docs(CHANGELOG.md): Changelog for 0.31.1

Signed-off-by: Luca Guerra <luca@guerra.sh>

.circleci/config.yml

@@ -13,7 +13,7 @@ jobs:
           command: apk update
       - run:
           name: Install build dependencies
-          command: apk add g++ gcc cmake cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils
+          command: apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils
       - run:
           name: Prepare project
           command: |
@@ -661,7 +661,7 @@ workflows:
               only: master
           requires:
             - publish/docker-dev
-      # - "quality/static-analysis" # This is temporarly disabled: https://github.com/falcosecurity/falco/issues/1526
+      # - "quality/static-analysis" # This is temporarily disabled: https://github.com/falcosecurity/falco/issues/1526
   release:
     jobs:
       - "build/musl":

.cmake-format

@@ -7,7 +7,7 @@ line_width = 120
 # How many spaces to tab for indent
 tab_size = 2
 
-# If arglists are longer than this, break them always
+# If arg lists are longer than this, break them always
 max_subargs_per_line = 3
 
 # If true, separate flow control names from their parentheses with a space
@@ -21,7 +21,7 @@ separate_fn_name_with_space = False
 dangle_parens = False
 
 # If the statement spelling length (including space and parenthesis is larger
-# than the tab width by more than this amoung, then force reject un-nested
+# than the tab width by more than this among, then force reject un-nested
 # layouts.
 max_prefix_chars = 2
 
@@ -54,7 +54,7 @@ always_wrap = []
 algorithm_order = [0, 1, 2, 3, 4]
 
 # If true, the argument lists which are known to be sortable will be sorted
-# lexicographicall
+# lexicographically
 enable_sort = True
 
 # If true, the parsers may infer whether or not an argument list is sortable

ADOPTERS.md

@@ -24,6 +24,8 @@ This is a list of production adopters of Falco (in alphabetical order):
 
 * [Coveo](https://www.coveo.com/) - Coveo stitches together content and data, learning from every interaction, to tailor every experience using AI to drive growth, satisfy customers and develop employee proficiency. All Falco events are centralized in our SIEM for analysis. Understanding what is running on production servers, and the context around why things are running is even more tricky now that we have further abstractions with containers and orchestration systems. Falco is giving us a good visibility inside containers and complement other Host and Network Intrusion Detection Systems. In a near future, we expect to deploy serverless functions to take action when Falco identifies patterns worth taking action for.
 
+* [Fairwinds](https://fairwinds.com/) - [Fairwinds Insights](https://fairwinds.com/insights), Kubernetes governance software, integrates Falco to offer a single pane of glass view into potential security incidents. Insights adds out-of-the-box integrations and rules filter to reduce alert fatigue and improve security response. The platform adds security prevention, detection, and response capabilities to your existing Kubernetes infrastructure. Security and DevOps teams benefit from a centralized view of container security vulnerability scanning and runtime container security.
+
 * [Frame.io](https://frame.io/) - Frame.io is a cloud-based (SaaS) video review and collaboration platform that enables users to securely upload source media, work-in-progress edits, dailies, and more into private workspaces where they can invite their team and clients to collaborate on projects. Understanding what is running on production servers, and the context around why things are running is even more tricky now that we have further abstractions like Docker and Kubernetes. To get this needed visibility into our system, we rely on Falco. Falco's ability to collect raw system calls such as open, connect, exec, along with their arguments offer key insights on what is happening on the production system and became the foundation of our intrusion detection and alerting system.
 
 * [Giant Swarm](https://www.giantswarm.io/) - Giant Swarm manages Kubernetes clusters and infrastructure for enterprises across multiple cloud providers as well as several flavors of on-premises data centers. Our platform provisions and monitors pure "vanilla" Kubernetes clusters which can be augmented with managed solutions to many common Kubernetes challenges, including security. We use Falco for anomaly detection as part of our collection of entirely open-source tools for securing our own clusters, and offer the same capabilities to our customers as part of our [managed security offering](https://docs.giantswarm.io/app-platform/apps/security/).
@@ -39,10 +41,10 @@ This is a list of production adopters of Falco (in alphabetical order):
 
 * [Pocteo](https://pocteo.co) - Pocteo helps with Kubernetes adoption in enterprises by providing a variety of services such as training, consulting, auditing and mentoring. We build CI/CD pipelines the GitOps way, as well as design and run k8s clusters. Pocteo uses Falco as a runtime monitoring system to secure clients' workloads against suspicious behavior and ensure k8s pods immutability. We also use Falco to collect, process and act on security events through a response engine and serverless functions.
 
-* [Preferral](https://www.preferral.com) - Preferral is a HIPAA-compliant platform for Referral Management and Online Referral Forms. Preferral streamlines the referral process for patients, specialists and their referral partners. By automating the referral process, referring practices spend less time on the phone, manual efforts are eliminated, and patients get the right care from the right specialist. Preferral leverages Falco to provide a Host Intrusion Detection System to meet their HIPPA compliance requirements.
+* [Preferral](https://www.preferral.com) - Preferral is a HIPAA-compliant platform for Referral Management and Online Referral Forms. Preferral streamlines the referral process for patients, specialists and their referral partners. By automating the referral process, referring practices spend less time on the phone, manual efforts are eliminated, and patients get the right care from the right specialist. Preferral leverages Falco to provide a Host Intrusion Detection System to meet their HIPAA compliance requirements.
   * https://hipaa.preferral.com/01-preferral_hipaa_compliance/
 
-* [Qonto](https://qonto.com) - Qonto is a modern banking for SMEs and freelancers. Qonto provides a fully featured business account with a simplified accounting flow. Falco is used by our SecOps team to detect suspicous behaviors in our clusters.
+* [Qonto](https://qonto.com) - Qonto is a modern banking for SMEs and freelancers. Qonto provides a fully featured business account with a simplified accounting flow. Falco is used by our SecOps team to detect suspicious behaviors in our clusters.
 
 * [Raft](https://goraft.tech) - Raft is a government contractor that offers cloud-native solutions across many different agencies including DoD (Department of Defense), HHS (Health and Human Services), as well as within CFPB (Consumer Finance Protection Bureau). Raft leverages Falco to detect threats in our client's Kubernetes clusters and as a Host Intrusion Detection System. Raft proudly recommends Falco across all our different projects.
 
@@ -64,7 +66,7 @@ This is a list of production adopters of Falco (in alphabetical order):
 
 * [Yahoo! JAPAN](https://www.yahoo.co.jp/) Yahoo! JAPAN is a leading company of internet in Japan. We build an AI Platform in our private cloud and provide it to scientists in our company. AI Platform is a multi-tenant Kubernetes environment and more flexible, faster, more efficient Machine Learning environment. Falco is used to detect unauthorized commands and malicious access and our AI Platform is monitored and alerted by Falco.
 
-* [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call probe. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended Falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-defined infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.
+* [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call driver. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended Falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-defined infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.
 
 ## Projects that use Falco libs
 

CHANGELOG.md

@@ -1,5 +1,56 @@
 # Change Log
 
+## v0.31.1
+
+Released on 2022-03-09
+
+### Major Changes
+
+
+* new: add a new drop category `n_drops_scratch_map` [[#1916](https://github.com/falcosecurity/falco/pull/1916)] - [@Andreagit97](https://github.com/Andreagit97)
+* new: allow to specify multiple --cri options [[#1893](https://github.com/falcosecurity/falco/pull/1893)] - [@FedeDP](https://github.com/FedeDP)
+
+
+### Minor Changes
+
+* refactor(userspace/falco): replace direct getopt_long() cmdline option parsing with third-party cxxopts library. [[#1886](https://github.com/falcosecurity/falco/pull/1886)] - [@mstemm](https://github.com/mstemm)
+* update: driver version is b7eb0dd [[#1923](https://github.com/falcosecurity/falco/pull/1923)] - [@LucaGuerra](https://github.com/LucaGuerra)
+
+
+### Bug Fixes
+
+* fix(userspace/falco): correct plugins init config conversion from YAML to JSON [[#1907](https://github.com/falcosecurity/falco/pull/1907)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(userspace/engine): for rules at the informational level being loaded at the notice level [[#1885](https://github.com/falcosecurity/falco/pull/1885)] - [@mike-stewart](https://github.com/mike-stewart)
+* chore(userspace/falco): fixes truncated -b option description. [[#1915](https://github.com/falcosecurity/falco/pull/1915)] - [@andreabonanno](https://github.com/andreabonanno)
+* update(falco): updates usage description for -o, --option [[#1903](https://github.com/falcosecurity/falco/pull/1903)] - [@andreabonanno](https://github.com/andreabonanno)
+
+
+### Rule Changes
+
+* rule(Detect outbound connections to common miner pool ports): fix url in rule output [[#1918](https://github.com/falcosecurity/falco/pull/1918)] - [@jsoref](https://github.com/jsoref)
+* rule(macro somebody_becoming_themself): renaming macro to somebody_becoming_themselves [[#1918](https://github.com/falcosecurity/falco/pull/1918)] - [@jsoref](https://github.com/jsoref)
+* rule(list package_mgmt_binaries): `npm` added [[#1866](https://github.com/falcosecurity/falco/pull/1866)] - [@rileydakota](https://github.com/rileydakota)
+* rule(Launch Package Management Process in Container): support for detecting `npm` usage [[#1866](https://github.com/falcosecurity/falco/pull/1866)] - [@rileydakota](https://github.com/rileydakota)
+* rule(Polkit Local Privilege Escalation Vulnerability): new rule created to detect CVE-2021-4034 [[#1877](https://github.com/falcosecurity/falco/pull/1877)] - [@darryk10](https://github.com/darryk10)
+* rule(macro: modify_shell_history): avoid false-positive alerts triggered by modifications to .zsh_history.new and .zsh_history.LOCK files [[#1832](https://github.com/falcosecurity/falco/pull/1832)] - [@m4wh6k](https://github.com/m4wh6k)
+* rule(macro: truncate_shell_history): avoid false-positive alerts triggered by modifications to .zsh_history.new and .zsh_history.LOCK files [[#1832](https://github.com/falcosecurity/falco/pull/1832)] - [@m4wh6k](https://github.com/m4wh6k)
+* rule(macro sssd_writing_krb): fixed a false-positive alert that was being generated when SSSD updates /etc/krb5.keytab [[#1825](https://github.com/falcosecurity/falco/pull/1825)] - [@mac-chaffee](https://github.com/mac-chaffee)
+* rule(macro write_etc_common): fixed a false-positive alert that was being generated when SSSD updates /etc/krb5.keytab [[#1825](https://github.com/falcosecurity/falco/pull/1825)] - [@mac-chaffee](https://github.com/mac-chaffee)
+* upgrade macro(keepalived_writing_conf) [[#1742](https://github.com/falcosecurity/falco/pull/1742)] - [@pabloopez](https://github.com/pabloopez)
+* rule_output(Delete Bucket Public Access Block) typo [[#1888](https://github.com/falcosecurity/falco/pull/1888)] - [@pabloopez](https://github.com/pabloopez)
+
+
+### Non user-facing changes
+
+* fix(build): fix civetweb linking in cmake module [[#1919](https://github.com/falcosecurity/falco/pull/1919)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* chore(userspace/engine): remove unused lua functions and state vars [[#1908](https://github.com/falcosecurity/falco/pull/1908)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* fix(userspace/falco): applies FALCO_INSTALL_CONF_FILE as the default … [[#1900](https://github.com/falcosecurity/falco/pull/1900)] - [@andreabonanno](https://github.com/andreabonanno)
+* fix(scripts): correct typo in `falco-driver-loader` help message [[#1899](https://github.com/falcosecurity/falco/pull/1899)] - [@leogr](https://github.com/leogr)
+* update(build)!: replaced various `PROBE` with `DRIVER` where necessary. [[#1887](https://github.com/falcosecurity/falco/pull/1887)] - [@FedeDP](https://github.com/FedeDP)
+* Add [Fairwinds](https://fairwinds.com) to the adopters list [[#1917](https://github.com/falcosecurity/falco/pull/1917)] - [@sudermanjr](https://github.com/sudermanjr)
+* build(cmake): several cmake changes to speed up/simplify builds for external projects and copying files from source-to-build directories [[#1905](https://github.com/falcosecurity/falco/pull/1905)] - [@mstemm](https://github.com/mstemm)
+
+
 ## v0.31.0
 
 Released on 2022-01-31
@@ -8,7 +59,7 @@ Released on 2022-01-31
 
 
 * new: add support for plugins to extend Falco functionality to new event sources and custom fields [[#1753](https://github.com/falcosecurity/falco/pull/1753)] - [@mstemm](https://github.com/mstemm)
-* new: add ability to set User-Agent http header when sending http output. Provide default value of 'falcosecurit/falco'. [[#1850](https://github.com/falcosecurity/falco/pull/1850)] - [@yoshi314](https://github.com/yoshi314)
+* new: add ability to set User-Agent http header when sending http output. Provide default value of 'falcosecurity/falco'. [[#1850](https://github.com/falcosecurity/falco/pull/1850)] - [@yoshi314](https://github.com/yoshi314)
 * new(configuration): support defining plugin init config as a YAML [[#1852](https://github.com/falcosecurity/falco/pull/1852)] - [@jasondellaluce](https://github.com/jasondellaluce)
 
 
@@ -44,7 +95,7 @@ Released on 2022-01-31
 * fix(userspace/engine): support jsonpointer escaping in rule parser [[#1777](https://github.com/falcosecurity/falco/pull/1777)] - [@jasondellaluce](https://github.com/jasondellaluce)
 * fix(scripts/falco-driver-loader): support kernel object files in `.zst` and `.gz` compression formats [[#1863](https://github.com/falcosecurity/falco/pull/1863)] - [@leogr](https://github.com/leogr)
 * fix(engine): correctly format json output in json_event [[#1847](https://github.com/falcosecurity/falco/pull/1847)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* fix: set http output contenttype to text/plain when json output is disabled [[#1829](https://github.com/falcosecurity/falco/pull/1829)] - [@FedeDP](https://github.com/FedeDP)
+* fix: set http output content type to text/plain when json output is disabled [[#1829](https://github.com/falcosecurity/falco/pull/1829)] - [@FedeDP](https://github.com/FedeDP)
 * fix(userspace/falco): accept 'Content-Type' header that contains "application/json", but it is not strictly equal to it [[#1800](https://github.com/falcosecurity/falco/pull/1800)] - [@FedeDP](https://github.com/FedeDP)
 * fix(userspace/engine): supporting enabled-only overwritten rules [[#1775](https://github.com/falcosecurity/falco/pull/1775)] - [@jasondellaluce](https://github.com/jasondellaluce)
 
@@ -88,7 +139,7 @@ Released on 2022-01-31
 * fix(build): use consistent 7-character build abbrev sha [[#1830](https://github.com/falcosecurity/falco/pull/1830)] - [@LucaGuerra](https://github.com/LucaGuerra)
 * add Phoenix to adopters list [[#1806](https://github.com/falcosecurity/falco/pull/1806)] - [@kaldyka](https://github.com/kaldyka)
 * remove unused files in test directory [[#1801](https://github.com/falcosecurity/falco/pull/1801)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* drop Falco luajit module, use the one provied by libs [[#1788](https://github.com/falcosecurity/falco/pull/1788)] - [@FedeDP](https://github.com/FedeDP)
+* drop Falco luajit module, use the one provided by libs [[#1788](https://github.com/falcosecurity/falco/pull/1788)] - [@FedeDP](https://github.com/FedeDP)
 * chore(build): update libs version to 7906f7e [[#1790](https://github.com/falcosecurity/falco/pull/1790)] - [@LucaGuerra](https://github.com/LucaGuerra)
 * Add SysFlow to list of libs adopters [[#1747](https://github.com/falcosecurity/falco/pull/1747)] - [@araujof](https://github.com/araujof)
 * build: dropped centos8 circleci build because it is useless [[#1882](https://github.com/falcosecurity/falco/pull/1882)] - [@FedeDP](https://github.com/FedeDP)
@@ -345,8 +396,8 @@ Released on 2021-01-18
 * docs(proposals): Exceptions handling proposal [[#1376](https://github.com/falcosecurity/falco/pull/1376)] - [@mstemm](https://github.com/mstemm)
 * docs: fix a broken link of README [[#1516](https://github.com/falcosecurity/falco/pull/1516)] - [@oke-py](https://github.com/oke-py)
 * docs: adding the kubernetes privileged use case to use cases [[#1484](https://github.com/falcosecurity/falco/pull/1484)] - [@fntlnz](https://github.com/fntlnz)
-* rules(Mkdir binary dirs): Adds exe_running_docker_save as an exception as this rules can be triggerred when a container is created. [[#1386](https://github.com/falcosecurity/falco/pull/1386)] - [@jhwbarlow](https://github.com/jhwbarlow)
-* rules(Create Hidden Files): Adds exe_running_docker_save as an exception as this rules can be triggerred when a container is created. [[#1386](https://github.com/falcosecurity/falco/pull/1386)] - [@jhwbarlow](https://github.com/jhwbarlow)
+* rules(Mkdir binary dirs): Adds exe_running_docker_save as an exception as this rules can be triggered when a container is created. [[#1386](https://github.com/falcosecurity/falco/pull/1386)] - [@jhwbarlow](https://github.com/jhwbarlow)
+* rules(Create Hidden Files): Adds exe_running_docker_save as an exception as this rules can be triggered when a container is created. [[#1386](https://github.com/falcosecurity/falco/pull/1386)] - [@jhwbarlow](https://github.com/jhwbarlow)
 * docs(.circleci): welcome Jonah (Amazon) as a new Falco CI maintainer [[#1518](https://github.com/falcosecurity/falco/pull/1518)] - [@leodido](https://github.com/leodido)
 * build: falcosecurity/falco:master also available on the AWS ECR Public registry [[#1512](https://github.com/falcosecurity/falco/pull/1512)] - [@leodido](https://github.com/leodido)
 * build: falcosecurity/falco:latest also available on the AWS ECR Public registry [[#1512](https://github.com/falcosecurity/falco/pull/1512)] - [@leodido](https://github.com/leodido)
@@ -795,7 +846,7 @@ Released on 2020-01-23
 ### Bug Fixes
 
 * fix: providing clang into docker-builder [[#972](https://github.com/falcosecurity/falco/pull/972)]
-* fix: prevent throwing json type error c++ exceptions outside of the falco engine when procesing k8s audit events. [[#928](https://github.com/falcosecurity/falco/pull/928)]
+* fix: prevent throwing json type error c++ exceptions outside of the falco engine when processing k8s audit events. [[#928](https://github.com/falcosecurity/falco/pull/928)]
 * fix(docker/kernel/linuxkit): correct from for falco minimal image [[#913](https://github.com/falcosecurity/falco/pull/913)]
 
 ### Rule Changes
@@ -910,7 +961,7 @@ Released 2019-07-31
 
 * Fix a problem that would cause prevent container metadata lookups when falco was daemonized [[#731](https://github.com/falcosecurity/falco/pull/731)]
 
-* Allow rule priorites to be expressed as lowercase and a mix of lower/uppercase [[#737](https://github.com/falcosecurity/falco/pull/737)]
+* Allow rule priorities to be expressed as lowercase and a mix of lower/uppercase [[#737](https://github.com/falcosecurity/falco/pull/737)]
 
 ### Rule Changes
 
@@ -1105,7 +1156,7 @@ Released 2019-05-13
 
 * Docker-based builder/tester: You can now build Falco using the [falco-builder](https://falco.org/docs/source/#build-using-falco-builder-container) docker image, and run regression tests using the [falco-tester](https://falco.org/docs/source/#test-using-falco-tester-container) docker image. [[#522](https://github.com/falcosecurity/falco/pull/522)] [[#584](https://github.com/falcosecurity/falco/pull/584)]
 
-* Several small docs changes to improve clarity and readibility [[#524](https://github.com/falcosecurity/falco/pull/524)] [[#540](https://github.com/falcosecurity/falco/pull/540)] [[#541](https://github.com/falcosecurity/falco/pull/541)] [[#542](https://github.com/falcosecurity/falco/pull/542)]
+* Several small docs changes to improve clarity and readability [[#524](https://github.com/falcosecurity/falco/pull/524)] [[#540](https://github.com/falcosecurity/falco/pull/540)] [[#541](https://github.com/falcosecurity/falco/pull/541)] [[#542](https://github.com/falcosecurity/falco/pull/542)]
 
 * Add instructions on how to enable K8s Audit Logging for kops [[#535](https://github.com/falcosecurity/falco/pull/535)]
 
@@ -1220,7 +1271,7 @@ Released 2019-01-16
 
 * Fix FPs related to `apt-config`/`apt-cache`, `apk` [[#490](https://github.com/falcosecurity/falco/pull/490)]
 
-* New rules `Launch Package Management Process in Container`, `Netcat Remote Code Execution in Container`, `Lauch Suspicious Network Tool in Container` look for host-level network tools like `netcat`, package management tools like `apt-get`, or network tool binaries being run in a container. [[#490](https://github.com/falcosecurity/falco/pull/490)]
+* New rules `Launch Package Management Process in Container`, `Netcat Remote Code Execution in Container`, `Launch Suspicious Network Tool in Container` look for host-level network tools like `netcat`, package management tools like `apt-get`, or network tool binaries being run in a container. [[#490](https://github.com/falcosecurity/falco/pull/490)]
 
 * Fix the `inbound` and `outbound` macros so they work with sendto/recvfrom/sendmsg/recvmsg. [[#470](https://github.com/falcosecurity/falco/pull/470)]
 
@@ -1253,7 +1304,7 @@ Released 2018-11-09
 
 * Better coverage (e.g. reduced FPs) for critical stack, hids systems, ufw, cloud-init, etc. [[#445](https://github.com/falcosecurity/falco/pull/445)]
 
-* New rules `Launch Package Management Process in Container`, `Netcat Remote Code Execution in Container`, and `Lauch Suspicious Network Tool in Container` look for running various suspicious programs in a container. [[#461](https://github.com/falcosecurity/falco/pull/461)]
+* New rules `Launch Package Management Process in Container`, `Netcat Remote Code Execution in Container`, and `Launch Suspicious Network Tool in Container` look for running various suspicious programs in a container. [[#461](https://github.com/falcosecurity/falco/pull/461)]
 
 * Misc changes to address false positives in GKE, Istio, etc. [[#455](https://github.com/falcosecurity/falco/pull/455)] [[#439](https://github.com/falcosecurity/falco/issues/439)]
 
@@ -1308,7 +1359,7 @@ Released 2018-07-24
 
 ### Minor Changes
 
-* Rules may now have an `skip-if-unknown-filter` property. If set to true, a rule will be skipped if its condition/output property refers to a filtercheck (e.g. `fd.some-new-attibute`) that is not present in the current falco version. [[#364](https://github.com/draios/falco/pull/364)] [[#345](https://github.com/draios/falco/issues/345)]
+* Rules may now have an `skip-if-unknown-filter` property. If set to true, a rule will be skipped if its condition/output property refers to a filtercheck (e.g. `fd.some-new-attribute`) that is not present in the current falco version. [[#364](https://github.com/draios/falco/pull/364)] [[#345](https://github.com/draios/falco/issues/345)]
 * Small changes to Falco `COPYING` file so github automatically recognizes license [[#380](https://github.com/draios/falco/pull/380)]
 * New example integration showing how to connect Falco with Anchore to dynamically create falco rules based on negative scan results [[#390](https://github.com/draios/falco/pull/390)]
 * New example integration showing how to connect Falco, [nats](https://nats.io/), and K8s to run flexible "playbooks" based on Falco events [[#389](https://github.com/draios/falco/pull/389)]
@@ -1409,7 +1460,7 @@ Released 2017-10-10
 
 Released 2017-10-10
 
-**Important**: the location for falco's configuration file has moved from `/etc/falco.yaml` to `/etc/falco/falco.yaml`. The default rules file has moved from `/etc/falco_rules.yaml` to `/etc/falco/falco_rules.yaml`. In addition, 0.8.0 has added a _local_ ruls file to `/etc/falco/falco_rules.local.yaml`. See [the documentation](https://github.com/draios/falco/wiki/Falco-Default-and-Local-Rules-Files) for more details.
+**Important**: the location for falco's configuration file has moved from `/etc/falco.yaml` to `/etc/falco/falco.yaml`. The default rules file has moved from `/etc/falco_rules.yaml` to `/etc/falco/falco_rules.yaml`. In addition, 0.8.0 has added a _local_ rules file to `/etc/falco/falco_rules.local.yaml`. See [the documentation](https://github.com/draios/falco/wiki/Falco-Default-and-Local-Rules-Files) for more details.
 
 ### Major Changes
 

CMakeLists.txt

@@ -58,6 +58,7 @@ if(CMAKE_BUILD_TYPE STREQUAL "debug")
 else()
   set(CMAKE_BUILD_TYPE "release")
   set(KBUILD_FLAGS "${DRAIOS_FEATURE_FLAGS}")
+  add_definitions(-DBUILD_TYPE_RELEASE)
 endif()
 message(STATUS "Build type: ${CMAKE_BUILD_TYPE}")
 
@@ -98,8 +99,8 @@ set(CMAKE_CXX_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
 include(GetFalcoVersion)
 
 set(PACKAGE_NAME "falco")
-set(PROBE_NAME "falco")
-set(PROBE_DEVICE_NAME "falco")
+set(DRIVER_NAME "falco")
+set(DRIVER_DEVICE_NAME "falco")
 set(DRIVERS_REPO "https://download.falco.org/driver")
 if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
   set(CMAKE_INSTALL_PREFIX
@@ -149,6 +150,8 @@ if(NOT MINIMAL_BUILD)
   include(civetweb)
 endif()
 
+include(cxxopts)
+
 # Lpeg
 include(lpeg)
 

RELEASE.md

@@ -95,7 +95,7 @@ Now assume `x.y.z` is the new version.
 
     #### Release Manager <github handle>
 
-    <!-- Substitute Github handle with the release manager's one -->
+    <!-- Substitute GitHub handle with the release manager's one -->
     ```
 
 - Finally, publish the release!

brand/README.md

@@ -56,7 +56,7 @@ If a rule has been violated, Falco triggers an alert.
 ### How does Falco work?
 
 Falco traces kernel events and reports information about the system calls being executed at runtime.
-Falco leverages the extended berkley packet filter (eBPF) which is a kernel feature implemented for dynamic crash-resilient and secure code execution in the kernel. 
+Falco leverages the extended berkeley packet filter (eBPF) which is a kernel feature implemented for dynamic crash-resilient and secure code execution in the kernel. 
 Falco enriches these kernel events with information about containers running on the system.
 Falco also can consume signals from other input streams such as the containerd socket, the Kubernetes API server and the Kubernetes audit log.
 At runtime, Falco will reason about these events and assert them against configured security rules.
@@ -113,7 +113,7 @@ Falco ultimately is a security engine. It reasons about signals coming from a sy
 
 ##### Anomaly detection
 
-This refers to an event that occurs with something unsual, concerning, or odd occurs.
+This refers to an event that occurs with something unusual, concerning, or odd occurs.
 We can associate anomalies with unwanted behavior, and alert in their presence.
 
 ##### Detection tooling

cmake/modules/CatchAddTests.cmake

@@ -45,7 +45,7 @@ string(REPLACE "\n" ";" output "${output}")
 # Parse output
 foreach(line ${output})
   set(test ${line})
-  # use escape commas to handle properly test cases with commans inside the name
+  # use escape commas to handle properly test cases with commands inside the name
   string(REPLACE "," "\\," test_name ${test})
   # ...and add to script
   add_command(add_test "${prefix}${test}${suffix}" ${TEST_EXECUTOR} "${TEST_EXECUTABLE}" "${test_name}" ${extra_args})

cmake/modules/DownloadStringViewLite.cmake

@@ -24,6 +24,7 @@ ExternalProject_Add(
   GIT_TAG "v1.4.0"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""
+  UPDATE_COMMAND ""
   INSTALL_COMMAND
     ${CMAKE_COMMAND} -E copy ${STRING_VIEW_LITE_PREFIX}/src/string-view-lite/include/nonstd/string_view.hpp
     ${STRING_VIEW_LITE_INCLUDE}/nonstd/string_view.hpp)

cmake/modules/civetweb.cmake

@@ -12,8 +12,8 @@
 #
 
 set(CIVETWEB_SRC "${PROJECT_BINARY_DIR}/civetweb-prefix/src/civetweb/")
-set(CIVETWEB_LIB "${CIVETWEB_SRC}/install/${CMAKE_INSTALL_LIBDIR}/libcivetweb.a")
-SET(CIVETWEB_CPP_LIB "${CIVETWEB_SRC}/install/${CMAKE_INSTALL_LIBDIR}/libcivetweb-cpp.a")
+set(CIVETWEB_LIB "${CIVETWEB_SRC}/install/lib/libcivetweb.a")
+SET(CIVETWEB_CPP_LIB "${CIVETWEB_SRC}/install/lib/libcivetweb-cpp.a")
 set(CIVETWEB_INCLUDE_DIR "${CIVETWEB_SRC}/install/include")
 message(STATUS "Using bundled civetweb in '${CIVETWEB_SRC}'")
 if (USE_BUNDLED_OPENSSL)
@@ -25,6 +25,7 @@ if (USE_BUNDLED_OPENSSL)
             INSTALL_DIR ${CIVETWEB_SRC}/install
             CMAKE_ARGS
             -DBUILD_TESTING=off
+            -DCMAKE_INSTALL_LIBDIR=lib
             -DCIVETWEB_BUILD_TESTING=off
             -DCIVETWEB_ENABLE_CXX=on
             -DCIVETWEB_ENABLE_SERVER_EXECUTABLE=off

cmake/modules/copy_files_to_build_dir.cmake

@@ -0,0 +1,30 @@
+#
+# Copyright (C) 2022 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+function(copy_files_to_build_dir source_files targetsuffix)
+
+  set(build_files)
+
+  foreach(file_path ${source_files})
+	  get_filename_component(trace_file ${file_path} NAME)
+	  list(APPEND build_files ${CMAKE_CURRENT_BINARY_DIR}/${trace_file})
+  endforeach()
+
+  add_custom_target(copy-files-${targetsuffix} ALL
+	  DEPENDS ${build_files})
+
+  add_custom_command(OUTPUT ${build_files}
+	  COMMAND ${CMAKE_COMMAND} -E copy_if_different ${source_files} ${CMAKE_CURRENT_BINARY_DIR}
+	  DEPENDS ${source_files})
+
+endfunction()

cmake/modules/cxxopts.cmake

@@ -0,0 +1,23 @@
+#
+# Copyright (C) 2022 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(CXXOPTS_SRC "${PROJECT_BINARY_DIR}/cxxopts-prefix/src/cxxopts/")
+set(CXXOPTS_INCLUDE_DIR "${CXXOPTS_SRC}/include")
+
+ExternalProject_Add(
+        cxxopts
+        URL "https://github.com/jarro2783/cxxopts/archive/refs/tags/v3.0.0.tar.gz"
+        URL_HASH "SHA256=36f41fa2a46b3c1466613b63f3fa73dc24d912bc90d667147f1e43215a8c6d00"
+	CONFIGURE_COMMAND ""
+	BUILD_COMMAND ""
+	INSTALL_COMMAND "")

cmake/modules/falcosecurity-libs.cmake

@@ -24,8 +24,8 @@ else()
   # default below In case you want to test against another falcosecurity/libs version just pass the variable - ie., `cmake
   # -DFALCOSECURITY_LIBS_VERSION=dev ..`
   if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "319368f1ad778691164d33d59945e00c5752cd27")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=2cf44f06a282e8cee7aa1f775a08ea94c06e275faaf0636b21eb06af28cf4b3f")
+    set(FALCOSECURITY_LIBS_VERSION "b7eb0dd65226a8dc254d228c8d950d07bf3521d2")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=0f6dcdc3b94243c91294698ee343806539af81c5b33c60c6acf83fc1aa455e85")
   endif()
 
   # cd /path/to/build && cmake /path/to/source
@@ -47,8 +47,8 @@ if(MUSL_OPTIMIZED_BUILD)
   add_definitions(-DMUSL_OPTIMIZED)
 endif()
 
-set(PROBE_VERSION "${FALCOSECURITY_LIBS_VERSION}")
-set(PROBE_NAME "falco")
+set(DRIVER_VERSION "${FALCOSECURITY_LIBS_VERSION}")
+set(DRIVER_NAME "falco")
 set(DRIVER_PACKAGE_NAME "falco")
 set(SCAP_BPF_PROBE_ENV_VAR_NAME "FALCO_BPF_PROBE")
 set(SCAP_HOST_ROOT_ENV_VAR_NAME "HOST_ROOT")

docker/local/rules/CMakeLists.txt

@@ -1,13 +1,7 @@
+include(copy_files_to_build_dir)
+
 # Note: list of rules is created at cmake time, not build time
 file(GLOB test_rule_files
 	"${CMAKE_CURRENT_SOURCE_DIR}/../../../test/rules/*.yaml")
 
-foreach(rule_file_path ${test_rule_files})
-	get_filename_component(rule_file ${rule_file_path} NAME)
-	add_custom_target(docker-local-rule-${rule_file} ALL
-		DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${rule_file})
-	add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${rule_file}
-		COMMAND ${CMAKE_COMMAND} -E copy ${rule_file_path} ${CMAKE_CURRENT_BINARY_DIR}/${rule_file}
-		DEPENDS ${rule_file_path})
-endforeach()
-
+copy_files_to_build_dir("${test_rule_files}" docker-local-rules)

docker/local/traces/CMakeLists.txt

@@ -1,13 +1,7 @@
+include(copy_files_to_build_dir)
+
 # Note: list of traces is created at cmake time, not build time
 file(GLOB test_trace_files
 	"${CMAKE_CURRENT_SOURCE_DIR}/../../../test/trace_files/*.scap")
 
-foreach(trace_file_path ${test_trace_files})
-	get_filename_component(trace_file ${trace_file_path} NAME)
-	add_custom_target(docker-local-trace-${trace_file} ALL
-		DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${trace_file})
-	add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
-		COMMAND ${CMAKE_COMMAND} -E copy ${trace_file_path} ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
-		DEPENDS ${trace_file_path})
-endforeach()
-
+copy_files_to_build_dir("${test_trace_files}" docker-local-traces)

proposals/20190909-psp-rules-support.md

@@ -27,7 +27,7 @@ That's where Falco comes in. We want to make it possible for Falco to perform a
 
 Transparently read a candidate PSP into an equivalent set of Falco rules that can look for the conditions in the PSP.
 
-The PSP is converted into a set of Falco rules which can be either saved as a file for later use/inspection, or loaded directly so they they can monitor system calls and k8s audit activity.
+The PSP is converted into a set of Falco rules which can be either saved as a file for later use/inspection, or loaded directly so that they can monitor system calls and k8s audit activity.
 
 ### Non-Goals
 
@@ -51,6 +51,6 @@ No diagrams yet.
 
 * We'll use [inja](https://github.com/pantor/inja) as the templating engine.
 
-* For the most part, we can rely on the existing framework of rules, filter expressions, and output expressions that already exist in Falco. One significant change will be that filter fields can extract more than one "value" per event, and we'll need to define new operators to perform set comparisions betweeen values in an event and values in the comparison right-hand-side.
+* For the most part, we can rely on the existing framework of rules, filter expressions, and output expressions that already exist in Falco. One significant change will be that filter fields can extract more than one "value" per event, and we'll need to define new operators to perform set comparisons between values in an event and values in the comparison right-hand-side.
 
 * This will rely heavily on existing support for [K8s Audit Events](https://falco.org/docs/event-sources/kubernetes-audit/) in Falco.

proposals/20191030-api.md

@@ -6,13 +6,13 @@ This is a proposal to better structure the Falco API.
 
 The Falco API is a set of contracts describing how users can interacts with Falco.
 
-By definiing a set of interfaces the Falco Authors intend to decouple Falco from other softwares and data (eg., from the input sources) and, at the same time, make it more extensible.
+By defining a set of interfaces the Falco Authors intend to decouple Falco from other softwares and data (eg., from the input sources) and, at the same time, make it more extensible.
 
-Thus, this document intent is to propose a list of services that contistute the Falco API (targeting the first stable version of Falco, v1.0.0).
+Thus, this document intent is to propose a list of services that constitute the Falco API (targeting the first stable version of Falco, v1.0.0).
 
 ## Motivation
 
-We want to enable users to use thirdy-party clients to interface with Falco outputs, inputs, rules, and configurations.
+We want to enable users to use third-party clients to interface with Falco outputs, inputs, rules, and configurations.
 
 Such ability would enable the community to create a whole set of OSS tools, built on top of Falco.
 
@@ -94,7 +94,7 @@ This translates in having the following set of `proto` files.
     }
     ```
 
-- one or more `.proto` containing the commond models - ie., the already existing `schema.proto` containing source enum, etc.
+- one or more `.proto` containing the command models - ie., the already existing `schema.proto` containing source enum, etc.
 
     ```proto3
     # schema.proto

proposals/20191217-rules-naming-convention.md

@@ -36,7 +36,7 @@ There will be no intention to cover Falco rule syntax in this proposal.
 
 ### Use cases
 
-When new PRs are created in the area of rules, reviewers need to examine whether there are new rules, macros or lists are introduced. If yes, check wether follow the naming convention.
+When new PRs are created in the area of rules, reviewers need to examine whether there are new rules, macros or lists are introduced. If yes, check whether follow the naming convention.
 
 ### Diagrams
 

proposals/20200506-artifacts-scope-part-1.md

@@ -82,7 +82,7 @@ This is done as needed, and can best be measured by the need to cut a release an
 
 ### official support
 
-As the need for a project grows, it can ultimately achieve the highest and most coveted status within The Falco Project. "_Offical support_."
+As the need for a project grows, it can ultimately achieve the highest and most coveted status within The Falco Project. "_Official support_."
 
 The artifacts listed above are part of the official Falco release process. These artifact will be refined and amended by the [Part 2](./20200506-artifacts-scope-part-2.md).
 
@@ -111,4 +111,4 @@ Update documentation in [falco-website#184](https://github.com/falcosecurity/fal
 ### Adjusting projects
 
  - YAML manifest documentation to be moved to `contrib`
- - Minkube, Kind, Puppet, Ansible, etc documentation to be moved to `contrib`
+ - Minikube, Kind, Puppet, Ansible, etc documentation to be moved to `contrib`

proposals/20200828-structured-exception-handling.md

@@ -196,13 +196,13 @@ Exception values will most commonly be defined in rules with append: true. Here'
 
 A rule exception applies if for a given event, the fields in a rule.exception match all of the values in some exception.item. For example, if a program `apk` writes to a file below `/usr/lib/alpine`, the rule will not trigger, even if the condition is met.
 
-Notice that an item in a values list can be a list. This allows building exceptions with operators like "in", "pmatch", etc. that work on a list of items. The item can also be a name of an existing list. If not present surrounding parantheses will be added.
+Notice that an item in a values list can be a list. This allows building exceptions with operators like "in", "pmatch", etc. that work on a list of items. The item can also be a name of an existing list. If not present surrounding parentheses will be added.
 
 Finally, note that the structure of the values property differs between the items where fields is a list of fields (proc_writer/container_writer/proc_filenames) and when it is a single field (procs_only). This changes how the condition snippet is constructed.
 
 ### Implementation
 
-For exception items where the fields property is a list of field names, each exception can be thought of as an implicit "and not (field1 cmp1 val1 and field2 cmp2 val2 and...)" appended to the rule's condition. For exception items where the fields property is a single field name, the exception can be thought of as an implict "and not field cmp (val1, val2, ...)". In practice, that's how exceptions will be implemented.
+For exception items where the fields property is a list of field names, each exception can be thought of as an implicit "and not (field1 cmp1 val1 and field2 cmp2 val2 and...)" appended to the rule's condition. For exception items where the fields property is a single field name, the exception can be thought of as an implicit "and not field cmp (val1, val2, ...)". In practice, that's how exceptions will be implemented.
 
 When a rule is parsed, the original condition will be wrapped in an extra layer of parentheses and all exception values will be appended to the condition. For example, using the example above, the resulting condition will be:
 
@@ -214,7 +214,7 @@ When a rule is parsed, the original condition will be wrapped in an extra layer
 	(fd.filename in (python, go))))
 ```
 
-The exceptions are effectively syntatic sugar that allows expressing sets of exceptions in a concise way.
+The exceptions are effectively syntactic sugar that allows expressing sets of exceptions in a concise way.
 
 ### Advantages
 

proposals/20200901-artifacts-cleanup.md

@@ -2,7 +2,7 @@
 
 This document reflects when and how we clean up the Falco artifacts from their storage location.
 
-**Superseeded by**: [drivers-storage-s3 proposal](https://github.com/falcosecurity/falco/blob/master/proposals/20201025-drivers-storage-s3.md).
+**Superseded by**: [drivers-storage-s3 proposal](https://github.com/falcosecurity/falco/blob/master/proposals/20201025-drivers-storage-s3.md).
 
 ## Motivation
 
@@ -90,7 +90,7 @@ This way, assuming the number of prebuilt drivers does not skyrocket, we can rea
 
 Notice that, in case a Falco stable release will not depend on a new driver version, this means the last two driver versions will, in this case, cover more than the two Falco stable releases.
 
-### Archivation
+### Archiving
 
 Since the process of building drivers is time and resource consuming, this document also proposes to move the driver versions in other storage facilities.
 

proposals/20210501-plugin-system.md

@@ -66,7 +66,7 @@ Source plugins also provide an "id", which is globally unique and is used in cap
 
 An extractor plugin focuses only on field extraction from events generated by other plugins, or by the core libraries. It does *not* provide an event source, but can extract fields from other event sources. An example is json field extraction, where a plugin might be able to extract fields from arbitrary json payloads.
 
-An extractor plugin provides an optional set of event sources. When the framework receives an event with an event source in the plugin's set of event sources, fields in expressions/Falco outputs will be extracted from events using the plugin. An extractor plugin can also *not* name a set of event sources. In this case, fields will be extracted from *all* events, regardless of source. In this case, the exctractor plugin must detect the format of arbitrary payloads and be able to return NULL/no value when the payload is not supported.
+An extractor plugin provides an optional set of event sources. When the framework receives an event with an event source in the plugin's set of event sources, fields in expressions/Falco outputs will be extracted from events using the plugin. An extractor plugin can also *not* name a set of event sources. In this case, fields will be extracted from *all* events, regardless of source. In this case, the extractor plugin must detect the format of arbitrary payloads and be able to return NULL/no value when the payload is not supported.
 
 ### Support for Plugin Events in Capture Files.
 
@@ -91,7 +91,7 @@ The libraries will do everything possible to validate the data coming from the p
 
 ### Plugin/Event Source registries
 
-Every source plugin requires its own, unique plugin ID to interoperate with Falco and the other plugins. The plugin ID will be used by the libs to properly process incoming events (for example, when saving events to file and loading them back), and by plugins to unuambiguosly recognize their dependencies.
+Every source plugin requires its own, unique plugin ID to interoperate with Falco and the other plugins. The plugin ID will be used by the libs to properly process incoming events (for example, when saving events to file and loading them back), and by plugins to unambiguously recognize their dependencies.
 
 To facilitate the allocation and distribution of plugin IDs, we will require that plugin developers request IDs for their plugins to the Falco organization. The mechanism used for plugin allocation is not determined yet and will be discussed in the future.
 
@@ -474,7 +474,7 @@ typedef struct
 	// Return value: a json array of strings containing event
 	//   sources returned by a source plugin's get_event_source()
 	//   function.
-	// This function is optional--if NULL then the exctractor
+	// This function is optional--if NULL then the extractor
 	// plugin will receive every event.
 	//
 	char* (*get_extract_event_sources)();
@@ -526,7 +526,7 @@ We will also make a change to compile rules/macros/lists selectively based on th
 
 ### Handling Duplicate/Overlapping Fields in Plugins/Libraries Core
 
-At an initial glance, adding plugins introduces the possibility of tens/hundreds of new filtercheck fields that could potentially overlap/conflict. For example, what happens if a plugin defines a "proc.name" field? However, the notion of "event source" makes these potential conflicts managable.
+At an initial glance, adding plugins introduces the possibility of tens/hundreds of new filtercheck fields that could potentially overlap/conflict. For example, what happens if a plugin defines a "proc.name" field? However, the notion of "event source" makes these potential conflicts manageable.
 
 Remember that field extraction is always done in the context of an event, and each event can be mapped back to an event source. So we only need to ensure that filtercheck fields are distinct for a given event source. For example, it's perfectly valid for an AWS Cloudtrail plugin to define a proc.name field, as the events generated by that plugin are wholly separate from syscall events. For syscall events, the AWS Cloudtrail plugin is not involved and the core libraries extract the process name for the tid performing a syscall. For AWS Cloudtrail events, the core libraries are not involved in field extraction and is performed by the AWS Cloudtrail plugin instead.
 

rules/aws_cloudtrail_rules.yaml

@@ -341,7 +341,7 @@
       json.value[/requestParameters/PublicAccessBlockConfiguration/BlockPublicAcls]=false or
       json.value[/requestParameters/PublicAccessBlockConfiguration/IgnorePublicAcls]=false)
   output:
-    A pulic access block for a bucket has been deleted
+    A public access block for a bucket has been deleted
     (requesting user=%ct.user,
      requesting IP=%ct.srcip,
      AWS region=%ct.region,

rules/falco_rules.yaml

@@ -225,7 +225,7 @@
 # The truncated dpkg-preconfigu is intentional, process names are
 # truncated at the falcosecurity-libs level.
 - list: package_mgmt_binaries
-  items: [rpm_binaries, deb_binaries, update-alternat, gem, pip, pip3, sane-utils.post, alternatives, chef-client, apk, snapd]
+  items: [rpm_binaries, deb_binaries, update-alternat, gem, npm, pip, pip3, sane-utils.post, alternatives, chef-client, apk, snapd]
 
 - macro: package_mgmt_procs
   condition: proc.name in (package_mgmt_binaries)
@@ -564,7 +564,7 @@
 
 # Qualys seems to run a variety of shell subprocesses, at various
 # levels. This checks at a few levels without the cost of a full
-# proc.aname, which traverses the full parent heirarchy.
+# proc.aname, which traverses the full parent hierarchy.
 - macro: run_by_qualys
   condition: >
     (proc.pname=qualys-cloud-ag or
@@ -775,6 +775,9 @@
 - macro: centrify_writing_krb
   condition: (proc.name in (adjoin,addns) and fd.name startswith /etc/krb5)
 
+- macro: sssd_writing_krb
+  condition: (proc.name=adcli and proc.aname[2]=sssd and fd.name startswith /etc/krb5)
+
 - macro: cockpit_writing_conf
   condition: >
     ((proc.pname=cockpit-kube-la or proc.aname[2]=cockpit-kube-la)
@@ -1103,7 +1106,7 @@
   condition: (proc.name=oc and fd.name startswith /etc/origin/node)
 
 - macro: keepalived_writing_conf
-  condition: (proc.name=keepalived and fd.name=/etc/keepalived/keepalived.conf)
+  condition: (proc.name in (keepalived, kube-keepalived) and fd.name=/etc/keepalived/keepalived.conf)
 
 - macro: etcd_manager_updating_dns
   condition: (container and proc.name=etcd-manager and fd.name=/etc/hosts)
@@ -1218,6 +1221,7 @@
     and not nginx_writing_certs
     and not chef_client_writing_conf
     and not centrify_writing_krb
+    and not sssd_writing_krb
     and not cockpit_writing_conf
     and not ipsec_writing_conf
     and not httpd_writing_ssl_conf
@@ -2189,7 +2193,7 @@
 #   output: "sshd sent error message to syslog (error=%evt.buffer)"
 #   priority: WARNING
 
-- macro: somebody_becoming_themself
+- macro: somebody_becoming_themselves
   condition: ((user.name=nobody and evt.arg.uid=nobody) or
               (user.name=www-data and evt.arg.uid=www-data) or
               (user.name=_apt and evt.arg.uid=_apt) or
@@ -2227,7 +2231,7 @@
     evt.type=setuid and evt.dir=>
     and (known_user_in_container or not container)
     and not (user.name=root or user.uid=0)
-    and not somebody_becoming_themself
+    and not somebody_becoming_themselves
     and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries,
                           nomachine_binaries)
     and not proc.name startswith "runc:"
@@ -2251,7 +2255,7 @@
     activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded.
     Activity in containers is also excluded--some containers create custom users on top
     of a base linux distribution at startup.
-    Some innocuous commandlines that don't actually change anything are excluded.
+    Some innocuous command lines that don't actually change anything are excluded.
   condition: >
     spawned_process and proc.name in (user_mgmt_binaries) and
     not proc.name in (su, sudo, lastlog, nologin, unix_chkpwd) and not container and
@@ -2301,7 +2305,7 @@
 # explicitly enumerate the container images that you want to allow
 # access to EC2 metadata. In this main falco rules file, there isn't
 # any way to know all the containers that should have access, so any
-# container is alllowed, by repeating the "container" macro. In the
+# container is allowed, by repeating the "container" macro. In the
 # overridden macro, the condition would look something like
 # (container.image.repository = vendor/container-1 or
 # container.image.repository = vendor/container-2 or ...)
@@ -2564,15 +2568,15 @@
   condition: >
     (modify and (
       evt.arg.name contains "bash_history" or
-      evt.arg.name contains "zsh_history" or
+      evt.arg.name endswith "zsh_history" or
       evt.arg.name contains "fish_read_history" or
       evt.arg.name endswith "fish_history" or
       evt.arg.oldpath contains "bash_history" or
-      evt.arg.oldpath contains "zsh_history" or
+      evt.arg.oldpath endswith "zsh_history" or
       evt.arg.oldpath contains "fish_read_history" or
       evt.arg.oldpath endswith "fish_history" or
       evt.arg.path contains "bash_history" or
-      evt.arg.path contains "zsh_history" or
+      evt.arg.path endswith "zsh_history" or
       evt.arg.path contains "fish_read_history" or
       evt.arg.path endswith "fish_history"))
 
@@ -2580,7 +2584,7 @@
   condition: >
     (open_write and (
       fd.name contains "bash_history" or
-      fd.name contains "zsh_history" or
+      fd.name endswith "zsh_history" or
       fd.name contains "fish_read_history" or
       fd.name endswith "fish_history") and evt.arg.flags contains "O_TRUNC")
 
@@ -2619,7 +2623,7 @@
   items: [hyperkube, kubelet, k3s-agent]
 
 # This macro should be overridden in user rules as needed. This is useful if a given application
-# should not be ignored alltogether with the user_known_chmod_applications list, but only in
+# should not be ignored altogether with the user_known_chmod_applications list, but only in
 # specific conditions.
 - macro: user_known_set_setuid_or_setgid_bit_conditions
   condition: (never_true)
@@ -2814,7 +2818,7 @@
   desc: Miners typically connect to miner pools on common ports.
   condition: net_miner_pool and not trusted_images_query_miner_domain_dns
   enabled: false
-  output: Outbound connection to IP/Port flagged by cryptoioc.ch (command=%proc.cmdline port=%fd.rport ip=%fd.rip container=%container.info image=%container.image.repository)
+  output: Outbound connection to IP/Port flagged by https://cryptoioc.ch (command=%proc.cmdline port=%fd.rport ip=%fd.rip container=%container.info image=%container.image.repository)
   priority: CRITICAL
   tags: [network, mitre_execution]
 
@@ -3058,7 +3062,7 @@
   condition: (proc.args="" or proc.args intersects ("-V", "-l", "-h"))
 
 - rule: Mount Launched in Privileged Container
-  desc: Detect file system mount happened inside a privilegd container which might lead to container escape.
+  desc: Detect file system mount happened inside a privileged container which might lead to container escape.
   condition: >
     spawned_process and container
     and container.privileged=true
@@ -3120,7 +3124,17 @@
   priority: NOTICE
   tags: [network, process, mitre_command_and_control]
 
+# This rule helps detect CVE-2021-4034:
+# A privilege escalation to root through memory corruption
+- rule: Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034)
+  desc: "This rule detects an attempt to exploit a privilege escalation vulnerability in Polkit's pkexec. By running specially crafted code, a local user can leverage this flaw to gain root privileges on a compromised system"
+  condition:
+    spawned_process and user.uid != 0 and proc.name=pkexec and proc.args = ''
+  output:
+    "Detect Polkit pkexec Local Privilege Escalation Exploit (CVE-2021-4034) (user=%user.loginname uid=%user.loginuid command=%proc.cmdline args=%proc.args)"
+  priority: CRITICAL
+  tags: [process, mitre_privilege_escalation]
+
 # Application rules have moved to application_rules.yaml. Please look
 # there if you want to enable them by adding to
 # falco_rules.local.yaml.
-

rules/k8s_audit_rules.yaml

@@ -366,7 +366,7 @@
   tags: [k8s]
 
 # Detect any attempt to create a ClusterRoleBinding to the cluster-admin user
-# (exapand this to any built-in cluster role that does "sensitive" things)
+# (expand this to any built-in cluster role that does "sensitive" things)
 - rule: Attach to cluster-admin Role
   desc: Detect any attempt to create a ClusterRoleBinding to the cluster-admin user
   condition: kevt and clusterrolebinding and kcreate and ka.req.binding.role=cluster-admin
@@ -572,7 +572,7 @@
 # cluster creation. This may signify a permission setting too broader.
 # As we can't check for role of the user on a general ka.* event, this
 # may or may not be an administrator. Customize the full_admin_k8s_users
-# list to your needs, and activate at your discrection.
+# list to your needs, and activate at your discretion.
 
 # # How to test:
 # # Execute any kubectl command connected using default cluster user, as:

scripts/debian/postinst.in

@@ -18,7 +18,7 @@
 set -e
 
 DKMS_PACKAGE_NAME="@PACKAGE_NAME@"
-DKMS_VERSION="@PROBE_VERSION@"
+DKMS_VERSION="@DRIVER_VERSION@"
 NAME="@PACKAGE_NAME@"
 
 postinst_found=0

scripts/debian/prerm.in

@@ -18,7 +18,7 @@
 set -e
 
 DKMS_PACKAGE_NAME="@PACKAGE_NAME@"
-DKMS_VERSION="@PROBE_VERSION@"
+DKMS_VERSION="@DRIVER_VERSION@"
 
 case "$1" in
 	remove|upgrade|deconfigure)

scripts/falco-driver-loader

@@ -514,7 +514,7 @@ print_usage() {
 	echo "  --source-only  skip execution and allow sourcing in another script"
 	echo ""
 	echo "Environment variables:"
-	echo "  DRIVER_REPO              specify a different URL where to look for prebuilt Falco drivers"
+	echo "  DRIVERS_REPO             specify a different URL where to look for prebuilt Falco drivers"
 	echo "  DRIVER_NAME              specify a different name for the driver"
 	echo "  DRIVER_INSECURE_DOWNLOAD whether you want to allow insecure downloads or not"
 	echo ""
@@ -547,8 +547,8 @@ if [[ -z "$MAX_RMMOD_WAIT" ]]; then
 	MAX_RMMOD_WAIT=60
 fi
 
-DRIVER_VERSION="@PROBE_VERSION@"
-DRIVER_NAME=${DRIVER_NAME:-"@PROBE_NAME@"}
+DRIVER_VERSION="@DRIVER_VERSION@"
+DRIVER_NAME=${DRIVER_NAME:-"@DRIVER_NAME@"}
 FALCO_VERSION="@FALCO_VERSION@"
 
 DRIVER="module"

scripts/rpm/postinstall.in

@@ -15,7 +15,7 @@
 # limitations under the License.
 #
 
-mod_version="@PROBE_VERSION@"
+mod_version="@DRIVER_VERSION@"
 dkms add -m falco -v $mod_version --rpm_safe_upgrade
 if [ `uname -r | grep -c "BOOT"` -eq 0 ] && [ -e /lib/modules/`uname -r`/build/include ]; then
 	dkms build -m falco -v $mod_version

scripts/rpm/preuninstall.in

@@ -15,5 +15,5 @@
 # limitations under the License.
 #
 
-mod_version="@PROBE_VERSION@"
+mod_version="@DRIVER_VERSION@"
 dkms remove -m falco -v $mod_version --all --rpm_safe_upgrade

test/CMakeLists.txt

@@ -1,7 +1,4 @@
 add_subdirectory(trace_files)
 
-add_custom_target(test-trace-files ALL)
-add_dependencies(test-trace-files trace-files-base-scap trace-files-psp trace-files-k8s-audit trace-files-plugins)
-
 add_subdirectory(plugins)
 add_subdirectory(confs/plugins)

test/README.md

@@ -71,7 +71,7 @@ The `falco_traces.yaml` test suite gets generated through the `falco_traces.yaml
 
 ### falco_tests_package
 
-The `falco_tests_package.yaml` test suite requires some additional setup steps to be succesfully run on your local machine.
+The `falco_tests_package.yaml` test suite requires some additional setup steps to be successfully run on your local machine.
 
 In particular, it requires some runners (ie., docker images) to be already built and present into your local machine.
 

test/falco_test.py

@@ -524,10 +524,10 @@ class FalcoTest(Test):
                 ["md5sum", "/boot/config-{}".format(kernel_release)]).rstrip()
             config_hash = md5_output.split(" ")[0]
 
-            probe_filename = "falco-{}-{}-{}-{}.ko".format(
+            driver_filename = "falco-{}-{}-{}-{}.ko".format(
                 falco_version, arch, kernel_release, config_hash)
             driver_path = os.path.join(self.falcodir, "driver", "falco.ko")
-            module_path = os.path.join(self.module_dir, probe_filename)
+            module_path = os.path.join(self.module_dir, driver_filename)
             self.log.debug("Copying {} to {}".format(driver_path, module_path))
             shutil.copyfile(driver_path, module_path)
 

test/falco_tests.yaml

@@ -44,8 +44,8 @@ trace_files: !mux
       - not_equals_after_evttype: [execve]
       - not_after_evttype: [execve]
       - leading_trailing_evttypes: [execve,open]
-      - leading_multtrailing_evttypes: [connect,execve,open]
-      - leading_multtrailing_evttypes_using_in: [connect,execve,open]
+      - leading_multitrailing_evttypes: [connect,execve,open]
+      - leading_multitrailing_evttypes_using_in: [connect,execve,open]
       - not_equals_at_end: [all]
       - not_at_end: [all]
       - not_before_trailing_evttype: [all]
@@ -408,8 +408,7 @@ trace_files: !mux
   invalid_overwrite_macro:
     exit_status: 1
     stdout_contains: |+
-      .*invalid_base_macro.yaml: 1 warnings:
-      macro some macro not refered to by any rule/macro
+      .*invalid_base_macro.yaml: Ok
       .*invalid_overwrite_macro.yaml: 1 errors:
       Compilation error when compiling "foo": Undefined macro 'foo' used in filter.
       ---
@@ -425,8 +424,7 @@ trace_files: !mux
   invalid_append_macro:
     exit_status: 1
     stdout_contains: |+
-      .*invalid_base_macro.yaml: 1 warnings:
-      macro some macro not refered to by any rule/macro
+      .*invalid_base_macro.yaml: Ok
       .*invalid_append_macro.yaml: 1 errors:
       Compilation error when compiling "evt.type=execve foo": 17: syntax error, unexpected 'foo', expecting 'or', 'and'
       ---
@@ -1183,7 +1181,7 @@ trace_files: !mux
   skip_unknown_error:
     exit_status: 1
     stderr_contains: |+
-      When loading rules: 1 errors:
+      Could not load rules file.*skip_unknown_error.yaml: 1 errors:
       Rule Contains Unknown Event And Not Skipping: error filter_check called with nonexistent field proc.nobody
       ---
       - rule: Contains Unknown Event And Not Skipping
@@ -1200,7 +1198,7 @@ trace_files: !mux
   skip_unknown_unspec_error:
     exit_status: 1
     stderr_contains: |+
-      When loading rules: 1 errors:
+      Could not load rules file .*skip_unknown_unspec.yaml: 1 errors:
       Rule Contains Unknown Event And Unspecified: error filter_check called with nonexistent field proc.nobody
       ---
       - rule: Contains Unknown Event And Unspecified

test/falco_tests_plugins.yaml

@@ -82,9 +82,7 @@ trace_files: !mux
 
   incompat_plugin_rules_version:
     exit_status: 1
-    stderr_contains: |+
-      Runtime error: When loading rules: 1 errors:
-      Plugin cloudtrail version .* not compatible with required plugin version 100000.0.0
+    stderr_contains: "Runtime error: Plugin cloudtrail version .* not compatible with required plugin version 100000.0.0. Exiting."
     conf_file: BUILD_DIR/test/confs/plugins/cloudtrail_json_create_instances.yaml
     rules_file:
       - rules/plugins/cloudtrail_incompat_plugin_version.yaml

test/rules/falco_rules_warnings.yaml

@@ -56,13 +56,13 @@
   output: "None"
   priority: WARNING
 
-- rule: leading_multtrailing_evttypes
+- rule: leading_multitrailing_evttypes
   desc: one evttype at beginning, multiple at end
   condition: evt.type=execve and proc.name=foo or evt.type=open or evt.type=connect
   output: "None"
   priority: WARNING
 
-- rule: leading_multtrailing_evttypes_using_in
+- rule: leading_multitrailing_evttypes_using_in
   desc: one evttype at beginning, multiple at end, using in
   condition: evt.type=execve and proc.name=foo or evt.type in (open, connect)
   output: "None"

test/rules/k8s_audit/engine_v4_k8s_audit_rules.yaml

@@ -246,7 +246,7 @@
   tags: [k8s]
 
 # Detect any attempt to create a ClusterRoleBinding to the cluster-admin user
-# (exapand this to any built-in cluster role that does "sensitive" things)
+# (expand this to any built-in cluster role that does "sensitive" things)
 - rule: Attach to cluster-admin Role
   desc: Detect any attempt to create a ClusterRoleBinding to the cluster-admin user
   condition: kevt and clusterrolebinding and kcreate and ka.req.binding.role=cluster-admin

test/trace_files/CMakeLists.txt

@@ -2,19 +2,11 @@ add_subdirectory(k8s_audit)
 add_subdirectory(psp)
 add_subdirectory(plugins)
 
+include(copy_files_to_build_dir)
+
 # Note: list of traces is created at cmake time, not build time
 file(GLOB test_trace_files
 	"${CMAKE_CURRENT_SOURCE_DIR}/*.scap")
 
-foreach(trace_file_path ${test_trace_files})
-	get_filename_component(trace_file ${trace_file_path} NAME)
-	add_custom_target(test-trace-${trace_file} ALL
-		DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${trace_file})
-	add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
-		COMMAND ${CMAKE_COMMAND} -E copy ${trace_file_path} ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
-		DEPENDS ${trace_file_path})
-	list(APPEND BASE_SCAP_TRACE_FILES_TARGETS test-trace-${trace_file})
-endforeach()
+copy_files_to_build_dir("${test_trace_files}" base-scap)
 
-add_custom_target(trace-files-base-scap ALL)
-add_dependencies(trace-files-base-scap ${BASE_SCAP_TRACE_FILES_TARGETS})

test/trace_files/k8s_audit/CMakeLists.txt

@@ -1,16 +1,7 @@
+include(copy_files_to_build_dir)
+
 # Note: list of traces is created at cmake time, not build time
 file(GLOB test_trace_files
 	"${CMAKE_CURRENT_SOURCE_DIR}/*.json")
 
-foreach(trace_file_path ${test_trace_files})
-	get_filename_component(trace_file ${trace_file_path} NAME)
-	add_custom_target(test-trace-${trace_file} ALL
-		DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${trace_file})
-	add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
-		COMMAND ${CMAKE_COMMAND} -E copy ${trace_file_path} ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
-		DEPENDS ${trace_file_path})
-	list(APPEND K8S_AUDIT_TRACE_FILES_TARGETS test-trace-${trace_file})
-endforeach()
-
-add_custom_target(trace-files-k8s-audit ALL)
-add_dependencies(trace-files-k8s-audit ${K8S_AUDIT_TRACE_FILES_TARGETS})
+copy_files_to_build_dir("${test_trace_files}" k8s-audit)

test/trace_files/plugins/CMakeLists.txt

@@ -1,16 +1,7 @@
+include(copy_files_to_build_dir)
+
 # Note: list of traces is created at cmake time, not build time
 file(GLOB test_trace_files
 	"${CMAKE_CURRENT_SOURCE_DIR}/*.json")
 
-foreach(trace_file_path ${test_trace_files})
-	get_filename_component(trace_file ${trace_file_path} NAME)
-	add_custom_target(test-trace-${trace_file} ALL
-		DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${trace_file})
-	add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
-		COMMAND ${CMAKE_COMMAND} -E copy ${trace_file_path} ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
-		DEPENDS ${trace_file_path})
-	list(APPEND PLUGINS_TRACE_FILES_TARGETS test-trace-${trace_file})
-endforeach()
-
-add_custom_target(trace-files-plugins ALL)
-add_dependencies(trace-files-plugins ${PLUGINS_TRACE_FILES_TARGETS})
+copy_files_to_build_dir("${test_trace_files}" plugins)

test/trace_files/psp/CMakeLists.txt

@@ -1,17 +1,8 @@
+include(copy_files_to_build_dir)
+
 # Note: list of traces is created at cmake time, not build time
 file(GLOB test_trace_files
 	"${CMAKE_CURRENT_SOURCE_DIR}/*.json"
 	"${CMAKE_CURRENT_SOURCE_DIR}/*.scap")
 
-foreach(trace_file_path ${test_trace_files})
-	get_filename_component(trace_file ${trace_file_path} NAME)
-	add_custom_target(test-trace-${trace_file} ALL
-		DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${trace_file})
-	add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
-		COMMAND ${CMAKE_COMMAND} -E copy ${trace_file_path} ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
-		DEPENDS ${trace_file_path})
-	list(APPEND PSP_TRACE_FILES_TARGETS test-trace-${trace_file})
-endforeach()
-
-add_custom_target(trace-files-psp ALL)
-add_dependencies(trace-files-psp ${PSP_TRACE_FILES_TARGETS})
+copy_files_to_build_dir("${test_trace_files}" psp)

userspace/engine/CMakeLists.txt

@@ -18,7 +18,8 @@ set(FALCO_ENGINE_SOURCE_FILES
     falco_engine.cpp
     falco_utils.cpp
     json_evt.cpp
-    ruleset.cpp)
+    ruleset.cpp
+    formats.cpp)
 
 add_library(falco_engine STATIC ${FALCO_ENGINE_SOURCE_FILES})
 add_dependencies(falco_engine njson lyaml lpeg string-view-lite)

userspace/engine/falco_engine.cpp

@@ -20,11 +20,14 @@ limitations under the License.
 #include <fstream>
 
 #include <sinsp.h>
+#include <plugin.h>
 
 #include "falco_engine.h"
 #include "falco_utils.h"
 #include "falco_engine_version.h"
 
+#include "formats.h"
+
 extern "C" {
 #include "lpeg.h"
 #include "lyaml.h"
@@ -52,6 +55,8 @@ falco_engine::falco_engine(bool seed_rng)
 	falco_common::init();
 	falco_rules::init(m_ls);
 
+	m_required_plugin_versions.clear();
+
 	if(seed_rng)
 	{
 		srandom((unsigned) getpid());
@@ -143,11 +148,6 @@ void falco_engine::list_fields(std::string &source, bool verbose, bool names_onl
 	}
 }
 
-void falco_engine::set_plugin_infos(std::list<sinsp_plugin::info> &plugin_infos)
-{
-	m_plugin_infos = plugin_infos;
-}
-
 void falco_engine::load_rules(const string &rules_content, bool verbose, bool all_events)
 {
 	uint64_t dummy;
@@ -157,20 +157,18 @@ void falco_engine::load_rules(const string &rules_content, bool verbose, bool al
 
 void falco_engine::load_rules(const string &rules_content, bool verbose, bool all_events, uint64_t &required_engine_version)
 {
-	rulesfile rf;
-	rf.content = rules_content;
-
-	load_result res(rf);
-
-	load_rules(rf, verbose, all_events, res);
-
-	if(!res.successful)
+	if(!m_rules)
 	{
-		bool include_filenames = false;
+		m_rules.reset(new falco_rules(this,
+					      m_ls));
 
-		// This version assembles the errors and/or warnings into an exception.
-		throw falco_exception(res.as_string(include_filenames, verbose));
+		for(auto const &it : m_filter_factories)
+		{
+			m_rules->add_filter_factory(it.first, it.second);
+		}
 	}
+
+	m_rules->load_rules(rules_content, verbose, all_events, m_extra, m_replace_container_info, m_min_priority, required_engine_version, m_required_plugin_versions);
 }
 
 void falco_engine::load_rules_file(const string &rules_filename, bool verbose, bool all_events)
@@ -198,105 +196,6 @@ void falco_engine::load_rules_file(const string &rules_filename, bool verbose, b
 	load_rules(rules_content, verbose, all_events, required_engine_version);
 }
 
-falco_engine::rulesfile::rulesfile()
-{
-}
-
-falco_engine::load_result::load_result(const rulesfile &rulesfile)
-	: rf(rulesfile)
-{
-}
-
-falco_engine::load_result::~load_result()
-{
-}
-
-std::string falco_engine::load_result::as_string(bool include_filenames, bool include_warnings)
-{
-	std::ostringstream os;
-
-	if(include_filenames)
-	{
-		os << rf.name << ": ";
-	}
-
-	if((errors.size() + warnings.size()) == 0)
-	{
-		os << "Ok" << std::endl;
-	} else {
-
-		if (errors.size() > 0)
-		{
-			os << errors.size() << " errors:" << std::endl;
-			for(auto err : errors)
-			{
-				os << err << std::endl;
-			}
-		}
-
-		if (include_warnings && warnings.size() > 0)
-		{
-			os << warnings.size() << " warnings:" << std::endl;
-			for(auto warn : warnings)
-			{
-				os << warn << std::endl;
-			}
-		}
-	}
-
-	return os.str();
-}
-
-bool falco_engine::rulesfile::load(const std::string &filename, std::string &errstr)
-{
-	std::ifstream is;
-
-	is.open(filename);
-	if (!is.is_open())
-	{
-		errstr = "Could not open rules filename " +
-			filename + " " + "for reading";
-		return false;
-	}
-
-	name = filename;
-	content.assign((istreambuf_iterator<char>(is)),
-		       istreambuf_iterator<char>());
-
-	return true;
-}
-
-falco_engine::rulesfile::~rulesfile()
-{
-}
-
-void falco_engine::load_rules(falco_engine::rulesfile &rf,
-			      bool verbose, bool all_events,
-			      falco_engine::load_result &result)
-{
-	if(!m_rules)
-	{
-		m_rules.reset(new falco_rules(this,
-					      m_ls));
-
-		for(auto const &it : m_filter_factories)
-		{
-			m_rules->add_filter_factory(it.first, it.second);
-		}
-	}
-
-	uint64_t required_engine_version;
-	std::map<std::string, std::list<std::string>> required_plugin_versions;
-
-	result.successful = m_rules->load_rules(rf.content, verbose, all_events,
-						m_extra, m_replace_container_info,
-						m_min_priority,
-						result.warnings,
-						result.errors,
-						required_engine_version,
-						m_plugin_infos);
-}
-
 void falco_engine::enable_rule(const string &substring, bool enabled, const string &ruleset)
 {
 	uint16_t ruleset_id = find_ruleset_id(ruleset);
@@ -488,7 +387,7 @@ void falco_engine::describe_rule(string *rule)
 	return m_rules->describe_rule(rule);
 }
 
-// Print statistics on the the rules that triggered
+// Print statistics on the rules that triggered
 void falco_engine::print_stats()
 {
 	lua_getglobal(m_ls, lua_print_stats.c_str());
@@ -529,6 +428,36 @@ bool falco_engine::is_source_valid(const std::string &source)
 	return (m_rulesets.find(source) != m_rulesets.end());
 }
 
+bool falco_engine::is_plugin_compatible(const std::string &name,
+					const std::string &version,
+					std::string &required_version)
+{
+	sinsp_plugin::version plugin_version(version);
+
+	if(!plugin_version.m_valid)
+	{
+		throw falco_exception(string("Plugin version string ") + version + " not valid");
+	}
+
+	if(m_required_plugin_versions.find(name) == m_required_plugin_versions.end())
+	{
+		// No required engine versions, so no restrictions. Compatible.
+		return true;
+	}
+
+	for(auto &rversion : m_required_plugin_versions[name])
+	{
+		sinsp_plugin::version req_version(rversion);
+		if (!plugin_version.check(req_version))
+		{
+			required_version = rversion;
+			return false;
+		}
+	}
+
+	return true;
+}
+
 void falco_engine::clear_filters()
 {
 	m_rulesets.clear();
@@ -538,6 +467,8 @@ void falco_engine::clear_filters()
 		std::shared_ptr<falco_ruleset> ruleset(new falco_ruleset());
 		m_rulesets[it.first] = ruleset;
 	}
+
+	m_required_plugin_versions.clear();
 }
 
 void falco_engine::set_sampling_ratio(uint32_t sampling_ratio)

userspace/engine/falco_engine.h

@@ -56,12 +56,6 @@ public:
 	// If source is non-empty, only fields for the provided source are printed.
 	void list_fields(std::string &source, bool verbose, bool names_only);
 
-	// Optional--pass info on the currently loaded set of
-	// plugins. If provided, when loading rules content plugin
-	// info will be checked against any required_plugin_version
-	// blocks in the rules content.
-	void set_plugin_infos(std::list<sinsp_plugin::info> &plugin_infos);
-
 	//
 	// Load rules either directly or from a filename.
 	//
@@ -75,44 +69,6 @@ public:
 	void load_rules_file(const std::string &rules_filename, bool verbose, bool all_events, uint64_t &required_engine_version);
 	void load_rules(const std::string &rules_content, bool verbose, bool all_events, uint64_t &required_engine_version);
 
-	// Represents a block of rules. The name is only for
-	// logging/identification purposes, but generally is the path
-	// to the file that contained content.
-	class rulesfile {
-	public:
-		rulesfile();
-		virtual ~rulesfile();
-
-		bool load(const std::string &filename, std::string &errstr);
-
-		std::string name;
-		std::string content;
-	};
-
-	// Represents the result of loading a block of rules.
-	//  - successful: true if the file was loaded, false otherwise
-	//  - warnings: any warnings from loading the rules
-	//  - errors: any errors from loading the rules
-	class load_result {
-	public:
-		load_result(const rulesfile &rulesfile);
-		~load_result();
-
-		std::string as_string(bool include_filenames, bool include_warnings);
-
-		const rulesfile &rf;
-		bool successful;
-		std::list<std::string> warnings;
-		std::list<std::string> errors;
-	};
-
-	// Improved variant that explicitly passes back a load_result
-	// struct containing lists of errors/warnings, etc. instead of
-	// throwing an exception on error.
-	void load_rules(rulesfile &rf,
-			bool verbose, bool all_events,
-			load_result &result);
-
 	//
 	// Enable/Disable any rules matching the provided substring.
 	// If the substring is "", all rules are enabled/disabled.
@@ -250,6 +206,12 @@ public:
 	std::shared_ptr<gen_event_formatter> create_formatter(const std::string &source,
 							      const std::string &output);
 
+	// Return whether the provided plugin name + version is
+	// compatible with the current set of loaded rules files.
+	// required_version will be filled in with the required
+	// version when the method returns false.
+	bool is_plugin_compatible(const std::string &name, const std::string &version, std::string &required_version);
+
 private:
 
 	//
@@ -259,9 +221,6 @@ private:
 	//
 	inline bool should_drop_evt();
 
-	// Optional--info on any loaded plugins.
-	std::list<sinsp_plugin::info> m_plugin_infos;
-
 	// Maps from event source to object that can generate filters from rules
 	std::map<std::string, std::shared_ptr<gen_event_filter_factory>> m_filter_factories;
 
@@ -276,6 +235,10 @@ private:
 	std::map<string, uint16_t> m_known_rulesets;
 	falco_common::priority_type m_min_priority;
 
+	// Maps from plugin to a list of required plugin versions
+	// found in any loaded rules files.
+	std::map<std::string, std::list<std::string>> m_required_plugin_versions;
+
 	void populate_rule_result(unique_ptr<struct rule_result> &res, gen_event *ev);
 
 	//

userspace/engine/formats.cpp

@@ -17,13 +17,13 @@ limitations under the License.
 #include <json/json.h>
 
 #include "formats.h"
-#include "swappable_falco_engine.h"
+#include "falco_engine.h"
 #include "banned.h" // This raises a compilation error when certain functions are used
 
-falco_formats::falco_formats(swappable_falco_engine &swengine,
+falco_formats::falco_formats(falco_engine *engine,
 			     bool json_include_output_property,
 			     bool json_include_tags_property)
-	: m_swengine(swengine),
+	: m_falco_engine(engine),
 	m_json_include_output_property(json_include_output_property),
 	m_json_include_tags_property(json_include_tags_property)
 {
@@ -40,7 +40,7 @@ string falco_formats::format_event(gen_event *evt, const std::string &rule, cons
 
 	std::shared_ptr<gen_event_formatter> formatter;
 
-	formatter = m_swengine.engine()->create_formatter(source, format);
+	formatter = m_falco_engine->create_formatter(source, format);
 
 	// Format the original output string, regardless of output format
 	formatter->tostring_withformat(evt, line, gen_event_formatter::OF_NORMAL);
@@ -134,7 +134,7 @@ map<string, string> falco_formats::get_field_values(gen_event *evt, const std::s
 {
 	std::shared_ptr<gen_event_formatter> formatter;
 
-	formatter = m_swengine.engine()->create_formatter(source, format);
+	formatter = m_falco_engine->create_formatter(source, format);
 
 	map<string, string> ret;
 

userspace/engine/formats.h

@@ -28,12 +28,12 @@ extern "C"
 
 #include <gen_filter.h>
 
-#include "swappable_falco_engine.h"
+#include "falco_engine.h"
 
 class falco_formats
 {
 public:
-	falco_formats(swappable_falco_engine &swengine,
+	falco_formats(falco_engine *engine,
 		      bool json_include_output_property,
 		      bool json_include_tags_property);
 	virtual ~falco_formats();
@@ -45,7 +45,7 @@ public:
 					     const std::string &format);
 
 protected:
-	swappable_falco_engine &m_swengine;
+	falco_engine *m_falco_engine;
 	bool m_json_include_output_property;
 	bool m_json_include_tags_property;
 };

userspace/engine/json_evt.h

@@ -278,7 +278,7 @@ private:
 	// events. See alias struct for usage.
 	std::list<nlohmann::json::json_pointer> m_jptrs;
 
-	// Theextraction function to use. May not be defined, in which
+	// The extraction function to use. May not be defined, in which
 	// case the default function is used.
 	extract_t m_extract;
 

userspace/engine/lua/modules/compiler.lua

@@ -40,8 +40,8 @@ end
    The AST is changed in-place.
 
    The return value is a boolean which is true if any macro was
-   substitued. This allows a caller to re-traverse until no more macros are
-   found, a simple strategy for recursive resoltuions (e.g. when a macro
+   substituted. This allows a caller to re-traverse until no more macros are
+   found, a simple strategy for recursive resolutions (e.g. when a macro
    definition uses another macro).
 
 --]]
@@ -113,31 +113,6 @@ function expand_macros(ast, defs, changed)
    return true, changed
 end
 
-function get_macros(ast, set)
-   if (ast.type == "Macro") then
-      set[ast.value] = true
-      return set
-   end
-
-   if ast.type == "Filter" then
-      return get_macros(ast.value, set)
-   end
-
-   if ast.type == "BinaryBoolOp" then
-      local left = get_macros(ast.left, {})
-      local right = get_macros(ast.right, {})
-
-      for m, _ in pairs(left) do set[m] = true end
-      for m, _ in pairs(right) do set[m] = true end
-
-      return set
-   end
-   if ast.type == "UnaryBoolOp" then
-      return get_macros(ast.argument, set)
-   end
-   return set
-end
-
 function get_filters(ast)
 
    local filters = {}

userspace/engine/lua/modules/parser.lua

@@ -57,7 +57,7 @@ local function geterrorinfo()
       end
 end
 
--- creates an errror message using the farthest failure position
+-- creates an error message using the farthest failure position
 local function errormsg()
    return geterrorinfo() / function(t)
          local p = t.ffp or 1

userspace/engine/lua/rule_loader.lua

@@ -59,10 +59,10 @@ end
 
 -- Permissive for case and for common abbreviations.
 priorities = {
-   Emergency=0, Alert=1, Critical=2, Error=3, Warning=4, Notice=5, Informational=5, Debug=7,
-   emergency=0, alert=1, critical=2, error=3, warning=4, notice=5, informational=5, debug=7,
-   EMERGENCY=0, ALERT=1, CRITICAL=2, ERROR=3, WARNING=4, NOTICE=5, INFORMATIONAL=5, DEBUG=7,
-   INFO=5, info=5
+   Emergency=0, Alert=1, Critical=2, Error=3, Warning=4, Notice=5, Informational=6, Debug=7,
+   emergency=0, alert=1, critical=2, error=3, warning=4, notice=5, informational=6, debug=7,
+   EMERGENCY=0, ALERT=1, CRITICAL=2, ERROR=3, WARNING=4, NOTICE=5, INFORMATIONAL=6, DEBUG=7,
+   INFO=6, info=6
 }
 
 --[[
@@ -157,17 +157,6 @@ local function create_filter_obj(node, lua_parser, parent_bool_op)
    return nil
 end
 
-function set_output(output_format, state)
-
-   if(output_ast.type == "OutputFormat") then
-
-      local format
-
-   else
-      error ("Unexpected type in set_output: ".. output_ast.type)
-   end
-end
-
 -- This should be keep in sync with parser.lua
 defined_comp_operators = {
    ["="]=1,
@@ -197,7 +186,7 @@ defined_list_comp_operators = {
 -- object. The by_name index is used for things like describing rules,
 -- and the by_idx index is used to map the relational node index back
 -- to a rule.
-local state = {macros={}, lists={}, filter_ast=nil, rules_by_name={},
+local state = {macros={}, lists={}, rules_by_name={},
 	       skipped_rules_by_name={}, macros_by_name={}, lists_by_name={},
 	       n_rules=0, rules_by_idx={}, ordered_rule_names={}, ordered_macro_names={}, ordered_list_names={}}
 
@@ -620,7 +609,7 @@ function load_rules_doc(rules_mgr, doc, load_state)
 			return false, build_error_with_context(v['context'], "Rule exception item must have name property"), warnings
 		     end
 
-		     -- Seperate case when a exception name is not found
+		     -- Separate case when a exception name is not found
 		     -- This means that a new exception is being appended
 
 		     local new_exception = true
@@ -1067,14 +1056,6 @@ function load_rules(rules_content,
 	    end
 	 end
 
-	 -- Rule ASTs are merged together into one big AST, with "OR" between each
-	 -- rule.
-	 if (state.filter_ast == nil) then
-	    state.filter_ast = filter_ast.filter.value
-	 else
-	    state.filter_ast = { type = "BinaryBoolOp", operator = "or", left = state.filter_ast, right = filter_ast.filter.value }
-	 end
-
 	 -- Enable/disable the rule
 	 if (v['enabled'] == nil) then
 	    v['enabled'] = true

userspace/engine/rules.cpp

@@ -397,17 +397,13 @@ static void get_lua_table_list_values(lua_State *ls,
 }
 
 
-bool falco_rules::load_rules(const string &rules_content,
+void falco_rules::load_rules(const string &rules_content,
 			     bool verbose, bool all_events,
 			     string &extra, bool replace_container_info,
 			     falco_common::priority_type min_priority,
-			     std::list<std::string> &warnings,
-			     std::list<std::string> &errors,
 			     uint64_t &required_engine_version,
-			     std::list<sinsp_plugin::info> &plugin_infos)
+			     std::map<std::string, std::list<std::string>> &required_plugin_versions)
 {
-	std::map<std::string, std::list<std::string>> required_plugin_versions;
-
 	lua_getglobal(m_ls, m_lua_load_rules.c_str());
 	if(lua_isfunction(m_ls, -1))
 	{
@@ -436,42 +432,46 @@ bool falco_rules::load_rules(const string &rules_content,
 		bool successful = lua_toboolean(m_ls, -5);
 		required_engine_version = lua_tonumber(m_ls, -4);
 		get_lua_table_list_values(m_ls, -3, required_plugin_versions);
-		errors = get_lua_table_values(m_ls, -2);
-		warnings = get_lua_table_values(m_ls, -1);
+		std::list<std::string> errors = get_lua_table_values(m_ls, -2);
+		std::list<std::string> warnings = get_lua_table_values(m_ls, -1);
 
-		lua_pop(m_ls, 4);
-
-		// Also check plugin compatibility. Only meaningful if
-		// plugin_infos is non-empty.
-		for(auto &pinfo : plugin_infos)
+		// Concatenate errors/warnings
+		std::ostringstream os;
+		if (errors.size() > 0)
 		{
-			if(required_plugin_versions.find(pinfo.name) == required_plugin_versions.end())
+			os << errors.size() << " errors:" << std::endl;
+			for(auto err : errors)
 			{
-				// No required engine versions, so no restrictions. Compatible.
-				continue;
+				os << err << std::endl;
 			}
+		}
 
-			for(auto &rversion : required_plugin_versions[pinfo.name])
+		if (warnings.size() > 0)
+		{
+			os << warnings.size() << " warnings:" << std::endl;
+			for(auto warn : warnings)
 			{
-				sinsp_plugin::version req_version(rversion.c_str());
-				if(!pinfo.plugin_version.check(req_version))
-				{
-					errors.push_back(std::string("Plugin ") + pinfo.name + " version " + pinfo.plugin_version.as_string() + " not compatible with required plugin version " + rversion);
-					successful = false;
-				}
+				os << warn << std::endl;
 			}
 		}
 
 		if(!successful)
 		{
-			return false;
+			throw falco_exception(os.str());
 		}
 
+		if (verbose && os.str() != "") {
+			// We don't really have a logging callback
+			// from the falco engine, but this would be a
+			// good place to use it.
+			fprintf(stderr, "When reading rules content: %s", os.str().c_str());
+		}
+
+		lua_pop(m_ls, 4);
+
 	} else {
 		throw falco_exception("No function " + m_lua_load_rules + " found in lua rule module");
 	}
-
-	return true;
 }
 
 void falco_rules::describe_rule(std::string *rule)

userspace/engine/rules.h

@@ -39,13 +39,11 @@ class falco_rules
 	void add_filter_factory(const std::string &source,
 				std::shared_ptr<gen_event_filter_factory> factory);
 
-	bool load_rules(const string &rules_content, bool verbose, bool all_events,
+	void load_rules(const string &rules_content, bool verbose, bool all_events,
 			std::string &extra, bool replace_container_info,
 			falco_common::priority_type min_priority,
-			std::list<std::string> &warnings,
-			std::list<std::string> &errors,
 			uint64_t &required_engine_version,
-			std::list<sinsp_plugin::info> &plugin_infos);
+			std::map<std::string, std::list<std::string>> &required_plugin_versions);
 	void describe_rule(string *rule);
 
 	bool is_source_valid(const std::string &source);

userspace/engine/ruleset.h

@@ -80,7 +80,7 @@ private:
 		std::shared_ptr<gen_event_filter> filter;
 		std::set<uint16_t> evttypes()
 		{
-			// todo(jasondellaluce,leogr): temp workarond, remove when fixed in libs
+			// todo(jasondellaluce,leogr): temp workaround, remove when fixed in libs
 			if(source == "syscall" || source == "k8s_audit")
 			{
 				return filter->evttypes();

userspace/falco/CMakeLists.txt

@@ -15,6 +15,8 @@ configure_file(config_falco.h.in config_falco.h)
 
 set(
   FALCO_SOURCES
+  application.cpp
+  app_cmdline_options.cpp
   configuration.cpp
   logger.cpp
   falco_outputs.cpp
@@ -25,8 +27,6 @@ set(
   event_drops.cpp
   statsfilewriter.cpp
   falco.cpp
-  formats.cpp
-  swappable_falco_engine.cpp
 )
 
 set(
@@ -35,6 +35,7 @@ set(
   "${PROJECT_BINARY_DIR}/userspace/falco"
   "${PROJECT_BINARY_DIR}/driver/src"
   "${STRING_VIEW_LITE_INCLUDE}"
+  "${CXXOPTS_INCLUDE_DIR}"
   "${YAMLCPP_INCLUDE_DIR}"
   "${CMAKE_CURRENT_BINARY_DIR}"
   "${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include"
@@ -48,6 +49,7 @@ set(
   luajit
   lpeg
   lyaml
+  cxxopts
 )
 
 set(
@@ -78,8 +80,6 @@ if(NOT MINIMAL_BUILD)
     ${CMAKE_CURRENT_BINARY_DIR}/version.pb.cc
     ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc
     ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc
-    ${CMAKE_CURRENT_BINARY_DIR}/rules.grpc.pb.cc
-    ${CMAKE_CURRENT_BINARY_DIR}/rules.pb.cc
     ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc
   )
 
@@ -154,10 +154,6 @@ if(NOT MINIMAL_BUILD)
     ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.cc
     ${CMAKE_CURRENT_BINARY_DIR}/outputs.grpc.pb.h
     ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.cc
-    ${CMAKE_CURRENT_BINARY_DIR}/rules.grpc.pb.cc
-    ${CMAKE_CURRENT_BINARY_DIR}/rules.grpc.pb.h
-    ${CMAKE_CURRENT_BINARY_DIR}/rules.pb.cc
-    ${CMAKE_CURRENT_BINARY_DIR}/rules.pb.h
     ${CMAKE_CURRENT_BINARY_DIR}/outputs.pb.h
     ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.cc
     ${CMAKE_CURRENT_BINARY_DIR}/schema.pb.h
@@ -174,12 +170,6 @@ if(NOT MINIMAL_BUILD)
     COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
     ${CMAKE_CURRENT_SOURCE_DIR}/outputs.proto
     WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
-    # Falco gRPC Rules API
-    DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/rules.proto
-    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --cpp_out=. ${CMAKE_CURRENT_SOURCE_DIR}/rules.proto
-    COMMAND ${PROTOC} -I ${CMAKE_CURRENT_SOURCE_DIR} --grpc_out=. --plugin=protoc-gen-grpc=${GRPC_CPP_PLUGIN}
-    ${CMAKE_CURRENT_SOURCE_DIR}/rules.proto
-    WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
   )
 endif()
 

userspace/falco/app_cmdline_options.cpp

@@ -0,0 +1,203 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "app_cmdline_options.h"
+#include "configuration.h"
+#include "config_falco.h"
+
+#include <fstream>
+
+namespace falco {
+namespace app {
+
+// Most bool member variables do not need to be set explicitly, as
+// they are bound to command line options that have default
+// values. However, a few options can be ifdef'd out so explicitly
+// initialize their linked variables.
+cmdline_options::cmdline_options()
+	: event_buffer_format(sinsp_evt::PF_NORMAL),
+	  list_plugins(false),
+	  m_cmdline_opts("falco", "Falco - Cloud Native Runtime Security")
+{
+	define();
+}
+
+cmdline_options::~cmdline_options()
+{
+}
+
+bool cmdline_options::parse(int argc, char **argv, std::string &errstr)
+{
+	try {
+		m_cmdline_parsed = m_cmdline_opts.parse(argc, argv);
+	}
+	catch (std::exception &e)
+	{
+		errstr = e.what();
+		return false;
+	}
+
+	// Some options require additional processing/validation
+	std::ifstream conf_stream;
+	if (!conf_filename.empty())
+	{
+		conf_stream.open(conf_filename);
+		if (!conf_stream.is_open())
+		{
+			errstr = std::string("Could not find configuration file at ") + conf_filename;
+			return false;
+		}
+	}
+	else
+	{
+#ifndef BUILD_TYPE_RELEASE
+		conf_stream.open(FALCO_SOURCE_CONF_FILE);
+		if (conf_stream.is_open())
+		{
+			conf_filename = FALCO_SOURCE_CONF_FILE;
+		}
+		else
+#endif
+		{
+			conf_stream.open(FALCO_INSTALL_CONF_FILE);
+			if (conf_stream.is_open())
+			{
+				conf_filename = FALCO_INSTALL_CONF_FILE;
+			}
+			else
+			{
+				// Note we do not return false here. Although there is
+				// no valid config file, some ways of running falco
+				// (e.g. --help, --list) do not need a config file.
+				//
+				// Later, when it comes time to read a config file, if
+				// the filename is empty we exit with an error.
+				conf_filename = "";
+			}
+		}
+	}
+
+	if(m_cmdline_parsed.count("b") > 0)
+	{
+		event_buffer_format = sinsp_evt::PF_BASE64;
+	}
+
+	// Expand any paths provided via -r and fill in rules_filenames
+	if(m_cmdline_parsed.count("r") > 0)
+	{
+		for(auto &path : m_cmdline_parsed["r"].as<std::vector<std::string>>())
+		{
+			falco_configuration::read_rules_file_directory(path, rules_filenames);
+		}
+	}
+
+	// Convert the vectors of enabled/disabled tags into sets to match falco engine API
+	if(m_cmdline_parsed.count("T") > 0)
+	{
+		for(auto &tag : m_cmdline_parsed["T"].as<std::vector<std::string>>())
+		{
+			disabled_rule_tags.insert(tag);
+		}
+	}
+
+	if(m_cmdline_parsed.count("t") > 0)
+	{
+		for(auto &tag : m_cmdline_parsed["t"].as<std::vector<std::string>>())
+		{
+			enabled_rule_tags.insert(tag);
+		}
+	}
+
+	// Some combinations of arguments are not allowed.
+
+	// You can't both disable and enable rules
+	if((disabled_rule_substrings.size() + disabled_rule_tags.size() > 0) &&
+	   enabled_rule_tags.size() > 0)
+	{
+		errstr = std::string("You can not specify both disabled (-D/-T) and enabled (-t) rules");
+		return false;
+	}
+
+	if (daemon && pidfilename == "") {
+		errstr = std::string("If -d is provided, a pid file must also be provided");
+		return false;
+	}
+
+	list_fields = m_cmdline_parsed.count("list") > 0 ? true : false;
+
+	return true;
+}
+
+std::string cmdline_options::usage()
+{
+	return m_cmdline_opts.help();
+}
+
+void cmdline_options::define()
+{
+	m_cmdline_opts.add_options()
+		("h,help",                        "Print this page", cxxopts::value(help)->default_value("false"))
+#ifdef BUILD_TYPE_RELEASE
+		("c",                             "Configuration file. If not specified uses " FALCO_INSTALL_CONF_FILE ".", cxxopts::value(conf_filename), "<path>")
+#else
+		("c",                             "Configuration file. If not specified tries " FALCO_SOURCE_CONF_FILE ", " FALCO_INSTALL_CONF_FILE ".", cxxopts::value(conf_filename), "<path>")
+#endif
+		("A",                             "Monitor all events, including those with EF_DROP_SIMPLE_CONS flag.", cxxopts::value(all_events)->default_value("false"))
+		("b,print-base64",                "Print data buffers in base64. This is useful for encoding binary data that needs to be used over media designed to consume this format.")
+		("cri",                           "Path to CRI socket for container metadata. Use the specified socket to fetch data from a CRI-compatible runtime. If not specified, uses libs default. It can be passed multiple times to specify socket to be tried until a successful one is found.", cxxopts::value(cri_socket_paths), "<path>")
+		("d,daemon",                      "Run as a daemon.", cxxopts::value(daemon)->default_value("false"))
+		("disable-cri-async",             "Disable asynchronous CRI metadata fetching. This is useful to let the input event wait for the container metadata fetch to finish before moving forward. Async fetching, in some environments leads to empty fields for container metadata when the fetch is not fast enough to be completed asynchronously. This can have a performance penalty on your environment depending on the number of containers and the frequency at which they are created/started/stopped.", cxxopts::value(disable_cri_async)->default_value("false"))
+		("disable-source",                "Disable a specific event source. Available event sources are: syscall, k8s_audit, or any source from a configured source plugin. It can be passed multiple times. Can not disable all event sources.", cxxopts::value(disable_sources), "<event_source>")
+		("D",                             "Disable any rules with names having the substring <substring>. Can be specified multiple times. Can not be specified with -t.", cxxopts::value(disabled_rule_substrings), "<substring>")
+		("e",                             "Read the events from <events_file> (in .scap format for sinsp events, or jsonl for k8s audit events) instead of tapping into live.", cxxopts::value(trace_filename), "<events_file>")
+		("i",                             "Print all events that are ignored by default (i.e. without the -A flag) and exit.", cxxopts::value(print_ignored_events)->default_value("false"))
+#ifndef MINIMAL_BUILD
+		("k,k8s-api",                     "Enable Kubernetes support by connecting to the API server specified as argument. E.g. \"http://admin:password@127.0.0.1:8080\". The API server can also be specified via the environment variable FALCO_K8S_API.", cxxopts::value(k8s_api), "<url>")
+		("K,k8s-api-cert",                "Use the provided files names to authenticate user and (optionally) verify the K8S API server identity. Each entry must specify full (absolute, or relative to the current directory) path to the respective file. Private key password is optional (needed only if key is password protected). CA certificate is optional. For all files, only PEM file format is supported. Specifying CA certificate only is obsoleted - when single entry is provided for this option, it will be interpreted as the name of a file containing bearer token. Note that the format of this command-line option prohibits use of files whose names contain ':' or '#' characters in the file name.", cxxopts::value(k8s_api_cert), "(<bt_file> | <cert_file>:<key_file[#password]>[:<ca_cert_file>])")
+		("k8s-node",                      "The node name will be used as a filter when requesting metadata of pods to the API server. Usually, it should be set to the current node on which Falco is running. If empty, no filter is set, which may have a performance penalty on large clusters.", cxxopts::value(k8s_node_name), "<node_name>")
+#endif
+		("L",                             "Show the name and description of all rules and exit.", cxxopts::value(describe_all_rules)->default_value("false"))
+		("l",                             "Show the name and description of the rule with name <rule> and exit.", cxxopts::value(describe_rule), "<rule>")
+		("list",                          "List all defined fields. If <source> is provided, only list those fields for the source <source>. Current values for <source> are \"syscall\", \"k8s_audit\", or any source from a configured source plugin.", cxxopts::value(list_source_fields)->implicit_value(""), "<source>")
+#ifndef MUSL_OPTIMIZED
+		("list-plugins",                  "Print info on all loaded plugins and exit.", cxxopts::value(list_plugins)->default_value("false"))
+#endif
+#ifndef MINIMAL_BUILD
+		("m,mesos-api",                   "Enable Mesos support by connecting to the API server specified as argument. E.g. \"http://admin:password@127.0.0.1:5050\". Marathon url is optional and defaults to Mesos address, port 8080. The API servers can also be specified via the environment variable FALCO_MESOS_API.", cxxopts::value(mesos_api), "<url[,marathon_url]>")
+#endif
+		("M",                             "Stop collecting after <num_seconds> reached.", cxxopts::value(duration_to_tot)->default_value("0"), "<num_seconds>")
+		("N",                             "When used with --list/--list-source, only print field names.", cxxopts::value(names_only)->default_value("false"))
+		("o,option",                      "Set the value of option <opt> to <val>. Overrides values in configuration file. <opt> can be identified using its location in configuration file using dot notation. Elements which are entries of lists can be accessed via square brackets [].\n    E.g. base.id = val\n         base.subvalue.subvalue2 = val\n         base.list[1]=val", cxxopts::value(cmdline_config_options), "<opt>=<val>")
+		("p,print",                       "Add additional information to each falco notification's output.\nWith -pc or -pcontainer will use a container-friendly format.\nWith -pk or -pkubernetes will use a kubernetes-friendly format.\nWith -pm or -pmesos will use a mesos-friendly format.\nAdditionally, specifying -pc/-pk/-pm will change the interpretation of %container.info in rule output fields.", cxxopts::value(print_additional), "<output_format>")
+		("P,pidfile",                     "When run as a daemon, write pid to specified file", cxxopts::value(pidfilename)->default_value("/var/run/falco.pid"), "<pid_file>")
+		("r",                             "Rules file/directory (defaults to value set in configuration file, or /etc/falco_rules.yaml). Can be specified multiple times to read from multiple files/directories.", cxxopts::value<std::vector<std::string>>(), "<rules_file>")
+		("s",                             "If specified, append statistics related to Falco's reading/processing of events to this file (only useful in live mode).", cxxopts::value(stats_filename), "<stats_file>")
+		("stats-interval",                "When using -s <stats_file>, write statistics every <msec> ms. This uses signals, so don't recommend intervals below 200 ms. Defaults to 5000 (5 seconds).", cxxopts::value(stats_interval)->default_value("5000"),  "<msec>")
+		("S,snaplen",                     "Capture the first <len> bytes of each I/O buffer. By default, the first 80 bytes are captured. Use this option with caution, it can generate huge trace files.", cxxopts::value(snaplen)->default_value("0"), "<len>")
+		("support",                       "Print support information including version, rules files used, etc. and exit.", cxxopts::value(print_support)->default_value("false"))
+		("T",                             "Disable any rules with a tag=<tag>. Can be specified multiple times. Can not be specified with -t", cxxopts::value<std::vector<std::string>>(), "<tag>")
+		("t",                             "Only run those rules with a tag=<tag>. Can be specified multiple times. Can not be specified with -T/-D.", cxxopts::value<std::vector<std::string>>(), "<tag>")
+		("U,unbuffered",                  "Turn off output buffering to configured outputs. This causes every single line emitted by falco to be flushed which generates higher CPU usage but is useful when piping those outputs into another process or into a script.", cxxopts::value(unbuffered_outputs)->default_value("false"))
+		("u,userspace",                   "Parse events from userspace. To be used in conjunction with the ptrace(2) based driver (pdig)", cxxopts::value(userspace)->default_value("false"))
+		("V,validate",                    "Read the contents of the specified rules(s) file and exit. Can be specified multiple times to validate multiple files.", cxxopts::value(validate_rules_filenames), "<rules_file>")
+		("v",                             "Verbose output.", cxxopts::value(verbose)->default_value("false"))
+		("version",                       "Print version number.", cxxopts::value(print_version_info)->default_value("false"));
+
+	m_cmdline_opts.set_width(140);
+}
+
+}; // namespace app
+}; // namespace falco

userspace/falco/app_cmdline_options.h

@@ -0,0 +1,85 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#pragma once
+
+#include <event.h>
+
+#include <cxxopts.hpp>
+
+#include <string>
+#include <vector>
+#include <set>
+
+namespace falco {
+namespace app {
+
+class cmdline_options {
+public:
+	cmdline_options();
+	~cmdline_options();
+
+	// Each of these maps directly to a command line option.
+	bool help;
+	std::string conf_filename;
+	bool all_events;
+	sinsp_evt::param_fmt event_buffer_format;
+	std::vector<std::string> cri_socket_paths;
+	bool daemon;
+	bool disable_cri_async;
+	std::vector<std::string> disable_sources;
+	std::vector<std::string> disabled_rule_substrings;
+	std::string trace_filename;
+	std::string k8s_api;
+	std::string k8s_api_cert;
+	std::string k8s_node_name;
+	bool describe_all_rules;
+	std::string describe_rule;
+	bool print_ignored_events;
+	bool list_fields;
+	std::string list_source_fields;
+	bool list_plugins;
+	std::string mesos_api;
+	int duration_to_tot;
+	bool names_only;
+	std::vector<std::string> cmdline_config_options;
+	std::string print_additional;
+	std::string pidfilename;
+	std::list<std::string> rules_filenames;
+	std::string stats_filename;
+	uint64_t stats_interval;
+	uint64_t snaplen;
+	bool print_support;
+	std::set<std::string> disabled_rule_tags;
+	std::set<std::string> enabled_rule_tags;
+	bool unbuffered_outputs;
+	bool userspace;
+	std::vector<std::string> validate_rules_filenames;
+	bool verbose;
+	bool print_version_info;
+
+	bool parse(int argc, char **argv, std::string &errstr);
+
+	std::string usage();
+private:
+	void define();
+
+	cxxopts::Options m_cmdline_opts;
+	cxxopts::ParseResult m_cmdline_parsed;
+};
+
+}; // namespace application
+}; // namespace falco

userspace/falco/application.cpp

@@ -0,0 +1,61 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// The falco "app" holds application-level configuration and contains
+// the implementation of any subcommand-like behaviors like --list, -i
+// (print_ignored_events), etc.
+
+// It also contains the code to initialize components like the
+// inspector, falco engine, etc.
+
+#include "application.h"
+#include "falco_common.h"
+
+namespace falco {
+namespace app {
+
+application::application()
+	: m_initialized(false)
+{
+}
+
+application::~application()
+{
+}
+
+cmdline_options &application::options()
+{
+	if(!m_initialized)
+	{
+		throw falco_exception("App init() not called yet");
+	}
+
+	return m_cmdline_options;
+}
+
+bool application::init(int argc, char **argv, std::string &errstr)
+{
+	if(!m_cmdline_options.parse(argc, argv, errstr))
+	{
+		return false;
+	}
+
+	m_initialized = true;
+	return true;
+}
+
+}; // namespace app
+}; // namespace falco

userspace/falco/application.h

@@ -0,0 +1,53 @@
+/*
+Copyright (C) 2022 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// The falco "app" will eventually replace the monolithic code in
+// falco.cpp. We expect it will be responsible for the following:
+//  - Parsing/validating command line options
+//  - Parsing/validating falco config
+//  - Initialize prerequisites (inspector, falco engine, webserver, etc)
+//  - Loading plugins
+//  - Loading/validating rules
+//  - Command/subcommand execution (e.g. --list/--list-fields, or
+//    nothing specified to run "main" loop)
+
+// For now, it is only responsible for command line options.
+#pragma once
+
+#include "app_cmdline_options.h"
+
+#include <string>
+
+namespace falco {
+namespace app {
+
+class application {
+public:
+
+	application();
+	virtual ~application();
+
+	cmdline_options &options();
+	bool init(int argc, char **argv, std::string &errstr);
+
+private:
+
+	cmdline_options m_cmdline_options;
+	bool m_initialized;
+};
+
+}; // namespace app
+}; // namespace falco

userspace/falco/config_falco.h.in

@@ -30,5 +30,5 @@ limitations under the License.
 #define FALCO_INSTALL_CONF_FILE "/etc/falco/falco.yaml"
 #define FALCO_ENGINE_PLUGINS_DIR "${FALCO_ABSOLUTE_SHARE_DIR}/plugins/"
 
-#define PROBE_NAME "@PROBE_NAME@"
-#define DRIVER_VERSION "@PROBE_VERSION@"
+#define DRIVER_NAME "@DRIVER_NAME@"
+#define DRIVER_VERSION "@DRIVER_VERSION@"

userspace/falco/configuration.cpp

@@ -51,7 +51,7 @@ falco_configuration::~falco_configuration()
 	}
 }
 
-void falco_configuration::init(string conf_filename, list<string> &cmdline_options)
+void falco_configuration::init(string conf_filename, const vector<string> &cmdline_options)
 {
 	string m_config_file = conf_filename;
 	m_config = new yaml_configuration();
@@ -390,7 +390,7 @@ static bool split(const string &str, char delim, pair<string, string> &parts)
 	return true;
 }
 
-void falco_configuration::init_cmdline_options(list<string> &cmdline_options)
+void falco_configuration::init_cmdline_options(const vector<string> &cmdline_options)
 {
 	for(const string &option : cmdline_options)
 	{

userspace/falco/configuration.h

@@ -216,8 +216,8 @@ public:
 	falco_configuration();
 	virtual ~falco_configuration();
 
-	void init(std::string conf_filename, std::list<std::string>& cmdline_options);
-	void init(std::list<std::string>& cmdline_options);
+	void init(std::string conf_filename, const std::vector<std::string>& cmdline_options);
+	void init(const std::vector<std::string>& cmdline_options);
 
 	static void read_rules_file_directory(const string& path, list<string>& rules_filenames);
 
@@ -266,7 +266,7 @@ public:
 	std::vector<plugin_config> m_plugins;
 
 private:
-	void init_cmdline_options(std::list<std::string>& cmdline_options);
+	void init_cmdline_options(const std::vector<std::string>& cmdline_options);
 
 	/**
 	 * Given a <key>=<value> specifier, set the appropriate option
@@ -288,12 +288,12 @@ namespace YAML {
 			double double_val;
 			bool bool_val;
 			std::string str_val;
-			nlohmann::json sub{};
 
 			switch (node.Type()) {
 				case YAML::NodeType::Map:
 					for (auto &&it: node)
 					{
+						nlohmann::json sub{};
 						YAML::convert<nlohmann::json>::decode(it.second, sub);
 						res[it.first.as<std::string>()] = sub;
 					}
@@ -301,6 +301,7 @@ namespace YAML {
 				case YAML::NodeType::Sequence:
 					for (auto &&it : node)
 					{
+						nlohmann::json sub{};
 						YAML::convert<nlohmann::json>::decode(it, sub);
 						res.emplace_back(sub);
 					}

userspace/falco/event_drops.cpp

@@ -73,6 +73,7 @@ bool syscall_evt_drop_mgr::process_event(sinsp *inspector, sinsp_evt *evt)
 		delta.n_evts = stats.n_evts - m_last_stats.n_evts;
 		delta.n_drops = stats.n_drops - m_last_stats.n_drops;
 		delta.n_drops_buffer = stats.n_drops_buffer - m_last_stats.n_drops_buffer;
+		delta.n_drops_scratch_map = stats.n_drops_scratch_map - m_last_stats.n_drops_scratch_map;
 		delta.n_drops_pf = stats.n_drops_pf - m_last_stats.n_drops_pf;
 		delta.n_drops_bug = stats.n_drops_bug - m_last_stats.n_drops_bug;
 		delta.n_preemptions = stats.n_preemptions - m_last_stats.n_preemptions;
@@ -148,6 +149,7 @@ bool syscall_evt_drop_mgr::perform_actions(uint64_t now, scap_stats &delta, bool
 			output_fields["n_evts"] = std::to_string(delta.n_evts);
 			output_fields["n_drops"] = std::to_string(delta.n_drops);
 			output_fields["n_drops_buffer"] = std::to_string(delta.n_drops_buffer);
+			output_fields["n_drops_scratch_map"] = std::to_string(delta.n_drops_scratch_map);
 			output_fields["n_drops_pf"] = std::to_string(delta.n_drops_pf);
 			output_fields["n_drops_bug"] = std::to_string(delta.n_drops_bug);
 			output_fields["ebpf_enabled"] = std::to_string(bpf_enabled);

userspace/falco/falco_outputs.cpp

@@ -60,7 +60,7 @@ falco_outputs::~falco_outputs()
 	}
 }
 
-void falco_outputs::init(swappable_falco_engine &swengine,
+void falco_outputs::init(falco_engine *engine,
 			 bool json_output,
 			 bool json_include_output_property,
 			 bool json_include_tags_property,
@@ -74,7 +74,7 @@ void falco_outputs::init(swappable_falco_engine &swengine,
 		throw falco_exception("falco_outputs already initialized");
 	}
 
-	m_formats.reset(new falco_formats(swengine, json_include_output_property, json_include_tags_property));
+	m_formats.reset(new falco_formats(engine, json_include_output_property, json_include_tags_property));
 
 	m_json_output = json_output;
 

userspace/falco/falco_outputs.h

@@ -23,7 +23,7 @@ limitations under the License.
 #include "json_evt.h"
 #include "falco_common.h"
 #include "token_bucket.h"
-#include "swappable_falco_engine.h"
+#include "falco_engine.h"
 #include "outputs.h"
 #include "formats.h"
 #include "tbb/concurrent_queue.h"
@@ -39,7 +39,7 @@ public:
 	falco_outputs();
 	virtual ~falco_outputs();
 
-	void init(swappable_falco_engine &swengine,
+	void init(falco_engine *engine,
 		  bool json_output,
 		  bool json_include_output_property,
 		  bool json_include_tags_property,

userspace/falco/grpc_request_context.cpp

@@ -139,78 +139,6 @@ void request_context<version::service, version::request, version::response>::end
 	start(srv);
 }
 
-template<>
-void request_context<rules::service, rules::rules_files, rules::reload_response>::start(server* srv)
-{
-	m_state = request_context_base::REQUEST;
-	m_srv_ctx.reset(new ::grpc::ServerContext);
-	auto srvctx = m_srv_ctx.get();
-	m_res_writer.reset(new ::grpc::ServerAsyncResponseWriter<rules::reload_response>(srvctx));
-	m_req.Clear();
-	auto cq = srv->m_completion_queue.get();
-	// Request to start processing given requests.
-	// Using "this" - ie., the memory address of this context - as the tag that uniquely identifies the request.
-	// In this way, different contexts can serve different requests concurrently.
-	(srv->m_rules_svc.*m_request_func)(srvctx, &m_req, m_res_writer.get(), cq, cq, this);
-}
-
-template<>
-void request_context<rules::service, rules::rules_files, rules::reload_response>::process(server* srv)
-{
-	rules::reload_response res;
-	(srv->*m_process_func)(m_srv_ctx.get(), m_req, res);
-
-	// Notify the gRPC runtime that this processing is done
-	m_state = request_context_base::FINISH;
-	// Using "this"- ie., the memory address of this context - to uniquely identify the event.
-	m_res_writer->Finish(res, ::grpc::Status::OK, this);
-}
-
-template<>
-void request_context<rules::service, rules::rules_files, rules::reload_response>::end(server* srv, bool error)
-{
-	// todo(leodido) > handle processing errors here
-
-	// Ask to start processing requests
-	start(srv);
-}
-
-template<>
-void request_context<rules::service, rules::rules_files, rules::validate_response>::start(server* srv)
-{
-	m_state = request_context_base::REQUEST;
-	m_srv_ctx.reset(new ::grpc::ServerContext);
-	auto srvctx = m_srv_ctx.get();
-	m_res_writer.reset(new ::grpc::ServerAsyncResponseWriter<rules::validate_response>(srvctx));
-	m_req.Clear();
-	auto cq = srv->m_completion_queue.get();
-	// Request to start processing given requests.
-	// Using "this" - ie., the memory address of this context - as the tag that uniquely identifies the request.
-	// In this way, different contexts can serve different requests concurrently.
-	(srv->m_rules_svc.*m_request_func)(srvctx, &m_req, m_res_writer.get(), cq, cq, this);
-}
-
-template<>
-void request_context<rules::service, rules::rules_files, rules::validate_response>::process(server* srv)
-{
-	rules::validate_response res;
-	(srv->*m_process_func)(m_srv_ctx.get(), m_req, res);
-
-	// Notify the gRPC runtime that this processing is done
-	m_state = request_context_base::FINISH;
-	// Using "this"- ie., the memory address of this context - to uniquely identify the event.
-	m_res_writer->Finish(res, ::grpc::Status::OK, this);
-}
-
-template<>
-void request_context<rules::service, rules::rules_files, rules::validate_response>::end(server* srv, bool error)
-{
-	// todo(leodido) > handle processing errors here
-
-	// Ask to start processing requests
-	start(srv);
-}
-
 template<>
 void request_bidi_context<outputs::service, outputs::request, outputs::response>::start(server* srv)
 {

userspace/falco/grpc_server.cpp

@@ -119,7 +119,7 @@ void falco::grpc::server::thread_process(int thread_index)
 			ctx->end(this, false);
 			break;
 		default:
-			// todo(leodido) > log error "unkown completion queue event: tag=tag, state=ctx->m_state"
+			// todo(leodido) > log error "unknown completion queue event: tag=tag, state=ctx->m_state"
 			break;
 		}
 
@@ -194,7 +194,6 @@ void falco::grpc::server::run()
 {
 	m_server_builder.RegisterService(&m_output_svc);
 	m_server_builder.RegisterService(&m_version_svc);
-	m_server_builder.RegisterService(&m_rules_svc);
 
 	m_completion_queue = m_server_builder.AddCompletionQueue();
 	m_server = m_server_builder.BuildAndStart();
@@ -214,8 +213,6 @@ void falco::grpc::server::run()
 	REGISTER_UNARY(version::request, version::response, version::service, version, version, context_num)
 	REGISTER_STREAM(outputs::request, outputs::response, outputs::service, get, get, context_num)
 	REGISTER_BIDI(outputs::request, outputs::response, outputs::service, sub, sub, context_num)
-	REGISTER_UNARY(rules::rules_files, rules::reload_response, rules::service, reload_rules, reload_rules, context_num)
-	REGISTER_UNARY(rules::rules_files, rules::validate_response, rules::service, validate_rules, validate_rules, context_num)
 
 	m_threads.resize(m_threadiness);
 	int thread_idx = 0;

userspace/falco/grpc_server.h

@@ -46,7 +46,6 @@ public:
 
 	outputs::service::AsyncService m_output_svc;
 	version::service::AsyncService m_version_svc;
-	rules::service::AsyncService m_rules_svc;
 
 	std::unique_ptr<::grpc::ServerCompletionQueue> m_completion_queue;
 

userspace/falco/grpc_server_impl.cpp

@@ -77,21 +77,13 @@ void falco::grpc::server_impl::version(const context& ctx, const version::reques
 	version = FALCO_VERSION;
 
 	res.set_engine_version(FALCO_ENGINE_VERSION);
-	res.set_engine_fields_checksum(FALCO_FIELDS_CHECKSUM);
+	res.set_engine_fields_checksum(FALCO_FIELDS_CHECKSUM); 
 
 	res.set_major(FALCO_VERSION_MAJOR);
 	res.set_minor(FALCO_VERSION_MINOR);
 	res.set_patch(FALCO_VERSION_PATCH);
 }
 
-void falco::grpc::server_impl::reload_rules(const context& ctx, const rules::rules_files& rules_files, rules::reload_response& res)
-{
-}
-
-void falco::grpc::server_impl::validate_rules(const context& ctx, const rules::rules_files& rules_files, rules::validate_response& res)
-{
-}
-
 void falco::grpc::server_impl::shutdown()
 {
 	m_stop = true;

userspace/falco/grpc_server_impl.h

@@ -19,7 +19,6 @@ limitations under the License.
 #include <atomic>
 #include "outputs.grpc.pb.h"
 #include "version.grpc.pb.h"
-#include "rules.grpc.pb.h"
 #include "grpc_context.h"
 
 namespace falco
@@ -44,10 +43,6 @@ protected:
 	// Version
 	void version(const context& ctx, const version::request& req, version::response& res);
 
-	// Rules
-	void reload_rules(const context& ctx, const rules::rules_files& rules_files, rules::reload_response& res);
-	void validate_rules(const context& ctx, const rules::rules_files& rules_files, rules::validate_response& res);
-
 private:
 	std::atomic<bool> m_stop{false};
 };

userspace/falco/logger.cpp

@@ -120,7 +120,7 @@ void falco_logger::log(int priority, const string msg)
 			if(atime)
 			{
 				tstr = atime;
-				tstr = tstr.substr(0, 24);// remove trailling newline
+				tstr = tstr.substr(0, 24);// remove trailing newline
 			}
 			else
 			{

userspace/falco/rules.proto

@@ -1,51 +0,0 @@
-/*
-Copyright (C) 2020 The Falco Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-syntax = "proto3";
-
-package falco.rules;
-
-option go_package = "github.com/falcosecurity/client-go/pkg/api/rules";
-
-// Functions to reload a set of rules files (replacing any currently
-// loaded rules), or validate a set of candidate rules files.
-service service {
-  rpc reload_rules(rules_files) returns (reload_response);
-  rpc validate_rules(rules_files) returns (validate_response);
-}
-
-message rules_file
-{
-	string filename = 1;
-	string content = 2;
-}
-
-message rules_files
-{
-	repeated rules_file files = 1;
-}
-
-message reload_response
-{
-	bool successful = 1;
-	string error = 2;
-}
-
-message validate_response
-{
-	bool successful = 1;
-	string error = 2;
-}

userspace/falco/swappable_falco_engine.cpp

@@ -1,256 +0,0 @@
-/*
-Copyright (C) 2022 The Falco Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-#include <fstream>
-
-#include "logger.h"
-#include "swappable_falco_engine.h"
-
-std::string swappable_falco_engine::syscall_source = "syscall";
-std::string swappable_falco_engine::k8s_audit_source = "k8s_audit";
-
-swappable_falco_engine::config::config()
-	: json_output(false), verbose(false), replace_container_info(false),
-	  event_sources{syscall_source, k8s_audit_source}
-{
-}
-
-swappable_falco_engine::config::~config()
-{
-}
-
-bool swappable_falco_engine::config::contains_event_source(const std::string &source)
-{
-	return (event_sources.find(source) != event_sources.end());
-}
-
-bool swappable_falco_engine::open_files(std::list<std::string> &filenames,
-					std::list<falco_engine::rulesfile> &rulesfiles,
-					std::string &errstr)
-{
-	rulesfiles.clear();
-
-	for(const auto &filename : filenames)
-	{
-		std::string errstr;
-
-		rulesfiles.emplace_back();
-
-		falco_engine::rulesfile &rf = rulesfiles.back();
-
-		if (!rf.load(filename, errstr))
-		{
-			return false;
-		}
-	}
-
-	errstr = "";
-	return true;
-}
-
-swappable_falco_engine::swappable_falco_engine()
-{
-}
-
-swappable_falco_engine::~swappable_falco_engine()
-{
-
-}
-
-bool swappable_falco_engine::init(swappable_falco_engine::config &cfg, sinsp *inspector, std::string &errstr)
-{
-	m_config = cfg;
-	m_inspector = inspector;
-
-	// Initialize some engine with no rules
-	std::list<falco_engine::rulesfile> empty;
-	return replace(empty, errstr);
-}
-
-std::shared_ptr<falco_engine> swappable_falco_engine::engine()
-{
-	std::shared_ptr<falco_engine> new_engine;
-
-	while(m_pending_falco_engine.try_pop(new_engine))
-	{
-		m_engine=new_engine;
-	}
-
-	if(m_engine == NULL)
-	{
-		throw falco_exception("No engine, must call replace() first");
-	}
-
-	return m_engine;
-}
-
-filter_check_list &swappable_falco_engine::plugin_filter_checks()
-{
-	return m_plugin_filter_checks;
-}
-
-bool swappable_falco_engine::replace(std::list<falco_engine::rulesfile> &rulesfiles,
-				     std::string &load_result)
-{
-	std::shared_ptr<falco_engine> new_engine;
-
-	new_engine = create_new(rulesfiles, load_result);
-
-	if (new_engine == NULL)
-	{
-		return false;
-	}
-
-	m_pending_falco_engine.push(new_engine);
-
-	return true;
-}
-
-bool swappable_falco_engine::validate(std::list<falco_engine::rulesfile> &rulesfiles,
-				      std::string &load_result)
-{
-	std::shared_ptr<falco_engine> new_engine;
-
-	new_engine = create_new(rulesfiles, load_result);
-
-	return (new_engine != NULL);
-}
-
-std::shared_ptr<falco_engine> swappable_falco_engine::create_new(std::list<falco_engine::rulesfile> &rulesfiles,
-								 std::string &load_result)
-{
-	std::shared_ptr<falco_engine> ret = make_shared<falco_engine>();
-
-	load_result = "";
-
-	if(!m_inspector)
-	{
-		load_result = "No inspector provided yet";
-		ret = NULL;
-		return ret;
-	}
-
-	ret->set_extra(m_config.output_format, m_config.replace_container_info);
-	ret->set_min_priority(m_config.min_priority);
-	ret->set_plugin_infos(m_config.plugin_infos);
-
-	// Create "factories" that can create filters/formatters for
-	// each supported source.
-	for(const auto &source : m_config.event_sources)
-	{
-		std::shared_ptr<gen_event_filter_factory> filter_factory;
-		std::shared_ptr<gen_event_formatter_factory> formatter_factory;
-
-		if(source == syscall_source)
-		{
-			// This use of m_inspector looks unsafe, as it
-			// may have been created on a different thread
-			// than the thread where create_new() was
-			// called. But the inspector is only *used*
-			// when evaluating filters, and that is only
-			// done on the thread processing events and
-			// calling engine().
-			filter_factory.reset(new sinsp_filter_factory(m_inspector));
-			formatter_factory.reset(new sinsp_evt_formatter_factory(m_inspector));
-		}
-		else if (source == k8s_audit_source)
-		{
-			filter_factory.reset(new json_event_filter_factory());
-			formatter_factory.reset(new json_event_formatter_factory(filter_factory));
-		}
-		else
-		{
-			// Assumed to be a source plugin
-			filter_factory.reset(new sinsp_filter_factory(m_inspector, m_plugin_filter_checks));
-			formatter_factory.reset(new sinsp_evt_formatter_factory(m_inspector, m_plugin_filter_checks));
-		}
-
-		if(m_config.json_output)
-		{
-			formatter_factory->set_output_format(gen_event_formatter::OF_JSON);
-		}
-
-		ret->add_source(source, filter_factory, formatter_factory);
-	}
-
-	// Note that we load all rules files, even if one of them has an error.
-	bool successful = true;
-
-	// We include filenames if there is more than one file
-	bool include_filenames = (rulesfiles.size() > 1);
-
-	// We include warnings if verbose
-	bool include_warnings = m_config.verbose;
-
-	std::ostringstream os;
-	for(auto &rf : rulesfiles)
-	{
-		falco_engine::load_result res(rf);
-
-		// XXX/mstemm all_events is actually unused, remove it.
-		bool all_events = false;
-
-		ret->load_rules(rf,
-				m_config.verbose, all_events,
-				res);
-
-		os << res.as_string(include_filenames, include_warnings);
-
-		if(!res.successful)
-		{
-			successful = false;
-		}
-	}
-
-	load_result = os.str();
-
-	if(!successful)
-	{
-		ret = NULL;
-		return ret;
-	}
-
-	for (auto substring : m_config.disabled_rule_substrings)
-	{
-		falco_logger::log(LOG_INFO, "Disabling rules matching substring: " + substring + "\n");
-		ret->enable_rule(substring, false);
-	}
-
-	if(m_config.disabled_rule_tags.size() > 0)
-	{
-		for(auto tag : m_config.disabled_rule_tags)
-		{
-			falco_logger::log(LOG_INFO, "Disabling rules with tag: " + tag + "\n");
-		}
-		ret->enable_rule_by_tag(m_config.disabled_rule_tags, false);
-	}
-
-	if(m_config.enabled_rule_tags.size() > 0)
-	{
-		string all_rules = "";
-
-		// Since we only want to enable specific
-		// rules, first disable all rules.
-		ret->enable_rule(all_rules, false);
-		for(auto tag : m_config.enabled_rule_tags)
-		{
-			falco_logger::log(LOG_INFO, "Enabling rules with tag: " + tag + "\n");
-		}
-		ret->enable_rule_by_tag(m_config.enabled_rule_tags, true);
-	}
-
-	return ret;
-}

userspace/falco/swappable_falco_engine.h

@@ -1,119 +0,0 @@
-/*
-Copyright (C) 2022 The Falco Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-#pragma once
-
-#include <list>
-#include <memory>
-#include <string>
-#include <set>
-#include <utility>
-#include "tbb/concurrent_queue.h"
-
-#include <sinsp.h>
-#include <filter_check_list.h>
-
-#include <falco_engine.h>
-
-class swappable_falco_engine
-{
-public:
-	static std::string syscall_source;
-	static std::string k8s_audit_source;
-
-	class config {
-	public:
-		config();
-		virtual ~config();
-
-		bool contains_event_source(const std::string &source);
-
-		bool json_output;
-		bool verbose;
-		std::string output_format;
-		bool replace_container_info;
-		std::set<std::string> event_sources;
-		falco_common::priority_type min_priority;
-		std::list<sinsp_plugin::info> plugin_infos;
-		std::set<std::string> disabled_rule_substrings;
-		std::set<std::string> disabled_rule_tags;
-		std::set<std::string> enabled_rule_tags;
-	};
-
-	// Helper to load a set of files from filenames
-	static bool open_files(std::list<std::string> &filenames,
-			       std::list<falco_engine::rulesfile> &rulesfiles,
-			       std::string &errstr);
-
-	swappable_falco_engine();
-	virtual ~swappable_falco_engine();
-
-	bool init(config &cfg, sinsp *inspector, std::string &errstr);
-
-	std::shared_ptr<falco_engine> engine();
-
-	filter_check_list &plugin_filter_checks();
-
-	// Create a new engine, configure it using the saved config,
-	// load the provided set of rules files, and queue it to
-	// replace the current engine.
-	//
-	// This can be called from a different thread than the one
-	// calling engine().
-	//
-        // Returns true on success, false otherwise.
-	//
-	// load_result will be filled in with details on any errors (and warnings,
-	// if config.verbose is true).
-	bool replace(std::list<falco_engine::rulesfile> &rulesfiles,
-		     std::string &load_result);
-
-	// Create a new engine, configure it, load the provided set of
-	// rules files, but do *not* queue it to replace the current
-	// engine.
-	//
-	// This can be called from a different thread than the one
-	// calling engine().
-	//
-        // Returns true on success, false otherwise.
-	//
-	// load_result will be filled in with details on any errors (and warnings,
-	// if config.verbose is true).
-	bool validate(std::list<falco_engine::rulesfile> &rulesfiles,
-		      std::string &load_result);
-
-private:
-
-	// Does everything but enqueue the new engine. Returns a
-	// shared_ptr to a new falco_engine on success, an empty
-	// shared_ptr on failure.
-	//
-	// load_result will be filled in with details on any errors (and warnings,
-	// if config.verbose is true).
-	std::shared_ptr<falco_engine> create_new(std::list<falco_engine::rulesfile> &rulesfiles,
-						 std::string &load_result);
-
-	sinsp *m_inspector;
-	config m_config;
-	filter_check_list m_plugin_filter_checks;
-
-	std::shared_ptr<falco_engine> m_engine;
-
-	// If non-empty the head item will be moved to m_falco_engine
-	// with the next call to engine()
-	tbb::concurrent_queue<std::shared_ptr<falco_engine>> m_pending_falco_engine;
-};
-

userspace/falco/verify_engine_fields.sh

@@ -4,7 +4,7 @@ set -euo pipefail
 
 SOURCE_DIR=$1
 
-NEW_CHECKSUM=$(./falco --list -N | sha256sum | awk '{print $1}')
+NEW_CHECKSUM=$(./falco -c ${SOURCE_DIR}/falco.yaml --list -N | sha256sum | awk '{print $1}')
 CUR_CHECKSUM=$(grep FALCO_FIELDS_CHECKSUM "${SOURCE_DIR}/userspace/engine/falco_engine_version.h" | awk '{print $3}' | sed -e 's/"//g')
 
 if [ "$NEW_CHECKSUM" != "$CUR_CHECKSUM" ]; then

userspace/falco/webserver.cpp

@@ -27,8 +27,8 @@ using namespace std;
 
 string k8s_audit_handler::m_k8s_audit_event_source = "k8s_audit";
 
-k8s_audit_handler::k8s_audit_handler(swappable_falco_engine &swengine, falco_outputs *outputs):
-	m_swengine(swengine), m_outputs(outputs)
+k8s_audit_handler::k8s_audit_handler(falco_engine *engine, falco_outputs *outputs):
+	m_engine(engine), m_outputs(outputs)
 {
 }
 
@@ -45,7 +45,7 @@ bool k8s_healthz_handler::handleGet(CivetServer *server, struct mg_connection *c
 	return true;
 }
 
-bool k8s_audit_handler::accept_data(swappable_falco_engine &swengine,
+bool k8s_audit_handler::accept_data(falco_engine *engine,
 				    falco_outputs *outputs,
 				    std::string &data,
 				    std::string &errstr)
@@ -89,11 +89,11 @@ bool k8s_audit_handler::accept_data(swappable_falco_engine &swengine,
 
 		try
 		{
-			res = swengine.engine()->process_event(m_k8s_audit_event_source, &jev);
+			res = engine->process_event(m_k8s_audit_event_source, &jev);
 		}
 		catch(...)
 		{
-			errstr = string("unkown error processing audit event");
+			errstr = string("unknown error processing audit event");
 			fprintf(stderr, "%s\n", errstr.c_str());
 			return false;
 		}
@@ -120,7 +120,7 @@ bool k8s_audit_handler::accept_data(swappable_falco_engine &swengine,
 
 bool k8s_audit_handler::accept_uploaded_data(std::string &post_data, std::string &errstr)
 {
-	return k8s_audit_handler::accept_data(m_swengine, m_outputs, post_data, errstr);
+	return k8s_audit_handler::accept_data(m_engine, m_outputs, post_data, errstr);
 }
 
 bool k8s_audit_handler::handleGet(CivetServer *server, struct mg_connection *conn)
@@ -130,7 +130,7 @@ bool k8s_audit_handler::handleGet(CivetServer *server, struct mg_connection *con
 	return true;
 }
 
-// The version in CivetServer.cpp has valgrind compliants due to
+// The version in CivetServer.cpp has valgrind complaints due to
 // unguarded initialization of c++ string from buffer.
 static void get_post_data(struct mg_connection *conn, std::string &postdata)
 {
@@ -177,8 +177,7 @@ bool k8s_audit_handler::handlePost(CivetServer *server, struct mg_connection *co
 	return true;
 }
 
-falco_webserver::falco_webserver(swappable_falco_engine &swengine):
-	m_swengine(swengine),
+falco_webserver::falco_webserver():
 	m_config(NULL)
 {
 }
@@ -189,9 +188,11 @@ falco_webserver::~falco_webserver()
 }
 
 void falco_webserver::init(falco_configuration *config,
+			   falco_engine *engine,
 			   falco_outputs *outputs)
 {
 	m_config = config;
+	m_engine = engine;
 	m_outputs = outputs;
 }
 
@@ -213,6 +214,11 @@ void falco_webserver::start()
 		throw falco_exception("No config provided to webserver");
 	}
 
+	if(!m_engine)
+	{
+		throw falco_exception("No engine provided to webserver");
+	}
+
 	if(!m_outputs)
 	{
 		throw falco_exception("No outputs provided to webserver");
@@ -247,7 +253,7 @@ void falco_webserver::start()
 		throw falco_exception("Could not create embedded webserver");
 	}
 
-	m_k8s_audit_handler = make_unique<k8s_audit_handler>(m_swengine, m_outputs);
+	m_k8s_audit_handler = make_unique<k8s_audit_handler>(m_engine, m_outputs);
 	m_server->addHandler(m_config->m_webserver_k8s_audit_endpoint, *m_k8s_audit_handler);
 	m_k8s_healthz_handler = make_unique<k8s_healthz_handler>();
 	m_server->addHandler(m_config->m_webserver_k8s_healthz_endpoint, *m_k8s_healthz_handler);

userspace/falco/webserver.h

@@ -19,26 +19,26 @@ limitations under the License.
 #include "CivetServer.h"
 
 #include "configuration.h"
-#include "swappable_falco_engine.h"
+#include "falco_engine.h"
 #include "falco_outputs.h"
 
 class k8s_audit_handler : public CivetHandler
 {
 public:
-	k8s_audit_handler(swappable_falco_engine &swengine, falco_outputs *outputs);
+	k8s_audit_handler(falco_engine *engine, falco_outputs *outputs);
 	virtual ~k8s_audit_handler();
 
 	bool handleGet(CivetServer *server, struct mg_connection *conn);
 	bool handlePost(CivetServer *server, struct mg_connection *conn);
 
-	static bool accept_data(swappable_falco_engine &swengine,
+	static bool accept_data(falco_engine *engine,
 				falco_outputs *outputs,
 				std::string &post_data, std::string &errstr);
 
 	static std::string m_k8s_audit_event_source;
 
 private:
-	swappable_falco_engine &m_swengine;
+	falco_engine *m_engine;
 	falco_outputs *m_outputs;
 	bool accept_uploaded_data(std::string &post_data, std::string &errstr);
 };
@@ -60,17 +60,18 @@ public:
 class falco_webserver
 {
 public:
-	falco_webserver(swappable_falco_engine &swengine);
+	falco_webserver();
 	virtual ~falco_webserver();
 
 	void init(falco_configuration *config,
+		  falco_engine *engine,
 		  falco_outputs *outputs);
 
 	void start();
 	void stop();
 
 private:
-	swappable_falco_engine &m_swengine;
+	falco_engine *m_engine;
 	falco_configuration *m_config;
 	falco_outputs *m_outputs;
 	unique_ptr<CivetServer> m_server;