""
+)

cmake/modules/falcosecurity-libs.cmake

@@ -16,72 +16,75 @@ set(FALCOSECURITY_LIBS_CMAKE_WORKING_DIR "${CMAKE_BINARY_DIR}/falcosecurity-libs
 
 file(MAKE_DIRECTORY ${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR})
 
+# explicitly disable the bundled driver, since we pull it separately
+set(USE_BUNDLED_DRIVER OFF CACHE BOOL "")
+
 if(FALCOSECURITY_LIBS_SOURCE_DIR)
-  set(FALCOSECURITY_LIBS_VERSION "local")
-  message(STATUS "Using local falcosecurity/libs in '${FALCOSECURITY_LIBS_SOURCE_DIR}'")
+  set(FALCOSECURITY_LIBS_VERSION "0.0.0-local")
+  message(STATUS "Using local version of falcosecurity/libs: '${FALCOSECURITY_LIBS_SOURCE_DIR}'")
 else()
-  # The falcosecurity/libs git reference (branch name, commit hash, or tag) To update falcosecurity/libs version for the next release, change the
-  # default below In case you want to test against another falcosecurity/libs version just pass the variable - ie., `cmake
-  # -DFALCOSECURITY_LIBS_VERSION=dev ..`
+  # FALCOSECURITY_LIBS_VERSION accepts a git reference (branch name, commit hash, or tag) to the falcosecurity/libs repository.
+  # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
+  # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..`
   if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "39e05ab79c77cfb05a3fa2309becc346d2b0fa2b")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=3f9a20e871d22333bfa34ea3f4a05d0697202895450dd3a7d519096c9e587b1e")
+    set(FALCOSECURITY_LIBS_VERSION "dd443b67c6b04464cb8ee2771af8ada8777e7fac")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=df373099d0f4cd4417a0103bb57f26c7412ffa86cde2bb2d579c6feba841626d")
   endif()
 
   # cd /path/to/build && cmake /path/to/source
   execute_process(COMMAND "${CMAKE_COMMAND}" -DFALCOSECURITY_LIBS_VERSION=${FALCOSECURITY_LIBS_VERSION} -DFALCOSECURITY_LIBS_CHECKSUM=${FALCOSECURITY_LIBS_CHECKSUM}
-                          ${FALCOSECURITY_LIBS_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR})
-
-  # todo(leodido, fntlnz) > use the following one when CMake version will be >= 3.13
-
-  # execute_process(COMMAND "${CMAKE_COMMAND}" -B ${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR} WORKING_DIRECTORY
-  # "${FALCOSECURITY_LIBS_CMAKE_SOURCE_DIR}")
+    ${FALCOSECURITY_LIBS_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR})
 
+  # cmake --build .
   execute_process(COMMAND "${CMAKE_COMMAND}" --build . WORKING_DIRECTORY "${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR}")
   set(FALCOSECURITY_LIBS_SOURCE_DIR "${FALCOSECURITY_LIBS_CMAKE_WORKING_DIR}/falcosecurity-libs-prefix/src/falcosecurity-libs")
 endif()
 
+set(LIBS_PACKAGE_NAME "falcosecurity")
+
 add_definitions(-D_GNU_SOURCE)
 add_definitions(-DHAS_CAPTURE)
+
 if(MUSL_OPTIMIZED_BUILD)
   add_definitions(-DMUSL_OPTIMIZED)
 endif()
 
-set(DRIVER_VERSION "${FALCOSECURITY_LIBS_VERSION}")
-set(DRIVER_NAME "falco")
-set(DRIVER_PACKAGE_NAME "falco")
-set(SCAP_BPF_PROBE_ENV_VAR_NAME "FALCO_BPF_PROBE")
 set(SCAP_HOST_ROOT_ENV_VAR_NAME "HOST_ROOT")
 
 if(NOT LIBSCAP_DIR)
   set(LIBSCAP_DIR "${FALCOSECURITY_LIBS_SOURCE_DIR}")
 endif()
+
 set(LIBSINSP_DIR "${FALCOSECURITY_LIBS_SOURCE_DIR}")
 
+# configure gVisor support
+set(BUILD_LIBSCAP_GVISOR ${BUILD_FALCO_GVISOR} CACHE BOOL "")
+
+# configure modern BPF support
+set(BUILD_LIBSCAP_MODERN_BPF ${BUILD_FALCO_MODERN_BPF} CACHE BOOL "")
+
 # explicitly disable the tests/examples of this dependency
 set(CREATE_TEST_TARGETS OFF CACHE BOOL "")
 set(BUILD_LIBSCAP_EXAMPLES OFF CACHE BOOL "")
 
-# todo(leogr): although Falco does not actually depend on chisels, we need this for the lua_parser. 
-# Hopefully, we can switch off this in the future
-set(WITH_CHISEL ON CACHE BOOL "")
-
 set(USE_BUNDLED_TBB ON CACHE BOOL "")
 set(USE_BUNDLED_B64 ON CACHE BOOL "")
 set(USE_BUNDLED_JSONCPP ON CACHE BOOL "")
-set(USE_BUNDLED_LUAJIT ON CACHE BOOL "")
+set(USE_BUNDLED_VALIJSON ON CACHE BOOL "")
+set(USE_BUNDLED_RE2 ON CACHE BOOL "")
 
 list(APPEND CMAKE_MODULE_PATH "${FALCOSECURITY_LIBS_SOURCE_DIR}/cmake/modules")
 
 include(CheckSymbolExists)
 check_symbol_exists(strlcpy "string.h" HAVE_STRLCPY)
+
 if(HAVE_STRLCPY)
-	message(STATUS "Existing strlcpy found, will *not* use local definition by setting -DHAVE_STRLCPY.")
-	add_definitions(-DHAVE_STRLCPY)
+  message(STATUS "Existing strlcpy found, will *not* use local definition by setting -DHAVE_STRLCPY.")
+  add_definitions(-DHAVE_STRLCPY)
 else()
-	message(STATUS "No strlcpy found, will use local definition")
+  message(STATUS "No strlcpy found, will use local definition")
 endif()
 
+include(driver)
 include(libscap)
 include(libsinsp)
-

cmake/modules/lpeg.cmake

@@ -1,28 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-set(LPEG_SRC "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg")
-set(LPEG_LIB "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg/build/lpeg.a")
-message(STATUS "Using bundled lpeg in '${LPEG_SRC}'")
-set(LPEG_DEPENDENCIES "")
-list(APPEND LPEG_DEPENDENCIES "luajit")
-ExternalProject_Add(
-  lpeg
-  DEPENDS ${LPEG_DEPENDENCIES}
-  URL "http://www.inf.puc-rio.br/~roberto/lpeg/lpeg-1.0.2.tar.gz"
-  URL_HASH "SHA256=48d66576051b6c78388faad09b70493093264588fcd0f258ddaab1cdd4a15ffe"
-  BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
-  BUILD_IN_SOURCE 1
-  BUILD_BYPRODUCTS ${LPEG_LIB}
-  CONFIGURE_COMMAND ""
-  INSTALL_COMMAND "")

cmake/modules/lyaml.cmake

@@ -1,28 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-set(LYAML_ROOT "${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml")
-set(LYAML_LIB "${LYAML_ROOT}/ext/yaml/.libs/yaml.a")
-set(LYAML_LUA_DIR "${LYAML_ROOT}/lib")
-message(STATUS "Using bundled lyaml in '${LYAML_ROOT}'")
-externalproject_add(
-  lyaml
-  DEPENDS luajit libyaml
-  URL "https://github.com/gvvaughan/lyaml/archive/release-v6.0.tar.gz"
-  URL_HASH "SHA256=9d7cf74d776999ff6f758c569d5202ff5da1f303c6f4229d3b41f71cd3a3e7a7"
-  BUILD_COMMAND ${CMD_MAKE}
-  BUILD_IN_SOURCE 1
-  BUILD_BYPRODUCTS ${LYAML_LIB}
-  INSTALL_COMMAND ""
-  CONFIGURE_COMMAND ./configure --enable-static CFLAGS=-I${LIBYAML_INSTALL_DIR}/include CPPFLAGS=-I${LIBYAML_INSTALL_DIR}/include LDFLAGS=-L${LIBYAML_INSTALL_DIR}/lib LIBS=-lyaml LUA=${LUAJIT_SRC}/luajit LUA_INCLUDE=-I${LUAJIT_INCLUDE}
-)

cmake/modules/plugins.cmake

@@ -15,22 +15,77 @@ include(ExternalProject)
 
 string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} PLUGINS_SYSTEM_NAME)
 
+if(NOT DEFINED PLUGINS_COMPONENT_NAME)
+    set(PLUGINS_COMPONENT_NAME "${CMAKE_PROJECT_NAME}-plugins")
+endif()
+
+set(PLUGIN_K8S_AUDIT_VERSION "0.4.0")
+if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+    set(PLUGIN_K8S_AUDIT_HASH "ded0b5419f40084547620ccc48b19768e5e89457b85cfe8fbe496ca72267a3a4")
+else() # aarch64
+    set(PLUGIN_K8S_AUDIT_HASH "775cba666612114bc5b0c36f2e3c4557f5adbffcca2d77e72be87c6fcbf51ceb")
+endif()
+
 ExternalProject_Add(
-  cloudtrail-plugin
-  URL "https://download.falco.org/plugins/stable/cloudtrail-0.2.3-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
-  URL_HASH "SHA256=3dfce36f37a4f834b6078c6b78776414472a6ee775e8f262535313cc4031d0b7"
+  k8saudit-plugin
+  URL "https://download.falco.org/plugins/stable/k8saudit-${PLUGIN_K8S_AUDIT_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
+  URL_HASH "SHA256=${PLUGIN_K8S_AUDIT_HASH}"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""
   INSTALL_COMMAND "")
 
-install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-plugin-prefix/src/cloudtrail-plugin/libcloudtrail.so" DESTINATION "${FALCO_PLUGINS_DIR}")
+install(FILES "${PROJECT_BINARY_DIR}/k8saudit-plugin-prefix/src/k8saudit-plugin/libk8saudit.so" DESTINATION "${FALCO_PLUGINS_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
+
+ExternalProject_Add(
+  k8saudit-rules
+  URL "https://download.falco.org/plugins/stable/k8saudit-rules-${PLUGIN_K8S_AUDIT_VERSION}.tar.gz"
+  URL_HASH "SHA256=53948fac0345e718d673142a992ac820135f771141dfaa9719c7575ac8ae6878"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND "")
+
+install(FILES "${PROJECT_BINARY_DIR}/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
+
+set(PLUGIN_CLOUDTRAIL_VERSION "0.6.0")
+if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+    set(PLUGIN_CLOUDTRAIL_HASH "80e0c33f30c01a90efb7e9a671d978ff9679c462e3105020238abf31230e49a9")
+else() # aarch64
+    set(PLUGIN_CLOUDTRAIL_HASH "a3e739932e66d44be848a68857fa15f56134d5246a1b9ab912c81f91b68fb23f")
+endif()
+
+ExternalProject_Add(
+  cloudtrail-plugin
+  URL "https://download.falco.org/plugins/stable/cloudtrail-${PLUGIN_CLOUDTRAIL_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
+  URL_HASH "SHA256=${PLUGIN_CLOUDTRAIL_HASH}"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND "")
+
+install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-plugin-prefix/src/cloudtrail-plugin/libcloudtrail.so" DESTINATION "${FALCO_PLUGINS_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
+
+ExternalProject_Add(
+  cloudtrail-rules
+  URL "https://download.falco.org/plugins/stable/cloudtrail-rules-${PLUGIN_CLOUDTRAIL_VERSION}.tar.gz"
+  URL_HASH "SHA256=e0dccb7b0f1d24b1e526a33ffd973ea5f2ac2879dbc999e119419ebfd24305ff"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND "")
+
+  install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-rules-prefix/src/cloudtrail-rules/aws_cloudtrail_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
+
+set(PLUGIN_JSON_VERSION "0.6.0")
+if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+    set(PLUGIN_JSON_HASH "15fb7eddd978e8bb03f05412e9446e264e4548d7423b3d724b99d6d87a8c1b27")
+else() # aarch64
+    set(PLUGIN_JSON_HASH "4db23f35a750e10a5b7b54c9aa469a7587705e7faa22927e941b41f3c5533e9f")
+endif()
 
 ExternalProject_Add(
   json-plugin
-  URL "https://download.falco.org/plugins/stable/json-0.2.2-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
-  URL_HASH "SHA256=83eb411c9f2125695875b229c6e7974e6a4cc7f028be146b79d26db30372af5e"
+  URL "https://download.falco.org/plugins/stable/json-${PLUGIN_JSON_VERSION}-${PLUGINS_SYSTEM_NAME}-${CMAKE_HOST_SYSTEM_PROCESSOR}.tar.gz"
+  URL_HASH "SHA256=${PLUGIN_JSON_HASH}"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""
   INSTALL_COMMAND "")
 
-install(FILES "${PROJECT_BINARY_DIR}/json-plugin-prefix/src/json-plugin/libjson.so" DESTINATION "${FALCO_PLUGINS_DIR}")
+install(FILES "${PROJECT_BINARY_DIR}/json-plugin-prefix/src/json-plugin/libjson.so" DESTINATION "${FALCO_PLUGINS_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")

cmake/modules/static-analysis.cmake

@@ -25,11 +25,10 @@ else()
       "--force"
       "--inconclusive"
       "--inline-suppr" # allows to specify suppressions directly in source code
-      "--project=${CMAKE_CURRENT_BINARY_DIR}/compile_commands.json" # use the compilation database as source
-      "--quiet"
       "--xml" # we want to generate a report
       "--output-file=${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck/cppcheck.xml" # generate the report under the reports folder in the build folder
       "-i${CMAKE_CURRENT_BINARY_DIR}"# exclude the build folder
+      "${CMAKE_SOURCE_DIR}"
   )
 endif() # CPPCHECK
 

docker/OWNERS

@@ -2,5 +2,4 @@ labels:
   - area/integration
 approvers:
   - leogr
-reviewers:
-  - leogr
+

docker/README.md

@@ -7,10 +7,11 @@ This directory contains various ways to package Falco as a container and related
 | Name | Directory | Description |
 |---|---|---|
 | [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco | Falco (DEB built from git tag or from the master) with all the building toolchain. |
+| _not yet published (experimental)_ | docker/ubi | Falco (built from RedHat's UBI base image) with the building toolchain. |
 | [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. |
 | [falcosecurity/falco-no-driver:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver), [falcosecurity/falco-no-driver:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver),[falcosecurity/falco-no-driver:master](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver) | docker/no-driver | Falco (TGZ built from git tag or from the master) without the building toolchain. |
 | [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/getting-started/source/) for more details on building from source. Used to build Falco (CI). |
 | [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). |
-| _to not be published_ | docker/local | Built on-the-fly and used by falco-tester. |
+| _not to be published_ | docker/local | Built on-the-fly and used by falco-tester. |
 
 > Note: `falco-builder`, `falco-tester` (and the `docker/local` image that it's built on the fly) are not integrated into the release process because they are development and CI tools that need to be manually pushed only when updated.

docker/builder/Dockerfile

@@ -10,6 +10,7 @@ ARG BUILD_BPF=OFF
 ARG BUILD_WARNINGS_AS_ERRORS=ON
 ARG MAKE_JOBS=4
 ARG FALCO_VERSION
+ARG CMAKE_VERSION=3.22.5
 
 ENV BUILD_TYPE=${BUILD_TYPE}
 ENV BUILD_DRIVER=${BUILD_DRIVER}
@@ -17,22 +18,22 @@ ENV BUILD_BPF=${BUILD_BPF}
 ENV BUILD_WARNINGS_AS_ERRORS=${BUILD_WARNINGS_AS_ERRORS}
 ENV MAKE_JOBS=${MAKE_JOBS}
 ENV FALCO_VERSION=${FALCO_VERSION}
+ENV CMAKE_VERSION=${CMAKE_VERSION}
 
 # build toolchain
 RUN yum -y install centos-release-scl && \
-    INSTALL_PKGS="devtoolset-7-gcc devtoolset-7-gcc-c++ devtoolset-7-toolchain devtoolset-7-libstdc++-devel devtoolset-7-elfutils-libelf-devel llvm-toolset-7 glibc-static autoconf automake libtool createrepo expect git which libcurl-devel zlib-devel rpm-build libyaml-devel" && \
+    INSTALL_PKGS="devtoolset-7-gcc devtoolset-7-gcc-c++ devtoolset-7-toolchain devtoolset-7-libstdc++-devel llvm-toolset-7.0 glibc-static autoconf automake libtool createrepo expect git which libcurl-devel rpm-build libyaml-devel" && \
     yum -y install --setopt=tsflags=nodocs $INSTALL_PKGS && \
     rpm -V $INSTALL_PKGS
 
-ARG CMAKE_VERSION=3.6.3
-RUN source scl_source enable devtoolset-7 llvm-toolset-7 && \
-    cd /tmp && \
-    curl -L https://github.com/kitware/cmake/releases/download/v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}.tar.gz | tar xz; \
-    cd cmake-${CMAKE_VERSION} && \
-    ./bootstrap --system-curl && \
-    make -j${MAKE_JOBS} && \
-    make install && \
-    rm -rf /tmp/cmake-${CMAKE_VERSION}
+
+RUN source scl_source enable devtoolset-7 llvm-toolset-7.0
+
+RUN curl -L -o /tmp/cmake-${CMAKE_VERSION}-linux-$(uname -m).tar.gz https://github.com/kitware/cmake/releases/download/v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}-linux-$(uname -m).tar.gz && \
+    gzip -d /tmp/cmake-${CMAKE_VERSION}-linux-$(uname -m).tar.gz && \
+    tar -xpf /tmp/cmake-${CMAKE_VERSION}-linux-$(uname -m).tar --directory=/tmp && \
+    cp -R /tmp/cmake-${CMAKE_VERSION}-linux-$(uname -m)/* /usr && \
+    rm -rf /tmp/cmake-${CMAKE_VERSION}-linux-$(uname -m)
 
 COPY ./root /
 

docker/builder/root/usr/bin/entrypoint

@@ -9,10 +9,10 @@ shift
 
 # Build type can be "debug" or "release", fallbacks to "release" by default
 BUILD_TYPE=$(echo "$BUILD_TYPE" | tr "[:upper:]" "[:lower:]")
-DRAIOS_DEBUG_FLAGS=
+FALCO_EXTRA_DEBUG_FLAGS=
 case "$BUILD_TYPE" in
 "debug")
-    DRAIOS_DEBUG_FLAGS="-D_DEBUG -DNDEBUG"
+    FALCO_EXTRA_DEBUG_FLAGS="-D_DEBUG -DNDEBUG"
     ;;
 *)
     BUILD_TYPE="release"
@@ -37,7 +37,7 @@ case "$CMD" in
     -DBUILD_BPF="$BUILD_BPF" \
     -DBUILD_WARNINGS_AS_ERRORS="$BUILD_WARNINGS_AS_ERRORS" \
     -DFALCO_VERSION="$FALCO_VERSION" \
-    -DDRAIOS_DEBUG_FLAGS="$DRAIOS_DEBUG_FLAGS" \
+    -DFALCO_EXTRA_DEBUG_FLAGS="$FALCO_EXTRA_DEBUG_FLAGS" \
     -DUSE_BUNDLED_DEPS=ON \
     "$SOURCE_DIR/falco"
     exit "$(printf '%d\n' $?)"

docker/builder/root/usr/bin/scl_enable

@@ -1,6 +1,6 @@
 # IMPORTANT: Do not add more content to this file unless you know what you are doing.
-#            This file is sourced everytime the shell session is opened.
+#            This file is sourced every time the shell session is opened.
 #
 # This will make scl collection binaries work out of box.
 unset BASH_ENV PROMPT_COMMAND ENV
-source scl_source enable devtoolset-7 llvm-toolset-7
+source scl_source enable devtoolset-7 llvm-toolset-7.0

docker/falco/Dockerfile

@@ -4,6 +4,8 @@ LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 
 LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc --name NAME IMAGE"
 
+ARG TARGETARCH
+
 ARG FALCO_VERSION=latest
 ARG VERSION_BUCKET=deb
 ENV VERSION_BUCKET=${VERSION_BUCKET}
@@ -29,45 +31,53 @@ RUN apt-get update \
 	jq \
 	libc6-dev \
 	libelf-dev \
-	libmpx2 \
 	libssl-dev \
 	llvm-7 \
 	netcat \
+	patchelf \
 	xz-utils \
 	&& rm -rf /var/lib/apt/lists/*
 
+RUN if [ "$TARGETARCH" = "amd64" ]; \
+    then apt-get install -y --no-install-recommends libmpx2; \
+    fi
+
 # gcc 6 is no longer included in debian stable, but we need it to
 # build kernel modules on the default debian-based ami used by
 # kops. So grab copies we've saved from debian snapshots with the
 # prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
 # or so.
 
-RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_amd64.deb \
-	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_amd64.deb \
-	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
-	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
-	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libubsan0_6.3.0-18_amd64.deb \
-	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_amd64.deb \
-	&& curl -L -o libisl15_0.18-1_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-1_amd64.deb \
-	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
-	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
+RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libcilkrts5_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
+    curl -L -o cpp-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o gcc-6-base_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o gcc-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o libasan3_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o libubsan0_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libubsan0_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o libmpfr4_3.1.3-2_${TARGETARCH}.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_${TARGETARCH}.deb \
+	&& curl -L -o libisl15_0.18-1_${TARGETARCH}.deb https://download.falco.org/dependencies/libisl15_0.18-1_${TARGETARCH}.deb \
+	&& dpkg -i cpp-6_6.3.0-18_${TARGETARCH}.deb gcc-6-base_6.3.0-18_${TARGETARCH}.deb gcc-6_6.3.0-18_${TARGETARCH}.deb libasan3_6.3.0-18_${TARGETARCH}.deb; \
+    if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
+    dpkg -i libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb \
+	&& rm -f cpp-6_6.3.0-18_${TARGETARCH}.deb gcc-6-base_6.3.0-18_${TARGETARCH}.deb gcc-6_6.3.0-18_${TARGETARCH}.deb libasan3_6.3.0-18_${TARGETARCH}.deb libcilkrts5_6.3.0-18_${TARGETARCH}.deb libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb
 
 # gcc 5 is no longer included in debian stable, but we need it to
 # build centos kernels, which are 3.x based and explicitly want a gcc
 # version 3, 4, or 5 compiler. So grab copies we've saved from debian
 # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
 
-RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_amd64.deb \
-	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://download.falco.org/dependencies/libasan2_5.5.0-12_amd64.deb \
-	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
-	&& curl -L -o libisl15_0.18-4_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-4_amd64.deb \
-	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_amd64.deb \
-	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
-	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
+RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libmpx0_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
+    curl -L -o cpp-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o gcc-5-base_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o gcc-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o libasan2_5.5.0-12_${TARGETARCH}.deb	https://download.falco.org/dependencies/libasan2_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o libisl15_0.18-4_${TARGETARCH}.deb https://download.falco.org/dependencies/libisl15_0.18-4_${TARGETARCH}.deb \
+	&& dpkg -i cpp-5_5.5.0-12_${TARGETARCH}.deb gcc-5-base_5.5.0-12_${TARGETARCH}.deb gcc-5_5.5.0-12_${TARGETARCH}.deb libasan2_5.5.0-12_${TARGETARCH}.deb; \
+    if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
+    dpkg -i libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb \
+	&& rm -f cpp-5_5.5.0-12_${TARGETARCH}.deb gcc-5-base_5.5.0-12_${TARGETARCH}.deb gcc-5_5.5.0-12_${TARGETARCH}.deb libasan2_5.5.0-12_${TARGETARCH}.deb libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb libmpx0_5.5.0-12_${TARGETARCH}.deb
 
 # Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
 # default to gcc-5.
@@ -99,10 +109,16 @@ RUN rm -df /lib/modules \
 # debian:stable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -L -o binutils_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils_2.30-22_amd64.deb \
-	&& curl -L -o libbinutils_2.30-22_amd64.deb https://download.falco.org/dependencies/libbinutils_2.30-22_amd64.deb \
-	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
-	&& curl -L -o binutils-common_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-common_2.30-22_amd64.deb \
+
+RUN if [ "$TARGETARCH" = "amd64" ] ; then \
+    curl -L -o binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
+    else  \
+    curl -L -o  binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
+    fi
+
+RUN curl -L -o binutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils_2.30-22_${TARGETARCH}.deb \
+	&& curl -L -o libbinutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/libbinutils_2.30-22_${TARGETARCH}.deb \
+	&& curl -L -o binutils-common_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-common_2.30-22_${TARGETARCH}.deb \
 	&& dpkg -i *binutils*.deb \
 	&& rm -f *binutils*.deb
 

docker/local/Dockerfile

@@ -1,8 +1,10 @@
-FROM debian:stable
+FROM debian:buster
 
 LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 
+ARG TARGETARCH
+
 ARG FALCO_VERSION=
 RUN test -n FALCO_VERSION
 ENV FALCO_VERSION ${FALCO_VERSION}
@@ -37,43 +39,50 @@ RUN apt-get update \
 	libatomic1 \
 	liblsan0 \
 	libtsan0 \
-	libmpx2 \
-	libquadmath0 \
 	libcc1-0 \
+	patchelf \
 	&& rm -rf /var/lib/apt/lists/*
 
+RUN if [ "$TARGETARCH" = "amd64" ]; \
+    then apt-get install -y --no-install-recommends libmpx2 libquadmath0; \
+    fi
+
 # gcc 6 is no longer included in debian stable, but we need it to
 # build kernel modules on the default debian-based ami used by
 # kops. So grab copies we've saved from debian snapshots with the
 # prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
 # or so.
 
-RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_amd64.deb \
-	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_amd64.deb \
-	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
-	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
-	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libubsan0_6.3.0-18_amd64.deb \
-	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_amd64.deb \
-	&& curl -L -o libisl15_0.18-1_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-1_amd64.deb \
-	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
-	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
+RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libcilkrts5_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
+    curl -L -o cpp-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o gcc-6-base_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o gcc-6_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o libasan3_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o libubsan0_6.3.0-18_${TARGETARCH}.deb https://download.falco.org/dependencies/libubsan0_6.3.0-18_${TARGETARCH}.deb \
+	&& curl -L -o libmpfr4_3.1.3-2_${TARGETARCH}.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_${TARGETARCH}.deb \
+	&& curl -L -o libisl15_0.18-1_${TARGETARCH}.deb https://download.falco.org/dependencies/libisl15_0.18-1_${TARGETARCH}.deb \
+	&& dpkg -i cpp-6_6.3.0-18_${TARGETARCH}.deb gcc-6-base_6.3.0-18_${TARGETARCH}.deb gcc-6_6.3.0-18_${TARGETARCH}.deb libasan3_6.3.0-18_${TARGETARCH}.deb; \
+    if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libcilkrts5_6.3.0-18_${TARGETARCH}.deb; fi; \
+    dpkg -i libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb \
+	&& rm -f cpp-6_6.3.0-18_${TARGETARCH}.deb gcc-6-base_6.3.0-18_${TARGETARCH}.deb gcc-6_6.3.0-18_${TARGETARCH}.deb libasan3_6.3.0-18_${TARGETARCH}.deb libcilkrts5_6.3.0-18_${TARGETARCH}.deb libgcc-6-dev_6.3.0-18_${TARGETARCH}.deb libubsan0_6.3.0-18_${TARGETARCH}.deb libmpfr4_3.1.3-2_${TARGETARCH}.deb libisl15_0.18-1_${TARGETARCH}.deb
 
 # gcc 5 is no longer included in debian stable, but we need it to
 # build centos kernels, which are 3.x based and explicitly want a gcc
 # version 3, 4, or 5 compiler. So grab copies we've saved from debian
 # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
 
-RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_amd64.deb \
-	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://download.falco.org/dependencies/libasan2_5.5.0-12_amd64.deb \
-	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
-	&& curl -L -o libisl15_0.18-4_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-4_amd64.deb \
-	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_amd64.deb \
-	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
-	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
+RUN if [ "$TARGETARCH" = "amd64" ]; then curl -L -o libmpx0_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
+    curl -L -o cpp-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o gcc-5-base_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o gcc-5_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o libasan2_5.5.0-12_${TARGETARCH}.deb	https://download.falco.org/dependencies/libasan2_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb \
+	&& curl -L -o libisl15_0.18-4_${TARGETARCH}.deb https://download.falco.org/dependencies/libisl15_0.18-4_${TARGETARCH}.deb \
+	&& dpkg -i cpp-5_5.5.0-12_${TARGETARCH}.deb gcc-5-base_5.5.0-12_${TARGETARCH}.deb gcc-5_5.5.0-12_${TARGETARCH}.deb libasan2_5.5.0-12_${TARGETARCH}.deb; \
+    if [ "$TARGETARCH" = "amd64" ]; then dpkg -i libmpx0_5.5.0-12_${TARGETARCH}.deb; fi; \
+    dpkg -i libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb \
+	&& rm -f cpp-5_5.5.0-12_${TARGETARCH}.deb gcc-5-base_5.5.0-12_${TARGETARCH}.deb gcc-5_5.5.0-12_${TARGETARCH}.deb libasan2_5.5.0-12_${TARGETARCH}.deb libgcc-5-dev_5.5.0-12_${TARGETARCH}.deb libisl15_0.18-4_${TARGETARCH}.deb libmpx0_5.5.0-12_${TARGETARCH}.deb
 
 # Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
 # default to gcc-5.
@@ -90,8 +99,8 @@ RUN rm -rf /usr/bin/clang \
 RUN rm -df /lib/modules \
 	&& ln -s $HOST_ROOT/lib/modules /lib/modules
 
-ADD falco-${FALCO_VERSION}-x86_64.deb /
-RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
+ADD falco-${FALCO_VERSION}-*.deb /
+RUN dpkg -i /falco-${FALCO_VERSION}-$(uname -m).deb
 
 # Change the falco config within the container to enable ISO 8601
 # output.
@@ -101,10 +110,15 @@ RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/fa
 # debian:stable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -L -o binutils_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils_2.30-22_amd64.deb \
-	&& curl -L -o libbinutils_2.30-22_amd64.deb https://download.falco.org/dependencies/libbinutils_2.30-22_amd64.deb \
-	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
-	&& curl -L -o binutils-common_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-common_2.30-22_amd64.deb \
+RUN if [ "$TARGETARCH" = "amd64" ] ; then \
+    curl -L -o binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
+    else  \
+    curl -L -o  binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-aarch64-linux-gnu_2.30-22_${TARGETARCH}.deb; \
+    fi
+
+RUN curl -L -o binutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils_2.30-22_${TARGETARCH}.deb \
+	&& curl -L -o libbinutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/libbinutils_2.30-22_${TARGETARCH}.deb \
+	&& curl -L -o binutils-common_2.30-22_${TARGETARCH}.deb https://download.falco.org/dependencies/binutils-common_2.30-22_${TARGETARCH}.deb \
 	&& dpkg -i *binutils*.deb \
 	&& rm -f *binutils*.deb
 

docker/no-driver/Dockerfile

@@ -11,10 +11,10 @@ RUN apt-get -y update && apt-get -y install gridsite-clients curl
 WORKDIR /
 
 RUN curl -L -o falco.tar.gz \
-    https://download.falco.org/packages/${VERSION_BUCKET}/x86_64/falco-$(urlencode ${FALCO_VERSION})-x86_64.tar.gz && \
+    https://download.falco.org/packages/${VERSION_BUCKET}/$(uname -m)/falco-$(urlencode ${FALCO_VERSION})-$(uname -m).tar.gz && \
     tar -xvf falco.tar.gz && \
     rm -f falco.tar.gz && \
-    mv falco-${FALCO_VERSION}-x86_64 falco && \
+    mv falco-${FALCO_VERSION}-$(uname -m) falco && \
     rm -rf /falco/usr/src/falco-* /falco/usr/bin/falco-driver-loader
 
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
@@ -32,4 +32,4 @@ ENV HOME /root
 
 COPY --from=ubuntu /falco /
 
-CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]
+CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/tester/Dockerfile

@@ -4,17 +4,24 @@ LABEL name="falcosecurity/falco-tester"
 LABEL usage="docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build --name <name> falcosecurity/falco-tester test"
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 
+ARG TARGETARCH
+
 ENV FALCO_VERSION=
 ENV BUILD_TYPE=release
 
-ADD https://github.com/fullstorydev/grpcurl/releases/download/v1.6.0/grpcurl_1.6.0_linux_x86_64.tar.gz /
+RUN if [ "$TARGETARCH" = "amd64" ] ; then curl -L -o grpcurl.tar.gz \
+    https://github.com/fullstorydev/grpcurl/releases/download/v1.8.6/grpcurl_1.8.6_linux_x86_64.tar.gz; \
+    else curl -L -o grpcurl.tar.gz \
+    https://github.com/fullstorydev/grpcurl/releases/download/v1.8.6/grpcurl_1.8.6_linux_arm64.tar.gz; \
+    fi;
+
 RUN dnf install -y python-pip python docker findutils jq unzip && dnf clean all
 ENV PATH="/root/.local/bin/:${PATH}"
 RUN pip install --user avocado-framework==69.0
 RUN pip install --user avocado-framework-plugin-varianter-yaml-to-mux==69.0
 RUN pip install --user watchdog==0.10.2
 RUN pip install --user pathtools==0.1.2
-RUN tar -C /usr/bin -xvf grpcurl_1.6.0_linux_x86_64.tar.gz
+RUN tar -C /usr/bin -xvf grpcurl.tar.gz
 
 COPY ./root /
 

docker/tester/root/runners/deb.Dockerfile

@@ -8,8 +8,8 @@ ENV FALCO_VERSION ${FALCO_VERSION}
 RUN apt update -y
 RUN apt install dkms -y
 
-ADD falco-${FALCO_VERSION}-x86_64.deb /
-RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
+ADD falco-${FALCO_VERSION}-*.deb /
+RUN dpkg -i /falco-${FALCO_VERSION}-$(uname -m).deb
 
 # Change the falco config within the container to enable ISO 8601 output.
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \

docker/tester/root/runners/rpm.Dockerfile

@@ -9,8 +9,8 @@ ENV FALCO_VERSION ${FALCO_VERSION}
 RUN yum update -y
 RUN yum install epel-release -y
 
-ADD falco-${FALCO_VERSION}-x86_64.rpm /
-RUN yum install -y /falco-${FALCO_VERSION}-x86_64.rpm
+ADD falco-${FALCO_VERSION}-*.rpm /
+RUN yum install -y /falco-${FALCO_VERSION}-$(uname -m).rpm
 
 # Change the falco config within the container to enable ISO 8601 output.
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \

docker/tester/root/runners/tar.gz.Dockerfile

@@ -8,8 +8,8 @@ ENV FALCO_VERSION ${FALCO_VERSION}
 RUN apt update -y
 RUN apt install dkms curl -y
 
-ADD falco-${FALCO_VERSION}-x86_64.tar.gz /
-RUN cp -R /falco-${FALCO_VERSION}-x86_64/* /
+ADD falco-${FALCO_VERSION}-*.tar.gz /
+RUN cp -R /falco-${FALCO_VERSION}-$(uname -m)/* /
 
 # Change the falco config within the container to enable ISO 8601 output.
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \

docker/tester/root/usr/bin/entrypoint

@@ -25,7 +25,7 @@ build_image() {
     BUILD_TYPE=$2
     FALCO_VERSION=$3
     PACKAGE_TYPE=$4
-    PACKAGE="$BUILD_DIR/$BUILD_TYPE/falco-$FALCO_VERSION-x86_64.${PACKAGE_TYPE}"
+    PACKAGE="$BUILD_DIR/$BUILD_TYPE/falco-$FALCO_VERSION-$(uname -m).${PACKAGE_TYPE}"
     if [ ! -f "$PACKAGE" ]; then
         echo "Package not found: ${PACKAGE}." >&2
         exit 1

docker/ubi/Dockerfile

@@ -0,0 +1,45 @@
+ARG UBI_VERSION=latest
+FROM registry.access.redhat.com/ubi8/ubi:${UBI_VERSION}
+
+ARG FALCO_VERSION
+RUN test -n "$FALCO_VERSION" || (echo "FALCO_VERSION  not set" && false)
+ENV FALCO_VERSION=${FALCO_VERSION}
+
+LABEL "name"="Falco Runtime Security"
+LABEL "vendor"="Falco"
+LABEL "version"="${FALCO_VERSION}"
+LABEL "release"="${FALCO_VERSION}"
+LABEL "ubi-version"="${UBI_VERSION}"
+LABEL "summary"="Falco is a security policy engine that monitors system calls and cloud events, and fires alerts when security policies are violated."
+LABEL "description"="Falco is a security policy engine that monitors system calls and cloud events, and fires alerts when security policies are violated."
+LABEL "io.k8s.display-name"="Falco"
+LABEL "io.k8s.description"="Falco is a security policy engine that monitors system calls and cloud events, and fires alerts when security policies are violated."
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc --name NAME IMAGE"
+
+
+ENV HOST_ROOT /host
+ENV HOME /root
+
+RUN  dnf -y update && \
+     dnf -y install \
+          curl \
+          make \
+          cmake \
+          gcc \
+          llvm-toolset \
+          clang \
+          kmod \
+     && dnf -y clean all ; rm -rf /var/cache/{dnf,yum}
+
+RUN mkdir /build && cd /build/ && curl --remote-name-all -L https://github.com/dell/dkms/archive/refs/tags/v3.0.3.tar.gz && \
+     tar xvf v3.0.3.tar.gz && cd dkms-3.0.3 && make install-redhat && rm -rf /build
+
+RUN mkdir /deploy && cd /deploy/ && curl --remote-name-all -L https://download.falco.org/packages/bin/$(uname -m)/falco-${FALCO_VERSION}-$(uname -m).tar.gz && \
+     cd / && tar --strip-components=1 -xvf /deploy/falco-${FALCO_VERSION}-$(uname -m).tar.gz && \
+     rm -rf /deploy
+
+COPY ./docker-entrypoint.sh /
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+CMD ["/usr/bin/falco"]

docker/ubi/docker-entrypoint.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+#
+# Copyright (C) 2022 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# Set the SKIP_DRIVER_LOADER variable to skip loading the driver
+
+if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
+
+    # Required by dkms to find the required dependencies on RedHat UBI
+    rm -fr /usr/src/kernels/ && rm -fr /usr/src/debug/
+    rm -fr /lib/modules && ln -s $HOST_ROOT/lib/modules /lib/modules
+    rm -fr /boot && ln -s $HOST_ROOT/boot /boot
+
+    echo "* Setting up /usr/src links from host"
+
+    for i in "$HOST_ROOT/usr/src"/*
+    do
+        base=$(basename "$i")
+        ln -s "$i" "/usr/src/$base"
+    done
+
+    /usr/bin/falco-driver-loader
+fi
+
+exec "$@"

falco.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -30,10 +30,8 @@
 rules_file:
   - /etc/falco/falco_rules.yaml
   - /etc/falco/falco_rules.local.yaml
-  - /etc/falco/k8s_audit_rules.yaml
   - /etc/falco/rules.d
 
-
 #
 # Plugins that are available for use. These plugins are not loaded by
 # default, as they require explicit configuration to point to
@@ -44,13 +42,19 @@ rules_file:
 # init_config/open_params for the cloudtrail plugin, see the README at
 # https://github.com/falcosecurity/plugins/blob/master/plugins/cloudtrail/README.md.
 plugins:
+  - name: k8saudit
+    library_path: libk8saudit.so
+    init_config:
+    #   maxEventSize: 262144
+    #   webhookMaxBatchSize: 12582912
+    #   sslCertificate: /etc/falco/falco.pem
+    open_params: "http://:9765/k8s-audit"
   - name: cloudtrail
     library_path: libcloudtrail.so
-    init_config: ""
-    open_params: ""
+    # see docs for init_config and open_params:
+    # https://github.com/falcosecurity/plugins/blob/master/plugins/cloudtrail/README.md
   - name: json
     library_path: libjson.so
-    init_config: ""
 
 # Setting this list to empty ensures that the above plugins are *not*
 # loaded and enabled by default. If you want to use the above plugins,
@@ -59,12 +63,19 @@ plugins:
 # load_plugins: [cloudtrail, json]
 load_plugins: []
 
+# Watch config file and rules files for modification.
+# When a file is modified, Falco will propagate new config,
+# by reloading itself.
+watch_config_files: true
+
 # If true, the times displayed in log messages and output messages
 # will be in ISO 8601. By default, times are displayed in the local
 # time zone, as governed by /etc/localtime.
 time_format_iso_8601: false
 
-# Whether to output events in json or text
+# If "true", print falco alert messages and rules file
+# loading/validation results as json, which allows for easier
+# consumption by downstream programs. Default is "false".
 json_output: false
 
 # When using json output, whether or not to include the "output" property
@@ -89,6 +100,17 @@ log_syslog: true
 # "alert", "critical", "error", "warning", "notice", "info", "debug".
 log_level: info
 
+# Falco is capable of managing the logs coming from libs. If enabled,
+# the libs logger send its log records the same outputs supported by
+# Falco (stderr and syslog). Disabled by default.
+libs_logger:
+  enabled: false
+  # Minimum log severity to include in the libs logs. Note: this value is
+  # separate from the log level of the Falco logger and does not affect it.
+  # Can be one of "fatal", "critical", "error", "warning", "notice",
+  # "info", "debug", "trace".
+  severity: debug
+
 # Minimum rule priority level to load and run. All rules having a
 # priority more severe than this level will be loaded/run.  Can be one
 # of "emergency", "alert", "critical", "error", "warning", "notice",
@@ -128,6 +150,7 @@ syscall_event_drops:
     - alert
   rate: .03333
   max_burst: 1
+  simulate_drops: false
 
 # Falco uses a shared buffer between the kernel and userspace to receive
 # the events (eg., system call information) in userspace.
@@ -147,6 +170,61 @@ syscall_event_drops:
 syscall_event_timeouts:
   max_consecutives: 1000
 
+# --- [Description]
+#
+# This is an index that controls the dimension of the syscall buffers.
+# The syscall buffer is the shared space between Falco and its drivers where all the syscall events
+# are stored.
+# Falco uses a syscall buffer for every online CPU, and all these buffers share the same dimension.
+# So this parameter allows you to control the size of all the buffers!
+#
+# --- [Usage]
+#
+# You can choose between different indexes: from `1` to `10` (`0` is reserved for future uses).
+# Every index corresponds to a dimension in bytes:
+#
+# [(*), 1 MB, 2 MB, 4 MB, 8 MB, 16 MB, 32 MB, 64 MB, 128 MB, 256 MB, 512 MB]
+#   ^    ^     ^     ^     ^     ^      ^      ^       ^       ^       ^
+#   |    |     |     |     |     |      |      |       |       |       |
+#   0    1     2     3     4     5      6      7       8       9       10
+#
+# As you can see the `0` index is reserved, while the index `1` corresponds to
+# `1 MB` and so on.
+#
+# These dimensions in bytes derive from the fact that the buffer size must be:
+# (1) a power of 2.
+# (2) a multiple of your system_page_dimension.
+# (3) greater than `2 * (system_page_dimension)`.
+#
+# According to these constraints is possible that sometimes you cannot use all the indexes, let's consider an
+# example to better understand it:
+# If you have a `page_size` of 1 MB the first available buffer size is 4 MB because 2 MB is exactly
+# `2 * (system_page_size)` -> `2 * 1 MB`, but this is not enough we need more than `2 * (system_page_size)`!
+# So from this example is clear that if you have a page size of 1 MB the first index that you can use is `3`.
+#
+# Please note: this is a very extreme case just to let you understand the mechanism, usually the page size is something
+# like 4 KB so you have no problem at all and you can use all the indexes (from `1` to `10`).
+#
+# To check your system page size use the Falco `--page-size` command line option. The output on a system with a page
+# size of 4096 Bytes (4 KB) should be the following:
+#
+# "Your system page size is: 4096 bytes."
+#
+# --- [Suggestions]
+#
+# Before the introduction of this param the buffer size was fixed to 8 MB (so index `4`, as you can see
+# in the default value below).
+# You can increase the buffer size when you face syscall drops. A size of 16 MB (so index `5`) can reduce
+# syscall drops in production-heavy systems without noticeable impact. Very large buffers however could
+# slow down the entire machine.
+# On the other side you can try to reduce the buffer size to speed up the system, but this could
+# increase the number of syscall drops!
+# As a final remark consider that the buffer size is mapped twice in the process' virtual memory so a buffer of 8 MB
+# will result in a 16 MB area in the process virtual memory.
+# Please pay attention when you use this parameter and change it only if the default size doesn't fit your use case.
+
+syscall_buf_size_preset: 4
+
 # Falco continuously monitors outputs performance. When an output channel does not allow
 # to deliver an alert within a given deadline, an error is reported indicating
 # which output is blocking notifications.
@@ -165,19 +243,22 @@ syscall_event_timeouts:
 output_timeout: 2000
 
 # A throttling mechanism implemented as a token bucket limits the
-# rate of falco notifications. This throttling is controlled by the following configuration
-# options:
+# rate of Falco notifications. One rate limiter is assigned to each event
+# source, so that alerts coming from one can't influence the throttling
+# mechanism of the others. This is controlled by the following options:
 #  - rate: the number of tokens (i.e. right to send a notification)
-#    gained per second. Defaults to 1.
+#    gained per second. When 0, the throttling mechanism is disabled.
+#    Defaults to 0.
 #  - max_burst: the maximum number of tokens outstanding. Defaults to 1000.
 #
-# With these defaults, falco could send up to 1000 notifications after
-# an initial quiet period, and then up to 1 notification per second
+# With these defaults, the throttling mechanism is disabled.
+# For example, by setting rate to 1 Falco could send up to 1000 notifications
+# after an initial quiet period, and then up to 1 notification per second
 # afterward. It would gain the full burst back after 1000 seconds of
 # no activity.
 
 outputs:
-  rate: 1
+  rate: 0
   max_burst: 1000
 
 # Where security notifications should go.
@@ -202,9 +283,10 @@ file_output:
 stdout_output:
   enabled: true
 
-# Falco contains an embedded webserver that can be used to accept K8s
-# Audit Events. These config options control the behavior of that
-# webserver. (By default, the webserver is enabled).
+# Falco contains an embedded webserver that is used to implement an health
+# endpoint for checking if Falco is up and running. These config options control
+# the behavior of that webserver. By default, the webserver is enabled and
+# the endpoint is /healthz.
 #
 # The ssl_certificate is a combination SSL Certificate and corresponding
 # key contained in a single file. You can generate a key/cert as follows:
@@ -212,13 +294,11 @@ stdout_output:
 # $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
 # $ cat certificate.pem key.pem > falco.pem
 # $ sudo cp falco.pem /etc/falco/falco.pem
-#
-# It also exposes a healthy endpoint that can be used to check if Falco is up and running
-# By default the endpoint is /healthz
 webserver:
   enabled: true
+  # when threadiness is 0, Falco automatically guesses it depending on the number of online cores
+  threadiness: 0
   listen_port: 8765
-  k8s_audit_endpoint: /k8s-audit
   k8s_healthz_endpoint: /healthz
   ssl_enabled: false
   ssl_certificate: /etc/falco/falco.pem
@@ -272,7 +352,7 @@ http_output:
 # gRPC server using an unix socket
 grpc:
   enabled: false
-  bind_address: "unix:///var/run/falco.sock"
+  bind_address: "unix:///run/falco/falco.sock"
   # when threadiness is 0, Falco automatically guesses it depending on the number of online cores
   threadiness: 0
 

proposals/20190826-grpc-outputs.md

@@ -47,7 +47,7 @@ The motivation behind this proposal is to design a new output implementation tha
 ### Non-Goals
 
 - To substitute existing outputs (stdout, syslog, etc.)
-- To support different queing systems than the default (round-robin) one
+- To support different queuing systems than the default (round-robin) one
 - To support queuing mechanisms for message retransmission
   - Users can have a local gRPC relay server along with Falco that multiplexes connections and handles retires and backoff
 - To change the output format

proposals/20190909-psp-rules-support.md

@@ -27,7 +27,7 @@ That's where Falco comes in. We want to make it possible for Falco to perform a
 
 Transparently read a candidate PSP into an equivalent set of Falco rules that can look for the conditions in the PSP.
 
-The PSP is converted into a set of Falco rules which can be either saved as a file for later use/inspection, or loaded directly so they they can monitor system calls and k8s audit activity.
+The PSP is converted into a set of Falco rules which can be either saved as a file for later use/inspection, or loaded directly so that they can monitor system calls and k8s audit activity.
 
 ### Non-Goals
 
@@ -51,6 +51,6 @@ No diagrams yet.
 
 * We'll use [inja](https://github.com/pantor/inja) as the templating engine.
 
-* For the most part, we can rely on the existing framework of rules, filter expressions, and output expressions that already exist in Falco. One significant change will be that filter fields can extract more than one "value" per event, and we'll need to define new operators to perform set comparisions betweeen values in an event and values in the comparison right-hand-side.
+* For the most part, we can rely on the existing framework of rules, filter expressions, and output expressions that already exist in Falco. One significant change will be that filter fields can extract more than one "value" per event, and we'll need to define new operators to perform set comparisons between values in an event and values in the comparison right-hand-side.
 
 * This will rely heavily on existing support for [K8s Audit Events](https://falco.org/docs/event-sources/kubernetes-audit/) in Falco.

proposals/20191030-api.md

@@ -6,13 +6,13 @@ This is a proposal to better structure the Falco API.
 
 The Falco API is a set of contracts describing how users can interacts with Falco.
 
-By definiing a set of interfaces the Falco Authors intend to decouple Falco from other softwares and data (eg., from the input sources) and, at the same time, make it more extensible.
+By defining a set of interfaces the Falco Authors intend to decouple Falco from other software and data (eg., from the input sources) and, at the same time, make it more extensible.
 
-Thus, this document intent is to propose a list of services that contistute the Falco API (targeting the first stable version of Falco, v1.0.0).
+Thus, this document intent is to propose a list of services that constitute the Falco API (targeting the first stable version of Falco, v1.0.0).
 
 ## Motivation
 
-We want to enable users to use thirdy-party clients to interface with Falco outputs, inputs, rules, and configurations.
+We want to enable users to use third-party clients to interface with Falco outputs, inputs, rules, and configurations.
 
 Such ability would enable the community to create a whole set of OSS tools, built on top of Falco.
 
@@ -94,7 +94,7 @@ This translates in having the following set of `proto` files.
     }
     ```
 
-- one or more `.proto` containing the commond models - ie., the already existing `schema.proto` containing source enum, etc.
+- one or more `.proto` containing the command models - ie., the already existing `schema.proto` containing source enum, etc.
 
     ```proto3
     # schema.proto

proposals/20191217-rules-naming-convention.md

@@ -36,7 +36,7 @@ There will be no intention to cover Falco rule syntax in this proposal.
 
 ### Use cases
 
-When new PRs are created in the area of rules, reviewers need to examine whether there are new rules, macros or lists are introduced. If yes, check wether follow the naming convention.
+When new PRs are created in the area of rules, reviewers need to examine whether there are new rules, macros or lists are introduced. If yes, check whether follow the naming convention.
 
 ### Diagrams
 

proposals/20200506-artifacts-scope-part-1.md

@@ -82,7 +82,7 @@ This is done as needed, and can best be measured by the need to cut a release an
 
 ### official support
 
-As the need for a project grows, it can ultimately achieve the highest and most coveted status within The Falco Project. "_Offical support_."
+As the need for a project grows, it can ultimately achieve the highest and most coveted status within The Falco Project. "_Official support_."
 
 The artifacts listed above are part of the official Falco release process. These artifact will be refined and amended by the [Part 2](./20200506-artifacts-scope-part-2.md).
 
@@ -111,4 +111,4 @@ Update documentation in [falco-website#184](https://github.com/falcosecurity/fal
 ### Adjusting projects
 
  - YAML manifest documentation to be moved to `contrib`
- - Minkube, Kind, Puppet, Ansible, etc documentation to be moved to `contrib`
+ - Minikube, Kind, Puppet, Ansible, etc documentation to be moved to `contrib`

proposals/20200828-structured-exception-handling.md

@@ -196,13 +196,13 @@ Exception values will most commonly be defined in rules with append: true. Here'
 
 A rule exception applies if for a given event, the fields in a rule.exception match all of the values in some exception.item. For example, if a program `apk` writes to a file below `/usr/lib/alpine`, the rule will not trigger, even if the condition is met.
 
-Notice that an item in a values list can be a list. This allows building exceptions with operators like "in", "pmatch", etc. that work on a list of items. The item can also be a name of an existing list. If not present surrounding parantheses will be added.
+Notice that an item in a values list can be a list. This allows building exceptions with operators like "in", "pmatch", etc. that work on a list of items. The item can also be a name of an existing list. If not present surrounding parentheses will be added.
 
 Finally, note that the structure of the values property differs between the items where fields is a list of fields (proc_writer/container_writer/proc_filenames) and when it is a single field (procs_only). This changes how the condition snippet is constructed.
 
 ### Implementation
 
-For exception items where the fields property is a list of field names, each exception can be thought of as an implicit "and not (field1 cmp1 val1 and field2 cmp2 val2 and...)" appended to the rule's condition. For exception items where the fields property is a single field name, the exception can be thought of as an implict "and not field cmp (val1, val2, ...)". In practice, that's how exceptions will be implemented.
+For exception items where the fields property is a list of field names, each exception can be thought of as an implicit "and not (field1 cmp1 val1 and field2 cmp2 val2 and...)" appended to the rule's condition. For exception items where the fields property is a single field name, the exception can be thought of as an implicit "and not field cmp (val1, val2, ...)". In practice, that's how exceptions will be implemented.
 
 When a rule is parsed, the original condition will be wrapped in an extra layer of parentheses and all exception values will be appended to the condition. For example, using the example above, the resulting condition will be:
 
@@ -214,7 +214,7 @@ When a rule is parsed, the original condition will be wrapped in an extra layer
 	(fd.filename in (python, go))))
 ```
 
-The exceptions are effectively syntatic sugar that allows expressing sets of exceptions in a concise way.
+The exceptions are effectively syntactic sugar that allows expressing sets of exceptions in a concise way.
 
 ### Advantages
 

proposals/20200901-artifacts-cleanup.md

@@ -2,7 +2,7 @@
 
 This document reflects when and how we clean up the Falco artifacts from their storage location.
 
-**Superseeded by**: [drivers-storage-s3 proposal](https://github.com/falcosecurity/falco/blob/master/proposals/20201025-drivers-storage-s3.md).
+**Superseded by**: [drivers-storage-s3 proposal](https://github.com/falcosecurity/falco/blob/master/proposals/20201025-drivers-storage-s3.md).
 
 ## Motivation
 
@@ -90,7 +90,7 @@ This way, assuming the number of prebuilt drivers does not skyrocket, we can rea
 
 Notice that, in case a Falco stable release will not depend on a new driver version, this means the last two driver versions will, in this case, cover more than the two Falco stable releases.
 
-### Archivation
+### Archiving
 
 Since the process of building drivers is time and resource consuming, this document also proposes to move the driver versions in other storage facilities.
 

proposals/20210501-plugin-system.md

@@ -66,7 +66,7 @@ Source plugins also provide an "id", which is globally unique and is used in cap
 
 An extractor plugin focuses only on field extraction from events generated by other plugins, or by the core libraries. It does *not* provide an event source, but can extract fields from other event sources. An example is json field extraction, where a plugin might be able to extract fields from arbitrary json payloads.
 
-An extractor plugin provides an optional set of event sources. When the framework receives an event with an event source in the plugin's set of event sources, fields in expressions/Falco outputs will be extracted from events using the plugin. An extractor plugin can also *not* name a set of event sources. In this case, fields will be extracted from *all* events, regardless of source. In this case, the exctractor plugin must detect the format of arbitrary payloads and be able to return NULL/no value when the payload is not supported.
+An extractor plugin provides an optional set of event sources. When the framework receives an event with an event source in the plugin's set of event sources, fields in expressions/Falco outputs will be extracted from events using the plugin. An extractor plugin can also *not* name a set of event sources. In this case, fields will be extracted from *all* events, regardless of source. In this case, the extractor plugin must detect the format of arbitrary payloads and be able to return NULL/no value when the payload is not supported.
 
 ### Support for Plugin Events in Capture Files.
 
@@ -91,7 +91,7 @@ The libraries will do everything possible to validate the data coming from the p
 
 ### Plugin/Event Source registries
 
-Every source plugin requires its own, unique plugin ID to interoperate with Falco and the other plugins. The plugin ID will be used by the libs to properly process incoming events (for example, when saving events to file and loading them back), and by plugins to unuambiguosly recognize their dependencies.
+Every source plugin requires its own, unique plugin ID to interoperate with Falco and the other plugins. The plugin ID will be used by the libs to properly process incoming events (for example, when saving events to file and loading them back), and by plugins to unambiguously recognize their dependencies.
 
 To facilitate the allocation and distribution of plugin IDs, we will require that plugin developers request IDs for their plugins to the Falco organization. The mechanism used for plugin allocation is not determined yet and will be discussed in the future.
 
@@ -270,7 +270,7 @@ typedef struct
 	// Arguments:
 	// - s: the plugin state returned by init()
 	// - params: the open parameters, as a string. The format is defined by the plugin
-	//   itsef
+	//   itself
 	// - rc: pointer to an integer that will contain the open result, as a SCAP_* value
 	//   (e.g. SCAP_SUCCESS=0, SCAP_FAILURE=1)
 	// Return value: a pointer to the open context that will be passed to next(),
@@ -474,7 +474,7 @@ typedef struct
 	// Return value: a json array of strings containing event
 	//   sources returned by a source plugin's get_event_source()
 	//   function.
-	// This function is optional--if NULL then the exctractor
+	// This function is optional--if NULL then the extractor
 	// plugin will receive every event.
 	//
 	char* (*get_extract_event_sources)();
@@ -526,7 +526,7 @@ We will also make a change to compile rules/macros/lists selectively based on th
 
 ### Handling Duplicate/Overlapping Fields in Plugins/Libraries Core
 
-At an initial glance, adding plugins introduces the possibility of tens/hundreds of new filtercheck fields that could potentially overlap/conflict. For example, what happens if a plugin defines a "proc.name" field? However, the notion of "event source" makes these potential conflicts managable.
+At an initial glance, adding plugins introduces the possibility of tens/hundreds of new filtercheck fields that could potentially overlap/conflict. For example, what happens if a plugin defines a "proc.name" field? However, the notion of "event source" makes these potential conflicts manageable.
 
 Remember that field extraction is always done in the context of an event, and each event can be mapped back to an event source. So we only need to ensure that filtercheck fields are distinct for a given event source. For example, it's perfectly valid for an AWS Cloudtrail plugin to define a proc.name field, as the events generated by that plugin are wholly separate from syscall events. For syscall events, the AWS Cloudtrail plugin is not involved and the core libraries extract the process name for the tid performing a syscall. For AWS Cloudtrail events, the core libraries are not involved in field extraction and is performed by the AWS Cloudtrail plugin instead.
 

rules/CMakeLists.txt

@@ -22,11 +22,10 @@ if(NOT DEFINED FALCO_RULES_DEST_FILENAME)
   set(FALCO_RULES_DEST_FILENAME "falco_rules.yaml")
   set(FALCO_LOCAL_RULES_DEST_FILENAME "falco_rules.local.yaml")
   set(FALCO_APP_RULES_DEST_FILENAME "application_rules.yaml")
-  set(FALCO_K8S_AUDIT_RULES_DEST_FILENAME "k8s_audit_rules.yaml")
-  set(FALCO_AWS_CLOUDTRAIL_RULES_DEST_FILENAME "aws_cloudtrail_rules.yaml")
 endif()
 
-if(DEFINED FALCO_COMPONENT)
+
+if(DEFINED FALCO_COMPONENT) # Allow a slim version of Falco to be embedded in other projects, intentionally *not* installing all rulesets.
   install(
     FILES falco_rules.yaml
     COMPONENT "${FALCO_COMPONENT}"
@@ -38,32 +37,24 @@ if(DEFINED FALCO_COMPONENT)
     COMPONENT "${FALCO_COMPONENT}"
     DESTINATION "${FALCO_ETC_DIR}"
     RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}")
-# Intentionally *not* installing application_rules.yaml. Not needed when falco is embedded in other projects.
-else()
+else() # Default Falco installation
   install(
     FILES falco_rules.yaml
     DESTINATION "${FALCO_ETC_DIR}"
-    RENAME "${FALCO_RULES_DEST_FILENAME}")
+    RENAME "${FALCO_RULES_DEST_FILENAME}"
+    COMPONENT "${FALCO_COMPONENT_NAME}")
 
   install(
     FILES falco_rules.local.yaml
     DESTINATION "${FALCO_ETC_DIR}"
-    RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}")
-
-  install(
-    FILES k8s_audit_rules.yaml
-    DESTINATION "${FALCO_ETC_DIR}"
-    RENAME "${FALCO_K8S_AUDIT_RULES_DEST_FILENAME}")
+    RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}"
+    COMPONENT "${FALCO_COMPONENT_NAME}")
 
   install(
     FILES application_rules.yaml
     DESTINATION "${FALCO_ETC_DIR}/rules.available"
-    RENAME "${FALCO_APP_RULES_DEST_FILENAME}")
+    RENAME "${FALCO_APP_RULES_DEST_FILENAME}"
+    COMPONENT "${FALCO_COMPONENT_NAME}")
 
-  install(
-    FILES aws_cloudtrail_rules.yaml
-    DESTINATION "${FALCO_ETC_DIR}"
-    RENAME "${FALCO_AWS_CLOUDTRAIL_RULES_DEST_FILENAME}")
-
-  install(DIRECTORY DESTINATION "${FALCO_ETC_DIR}/rules.d")
+  install(DIRECTORY DESTINATION "${FALCO_ETC_DIR}/rules.d" COMPONENT "${FALCO_COMPONENT_NAME}")
 endif()

rules/OWNERS

@@ -1,12 +1,10 @@
 approvers:
   - mstemm
-  - kaizhe
 reviewers:
   - leodido
   - fntlnz
   - mfdii
   - kaizhe
-  - mstemm
+  - darryk10
 labels:
   - area/rules
-

rules/aws_cloudtrail_rules.yaml

@@ -1,442 +0,0 @@
-#
-# Copyright (C) 2022 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# All rules files related to plugins should require engine version 10
-- required_engine_version: 10
-
-# These rules can be read by cloudtrail plugin version 0.1.0, or
-# anything semver-compatible.
-- required_plugin_versions:
-  - name: cloudtrail
-    version: 0.2.3
-  - name: json
-    version: 0.2.2
-
-# Note that this rule is disabled by default. It's useful only to
-# verify that the cloudtrail plugin is sending events properly.  The
-# very broad condition evt.num > 0 only works because the rule source
-# is limited to aws_cloudtrail. This ensures that the only events that
-# are matched against the rule are from the cloudtrail plugin (or
-# a different plugin with the same source).
-- rule: All Cloudtrail Events
-  desc: Match all cloudtrail events.
-  condition:
-    evt.num > 0
-  output: Some Cloudtrail Event (evtnum=%evt.num info=%evt.plugininfo ts=%evt.time.iso8601 id=%ct.id error=%ct.error)
-  priority: DEBUG
-  tags:
-  - cloud
-  - aws
-  source: aws_cloudtrail
-  enabled: false
-
-- rule: Console Login Through Assume Role
-  desc: Detect a console login through Assume Role.
-  condition:
-    ct.name="ConsoleLogin" and not ct.error exists
-    and ct.user.identitytype="AssumedRole"
-    and json.value[/responseElements/ConsoleLogin]="Success"
-  output:
-    Detected a console login through Assume Role
-    (principal=%ct.user.principalid,
-    assumedRole=%ct.user.arn,
-    requesting IP=%ct.srcip,
-    AWS region=%ct.region)
-  priority: WARNING
-  tags:
-  - cloud
-  - aws
-  - aws_console
-  - aws_iam
-  source: aws_cloudtrail
-
-- rule: Console Login Without MFA
-  desc: Detect a console login without MFA.
-  condition:
-    ct.name="ConsoleLogin" and not ct.error exists
-    and ct.user.identitytype!="AssumedRole"
-    and json.value[/responseElements/ConsoleLogin]="Success"
-    and json.value[/additionalEventData/MFAUsed]="No"
-  output:
-    Detected a console login without MFA
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region)
-  priority: CRITICAL
-  tags:
-    - cloud
-    - aws
-    - aws_console
-    - aws_iam
-  source: aws_cloudtrail
-
-- rule: Console Root Login Without MFA
-  desc: Detect root console login without MFA.
-  condition:
-    ct.name="ConsoleLogin" and not ct.error exists
-    and json.value[/additionalEventData/MFAUsed]="No"
-    and ct.user.identitytype!="AssumedRole"
-    and json.value[/responseElements/ConsoleLogin]="Success"
-    and ct.user.identitytype="Root"
-  output:
-    Detected a root console login without MFA.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region)
-  priority: CRITICAL
-  tags:
-    - cloud
-    - aws
-    - aws_console
-    - aws_iam
-  source: aws_cloudtrail
-
-- rule: Deactivate MFA for Root User
-  desc: Detect deactivating MFA configuration for root.
-  condition:
-    ct.name="DeactivateMFADevice" and not ct.error exists
-    and ct.user.identitytype="Root"
-    and ct.request.username="AWS ROOT USER"
-  output:
-    Multi Factor Authentication configuration has been disabled for root
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     MFA serial number=%ct.request.serialnumber)
-  priority: CRITICAL
-  tags:
-    - cloud
-    - aws
-    - aws_iam
-  source: aws_cloudtrail
-
-- rule: Create AWS user
-  desc: Detect creation of a new AWS user.
-  condition:
-    ct.name="CreateUser" and not ct.error exists
-  output:
-    A new AWS user has been created
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     new user created=%ct.request.username)
-  priority: INFO
-  tags:
-    - cloud
-    - aws
-    - aws_iam
-  source: aws_cloudtrail
-
-- rule: Create Group
-  desc: Detect creation of a new user group.
-  condition:
-    ct.name="CreateGroup" and not ct.error exists
-  output:
-    A new user group has been created.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     group name=%ct.request.groupname)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_iam
-  source: aws_cloudtrail
-
-- rule: Delete Group
-  desc: Detect deletion of a user group.
-  condition:
-    ct.name="DeleteGroup" and not ct.error exists
-  output:
-    A user group has been deleted.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     group name=%ct.request.groupname)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_iam
-  source: aws_cloudtrail
-
-- rule: ECS Service Created
-  desc: Detect a new service is created in ECS.
-  condition:
-    ct.src="ecs.amazonaws.com" and
-    ct.name="CreateService" and
-    not ct.error exists
-  output:
-    A new service has been created in ECS
-    (requesting user=%ct.user,
-    requesting IP=%ct.srcip,
-    AWS region=%ct.region,
-    cluster=%ct.request.cluster,
-    service name=%ct.request.servicename,
-    task definition=%ct.request.taskdefinition)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_ecs
-    - aws_fargate
-  source: aws_cloudtrail
-
-- rule: ECS Task Run or Started
-  desc: Detect a new task is started in ECS.
-  condition:
-    ct.src="ecs.amazonaws.com" and
-    (ct.name="RunTask" or ct.name="StartTask") and
-    not ct.error exists
-  output:
-    A new task has been started in ECS
-    (requesting user=%ct.user,
-    requesting IP=%ct.srcip,
-    AWS region=%ct.region,
-    cluster=%ct.request.cluster,
-    task definition=%ct.request.taskdefinition)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_ecs
-    - aws_fargate
-  source: aws_cloudtrail
-
-- rule: Create Lambda Function
-  desc: Detect creation of a Lambda function.
-  condition:
-    ct.name="CreateFunction20150331" and not ct.error exists
-  output:
-    Lambda function has been created.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     lambda function=%ct.request.functionname)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_lambda
-  source: aws_cloudtrail
-
-- rule: Update Lambda Function Code
-  desc: Detect updates to a Lambda function code.
-  condition:
-    ct.name="UpdateFunctionCode20150331v2" and not ct.error exists
-  output:
-    The code of a Lambda function has been updated.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     lambda function=%ct.request.functionname)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_lambda
-  source: aws_cloudtrail
-
-- rule: Update Lambda Function Configuration
-  desc: Detect updates to a Lambda function configuration.
-  condition:
-    ct.name="UpdateFunctionConfiguration20150331v2" and not ct.error exists
-  output:
-    The configuration of a Lambda function has been updated.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     lambda function=%ct.request.functionname)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_lambda
-  source: aws_cloudtrail
-
-- rule: Run Instances
-  desc: Detect launching of a specified number of instances.
-  condition:
-    ct.name="RunInstances" and not ct.error exists
-  output:
-    A number of instances have been launched.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     availability zone=%ct.request.availabilityzone,
-     subnet id=%ct.response.subnetid,
-     reservation id=%ct.response.reservationid)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_ec2
-  source: aws_cloudtrail
-
-# Only instances launched on regions in this list are approved.
-- list: approved_regions
-  items:
-    - us-east-0
-
-- rule: Run Instances in Non-approved Region
-  desc: Detect launching of a specified number of instances in a non-approved region.
-  condition:
-    ct.name="RunInstances" and not ct.error exists and
-    not ct.region in (approved_regions)
-  output:
-    A number of instances have been launched in a non-approved region.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     availability zone=%ct.request.availabilityzone,
-     subnet id=%ct.response.subnetid,
-     reservation id=%ct.response.reservationid,
-     image id=%json.value[/responseElements/instancesSet/items/0/instanceId])
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_ec2
-  source: aws_cloudtrail
-
-- rule: Delete Bucket Encryption
-  desc: Detect deleting configuration to use encryption for bucket storage.
-  condition:
-    ct.name="DeleteBucketEncryption" and not ct.error exists
-  output:
-    A encryption configuration for a bucket has been deleted
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     bucket=%s3.bucket)
-  priority: CRITICAL
-  tags:
-    - cloud
-    - aws
-    - aws_s3
-  source: aws_cloudtrail
-
-- rule: Delete Bucket Public Access Block
-  desc: Detect deleting blocking public access to bucket.
-  condition:
-    ct.name="PutBucketPublicAccessBlock" and not ct.error exists and
-    json.value[/requestParameters/publicAccessBlock]="" and
-      (json.value[/requestParameters/PublicAccessBlockConfiguration/RestrictPublicBuckets]=false or
-      json.value[/requestParameters/PublicAccessBlockConfiguration/BlockPublicPolicy]=false or
-      json.value[/requestParameters/PublicAccessBlockConfiguration/BlockPublicAcls]=false or
-      json.value[/requestParameters/PublicAccessBlockConfiguration/IgnorePublicAcls]=false)
-  output:
-    A public access block for a bucket has been deleted
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     bucket=%s3.bucket)
-  priority: CRITICAL
-  tags:
-    - cloud
-    - aws
-    - aws_s3
-  source: aws_cloudtrail
-
-- rule: List Buckets
-  desc: Detect listing of all S3 buckets.
-  condition:
-    ct.name="ListBuckets" and not ct.error exists
-  output:
-    A list of all S3 buckets has been requested.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     host=%ct.request.host)
-  priority: WARNING
-  enabled: false
-  tags:
-    - cloud
-    - aws
-    - aws_s3
-  source: aws_cloudtrail
-
-- rule: Put Bucket ACL
-  desc: Detect setting the permissions on an existing bucket using access control lists.
-  condition:
-    ct.name="PutBucketAcl" and not ct.error exists
-  output:
-    The permissions on an existing bucket have been set using access control lists.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     bucket name=%s3.bucket)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_s3
-  source: aws_cloudtrail
-
-- rule: Put Bucket Policy
-  desc: Detect applying an Amazon S3 bucket policy to an Amazon S3 bucket.
-  condition:
-    ct.name="PutBucketPolicy" and not ct.error exists
-  output:
-    An Amazon S3 bucket policy has been applied to an Amazon S3 bucket.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     bucket name=%s3.bucket,
-     policy=%ct.request.policy)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_s3
-  source: aws_cloudtrail
-
-- rule: CloudTrail Trail Created
-  desc: Detect creation of a new trail.
-  condition:
-    ct.name="CreateTrail" and not ct.error exists
-  output:
-    A new trail has been created.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     trail name=%ct.request.name)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_cloudtrail
-  source: aws_cloudtrail
-
-- rule: CloudTrail Logging Disabled
-  desc: The CloudTrail logging has been disabled, this could be potentially malicious.
-  condition:
-    ct.name="StopLogging" and not ct.error exists
-  output:
-    The CloudTrail logging has been disabled.
-    (requesting user=%ct.user,
-     requesting IP=%ct.srcip,
-     AWS region=%ct.region,
-     resource name=%ct.request.name)
-  priority: WARNING
-  tags:
-    - cloud
-    - aws
-    - aws_cloudtrail
-  source: aws_cloudtrail
-

rules/k8s_audit_rules.yaml

@@ -1,670 +0,0 @@
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-- required_engine_version: 2
-
-# Like always_true/always_false, but works with k8s audit events
-- macro: k8s_audit_always_true
-  condition: (jevt.rawtime exists)
-
-- macro: k8s_audit_never_true
-  condition: (jevt.rawtime=0)
-
-# Generally only consider audit events once the response has completed
-- list: k8s_audit_stages
-  items: ["ResponseComplete"]
-
-# Generally exclude users starting with "system:"
-- macro: non_system_user
-  condition: (not ka.user.name startswith "system:")
-
-# This macro selects the set of Audit Events used by the below rules.
-- macro: kevt
-  condition: (jevt.value[/stage] in (k8s_audit_stages))
-
-- macro: kevt_started
-  condition: (jevt.value[/stage]=ResponseStarted)
-
-# If you wish to restrict activity to a specific set of users, override/append to this list.
-# users created by kops are included
-- list: vertical_pod_autoscaler_users
-  items: ["vpa-recommender", "vpa-updater"]
-
-- list: allowed_k8s_users
-  items: [
-    "minikube", "minikube-user", "kubelet", "kops", "admin", "kube", "kube-proxy", "kube-apiserver-healthcheck",
-    "kubernetes-admin",
-    vertical_pod_autoscaler_users,
-    cluster-autoscaler,
-    "system:addon-manager",
-    "cloud-controller-manager",
-    "eks:node-manager",
-    "system:kube-controller-manager"
-    ]
-
-- rule: Disallowed K8s User
-  desc: Detect any k8s operation by users outside of an allowed set of users.
-  condition: kevt and non_system_user and not ka.user.name in (allowed_k8s_users)
-  output: K8s Operation performed by user not in allowed list of users (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-# In a local/user rules file, you could override this macro to
-# explicitly enumerate the container images that you want to run in
-# your environment. In this main falco rules file, there isn't any way
-# to know all the containers that can run, so any container is
-# allowed, by using the always_true macro. In the overridden macro, the condition
-# would look something like (ka.req.pod.containers.image.repository in (my-repo/my-image))
-- macro: allowed_k8s_containers
-  condition: (k8s_audit_always_true)
-
-- macro: response_successful
-  condition: (ka.response.code startswith 2)
-
-- macro: kcreate
-  condition: ka.verb=create
-
-- macro: kmodify
-  condition: (ka.verb in (create,update,patch))
-
-- macro: kdelete
-  condition: ka.verb=delete
-
-- macro: pod
-  condition: ka.target.resource=pods and not ka.target.subresource exists
-
-- macro: pod_subresource
-  condition: ka.target.resource=pods and ka.target.subresource exists
-
-- macro: deployment
-  condition: ka.target.resource=deployments
-
-- macro: service
-  condition: ka.target.resource=services
-
-- macro: configmap
-  condition: ka.target.resource=configmaps
-
-- macro: namespace
-  condition: ka.target.resource=namespaces
-
-- macro: serviceaccount
-  condition: ka.target.resource=serviceaccounts
-
-- macro: clusterrole
-  condition: ka.target.resource=clusterroles
-
-- macro: clusterrolebinding
-  condition: ka.target.resource=clusterrolebindings
-
-- macro: role
-  condition: ka.target.resource=roles
-
-- macro: secret
-  condition: ka.target.resource=secrets
-
-- macro: health_endpoint
-  condition: ka.uri=/healthz
-
-- rule: Create Disallowed Pod
-  desc: >
-    Detect an attempt to start a pod with a container image outside of a list of allowed images.
-  condition: kevt and pod and kcreate and not allowed_k8s_containers
-  output: Pod started with container not in allowed list (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: Create Privileged Pod
-  desc: >
-    Detect an attempt to start a pod with a privileged container
-  condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true) and not ka.req.pod.containers.image.repository in (falco_privileged_images)
-  output: Pod started with privileged container (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-- macro: sensitive_vol_mount
-  condition: >
-    (ka.req.pod.volumes.hostpath intersects (/proc, /var/run/docker.sock, /, /etc, /root, /var/run/crio/crio.sock, /home/admin, /var/lib/kubelet, /var/lib/kubelet/pki, /etc/kubernetes, /etc/kubernetes/manifests))
-
-- rule: Create Sensitive Mount Pod
-  desc: >
-    Detect an attempt to start a pod with a volume from a sensitive host directory (i.e. /proc).
-    Exceptions are made for known trusted images.
-  condition: kevt and pod and kcreate and sensitive_vol_mount and not ka.req.pod.containers.image.repository in (falco_sensitive_mount_images)
-  output: Pod started with sensitive mount (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image volumes=%jevt.value[/requestObject/spec/volumes])
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-# These container images are allowed to run with hostnetwork=true
-- list: falco_hostnetwork_images
-  items: [
-    gcr.io/google-containers/prometheus-to-sd,
-    gcr.io/projectcalico-org/typha,
-    gcr.io/projectcalico-org/node,
-    gke.gcr.io/gke-metadata-server,
-    gke.gcr.io/kube-proxy,
-    gke.gcr.io/netd-amd64,
-    k8s.gcr.io/ip-masq-agent-amd64
-    k8s.gcr.io/prometheus-to-sd,
-    ]
-
-# Corresponds to K8s CIS Benchmark 1.7.4
-- rule: Create HostNetwork Pod
-  desc: Detect an attempt to start a pod using the host network.
-  condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostnetwork_images)
-  output: Pod started using host network (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-- macro: user_known_node_port_service
-  condition: (k8s_audit_never_true)
-
-- rule: Create NodePort Service
-  desc: >
-    Detect an attempt to start a service with a NodePort service type
-  condition: kevt and service and kcreate and ka.req.service.type=NodePort and not user_known_node_port_service
-  output: NodePort Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace ports=%ka.req.service.ports)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-- macro: contains_private_credentials
-  condition: >
-    (ka.req.configmap.obj contains "aws_access_key_id" or
-     ka.req.configmap.obj contains "aws-access-key-id" or
-     ka.req.configmap.obj contains "aws_s3_access_key_id" or
-     ka.req.configmap.obj contains "aws-s3-access-key-id" or
-     ka.req.configmap.obj contains "password" or
-     ka.req.configmap.obj contains "passphrase")
-
-- rule: Create/Modify Configmap With Private Credentials
-  desc: >
-     Detect creating/modifying a configmap containing a private credential (aws key, password, etc.)
-  condition: kevt and configmap and kmodify and contains_private_credentials
-  output: K8s configmap with private credential (user=%ka.user.name verb=%ka.verb configmap=%ka.req.configmap.name config=%ka.req.configmap.obj)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-# Corresponds to K8s CIS Benchmark, 1.1.1.
-- rule: Anonymous Request Allowed
-  desc: >
-    Detect any request made by the anonymous user that was allowed
-  condition: kevt and ka.user.name=system:anonymous and ka.auth.decision="allow" and not health_endpoint
-  output: Request by anonymous user allowed (user=%ka.user.name verb=%ka.verb uri=%ka.uri reason=%ka.auth.reason))
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-# Roughly corresponds to K8s CIS Benchmark, 1.1.12. In this case,
-# notifies an attempt to exec/attach to a privileged container.
-
-# Ideally, we'd add a more stringent rule that detects attaches/execs
-# to a privileged pod, but that requires the engine for k8s audit
-# events to be stateful, so it could know if a container named in an
-# attach request was created privileged or not. For now, we have a
-# less severe rule that detects attaches/execs to any pod.
-#
-# For the same reason, you can't use things like image names/prefixes,
-# as the event that creates the pod (which has the images) is a
-# separate event than the actual exec/attach to the pod.
-
-- macro: user_known_exec_pod_activities
-  condition: (k8s_audit_never_true)
-
-- rule: Attach/Exec Pod
-  desc: >
-    Detect any attempt to attach/exec to a pod
-  condition: kevt_started and pod_subresource and kcreate and ka.target.subresource in (exec,attach) and not user_known_exec_pod_activities
-  output: Attach/Exec to pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace action=%ka.target.subresource command=%ka.uri.param[command])
-  priority: NOTICE
-  source: k8s_audit
-  tags: [k8s]
-
-- macro: user_known_pod_debug_activities
-  condition: (k8s_audit_never_true)
-
-# Only works when feature gate EphemeralContainers is enabled
-- rule: EphemeralContainers Created
-  desc: >
-    Detect any ephemeral container created
-  condition: kevt and pod_subresource and kmodify and ka.target.subresource in (ephemeralcontainers) and not user_known_pod_debug_activities
-  output: Ephemeral container is created in pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace ephemeral_container_name=%jevt.value[/requestObject/ephemeralContainers/0/name] ephemeral_container_image=%jevt.value[/requestObject/ephemeralContainers/0/image])
-  priority: NOTICE
-  source: k8s_audit
-  tags: [k8s]
-
-# In a local/user rules fie, you can append to this list to add additional allowed namespaces
-- list: allowed_namespaces
-  items: [kube-system, kube-public, default]
-
-- rule: Create Disallowed Namespace
-  desc: Detect any attempt to create a namespace outside of a set of known namespaces
-  condition: kevt and namespace and kcreate and not ka.target.name in (allowed_namespaces)
-  output: Disallowed namespace created (user=%ka.user.name ns=%ka.target.name)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-# Only defined for backwards compatibility. Use the more specific
-# user_allowed_kube_namespace_image_list instead.
-- list: user_trusted_image_list
-  items: []
-
-- list: user_allowed_kube_namespace_image_list
-  items: [user_trusted_image_list]
-
-# Only defined for backwards compatibility. Use the more specific
-# allowed_kube_namespace_image_list instead.
-- list: k8s_image_list
-  items: []
-
-- list: allowed_kube_namespace_image_list
-  items: [
-    gcr.io/google-containers/prometheus-to-sd,
-    gcr.io/projectcalico-org/node,
-    gke.gcr.io/addon-resizer,
-    gke.gcr.io/heapster,
-    gke.gcr.io/gke-metadata-server,
-    k8s.gcr.io/ip-masq-agent-amd64,
-    k8s.gcr.io/kube-apiserver,
-    gke.gcr.io/kube-proxy,
-    gke.gcr.io/netd-amd64,
-    k8s.gcr.io/addon-resizer
-    k8s.gcr.io/prometheus-to-sd,
-    k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64,
-    k8s.gcr.io/k8s-dns-kube-dns-amd64,
-    k8s.gcr.io/k8s-dns-sidecar-amd64,
-    k8s.gcr.io/metrics-server-amd64,
-    kope/kube-apiserver-healthcheck,
-    k8s_image_list
-    ]
-
-- macro: allowed_kube_namespace_pods
-  condition: (ka.req.pod.containers.image.repository in (user_allowed_kube_namespace_image_list) or
-              ka.req.pod.containers.image.repository in (allowed_kube_namespace_image_list))
-
-# Detect any new pod created in the kube-system namespace
-- rule: Pod Created in Kube Namespace
-  desc: Detect any attempt to create a pod in the kube-system or kube-public namespaces
-  condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public) and not allowed_kube_namespace_pods
-  output: Pod created in kube namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-- list: user_known_sa_list
-  items: []
-
-- list: known_sa_list
-  items: [
-    coredns,
-    coredns-autoscaler,
-    cronjob-controller,
-    daemon-set-controller,
-    deployment-controller,
-    disruption-controller,
-    endpoint-controller,
-    endpointslice-controller,
-    endpointslicemirroring-controller,
-    generic-garbage-collector,
-    horizontal-pod-autoscaler,
-    job-controller,
-    namespace-controller,
-    node-controller,
-    persistent-volume-binder,
-    pod-garbage-collector,
-    pv-protection-controller,
-    pvc-protection-controller,
-    replicaset-controller,
-    resourcequota-controller,
-    root-ca-cert-publisher,
-    service-account-controller,
-    statefulset-controller
-    ]
-
-- macro: trusted_sa
-  condition: (ka.target.name in (known_sa_list, user_known_sa_list))
-
-# Detect creating a service account in the kube-system/kube-public namespace
-- rule: Service Account Created in Kube Namespace
-  desc: Detect any attempt to create a serviceaccount in the kube-system or kube-public namespaces
-  condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public) and response_successful and not trusted_sa
-  output: Service account created in kube namespace (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-# Detect any modify/delete to any ClusterRole starting with
-# "system:". "system:coredns" is excluded as changes are expected in
-# normal operation.
-- rule: System ClusterRole Modified/Deleted
-  desc: Detect any attempt to modify/delete a ClusterRole/Role starting with system
-  condition: kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and
-             not ka.target.name in (system:coredns, system:managed-certificate-controller)
-  output: System ClusterRole/Role modified or deleted (user=%ka.user.name role=%ka.target.name ns=%ka.target.namespace action=%ka.verb)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-# Detect any attempt to create a ClusterRoleBinding to the cluster-admin user
-# (exapand this to any built-in cluster role that does "sensitive" things)
-- rule: Attach to cluster-admin Role
-  desc: Detect any attempt to create a ClusterRoleBinding to the cluster-admin user
-  condition: kevt and clusterrolebinding and kcreate and ka.req.binding.role=cluster-admin
-  output: Cluster Role Binding to cluster-admin role (user=%ka.user.name subject=%ka.req.binding.subjects)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: ClusterRole With Wildcard Created
-  desc: Detect any attempt to create a Role/ClusterRole with wildcard resources or verbs
-  condition: kevt and (role or clusterrole) and kcreate and (ka.req.role.rules.resources intersects ("*") or ka.req.role.rules.verbs intersects ("*"))
-  output: Created Role/ClusterRole with wildcard (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-- macro: writable_verbs
-  condition: >
-    (ka.req.role.rules.verbs intersects (create, update, patch, delete, deletecollection))
-
-- rule: ClusterRole With Write Privileges Created
-  desc: Detect any attempt to create a Role/ClusterRole that can perform write-related actions
-  condition: kevt and (role or clusterrole) and kcreate and writable_verbs
-  output: Created Role/ClusterRole with write privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
-  priority: NOTICE
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: ClusterRole With Pod Exec Created
-  desc: Detect any attempt to create a Role/ClusterRole that can exec to pods
-  condition: kevt and (role or clusterrole) and kcreate and ka.req.role.rules.resources intersects ("pods/exec")
-  output: Created Role/ClusterRole with pod exec privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-# The rules below this point are less discriminatory and generally
-# represent a stream of activity for a cluster. If you wish to disable
-# these events, modify the following macro.
-- macro: consider_activity_events
-  condition: (k8s_audit_always_true)
-
-- macro: kactivity
-  condition: (kevt and consider_activity_events)
-
-- rule: K8s Deployment Created
-  desc: Detect any attempt to create a deployment
-  condition: (kactivity and kcreate and deployment and response_successful)
-  output: K8s Deployment Created (user=%ka.user.name deployment=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Deployment Deleted
-  desc: Detect any attempt to delete a deployment
-  condition: (kactivity and kdelete and deployment and response_successful)
-  output: K8s Deployment Deleted (user=%ka.user.name deployment=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Service Created
-  desc: Detect any attempt to create a service
-  condition: (kactivity and kcreate and service and response_successful)
-  output: K8s Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Service Deleted
-  desc: Detect any attempt to delete a service
-  condition: (kactivity and kdelete and service and response_successful)
-  output: K8s Service Deleted (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s ConfigMap Created
-  desc: Detect any attempt to create a configmap
-  condition: (kactivity and kcreate and configmap and response_successful)
-  output: K8s ConfigMap Created (user=%ka.user.name configmap=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s ConfigMap Deleted
-  desc: Detect any attempt to delete a configmap
-  condition: (kactivity and kdelete and configmap and response_successful)
-  output: K8s ConfigMap Deleted (user=%ka.user.name configmap=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Namespace Created
-  desc: Detect any attempt to create a namespace
-  condition: (kactivity and kcreate and namespace and response_successful)
-  output: K8s Namespace Created (user=%ka.user.name namespace=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Namespace Deleted
-  desc: Detect any attempt to delete a namespace
-  condition: (kactivity and non_system_user and kdelete and namespace and response_successful)
-  output: K8s Namespace Deleted (user=%ka.user.name namespace=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Serviceaccount Created
-  desc: Detect any attempt to create a service account
-  condition: (kactivity and kcreate and serviceaccount and response_successful)
-  output: K8s Serviceaccount Created (user=%ka.user.name user=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Serviceaccount Deleted
-  desc: Detect any attempt to delete a service account
-  condition: (kactivity and kdelete and serviceaccount and response_successful)
-  output: K8s Serviceaccount Deleted (user=%ka.user.name user=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Role/Clusterrole Created
-  desc: Detect any attempt to create a cluster role/role
-  condition: (kactivity and kcreate and (clusterrole or role) and response_successful)
-  output: K8s Cluster Role Created (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Role/Clusterrole Deleted
-  desc: Detect any attempt to delete a cluster role/role
-  condition: (kactivity and kdelete and (clusterrole or role) and response_successful)
-  output: K8s Cluster Role Deleted (user=%ka.user.name role=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Role/Clusterrolebinding Created
-  desc: Detect any attempt to create a clusterrolebinding
-  condition: (kactivity and kcreate and clusterrolebinding and response_successful)
-  output: K8s Cluster Role Binding Created (user=%ka.user.name binding=%ka.target.name subjects=%ka.req.binding.subjects role=%ka.req.binding.role resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Role/Clusterrolebinding Deleted
-  desc: Detect any attempt to delete a clusterrolebinding
-  condition: (kactivity and kdelete and clusterrolebinding and response_successful)
-  output: K8s Cluster Role Binding Deleted (user=%ka.user.name binding=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Secret Created
-  desc: Detect any attempt to create a secret. Service account tokens are excluded.
-  condition: (kactivity and kcreate and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
-  output: K8s Secret Created (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Secret Deleted
-  desc: Detect any attempt to delete a secret Service account tokens are excluded.
-  condition: (kactivity and kdelete and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
-  output: K8s Secret Deleted (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-# This rule generally matches all events, and as a result is disabled
-# by default. If you wish to enable these events, modify the
-# following macro.
-#  condition: (jevt.rawtime exists)
-- macro: consider_all_events
-  condition: (k8s_audit_never_true)
-
-- macro: kall
-  condition: (kevt and consider_all_events)
-
-- rule: All K8s Audit Events
-  desc: Match all K8s Audit Events
-  condition: kall
-  output: K8s Audit Event received (user=%ka.user.name verb=%ka.verb uri=%ka.uri obj=%jevt.obj)
-  priority: DEBUG
-  source: k8s_audit
-  tags: [k8s]
-
-
-# This macro disables following rule, change to k8s_audit_never_true to enable it
-- macro: allowed_full_admin_users
-  condition: (k8s_audit_always_true)
-
-# This list includes some of the default user names for an administrator in several K8s installations
-- list: full_admin_k8s_users
-  items: ["admin", "kubernetes-admin",  "kubernetes-admin@kubernetes", "kubernetes-admin@cluster.local", "minikube-user"]
-
-# This rules detect an operation triggered by an user name that is
-# included in the list of those that are default administrators upon
-# cluster creation. This may signify a permission setting too broader.
-# As we can't check for role of the user on a general ka.* event, this
-# may or may not be an administrator. Customize the full_admin_k8s_users
-# list to your needs, and activate at your discrection.
-
-# # How to test:
-# # Execute any kubectl command connected using default cluster user, as:
-# kubectl create namespace rule-test
-
-- rule: Full K8s Administrative Access
-  desc: Detect any k8s operation by a user name that may be an administrator with full access.
-  condition: >
-    kevt
-    and non_system_user
-    and ka.user.name in (full_admin_k8s_users)
-    and not allowed_full_admin_users
-  output: K8s Operation performed by full admin user (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-- macro: ingress
-  condition: ka.target.resource=ingresses
-
-- macro: ingress_tls
-  condition: (jevt.value[/requestObject/spec/tls] exists)
-
-# # How to test:
-# # Create an ingress.yaml file with content:
-# apiVersion: networking.k8s.io/v1beta1
-# kind: Ingress
-# metadata:
-#   name: test-ingress
-#   annotations:
-#     nginx.ingress.kubernetes.io/rewrite-target: /
-# spec:
-#   rules:
-#   - http:
-#       paths:
-#       - path: /testpath
-#         backend:
-#           serviceName: test
-#           servicePort: 80
-# # Execute: kubectl apply -f ingress.yaml
-
-- rule: Ingress Object without TLS Certificate Created
-  desc: Detect any attempt to create an ingress without TLS certification.
-  condition: >
-    (kactivity and kcreate and ingress and response_successful and not ingress_tls)
-  output: >
-    K8s Ingress Without TLS Cert Created (user=%ka.user.name ingress=%ka.target.name
-    namespace=%ka.target.namespace)
-  source: k8s_audit
-  priority: WARNING
-  tags: [k8s, network]
-
-- macro: node
-  condition: ka.target.resource=nodes
-
-- macro: allow_all_k8s_nodes
-  condition: (k8s_audit_always_true)
-
-- list: allowed_k8s_nodes
-  items: []
-
-# # How to test:
-# # Create a Falco monitored cluster with Kops
-# # Increase the number of minimum nodes with:
-# kops edit ig nodes
-# kops apply --yes
-
-- rule: Untrusted Node Successfully Joined the Cluster
-  desc: >
-    Detect a node successfully joined the cluster outside of the list of allowed nodes.
-  condition: >
-    kevt and node
-    and kcreate
-    and response_successful
-    and not allow_all_k8s_nodes
-    and not ka.target.name in (allowed_k8s_nodes)
-  output: Node not in allowed list successfully joined the cluster (user=%ka.user.name node=%ka.target.name)
-  priority: ERROR
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: Untrusted Node Unsuccessfully Tried to Join the Cluster
-  desc: >
-    Detect an unsuccessful attempt to join the cluster for a node not in the list of allowed nodes.
-  condition: >
-    kevt and node
-    and kcreate
-    and not response_successful
-    and not allow_all_k8s_nodes
-    and not ka.target.name in (allowed_k8s_nodes)
-  output: Node not in allowed list tried unsuccessfully to join the cluster  (user=%ka.user.name node=%ka.target.name reason=%ka.response.reason)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-

scripts/CMakeLists.txt

@@ -22,6 +22,9 @@ configure_file(debian/prerm.in debian/prerm)
 file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco.service"
 	DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
 
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco_inject_kmod.service"
+	DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
+
 configure_file(rpm/postinstall.in rpm/postinstall)
 configure_file(rpm/postuninstall.in rpm/postuninstall)
 configure_file(rpm/preuninstall.in rpm/preuninstall)
@@ -29,9 +32,12 @@ configure_file(rpm/preuninstall.in rpm/preuninstall)
 file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco.service"
 	DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
 
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco_inject_kmod.service"
+	DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
+
 configure_file(falco-driver-loader falco-driver-loader @ONLY)
 
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 	install(PROGRAMS ${PROJECT_BINARY_DIR}/scripts/falco-driver-loader
-		DESTINATION ${FALCO_BIN_DIR})
+		DESTINATION ${FALCO_BIN_DIR} COMPONENT "${FALCO_COMPONENT_NAME}")
 endif()

scripts/build-lpeg.sh

@@ -1,45 +0,0 @@
-#!/usr/bin/env bash
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-set -ex
-
-PREFIX=$1
-
-if [ -z "$PREFIX" ]; then
-    PREFIX=.
-fi
-
-mkdir -p $PREFIX
-
-gcc -O2 -fPIC -I"$LUA_INCLUDE" -c lpcap.c -o $PREFIX/lpcap.o
-gcc -O2 -fPIC -I"$LUA_INCLUDE" -c lpcode.c -o $PREFIX/lpcode.o
-gcc -O2 -fPIC -I"$LUA_INCLUDE" -c lpprint.c -o $PREFIX/lpprint.o
-gcc -O2 -fPIC -I"$LUA_INCLUDE" -c lptree.c -o $PREFIX/lptree.o
-gcc -O2 -fPIC -I"$LUA_INCLUDE" -c lpvm.c -o $PREFIX/lpvm.o
-
-
-# For building lpeg.so, which we don't need now that we're statically linking lpeg.a into falco
-#gcc -shared -o lpeg.so -L/usr/local/lib lpcap.o lpcode.o lpprint.o lptree.o lpvm.o
-#gcc -shared -o lpeg.so -L/usr/local/lib lpcap.o lpcode.o lpprint.o lptree.o lpvm.o
-
-pushd $PREFIX
-/usr/bin/ar cr lpeg.a lpcap.o lpcode.o lpprint.o lptree.o lpvm.o
-/usr/bin/ranlib lpeg.a
-popd
-
-chmod ug+w re.lua

scripts/debian/falco.service

@@ -1,11 +1,12 @@
 [Unit]
 Description=Falco: Container Native Runtime Security
 Documentation=https://falco.org/docs/
+After=falco_inject_kmod.service
+Requires=falco_inject_kmod.service
 
 [Service]
 Type=simple
 User=root
-ExecStartPre=/sbin/modprobe falco
 ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
 ExecStopPost=/sbin/rmmod falco
 UMask=0077
@@ -17,6 +18,7 @@ NoNewPrivileges=yes
 ProtectHome=read-only
 ProtectSystem=full
 ProtectKernelTunables=true
+ReadWritePaths=/sys/module/falco
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
 

scripts/debian/falco_inject_kmod.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Falco: Container Native Runtime Security
+Documentation=https://falco.org/docs/
+Before=falco.service
+Wants=falco.service
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/sbin/modprobe falco
+
+[Install]
+WantedBy=multi-user.target

scripts/debian/postinst.in

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -41,3 +41,34 @@ case "$1" in
 		fi
 	;;
 esac
+
+# Based off what debhelper dh_systemd_enable/13.3.4 would have added
+# ref: https://www.debian.org/doc/manuals/debmake-doc/ch05.en.html#debhelper
+
+if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
+        # This will only remove masks created by d-s-h on package removal.
+        deb-systemd-helper unmask 'falco.service' >/dev/null || true
+
+        # was-enabled defaults to true, so new installations run enable.
+        if deb-systemd-helper --quiet was-enabled 'falco.service'; then
+                # Enables the unit on first installation, creates new
+                # symlinks on upgrades if the unit file has changed.
+                deb-systemd-helper enable 'falco.service' >/dev/null || true
+        else
+                # Update the statefile to add new symlinks (if any), which need to be
+                # cleaned up on purge. Also remove old symlinks.
+                deb-systemd-helper update-state 'falco.service' >/dev/null || true
+        fi
+fi
+
+if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
+        if [ -d /run/systemd/system ]; then
+                systemctl --system daemon-reload >/dev/null || true
+                if [ -n "$2" ]; then
+                        _dh_action=restart
+                else
+                        _dh_action=start
+                fi
+                deb-systemd-invoke $_dh_action 'falco.service' >/dev/null || true
+        fi
+fi

scripts/debian/postrm.in

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,3 +15,25 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+
+# Based off what debhelper dh_systemd_enable/13.3.4 would have added
+# ref: https://www.debian.org/doc/manuals/debmake-doc/ch05.en.html#debhelper
+
+set -e
+
+if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
+        systemctl --system daemon-reload >/dev/null || true
+fi
+
+if [ "$1" = "remove" ]; then
+        if [ -x "/usr/bin/deb-systemd-helper" ]; then
+                deb-systemd-helper mask 'falco.service' >/dev/null || true
+        fi
+fi
+
+if [ "$1" = "purge" ]; then
+        if [ -x "/usr/bin/deb-systemd-helper" ]; then
+                deb-systemd-helper purge 'falco.service' >/dev/null || true
+                deb-systemd-helper unmask 'falco.service' >/dev/null || true
+        fi
+fi

scripts/debian/prerm.in

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -17,13 +17,16 @@
 #
 set -e
 
-DKMS_PACKAGE_NAME="@PACKAGE_NAME@"
-DKMS_VERSION="@DRIVER_VERSION@"
+# Based off what debhelper dh_systemd_enable/13.3.4 would have added
+# ref: https://www.debian.org/doc/manuals/debmake-doc/ch05.en.html#debhelper
+# Currently running falco service uses the driver, so stop it before driver cleanup
+
+if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
+        deb-systemd-invoke stop 'falco.service' >/dev/null || true
+fi
 
 case "$1" in
 	remove|upgrade|deconfigure)
-		if [  "$(dkms status -m $DKMS_PACKAGE_NAME -v $DKMS_VERSION)" ]; then
-			dkms remove -m $DKMS_PACKAGE_NAME -v $DKMS_VERSION --all
-		fi
+		/usr/bin/falco-driver-loader --clean
 	;;
 esac

scripts/falco-driver-loader

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -113,11 +113,14 @@ get_target_id() {
 	elif [ -f "${HOST_ROOT}/etc/centos-release" ]; then
 		# Older CentOS distros
 		OS_ID=centos
-	elif [ -f "${HOST_ROOT}/etc/VERSION" ]; then
-		OS_ID=minikube
 	else
-		>&2 echo "Detected an unsupported target system, please get in touch with the Falco community"
-		exit 1
+		return 1
+	fi
+
+	# Overwrite the OS_ID if /etc/VERSION file is present.
+	# Not sure if there is a better way to detect minikube.
+	if [ -f "${HOST_ROOT}/etc/VERSION" ]; then
+		OS_ID=minikube
 	fi
 
 	case "${OS_ID}" in
@@ -129,16 +132,64 @@ get_target_id() {
 		fi
 		;;
 	("ubuntu")
-		if [[ $KERNEL_RELEASE == *"aws"* ]]; then
-			TARGET_ID="ubuntu-aws"
+		# Extract the flavor from the kernelrelease
+		# Examples:
+		# 5.0.0-1028-aws-5.0 -> ubuntu-aws-5.0
+		# 5.15.0-1009-aws -> ubuntu-aws
+		if [[ $KERNEL_RELEASE =~ -([a-zA-Z]+)(-.*)?$ ]];
+		then
+			TARGET_ID="ubuntu-${BASH_REMATCH[1]}${BASH_REMATCH[2]}"
 		else
 			TARGET_ID="ubuntu-generic"
 		fi
 		;;
+	("flatcar")
+		KERNEL_RELEASE="${VERSION_ID}"
+		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
+		;;
+	("minikube")
+		TARGET_ID="${OS_ID}"
+		# Extract the minikube version. Ex. With minikube version equal to "v1.26.0-1655407986-14197" the extracted version
+		# will be "1.26.0"
+		if [[ $(cat ${HOST_ROOT}/etc/VERSION) =~ ([0-9]+(\.[0-9]+){2}) ]]; then
+			# kernel version for minikube is always in "1_minikubeversion" format. Ex "1_1.26.0".
+			KERNEL_VERSION="1_${BASH_REMATCH[1]}"
+		else
+			echo "* Unable to extract minikube version from ${HOST_ROOT}/etc/VERSION"
+			exit 1
+		fi
+		;;
 	(*)
 		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
 		;;
 	esac
+	return 0
+}
+
+flatcar_relocate_tools() {
+	local -a tools=(
+		scripts/basic/fixdep
+		scripts/mod/modpost
+		tools/objtool/objtool
+	)
+	local -r hostld=$(ls /host/usr/lib64/ld-linux-*.so.*)
+	local -r kdir=/lib/modules/$(ls /lib/modules/)/build
+	echo "** Found host dl interpreter: ${hostld}"
+	for host_tool in ${tools[@]}; do
+		t=${host_tool}
+		tool=$(basename $t)
+		tool_dir=$(dirname $t)
+		host_tool=${kdir}/${host_tool}
+		if [ ! -f ${host_tool} ]; then
+			continue
+		fi
+		umount ${host_tool} 2>/dev/null || true
+		mkdir -p /tmp/${tool_dir}/
+		cp -a ${host_tool} /tmp/${tool_dir}/
+		echo "** Setting host dl interpreter for $host_tool"
+		patchelf --set-interpreter ${hostld} --set-rpath /host/usr/lib64 /tmp/${tool_dir}/${tool}
+		mount -o bind /tmp/${tool_dir}/${tool} ${host_tool}
+	done
 }
 
 load_kernel_module_compile() {
@@ -153,6 +204,12 @@ load_kernel_module_compile() {
 		return
 	fi
 
+	if [ "${TARGET_ID}" == "flatcar" ]; then
+		KERNEL_RELEASE=$(uname -r)
+		echo "* Flatcar detected (version ${VERSION_ID}); relocating kernel tools"
+		flatcar_relocate_tools
+	fi
+
 	# Try to compile using all the available gcc versions
 	for CURRENT_GCC in $(which gcc) $(ls "$(dirname "$(which gcc)")"/gcc-* | grep 'gcc-[0-9]\+' | sort -n -r -k 2 -t -); do
 		echo "* Trying to dkms install ${DRIVER_NAME} module with GCC ${CURRENT_GCC}"
@@ -196,18 +253,14 @@ load_kernel_module_compile() {
 }
 
 load_kernel_module_download() {
-	get_target_id
-
 	local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
-
-	local URL
-	URL=$(echo "${DRIVERS_REPO}/${DRIVER_VERSION}/${FALCO_KERNEL_MODULE_FILENAME}" | sed s/+/%2B/g)
+	local URL=$(echo "${1}/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" | sed s/+/%2B/g)
 
 	echo "* Trying to download a prebuilt ${DRIVER_NAME} module from ${URL}"
-	if curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" "${URL}"; then
+	if curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" "${URL}"; then
 		echo "* Download succeeded"
-		chcon -t modules_object_t "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" > /dev/null 2>&1 || true
-		if insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}"; then
+		chcon -t modules_object_t "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" > /dev/null 2>&1 || true
+		if insmod "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}"; then
 			echo "* Success: ${DRIVER_NAME} module found and inserted"
 			exit 0
 		else
@@ -219,59 +272,122 @@ load_kernel_module_download() {
 	fi
 }
 
-load_kernel_module() {
-	if ! hash lsmod > /dev/null 2>&1; then
-		>&2 echo "This program requires lsmod"
-		exit 1
-	fi
+print_clean_termination() {
+	echo
+	echo "[SUCCESS] Cleaning phase correctly terminated."
+	echo 
+	echo "================ Cleaning phase ================"
+	echo 
+}
 
-	if ! hash modprobe > /dev/null 2>&1; then
-		>&2 echo "This program requires modprobe"
+print_filename_components() {
+	echo " - driver name: ${DRIVER_NAME}"
+	echo " - target identifier: ${TARGET_ID}"
+	echo " - kernel release: ${KERNEL_RELEASE}"
+	echo " - kernel version: ${KERNEL_VERSION}"
+}
+
+clean_kernel_module() {
+	echo 
+	echo "================ Cleaning phase ================"
+	echo 
+
+	if ! hash lsmod > /dev/null 2>&1; then
+		>&2 echo "This program requires lsmod."
 		exit 1
 	fi
 
 	if ! hash rmmod > /dev/null 2>&1; then
-		>&2 echo "This program requires rmmod"
+		>&2 echo "This program requires rmmod."
 		exit 1
 	fi
 
-	echo "* Unloading ${DRIVER_NAME} module, if present"
-	rmmod "${DRIVER_NAME}" 2>/dev/null
-	WAIT_TIME=0
 	KMOD_NAME=$(echo "${DRIVER_NAME}" | tr "-" "_")
-	while lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}" && [ $WAIT_TIME -lt "${MAX_RMMOD_WAIT}" ]; do
-		if rmmod "${DRIVER_NAME}" 2>/dev/null; then
-			echo "* Unloading ${DRIVER_NAME} module succeeded after ${WAIT_TIME}s"
-			break
-		fi
-		((++WAIT_TIME))
-		if (( WAIT_TIME % 5 == 0 )); then
-			echo "* ${DRIVER_NAME} module still loaded, waited ${WAIT_TIME}s (max wait ${MAX_RMMOD_WAIT}s)"
-		fi
-		sleep 1
-	done
+	echo "* 1. Check if kernel module '${KMOD_NAME}' is still loaded:"
 
-	if lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}" > /dev/null 2>&1; then
-		echo "* ${DRIVER_NAME} module seems to still be loaded, hoping the best"
-		exit 0
+	if ! lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}"; then
+		echo "- OK! There is no '${KMOD_NAME}' module loaded."
+		echo
 	fi
 
+	# Wait 50s = MAX_RMMOD_WAIT * 5s
+	MAX_RMMOD_WAIT=10
+	# Remove kernel module if is still loaded.
+	while lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}" && [ $MAX_RMMOD_WAIT -gt 0 ]; do
+		echo "- Kernel module '${KMOD_NAME}' is still loaded."
+		echo "- Trying to unload it with 'rmmod ${KMOD_NAME}'..."
+		if rmmod ${KMOD_NAME}; then
+			echo "- OK! Unloading '${KMOD_NAME}' module succeeded."
+			echo
+		else
+			echo "- Nothing to do...'falco-driver-loader' will wait until you remove the kernel module to have a clean termination."
+			echo "- Check that no process is using the kernel module with 'lsmod | grep ${KMOD_NAME}'."
+			echo "- Sleep 5 seconds..."
+			echo
+			((--MAX_RMMOD_WAIT))
+			sleep 5
+		fi
+	done
+
+	if [ ${MAX_RMMOD_WAIT} -eq 0 ]; then
+		echo "[WARNING] '${KMOD_NAME}' module is still loaded, you could have incompatibility issues."
+		echo
+	fi
+	
+	if ! hash dkms >/dev/null 2>&1; then
+		echo "- Skipping dkms remove (dkms not found)."
+		print_clean_termination
+		return
+	fi
+
+	# Remove all versions of this module from dkms.
+	echo "* 2. Check all versions of kernel module '${KMOD_NAME}' in dkms:"
+	DRIVER_VERSIONS=$(dkms status -m "${KMOD_NAME}" | tr -d "," | tr -d ":" | tr "/" " " | cut -d' ' -f2)
+	if [ -z "${DRIVER_VERSIONS}" ]; then
+		echo "- OK! There are no '${KMOD_NAME}' module versions in dkms."
+	else
+		echo "- There are some versions of '${KMOD_NAME}' module in dkms."
+		echo
+		echo "* 3. Removing all the following versions from dkms:"
+		echo "${DRIVER_VERSIONS}"
+		echo
+	fi
+
+	for CURRENT_VER in ${DRIVER_VERSIONS}; do
+		echo "- Removing ${CURRENT_VER}..."
+		if dkms remove -m ${KMOD_NAME} -v "${CURRENT_VER}" --all; then
+			echo
+			echo "- OK! Removing '${CURRENT_VER}' succeeded."
+			echo
+		else
+			echo "[WARNING] Removing '${KMOD_NAME}' version '${CURRENT_VER}' failed."
+		fi
+	done
+
+	print_clean_termination
+}
+
+load_kernel_module() {
+	clean_kernel_module
 
 	echo "* Looking for a ${DRIVER_NAME} module locally (kernel ${KERNEL_RELEASE})"
 
-	get_target_id
-
 	local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
+	echo "* Filename '${FALCO_KERNEL_MODULE_FILENAME}' is composed of:"
+	print_filename_components
 
-	if [ -f "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" ]; then
-		echo "* Found a prebuilt ${DRIVER_NAME} module at ${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}, loading it"
-		chcon -t modules_object_t "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" > /dev/null 2>&1 || true
-		insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module found and inserted"
+	if [ -f "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" ]; then
+		echo "* Found a prebuilt ${DRIVER_NAME} module at ${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}, loading it"
+		chcon -t modules_object_t "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" > /dev/null 2>&1 || true
+		insmod "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module found and inserted"
 		exit $?
 	fi
 
 	if [ -n "$ENABLE_DOWNLOAD" ]; then
-		load_kernel_module_download
+		IFS=", " read -r -a urls <<< "${DRIVERS_REPO}"
+		for url in "${urls[@]}"; do
+			load_kernel_module_download $url
+		done
 	fi
 
 	if [ -n "$ENABLE_COMPILE" ]; then
@@ -290,48 +406,6 @@ load_kernel_module() {
 	exit 1
 }
 
-clean_kernel_module() {
-	if ! hash lsmod > /dev/null 2>&1; then
-		>&2 echo "This program requires lsmod"
-		exit 1
-	fi
-
-	if ! hash rmmod > /dev/null 2>&1; then
-		>&2 echo "This program requires rmmod"
-		exit 1
-	fi
-
-	KMOD_NAME=$(echo "${DRIVER_NAME}" | tr "-" "_")
-	if lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}"; then
-		if rmmod "${DRIVER_NAME}" 2>/dev/null; then
-			echo "* Unloading ${DRIVER_NAME} module succeeded"
-		else
-			echo "* Unloading ${DRIVER_NAME} module failed"
-		fi
-	else
-		echo "* There is no ${DRIVER_NAME} module loaded"
-	fi
-
-	if ! hash dkms >/dev/null 2>&1; then
-		echo "* Skipping dkms remove (dkms not found)"
-		return
-	fi
-
-	DRIVER_VERSIONS=$(dkms status -m "${DRIVER_NAME}" | cut -d',' -f1 | sed -e 's/^[[:space:]]*//')
-	if [ -z "${DRIVER_VERSIONS}" ]; then
-		echo "* There is no ${DRIVER_NAME} module in dkms"
-		return
-	fi
-	for CURRENT_VER in ${DRIVER_VERSIONS}; do
-		if dkms remove "${CURRENT_VER}" --all 2>/dev/null; then
-			echo "* Removing ${CURRENT_VER} succeeded"
-		else
-			echo "* Removing ${CURRENT_VER} failed"
-			exit 1
-		fi
-	done
-}
-
 load_bpf_probe_compile() {
 	local BPF_KERNEL_SOURCES_URL=""
 	local STRIP_COMPONENTS=1
@@ -437,8 +511,8 @@ load_bpf_probe_compile() {
 
 	make -C "/usr/src/${DRIVER_NAME}-${DRIVER_VERSION}/bpf" > /dev/null
 
-	mkdir -p "${HOME}/.falco"
-	mv "/usr/src/${DRIVER_NAME}-${DRIVER_VERSION}/bpf/probe.o" "${HOME}/.falco/${BPF_PROBE_FILENAME}"
+	mkdir -p "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}"
+	mv "/usr/src/${DRIVER_NAME}-${DRIVER_VERSION}/bpf/probe.o" "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${BPF_PROBE_FILENAME}"
 
 	if [ -n "${BPF_KERNEL_SOURCES_URL}" ]; then
 		rm -r /tmp/kernel
@@ -448,47 +522,54 @@ load_bpf_probe_compile() {
 
 load_bpf_probe_download() {
 	local URL
-	URL=$(echo "${DRIVERS_REPO}/${DRIVER_VERSION}/${BPF_PROBE_FILENAME}" | sed s/+/%2B/g)
+	URL=$(echo "${1}/${DRIVER_VERSION}/${ARCH}/${BPF_PROBE_FILENAME}" | sed s/+/%2B/g)
 
 	echo "* Trying to download a prebuilt eBPF probe from ${URL}"
 
-	if ! curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${URL}"; then
+	if ! curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${BPF_PROBE_FILENAME}" "${URL}"; then
 		>&2 echo "Unable to find a prebuilt ${DRIVER_NAME} eBPF probe"
-		return
+		return 1
 	fi
+	return 0
 }
 
 load_bpf_probe() {
-	echo "* Mounting debugfs"
 
 	if [ ! -d /sys/kernel/debug/tracing ]; then
+		echo "* Mounting debugfs"
 		mount -t debugfs nodev /sys/kernel/debug
 	fi
 
-	get_target_id
-
 	BPF_PROBE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.o"
+	echo "* Filename '${BPF_PROBE_FILENAME}' is composed of:"
+	print_filename_components
 
 	if [ -n "$ENABLE_DOWNLOAD" ]; then
-		if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
-			echo "* Skipping download, eBPF probe is already present in ${HOME}/.falco/${BPF_PROBE_FILENAME}"
+		if [ -f "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${BPF_PROBE_FILENAME}" ]; then
+			echo "* Skipping download, eBPF probe is already present in ${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${BPF_PROBE_FILENAME}"
 		else
-			load_bpf_probe_download
+			IFS=", " read -r -a urls <<< "${DRIVERS_REPO}"
+			for url in "${urls[@]}"; do
+				load_bpf_probe_download $url
+				if [ $? -eq 0 ]; then
+                	break
+                fi
+			done
 		fi
 	fi
 
 	if [ -n "$ENABLE_COMPILE" ]; then
-		if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
-			echo "* Skipping compilation, eBPF probe is already present in ${HOME}/.falco/${BPF_PROBE_FILENAME}"
+		if [ -f "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${BPF_PROBE_FILENAME}" ]; then
+			echo "* Skipping compilation, eBPF probe is already present in ${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${BPF_PROBE_FILENAME}"
 		else
 			load_bpf_probe_compile
 		fi
 	fi
 
-	if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
-		echo "* eBPF probe located in ${HOME}/.falco/${BPF_PROBE_FILENAME}"
+	if [ -f "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${BPF_PROBE_FILENAME}" ]; then
+		echo "* eBPF probe located in ${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${BPF_PROBE_FILENAME}"
 
-		ln -sf "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${HOME}/.falco/${DRIVER_NAME}-bpf.o" \
+		ln -sf "${HOME}/.falco/${DRIVER_VERSION}/${ARCH}/${BPF_PROBE_FILENAME}" "${HOME}/.falco/${DRIVER_NAME}-bpf.o" \
 			&& echo "* Success: eBPF probe symlinked to ${HOME}/.falco/${DRIVER_NAME}-bpf.o"
 		exit $?
 	else
@@ -514,7 +595,7 @@ print_usage() {
 	echo "  --source-only  skip execution and allow sourcing in another script"
 	echo ""
 	echo "Environment variables:"
-	echo "  DRIVERS_REPO             specify a different URL where to look for prebuilt Falco drivers"
+	echo "  DRIVERS_REPO             specify different URL(s) where to look for prebuilt Falco drivers (comma separated)"
 	echo "  DRIVER_NAME              specify a different name for the driver"
 	echo "  DRIVER_INSECURE_DOWNLOAD whether you want to allow insecure downloads or not"
 	echo ""
@@ -547,10 +628,12 @@ if [[ -z "$MAX_RMMOD_WAIT" ]]; then
 	MAX_RMMOD_WAIT=60
 fi
 
-DRIVER_VERSION="@DRIVER_VERSION@"
+DRIVER_VERSION=${DRIVER_VERSION:-"@DRIVER_VERSION@"}
 DRIVER_NAME=${DRIVER_NAME:-"@DRIVER_NAME@"}
 FALCO_VERSION="@FALCO_VERSION@"
 
+TARGET_ID="placeholder" # when no target id can be fetched, we try to build the driver from source anyway, using a placeholder name
+
 DRIVER="module"
 if [ -v FALCO_BPF_PROBE ]; then
 	DRIVER="bpf"
@@ -617,13 +700,25 @@ if [ -z "$has_opts" ]; then
 fi
 
 if [ -z "$source_only" ]; then
-	echo "* Running falco-driver-loader for: falco version=${FALCO_VERSION}, driver version=${DRIVER_VERSION}"
+	echo "* Running falco-driver-loader for: falco version=${FALCO_VERSION}, driver version=${DRIVER_VERSION}, arch=${ARCH}, kernel release=${KERNEL_RELEASE}, kernel version=${KERNEL_VERSION}"
 
 	if [ "$(id -u)" != 0 ]; then
 		>&2 echo "This program must be run as root (or with sudo)"
 		exit 1
 	fi
 
+	get_target_id
+	res=$?
+	if [ $res != 0 ]; then
+		if [ -n "$ENABLE_COMPILE" ]; then
+			ENABLE_DOWNLOAD=
+			>&2 echo "Detected an unsupported target system, please get in touch with the Falco community. Trying to compile anyway."
+		else
+			>&2 echo "Detected an unsupported target system, please get in touch with the Falco community."
+			exit 1
+		fi
+	fi
+
 	if [ -n "$clean" ]; then
 		if [ -n "$has_opts" ]; then
 			>&2 echo "Cannot use --clean with other options"

scripts/publish-deb

@@ -2,7 +2,7 @@
 set -e
 
 usage() {
-    echo "usage: $0 -f <package.deb> -r <deb|deb-dev>"
+    echo "usage: $0 -f <package_x86_64.deb> -f <package_aarch64.deb> -r <deb|deb-dev>"
     exit 1
 }
 
@@ -14,6 +14,13 @@ check_program() {
   fi
 }
 
+# Used to get comma separated list of architectures
+join_arr() {
+  local IFS="$1"
+  shift
+  echo "$*"
+}
+
 # Add a package to the local DEB repository
 #
 # $1: path of the repository.
@@ -25,6 +32,26 @@ add_deb() {
     rm -f $(basename -- $3).asc
     gpg --detach-sign --digest-algo SHA256 --armor $(basename -- $3)
     popd > /dev/null
+
+    # Get package architecture from dpkg
+    local arch=$(dpkg --info $3 |  awk '/Architecture/ {printf "%s", $2}')
+    # Store architecture in array
+    architectures+=("${arch}")
+}
+
+falco_arch_from_deb_arch() {
+    case "$1" in
+      "amd64")
+        echo -n "x86_64"
+        ;;
+      "arm64")
+        echo -n "aarch64"
+        ;;
+      *)
+        echo "Wrong arch."
+        exit 1
+        ;;
+    esac  
 }
 
 # Update the local DEB repository
@@ -32,26 +59,25 @@ add_deb() {
 # $1: path of the repository
 # $2: suite (eg. "stable")
 update_repo() {
-    # fixme(leogr): we cannot use apt-ftparchive --arch packages ...
-    # since our .deb files ends with "_x86_64" instead of "amd64".
-    # See https://manpages.debian.org/jessie/apt-utils/apt-ftparchive.1.en.html
-    #
-    # As a workaround, we temporarily stick here with "amd64" 
-    # (the only supported arch at the moment)
-    local arch=amd64
-
     local component=main
     local debs_dir=$2
     local release_dir=dists/$2
-    local packages_dir=${release_dir}/${component}/binary-${arch}
 
     pushd $1 > /dev/null
 
     # packages metadata
-    apt-ftparchive packages ${debs_dir} > ${packages_dir}/Packages
-    gzip -c ${packages_dir}/Packages > ${packages_dir}/Packages.gz
-    bzip2 -z -c ${packages_dir}/Packages > ${packages_dir}/Packages.bz2
-    
+    for arch in "${architectures[@]}"; do
+      local packages_dir=${release_dir}/${component}/binary-${arch}
+      mkdir -p ${packages_dir}
+      truncate -s 0 ${packages_dir}/Packages
+      # Find all ${arch} deb files.
+      # Note that debian uses {arm64,amd64}, while 
+      # Falco packages use {x86_64,aarch64}.
+      find ${debs_dir} -name "falco-*-$(falco_arch_from_deb_arch ${arch}).deb" -exec apt-ftparchive packages {} \; >> ${packages_dir}/Packages
+      gzip -c ${packages_dir}/Packages > ${packages_dir}/Packages.gz
+      bzip2 -z -c ${packages_dir}/Packages > ${packages_dir}/Packages.bz2
+    done
+
     # release metadata
     apt-ftparchive release \
       -o APT::FTPArchive::Release::Origin=Falco \
@@ -59,13 +85,18 @@ update_repo() {
       -o APT::FTPArchive::Release::Suite=$2 \
       -o APT::FTPArchive::Release::Codename=$2 \
       -o APT::FTPArchive::Release::Components=${component} \
-      -o APT::FTPArchive::Release::Architectures=${arch} \
+      -o APT::FTPArchive::Release::Architectures="$(join_arr , "${architectures[@]}")" \
       ${release_dir} > ${release_dir}/Release
 
-    # release signature
+    # release signature - Release.gpg file
     gpg --detach-sign --digest-algo SHA256 --armor ${release_dir}/Release
     rm -f ${release_dir}/Release.gpg
     mv ${release_dir}/Release.asc ${release_dir}/Release.gpg
+    
+    # release signature - InRelease file
+    gpg --armor --sign --clearsign --digest-algo SHA256 ${release_dir}/Release
+    rm -f ${release_dir}/InRelease
+    mv ${release_dir}/Release.asc ${release_dir}/InRelease
 
     popd > /dev/null
 }
@@ -74,7 +105,7 @@ update_repo() {
 while getopts ":f::r:" opt; do
     case "${opt}" in
         f )
-          file=${OPTARG}
+          files+=("${OPTARG}")
           ;;
         r )
           repo="${OPTARG}"
@@ -93,7 +124,7 @@ done
 shift $((OPTIND-1))
 
 # check options
-if [ -z "${file}" ] || [ -z "${repo}" ]; then
+if [ ${#files[@]} -eq 0 ] || [ -z "${repo}" ]; then
     usage
 fi
 
@@ -103,6 +134,7 @@ check_program gzip
 check_program bzip2
 check_program gpg
 check_program aws
+check_program dpkg
 
 # settings
 debSuite=stable
@@ -116,17 +148,23 @@ mkdir -p ${tmp_repo_path}
 aws s3 cp ${s3_bucket_repo} ${tmp_repo_path} --recursive
 
 # update the repo
-echo "Adding ${file}..."
-add_deb ${tmp_repo_path} ${debSuite} ${file}
+for file in "${files[@]}"; do
+  echo "Adding ${file}..."
+  add_deb ${tmp_repo_path} ${debSuite} ${file}
+done
 update_repo ${tmp_repo_path} ${debSuite}
 
 # publish
-package=$(basename -- ${file})
-echo "Publishing ${package} to ${s3_bucket_repo}..."
-aws s3 cp ${tmp_repo_path}/${debSuite}/${package} ${s3_bucket_repo}/${debSuite}/${package} --acl public-read
-aws s3 cp ${tmp_repo_path}/${debSuite}/${package}.asc ${s3_bucket_repo}/${debSuite}/${package}.asc --acl public-read
-aws s3 sync ${tmp_repo_path}/dists ${s3_bucket_repo}/dists --delete --acl public-read
+for file in "${files[@]}"; do
+  package=$(basename -- ${file})
+  echo "Publishing ${package} to ${s3_bucket_repo}..."
+  aws s3 cp ${tmp_repo_path}/${debSuite}/${package} ${s3_bucket_repo}/${debSuite}/${package} --acl public-read
+  aws s3 cp ${tmp_repo_path}/${debSuite}/${package}.asc ${s3_bucket_repo}/${debSuite}/${package}.asc --acl public-read
 
-aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${debSuite}/${package}
-aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${debSuite}/${package}.asc
+  aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${debSuite}/${package}
+  aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${debSuite}/${package}.asc
+done
+
+# sync dists
+aws s3 sync ${tmp_repo_path}/dists ${s3_bucket_repo}/dists --delete --acl public-read
 aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/dists/*

scripts/publish-rpm

@@ -2,7 +2,7 @@
 set -e
 
 usage() {
-    echo "usage: $0 -f <package.rpm> -r <rpm|rpm-dev>"
+    echo "usage: $0 -f <package_x86_64.rpm> -f <package_aarch64.rpm> -r <rpm|rpm-dev>"
     exit 1
 }
 
@@ -42,7 +42,7 @@ update_repo() {
 while getopts ":f::r:" opt; do
     case "${opt}" in
         f )
-          file=${OPTARG}
+          files+=("${OPTARG}")
           ;;
         r )
           repo="${OPTARG}"
@@ -60,7 +60,7 @@ while getopts ":f::r:" opt; do
 done
 shift $((OPTIND-1))
 
-if [ -z "${file}" ] || [ -z "${repo}" ]; then
+if [ ${#files[@]} -eq 0 ] || [ -z "${repo}" ]; then
     usage
 fi
 
@@ -80,17 +80,23 @@ mkdir -p ${tmp_repo_path}
 aws s3 cp ${s3_bucket_repo} ${tmp_repo_path} --recursive
 
 # update the repo
-echo "Adding ${file}..."
-add_rpm ${tmp_repo_path} ${file}
+for file in "${files[@]}"; do
+  echo "Adding ${file}..."
+  add_rpm ${tmp_repo_path} ${file}
+done
 update_repo ${tmp_repo_path}
 
 # publish
-package=$(basename -- ${file})
-echo "Publishing ${package} to ${s3_bucket_repo}..."
-aws s3 cp ${tmp_repo_path}/${package} ${s3_bucket_repo}/${package} --acl public-read
-aws s3 cp ${tmp_repo_path}/${package}.asc ${s3_bucket_repo}/${package}.asc --acl public-read
-aws s3 sync ${tmp_repo_path}/repodata ${s3_bucket_repo}/repodata --delete --acl public-read
+for file in "${files[@]}"; do
+  package=$(basename -- ${file})
+  echo "Publishing ${package} to ${s3_bucket_repo}..."
+  aws s3 cp ${tmp_repo_path}/${package} ${s3_bucket_repo}/${package} --acl public-read
+  aws s3 cp ${tmp_repo_path}/${package}.asc ${s3_bucket_repo}/${package}.asc --acl public-read
 
-aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}
-aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}.asc
+  aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}
+  aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}.asc
+done
+
+# sync repodata
+aws s3 sync ${tmp_repo_path}/repodata ${s3_bucket_repo}/repodata --delete --acl public-read
 aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/repodata/*

scripts/rpm/falco.service

@@ -1,11 +1,12 @@
 [Unit]
 Description=Falco: Container Native Runtime Security
 Documentation=https://falco.org/docs/
+After=falco_inject_kmod.service
+Requires=falco_inject_kmod.service
 
 [Service]
 Type=simple
 User=root
-ExecStartPre=/sbin/modprobe falco
 ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
 ExecStopPost=/sbin/rmmod falco
 UMask=0077
@@ -17,6 +18,7 @@ NoNewPrivileges=yes
 ProtectHome=read-only
 ProtectSystem=full
 ProtectKernelTunables=true
+ReadWritePaths=/sys/module/falco
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
 StandardOutput=null

scripts/rpm/falco_inject_kmod.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Falco: Container Native Runtime Security
+Documentation=https://falco.org/docs/
+Before=falco.service
+Wants=falco.service
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/sbin/modprobe falco
+
+[Install]
+WantedBy=multi-user.target

scripts/rpm/postinstall.in

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -14,6 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+set -e
 
 mod_version="@DRIVER_VERSION@"
 dkms add -m falco -v $mod_version --rpm_safe_upgrade
@@ -29,3 +30,35 @@ else
 	echo -e "Module build for the currently running kernel was skipped since the"
 	echo -e "kernel source for this kernel does not seem to be installed."
 fi
+
+# validate rpm macros by `rpm -qp --scripts <rpm>`
+# RPM scriptlets: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd
+#                 https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
+
+# systemd_post macro expands to
+# if postinst:
+#   `systemd-update-helper install-system-units <service>`
+%systemd_post 'falco.service'
+
+# post install mirrored from .deb
+if [ $1 -eq 1 ]; then
+        # This will only remove masks created on package removal.
+        /usr/bin/systemctl --system unmask 'falco.service' >/dev/null || true
+
+        # enable falco on installation
+        # note: DEB postinstall script checks for changed symlinks
+        /usr/bin/systemctl --system enable 'falco.service' >/dev/null || true
+
+        # start falco on installation
+        /usr/bin/systemctl --system start 'falco.service' >/dev/null || true
+fi
+
+# post upgrade mirrored from .deb
+if [ $1 -gt 1 ]; then
+    if [ -d /run/systemd/system ]; then
+        /usr/bin/systemctl --system daemon-reload >/dev/null || true
+
+        # restart falco on upgrade if service is already running
+        /usr/bin/systemctl --system condrestart 'falco.service' >/dev/null || true
+    fi
+fi

scripts/rpm/postuninstall.in

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -14,3 +14,20 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+
+set -e
+
+# post uninstall mirrored from .deb
+if [ -d /run/systemd/system ] && [ "$1" = 0 ]; then
+        /usr/bin/systemctl --system daemon-reload >/dev/null || true
+        /usr/bin/systemctl --system mask 'falco.service' >/dev/null || true
+fi
+
+# validate rpm macros by `rpm -qp --scripts <rpm>`
+# RPM scriptlets: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd
+#                 https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
+
+# systemd_postun_with_restart macro expands to
+# if package upgrade, not uninstall:
+#   `systemd-update-helper mark-restart-system-units <service>`
+%systemd_postun_with_restart 'falco.service'

scripts/rpm/preuninstall.in

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -14,6 +14,22 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+set -e
 
-mod_version="@DRIVER_VERSION@"
-dkms remove -m falco -v $mod_version --all --rpm_safe_upgrade
+# pre uninstall mirrored from .deb
+# Currently running falco service uses the driver, so stop it before driver cleanup
+if [ -d /run/systemd/system ] && [ $1 -eq 0 ]; then
+        # stop falco service before uninstall
+        /usr/bin/systemctl --system stop 'falco.service' >/dev/null || true
+fi
+
+/usr/bin/falco-driver-loader --clean
+
+# validate rpm macros by `rpm -qp --scripts <rpm>`
+# RPM scriptlets: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd
+#                 https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
+
+# systemd_preun macro expands to
+# if preuninstall:
+#  `systemd-update-helper remove-system-units <service>`
+%systemd_preun 'falco.service'

test/.gitignore

@@ -1 +1,2 @@
-falco_traces.yaml
+falco_traces.yaml
+venv/*

test/README.md

@@ -10,7 +10,6 @@ You can find instructions on how to run this test suite on the Falco website [he
 - [falco_traces](./falco_traces.yaml.in)
 - [falco_tests_package](./falco_tests_package.yaml)
 - [falco_k8s_audit_tests](./falco_k8s_audit_tests.yaml)
-- [falco_tests_psp](./falco_tests_psp.yaml)
 
 ## Running locally
 
@@ -18,13 +17,7 @@ This step assumes you already built Falco.
 
 Note that the tests are intended to be run against a [release build](https://falco.org/docs/getting-started/source/#specify-the-build-type) of Falco, at the moment.
 
-Also, it assumes you prepared [falco_traces](#falco_traces) (see the section below) and you already run the following command from the build directory:
-
-```console
-make test-trace-files
-```
-
-It prepares the fixtures (`json` and `scap` files) needed by the integration tests.
+Also, it assumes you prepared [falco_traces](#falco_traces) (see the section below).
 
 **Requirements**
 
@@ -71,7 +64,7 @@ The `falco_traces.yaml` test suite gets generated through the `falco_traces.yaml
 
 ### falco_tests_package
 
-The `falco_tests_package.yaml` test suite requires some additional setup steps to be succesfully run on your local machine.
+The `falco_tests_package.yaml` test suite requires some additional setup steps to be successfully run on your local machine.
 
 In particular, it requires some runners (ie., docker images) to be already built and present into your local machine.
 
@@ -117,7 +110,7 @@ In case you want to run all the test suites at once, you can directly use the `r
 
 ```console
 cd test
-./run_regression_tests.sh -v
+./run_regression_tests.sh -v -d ../build
 ```
 
 Just make sure you followed all the previous setup steps.

test/confs/plugins/k8s_audit.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2022 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -14,6 +14,16 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-- macro: my_macro
-  condition: proc.name=not-cat
-  append: true
+stdout_output:
+  enabled: true
+
+plugins:
+  - name: k8saudit
+    library_path: BUILD_DIR/k8saudit-plugin-prefix/src/k8saudit-plugin/libk8saudit.so
+    init_config: ""
+    open_params: "" # to be filled out by each test case
+  - name: json
+    library_path: BUILD_DIR/json-plugin-prefix/src/json-plugin/libjson.so
+    init_config: ""
+
+load_plugins: [k8saudit, json]

test/confs/plugins/multiple_source_plugins.yaml

@@ -1,15 +0,0 @@
-stdout_output:
-  enabled: true
-
-plugins:
-  - name: cloudtrail
-    library_path: BUILD_DIR/cloudtrail-plugin-prefix/src/cloudtrail-plugin/libcloudtrail.so
-    init_config: ""
-    open_params: "BUILD_DIR/test/trace_files/plugins/alice_start_instances.json"
-  - name: test_source
-    library_path: BUILD_DIR/test/plugins/libtest_source.so
-    init_config: ""
-    open_params: ""
-
-# Optional
-load_plugins: [cloudtrail, test_source]

test/confs/psp.yaml

@@ -1,171 +0,0 @@
-#
-# Copyright (C) 2016-2018 The Falco Authors.
-#
-# This file is part of falco .
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# File(s) or Directories containing Falco rules, loaded at startup.
-# The name "rules_file" is only for backwards compatibility.
-# If the entry is a file, it will be read directly. If the entry is a directory,
-# every file in that directory will be read, in alphabetical order.
-#
-# falco_rules.yaml ships with the falco package and is overridden with
-# every new software version. falco_rules.local.yaml is only created
-# if it doesn't exist. If you want to customize the set of rules, add
-# your customizations to falco_rules.local.yaml.
-#
-# The files will be read in the order presented here, so make sure if
-# you have overrides they appear in later files.
-rules_file: []
-
-# If true, the times displayed in log messages and output messages
-# will be in ISO 8601. By default, times are displayed in the local
-# time zone, as governed by /etc/localtime.
-time_format_iso_8601: false
-
-# Whether to output events in json or text
-json_output: false
-
-# When using json output, whether or not to include the "output" property
-# itself (e.g. "File below a known binary directory opened for writing
-# (user=root ....") in the json output.
-json_include_output_property: true
-
-# When using json output, whether or not to include the "tags" property
-# itself in the json output. If set to true, outputs caused by rules
-# with no tags will have a "tags" field set to an empty array. If set to
-# false, the "tags" field will not be included in the json output at all.
-json_include_tags_property: true
-
-# Send information logs to stderr and/or syslog Note these are *not* security
-# notification logs! These are just Falco lifecycle (and possibly error) logs.
-log_stderr: true
-log_syslog: true
-
-# Minimum log level to include in logs. Note: these levels are
-# separate from the priority field of rules. This refers only to the
-# log level of falco's internal logging. Can be one of "emergency",
-# "alert", "critical", "error", "warning", "notice", "info", "debug".
-log_level: info
-
-# Minimum rule priority level to load and run. All rules having a
-# priority more severe than this level will be loaded/run.  Can be one
-# of "emergency", "alert", "critical", "error", "warning", "notice",
-# "info", "debug".
-priority: debug
-
-# Whether or not output to any of the output channels below is
-# buffered. Defaults to false
-buffered_outputs: false
-
-# Falco uses a shared buffer between the kernel and userspace to pass
-# system call information. When falco detects that this buffer is
-# full and system calls have been dropped, it can take one or more of
-# the following actions:
-#   - "ignore": do nothing. If an empty list is provided, ignore is assumed.
-#   - "log": log a CRITICAL message noting that the buffer was full.
-#   - "alert": emit a falco alert noting that the buffer was full.
-#   - "exit": exit falco with a non-zero rc.
-#
-# The rate at which log/alert messages are emitted is governed by a
-# token bucket. The rate corresponds to one message every 30 seconds
-# with a burst of 10 messages.
-
-syscall_event_drops:
-  actions:
-    - log
-    - alert
-  rate: .03333
-  max_burst: 10
-
-# A throttling mechanism implemented as a token bucket limits the
-# rate of falco notifications. This throttling is controlled by the following configuration
-# options:
-#  - rate: the number of tokens (i.e. right to send a notification)
-#    gained per second. Defaults to 1.
-#  - max_burst: the maximum number of tokens outstanding. Defaults to 1000.
-#
-# With these defaults, falco could send up to 1000 notifications after
-# an initial quiet period, and then up to 1 notification per second
-# afterward. It would gain the full burst back after 1000 seconds of
-# no activity.
-
-outputs:
-  rate: 1
-  max_burst: 1000
-
-# Where security notifications should go.
-# Multiple outputs can be enabled.
-
-syslog_output:
-  enabled: true
-
-# If keep_alive is set to true, the file will be opened once and
-# continuously written to, with each output message on its own
-# line. If keep_alive is set to false, the file will be re-opened
-# for each output message.
-#
-# Also, the file will be closed and reopened if falco is signaled with
-# SIGUSR1.
-
-file_output:
-  enabled: false
-  keep_alive: false
-  filename: ./events.txt
-
-stdout_output:
-  enabled: true
-
-# Falco contains an embedded webserver that can be used to accept K8s
-# Audit Events. These config options control the behavior of that
-# webserver. (By default, the webserver is disabled).
-#
-# The ssl_certificate is a combination SSL Certificate and corresponding
-# key contained in a single file. You can generate a key/cert as follows:
-#
-# $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
-# $ cat certificate.pem key.pem > falco.pem
-# $ sudo cp falco.pem /etc/falco/falco.pem
-
-webserver:
-  enabled: true
-  listen_port: 8765
-  k8s_audit_endpoint: /k8s-audit
-  ssl_enabled: false
-  ssl_certificate: /etc/falco/falco.pem
-
-# Possible additional things you might want to do with program output:
-#   - send to a slack webhook:
-#         program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
-#   - logging (alternate method than syslog):
-#         program: logger -t falco-test
-#   - send over a network connection:
-#         program: nc host.example.com 80
-
-# If keep_alive is set to true, the program will be started once and
-# continuously written to, with each output message on its own
-# line. If keep_alive is set to false, the program will be re-spawned
-# for each output message.
-#
-# Also, the program will be closed and reopened if falco is signaled with
-# SIGUSR1.
-program_output:
-  enabled: false
-  keep_alive: false
-  program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
-
-http_output:
-  enabled: false
-  url: http://some.url

test/falco_k8s_audit_tests.yaml

@@ -19,627 +19,758 @@ trace_files: !mux
   compat_engine_v4_create_disallowed_pod:
     detect: True
     detect_level: WARNING
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
       - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
       - ./rules/k8s_audit/engine_v4/allow_only_apache_container.yaml
     detect_counts:
       - Create Disallowed Pod: 1
-    trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
 
   compat_engine_v4_create_allowed_pod:
     detect: False
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
       - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
       - ./rules/k8s_audit/engine_v4/allow_nginx_container.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
 
   compat_engine_v4_create_privileged_pod:
     detect: True
     detect_level: WARNING
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
       - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
     detect_counts:
       - Create Privileged Pod: 1
-    trace_file: trace_files/k8s_audit/create_nginx_pod_privileged.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged.json
 
   compat_engine_v4_create_privileged_trusted_pod:
     detect: False
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
       - ./rules/k8s_audit/trust_nginx_container.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_privileged.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged.json
 
   compat_engine_v4_create_unprivileged_pod:
     detect: False
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
       - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
 
   compat_engine_v4_create_hostnetwork_pod:
     detect: True
     detect_level: WARNING
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
       - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
     detect_counts:
       - Create HostNetwork Pod: 1
-    trace_file: trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
 
   compat_engine_v4_create_hostnetwork_trusted_pod:
     detect: False
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
       - ./rules/k8s_audit/trust_nginx_container.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
 
   user_outside_allowed_set:
     detect: True
     detect_level: WARNING
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/allow_namespace_foo.yaml
     detect_counts:
       - Disallowed K8s User: 1
-    trace_file: trace_files/k8s_audit/some-user_creates_namespace_foo.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/some-user_creates_namespace_foo.json
 
   user_in_allowed_set:
     detect: False
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/allow_namespace_foo.yaml
       - ./rules/k8s_audit/allow_user_some-user.yaml
       - ./rules/k8s_audit/disallow_kactivity.yaml
-    trace_file: trace_files/k8s_audit/some-user_creates_namespace_foo.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/some-user_creates_namespace_foo.json
 
   create_disallowed_pod:
     detect: True
     detect_level: WARNING
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/allow_only_apache_container.yaml
     detect_counts:
       - Create Disallowed Pod: 1
-    trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
 
   create_allowed_pod:
     detect: False
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/allow_nginx_container.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
 
   create_privileged_pod:
     detect: True
     detect_level: WARNING
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - Create Privileged Pod: 1
-    trace_file: trace_files/k8s_audit/create_nginx_pod_privileged.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged.json
 
   create_privileged_no_secctx_1st_container_2nd_container_pod:
     detect: True
     detect_level: WARNING
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - Create Privileged Pod: 1
-    trace_file: trace_files/k8s_audit/create_nginx_pod_no_secctx_1st_container_privileged_2nd_container.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_no_secctx_1st_container_privileged_2nd_container.json
 
   create_privileged_2nd_container_pod:
     detect: True
     detect_level: WARNING
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - Create Privileged Pod: 1
-    trace_file: trace_files/k8s_audit/create_nginx_pod_privileged_2nd_container.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged_2nd_container.json
 
   create_privileged_trusted_pod:
     detect: False
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/trust_nginx_container.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_privileged.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged.json
 
   create_unprivileged_pod:
     detect: False
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
 
   create_unprivileged_trusted_pod:
     detect: False
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/trust_nginx_container.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
 
   create_sensitive_mount_pod:
     detect: True
     detect_level: WARNING
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - Create Sensitive Mount Pod: 1
-    trace_file: trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json
 
   create_sensitive_mount_2nd_container_pod:
     detect: True
     detect_level: WARNING
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - Create Sensitive Mount Pod: 1
-    trace_file: trace_files/k8s_audit/create_nginx_pod_sensitive_mount_2nd_container.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_sensitive_mount_2nd_container.json
 
   create_sensitive_mount_trusted_pod:
     detect: False
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/trust_nginx_container.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json
 
   create_unsensitive_mount_pod:
     detect: False
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json
 
   create_unsensitive_mount_trusted_pod:
     detect: False
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/trust_nginx_container.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json
 
   create_hostnetwork_pod:
     detect: True
     detect_level: WARNING
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - Create HostNetwork Pod: 1
-    trace_file: trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
 
   create_hostnetwork_trusted_pod:
     detect: False
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/trust_nginx_container.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
 
   create_nohostnetwork_pod:
     detect: False
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json
 
   create_nohostnetwork_trusted_pod:
     detect: False
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/trust_nginx_container.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json
 
   create_nodeport_service:
     detect: True
     detect_level: WARNING
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/disallow_kactivity.yaml
     detect_counts:
       - Create NodePort Service: 1
-    trace_file: trace_files/k8s_audit/create_nginx_service_nodeport.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_service_nodeport.json
 
   create_nonodeport_service:
     detect: False
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/disallow_kactivity.yaml
-    trace_file: trace_files/k8s_audit/create_nginx_service_nonodeport.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_service_nonodeport.json
 
   create_configmap_private_creds:
     detect: True
     detect_level: WARNING
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/disallow_kactivity.yaml
     detect_counts:
       - Create/Modify Configmap With Private Credentials: 6
-    trace_file: trace_files/k8s_audit/create_configmap_sensitive_values.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_configmap_sensitive_values.json
 
   create_configmap_no_private_creds:
     detect: False
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/disallow_kactivity.yaml
-    trace_file: trace_files/k8s_audit/create_configmap_no_sensitive_values.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_configmap_no_sensitive_values.json
 
   anonymous_user:
     detect: True
     detect_level: WARNING
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - Anonymous Request Allowed: 1
-    trace_file: trace_files/k8s_audit/anonymous_creates_namespace_foo.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/anonymous_creates_namespace_foo.json
 
   pod_exec:
     detect: True
     detect_level: NOTICE
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - Attach/Exec Pod: 1
-    trace_file: trace_files/k8s_audit/exec_pod.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/exec_pod.json
 
   pod_attach:
     detect: True
     detect_level: NOTICE
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - Attach/Exec Pod: 1
-    trace_file: trace_files/k8s_audit/attach_pod.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/attach_pod.json
 
   namespace_outside_allowed_set:
     detect: True
     detect_level: WARNING
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/allow_user_some-user.yaml
     detect_counts:
       - Create Disallowed Namespace: 1
-    trace_file: trace_files/k8s_audit/some-user_creates_namespace_foo.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/some-user_creates_namespace_foo.json
 
   namespace_in_allowed_set:
     detect: False
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/allow_namespace_foo.yaml
       - ./rules/k8s_audit/disallow_kactivity.yaml
-    trace_file: trace_files/k8s_audit/minikube_creates_namespace_foo.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/minikube_creates_namespace_foo.json
 
   create_pod_in_kube_system_namespace:
     detect: True
     detect_level: WARNING
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - Pod Created in Kube Namespace: 1
-    trace_file: trace_files/k8s_audit/create_pod_kube_system_namespace.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_pod_kube_system_namespace.json
 
   create_pod_in_kube_public_namespace:
     detect: True
     detect_level: WARNING
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - Pod Created in Kube Namespace: 1
-    trace_file: trace_files/k8s_audit/create_pod_kube_public_namespace.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_pod_kube_public_namespace.json
 
   create_serviceaccount_in_kube_system_namespace:
     detect: True
     detect_level: WARNING
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - Service Account Created in Kube Namespace: 1
-    trace_file: trace_files/k8s_audit/create_serviceaccount_kube_system_namespace.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_serviceaccount_kube_system_namespace.json
 
   create_serviceaccount_in_kube_public_namespace:
     detect: True
     detect_level: WARNING
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - Service Account Created in Kube Namespace: 1
-    trace_file: trace_files/k8s_audit/create_serviceaccount_kube_public_namespace.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_serviceaccount_kube_public_namespace.json
 
   system_clusterrole_deleted:
     detect: True
     detect_level: WARNING
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - System ClusterRole Modified/Deleted: 1
-    trace_file: trace_files/k8s_audit/delete_cluster_role_kube_aggregator.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_cluster_role_kube_aggregator.json
 
   system_clusterrole_modified:
     detect: True
     detect_level: WARNING
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - System ClusterRole Modified/Deleted: 1
-    trace_file: trace_files/k8s_audit/modify_cluster_role_node_problem_detector.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/modify_cluster_role_node_problem_detector.json
 
   attach_cluster_admin_role:
     detect: True
     detect_level: WARNING
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - Attach to cluster-admin Role: 1
-    trace_file: trace_files/k8s_audit/attach_cluster_admin_role.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/attach_cluster_admin_role.json
 
   create_cluster_role_wildcard_resources:
     detect: True
     detect_level: WARNING
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - ClusterRole With Wildcard Created: 1
-    trace_file: trace_files/k8s_audit/create_cluster_role_wildcard_resources.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_cluster_role_wildcard_resources.json
 
   create_cluster_role_wildcard_verbs:
     detect: True
     detect_level: WARNING
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - ClusterRole With Wildcard Created: 1
-    trace_file: trace_files/k8s_audit/create_cluster_role_wildcard_verbs.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_cluster_role_wildcard_verbs.json
 
   create_writable_cluster_role:
     detect: True
     detect_level: NOTICE
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - ClusterRole With Write Privileges Created: 1
-    trace_file: trace_files/k8s_audit/create_cluster_role_write_privileges.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_cluster_role_write_privileges.json
 
   create_pod_exec_cluster_role:
     detect: True
     detect_level: WARNING
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - ClusterRole With Pod Exec Created: 1
-    trace_file: trace_files/k8s_audit/create_cluster_role_pod_exec.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_cluster_role_pod_exec.json
 
   create_deployment:
     detect: True
     detect_level: INFO
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Deployment Created: 1
-    trace_file: trace_files/k8s_audit/create_deployment.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_deployment.json
 
   delete_deployment:
     detect: True
     detect_level: INFO
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Deployment Deleted: 1
-    trace_file: trace_files/k8s_audit/delete_deployment.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_deployment.json
 
   create_service:
     detect: True
     detect_level: INFO
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Service Created: 1
-    trace_file: trace_files/k8s_audit/create_service.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_service.json
 
   delete_service:
     detect: True
     detect_level: INFO
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Service Deleted: 1
-    trace_file: trace_files/k8s_audit/delete_service.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_service.json
 
   create_configmap:
     detect: True
     detect_level: INFO
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s ConfigMap Created: 1
-    trace_file: trace_files/k8s_audit/create_configmap.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_configmap.json
 
   delete_configmap:
     detect: True
     detect_level: INFO
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s ConfigMap Deleted: 1
-    trace_file: trace_files/k8s_audit/delete_configmap.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_configmap.json
 
   create_namespace:
     detect: True
     detect_level: INFO
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
       - ./rules/k8s_audit/allow_namespace_foo.yaml
       - ./rules/k8s_audit/allow_user_some-user.yaml
     detect_counts:
       - K8s Namespace Created: 1
-    trace_file: trace_files/k8s_audit/some-user_creates_namespace_foo.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/some-user_creates_namespace_foo.json
 
   delete_namespace:
     detect: True
     detect_level: INFO
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Namespace Deleted: 1
-    trace_file: trace_files/k8s_audit/delete_namespace_foo.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_namespace_foo.json
 
   create_serviceaccount:
     detect: True
     detect_level: INFO
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Serviceaccount Created: 1
-    trace_file: trace_files/k8s_audit/create_serviceaccount.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_serviceaccount.json
 
   delete_serviceaccount:
     detect: True
     detect_level: INFO
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Serviceaccount Deleted: 1
-    trace_file: trace_files/k8s_audit/delete_serviceaccount.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_serviceaccount.json
 
   create_clusterrole:
     detect: True
     detect_level: INFO
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Role/Clusterrole Created: 1
-    trace_file: trace_files/k8s_audit/create_clusterrole.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_clusterrole.json
 
   delete_clusterrole:
     detect: True
     detect_level: INFO
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Role/Clusterrole Deleted: 1
-    trace_file: trace_files/k8s_audit/delete_clusterrole.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_clusterrole.json
 
   create_clusterrolebinding:
     detect: True
     detect_level: INFO
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Role/Clusterrolebinding Created: 1
-    trace_file: trace_files/k8s_audit/create_clusterrolebinding.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_clusterrolebinding.json
 
   delete_clusterrolebinding:
     detect: True
     detect_level: INFO
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Role/Clusterrolebinding Deleted: 1
-    trace_file: trace_files/k8s_audit/delete_clusterrolebinding.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_clusterrolebinding.json
 
   create_secret:
     detect: True
     detect_level: INFO
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Secret Created: 1
-    trace_file: trace_files/k8s_audit/create_secret.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_secret.json
 
   # Should *not* result in any event as the secret rules skip service account token secrets
   create_service_account_token_secret:
     detect: False
     detect_level: INFO
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
-    trace_file: trace_files/k8s_audit/create_service_account_token_secret.json
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_service_account_token_secret.json
 
   create_kube_system_secret:
     detect: False
     detect_level: INFO
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
-    trace_file: trace_files/k8s_audit/create_kube_system_secret.json
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_kube_system_secret.json
 
   delete_secret:
     detect: True
     detect_level: INFO
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Secret Deleted: 1
-    trace_file: trace_files/k8s_audit/delete_secret.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_secret.json
 
   fal_01_003:
     detect: False
-    detect_level: INFO
+    enable_source: k8s_audit
     rules_file:
       - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
-    trace_file: trace_files/k8s_audit/fal_01_003.json
-    stderr_contains: 'Could not read k8s audit event line #1, "{"kind": 0}": Data not recognized as a k8s audit event, stopping'
+      - BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/fal_01_003.json
+    stderr_contains: 'data not recognized as a k8s audit event'
 
   json_pointer_correct_parse:
     detect: True
     detect_level: WARNING
+    enable_source: k8s_audit
     rules_file:
       - ./rules/k8s_audit/single_rule_with_json_pointer.yaml
     detect_counts:
       - json_pointer_example: 1
-    trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+    conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
+    addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json

test/falco_test.py

@@ -44,9 +44,6 @@ class FalcoTest(Test):
 
         self.falcodir = self.params.get('falcodir', '/', default=build_dir)
 
-        self.psp_conv_path = os.path.join(build_dir, "falcoctl")
-        self.psp_conv_url = "https://github.com/falcosecurity/falcoctl/releases/download/v0.0.4/falcoctl-0.0.4-linux-amd64"
-
         self.stdout_is = self.params.get('stdout_is', '*', default='')
         self.stderr_is = self.params.get('stderr_is', '*', default='')
 
@@ -80,6 +77,10 @@ class FalcoTest(Test):
             else:
                 self.stderr_not_contains = [self.stderr_not_contains]
 
+        self.validate_ok = self.params.get('validate_ok', '*', default='')
+        self.validate_warnings = self.params.get('validate_warnings', '*', default='')
+        self.validate_errors = self.params.get('validate_errors', '*', default='')
+
         self.exit_status = self.params.get('exit_status', '*', default=0)
         self.should_detect = self.params.get('detect', '*', default=False)
         self.check_detection_counts = self.params.get('check_detection_counts', '*', default=True)
@@ -96,6 +97,7 @@ class FalcoTest(Test):
         self.all_events = self.params.get('all_events', '*', default=False)
         self.priority = self.params.get('priority', '*', default='debug')
         self.addl_cmdline_opts = self.params.get('addl_cmdline_opts', '*', default='')
+        self.enable_source = self.params.get('enable_source', '*', default='')
         self.rules_file = self.params.get(
             'rules_file', '*', default=os.path.join(self.basedir, '../rules/falco_rules.yaml'))
 
@@ -108,18 +110,21 @@ class FalcoTest(Test):
         if self.validate_rules_file == False:
             self.validate_rules_file = []
         else:
+            # Always enable json output when validating rules
+            # files. Makes parsing errors/warnings easier
+            self.json_output = True
             if not isinstance(self.validate_rules_file, list):
                 self.validate_rules_file = [self.validate_rules_file]
-
-        self.psp_rules_file = os.path.join(build_dir, "psp_rules.yaml")
-
-        self.psp_file = self.params.get('psp_file', '*', default="")
+        
+        # can be either empty, a string, or a list
+        if self.enable_source == '':
+            self.enable_source = []
+        else:
+            if not isinstance(self.enable_source, list):
+                self.enable_source = [self.enable_source]
 
         self.rules_args = ""
 
-        if self.psp_file != "":
-            self.rules_args = self.rules_args + "-r " + self.psp_rules_file + " "
-
         for file in self.validate_rules_file:
             if not os.path.isabs(file):
                 file = os.path.join(self.basedir, file)
@@ -127,7 +132,7 @@ class FalcoTest(Test):
 
         for file in self.rules_file:
             if not os.path.isabs(file):
-                file = os.path.join(self.basedir, file)
+                file = os.path.join(self.basedir, file.replace("BUILD_DIR", build_dir))
             self.rules_args = self.rules_args + "-r " + file + " "
 
         self.conf_file = self.params.get(
@@ -163,13 +168,6 @@ class FalcoTest(Test):
                     detect_counts[key] = value
             self.detect_counts = detect_counts
 
-        self.rules_warning = self.params.get(
-            'rules_warning', '*', default=False)
-        if self.rules_warning == False:
-            self.rules_warning = set()
-        else:
-            self.rules_warning = set(self.rules_warning)
-
         # Maps from rule name to set of evttypes
         self.rules_events = self.params.get('rules_events', '*', default=False)
         if self.rules_events == False:
@@ -242,7 +240,7 @@ class FalcoTest(Test):
         self.grpcurl_res = None
         self.grpc_observer = None
         self.grpc_address = self.params.get(
-            'address', 'grpc/*', default='/var/run/falco.sock')
+            'address', 'grpc/*', default='/run/falco/falco.sock')
         if self.grpc_address.startswith("unix://"):
             self.is_grpc_using_unix_socket = True
             self.grpc_address = self.grpc_address[len("unix://"):]
@@ -275,22 +273,6 @@ class FalcoTest(Test):
         if self.package != 'None':
             self.uninstall_package()
 
-    def check_rules_warnings(self, res):
-
-        found_warning = set()
-
-        for match in re.finditer('Rule ([^:]+): warning \(([^)]+)\):', res.stderr.decode("utf-8")):
-            rule = match.group(1)
-            warning = match.group(2)
-            found_warning.add(rule)
-
-        self.log.debug("Expected warning rules: {}".format(self.rules_warning))
-        self.log.debug("Actual warning rules: {}".format(found_warning))
-
-        if found_warning != self.rules_warning:
-            self.fail("Expected rules with warnings {} does not match actual rules with warnings {}".format(
-                self.rules_warning, found_warning))
-
     def check_rules_events(self, res):
 
         found_events = {}
@@ -386,7 +368,68 @@ class FalcoTest(Test):
 
         return True
 
-    def check_json_output(self, res):
+    def get_validate_json(self, res):
+        if self.validate_json is None:
+            # The first line of stdout should be the validation result as json
+            self.validate_json = json.loads(res.stdout.decode("utf-8").partition('\n')[0])
+        return self.validate_json
+
+    def check_validate_ok(self, res):
+        if self.validate_ok != '':
+            vobj = self.get_validate_json(res)
+            for expected in self.validate_ok:
+                found = False
+                for vres in vobj["falco_load_results"]:
+                    if vres["successful"] and os.path.basename(vres["name"]) == expected:
+                        found = True
+                        break
+                if not found:
+                    self.fail("Validation json did not contain a successful result for file '{}'".format(expected))
+
+    def check_validate_warnings(self, res):
+        if self.validate_warnings != '':
+            vobj = self.get_validate_json(res)
+            for warnobj in self.validate_warnings:
+                found = False
+                for vres in vobj["falco_load_results"]:
+                    for warning in vres["warnings"]:
+                        if warning["code"] == warnobj["code"]:
+                            if ("message" in warnobj and warning["message"] == warnobj["message"]) or ("message_contains" in warnobj and warnobj["message_contains"] in warning["message"]):
+                                for loc in warning["context"]["locations"]:
+                                    if loc["item_type"] == warnobj["item_type"] and loc["item_name"] == warnobj["item_name"]:
+                                        found = True
+                                        break
+                if not found:
+                    if "message" in warnobj:
+                        self.fail("Validation json did not contain a warning '{}' for '{}' '{}' with message '{}'".format(
+                            warnobj["code"], warnobj["item_type"], warnobj["item_name"], warnobj["message"]))
+                    else:
+                        self.fail("Validation json did not contain a warning '{}' for '{}' '{}' with message containing '{}'".format(
+                            warnobj["code"], warnobj["item_type"], warnobj["item_name"], warnobj["message_contains"]))
+
+    def check_validate_errors(self, res):
+        if self.validate_errors != '':
+            vobj = self.get_validate_json(res)
+            for errobj in self.validate_errors:
+                found = False
+                for vres in vobj["falco_load_results"]:
+                    for error in vres["errors"]:
+                        if error["code"] == errobj["code"]:
+                            if ("message" in errobj and error["message"] == errobj["message"]) or ("message_contains" in errobj and errobj["message_contains"] in error["message"]):
+                                for loc in error["context"]["locations"]:
+                                    if loc["item_type"] == errobj["item_type"] and loc["item_name"] == errobj["item_name"]:
+                                        found = True
+                                        break
+                if not found:
+                    if "message" in errobj:
+                        self.fail("Validation json did not contain a error '{}' for '{}' '{}' with message '{}'".format(
+                            errobj["code"], errobj["item_type"], errobj["item_name"], errobj["message"]))
+                    else:
+                        self.fail("Validation json did not contain a error '{}' for '{}' '{}' with message containing '{}'".format(
+                            errobj["code"], errobj["item_type"], errobj["item_name"], errobj["message_contains"]))
+
+
+    def check_json_event_output(self, res):
         if self.json_output:
             # Just verify that any lines starting with '{' are valid json objects.
             # Doesn't do any deep inspection of the contents.
@@ -588,41 +631,22 @@ class FalcoTest(Test):
             # This sets falco_binary_path as a side-effect.
             self.install_package()
 
+        self.validate_json = None
+
         trace_arg = self.trace_file
 
         if self.trace_file:
             trace_arg = "-e {}".format(self.trace_file)
 
-        # Possibly run psp converter
-        if self.psp_file != "":
-
-            if not os.path.isfile(self.psp_conv_path):
-                self.log.info("Downloading {} to {}".format(
-                    self.psp_conv_url, self.psp_conv_path))
-
-                urllib.request.urlretrieve(
-                    self.psp_conv_url, self.psp_conv_path)
-                os.chmod(self.psp_conv_path, stat.S_IEXEC)
-
-            conv_cmd = '{} convert psp --psp-path {} --rules-path {}'.format(
-                self.psp_conv_path, os.path.join(self.basedir, self.psp_file), self.psp_rules_file)
-
-            conv_proc = process.SubProcess(conv_cmd)
-
-            conv_res = conv_proc.run(timeout=180, sig=9)
-
-            if conv_res.exit_status != 0:
-                self.error("psp_conv command \"{}\" exited with unexpected return value {}. Full stdout={} stderr={}".format(
-                    conv_cmd, conv_res.exit_status, conv_res.stdout, conv_res.stderr))
-
-            with open(self.psp_rules_file, 'r') as myfile:
-                psp_rules = myfile.read()
-                self.log.debug("Converted Rules: {}".format(psp_rules))
+        extra_cmdline = ''
+        for source in self.enable_source:
+            extra_cmdline += ' --enable-source="{}"'.format(source)
+        extra_cmdline += ' ' + self.addl_cmdline_opts
 
         # Run falco
         cmd = '{} {} {} -c {} {} -o json_output={} -o json_include_output_property={} -o json_include_tags_property={} -o priority={} -v {}'.format(
             self.falco_binary_path, self.rules_args, self.disabled_args, self.conf_file, trace_arg, self.json_output,
-            self.json_include_output_property, self.json_include_tags_property, self.priority, self.addl_cmdline_opts)
+            self.json_include_output_property, self.json_include_tags_property, self.priority, extra_cmdline)
 
         for tag in self.disable_tags:
             cmd += ' -T {}'.format(tag)
@@ -639,7 +663,7 @@ class FalcoTest(Test):
         if self.time_iso_8601:
             cmd += ' -o time_format_iso_8601=true'
 
-        self.falco_proc = process.SubProcess(cmd)
+        self.falco_proc = process.SubProcess(cmd, env=dict(os.environ, FALCO_HOSTNAME="test-falco-hostname"))
 
         res = self.falco_proc.run(timeout=180, sig=9)
 
@@ -680,18 +704,22 @@ class FalcoTest(Test):
             self.error("Falco command \"{}\" exited with unexpected return value {} (!= {})".format(
                 cmd, res.exit_status, self.exit_status))
 
+        self.check_validate_ok(res)
+        self.check_validate_errors(res)
+        self.check_validate_warnings(res)
+
         # No need to check any outputs if the falco process exited abnormally.
         if res.exit_status != 0:
             return
 
-        self.check_rules_warnings(res)
         if len(self.rules_events) > 0:
             self.check_rules_events(res)
         if len(self.validate_rules_file) == 0 and self.check_detection_counts:
             self.check_detections(res)
         if len(self.detect_counts) > 0:
             self.check_detections_by_rule(res)
-        self.check_json_output(res)
+        if not self.validate_rules_file:
+            self.check_json_event_output(res)
         self.check_outputs()
         self.check_output_strictly_contains(res)
         self.check_grpc()

test/falco_tests.yaml

@@ -20,22 +20,55 @@ trace_files: !mux
   builtin_rules_no_warnings:
     detect: False
     trace_file: trace_files/empty.scap
-    rules_warning: False
 
+  # The rules_events part of this test was mistakenly disabled when
+  # generic events (e.g. k8s_audit support) was added (#1715).
+  # The implementation no longer prints messages of the form:
+  # "Event types for rule (<RULE>): (<EVENT TYPES>)
+  # And without that output, none of the checks below rules_events
+  # are considered.
+  # XXX/mstemm add it back
   test_warnings:
     detect: False
     trace_file: trace_files/empty.scap
-    rules_file: rules/falco_rules_warnings.yaml
-    rules_warning:
-      - no_evttype
-      - evttype_not_equals
-      - leading_not
-      - not_equals_at_end
-      - not_at_end
-      - not_equals_and_not
-      - leading_in_not_equals_at_evttype
-      - not_with_evttypes
-      - not_with_evttypes_addl
+    validate_rules_file: rules/falco_rules_warnings.yaml
+    validate_warnings:
+      - item_type: rule
+        item_name: no_evttype
+        code: LOAD_NO_EVTTYPE
+        message: "Rule matches too many evt.type values. This has a significant performance penalty."
+      - item_type: rule
+        item_name: evttype_not_equals
+        code: LOAD_NO_EVTTYPE
+        message: "Rule matches too many evt.type values. This has a significant performance penalty."
+      - item_type: rule
+        item_name: leading_not
+        code: LOAD_NO_EVTTYPE
+        message: "Rule matches too many evt.type values. This has a significant performance penalty."
+      - item_type: rule
+        item_name: not_equals_at_end
+        code: LOAD_NO_EVTTYPE
+        message: "Rule matches too many evt.type values. This has a significant performance penalty."
+      - item_type: rule
+        item_name: not_at_end
+        code: LOAD_NO_EVTTYPE
+        message: "Rule matches too many evt.type values. This has a significant performance penalty."
+      - item_type: rule
+        item_name: not_equals_and_not
+        code: LOAD_NO_EVTTYPE
+        message: "Rule matches too many evt.type values. This has a significant performance penalty."
+      - item_type: rule
+        item_name: leading_in_not_equals_at_evttype
+        code: LOAD_NO_EVTTYPE
+        message: "Rule matches too many evt.type values. This has a significant performance penalty."
+      - item_type: rule
+        item_name: not_with_evttypes
+        code: LOAD_NO_EVTTYPE
+        message: "Rule matches too many evt.type values. This has a significant performance penalty."
+      - item_type: rule
+        item_name: not_with_evttypes_addl
+        code: LOAD_NO_EVTTYPE
+        message: "Rule matches too many evt.type values. This has a significant performance penalty."
     rules_events:
       - no_warnings: [execve]
       - no_evttype: [all]
@@ -44,8 +77,8 @@ trace_files: !mux
       - not_equals_after_evttype: [execve]
       - not_after_evttype: [execve]
       - leading_trailing_evttypes: [execve,open]
-      - leading_multtrailing_evttypes: [connect,execve,open]
-      - leading_multtrailing_evttypes_using_in: [connect,execve,open]
+      - leading_multitrailing_evttypes: [connect,execve,open]
+      - leading_multitrailing_evttypes_using_in: [connect,execve,open]
       - not_equals_at_end: [all]
       - not_at_end: [all]
       - not_before_trailing_evttype: [all]
@@ -251,171 +284,149 @@ trace_files: !mux
 
   invalid_not_yaml:
     exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Rules content is not yaml
-      ---
-      This is not yaml
-      ---
+    validate_errors:
+      - item_type: rules content
+        item_name: ""
+        code: LOAD_ERR_YAML_VALIDATE
+        message: "Rules content is not yaml"
     validate_rules_file:
       - rules/invalid_not_yaml.yaml
     trace_file: trace_files/cat_write.scap
 
   invalid_not_array:
     exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Rules content is not yaml array of objects
-      ---
-      foo: bar
-      ---
+    validate_errors:
+      - item_type: rules content
+        item_name: ""
+        code: LOAD_ERR_YAML_VALIDATE
+        message: "Rules content is not yaml array of objects"
     validate_rules_file:
       - rules/invalid_not_array.yaml
     trace_file: trace_files/cat_write.scap
 
   invalid_array_item_not_object:
     exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Unexpected element of type string. Each element should be a yaml associative array.
-      ---
-      - foo
-      ---
+    validate_errors:
+      - item_type: rules content item
+        item_name: ""
+        code: LOAD_ERR_YAML_VALIDATE
+        message: "Unexpected element type. Each element should be a yaml associative array."
     validate_rules_file:
       - rules/invalid_array_item_not_object.yaml
     trace_file: trace_files/cat_write.scap
 
   invalid_engine_version_not_number:
     exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Value of required_engine_version must be a number
-      ---
-      - required_engine_version: not-a-number
-      ---
+    validate_errors:
+      - item_type: required_engine_version
+        item_name: ""
+        code: LOAD_ERR_YAML_VALIDATE
+        message: "Can't decode YAML scalar value"
     validate_rules_file:
       - rules/invalid_engine_version_not_number.yaml
     trace_file: trace_files/cat_write.scap
 
   invalid_yaml_parse_error:
     exit_status: 1
-    stdout_is: |+
-      1 errors:
-      mapping values are not allowed in this context
-      ---
-      this : is : not : yaml
-      ---
+    validate_errors:
+      - item_type: rules content
+        item_name: ""
+        code: LOAD_ERR_YAML_PARSE
+        message: "yaml-cpp: error at line 1, column 11: illegal map value"
     validate_rules_file:
       - rules/invalid_yaml_parse_error.yaml
     trace_file: trace_files/cat_write.scap
 
   invalid_list_without_items:
     exit_status: 1
-    stdout_is: |+
-      1 errors:
-      List must have property items
-      ---
-      - list: bad_list
-        no_items: foo
-      ---
+    validate_errors:
+      - item_type: list
+        item_name: bad_list
+        code: LOAD_ERR_YAML_VALIDATE
+        message: "Item has no mapping for key 'items'"
     validate_rules_file:
       - rules/invalid_list_without_items.yaml
     trace_file: trace_files/cat_write.scap
 
   invalid_macro_without_condition:
     exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Macro must have property condition
-      ---
-      - macro: bad_macro
-        nope: 1
-      ---
+    validate_errors:
+      - item_type: macro
+        item_name: bad_macro
+        code: LOAD_ERR_YAML_VALIDATE
+        message: "Item has no mapping for key 'condition'"
     validate_rules_file:
       - rules/invalid_macro_without_condition.yaml
     trace_file: trace_files/cat_write.scap
 
   invalid_rule_without_output:
     exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Rule must have property output
-      ---
-      - rule: no output rule
-        desc: some desc
-        condition: evt.type=fork
-        priority: INFO
-      ---
+    validate_errors:
+      - item_type: rule
+        item_name: no output rule
+        code: LOAD_ERR_YAML_VALIDATE
+        message: "Item has no mapping for key 'output'"
     validate_rules_file:
       - rules/invalid_rule_without_output.yaml
     trace_file: trace_files/cat_write.scap
 
   invalid_append_rule_without_condition:
     exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Appended rule must have exceptions or condition property
-      ---
-      - rule: no condition rule
-        append: true
-      ---
+    validate_errors:
+      - item_type: rule
+        item_name: no condition rule
+        code: LOAD_ERR_VALIDATE
+        message: "Appended rule must have exceptions or condition property"
     validate_rules_file:
       - rules/invalid_append_rule_without_condition.yaml
     trace_file: trace_files/cat_write.scap
 
   invalid_append_macro_dangling:
     exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Macro dangling append has 'append' key but no macro by that name already exists
-      ---
-      - macro: dangling append
-        condition: and evt.type=execve
-        append: true
-      ---
+    validate_errors:
+      - item_type: macro
+        item_name: dangling append
+        code: LOAD_ERR_VALIDATE
+        message: "Macro has 'append' key but no macro by that name already exists"
     validate_rules_file:
       - rules/invalid_append_macro_dangling.yaml
     trace_file: trace_files/cat_write.scap
 
   invalid_list_append_dangling:
     exit_status: 1
-    stdout_is: |+
-      1 errors:
-      List my_list has 'append' key but no list by that name already exists
-      ---
-      - list: my_list
-        items: [not-cat]
-        append: true
-      ---
+    validate_errors:
+      - item_type: list
+        item_name: my_list
+        code: LOAD_ERR_VALIDATE
+        message: "List has 'append' key but no list by that name already exists"
     validate_rules_file:
       - rules/list_append_failure.yaml
     trace_file: trace_files/cat_write.scap
 
   invalid_rule_append_dangling:
     exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Rule my_rule has 'append' key but no rule by that name already exists
-      ---
-      - rule: my_rule
-        condition: evt.type=open
-        append: true
-      ---
+    validate_errors:
+      - item_type: rule
+        item_name: my_rule
+        code: LOAD_ERR_VALIDATE
+        message: "Rule has 'append' key but no rule by that name already exists"
     validate_rules_file:
       - rules/rule_append_failure.yaml
     trace_file: trace_files/cat_write.scap
 
   invalid_overwrite_macro:
     exit_status: 1
-    stdout_contains: |+
-      .*invalid_base_macro.yaml: Ok
-      .*invalid_overwrite_macro.yaml: 1 errors:
-      Compilation error when compiling "foo": Undefined macro 'foo' used in filter.
-      ---
-      - macro: some macro
-        condition: foo
-        append: false
-      ---
+    validate_ok: [invalid_base_macro.yaml]
+    validate_errors:
+      - item_type: macro
+        item_name: some macro
+        code: LOAD_ERR_VALIDATE
+        message: "Undefined macro 'foo' used in filter."
+    validate_warnings:
+      - item_type: macro
+        item_name: some macro
+        code: LOAD_UNUSED_MACRO
+        message:  "Macro not referred to by any other rule/macro"
     validate_rules_file:
       - rules/invalid_base_macro.yaml
       - rules/invalid_overwrite_macro.yaml
@@ -423,18 +434,17 @@ trace_files: !mux
 
   invalid_append_macro:
     exit_status: 1
-    stdout_contains: |+
-      .*invalid_base_macro.yaml: Ok
-      .*invalid_append_macro.yaml: 1 errors:
-      Compilation error when compiling "evt.type=execve foo": 17: syntax error, unexpected 'foo', expecting 'or', 'and'
-      ---
-      - macro: some macro
-        condition: evt.type=execve
-
-      - macro: some macro
-        condition: foo
-        append: true
-      ---
+    validate_ok: [invalid_base_macro.yaml]
+    validate_errors:
+      - item_type: macro
+        item_name: some macro
+        code: LOAD_ERR_COMPILE_CONDITION
+        message: "unexpected token after 'execve', expecting 'or', 'and'"
+    validate_warnings:
+      - item_type: macro
+        item_name: some macro
+        code: LOAD_UNUSED_MACRO
+        message: "Macro not referred to by any other rule/macro"
     validate_rules_file:
       - rules/invalid_base_macro.yaml
       - rules/invalid_append_macro.yaml
@@ -442,49 +452,34 @@ trace_files: !mux
 
   invalid_overwrite_macro_multiple_docs:
     exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Compilation error when compiling "foo": Undefined macro 'foo' used in filter.
-      ---
-      - macro: some macro
-        condition: foo
-        append: false
-      ---
+    validate_errors:
+      - item_type: macro
+        item_name: some macro
+        code: LOAD_ERR_VALIDATE
+        message: "Undefined macro 'foo' used in filter."
     validate_rules_file:
       - rules/invalid_overwrite_macro_multiple_docs.yaml
     trace_file: trace_files/cat_write.scap
 
   invalid_append_macro_multiple_docs:
     exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Compilation error when compiling "evt.type=execve foo": 17: syntax error, unexpected 'foo', expecting 'or', 'and'
-      ---
-      - macro: some macro
-        condition: evt.type=execve
-
-      - macro: some macro
-        condition: foo
-        append: true
-      ---
+    validate_errors:
+      - item_type: macro
+        item_name: some macro
+        code: LOAD_ERR_COMPILE_CONDITION
+        message: "unexpected token after 'execve', expecting 'or', 'and'"
     validate_rules_file:
       - rules/invalid_append_macro_multiple_docs.yaml
     trace_file: trace_files/cat_write.scap
 
   invalid_overwrite_rule:
     exit_status: 1
-    stdout_contains: |+
-      .*invalid_base_rule.yaml: Ok
-      .*invalid_overwrite_rule.yaml: 1 errors:
-      Undefined macro 'bar' used in filter.
-      ---
-      - rule: some rule
-        desc: some desc
-        condition: bar
-        output: some output
-        priority: INFO
-        append: false
-      ---
+    validate_ok: [invalid_base_rule.yaml]
+    validate_errors:
+      - item_type: rule
+        item_name: some rule
+        code: LOAD_ERR_VALIDATE
+        message: "Undefined macro 'bar' used in filter."
     validate_rules_file:
       - rules/invalid_base_rule.yaml
       - rules/invalid_overwrite_rule.yaml
@@ -492,24 +487,12 @@ trace_files: !mux
 
   invalid_append_rule:
     exit_status: 1
-    stdout_contains: |+
-      .*invalid_base_rule.yaml: Ok
-      .*invalid_append_rule.yaml: 1 errors:
-      Compilation error when compiling "evt.type=open bar": 15: syntax error, unexpected 'bar', expecting 'or', 'and'
-      ---
-      - rule: some rule
-        desc: some desc
-        condition: evt.type=open
-        output: some output
-        priority: INFO
-
-      - rule: some rule
-        desc: some desc
-        condition: bar
-        output: some output
-        priority: INFO
-        append: true
-      ---
+    validate_ok: [invalid_base_rule.yaml]
+    validate_errors:
+      - item_type: rule
+        item_name: some rule
+        code: LOAD_ERR_COMPILE_CONDITION
+        message: "unexpected token after 'open', expecting 'or', 'and'"
     validate_rules_file:
       - rules/invalid_base_rule.yaml
       - rules/invalid_append_rule.yaml
@@ -517,96 +500,66 @@ trace_files: !mux
 
   invalid_overwrite_rule_multiple_docs:
     exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Undefined macro 'bar' used in filter.
-      ---
-      - rule: some rule
-        desc: some desc
-        condition: bar
-        output: some output
-        priority: INFO
-        append: false
-      ---
+    validate_errors:
+      - item_type: rule
+        item_name: some rule
+        code: LOAD_ERR_VALIDATE
+        message: "Undefined macro 'bar' used in filter."
     validate_rules_file:
       - rules/invalid_overwrite_rule_multiple_docs.yaml
     trace_file: trace_files/cat_write.scap
 
   invalid_append_rule_multiple_docs:
     exit_status: 1
-    stdout_contains: |+
-      Compilation error when compiling "evt.type=open bar": 15: syntax error, unexpected 'bar', expecting 'or', 'and'
-      ---
-      - rule: some rule
-        desc: some desc
-        condition: evt.type=open
-        output: some output
-        priority: INFO
-
-      - rule: some rule
-        desc: some desc
-        condition: bar
-        output: some output
-        priority: INFO
-        append: true
-      ---
+    validate_errors:
+      - item_type: rule
+        item_name: some rule
+        code: LOAD_ERR_COMPILE_CONDITION
+        message: "unexpected token after 'open', expecting 'or', 'and'"
     validate_rules_file:
       - rules/invalid_append_rule_multiple_docs.yaml
     trace_file: trace_files/cat_write.scap
 
   invalid_missing_rule_name:
     exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Rule name is empty
-      ---
-      - rule:
-        desc: some desc
-        condition: evt.type=execve
-        output: some output
-      ---
+    validate_errors:
+      - item_type: rule
+        item_name: ""
+        code: LOAD_ERR_YAML_VALIDATE
+        message: "Mapping for key 'rule' is empty"
     validate_rules_file:
       - rules/invalid_missing_rule_name.yaml
     trace_file: trace_files/cat_write.scap
 
   invalid_missing_list_name:
     exit_status: 1
-    stdout_is: |+
-      1 errors:
-      List name is empty
-      ---
-      - list:
-        items: [foo]
-      ---
+    validate_errors:
+      - item_type: list
+        item_name: ""
+        code: LOAD_ERR_YAML_VALIDATE
+        message: "Mapping for key 'list' is empty"
     validate_rules_file:
       - rules/invalid_missing_list_name.yaml
     trace_file: trace_files/cat_write.scap
 
   invalid_missing_macro_name:
     exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Macro name is empty
-      ---
-      - macro:
-        condition: evt.type=execve
-      ---
+    validate_errors:
+      - item_type: macro
+        item_name: ""
+        code: LOAD_ERR_YAML_VALIDATE
+        message: "Mapping for key 'macro' is empty"
     validate_rules_file:
       - rules/invalid_missing_macro_name.yaml
     trace_file: trace_files/cat_write.scap
 
   invalid_rule_output:
     exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Invalid output format 'An open was seen %not_a_real_field': 'invalid formatting token not_a_real_field'
-      ---
-      - rule: rule_with_invalid_output
-        desc: A rule with an invalid output field
-        condition: evt.type=open
-        output: "An open was seen %not_a_real_field"
-        priority: WARNING
-      ---
+    validate_errors:
+      - item_type: rule
+        item_name: rule_with_invalid_output
+        code: LOAD_ERR_COMPILE_OUTPUT
+        message: "invalid formatting token not_a_real_field"
     validate_rules_file:
       - rules/invalid_rule_output.yaml
     trace_file: trace_files/cat_write.scap
@@ -634,13 +587,13 @@ trace_files: !mux
     rules_file:
       - rules/single_rule_enabled_flag.yaml
     trace_file: trace_files/cat_write.scap
-  
+
   disabled_rule_using_false_enabled_flag_only:
     detect: False
     rules_file:
       - rules/disabled_rule_using_enabled_flag_only.yaml
     trace_file: trace_files/cat_write.scap
-  
+
   enabled_rule_using_false_enabled_flag_only:
     detect: True
     detect_level: WARNING
@@ -766,7 +719,7 @@ trace_files: !mux
       - "Write below etc": 1
       - "System procs network activity": 1
       - "Mkdir binary dirs": 1
-      - "System user interactive": 1
+      - "System user interactive": 0
       - "DB program spawned process": 1
       - "Non sudo setuid": 1
       - "Create files below dev": 1
@@ -1037,13 +990,6 @@ trace_files: !mux
       - open_12: 0
       - open_13: 0
 
-  list_append_failure:
-    exit_status: 1
-    stderr_contains: "List my_list has 'append' key but no list by that name already exists"
-    rules_file:
-      - rules/list_append_failure.yaml
-    trace_file: trace_files/cat_write.scap
-
   list_append:
     detect: True
     detect_level: WARNING
@@ -1057,13 +1003,6 @@ trace_files: !mux
       - rules/list_append_false.yaml
     trace_file: trace_files/cat_write.scap
 
-  macro_append_failure:
-    exit_status: 1
-    stderr_contains: "Macro my_macro has 'append' key but no macro by that name already exists"
-    rules_file:
-      - rules/macro_append_failure.yaml
-    trace_file: trace_files/cat_write.scap
-
   macro_append:
     detect: True
     detect_level: WARNING
@@ -1077,13 +1016,6 @@ trace_files: !mux
       - rules/macro_append_false.yaml
     trace_file: trace_files/cat_write.scap
 
-  rule_append_failure:
-    exit_status: 1
-    stderr_contains: "Rule my_rule has 'append' key but no rule by that name already exists"
-    rules_file:
-      - rules/rule_append_failure.yaml
-    trace_file: trace_files/cat_write.scap
-
   rule_append_skipped:
     detect: False
     priority: ERROR
@@ -1161,13 +1093,21 @@ trace_files: !mux
       - rules/catchall_order.yaml
     detect_counts:
       - open_dev_null: 1
-        dev_null: 0
+        dev_null: 6
     trace_file: trace_files/cat_write.scap
 
-  skip_unknown_noevt:
+  validate_skip_unknown_noevt:
+    validate_warnings:
+      - item_type: rule
+        item_name: "Contains Unknown Event And Skipping"
+        code: LOAD_UNKNOWN_FIELD
+        message: "filter_check called with nonexistent field proc.nobody"
+    validate_rules_file:
+      - rules/skip_unknown_evt.yaml
+    trace_file: trace_files/cat_write.scap
+
+  detect_skip_unknown_noevt:
     detect: False
-    rules_warning:
-      - Contains Unknown Event And Skipping
     rules_file:
       - rules/skip_unknown_evt.yaml
     trace_file: trace_files/cat_write.scap
@@ -1180,41 +1120,34 @@ trace_files: !mux
 
   skip_unknown_error:
     exit_status: 1
-    stderr_contains: |+
-      Could not load rules file.*skip_unknown_error.yaml: 1 errors:
-      Rule Contains Unknown Event And Not Skipping: error filter_check called with nonexistent field proc.nobody
-      ---
-      - rule: Contains Unknown Event And Not Skipping
-        desc: Contains an unknown event
-        condition: proc.nobody=cat
-        output: Never
-        skip-if-unknown-filter: false
-        priority: INFO
-      ---
-    rules_file:
+    validate_errors:
+      - item_type: rule
+        item_name: "Contains Unknown Event And Not Skipping"
+        code: LOAD_ERR_COMPILE_CONDITION
+        message: "filter_check called with nonexistent field proc.nobody"
+    validate_rules_file:
       - rules/skip_unknown_error.yaml
     trace_file: trace_files/cat_write.scap
 
   skip_unknown_unspec_error:
     exit_status: 1
-    stderr_contains: |+
-      Could not load rules file .*skip_unknown_unspec.yaml: 1 errors:
-      Rule Contains Unknown Event And Unspecified: error filter_check called with nonexistent field proc.nobody
-      ---
-      - rule: Contains Unknown Event And Unspecified
-        desc: Contains an unknown event
-        condition: proc.nobody=cat
-        output: Never
-        priority: INFO
-      ---
-    rules_file:
+    validate_errors:
+      - item_type: rule
+        item_name: "Contains Unknown Event And Unspecified"
+        code: LOAD_ERR_COMPILE_CONDITION
+        message: "filter_check called with nonexistent field proc.nobody"
+    validate_rules_file:
       - rules/skip_unknown_unspec.yaml
     trace_file: trace_files/cat_write.scap
 
   engine_version_mismatch:
     exit_status: 1
-    stderr_contains: Rules require engine version 9999999, but engine version is
-    rules_file:
+    validate_errors:
+      - item_type: required_engine_version
+        item_name: ""
+        code: LOAD_ERR_VALIDATE
+        message_contains: "Rules require engine version 9999999, but engine version is"
+    validate_rules_file:
       - rules/engine_version_mismatch.yaml
     trace_file: trace_files/cat_write.scap
 

test/falco_tests_exceptions.yaml

@@ -20,175 +20,99 @@ trace_files: !mux
 
   rule_exception_no_fields:
     exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Rule exception item ex1: must have fields property with a list of fields
-      ---
-      - rule: My Rule
-        desc: Some desc
-        condition: evt.type=open and proc.name=cat
-        output: Some output
-        exceptions:
-          - name: ex1
-        priority: error
-      ---
+    validate_errors:
+      - item_type: exception
+        item_name: ex1
+        code: LOAD_ERR_YAML_VALIDATE
+        message: "Item has no mapping for key 'fields'"
     validate_rules_file:
       - rules/exceptions/item_no_fields.yaml
     trace_file: trace_files/cat_write.scap
 
   rule_exception_no_name:
     exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Rule exception item must have name property
-      ---
-      - rule: My Rule
-        desc: Some desc
-        condition: evt.type=open and proc.name=cat
-        output: Some output
-        exceptions:
-          - fields: [proc.name, fd.filename]
-        priority: error
-      ---
+    validate_errors:
+      - item_type: exception
+        item_name: ""
+        code: LOAD_ERR_YAML_VALIDATE
+        message: "Item has no mapping for key 'name'"
     validate_rules_file:
       - rules/exceptions/item_no_name.yaml
     trace_file: trace_files/cat_write.scap
 
   rule_exception_append_no_name:
     exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Rule exception item must have name property
-      ---
-      - rule: My Rule
-        exceptions:
-          - values:
-              - [nginx, /tmp/foo]
-        append: true
-      ---
+    validate_errors:
+      - item_type: exception
+        item_name: ""
+        code: LOAD_ERR_YAML_VALIDATE
+        message: "Item has no mapping for key 'name'"
     validate_rules_file:
       - rules/exceptions/append_item_no_name.yaml
     trace_file: trace_files/cat_write.scap
 
   rule_exception_unknown_fields:
     exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Rule exception item ex1: field name not.exist is not a supported filter field
-      ---
-      - rule: My Rule
-        desc: Some desc
-        condition: evt.type=open and proc.name=cat
-        output: Some output
-        exceptions:
-          - name: ex1
-            fields: [not.exist]
-        priority: error
-      ---
+    validate_errors:
+      - item_type: exception
+        item_name: ex1
+        code: LOAD_ERR_VALIDATE
+        message: "'not.exist' is not a supported filter field"
     validate_rules_file:
       - rules/exceptions/item_unknown_fields.yaml
     trace_file: trace_files/cat_write.scap
 
   rule_exception_comps_fields_len_mismatch:
     exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Rule exception item ex1: fields and comps lists must have equal length
-      ---
-      - rule: My Rule
-        desc: Some desc
-        condition: evt.type=open and proc.name=cat
-        output: Some output
-        exceptions:
-          - name: ex1
-            fields: [proc.name, fd.filename]
-            comps: [=]
-        priority: error
-      ---
+    validate_errors:
+      - item_type: exception
+        item_name: ex1
+        code: LOAD_ERR_VALIDATE
+        message: "Fields and comps lists must have equal length"
     validate_rules_file:
       - rules/exceptions/item_comps_fields_len_mismatch.yaml
     trace_file: trace_files/cat_write.scap
 
   rule_exception_unknown_comp:
     exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Rule exception item ex1: comparison operator no-comp is not a supported comparison operator
-      ---
-      - rule: My Rule
-        desc: Some desc
-        condition: evt.type=open and proc.name=cat
-        output: Some output
-        exceptions:
-          - name: ex1
-            fields: [proc.name, fd.filename]
-            comps: [=, no-comp]
-        priority: error
-      ---
+    validate_errors:
+      - item_type: exception
+        item_name: ex1
+        code: LOAD_ERR_VALIDATE
+        message: "'no-comp' is not a supported comparison operator"
     validate_rules_file:
       - rules/exceptions/item_unknown_comp.yaml
     trace_file: trace_files/cat_write.scap
 
   rule_exception_fields_values_len_mismatch:
     exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Exception item ex1: fields and values lists must have equal length
-      ---
-      - rule: My Rule
-        desc: Some desc
-        condition: evt.type=open and proc.name=cat
-        output: Some output
-        exceptions:
-          - name: ex1
-            fields: [proc.name, fd.filename]
-            values:
-              - [nginx]
-        priority: error
-      ---
+    validate_errors:
+      - item_type: exception
+        item_name: ex1
+        code: LOAD_ERR_VALIDATE
+        message: "Fields and values lists must have equal length"
     validate_rules_file:
       - rules/exceptions/item_fields_values_len_mismatch.yaml
     trace_file: trace_files/cat_write.scap
 
   rule_exception_append_fields_values_len_mismatch:
     exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Exception item ex1: fields and values lists must have equal length
-      ---
-      - rule: My Rule
-        desc: Some desc
-        condition: evt.type=open and proc.name=cat
-        output: Some output
-        exceptions:
-          - name: ex1
-            fields: [proc.name, fd.filename]
-        priority: error
-
-      - rule: My Rule
-        exceptions:
-          - name: ex1
-            values:
-              - [nginx]
-        append: true
-      ---
+    validate_errors:
+      - item_type: exception
+        item_name: ex1
+        code: LOAD_ERR_VALIDATE
+        message: "Fields and values lists must have equal length"
     validate_rules_file:
       - rules/exceptions/append_item_fields_values_len_mismatch.yaml
     trace_file: trace_files/cat_write.scap
 
   rule_exception_append_item_not_in_rule:
     exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Rule exception new item ex2: must have fields property with a list of fields
-      ---
-      - rule: My Rule
-        exceptions:
-          - name: ex2
-            values:
-              - [apache, /tmp]
-        append: true
-      ---
+    validate_errors:
+      - item_type: exception
+        item_name: ex2
+        code: LOAD_ERR_VALIDATE
+        message: "Rule exception must have fields property with a list of fields"
     validate_rules_file:
       - rules/exceptions/append_item_not_in_rule.yaml
     trace_file: trace_files/cat_write.scap
@@ -325,7 +249,7 @@ trace_files: !mux
     rules_file:
       - rules/exceptions/rule_exception_new_single_field_append.yaml
     trace_file: trace_files/cat_write.scap
-  
+
   rule_exception_new_second_field_append:
     detect: False
     detect_level: WARNING
@@ -335,18 +259,11 @@ trace_files: !mux
 
   rule_exception_new_append_no_field:
     exit_status: 1
-    stdout_is: |+
-      1 errors:
-      Rule exception new item proc_cmdline: must have fields property with a list of fields
-      ---
-      - rule: Open From Cat
-        exceptions:
-          - name: proc_cmdline
-            comps: in
-            values:
-              - "cat /dev/null"
-        append: true
-      ---
+    validate_errors:
+      - item_type: exception
+        item_name: proc_cmdline
+        code: LOAD_ERR_VALIDATE
+        message: "Rule exception must have fields property with a list of fields"
     validate_rules_file:
       - rules/exceptions/rule_exception_new_no_field_append.yaml
     trace_file: trace_files/cat_write.scap

test/falco_tests_plugins.yaml

@@ -24,7 +24,7 @@ trace_files: !mux
       - rules/plugins/cloudtrail_create_instances.yaml
     conf_file: BUILD_DIR/test/confs/plugins/cloudtrail_json_create_instances.yaml
     addl_cmdline_opts: --list-plugins
-    stdout_contains: "2 Plugins Loaded.*Name: cloudtrail.*Type: source plugin.*Name: json.*Type: extractor plugin"
+    stdout_contains: "2 Plugins Loaded.*Name: cloudtrail.*Name: json.*"
 
   list_plugin_fields:
     check_detection_counts: False
@@ -35,6 +35,7 @@ trace_files: !mux
     stdout_contains: "ct.id"
 
   detect_create_instance:
+    enable_source: aws_cloudtrail
     detect: True
     detect_level: INFO
     rules_file:
@@ -44,6 +45,7 @@ trace_files: !mux
     conf_file: BUILD_DIR/test/confs/plugins/cloudtrail_json_create_instances.yaml
 
   detect_create_instance_bigevent:
+    enable_source: aws_cloudtrail
     detect: True
     detect_level: INFO
     rules_file:
@@ -52,55 +54,60 @@ trace_files: !mux
       - 'Cloudtrail Create Instance': 1
     conf_file: BUILD_DIR/test/confs/plugins/cloudtrail_json_create_instances_bigevent.yaml
 
-  multiple_source_plugins:
-    exit_status: 1
-    stderr_contains: "Runtime error: Can not load multiple source plugins. cloudtrail already loaded. Exiting."
-    conf_file: BUILD_DIR/test/confs/plugins/multiple_source_plugins.yaml
-    rules_file:
-      - rules/plugins/cloudtrail_create_instances.yaml
-
   incompatible_extract_sources:
     exit_status: 1
-    stderr_contains: "Runtime error: Extractor plugin not compatible with event source aws_cloudtrail. Exiting."
+    stderr_contains: "Plugin '.*' has field extraction capability but is not compatible with any known event source"
     conf_file: BUILD_DIR/test/confs/plugins/incompatible_extract_sources.yaml
     rules_file:
       - rules/plugins/cloudtrail_create_instances.yaml
 
   overlap_extract_sources:
     exit_status: 1
-    stderr_contains: "Runtime error: Extractor plugins have overlapping compatible event source test_source. Exiting."
+    stderr_contains: "Plugin '.*' supports extraction of field 'test.field' that is overlapping for source 'test_source'"
     conf_file: BUILD_DIR/test/confs/plugins/overlap_extract_sources.yaml
     rules_file:
       - rules/plugins/cloudtrail_create_instances.yaml
 
   incompat_plugin_api:
     exit_status: 1
-    stderr_contains: "Unsupported plugin required api version 10000000.0.0"
+    stderr_contains: "plugin required API version '10000000.0.0' not compatible with the framework's API version '.*'"
     conf_file: BUILD_DIR/test/confs/plugins/incompatible_plugin_api.yaml
     rules_file:
       - rules/plugins/cloudtrail_create_instances.yaml
 
   incompat_plugin_rules_version:
     exit_status: 1
-    stderr_contains: "Runtime error: Plugin cloudtrail version .* not compatible with required plugin version 100000.0.0. Exiting."
+    stderr_contains: "Plugin 'cloudtrail' version '.*' is not compatible with required plugin version '100000.0.0'"
     conf_file: BUILD_DIR/test/confs/plugins/cloudtrail_json_create_instances.yaml
     rules_file:
       - rules/plugins/cloudtrail_incompat_plugin_version.yaml
 
   wrong_plugin_path:
     exit_status: 1
-    stderr_contains: "error loading plugin.*No such file or directory. Exiting"
+    stderr_contains: "cannot load plugin.*No such file or directory"
     conf_file: BUILD_DIR/test/confs/plugins/wrong_plugin_path.yaml
     rules_file:
       - rules/plugins/cloudtrail_incompat_plugin_version.yaml
 
   no_plugins_unknown_source:
-    detect: False
-    rules_file:
+    exit_status: 0
+    validate_warnings:
+      - item_type: rule
+        item_name: Cloudtrail Create Instance
+        code: LOAD_UNKNOWN_SOURCE
+        message: "Unknown source aws_cloudtrail, skipping"
+    validate_rules_file:
       - rules/plugins/cloudtrail_create_instances.yaml
-    trace_file: trace_files/empty.scap
-    rules_warning:
-      - Cloudtrail Create Instance
-    stderr_contains: "Rule Cloudtrail Create Instance: warning .unknown-source.: unknown source aws_cloudtrail, skipping"
+
+  no_plugins_unknown_source_rule_exception:
+    exit_status: 0
+    validate_warnings:
+      - item_type: rule
+        item_name: Cloudtrail Create Instance
+        code: LOAD_UNKNOWN_SOURCE
+        message: "Unknown source aws_cloudtrail, skipping"
+    validate_rules_file:
+      - rules/plugins/cloudtrail_create_instances_exceptions.yaml
+
 
 

test/falco_tests_psp.yaml

@@ -1,666 +0,0 @@
-#
-# Copyright (C) 2016-2018 The Falco Authors.
-#
-# This file is part of falco.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-trace_files: !mux
-
-  privileged_detect_k8s_audit:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP no_privileged Violation (privileged) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/privileged.yaml
-    trace_file: trace_files/psp/privileged.json
-
-  privileged_detect_syscall:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP no_privileged Violation (privileged) System Activity": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/privileged.yaml
-    trace_file: trace_files/psp/privileged.scap
-
-  privileged_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/privileged.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  host_pid_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP no_host_pid Violation (hostPID)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/host_pid.yaml
-    trace_file: trace_files/psp/host_pid.json
-
-  host_pid_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/host_pid.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  host_ipc_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP no_host_ipc Violation (hostIPC)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/host_ipc.yaml
-    trace_file: trace_files/psp/host_ipc.json
-
-  host_ipc_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/host_ipc.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  host_network_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP no_host_network Violation (hostNetwork)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/host_network.yaml
-    trace_file: trace_files/psp/host_network.json
-
-  host_network_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/host_network.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  host_network_ports_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP host_ports_100_200_only Violation (hostPorts)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/host_network_ports.yaml
-    trace_file: trace_files/psp/host_network_ports.json
-
-  host_network_ports_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/host_network_ports.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  volumes_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP only_secret_volumes Violation (volumes)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/volumes.yaml
-    trace_file: trace_files/psp/mount_etc_using_host_path.json
-
-  volumes_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/volumes.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  allowed_host_paths_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP only_mount_host_usr Violation (allowedHostPaths)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/allowed_host_paths.yaml
-    trace_file: trace_files/psp/mount_etc_using_host_path.json
-
-  allowed_host_paths_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/allowed_host_paths.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  allowed_flex_volumes_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP only_lvm_cifs_flex_volumes Violation (allowedFlexVolumes)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/flex_volumes.yaml
-    trace_file: trace_files/psp/flex_volumes.json
-
-  allowed_flex_volumes_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/flex_volumes.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  fs_group_must_run_as_with_unset:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP fs_group_must_run_as_30 Violation (fsGroup)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/fs_group_must_run_as.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  fs_group_must_run_as:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP fs_group_must_run_as_30 Violation (fsGroup)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/fs_group_must_run_as.yaml
-    trace_file: trace_files/psp/fs_group.json
-
-  fs_group_may_run_as:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP fs_group_may_run_as_30 Violation (fsGroup)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/fs_group_may_run_as.yaml
-    trace_file: trace_files/psp/fs_group.json
-
-  fs_group_may_run_as_with_unset:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/fs_group_may_run_as.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  fs_group_run_as_any:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/fs_group_run_as_any.yaml
-    trace_file: trace_files/psp/fs_group.json
-
-  fs_group_run_as_any_with_unset:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/fs_group_run_as_any.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  read_only_root_fs_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP read_only_root_fs Violation (readOnlyRootFilesystem) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/read_only_root_fs.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  read_only_root_fs_detect_syscall:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP read_only_root_fs Violation (readOnlyRootFilesystem) System Activity": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/read_only_root_fs.yaml
-    trace_file: trace_files/psp/write_tmp_test.scap
-
-  read_only_root_fs_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/read_only_root_fs.yaml
-    trace_file: trace_files/psp/read_only_root_fs.json
-
-  user_must_run_as_with_unset:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP user_must_run_as_30 Violation (runAsUser=MustRunAs) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  user_must_run_as_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP user_must_run_as_30 Violation (runAsUser=MustRunAs) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_user_1000_container.json
-
-  user_must_run_as_detect_syscall:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP user_must_run_as_30 Violation (runAsUser=MustRunAs) System Activity": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_user_65534_container.scap
-
-  user_must_run_as_not_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_user_30_container.json
-
-  user_must_run_as_detect_sec_ctx:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP user_must_run_as_30 Violation (runAsUser=MustRunAs) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_user_1000_sec_ctx.json
-
-  user_must_run_as_not_detect_sec_ctx:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_user_30_sec_ctx.json
-
-  user_must_run_as_detect_both:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP user_must_run_as_30 Violation (runAsUser=MustRunAs) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_user_30_sec_ctx_1000_container.json
-
-  user_must_run_as_not_detect_both:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_user_1000_sec_ctx_30_container.json
-
-  user_must_run_as_non_root_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP user_must_run_as_non_root Violation (runAsUser=MustRunAsNonRoot) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as_non_root.yaml
-    trace_file: trace_files/psp/run_as_user_0_container.json
-
-  user_must_run_as_non_root_detect_syscall:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP user_must_run_as_non_root Violation (runAsUser=MustRunAsNonRoot) System Activity": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as_non_root.yaml
-    trace_file: trace_files/psp/run_as_user_0_container.scap
-
-  user_must_run_as_non_root_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as_non_root.yaml
-    trace_file: trace_files/psp/run_as_user_1000_container.json
-
-  user_must_run_as_non_root_detect_sec_ctx:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP user_must_run_as_non_root Violation (runAsUser=MustRunAsNonRoot) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as_non_root.yaml
-    trace_file: trace_files/psp/run_as_user_0_sec_ctx.json
-
-  user_must_run_as_non_root_no_detect_sec_ctx:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as_non_root.yaml
-    trace_file: trace_files/psp/run_as_user_1000_sec_ctx.json
-
-  user_must_run_as_non_root_detect_both:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP user_must_run_as_non_root Violation (runAsUser=MustRunAsNonRoot) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as_non_root.yaml
-    trace_file: trace_files/psp/run_as_user_1000_sec_ctx_0_container.json
-
-  user_must_run_as_non_root_no_detect_both:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/user_must_run_as_non_root.yaml
-    trace_file: trace_files/psp/run_as_user_0_sec_ctx_1000_container.json
-
-  group_must_run_as_with_unset:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP group_must_run_as_30 Violation (runAsGroup=MustRunAs) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_must_run_as.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  group_must_run_as_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP group_must_run_as_30 Violation (runAsGroup=MustRunAs) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_1000_container.json
-
-  group_must_run_as_detect_syscall:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP group_must_run_as_30 Violation (runAsGroup=MustRunAs) System Activity": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_user_65534_container.scap
-
-  group_must_run_as_not_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_30_container.json
-
-  group_must_run_as_detect_sec_ctx:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP group_must_run_as_30 Violation (runAsGroup=MustRunAs) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_1000_sec_ctx.json
-
-  group_must_run_as_not_detect_sec_ctx:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_30_sec_ctx.json
-
-  group_must_run_as_detect_both:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP group_must_run_as_30 Violation (runAsGroup=MustRunAs) K8s Audit": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_30_sec_ctx_1000_container.json
-
-  group_must_run_as_not_detect_both:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_must_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_1000_sec_ctx_30_container.json
-
-  group_may_run_as_with_unset:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_may_run_as.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  group_may_run_as_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP group_may_run_as_30 Violation (runAsGroup=MayRunAs)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_may_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_1000_container.json
-
-  group_may_run_as_not_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_may_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_30_container.json
-
-  group_may_run_as_detect_sec_ctx:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP group_may_run_as_30 Violation (runAsGroup=MayRunAs)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_may_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_1000_sec_ctx.json
-
-  group_may_run_as_not_detect_sec_ctx:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_may_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_30_sec_ctx.json
-
-  group_may_run_as_detect_both:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP group_may_run_as_30 Violation (runAsGroup=MayRunAs)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_may_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_30_sec_ctx_1000_container.json
-
-  group_may_run_as_not_detect_both:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/group_may_run_as.yaml
-    trace_file: trace_files/psp/run_as_group_1000_sec_ctx_30_container.json
-
-  supplemental_groups_must_run_as_with_unset:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP supplemental_groups_must_run_as_30 Violation (supplementalGroups=MustRunAs)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/supplemental_groups_must_run_as_30_40.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  supplemental_groups_must_run_as_no_overlap:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP supplemental_groups_must_run_as_30 Violation (supplementalGroups=MustRunAs)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/supplemental_groups_must_run_as_30_40.yaml
-    trace_file: trace_files/psp/supplemental_groups_10_20.json
-
-  supplemental_groups_must_run_as_partial_overlap:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP supplemental_groups_must_run_as_30_10 Violation (supplementalGroups=MustRunAs)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/supplemental_groups_must_run_as_30_40_10_15.yaml
-    trace_file: trace_files/psp/supplemental_groups_10_20.json
-
-  supplemental_groups_must_run_as_overlap:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/supplemental_groups_must_run_as_10_20.yaml
-    trace_file: trace_files/psp/supplemental_groups_10_20.json
-
-  supplemental_groups_must_run_as_overlap_multiple_ranges:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/supplemental_groups_must_run_as_10_40_10_20.yaml
-    trace_file: trace_files/psp/supplemental_groups_10_20.json
-
-  supplemental_groups_may_run_as_with_unset:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/supplemental_groups_may_run_as_30_40.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  supplemental_groups_may_run_as_no_overlap:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP supplemental_groups_may_run_as_30 Violation (supplementalGroups=MayRunAs)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/supplemental_groups_may_run_as_30_40.yaml
-    trace_file: trace_files/psp/supplemental_groups_10_20.json
-
-  supplemental_groups_may_run_as_partial_overlap:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP supplemental_groups_may_run_as_30_10 Violation (supplementalGroups=MayRunAs)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/supplemental_groups_may_run_as_30_40_10_15.yaml
-    trace_file: trace_files/psp/supplemental_groups_10_20.json
-
-  supplemental_groups_may_run_as_overlap:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/supplemental_groups_may_run_as_10_20.yaml
-    trace_file: trace_files/psp/supplemental_groups_10_20.json
-
-  supplemental_groups_may_run_as_overlap_multiple_ranges:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/supplemental_groups_may_run_as_10_40_10_20.yaml
-    trace_file: trace_files/psp/supplemental_groups_10_20.json
-
-  privilege_escalation_privilege_escalation_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP no_privilege_escalation Violation (allowPrivilegeEscalation)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/privilege_escalation.yaml
-    trace_file: trace_files/psp/privilege_escalation.json
-
-  allowed_capabilities_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP allow_capability_sys_nice Violation (allowedCapabilities)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/allowed_capabilities.yaml
-    trace_file: trace_files/psp/capability_add_sys_time.json
-
-  allowed_capabilities_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/allowed_capabilities.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  allowed_capabilities_match:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/allowed_capabilities.yaml
-    trace_file: trace_files/psp/capability_add_sys_nice.json
-
-  allowed_proc_mount_types_detect:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP allow_default_proc_mount_type Violation (allowedProcMountTypes)": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/allowed_proc_mount_types.yaml
-    trace_file: trace_files/psp/proc_mount_type_unmasked.json
-
-  allowed_proc_mount_types_no_detect:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/allowed_proc_mount_types.yaml
-    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
-
-  allowed_proc_mount_types_match:
-    detect: False
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/allowed_proc_mount_types.yaml
-    trace_file: trace_files/psp/proc_mount_type_default.json
-
-  psp_name_with_dashes:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP no_privileged Violation (privileged) System Activity": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/privileged_name_with_dashes.yaml
-    trace_file: trace_files/psp/privileged.scap
-
-  psp_name_with_spaces:
-    detect: True
-    detect_level: WARNING
-    detect_counts:
-      - "PSP no_privileged Violation (privileged) System Activity": 1
-    rules_file: []
-    conf_file: confs/psp.yaml
-    psp_file: psps/privileged_name_with_spaces.yaml
-    trace_file: trace_files/psp/privileged.scap

test/falco_traces.yaml.in

@@ -30,6 +30,7 @@ traces: !mux
 
   container-privileged:
     trace_file: traces-positive/container-privileged.scap
+    all_events: True
     detect: True
     detect_level: INFO
     detect_counts:
@@ -37,6 +38,7 @@ traces: !mux
 
   container-sensitive-mount:
     trace_file: traces-positive/container-sensitive-mount.scap
+    all_events: True
     detect: True
     detect_level: INFO
     detect_counts:
@@ -51,6 +53,7 @@ traces: !mux
 
   db-program-spawned-process:
     trace_file: traces-positive/db-program-spawned-process.scap
+    all_events: True
     detect: True
     detect_level: NOTICE
     detect_counts:
@@ -59,7 +62,7 @@ traces: !mux
   falco-event-generator:
     trace_file: traces-positive/falco-event-generator.scap
     detect: True
-    detect_level: [ERROR, WARNING, INFO, NOTICE, DEBUG]
+    detect_level: [ERROR, WARNING, NOTICE, DEBUG]
     detect_counts:
       - "Write below binary dir": 1
       - "Read sensitive file untrusted": 3
@@ -68,7 +71,7 @@ traces: !mux
       - "Write below etc": 1
       - "System procs network activity": 1
       - "Mkdir binary dirs": 1
-      - "System user interactive": 1
+      - "System user interactive": 0
       - "DB program spawned process": 1
       - "Non sudo setuid": 1
       - "Create files below dev": 1
@@ -120,8 +123,10 @@ traces: !mux
   # falco-event-generator.scap so the rule is still being tested.
   run-shell-untrusted:
     trace_file: traces-positive/run-shell-untrusted.scap
-    detect: False
+    detect: True
     detect_level: DEBUG
+    detect_counts:
+      - "Run shell untrusted": 1
 
   system-binaries-network-activity:
     trace_file: traces-positive/system-binaries-network-activity.scap
@@ -132,6 +137,7 @@ traces: !mux
 
   system-user-interactive:
     trace_file: traces-positive/system-user-interactive.scap
+    all_events: True
     detect: True
     detect_level: INFO
     detect_counts:
@@ -139,6 +145,7 @@ traces: !mux
 
   user-mgmt-binaries:
     trace_file: traces-positive/user-mgmt-binaries.scap
+    all_events: True
     detect: True
     detect_level: NOTICE
     detect_counts:
@@ -164,3 +171,13 @@ traces: !mux
     detect_level: ERROR
     detect_counts:
       - "Write below rpm database": 1
+
+  # This generates two notices starting from https://github.com/falcosecurity/falco/pull/2092
+  # When a new version of the scap files is generated this should then become "traces-positive"
+  docker-compose:
+    trace_file: traces-negative/docker-compose.scap
+    all_events: True
+    detect: True
+    detect_level: NOTICE
+    detect_counts:
+      - "Redirect STDOUT/STDIN to Network Connection in Container": 2

test/output_files/single_rule_with_cat_write.json

@@ -1,8 +1,8 @@
-{"output":"2016-08-04T16:17:57.881781397+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","source":"syscall","tags":["filesystem","process","testing"],"time":"2016-08-04T16:17:57.881781397Z", "output_fields": {"evt.time.iso8601":1470327477881781397,"proc.cmdline":"cat /dev/null"}}
-{"output":"2016-08-04T16:17:57.881785348+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","source":"syscall","tags":["filesystem","process","testing"],"time":"2016-08-04T16:17:57.881785348Z", "output_fields": {"evt.time.iso8601":1470327477881785348,"proc.cmdline":"cat /dev/null"}}
-{"output":"2016-08-04T16:17:57.881796705+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","source":"syscall","tags":["filesystem","process","testing"],"time":"2016-08-04T16:17:57.881796705Z", "output_fields": {"evt.time.iso8601":1470327477881796705,"proc.cmdline":"cat /dev/null"}}
-{"output":"2016-08-04T16:17:57.881799840+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","source":"syscall","tags":["filesystem","process","testing"],"time":"2016-08-04T16:17:57.881799840Z", "output_fields": {"evt.time.iso8601":1470327477881799840,"proc.cmdline":"cat /dev/null"}}
-{"output":"2016-08-04T16:17:57.882003104+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","source":"syscall","tags":["filesystem","process","testing"],"time":"2016-08-04T16:17:57.882003104Z", "output_fields": {"evt.time.iso8601":1470327477882003104,"proc.cmdline":"cat /dev/null"}}
-{"output":"2016-08-04T16:17:57.882008208+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","source":"syscall","tags":["filesystem","process","testing"],"time":"2016-08-04T16:17:57.882008208Z", "output_fields": {"evt.time.iso8601":1470327477882008208,"proc.cmdline":"cat /dev/null"}}
-{"output":"2016-08-04T16:17:57.882045694+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","source":"syscall","tags":["filesystem","process","testing"],"time":"2016-08-04T16:17:57.882045694Z", "output_fields": {"evt.time.iso8601":1470327477882045694,"proc.cmdline":"cat /dev/null"}}
-{"output":"2016-08-04T16:17:57.882054739+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","source":"syscall","tags":["filesystem","process","testing"],"time":"2016-08-04T16:17:57.882054739Z", "output_fields": {"evt.time.iso8601":1470327477882054739,"proc.cmdline":"cat /dev/null"}}
+{"hostname":"test-falco-hostname","output":"2016-08-04T16:17:57.881781397+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","source":"syscall","tags":["filesystem","process","testing"],"time":"2016-08-04T16:17:57.881781397Z", "output_fields": {"evt.time.iso8601":1470327477881781397,"proc.cmdline":"cat /dev/null"}}
+{"hostname":"test-falco-hostname","output":"2016-08-04T16:17:57.881785348+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","source":"syscall","tags":["filesystem","process","testing"],"time":"2016-08-04T16:17:57.881785348Z", "output_fields": {"evt.time.iso8601":1470327477881785348,"proc.cmdline":"cat /dev/null"}}
+{"hostname":"test-falco-hostname","output":"2016-08-04T16:17:57.881796705+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","source":"syscall","tags":["filesystem","process","testing"],"time":"2016-08-04T16:17:57.881796705Z", "output_fields": {"evt.time.iso8601":1470327477881796705,"proc.cmdline":"cat /dev/null"}}
+{"hostname":"test-falco-hostname","output":"2016-08-04T16:17:57.881799840+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","source":"syscall","tags":["filesystem","process","testing"],"time":"2016-08-04T16:17:57.881799840Z", "output_fields": {"evt.time.iso8601":1470327477881799840,"proc.cmdline":"cat /dev/null"}}
+{"hostname":"test-falco-hostname","output":"2016-08-04T16:17:57.882003104+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","source":"syscall","tags":["filesystem","process","testing"],"time":"2016-08-04T16:17:57.882003104Z", "output_fields": {"evt.time.iso8601":1470327477882003104,"proc.cmdline":"cat /dev/null"}}
+{"hostname":"test-falco-hostname","output":"2016-08-04T16:17:57.882008208+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","source":"syscall","tags":["filesystem","process","testing"],"time":"2016-08-04T16:17:57.882008208Z", "output_fields": {"evt.time.iso8601":1470327477882008208,"proc.cmdline":"cat /dev/null"}}
+{"hostname":"test-falco-hostname","output":"2016-08-04T16:17:57.882045694+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","source":"syscall","tags":["filesystem","process","testing"],"time":"2016-08-04T16:17:57.882045694Z", "output_fields": {"evt.time.iso8601":1470327477882045694,"proc.cmdline":"cat /dev/null"}}
+{"hostname":"test-falco-hostname","output":"2016-08-04T16:17:57.882054739+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","source":"syscall","tags":["filesystem","process","testing"],"time":"2016-08-04T16:17:57.882054739Z", "output_fields": {"evt.time.iso8601":1470327477882054739,"proc.cmdline":"cat /dev/null"}}

test/plugins/test_extract.cpp

@@ -19,15 +19,14 @@ limitations under the License.
 #include <string.h>
 #include <plugin_info.h>
 
-static const char *pl_required_api_version = "0.1.0";
-static uint32_t    pl_type                 = TYPE_EXTRACTOR_PLUGIN;
+static const char *pl_required_api_version = PLUGIN_API_VERSION_STR;
 static const char *pl_name_base            = "test_extract";
 static char pl_name[1024];
 static const char *pl_desc                 = "Test Plugin For Regression Tests";
 static const char *pl_contact              = "github.com/falcosecurity/falco";
 static const char *pl_version              = "0.1.0";
 static const char *pl_extract_sources      = "[\"test_source\"]";
-static const char *pl_fields               = "[]";
+static const char *pl_fields               = "[{\"type\": \"uint64\", \"name\": \"test.field\", \"desc\": \"Describing test field\"}]";
 
 // This struct represents the state of a plugin. Just has a placeholder string value.
 typedef struct plugin_state
@@ -40,18 +39,12 @@ const char* plugin_get_required_api_version()
 	return pl_required_api_version;
 }
 
-extern "C"
-uint32_t plugin_get_type()
-{
-	return pl_type;
-}
-
 extern "C"
 const char* plugin_get_name()
 {
 	// Add a random-ish suffix to the end, as some tests load
 	// multiple copies of this plugin
-	snprintf(pl_name, sizeof(pl_name)-1, "%s%ld\n", pl_name_base, random());
+	snprintf(pl_name, sizeof(pl_name)-1, "%s%ld", pl_name_base, random());
 	return pl_name;
 }
 

test/plugins/test_source.cpp

@@ -20,8 +20,7 @@ limitations under the License.
 
 #include <plugin_info.h>
 
-static const char *pl_required_api_version = "0.1.0";
-static uint32_t    pl_type                 = TYPE_SOURCE_PLUGIN;
+static const char *pl_required_api_version = PLUGIN_API_VERSION_STR;
 static uint32_t    pl_id                   = 999;
 static const char *pl_name                 = "test_source";
 static const char *pl_desc                 = "Test Plugin For Regression Tests";
@@ -45,12 +44,6 @@ const char* plugin_get_required_api_version()
 	return pl_required_api_version;
 }
 
-extern "C"
-uint32_t plugin_get_type()
-{
-	return pl_type;
-}
-
 extern "C"
 uint32_t plugin_get_id()
 {

test/psps/allowed_capabilities.yaml

@@ -1,10 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: allow_capability_sys_nice
-spec:
-  allowedCapabilities:
-    - SYS_NICE
-

test/psps/allowed_host_paths.yaml

@@ -1,11 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: only_mount_host_usr
-spec:
-  allowedHostPaths:
-    - pathPrefix: /usr
-      readOnly: true
-

test/psps/allowed_proc_mount_types.yaml

@@ -1,10 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: allow_default_proc_mount_type
-spec:
-  allowedProcMountTypes:
-    - Default
-

test/psps/flex_volumes.yaml

@@ -1,13 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: only_lvm_cifs_flex_volumes
-spec:
-  volumes:
-    - flexVolume
-  allowedFlexVolumes:
-    - driver: example/lvm
-    - driver: example/cifs
-

test/psps/fs_group_may_run_as.yaml

@@ -1,12 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: fs_group_may_run_as_30
-spec:
-  fsGroup:
-    rule: "MayRunAs"
-    ranges:
-      - min: 30
-        max: 40

test/psps/fs_group_must_run_as.yaml

@@ -1,12 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    falco-rules-psp-images: "[nginx]"
-  name: fs_group_must_run_as_30
-spec:
-  fsGroup:
-    rule: "MustRunAs"
-    ranges:
-      - min: 30
-        max: 40