fix(.circleci): remove --labels flag from circleci

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>

.circleci/config.yml

@@ -32,6 +32,38 @@ jobs:
             pushd build
             make tests
             popd
+  # Debug build using ubuntu LTS
+  # This build is dynamic, most dependencies are taken from the OS
+  "build/ubuntu-bionic-debug":
+    docker:
+      - image: ubuntu:bionic
+    steps:
+      - checkout
+      - run:
+          name: Update base image
+          command: apt update -y
+      - run:
+          name: Install dependencies
+          command: apt install libssl-dev libyaml-dev libncurses-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm linux-headers-$(uname -r) libelf-dev cmake build-essential libcurl4-openssl-dev -y
+      - run:
+          name: Prepare project
+          command: |
+            mkdir build
+            pushd build
+            cmake -DCMAKE_BUILD_TYPE=debug ..
+            popd
+      - run:
+          name: Build
+          command: |
+            pushd build
+            make -j4 all
+            popd
+      - run:
+          name: Run unit tests
+          command: |
+            pushd build
+            make tests
+            popd
   # Build using our own builder base image using centos 7
   # This build is static, dependencies are bundled in the falco binary
   "build/centos7":
@@ -69,6 +101,28 @@ jobs:
       - store_artifacts:
           path: /tmp/packages
           destination: /packages
+  # Debug build using our own builder base image using centos 7
+  # This build is static, dependencies are bundled in the falco binary
+  "build/centos7-debug":
+    docker:
+      - image: falcosecurity/falco-builder:latest
+        environment:
+          BUILD_TYPE: "debug"
+    steps:
+      - checkout:
+          path: /source/falco
+      - run:
+          name: Prepare project
+          command: /usr/bin/entrypoint cmake
+      - run:
+          name: Build
+          command: /usr/bin/entrypoint all
+      - run:
+          name: Run unit tests
+          command: /usr/bin/entrypoint tests
+      - run:
+          name: Build packages
+          command: /usr/bin/entrypoint package
   # Execute integration tests based on the build results coming from the "build/centos7" job
   "tests/integration":
     docker:
@@ -84,12 +138,224 @@ jobs:
       - run:
           name: Execute integration tests
           command: /usr/bin/entrypoint test
+  # Sign rpm packages
+  "rpm/sign":
+    docker:
+      - image: falcosecurity/falco-builder:latest
+    steps:
+      - attach_workspace:
+          at: /
+      - run:
+          name: Install rpmsign
+          command: |
+            yum update -y
+            yum install rpm-sign -y
+      - run:
+          name: Sign rpm
+          command: |
+            echo "%_signature gpg" > ~/.rpmmacros
+            echo "%_gpg_name  Falcosecurity Package Signing" >> ~/.rpmmacros
+            cd /build/release/
+            echo '#!/usr/bin/expect -f' > sign
+            echo 'spawn rpmsign --addsign {*}$argv' >> sign
+            echo 'expect -exact "Enter pass phrase: "' >> sign
+            echo 'send -- "\n"' >> sign
+            echo 'expect eof' >> sign
+            chmod +x sign
+            echo $GPG_KEY | base64 -d | gpg --import
+            ./sign *.rpm
+            test "$(rpm -qpi *.rpm | awk '/Signature/' | grep -i none | wc -l)" -eq 0
+      - persist_to_workspace:
+          root: /
+          paths:
+            - build/release/*.rpm
+  # Publish the packages
+  "publish/packages-dev":
+    docker:
+      - image: docker.bintray.io/jfrog/jfrog-cli-go:latest
+    steps:
+      - attach_workspace:
+          at: /
+      - run:
+          name: Create versions
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt vc falcosecurity/deb-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
+            jfrog bt vc falcosecurity/rpm-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
+            jfrog bt vc falcosecurity/bin-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
+      - run:
+          name: Publish deb-dev
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb-dev/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish
+      - run:
+          name: Publish rpm-dev
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish
+      - run:
+          name: Publish tgz-dev
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin-dev/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish
+  # Publish docker packages
+  "publish/docker-dev":
+    docker:
+      - image: docker:stable
+    steps:
+      - attach_workspace:
+          at: /
+      - checkout
+      - setup_remote_docker
+      - run:
+          name: Build and publish slim-dev
+          command: |
+            docker build --build-arg VERSION_BUCKET=deb-dev -t falcosecurity/falco:master-slim docker/slim
+            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
+            docker push falcosecurity/falco:master-slim
+      - run:
+          name: Build and publish minimal-dev
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            docker build --build-arg VERSION_BUCKET=bin-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:master-minimal docker/minimal
+            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
+            docker push falcosecurity/falco:master-minimal
+      - run:
+          name: Build and publish dev
+          command: |
+            docker build --build-arg VERSION_BUCKET=deb-dev -t falcosecurity/falco:master docker/stable
+            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
+            docker push falcosecurity/falco:master
+  # Publish the packages
+  "publish/packages":
+    docker:
+      - image: docker.bintray.io/jfrog/jfrog-cli-go:latest
+    steps:
+      - attach_workspace:
+          at: /
+      - run:
+          name: Create versions
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt vc falcosecurity/deb/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
+            jfrog bt vc falcosecurity/rpm/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
+            jfrog bt vc falcosecurity/bin/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
+      - run:
+          name: Publish deb
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish
+      - run:
+          name: Publish rpm
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish
+      - run:
+          name: Publish tgz
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish
+  # Publish docker packages
+  "publish/docker":
+    docker:
+      - image: docker:stable
+    steps:
+      - attach_workspace:
+          at: /
+      - checkout
+      - setup_remote_docker
+      - run:
+          name: Build and publish slim
+          command: |
+            docker build --build-arg VERSION_BUCKET=deb -t "falcosecurity/falco:${CIRCLE_TAG}-slim" docker/slim
+            docker tag "falcosecurity/falco:${CIRCLE_TAG}-slim" falcosecurity/falco:latest-slim
+            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
+            docker push "falcosecurity/falco:${CIRCLE_TAG}-slim"
+            docker push "falcosecurity/falco:latest-slim"
+      - run:
+          name: Build and publish minimal
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            docker build --build-arg VERSION_BUCKET=bin --build-arg FALCO_VERSION=${FALCO_VERSION} -t "falcosecurity/falco:${CIRCLE_TAG}-minimal" docker/minimal
+            docker tag "falcosecurity/falco:${CIRCLE_TAG}-minimal" falcosecurity/falco:latest-minimal
+            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
+            docker push "falcosecurity/falco:${CIRCLE_TAG}-minimal"
+            docker push "falcosecurity/falco:latest-minimal"
+      - run:
+          name: Build and publish stable
+          command: |
+            docker build --build-arg VERSION_BUCKET=deb -t "falcosecurity/falco:${CIRCLE_TAG}" docker/stable
+            docker tag "falcosecurity/falco:${CIRCLE_TAG}" falcosecurity/falco:latest
+            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
+            docker push "falcosecurity/falco:${CIRCLE_TAG}"
+            docker push "falcosecurity/falco:latest"
 workflows:
   version: 2
   build_and_test:
     jobs:
       - "build/ubuntu-bionic"
+      - "build/ubuntu-bionic-debug"
       - "build/centos7"
+      - "build/centos7-debug"
       - "tests/integration":
           requires:
             - "build/centos7"
+      - "rpm/sign":
+          context: falco
+          filters:
+            branches:
+              only:
+                - master
+          requires:
+            - "tests/integration"
+      - "publish/packages-dev":
+          context: falco
+          filters:
+            branches:
+              only:
+                - master
+          requires:
+            - "rpm/sign"
+      - "publish/docker-dev":
+          context: falco
+          filters:
+            branches:
+              only:
+                - master
+          requires:
+            - "publish/packages-dev"
+  release:
+    jobs:
+      - "build/centos7":
+          filters:
+            tags:
+              only: /.*/
+            branches:
+              ignore: /.*/
+      - "rpm/sign":
+          context: falco
+          requires:
+            - "build/centos7"
+          filters:
+            tags:
+              only: /.*/
+            branches:
+              ignore: /.*/
+      - "publish/packages":
+          context: falco
+          requires:
+            - "rpm/sign"
+          filters:
+            tags:
+              only: /.*/
+            branches:
+              ignore: /.*/
+      - "publish/docker":
+          context: falco
+          requires:
+            - "publish/packages"
+          filters:
+            tags:
+              only: /.*/
+            branches:
+              ignore: /.*/

CHANGELOG.md

@@ -2,6 +2,71 @@
 
 This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).
 
+## v0.21.0
+
+Released on 2020-03-17
+
+### Major Changes
+
+* BREAKING CHANGE: the SYSDIG_BPF_PROBE environment variable is now just FALCO_BPF_PROBE (please update your systemd scripts or kubernetes deployments. [[#1050](https://github.com/falcosecurity/falco/pull/1050)]
+* new: automatically publish deb packages (from git master branch) to public dev repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
+* new: automatically publish rpm packages (from git master branch) to public dev repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
+* new: automatically release deb packages (from git tags) to public repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
+* new: automatically release rpm packages (from git tags) to public repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
+* new: automatically publish docker images from master (master, master-slim, master-minimal) [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
+* new: automatically publish docker images from git tag (tag, tag-slim, tag-master, latest, latest-slim, latest-minimal) [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
+* new: sign packages with falcosecurity gpg key [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
+
+### Minor Changes
+
+* new: falco_version_prerelease contains the number of commits since last tag on the master [[#1086](https://github.com/falcosecurity/falco/pull/1086)]
+* docs: update branding [[#1074](https://github.com/falcosecurity/falco/pull/1074)]
+* new(docker/event-generator): add example k8s resource files that allow running the event generator in a k8s cluster. [[#1088](https://github.com/falcosecurity/falco/pull/1088)]
+* update: creating *-dev docker images using build arguments at build time [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
+* update: docker images use packages from the new repositories [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
+* update: docker image downloads old deb dependencies (gcc-6, gcc-5, binutils-2.30) from a new open repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
+
+### Bug Fixes
+
+* fix(docker): updating `stable` and `local` images to run from `debian:stable` [[#1018](https://github.com/falcosecurity/falco/pull/1018)]
+* fix(event-generator): the image used by the event generator deployment to `latest`. [[#1091](https://github.com/falcosecurity/falco/pull/1091)]
+* fix: -t (to disable rules by certain tag) or -t (to only run rules with a certain tag) work now [[#1081](https://github.com/falcosecurity/falco/pull/1081)]
+* fix: the falco driver now compiles on >= 5.4 kernels [[#1080](https://github.com/falcosecurity/falco/pull/1080)]
+* fix: download falco packages which url contains character to encode - eg, `+` [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
+* fix(docker): use base name in docker-entrypoint.sh [[#981](https://github.com/falcosecurity/falco/pull/981)]
+
+### Rule Changes
+
+* rule(detect outbound connections to common miner pool ports): disabled by default [[#1061](https://github.com/falcosecurity/falco/pull/1061)]
+* rule(macro net_miner_pool): add localhost and rfc1918 addresses as exception in the rule. [[#1061](https://github.com/falcosecurity/falco/pull/1061)]
+* rule(change thread namespace): modify condition to detect suspicious container activity [[#974](https://github.com/falcosecurity/falco/pull/974)]
+
+## v0.20.0
+
+Released on 2020-02-24
+
+### Major Changes
+
+* fix: memory leak introduced in 0.18.0 happening while using json events and the kubernetes audit endpoint [[#1041](https://github.com/falcosecurity/falco/pull/1041)]
+* new: grpc version api [[#872](https://github.com/falcosecurity/falco/pull/872)]
+
+
+### Bug Fixes
+
+* fix: the base64 output format (-b) now works with both json and normal output. [[#1033](https://github.com/falcosecurity/falco/pull/1033)]
+* fix: version follows semver 2 bnf [[#872](https://github.com/falcosecurity/falco/pull/872)]
+
+### Rule Changes
+
+* rule(write below etc): add "dsc_host" as a ms oms program [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
+* rule(write below etc): let mcafee write to /etc/cma.d  [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
+* rule(write below etc): let avinetworks supervisor write some ssh cfg [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
+* rule(write below etc): alow writes to /etc/pki from openshift secrets dir [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
+* rule(write below root): let runc write to /exec.fifo [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
+* rule(change thread namespace): let cilium-cni change namespaces [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
+* rule(run shell untrusted): let puma reactor spawn shells [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
+
+
 ## v0.19.0
 
 Released on 2020-01-23

CMakeLists.txt

@@ -48,6 +48,7 @@ else()
   set(CMAKE_BUILD_TYPE "release")
   set(KBUILD_FLAGS "${DRAIOS_FEATURE_FLAGS}")
 endif()
+message(STATUS "Build type: ${CMAKE_BUILD_TYPE}")
 
 set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS}")
 
@@ -70,7 +71,6 @@ set(CMAKE_CXX_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
 include(GetFalcoVersion)
 
 set(PACKAGE_NAME "falco")
-set(PROBE_VERSION "${FALCO_VERSION}")
 set(PROBE_NAME "falco-probe")
 set(PROBE_DEVICE_NAME "falco")
 if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)

README.md

@@ -7,7 +7,7 @@
 
 #### Latest release
 
-**v0.19.0**
+**v0.21.0**
 Read the [change log](CHANGELOG.md)
 
 [![Build Status](https://img.shields.io/circleci/build/github/falcosecurity/falco/master?style=for-the-badge)](https://circleci.com/gh/falcosecurity/falco) [![CII Best Practices Summary](https://img.shields.io/cii/summary/2317?label=CCI%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) [![GitHub](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING)

brand/README.md

@@ -28,7 +28,7 @@ The CNCF now owns The Falco Project.
 ### What is Runtime Security?
 
 Runtime security refers to an approach to preventing unwanted activity on a computer system. 
-With runtime security an operator deploys **both** prevention tooling (access control, policy enforcement, etc) along side detection tooling (systems observability, anomaly detection, etc).
+With runtime security, an operator deploys **both** prevention tooling (access control, policy enforcement, etc) along side detection tooling (systems observability, anomaly detection, etc).
 Runtime security is the practice of using detection tooling to detect unwanted behavior, such that it can then be prevented using prevention techniques.
 Runtime security is a holistic approach to defense, and useful in scenarios where prevention tooling either was unaware of an exploit or attack vector, or when defective applications are ran in even the most secure environment.
 
@@ -124,9 +124,9 @@ Used to describe the `.ko` object that would be loaded into the kernel as a pote
 This is one option used to pass kernel events up to userspace for Falco to consume.
 Sometimes this word is incorrectly used to refer to a `probe`.
 
-#### Driver (deprecated)
+#### Driver 
 
-An older, more generalized term for a `module` or `probe`. We discourage the use of this word as a project.
+The global term for the software that sends events from the kernel. Such as the eBPF `probe` or the `kernel module`.
 
 #### Falco
 

cmake/modules/CPackConfig.cmake

@@ -1,9 +1,12 @@
 set(CPACK_PACKAGE_NAME "${PACKAGE_NAME}")
 set(CPACK_PACKAGE_VENDOR "Cloud Native Computing Foundation (CNCF) cncf.io.")
-set(CPACK_PACKAGE_CONTACT "opensource@sysdig.com") # todo: change this once we've got @falco.org addresses
+set(CPACK_PACKAGE_CONTACT "cncf-falco-dev@lists.cncf.io") # todo: change this once we've got @falco.org addresses
 set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "Falco - Container Native Runtime Security")
 set(CPACK_PACKAGE_DESCRIPTION_FILE "${PROJECT_SOURCE_DIR}/scripts/description.txt")
 set(CPACK_PACKAGE_VERSION "${FALCO_VERSION}")
+set(CPACK_PACKAGE_VERSION_MAJOR "${FALCO_VERSION_MAJOR}")
+set(CPACK_PACKAGE_VERSION_MINOR "${FALCO_VERSION_MINOR}")
+set(CPACK_PACKAGE_VERSION_PATCH "${FALCO_VERSION_PATCH}")
 set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CMAKE_SYSTEM_PROCESSOR}")
 set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/cmake/cpack/CMakeCPackOptions.cmake")
 set(CPACK_STRIP_FILES "ON")

cmake/modules/GetFalcoVersion.cmake

@@ -1,6 +1,5 @@
 # Retrieve git ref and commit hash
 include(GetGitRevisionDescription)
-get_git_head_revision(FALCO_REF FALCO_HASH)
 
 # Create the falco version variable according to git index
 if(NOT FALCO_VERSION)
@@ -9,25 +8,13 @@ if(NOT FALCO_VERSION)
   git_get_exact_tag(FALCO_TAG)
   if(NOT FALCO_TAG)
     # Obtain the closest tag
-    git_describe(FALCO_VERSION "--abbrev=0" "--tags") # suppress the long format
+    git_describe(FALCO_VERSION "--always" "--tags")
     # Fallback version
     if(FALCO_VERSION MATCHES "NOTFOUND$")
       set(FALCO_VERSION "0.0.0")
     endif()
-    # TODO(leodido) > Construct the prerelease part (semver 2) Construct the Build metadata part (semver 2)
-    if(NOT FALCO_HASH MATCHES "NOTFOUND$")
-      string(SUBSTRING "${FALCO_HASH}" 0 7 FALCO_VERSION_BUILD)
-      # Check whether there are uncommitted changes or not
-      git_local_changes(FALCO_CHANGES)
-      if(FALCO_CHANGES STREQUAL "DIRTY")
-        string(TOLOWER "${FALCO_CHANGES}" FALCO_CHANGES)
-        set(FALCO_VERSION_BUILD "${FALCO_VERSION_BUILD}.${FALCO_CHANGES}")
-      endif()
-    endif()
-    # Append the build metadata part (semver 2)
-    if(FALCO_VERSION_BUILD)
-      set(FALCO_VERSION "${FALCO_VERSION}+${FALCO_VERSION_BUILD}")
-    endif()
+    # Format FALCO_VERSION to be semver with prerelease and build part
+    string(REPLACE "-g" "+" FALCO_VERSION "${FALCO_VERSION}")
   else()
     # A tag has been found: use it as the Falco version
     set(FALCO_VERSION "${FALCO_TAG}")
@@ -42,8 +29,8 @@ if(NOT FALCO_VERSION)
   string(
     REGEX
     REPLACE
-      "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)-((0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)\\.(0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)*).*"
-      "\\4"
+      "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)-((0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(\\.(0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*).*"
+      "\\5"
       FALCO_VERSION_PRERELEASE
       "${FALCO_VERSION}")
   if(FALCO_VERSION_PRERELEASE STREQUAL "${FALCO_VERSION}")

cmake/modules/sysdig-repo/CMakeLists.txt

@@ -15,20 +15,14 @@ cmake_minimum_required(VERSION 3.5.1)
 project(sysdig-repo NONE)
 
 include(ExternalProject)
-
-# The sysdig git reference (branch name, commit hash, or tag)
-
-# To update sysdig version for the next release, change the default below
-# In case you want to test against another sysdig version just pass the variable - ie., `cmake -DSYSDIG_VERSION=dev ..`
-if(NOT SYSDIG_VERSION)
-  set(SYSDIG_VERSION "146a431edf95829ac11bfd9c85ba3ef08789bffe")
-endif()
+message(STATUS "Driver version: ${SYSDIG_VERSION}")
 
 ExternalProject_Add(
   sysdig
   URL "https://github.com/draios/sysdig/archive/${SYSDIG_VERSION}.tar.gz"
-  # URL_HASH SHA256=bd09607aa8beb863db07e695863f7dc543e2d39e7153005759d26a340ff66fa5
+  URL_HASH "${SYSDIG_CHECKSUM}"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""
   INSTALL_COMMAND ""
-  TEST_COMMAND "")
+  TEST_COMMAND ""
+  PATCH_COMMAND patch -p1 -i ${CMAKE_CURRENT_SOURCE_DIR}/patch/libscap.patch)

cmake/modules/sysdig-repo/patch/libscap.patch

@@ -0,0 +1,22 @@
+diff --git a/userspace/libscap/scap.c b/userspace/libscap/scap.c
+index 59b04e0a..bdc311cb 100644
+--- a/userspace/libscap/scap.c
++++ b/userspace/libscap/scap.c
+@@ -52,7 +52,7 @@ limitations under the License.
+ //#define NDEBUG
+ #include <assert.h>
+ 
+-static const char *SYSDIG_BPF_PROBE_ENV = "SYSDIG_BPF_PROBE";
++static const char *SYSDIG_BPF_PROBE_ENV = "FALCO_BPF_PROBE";
+ 
+ //
+ // Probe version string size
+@@ -171,7 +171,7 @@ scap_t* scap_open_live_int(char *error, int32_t *rc,
+ 				return NULL;
+ 			}
+ 
+-			snprintf(buf, sizeof(buf), "%s/.sysdig/%s-bpf.o", home, PROBE_NAME);
++			snprintf(buf, sizeof(buf), "%s/.falco/%s-bpf.o", home, PROBE_NAME);
+ 			bpf_probe = buf;
+ 		}
+ 	}

cmake/modules/sysdig.cmake

@@ -21,8 +21,19 @@ if(USE_BUNDLED_DEPS)
 endif()
 
 file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
+
+# The sysdig git reference (branch name, commit hash, or tag)
+# To update sysdig version for the next release, change the default below
+# In case you want to test against another sysdig version just pass the variable - ie., `cmake -DSYSDIG_VERSION=dev ..`
+if(NOT SYSDIG_VERSION)
+  set(SYSDIG_VERSION "be1ea2d9482d0e6e2cb14a0fd7e08cbecf517f94")
+  set(SYSDIG_CHECKSUM "SHA256=1c69363e4c36cdaeed413c2ef557af53bfc4bf1109fbcb6d6e18dc40fe6ddec8")
+endif()
+set(PROBE_VERSION "${SYSDIG_VERSION}")
+
 # cd /path/to/build && cmake /path/to/source
-execute_process(COMMAND "${CMAKE_COMMAND}" ${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
+execute_process(COMMAND "${CMAKE_COMMAND}" -DSYSDIG_VERSION=${SYSDIG_VERSION} -DSYSDIG_CHECKSUM=${SYSDIG_CHECKSUM} ${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
+
 
 # todo(leodido, fntlnz) > use the following one when CMake version will be >= 3.13
 

docker/builder/Dockerfile

@@ -2,7 +2,7 @@ FROM centos:7
 
 LABEL name="falcosecurity/falco-builder"
 LABEL usage="docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder cmake"
-LABEL maintainer="opensource@sysdig.com"
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 
 ARG BUILD_TYPE=release
 ARG BUILD_DRIVER=OFF

docker/dev/Dockerfile

@@ -1,110 +0,0 @@
-FROM debian:unstable
-
-LABEL maintainer="opensource@sysdig.com"
-
-ENV FALCO_REPOSITORY dev
-
-LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
-
-ENV HOST_ROOT /host
-
-ENV HOME /root
-
-RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
-
-ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
-
-RUN apt-get update \
-	&& apt-get install -y --no-install-recommends \
-	bash-completion \
-	bc \
-	clang-7 \
-	ca-certificates \
-	curl \
-	dkms \
-	gnupg2 \
-	gcc \
-	gdb \
-	jq \
-	libc6-dev \
-	libelf-dev \
-	llvm-7 \
-	netcat \
-	xz-utils \
-	&& rm -rf /var/lib/apt/lists/*
-
-# gcc 6 is no longer included in debian unstable, but we need it to
-# build kernel modules on the default debian-based ami used by
-# kops. So grab copies we've saved from debian snapshots with the
-# prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
-# or so.
-
-RUN curl -o cpp-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/cpp-6_6.3.0-18_amd64.deb \
-	&& curl -o gcc-6-base_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6-base_6.3.0-18_amd64.deb \
-	&& curl -o gcc-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6_6.3.0-18_amd64.deb \
-	&& curl -o libasan3_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libasan3_6.3.0-18_amd64.deb \
-	&& curl -o libcilkrts5_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libcilkrts5_6.3.0-18_amd64.deb \
-	&& curl -o libgcc-6-dev_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libgcc-6-dev_6.3.0-18_amd64.deb \
-	&& curl -o libubsan0_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libubsan0_6.3.0-18_amd64.deb \
-	&& curl -o libmpfr4_3.1.3-2_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libmpfr4_3.1.3-2_amd64.deb \
-	&& curl -o libisl15_0.18-1_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libisl15_0.18-1_amd64.deb \
-	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
-	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
-
-# gcc 5 is no longer included in debian unstable, but we need it to
-# build centos kernels, which are 3.x based and explicitly want a gcc
-# version 3, 4, or 5 compiler. So grab copies we've saved from debian
-# snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
-
-RUN curl -o cpp-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/cpp-5_5.5.0-12_amd64.deb \
-	&& curl -o gcc-5-base_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
-	&& curl -o gcc-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5_5.5.0-12_amd64.deb \
-	&& curl -o libasan2_5.5.0-12_amd64.deb	https://s3.amazonaws.com/download.draios.com/dependencies/libasan2_5.5.0-12_amd64.deb \
-	&& curl -o libgcc-5-dev_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
-	&& curl -o libisl15_0.18-4_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libisl15_0.18-4_amd64.deb \
-	&& curl -o libmpx0_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libmpx0_5.5.0-12_amd64.deb \
-	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
-	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
-
-# Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
-# default to gcc-5.
-RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc
-
-RUN rm -rf /usr/bin/clang \
-	&& rm -rf /usr/bin/llc \
-	&& ln -s /usr/bin/clang-7 /usr/bin/clang \
-	&& ln -s /usr/bin/llc-7 /usr/bin/llc
-
-RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
-	&& curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
-	&& apt-get update \
-	&& apt-get install -y --no-install-recommends falco \
-	&& apt-get clean \
-	&& rm -rf /var/lib/apt/lists/*
-
-# Change the falco config within the container to enable ISO 8601
-# output.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-	&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
-
-# Some base images have an empty /lib/modules by default
-# If it's not empty, docker build will fail instead of
-# silently overwriting the existing directory
-RUN rm -df /lib/modules \
-	&& ln -s $HOST_ROOT/lib/modules /lib/modules
-
-# debian:unstable head contains binutils 2.31, which generates
-# binaries that are incompatible with kernels < 4.16. So manually
-# forcibly install binutils 2.30-22 instead.
-RUN curl -s -o binutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils_2.30-22_amd64.deb \
-	&& curl -s -o libbinutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libbinutils_2.30-22_amd64.deb \
-	&& curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
-	&& curl -s -o binutils-common_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-common_2.30-22_amd64.deb \
-	&& dpkg -i *binutils*.deb \
-	&& rm -f *binutils*.deb
-
-COPY ./docker-entrypoint.sh /
-
-ENTRYPOINT ["/docker-entrypoint.sh"]
-
-CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/dev/docker-entrypoint.sh

@@ -1,34 +0,0 @@
-#!/usr/bin/env bash
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# set -e
-
-# Set the SKIP_MODULE_LOAD variable to skip loading the kernel module
-
-if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
-    echo "* Setting up /usr/src links from host"
-
-    for i in "$HOST_ROOT/usr/src"/*
-    do
-        ln -s "$i" "/usr/src/$i"
-    done
-
-    /usr/bin/falco-probe-loader
-fi
-
-exec "$@"

docker/event-generator/Dockerfile

@@ -1,5 +1,5 @@
 FROM alpine:latest
-LABEL maintainer="opensource@sysdig.com"
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 RUN apk add --no-cache bash g++ curl
 COPY ./event_generator.cpp /usr/local/bin
 COPY ./docker-entrypoint.sh ./k8s_event_generator.sh /

docker/event-generator/event-generator-k8saudit-deployment.yaml

@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: falco-event-generator-k8saudit
+  labels:
+    app: falco-event-generator-k8saudit
+  namespace: falco-event-generator
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: falco-event-generator-k8saudit
+  template:
+    metadata:
+      labels:
+        app: falco-event-generator-k8saudit
+    spec:
+      serviceAccount: falco-event-generator
+      containers:
+      - name: falco-event-generator
+        image: falcosecurity/falco-event-generator
+        imagePullPolicy: Always
+        args: ["k8s_audit"]

docker/event-generator/event-generator-role-rolebinding-serviceaccount.yaml

@@ -0,0 +1,71 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: falco-event-generator
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - services
+  - serviceaccounts
+  - pods
+  verbs:
+  - list
+  - get
+  - create
+  - delete
+- apiGroups:
+  - apps
+  - extensions
+  resources:
+  - deployments
+  verbs:
+  - list
+  - get
+  - create
+  - delete
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - roles
+  - rolebindings
+  verbs:
+  - get
+  - list
+  - create
+  - delete
+# These are only so the event generator can create roles that have these properties.
+# It will result in a falco alert for the rules "ClusterRole With Wildcard Created", "ClusterRole With Pod Exec Created"
+- apiGroups:
+  - ""
+  resources:
+  - pods/exec
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - '*'
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: falco-event-generator
+  namespace: falco-eg-sandbox
+subjects:
+  - kind: ServiceAccount
+    name: falco-event-generator
+    namespace: falco-event-generator
+roleRef:
+  kind: ClusterRole
+  name: falco-event-generator
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: falco-event-generator
+  namespace: falco-event-generator

docker/event-generator/event-generator-syscall-daemonset.yaml

@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: falco-event-generator-syscall
+  labels:
+    app: falco-event-generator-syscall
+  namespace: falco-event-generator
+spec:
+  selector:
+    matchLabels:
+      name: falco-event-generator-syscall
+  template:
+    metadata:
+      labels:
+        name: falco-event-generator-syscall
+    spec:
+      containers:
+      - name: falco-event-generator
+        image: falcosecurity/falco-event-generator
+        args: ["syscall"]

docker/event-generator/k8s_event_generator.sh

@@ -17,15 +17,18 @@ kubectl version --short
 
 while true; do
 
-    RET=$(kubectl get namespaces --output=name | grep falco-event-generator || true)
+    # Delete all resources in the falco-eg-sandbox namespace
+    echo "***Deleting all resources in falco-eg-sandbox namespace..."
+    kubectl delete --all configmaps -n falco-eg-sandbox
+    kubectl delete --all deployments -n falco-eg-sandbox
+    kubectl delete --all services -n falco-eg-sandbox
+    kubectl delete --all roles -n falco-eg-sandbox
+    kubectl delete --all serviceaccounts -n falco-eg-sandbox
 
-    if [[ "$RET" == *falco-event-generator* ]]; then
-	echo "***Deleting existing falco-event-generator namespace..."
-	kubectl delete namespace falco-event-generator
-    fi
-
-    echo "***Creating falco-event-generator namespace..."
-    kubectl create namespace falco-event-generator
+    # We don't delete all rolebindings in the falco-eg-sandbox
+    # namespace, as that would also delete the rolebinding for the
+    # event generator itself.
+    kubectl delete rolebinding vanilla-role-binding -n falco-eg-sandbox || true
 
     for file in yaml/*.yaml; do
 
@@ -48,7 +51,7 @@ while true; do
 	    RULES=$(echo "$RULES" | tr '-' ' '| tr '.' '/' | sed -e 's/ *//' | sed  -e 's/,$//')
 
 	    echo "***$MESSAGES (Rule(s) $RULES)..."
-	    kubectl apply -f $file
+	    kubectl apply -f $file -n falco-eg-sandbox
 	    sleep 2
 	fi
     done

docker/event-generator/yaml/configmap-private-creds.yaml

@@ -2,7 +2,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: private-creds-configmap
-  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: private-creds-configmap
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/disallowed-pod-deployment.yaml

@@ -2,7 +2,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: disallowed-pod-deployment
-  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: disallowed-pod-deployment
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/hostnetwork-deployment.yaml

@@ -2,7 +2,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: hostnetwork-deployment
-  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: hostnetwork-deployment
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/nodeport-service.yaml

@@ -2,7 +2,6 @@ apiVersion: v1
 kind: Service
 metadata:
   name: nodeport-service
-  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: nodeport-service
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/privileged-deployment.yaml

@@ -2,7 +2,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: privileged-deployment
-  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: privileged-deployment
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/role-pod-exec.yaml

@@ -2,7 +2,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: pod-exec-role
-  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: pod-exec-role
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/role-wildcard-resources.yaml

@@ -2,7 +2,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: wildcard-resources-role
-  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: wildcard-resources-role
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/role-write-privileges.yaml

@@ -2,7 +2,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: write-privileges-role
-  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: write-privileges-role
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/sensitive-mount-deployment.yaml

@@ -2,7 +2,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: sensitive-mount-deployment
-  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: sensitive-mount-deployment
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/vanilla-configmap.yaml

@@ -2,7 +2,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: vanilla-configmap
-  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: vanilla-configmap
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/vanilla-deployment.yaml

@@ -2,7 +2,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: vanilla-deployment
-  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: vanilla-deployment
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/vanilla-role-rolebinding-serviceaccount.yaml

@@ -2,7 +2,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: vanilla-role
-  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: vanilla-role
     app.kubernetes.io/part-of: falco-event-generator
@@ -20,7 +19,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: vanilla-role-binding
-  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: vanilla-role-binding
     app.kubernetes.io/part-of: falco-event-generator
@@ -38,7 +36,6 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: vanilla-serviceaccount
-  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: vanilla-serviceaccount
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/vanilla-service.yaml

@@ -2,7 +2,6 @@ apiVersion: v1
 kind: Service
 metadata:
   name: vanilla-service
-  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: vanilla-service
     app.kubernetes.io/part-of: falco-event-generator

docker/kernel/linuxkit/Dockerfile

@@ -1,13 +1,13 @@
 ARG ALPINE_VERSION=3.10
 ARG KERNEL_VERSION=4.9.184
-ARG FALCO_VERSION=0.19.0
+ARG FALCO_VERSION=0.21.0
 
 FROM linuxkit/kernel:${KERNEL_VERSION} AS ksrc
 FROM falcosecurity/falco:${FALCO_VERSION}-minimal as falco
 FROM alpine:${ALPINE_VERSION} AS probe-build
-LABEL maintainer="opensource@sysdig.com"
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 ARG KERNEL_VERSION=4.9.184
-ARG FALCO_VERSION=0.19.0
+ARG FALCO_VERSION=0.21.0
 ENV FALCO_VERSION=${FALCO_VERSION}
 ENV KERNEL_VERSION=${KERNEL_VERSION}
 
@@ -32,7 +32,7 @@ RUN apk add --no-cache --update \
   autoconf
 
 FROM alpine:${ALPINE_VERSION}
-ARG FALCO_VERSION=0.19.0
+ARG FALCO_VERSION=0.21.0
 ENV FALCO_VERSION=${FALCO_VERSION}
 COPY --from=probe-build /usr/src/falco-${FALCO_VERSION}/falco-probe.ko /
 CMD ["insmod","/falco-probe.ko"]

docker/kernel/probeloader/Dockerfile

@@ -12,7 +12,7 @@ RUN go mod vendor
 RUN CGO_ENABLED=0 GOOS=linux go build -a -o falcoctl -ldflags '-extldflags "-static"' .
 
 FROM scratch
-LABEL maintainer="opensource@sysdig.com"
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 COPY --from=build /falcoctl/falcoctl /falcoctl
 CMD ["/falcoctl", "install", "probe"]

docker/local/Dockerfile

@@ -1,7 +1,7 @@
-FROM debian:unstable
+FROM debian:stable
 
 LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
-LABEL maintainer="opensource@sysdig.com"
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 
 ARG FALCO_VERSION=
 RUN test -n FALCO_VERSION
@@ -13,84 +13,82 @@ ENV HOME /root
 
 RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 
-ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
-
 RUN apt-get update \
-    && apt-get install -y --no-install-recommends \
-    bash-completion \
-    bc \
-    clang-7 \
-    ca-certificates \
-    curl \
-    dkms \
-    gnupg2 \
-    gcc \
-    jq \
-    libc6-dev \
-    libelf-dev \
-    libyaml-0-2 \
-    llvm-7 \
-    netcat \
-    xz-utils \
-    libmpc3 \
-    binutils \
-    libgomp1 \
-    libitm1 \
-    libatomic1 \
-    liblsan0 \
-    libtsan0 \
-    libmpx2 \
-    libquadmath0 \
-    libcc1-0 \
-    && rm -rf /var/lib/apt/lists/*
+	&& apt-get install -y --no-install-recommends \
+	bash-completion \
+	bc \
+	clang-7 \
+	ca-certificates \
+	curl \
+	dkms \
+	gnupg2 \
+	gcc \
+	jq \
+	libc6-dev \
+	libelf-dev \
+	libyaml-0-2 \
+	llvm-7 \
+	netcat \
+	xz-utils \
+	libmpc3 \
+	binutils \
+	libgomp1 \
+	libitm1 \
+	libatomic1 \
+	liblsan0 \
+	libtsan0 \
+	libmpx2 \
+	libquadmath0 \
+	libcc1-0 \
+	&& rm -rf /var/lib/apt/lists/*
 
-# gcc 6 is no longer included in debian unstable, but we need it to
+# gcc 6 is no longer included in debian stable, but we need it to
 # build kernel modules on the default debian-based ami used by
 # kops. So grab copies we've saved from debian snapshots with the
 # prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
 # or so.
 
-RUN curl -o cpp-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/cpp-6_6.3.0-18_amd64.deb \
-    && curl -o gcc-6-base_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6-base_6.3.0-18_amd64.deb \
-    && curl -o gcc-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6_6.3.0-18_amd64.deb \
-    && curl -o libasan3_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libasan3_6.3.0-18_amd64.deb \
-    && curl -o libcilkrts5_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libcilkrts5_6.3.0-18_amd64.deb \
-    && curl -o libgcc-6-dev_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libgcc-6-dev_6.3.0-18_amd64.deb \
-    && curl -o libubsan0_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libubsan0_6.3.0-18_amd64.deb \
-    && curl -o libmpfr4_3.1.3-2_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libmpfr4_3.1.3-2_amd64.deb \
-    && curl -o libisl15_0.18-1_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libisl15_0.18-1_amd64.deb \
-    && dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
-    && rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
+RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \
+	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
+	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \
+	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \
+	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
+	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
+	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \
+	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \
+	&& curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \
+	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
+	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
 
-# gcc 5 is no longer included in debian unstable, but we need it to
+# gcc 5 is no longer included in debian stable, but we need it to
 # build centos kernels, which are 3.x based and explicitly want a gcc
 # version 3, 4, or 5 compiler. So grab copies we've saved from debian
 # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
 
-RUN curl -o cpp-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/cpp-5_5.5.0-12_amd64.deb \
-    && curl -o gcc-5-base_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
-    && curl -o gcc-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5_5.5.0-12_amd64.deb \
-    && curl -o libasan2_5.5.0-12_amd64.deb	https://s3.amazonaws.com/download.draios.com/dependencies/libasan2_5.5.0-12_amd64.deb \
-    && curl -o libgcc-5-dev_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
-    && curl -o libisl15_0.18-4_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libisl15_0.18-4_amd64.deb \
-    && curl -o libmpx0_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libmpx0_5.5.0-12_amd64.deb \
-    && dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
-    && rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
+RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \
+	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
+	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \
+	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \
+	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
+	&& curl -L -o libisl15_0.18-4_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \
+	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \
+	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
+	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
 
 # Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
 # default to gcc-5.
 RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc
 
 RUN rm -rf /usr/bin/clang \
-    && rm -rf /usr/bin/llc \
-    && ln -s /usr/bin/clang-7 /usr/bin/clang \
-    && ln -s /usr/bin/llc-7 /usr/bin/llc
+	&& rm -rf /usr/bin/llc \
+	&& ln -s /usr/bin/clang-7 /usr/bin/clang \
+	&& ln -s /usr/bin/llc-7 /usr/bin/llc
 
 # Some base images have an empty /lib/modules by default
 # If it's not empty, docker build will fail instead of
 # silently overwriting the existing directory
 RUN rm -df /lib/modules \
-    && ln -s $HOST_ROOT/lib/modules /lib/modules
+	&& ln -s $HOST_ROOT/lib/modules /lib/modules
 
 ADD falco-${FALCO_VERSION}-x86_64.deb /
 RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
@@ -100,15 +98,15 @@ RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
     && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
 
-# debian:unstable head contains binutils 2.31, which generates
+# debian:stable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -s -o binutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils_2.30-22_amd64.deb \
-    && curl -s -o libbinutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libbinutils_2.30-22_amd64.deb \
-    && curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
-    && curl -s -o binutils-common_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-common_2.30-22_amd64.deb \
-    && dpkg -i *binutils*.deb \
-    && rm -f *binutils*.deb
+RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \
+	&& curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \
+	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+	&& curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \
+	&& dpkg -i *binutils*.deb \
+	&& rm -f *binutils*.deb
 
 # The local container also copies some test trace files and
 # corresponding rules that are used when running regression tests.

docker/local/docker-entrypoint.sh

@@ -25,10 +25,11 @@ if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
 
     for i in "$HOST_ROOT/usr/src"/*
     do
-        ln -s "$i" "/usr/src/$i"
+        base=$(basename "$i")
+        ln -s "$i" "/usr/src/$base"
     done
 
     /usr/bin/falco-probe-loader
 fi
 
-exec "$@"
+exec "$@"

docker/minimal/Dockerfile

@@ -1,20 +1,20 @@
 FROM ubuntu:18.04 as ubuntu
 
-LABEL maintainer="opensource@sysdig.com"
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 
-ARG FALCO_VERSION=0.19.0
+ARG FALCO_VERSION
+ARG VERSION_BUCKET=bin
 
 ENV FALCO_VERSION=${FALCO_VERSION}
+ENV VERSION_BUCKET=${VERSION_BUCKET}
 
 WORKDIR /
 
-ADD https://s3.amazonaws.com/download.draios.com/stable/tgz/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz /
+ADD https://bintray.com/api/ui/download/falcosecurity/${VERSION_BUCKET}/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz /
 
-# ADD will download from URL and unntar
-RUN apt-get update && \
+RUN apt-get update -y && \
     apt-get install -y libyaml-0-2 binutils && \
-    # curl -O https://s3.amazonaws.com/download.draios.com/stable/tgz/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz && \
-    tar xfzv falco-${FALCO_VERSION}-x86_64.tar.gz && \
+    tar -xvf falco-${FALCO_VERSION}-x86_64.tar.gz && \
     rm -f falco-${FALCO_VERSION}-x86_64.tar.gz && \
     mv falco-${FALCO_VERSION}-x86_64 falco && \
     strip falco/usr/bin/falco && \

docker/rhel/Dockerfile

@@ -1,22 +1,22 @@
 FROM registry.access.redhat.com/rhel7
 
-LABEL maintainer="opensource@sysdig.com"
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 
-### Atomic/OpenShift Labels - https://github.com/projectatomic/ContainerApplicationGenericLabels
-LABEL name="falco" \
-    vendor="falcosecurity" \
-    url="http://falco.org/" \
-    summary="Container native runtime security" \
-    description="Falco is an open source project for intrusion and abnormality detection for Cloud Native platforms." \
-    run='docker run -d --name falco --restart always --privileged --net host --pid host -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --shm-size=350m registry.connect.redhat.com/sysdig/falco'
+## Atomic/OpenShift Labels - https://github.com/projectatomic/ContainerApplicationGenericLabels
+LABEL name="falco"
+LABEL vendor="falcosecurity"
+LABEL url="http://falco.org"
+LABEL summary="Cloud Native Runtime Security"
+LABEL description="Falco is an open-source project for intrusion and abnormality detection for Cloud Native platforms."
+LABEL run='docker run -d --name falco --restart always --privileged --net host --pid host -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --shm-size=350m <image>'
 
 COPY help.md /tmp/
 
 ENV HOST_ROOT /host
 ENV HOME /root
 
-ADD http://download.draios.com/stable/rpm/draios.repo /etc/yum.repos.d/draios.repo
-RUN rpm --import https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public && \
+ADD https://falco.org/repo/falcosecurity-rpm.repo /etc/yum.repos.d/falcosecurity.repo
+RUN rpm --import https://falco.org/repo/falcosecurity-3672BA8F.asc && \
     rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && \
     yum clean all && \
     REPOLIST=rhel-7-server-rpms,rhel-7-server-optional-rpms,epel,draios \
@@ -24,9 +24,9 @@ RUN rpm --import https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.pub
     yum -y update-minimal --disablerepo "*" --enablerepo ${REPOLIST} --setopt=tsflags=nodocs \
     --security --sec-severity=Important --sec-severity=Critical && \
     yum -y install --disablerepo "*" --enablerepo ${REPOLIST} --setopt=tsflags=nodocs ${INSTALL_PKGS} && \
-    ### help file markdown to man conversion
+    ## help file markdown to man conversion
     go-md2man -in /tmp/help.md -out /help.1 && \
-    ### we delete everything on /usr/src/kernels otherwise it messes up docker-entrypoint.sh
+    ## we delete everything on /usr/src/kernels otherwise it messes up docker-entrypoint.sh
     rm -fr /usr/src/kernels && \
     rm -df /lib/modules && ln -s $HOST_ROOT/lib/modules /lib/modules && \
     yum clean all

docker/rhel/docker-entrypoint.sh

@@ -25,7 +25,8 @@ if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
 
     for i in "$HOST_ROOT/usr/src"/*
     do
-        ln -s "$i" "/usr/src/$i"
+        base=$(basename "$i")
+        ln -s "$i" "/usr/src/$base"
     done
 
     /usr/bin/falco-probe-loader

docker/slim-stable/Dockerfile

@@ -1,50 +0,0 @@
-FROM ubuntu:18.04
-
-LABEL maintainer="opensource@sysdig.com"
-
-ENV FALCO_REPOSITORY stable
-
-LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
-
-ENV HOST_ROOT /host
-
-ENV HOME /root
-
-RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
-
-ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
-
-RUN apt-get update \
-  && apt-get install -y --no-install-recommends \
-  # 	bash-completion \
-  # 	bc \
-  ca-certificates \
-  curl \
-  gnupg2 \
-  jq \
-  # 	netcat \
-  # 	xz-utils \
-  && rm -rf /var/lib/apt/lists/*
-
-RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
-  && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
-  && apt-get update \
-  && apt-get install -y --no-install-recommends falco \
-  && apt-get clean \
-  && rm -rf /var/lib/apt/lists/*
-
-# Change the falco config within the container to enable ISO 8601
-# output.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-  && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
-
-# Some base images have an empty /lib/modules by default
-# If it's not empty, docker build will fail instead of
-# silently overwriting the existing directory
-RUN rm -df /lib/modules \
-  && ln -s $HOST_ROOT/lib/modules /lib/modules
-
-#COPY ./entrypoint.sh /
-# ENTRYPOINT ["/entrypoint.sh"]
-
-CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/slim/Dockerfile

@@ -1,35 +1,36 @@
 FROM ubuntu:18.04
 
-LABEL maintainer="opensource@sysdig.com"
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 
-ENV FALCO_REPOSITORY dev
+LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name <name> <image>"
 
-LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+ARG FALCO_VERSION=latest
+ARG VERSION_BUCKET=deb
+
+ENV FALCO_VERSION=${FALCO_VERSION}
+ENV VERSION_BUCKET=${VERSION_BUCKET}
 
 ENV HOST_ROOT /host
-
 ENV HOME /root
 
 RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 
-ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
-
 RUN apt-get update \
   && apt-get install -y --no-install-recommends \
-  # 	bash-completion \
-  # 	bc \
+  # bash-completion \
+  # bc \
   ca-certificates \
   curl \
   gnupg2 \
   jq \
-  # 	netcat \
-  # 	xz-utils \
+  # netcat \
+  # xz-utils \
   && rm -rf /var/lib/apt/lists/*
 
-RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
-  && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
-  && apt-get update \
-  && apt-get install -y --no-install-recommends falco \
+RUN curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add - \
+  && echo "deb https://dl.bintray.com/falcosecurity/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
+  && apt-get update -y \
+  && if [ "$FALCO_VERSION" = "latest" ]; then apt-get install -y --no-install-recommends falco; else apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
   && apt-get clean \
   && rm -rf /var/lib/apt/lists/*
 
@@ -44,7 +45,4 @@ RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/fa
 RUN rm -df /lib/modules \
   && ln -s $HOST_ROOT/lib/modules /lib/modules
 
-#COPY ./entrypoint.sh /
-# ENTRYPOINT ["/entrypoint.sh"]
-
 CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/stable/Dockerfile

@@ -1,19 +1,19 @@
-FROM debian:unstable
+FROM debian:stable
 
-LABEL maintainer="opensource@sysdig.com"
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 
-ENV FALCO_REPOSITORY stable
+LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
 
-LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+ARG FALCO_VERSION=latest
+ARG VERSION_BUCKET=deb
+ENV VERSION_BUCKET=${VERSION_BUCKET}
 
+ENV FALCO_VERSION=${FALCO_VERSION}
 ENV HOST_ROOT /host
-
 ENV HOME /root
 
 RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 
-ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
-
 RUN apt-get update \
 	&& apt-get install -y --no-install-recommends \
 	bash-completion \
@@ -33,36 +33,36 @@ RUN apt-get update \
 	xz-utils \
 	&& rm -rf /var/lib/apt/lists/*
 
-# gcc 6 is no longer included in debian unstable, but we need it to
+# gcc 6 is no longer included in debian stable, but we need it to
 # build kernel modules on the default debian-based ami used by
 # kops. So grab copies we've saved from debian snapshots with the
 # prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
 # or so.
 
-RUN curl -o cpp-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/cpp-6_6.3.0-18_amd64.deb \
-	&& curl -o gcc-6-base_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6-base_6.3.0-18_amd64.deb \
-	&& curl -o gcc-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6_6.3.0-18_amd64.deb \
-	&& curl -o libasan3_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libasan3_6.3.0-18_amd64.deb \
-	&& curl -o libcilkrts5_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libcilkrts5_6.3.0-18_amd64.deb \
-	&& curl -o libgcc-6-dev_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libgcc-6-dev_6.3.0-18_amd64.deb \
-	&& curl -o libubsan0_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libubsan0_6.3.0-18_amd64.deb \
-	&& curl -o libmpfr4_3.1.3-2_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libmpfr4_3.1.3-2_amd64.deb \
-	&& curl -o libisl15_0.18-1_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libisl15_0.18-1_amd64.deb \
+RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \
+	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
+	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \
+	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \
+	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
+	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
+	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \
+	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \
+	&& curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \
 	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
 	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
 
-# gcc 5 is no longer included in debian unstable, but we need it to
+# gcc 5 is no longer included in debian stable, but we need it to
 # build centos kernels, which are 3.x based and explicitly want a gcc
 # version 3, 4, or 5 compiler. So grab copies we've saved from debian
 # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
 
-RUN curl -o cpp-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/cpp-5_5.5.0-12_amd64.deb \
-	&& curl -o gcc-5-base_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
-	&& curl -o gcc-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5_5.5.0-12_amd64.deb \
-	&& curl -o libasan2_5.5.0-12_amd64.deb	https://s3.amazonaws.com/download.draios.com/dependencies/libasan2_5.5.0-12_amd64.deb \
-	&& curl -o libgcc-5-dev_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
-	&& curl -o libisl15_0.18-4_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libisl15_0.18-4_amd64.deb \
-	&& curl -o libmpx0_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libmpx0_5.5.0-12_amd64.deb \
+RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \
+	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
+	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \
+	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \
+	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
+	&& curl -L -o libisl15_0.18-4_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \
+	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \
 	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
 	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
 
@@ -75,10 +75,10 @@ RUN rm -rf /usr/bin/clang \
 	&& ln -s /usr/bin/clang-7 /usr/bin/clang \
 	&& ln -s /usr/bin/llc-7 /usr/bin/llc
 
-RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
-	&& curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
-	&& apt-get update \
-	&& apt-get install -y --no-install-recommends falco \
+RUN curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add - \
+	&& echo "deb https://dl.bintray.com/falcosecurity/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
+	&& apt-get update -y \
+	&& if [ "$FALCO_VERSION" = "latest" ]; then apt-get install -y --no-install-recommends falco; else apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
 	&& apt-get clean \
 	&& rm -rf /var/lib/apt/lists/*
 
@@ -93,13 +93,13 @@ RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/fa
 RUN rm -df /lib/modules \
 	&& ln -s $HOST_ROOT/lib/modules /lib/modules
 
-# debian:unstable head contains binutils 2.31, which generates
+# debian:stable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -s -o binutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils_2.30-22_amd64.deb \
-	&& curl -s -o libbinutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libbinutils_2.30-22_amd64.deb \
-	&& curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
-	&& curl -s -o binutils-common_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-common_2.30-22_amd64.deb \
+RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \
+	&& curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \
+	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+	&& curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \
 	&& dpkg -i *binutils*.deb \
 	&& rm -f *binutils*.deb
 

docker/stable/docker-entrypoint.sh

@@ -25,7 +25,8 @@ if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
 
     for i in "$HOST_ROOT/usr/src"/*
     do
-        ln -s "$i" "/usr/src/$i"
+        base=$(basename "$i")
+        ln -s "$i" "/usr/src/$base"
     done
 
     /usr/bin/falco-probe-loader

docker/tester/Dockerfile

@@ -2,7 +2,7 @@ FROM fedora:31
 
 LABEL name="falcosecurity/falco-tester"
 LABEL usage="docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build -e FALCO_VERSION=<current_falco_version> --name <name> falcosecurity/falco-tester test"
-LABEL maintainer="opensource@sysdig.com"
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 
 ENV FALCO_VERSION=
 ENV BUILD_TYPE=release

docker/tester/root/runners/deb.Dockerfile

@@ -1,5 +1,5 @@
 FROM ubuntu:18.04
-LABEL maintainer="opensource@sysdig.com"
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 
 ARG FALCO_VERSION=
 RUN test -n FALCO_VERSION

docker/tester/root/runners/rpm.Dockerfile

@@ -1,6 +1,6 @@
 FROM centos:7
 
-LABEL maintainer="opensource@sysdig.com"
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 
 ARG FALCO_VERSION=
 RUN test -n FALCO_VERSION

integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap-slim.yaml

@@ -20,7 +20,7 @@ spec:
             privileged: true
           #env:
           #  - name: FALCOCTL_FALCO_VERSION
-          #    value: 0.19.0
+          #    value: 0.21.0
           #  - name: FALCOCTL_FALCO_PROBE_URL
           #    value:
           #  - name: FALCOCTL_FALCO_PROBE_REPO
@@ -31,7 +31,7 @@ spec:
               readOnly: true
       containers:
         - name: falco
-          image: falcosecurity/falco:0.19.0-slim
+          image: falcosecurity/falco:0.21.0-slim
           securityContext:
             privileged: true
 # Uncomment the 3 lines below to enable eBPF support for Falco.
@@ -39,7 +39,7 @@ spec:
 # Leave blank for the default probe location, or set to the path
 # of a precompiled probe.
 #          env:
-#          - name: BPF_PROBE
+#          - name: FALCO_BPF_PROBE
 #            value: ""
           args: [ "/usr/bin/falco", "--cri", "/host/run/containerd/containerd.sock", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://$(KUBERNETES_SERVICE_HOST)", "-pk"]
           volumeMounts:

integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml

@@ -23,7 +23,7 @@ spec:
 # Leave blank for the default probe location, or set to the path
 # of a precompiled probe.
 #          env:
-#          - name: BPF_PROBE
+#          - name: FALCO_BPF_PROBE
 #            value: ""
           args: [ "/usr/bin/falco", "--cri", "/host/run/containerd/containerd.sock", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://$(KUBERNETES_SERVICE_HOST)", "-pk"]
           volumeMounts:

rules/falco_rules.yaml

@@ -450,7 +450,7 @@
     a shell configuration file has been modified (user=%user.name command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name container_id=%container.id image=%container.image.repository)
   priority:
     WARNING
-  tag: [file, mitre_persistence]
+  tags: [file, mitre_persistence]
 
 # This rule is not enabled by default, as there are many legitimate
 # readers of shell config files. If you want to enable it, modify the
@@ -472,7 +472,7 @@
     a shell configuration file was read by a non-shell program (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
   priority:
     WARNING
-  tag: [file, mitre_discovery]
+  tags: [file, mitre_discovery]
 
 - macro: consider_all_cron_jobs
   condition: (never_true)
@@ -488,7 +488,7 @@
     file=%fd.name container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority:
     NOTICE
-  tag: [file, mitre_persistence]
+  tags: [file, mitre_persistence]
 
 # Use this to test whether the event occurred within a container.
 
@@ -1544,13 +1544,13 @@
     an attempt to change a program/thread\'s namespace (commonly done
     as a part of creating a container) by calling setns.
   condition: >
-    evt.type = setns
-    and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries,
-                          sysdig, nsenter, calico, oci-umount, cilium-cni, network_plugin_binaries)
+    evt.type=setns and evt.dir=<
+    and not (container.id=host and proc.name in (docker_binaries, k8s_binaries, lxd_binaries, nsenter))
+    and not proc.name in (sysdigcloud_binaries, sysdig, calico, oci-umount, cilium-cni, network_plugin_binaries)
     and not proc.name in (user_known_change_thread_namespace_binaries)
     and not proc.name startswith "runc"
     and not proc.cmdline startswith "containerd"
-    and not proc.pname in (sysdigcloud_binaries)
+    and not proc.pname in (sysdigcloud_binaries, hyperkube, kubelet)
     and not python_running_sdchecks
     and not java_running_sdjagent
     and not kubelet_running_loopback
@@ -1561,9 +1561,9 @@
     and not user_known_change_thread_namespace_activities
   output: >
     Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline
-    parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository)
+    parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository:%container.image.tag)
   priority: NOTICE
-  tags: [process]
+  tags: [process, mitre_privilege_escalation, mitre_lateral_movement]
 
 # The binaries in this list and their descendents are *not* allowed
 # spawn shells. This includes the binaries spawning shells directly as
@@ -2480,7 +2480,7 @@
     Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
   priority:
     WARNING
-  tag: [process, mitre_defense_evation]
+  tags: [process, mitre_defense_evation]
 
 # This rule is deprecated and will/should never be triggered. Keep it here for backport compatibility.
 # Rule Delete or rename shell history is the preferred rule to use now.
@@ -2493,7 +2493,7 @@
     Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
   priority:
     WARNING
-  tag: [process, mitre_defense_evation]
+  tags: [process, mitre_defense_evation]
 
 - macro: consider_all_chmods
   condition: (always_true)
@@ -2515,7 +2515,7 @@
     command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority:
     NOTICE
-  tag: [process, mitre_persistence]
+  tags: [process, mitre_persistence]
 
 - list: exclude_hidden_directories
   items: [/root/.cassandra]
@@ -2537,7 +2537,7 @@
     file=%fd.name newpath=%evt.arg.newpath container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority:
     NOTICE
-  tag: [file, mitre_persistence]
+  tags: [file, mitre_persistence]
 
 - list: remote_file_copy_binaries
   items: [rsync, scp, sftp, dcp]
@@ -2645,11 +2645,14 @@
   condition: (fd.sport in (miner_ports) and fd.sip.name in (miner_domains))
 
 - macro: net_miner_pool
-  condition: (evt.type in (sendto, sendmsg) and evt.dir=< and ((minerpool_http) or (minerpool_https) or (minerpool_other)))
+  condition: (evt.type in (sendto, sendmsg) and evt.dir=< and (fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and ((minerpool_http) or (minerpool_https) or (minerpool_other)))
 
+# The rule is disabled by default. 
+# Note: falco will send DNS request to resolve miner pool domain which may trigger alerts in your environment.
 - rule: Detect outbound connections to common miner pool ports
   desc: Miners typically connect to miner pools on common ports.
   condition: net_miner_pool
+  enabled: false
   output: Outbound connection to IP/Port flagged by cryptoioc.ch (command=%proc.cmdline port=%fd.rport ip=%fd.rip container=%container.info image=%container.image.repository)
   priority: CRITICAL
   tags: [network, mitre_execution]

scripts/debian/falco

@@ -26,7 +26,7 @@
 #                    driven by system calls with support for containers.
 ### END INIT INFO
 
-# Author: The Falco Authors <opensource@sysdig.com>
+# Author: The Falco Authors <cncf-falco-dev@lists.cncf.io>
 
 # Do NOT "set -e"
 

scripts/falco-probe-loader

@@ -350,7 +350,7 @@ load_bpf_probe() {
 			echo "**********************************************************"
 		fi
 
-		echo "* BPF probe located, it's now possible to start sysdig"
+		echo "* BPF probe located, it's now possible to start falco"
 
 		ln -sf "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${HOME}/.falco/${BPF_PROBE_NAME}.o"
 		exit $?
@@ -402,7 +402,7 @@ if ! hash curl > /dev/null 2>&1; then
 	exit 1
 fi
 
-if [ -v BPF_PROBE ] || [ "${1}" = "bpf" ]; then
+if [ -v FALCO_BPF_PROBE ] || [ "${1}" = "bpf" ]; then
 	load_bpf_probe
 else
 	load_kernel_probe

test/falco_tests.yaml

@@ -689,7 +689,7 @@ trace_files: !mux
       - "Non sudo setuid": 1
       - "Create files below dev": 1
       - "Modify binary dirs": 2
-      - "Change thread namespace": 2
+      - "Change thread namespace": 1
 
   disabled_tags_a:
     detect: True

test/falco_traces.yaml.in

@@ -26,7 +26,7 @@ traces: !mux
     detect: True
     detect_level: NOTICE
     detect_counts:
-      - "Change thread namespace": 2
+      - "Change thread namespace": 1
 
   container-privileged:
     trace_file: traces-positive/container-privileged.scap
@@ -73,7 +73,7 @@ traces: !mux
       - "Non sudo setuid": 1
       - "Create files below dev": 1
       - "Modify binary dirs": 2
-      - "Change thread namespace": 2
+      - "Change thread namespace": 1
 
   mkdir-binary-dirs:
     trace_file: traces-positive/mkdir-binary-dirs.scap