Merge remote-tracking branch 'origin/dev'

sysdig-CLA-1.0-signed-off-by: David Archer <darcher@gmail.com>

.circleci/config.yml

@@ -1,95 +0,0 @@
-version: 2
-jobs:
-  # Build using ubuntu LTS
-  # This build is dynamic, most dependencies are taken from the OS
-  "build/ubuntu-bionic":
-    docker:
-      - image: ubuntu:bionic
-    steps:
-      - checkout
-      - run:
-          name: Update base image
-          command: apt update -y
-      - run:
-          name: Install dependencies
-          command: apt install libssl-dev libyaml-dev libncurses-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm linux-headers-$(uname -r) libelf-dev cmake build-essential libcurl4-openssl-dev -y
-      - run:
-          name: Prepare project
-          command: |
-            mkdir build
-            pushd build
-            cmake ..
-            popd
-      - run:
-          name: Build
-          command: |
-            pushd build
-            make -j4 all
-            popd
-      - run:
-          name: Run unit tests
-          command: |
-            pushd build
-            make tests
-            popd
-  # Build using our own builder base image using centos 7
-  # This build is static, dependencies are bundled in the falco binary
-  "build/centos7":
-    docker:
-      - image: falcosecurity/falco-builder:latest
-        environment:
-          BUILD_TYPE: "release"
-    steps:
-      - checkout:
-          path: /source/falco
-      - run:
-          name: Prepare project
-          command: /usr/bin/entrypoint cmake
-      - run:
-          name: Build
-          command: /usr/bin/entrypoint all
-      - run:
-          name: Run unit tests
-          command: /usr/bin/entrypoint tests
-      - run:
-          name: Build packages
-          command: /usr/bin/entrypoint package
-      - persist_to_workspace:
-          root: /
-          paths:
-            - build/release
-            - source
-      - run:
-          name: Prepare artifacts
-          command: |
-            mkdir -p /tmp/packages
-            cp /build/release/*.deb /tmp/packages
-            cp /build/release/*.tar.gz /tmp/packages
-            cp /build/release/*.rpm /tmp/packages
-      - store_artifacts:
-          path: /tmp/packages
-          destination: /packages
-  # Execute integration tests based on the build results coming from the "build/centos7" job
-  "tests/integration":
-    docker:
-      - image: falcosecurity/falco-tester:latest
-        environment:
-          SOURCE_DIR: "/source"
-          BUILD_DIR: "/build"
-          BUILD_TYPE: "release"
-    steps:
-      - setup_remote_docker
-      - attach_workspace:
-          at: /
-      - run:
-          name: Execute integration tests
-          command: /usr/bin/entrypoint test
-workflows:
-  version: 2
-  build_and_test:
-    jobs:
-      - "build/ubuntu-bionic"
-      - "build/centos7"
-      - "tests/integration":
-          requires:
-            - "build/centos7"

.clang-format

@@ -1,16 +0,0 @@
----
-Language: Cpp
-BasedOnStyle: LLVM
-AccessModifierOffset: -8
-BreakBeforeBraces: Allman
-BreakConstructorInitializers: AfterColon
-ColumnLimit: 0
-ConstructorInitializerIndentWidth: 8
-ContinuationIndentWidth: 8
-DerivePointerAlignment: true
-IndentWidth: 8
-SortIncludes: false
-SpaceAfterTemplateKeyword: false
-SpaceBeforeCtorInitializerColon: false
-SpaceBeforeParens: Never
-UseTab: Always

.cmake-format

@@ -1,119 +0,0 @@
-# --------------------------
-# General Formatting Options
-# --------------------------
-# How wide to allow formatted cmake files
-line_width = 120
-
-# How many spaces to tab for indent
-tab_size = 2
-
-# If arglists are longer than this, break them always
-max_subargs_per_line = 3
-
-# If true, separate flow control names from their parentheses with a space
-separate_ctrl_name_with_space = False
-
-# If true, separate function names from parentheses with a space
-separate_fn_name_with_space = False
-
-# If a statement is wrapped to more than one line, than dangle the closing
-# parenthesis on it's own line
-dangle_parens = False
-
-# If the statement spelling length (including space and parenthesis is larger
-# than the tab width by more than this amoung, then force reject un-nested
-# layouts.
-max_prefix_chars = 2
-
-# If a candidate layout is wrapped horizontally but it exceeds this many lines,
-# then reject the layout.
-max_lines_hwrap = 2
-
-# What style line endings to use in the output.
-line_ending = 'unix'
-
-# Format command names consistently as 'lower' or 'upper' case
-command_case = 'canonical'
-
-# Format keywords consistently as 'lower' or 'upper' case
-keyword_case = 'unchanged'
-
-# Specify structure for custom cmake functions
-additional_commands = {
-  "pkg_find": {
-    "kwargs": {
-      "PKG": "*"
-    }
-  }
-}
-
-# A list of command names which should always be wrapped
-always_wrap = []
-
-# Specify the order of wrapping algorithms during successive reflow attempts
-algorithm_order = [0, 1, 2, 3, 4]
-
-# If true, the argument lists which are known to be sortable will be sorted
-# lexicographicall
-enable_sort = True
-
-# If true, the parsers may infer whether or not an argument list is sortable
-# (without annotation).
-autosort = False
-
-# If a comment line starts with at least this many consecutive hash characters,
-# then don't lstrip() them off. This allows for lazy hash rulers where the first
-# hash char is not separated by space
-hashruler_min_length = 10
-
-# A dictionary containing any per-command configuration overrides. Currently
-# only `command_case` is supported.
-per_command = {}
-
-
-# --------------------------
-# Comment Formatting Options
-# --------------------------
-# What character to use for bulleted lists
-bullet_char = '*'
-
-# What character to use as punctuation after numerals in an enumerated list
-enum_char = '.'
-
-# enable comment markup parsing and reflow
-enable_markup = True
-
-# If comment markup is enabled, don't reflow the first comment block in each
-# listfile. Use this to preserve formatting of your copyright/license
-# statements.
-first_comment_is_literal = False
-
-# If comment markup is enabled, don't reflow any comment block which matches
-# this (regex) pattern. Default is `None` (disabled).
-literal_comment_pattern = None
-
-# Regular expression to match preformat fences in comments
-# default=r'^\s*([`~]{3}[`~]*)(.*)$'
-fence_pattern = '^\\s*([`~]{3}[`~]*)(.*)$'
-
-# Regular expression to match rulers in comments
-# default=r'^\s*[^\w\s]{3}.*[^\w\s]{3}$'
-ruler_pattern = '^\\s*[^\\w\\s]{3}.*[^\\w\\s]{3}$'
-
-# If true, then insert a space between the first hash char and remaining hash
-# chars in a hash ruler, and normalize it's length to fill the column
-canonicalize_hashrulers = True
-
-
-# ---------------------------------
-# Miscellaneous Options
-# ---------------------------------
-# If true, emit the unicode byte-order mark (BOM) at the start of the file
-emit_byteorder_mark = False
-
-# Specify the encoding of the input file. Defaults to utf-8.
-input_encoding = 'utf-8'
-
-# Specify the encoding of the output file. Defaults to utf-8. Note that cmake
-# only claims to support utf-8 so be careful when using anything else
-output_encoding = 'utf-8'

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,83 +0,0 @@
-<!--  Thanks for sending a pull request!  Here are some tips for you:
-
-1. If this is your first time, please read our contributor guidelines in the [CONTRIBUTING.md](CONTRIBUTING.md) file and learn how to compile Falco from source [here](https://falco.org/docs/source).
-2. Please label this pull request according to what type of issue you are addressing.
-3. . Please add a release note!
-4. If the PR is unfinished while opening it specify a wip in the title before the actual title, for example, "wip: my awesome feature"
--->
-
-**What type of PR is this?**
-
-> Uncomment one (or more) `/kind <>` lines:
-
-> /kind bug
-
-> /kind cleanup
-
-> /kind design
-
-> /kind documentation
-
-> /kind failing-test
-
-> /kind feature
-
-> If contributing rules or changes to rules, please make sure to also uncomment one of the following line:
-
-> /kind rule-update
-
-> /kind rule-create
-
-<!--
-Please remove the leading whitespace before the `/kind <>` you uncommented.
--->
-
-**Any specific area of the project related to this PR?**
-
-> Uncomment one (or more) `/area <>` lines:
-
-> /area build
-
-> /area engine
-
-> /area examples
-
-> /area rules
-
-> /area integrations
-
-> /area tests
-
-> /area proposals
-
-<!--
-Please remove the leading whitespace before the `/area <>` you uncommented.
--->
-
-**What this PR does / why we need it**:
-
-**Which issue(s) this PR fixes**:
-
-<!--
-Automatically closes linked issue when PR is merged.
-Usage: `Fixes #<issue number>`, or `Fixes (paste link of issue)`.
-If PR is `kind/failing-tests` or `kind/flaky-test`, please post the related issues/tests in a comment and do not use `Fixes`.
--->
-
-Fixes #
-
-**Special notes for your reviewer**:
-
-**Does this PR introduce a user-facing change?**:
-
-<!--
-If no, just write "NONE" in the release-note block below.
-If yes, a release note is required:
-Enter your extended release note in the block below.
-If the PR requires additional action from users switching to the new release, prepend the string "action required:".
-For example, `action required: change the API interface of the rule engine`.
--->
-
-```release-note
-
-```

.github/stale.yml

@@ -1,19 +0,0 @@
-# Number of days of inactivity before an issue becomes stale
-daysUntilStale: 60
-# Number of days of inactivity before a stale issue is closed
-daysUntilClose: 7
-# Issues with these labels will never be considered stale
-exemptLabels:
-  - cncf
-  - roadmap
-  - enhancement
-  - "help wanted"
-# Label to use when marking an issue as stale
-staleLabel: wontfix
-# Comment to post when marking an issue as stale. Set to `false` to disable
-markComment: >
-  This issue has been automatically marked as stale because it has not had
-  recent activity. It will be closed if no further activity occurs. Thank you
-  for your contributions.
-# Comment to post when closing a stale issue. Set to `false` to disable
-closeComment: false

.gitignore

@@ -9,21 +9,12 @@ test/traces-info
 test/job-results
 test/.phoronix-test-suite
 test/results*.json.*
-test/build
 
 userspace/falco/lua/re.lua
 userspace/falco/lua/lpeg.so
-userspace/engine/lua/lyaml
-userspace/engine/lua/lyaml.lua
 
 docker/event-generator/event_generator
 docker/event-generator/mysqld
 docker/event-generator/httpd
 docker/event-generator/sha1sum
 docker/event-generator/vipw
-
-.vscode/*
-
-.luacheckcache
-
-*.idea*

.luacheckrc

@@ -1,9 +0,0 @@
-std = "min"
-cache = true
-include_files = {
-    "userspace/falco/lua/*.lua",
-    "userspace/engine/lua/*.lua",
-    "userspace/engine/lua/lyaml/*.lua",
-    "*.luacheckrc"
-}
-exclude_files = {"build"}

.travis.yml

@@ -0,0 +1,60 @@
+#
+# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+#
+# This file is part of falco .
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+language: cpp
+compiler: gcc
+env:
+    - BUILD_TYPE=Debug
+    - BUILD_TYPE=Release
+sudo: required
+services:
+    - docker
+before_install:
+    - sudo apt-get update
+install:
+    - sudo apt-get install rpm linux-headers-$(uname -r) libelf-dev
+    - git clone https://github.com/draios/sysdig.git ../sysdig
+    - sudo apt-get install -y python-pip libvirt-dev jq dkms
+    - cd ..
+    - curl -Lo avocado-36.0-tar.gz https://github.com/avocado-framework/avocado/archive/36.0lts.tar.gz
+    - tar -zxvf avocado-36.0-tar.gz
+    - cd avocado-36.0lts
+    - sed -e 's/libvirt-python>=1.2.9/libvirt-python>=1.2.9,<4.1.0/' < requirements.txt  > /tmp/requirements.txt && mv /tmp/requirements.txt ./requirements.txt
+    - sudo -H pip install -r requirements.txt
+    - sudo python setup.py install
+    - cd ../falco
+before_script:
+    - export KERNELDIR=/lib/modules/$(uname -r)/build
+script:
+    - set -e
+    - mkdir build
+    - cd build
+    - cmake .. -DCMAKE_BUILD_TYPE=$BUILD_TYPE -DDRAIOS_DEBUG_FLAGS="-D_DEBUG -DNDEBUG"
+    - make VERBOSE=1
+    - make package
+    - cp falco*.deb ../docker/local
+    - cd ../docker/local
+    - docker build -t sysdig/falco:test .
+    - cd ../..
+    - sudo test/run_regression_tests.sh $TRAVIS_BRANCH
+notifications:
+  webhooks:
+    urls:
+#      - https://webhooks.gitter.im/e/fdbc2356fb0ea2f15033
+    on_success: change
+    on_failure: always
+    on_start: never

.yamllint.conf

@@ -1,8 +0,0 @@
-extends: default
-
-rules:
-  indentation: disable
-  document-start: disable
-  comments: disable
-  line-length: disable
-  new-line-at-end-of-file: disable

ADOPTERS.md

@@ -1,25 +0,0 @@
-# Adopters
-
-This is a list of production adopters of Falco (in alphabetical order):
-
-* [Booz Allen Hamilton](https://www.boozallen.com/) - BAH leverages Falco as part of their Kubernetes environment to verify that work loads behave as they did in their CD DevSecOps pipelines. BAH offers a solution to internal developers to easily build DevSecOps pipelines for projects. This makes it easy for developers to incorporate Security principles early on in the development cycle. In production, Falco is used to verify that the code the developer ships does not violate any of the production security requirements. BAH [are speaking at Kubecon NA 2019](https://kccncna19.sched.com/event/UaWr/building-reusable-devsecops-pipelines-on-a-secure-kubernetes-platform-steven-terrana-booz-allen-hamilton-michael-ducy-sysdig) on their use of Falco.
-
-* [Coveo](https://www.coveo.com/) - Coveo stitches together content and data, learning from every interaction, to tailor every experience using AI to drive growth, satisfy customers and develop employee proficiency. All Falco events are centralized in our SIEM for analysis. Understanding what is running on production servers, and the context around why things are running is even more tricky now that we have further abstractions with containers and orchestration systems. Falco is giving us a good visibility inside containers and complement other Host and Network Intrusion Detection Systems. In a near future, we expect to deploy serverless functions to take action when Falco identifies patterns worth taking action for.
-
-* [Frame.io](https://frame.io/) - Frame.io is a cloud-based (SaaS) video review and collaboration platform that enables users to securely upload source media, work-in-progress edits, dailies, and more into private workspaces where they can invite their team and clients to collaborate on projects. Understanding what is running on production servers, and the context around why things are running is even more tricky now that we have further abstractions like Docker and Kubernetes. To get this needed visibility into our system, we rely on Falco. Falco's ability to collect raw system calls such as open, connect, exec, along with their arguments offer key insights on what is happening on the production system and became the foundation of our intrusion detection and alerting system.
-
-* [League](https://league.com/ca/) - League provides health benefits management services to help employees understand and get the most from their benefits, and employers to provide effective, efficient plans. Falco is used to monitor our deployed services on Kubernetes, protecting against malicious access to containerswhich could lead to leaks of PHI or other sensitive data. The Falco alerts are logged in Stackdriver for grouping and further analysis. In the future, we're hoping for integrations with Prometheus and AlertManager as well.
-
-* [Preferral](https://www.preferral.com) - Preferral is a HIPAA-compliant platform for Referral Management and Online Referral Forms. Preferral streamlines the referral process for patients, specialists and their referral partners. By automating the referral process, referring practices spend less time on the phone, manual efforts are eliminated, and patients get the right care from the right specialist. Preferral leverages Falco to provide a Host Intrusion Detection System to meet their HIPPA compliance requirements.
-  * https://hipaa.preferral.com/01-preferral_hipaa_compliance/
-
-* [Shopify](https://www.shopify.com) - Shopify is the leading multi-channel commerce platform. Merchants use Shopify to design, set up, and manage their stores across multiple sales channels, including mobile, web, social media, marketplaces, brick-and-mortar locations, and pop-up shops. The platform also provides merchants with a powerful back-office and a single view of their business, from payments to shipping. The Shopify platform was engineered for reliability and scale, making enterprise-level technology available to businesses of all sizes. Shopify uses Falco to complement its Host and Network Intrusion Detection Systems.
-
-* [Sight Machine](https://www.sightmachine.com) - Sight Machine is the category leader for manufacturing analytics and used by Global 500 companies to make better, faster decisions about their operations. Sight Machine uses Falco to help enforce SOC2 compliance as well as a tool for real time security monitoring and alerting in Kubernetes.
-
-* [Skyscanner](https://www.skyscanner.net) - Skyscanner is the world's travel search engine for flights, hotels and car rentals. Most of our infrastructure is based on Kubernetes, and our Security team is using Falco to monitor anomalies at runtime, integrating Falco's findings with our internal ChatOps tooling to provide insight on the behavior of our machines in production. We also postprocess and store Falco's results to generate dashboards for auditing purposes.
-
-* [Sumo Logic](https://www.sumologic.com/) - Sumo Logic provides a SaaS based log aggregation service that provides dashboards and applications to easily identify and analyze problems in your application and infrastructure. Sumo Logic provides native integrations for many CNCF projects, such as Falco, that allows end users to easily collect Falco events and analyze Falco events on DecSecOps focused dashboards.
-
-*  [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call probe. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-define infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.
-

CHANGELOG.md

@@ -2,435 +2,14 @@
 
 This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).
 
-## v0.19.0
-
-Released on 2020-01-23
-
-### Major Changes
-
-* new: security audit [[#977](https://github.com/falcosecurity/falco/pull/977)]
-* instead of crashing, now falco will report the error when an internal error occurs while handling an event to be inspected. the log line will be of type error and will contain the string `error handling inspector event` [[#746](https://github.com/falcosecurity/falco/pull/746)]
-* build: bump grpc to 1.25.0 [[#939](https://github.com/falcosecurity/falco/pull/939)]
-* build: (most of) dependencies are bundled dynamically (by default) [[#968](https://github.com/falcosecurity/falco/pull/968)]
-* test: integration tests now can run on different distributions via docker containers, for now CentOS 7 and Ubuntu 18.04 with respective rpm and deb packages [[#1012](https://github.com/falcosecurity/falco/pull/1012)]
-
-### Minor Changes
-
-* proposal: rules naming convention [[#980](https://github.com/falcosecurity/falco/pull/980)]
-* update: also allow posting json arrays containing k8s audit events to the k8s_audit endpoint. [[#967](https://github.com/falcosecurity/falco/pull/967)]
-* update: add support for k8s audit events to the falco-event-generator container. [[#997](https://github.com/falcosecurity/falco/pull/997)]
-* update: falco-tester base image is fedora:31 now [[#968](https://github.com/falcosecurity/falco/pull/968)]
-* build: switch to circleci [[#968](https://github.com/falcosecurity/falco/pull/968)]
-* build: bundle openssl into falco-builder docker image [[#1004](https://github.com/falcosecurity/falco/pull/1004)]
-* build: falco-builder docker image revamp (centos:7 base image) [[#1004](https://github.com/falcosecurity/falco/pull/1004)]
-* update: puppet module had been renamed from "sysdig-falco" to "falco" [[#922](https://github.com/falcosecurity/falco/pull/922)]
-* update: adds a hostname field to grpc output [[#927](https://github.com/falcosecurity/falco/pull/927)]
-* build: download grpc from their github repo [[#933](https://github.com/falcosecurity/falco/pull/933)]
-* update: ef_drop_falco is now ef_drop_simple_cons [[#922](https://github.com/falcosecurity/falco/pull/922)]
-* update(docker): use host_root environment variable rather than sysdig_host_root [[#922](https://github.com/falcosecurity/falco/pull/922)]
-* update: ef_drop_falco is now ef_drop_simple_cons [[#922](https://github.com/falcosecurity/falco/pull/922)]
-
-### Bug Fixes
-
-* fix: providing clang into docker-builder [[#972](https://github.com/falcosecurity/falco/pull/972)]
-* fix: prevent throwing json type error c++ exceptions outside of the falco engine when procesing k8s audit events. [[#928](https://github.com/falcosecurity/falco/pull/928)]
-* fix(docker/kernel/linuxkit): correct from for falco minimal image [[#913](https://github.com/falcosecurity/falco/pull/913)]
-
-### Rule Changes
-
-* rules(list network_tool_binaries): add some network tools to detect suspicious network activity. [[#973](https://github.com/falcosecurity/falco/pull/973)]
-* rules(write below etc): allow automount to write to /etc/mtab [[#957](https://github.com/falcosecurity/falco/pull/957)]
-* rules(macro user_known_k8s_client_container): when executing the docker client, exclude fluentd-gcp-scaler container running in the `kube-system` namespace to avoid false positives [[#962](https://github.com/falcosecurity/falco/pull/962)]
-* rules(the docker client is executed in a container): detect the execution of the docker client in a container and logs it with warning priority.  [[#915](https://github.com/falcosecurity/falco/pull/915)]
-* rules(list k8s_client_binaries): create and add docker, kubectl, crictl [[#915](https://github.com/falcosecurity/falco/pull/915)]
-* rules(macro container_entrypoint): add docker-runc-cur  [[#914](https://github.com/falcosecurity/falco/pull/914)]
-* rules(list user_known_chmod_applications): add hyperkube [[#914](https://github.com/falcosecurity/falco/pull/914)]
-* rules(list network_tool_binaries): add some network tools to detect suspicious network activity. [[#975](https://github.com/falcosecurity/falco/pull/975)]
-* rules(macro user_known_k8s_client_container): macro to match kube-system namespace [[#955](https://github.com/falcosecurity/falco/pull/955)]
-* rules(contact k8s api server from container): now it can automatically resolve the cluster ip address  [[#952](https://github.com/falcosecurity/falco/pull/952)]
-* rules(macro k8s_api_server): new macro to match the default k8s api server [[#952](https://github.com/falcosecurity/falco/pull/952)]
-* rules(macro sensitive_vol_mount): add more sensitive host paths [[#929](https://github.com/falcosecurity/falco/pull/929)]
-* rules(macro sensitive_mount): add more sensitive paths [[#929](https://github.com/falcosecurity/falco/pull/929)]
-* rules(macro consider_metadata_access): macro to decide whether to consider metadata or not (off by default) [[#943](https://github.com/falcosecurity/falco/pull/943)]
-* rules(contact cloud metadata service from container): add rules to detect access to gce instance metadata [[#943](https://github.com/falcosecurity/falco/pull/943)]
-* rules(macro sensitive_vol_mount): align sensitive mounts macro between k8s audit rules and syscall rules [[#950](https://github.com/falcosecurity/falco/pull/950)]
-* rules(macro consider_packet_socket_communication): macro to consider or not packet socket communication (off by default) [[#945](https://github.com/falcosecurity/falco/pull/945)]
-* rules(packet socket created in container): rule to detect raw packets creation [[#945](https://github.com/falcosecurity/falco/pull/945)]
-* rules(macro exe_running_docker_save): fixed false positives in multiple rules that were caused by the use of docker in docker [[#951](https://github.com/falcosecurity/falco/pull/951)]
-* rules(modify shell configuration file): fixed a false positive by excluding "exe_running_docker_save" [[#949](https://github.com/falcosecurity/falco/pull/949)]
-* rules(update package repository): fixed a false positive by excluding "exe_running_docker_save". [[#948](https://github.com/falcosecurity/falco/pull/948)]
-* rules(the docker client is executed in a container): when executing the docker client, exclude containers running in the `kube-system` namespace to avoid false positives [[#955](https://github.com/falcosecurity/falco/pull/955)]
-* rules(list user_known_chmod_applications): add kubelet [[#944](https://github.com/falcosecurity/falco/pull/944)]
-* rules(set setuid or setgid bit): fixed a false positive by excluding "exe_running_docker_save" [[#946](https://github.com/falcosecurity/falco/pull/946)]
-* rules(macro user_known_package_manager_in_container): allow users to specify conditions that match a legitimate use case for using a package management process in a container. [[#941](https://github.com/falcosecurity/falco/pull/941)]
-
-## v0.18.0
-
-Released 2019-10-28
-
-### Major Changes
-
-* falco grpc api server implementation, contains a subscribe method to subscribe to outputs from any grpc capable language [[#822](https://github.com/falcosecurity/falco/pull/822)]
-* add support for converting k8s pod security policies (psps) into set of falco rules that can be used to evaluate the conditions specified in the psp. [[#826](https://github.com/falcosecurity/falco/pull/826)]
-* initial redesign container images to remove build tools and leverage init containers for kernel module delivery. [[#776](https://github.com/falcosecurity/falco/pull/776)]
-* add flags to disable `syscall` event source or `k8s_audit` event source [[#779](https://github.com/falcosecurity/falco/pull/779)]
-
-### Minor Changes
-
-* allow for unique names for psp converted rules/macros/lists/rule names as generated by falcoctl 0.0.3 [[#895](https://github.com/falcosecurity/falco/pull/895)]
-* make it easier to run regression tests without necessarily using the falco-tester docker image. [[#808](https://github.com/falcosecurity/falco/pull/808)]
-* fix falco engine compatibility with older k8s audit rules files. [[#893](https://github.com/falcosecurity/falco/pull/893)]
-* add tests for psp conversions with names containing spaces/dashes. [[#899](https://github.com/falcosecurity/falco/pull/899)]
-
-### Bug Fixes
-
-* handle multi-document yaml files when reading rules files. [[#760](https://github.com/falcosecurity/falco/pull/760)]
-* improvements to how the webserver handles incoming invalid inputs [[#759](https://github.com/falcosecurity/falco/pull/759)]
-* fix: make lua state access thread-safe [[#867](https://github.com/falcosecurity/falco/pull/867)]
-* fix compilation on gcc 5.4 by working around gcc bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=56480 [[#873](https://github.com/falcosecurity/falco/pull/873)]
-* add explicit dependency between tests and catch2 header file. [[#879](https://github.com/falcosecurity/falco/pull/879)]
-* fix: stable dockerfile libgcc-6-dev dependencies [[#830](https://github.com/falcosecurity/falco/pull/830)]
-* fix: build dependencies for the local dockerfile [[#782](https://github.com/falcosecurity/falco/pull/782)]
-* fix: a crash bug that could result from reading more than ~6 rules files [[#906](https://github.com/falcosecurity/falco/issues/906)] [[#907](https://github.com/falcosecurity/falco/pull/907)]
-
-### Rule Changes
-
-* rules: add calico/node to trusted privileged container list [[#902](https://github.com/falcosecurity/falco/pull/902)]
-* rules: add macro `calico_node_write_envvars` to exception list of write below etc [[#902](https://github.com/falcosecurity/falco/pull/902)]
-* rules: add exception for rule write below rpm, this is a fp caused by amazon linux 2 yum. [[#755](https://github.com/falcosecurity/falco/pull/755)]
-* rules: ignore sensitive mounts from the ecs-agent [[#881](https://github.com/falcosecurity/falco/pull/881)]
-* rules: add rules to detect crypto mining activities [[#763](https://github.com/falcosecurity/falco/pull/763)]
-* rules: add back rule delete bash history for backport compatibility [[#864](https://github.com/falcosecurity/falco/pull/864)]
-* rule: syscalls are used to detect suid and sgid [[#765](https://github.com/falcosecurity/falco/pull/765)]
-* rules: delete bash history is renamed to delete or rename shell history [[#762](https://github.com/falcosecurity/falco/pull/762)]
-* rules: add image fluent/fluentd-kubernetes-daemonset to clear log trusted images [[#852](https://github.com/falcosecurity/falco/pull/852)]
-* rules: include default users created by `kops`. [[#898](https://github.com/falcosecurity/falco/pull/898)]
-* rules: delete or rename shell history: when deleting a shell history file now the syscalls are taken into account rather than just the commands deleting the files [[#762](https://github.com/falcosecurity/falco/pull/762)]
-* rules: delete or rename shell history: history deletion now supports fish and zsh in addition to bash [[#762](https://github.com/falcosecurity/falco/pull/762)]
-* rules: "create hidden files or directories" and "update package repository" now trigger also if the files are moved and not just if modified or created. [[#766](https://github.com/falcosecurity/falco/pull/766)]
-
-## v0.17.1
-
-Released 2019-09-26
-
-### Major Changes
-
-* Same as v0.17.0
-
-##
-
-* Same as v0.17.0
-
-### Bug Fixes
-
-* All in v0.17.0
-* Fix a build problem for pre-built kernel probes. [[draios/sysdig#1471](https://github.com/draios/sysdig/pull/1471)]
-
-### Rule Changes
-
-* Same as v0.17.0
-
-## v0.17.0
-
-Released 2019-07-31
-
-### Major Changes
-
-* **The set of supported platforms has changed**. Switch to a reorganized builder image that uses Centos 7 as a base. As a result, falco is no longer supported on Centos 6. The other supported platforms should remain the same [[#719](https://github.com/falcosecurity/falco/pull/719)]
-
-### Minor Changes
-
-* When enabling rules within the falco engine, use rule substrings instead of regexes. [[#743](https://github.com/falcosecurity/falco/pull/743)]
-
-* Additional improvements to the handling and display of rules validation errors [[#744](https://github.com/falcosecurity/falco/pull/744)] [[#747](https://github.com/falcosecurity/falco/pull/747)]
-
-### Bug Fixes
-
-* Fix a problem that would cause prevent container metadata lookups when falco was daemonized [[#731](https://github.com/falcosecurity/falco/pull/731)]
-
-* Allow rule priorites to be expressed as lowercase and a mix of lower/uppercase [[#737](https://github.com/falcosecurity/falco/pull/737)]
-
-### Rule Changes
-
-* Fix a parentheses bug with the `shell_procs` macro [[#728](https://github.com/falcosecurity/falco/pull/728)]
-
-* Allow additional containers to mount sensitive host paths [[#733](https://github.com/falcosecurity/falco/pull/733)] [[#736](https://github.com/falcosecurity/falco/pull/736)]
-
-* Allow additional containers to truncate log files [[#733](https://github.com/falcosecurity/falco/pull/733)]
-
-* Fix false positives with the `Write below root` rule on GKE [[#739](https://github.com/falcosecurity/falco/pull/739)]
-
-## v0.16.0
-
-Released 2019-07-12
-
-### Major Changes
-
-* Clean up error reporting to provide more meaningful error messages along with context when loading rules files. When run with -V, the results of the validation ("OK" or error message) are sent to standard output. [[#708](https://github.com/falcosecurity/falco/pull/708)]
-
-* Improve rule loading performance by optimizing lua parsing paths to avoid expensive pattern matches. [[#694](https://github.com/falcosecurity/falco/pull/694)]
-
-* Bump falco engine version to 4 to reflect new fields `ka.useragent`, others. [[#710](https://github.com/falcosecurity/falco/pull/710)] [[#681](https://github.com/falcosecurity/falco/pull/681)]
-
-* Add Catch2 as a unit testing framework. This will add additional coverage on top of the regression tests using Avocado. [[#687](https://github.com/falcosecurity/falco/pull/687)]
-
-### Minor Changes
-
-* Add SYSDIG_DIR Cmake option to specify location for sysdig source code when building falco. [[#677](https://github.com/falcosecurity/falco/pull/677)] [[#679](https://github.com/falcosecurity/falco/pull/679)] [[#702](https://github.com/falcosecurity/falco/pull/702)]
-
-* New field `ka.useragent` reports the useragent from k8s audit events. [[#709](https://github.com/falcosecurity/falco/pull/709)]
-
-* Add clang formatter for C++ syntax formatting. [[#701](https://github.com/falcosecurity/falco/pull/701)] [[#689](https://github.com/falcosecurity/falco/pull/689)]
-
-* Partial changes towards lua syntax formatting. No particular formatting enforced yet, though. [[#718](https://github.com/falcosecurity/falco/pull/718)]
-
-* Partial changes towards yaml syntax formatting. No particular formatting enforced yet, though. [[#714](https://github.com/falcosecurity/falco/pull/714)]
-
-* Add cmake syntax formatting. [[#703](https://github.com/falcosecurity/falco/pull/703)]
-
-* Token bucket unit tests and redesign. [[#692](https://github.com/falcosecurity/falco/pull/692)]
-
-* Update github PR template. [[#699](https://github.com/falcosecurity/falco/pull/699)]
-
-* Fix PR template for kind/rule-*. [[#697](https://github.com/falcosecurity/falco/pull/697)]
-
-### Bug Fixes
-
-* Remove an unused cmake file. [[#700](https://github.com/falcosecurity/falco/pull/700)]
-
-* Misc Cmake cleanups. [[#673](https://github.com/falcosecurity/falco/pull/673)]
-
-* Misc k8s install docs improvements. [[#671](https://github.com/falcosecurity/falco/pull/671)]
-
-### Rule Changes
-
-* Allow k8s.gcr.io/kube-proxy image to run privileged. [[#717](https://github.com/falcosecurity/falco/pull/717)]
-
-* Add runc to the list of possible container entrypoint parents. [[#712](https://github.com/falcosecurity/falco/pull/712)]
-
-* Skip Source RFC 1918 addresses when considering outbound connections. [[#685](https://github.com/falcosecurity/falco/pull/685)]
-
-* Add additional `user_XXX` placeholder macros to allow for easy customization of rule exceptions. [[#685](https://github.com/falcosecurity/falco/pull/685)]
-
-* Let weaveworks programs change namespaces. [[#685](https://github.com/falcosecurity/falco/pull/685)]
-
-* Add additional openshift images. [[#685](https://github.com/falcosecurity/falco/pull/685)]
-
-* Add openshift as a k8s binary. [[#678](https://github.com/falcosecurity/falco/pull/678)]
-
-* Add dzdo as a binary that can change users. [[#678](https://github.com/falcosecurity/falco/pull/678)]
-
-* Allow azure/calico binaries to change namespaces. [[#678](https://github.com/falcosecurity/falco/pull/678)]
-
-* Add back trusted_containers list for backport compatibility [[#675](https://github.com/falcosecurity/falco/pull/675)]
-
-* Add mkdirat as a syscall for mkdir operations. [[#667](https://github.com/falcosecurity/falco/pull/667)]
-
-* Add container id/repository to rules that can work with containers. [[#667](https://github.com/falcosecurity/falco/pull/667)]
-
-## v0.15.3
-
-Released 2019-06-12
-
-### Major Changes
-
-* None.
-
-### Minor Changes
-
-* None.
-
-### Bug Fixes
-
-* Fix kernel module compilation for kernels < 3.11 [[#sysdig/1436](https://github.com/draios/sysdig/pull/1436)]
-
-### Rule Changes
-
-* None.
-
-## v0.15.2
-
-Released 2019-06-12
-
-### Major Changes
-
-* New documentation and process handling around issues and pull requests. [[#644](https://github.com/falcosecurity/falco/pull/644)] [[#659](https://github.com/falcosecurity/falco/pull/659)] [[#664](https://github.com/falcosecurity/falco/pull/664)] [[#665](https://github.com/falcosecurity/falco/pull/665)]
-
-### Minor Changes
-
-* None.
-
-### Bug Fixes
-
-* Fix compilation of eBPF programs on COS (used by GKE) [[#sysdig/1431](https://github.com/draios/sysdig/pull/1431)]
-
-### Rule Changes
-
-* Rework exceptions lists for `Create Privileged Pod`, `Create Sensitive Mount Pod`, `Launch Sensitive Mount Container`, `Launch Privileged Container` rules to use separate specific lists rather than a single "Trusted Containers" list. [[#651](https://github.com/falcosecurity/falco/pull/651)]
-
-## v0.15.1
-
-Released 2019-06-07
-
-### Major Changes
-
-* Drop unnecessary events at the kernel level instead of userspace, which should improve performance [[#635](https://github.com/falcosecurity/falco/pull/635)]
-
-### Minor Changes
-
-* Add instructions for k8s audit support in >= 1.13 [[#608](https://github.com/falcosecurity/falco/pull/608)]
-
-* Fix security issues reported by GitHub on Anchore integration [[#592](https://github.com/falcosecurity/falco/pull/592)]
-
-* Several docs/readme improvements [[#620](https://github.com/falcosecurity/falco/pull/620)] [[#616](https://github.com/falcosecurity/falco/pull/616)] [[#631](https://github.com/falcosecurity/falco/pull/631)] [[#639](https://github.com/falcosecurity/falco/pull/639)] [[#642](https://github.com/falcosecurity/falco/pull/642)]
-
-* Better tracking of rule counts per ruleset [[#645](https://github.com/falcosecurity/falco/pull/645)]
-
-### Bug Fixes
-
-* Handle rule patterns that are invalid regexes [[#636](https://github.com/falcosecurity/falco/pull/636)]
-
-* Fix kernel module builds on newer kernels [[#646](https://github.com/falcosecurity/falco/pull/646)] [[#sysdig/1413](https://github.com/draios/sysdig/pull/1413)]
-
-### Rule Changes
-
-* New rule `Launch Remote File Copy Tools in Container` could be used to identify exfiltration attacks [[#600](https://github.com/falcosecurity/falco/pull/600)]
-
-* New rule `Create Symlink Over Sensitive Files` can help detect attacks like [[CVE-2018-15664](https://nvd.nist.gov/vuln/detail/CVE-2018-15664)] [[#613](https://github.com/falcosecurity/falco/pull/613)] [[#637](https://github.com/falcosecurity/falco/pull/637)]
-
-* Let etcd-manager write to /etc/hosts. [[#613](https://github.com/falcosecurity/falco/pull/613)]
-
-* Let additional processes spawned by google-accounts-daemon access sensitive files [[#593](https://github.com/falcosecurity/falco/pull/593)]
-
-* Add Sematext Monitoring & Logging agents to trusted k8s containers [[#594](https://github.com/falcosecurity/falco/pull/594/)]
-
-* Add additional coverage for `Netcat Remote Code Execution in Container` rule. [[#617](https://github.com/falcosecurity/falco/pull/617/)]
-
-* Fix `egrep` typo. [[#617](https://github.com/falcosecurity/falco/pull/617/)]
-
-* Allow Ansible to run using Python 3 [[#625](https://github.com/falcosecurity/falco/pull/625/)]
-
-* Additional `Write below etc` exceptions for nginx, rancher [[#637](https://github.com/falcosecurity/falco/pull/637)] [[#648](https://github.com/falcosecurity/falco/pull/648)] [[#652](https://github.com/falcosecurity/falco/pull/652)]
-
-* Add rules for running with IBM Cloud Kubernetes Service [[#634](https://github.com/falcosecurity/falco/pull/634)]
-
-## v0.15.0
-
-Released 2019-05-13
-
-### Major Changes
-
-* **Actions and alerts for dropped events**: Falco can now take actions, including sending alerts/logging messages, and/or even exiting Falco, when it detects dropped system call events. Fixes CVE 2019-8339. [[#561](https://github.com/falcosecurity/falco/pull/561)] [[#571](https://github.com/falcosecurity/falco/pull/571)]
-
-* **Support for Containerd/CRI-O**: Falco now supports containerd/cri-o containers. [[#585](https://github.com/falcosecurity/falco/pull/585)] [[#591](https://github.com/falcosecurity/falco/pull/591)] [[#599](https://github.com/falcosecurity/falco/pull/599)] [[#sysdig/1376](https://github.com/draios/sysdig/pull/1376)] [[#sysdig/1310](https://github.com/draios/sysdig/pull/1310)] [[#sysdig/1399](https://github.com/draios/sysdig/pull/1399)]
-
-* **Perform docker metadata fetches asynchronously**: When new containers are discovered, fetch metadata about the container asynchronously, which should significantly reduce the likelihood of dropped system call events. [[#sysdig/1326](https://github.com/draios/sysdig/pull/1326)] [[#550](https://github.com/falcosecurity/falco/pull/550)] [[#570](https://github.com/falcosecurity/falco/pull/570)]
-
-* Better syscall event performance: improve algorithm for reading system call events from kernel module to handle busy event streams [[#sysdig/1372](https://github.com/draios/sysdig/pull/1372)]
-
-* HTTP Output: Falco can now send alerts to http endpoints directly without having to use curl. [[#523](https://github.com/falcosecurity/falco/pull/523)]
-
-* Move Kubernetes Response Engine to own repo: The Kubernetes Response Engine is now in its [own github repository](https://github.com/falcosecurity/kubernetes-response-engine). [[#539](https://github.com/falcosecurity/falco/pull/539)]
-
-* Updated Puppet Module: An all-new puppet module compatible with puppet 4 with a smoother installation process and updated package links. [[#537](https://github.com/falcosecurity/falco/pull/537)] [[#543](https://github.com/falcosecurity/falco/pull/543)] [[#546](https://github.com/falcosecurity/falco/pull/546)]
-
-* RHEL-based falco image: Provide dockerfiles that use RHEL 7 as the base image instead of debian:unstable. [[#544](https://github.com/falcosecurity/falco/pull/544)]
-
-
-### Minor Changes
-
-* ISO-8601 Timestamps: Add the ability to write timestamps in ISO-8601 w/ UTC, and use this format by default when running falco in a container [[#518](https://github.com/falcosecurity/falco/pull/518)]
-
-* Docker-based builder/tester: You can now build Falco using the [falco-builder](https://falco.org/docs/source/#build-using-falco-builder-container) docker image, and run regression tests using the [falco-tester](https://falco.org/docs/source/#test-using-falco-tester-container) docker image. [[#522](https://github.com/falcosecurity/falco/pull/522)] [[#584](https://github.com/falcosecurity/falco/pull/584)]
-
-* Several small docs changes to improve clarity and readibility [[#524](https://github.com/falcosecurity/falco/pull/524)] [[#540](https://github.com/falcosecurity/falco/pull/540)] [[#541](https://github.com/falcosecurity/falco/pull/541)] [[#542](https://github.com/falcosecurity/falco/pull/542)]
-
-* Add instructions on how to enable K8s Audit Logging for kops [[#535](https://github.com/falcosecurity/falco/pull/535)]
-
-* Add a "stale issue" bot that marks and eventually closes old issues with no activity [[#548](https://github.com/falcosecurity/falco/pull/548)]
-
-* Improvements to sample K8s daemonset/service/etc files [[#562](https://github.com/falcosecurity/falco/pull/562)]
-
-### Bug Fixes
-
-* Fix regression that broke json output [[#581](https://github.com/falcosecurity/falco/pull/581)]
-
-* Fix errors when building via docker from MacOS [[#582](https://github.com/falcosecurity/falco/pull/582)]
-
-### Rule Changes
-
-* **Tag rules using Mitre Attack Framework**: Add tags for all relevant rules linking them to the [MITRE Attack Framework](https://attack.mitre.org). We have an associated [blog post](https://sysdig.com/blog/mitre-attck-framework-for-container-runtime-security-with-sysdig-falco/). [[#575](https://github.com/falcosecurity/falco/pull/575)] [[#578](https://github.com/falcosecurity/falco/pull/578)]
-
-* New rules for additional use cases: New rules `Schedule Cron Jobs`, `Update Package Repository`, `Remove Bulk Data from Disk`, `Set Setuid or Setgid bit`, `Detect bash history deletion`, `Create Hidden Files or Directories` look for additional common follow-on activity you might see from an attacker. [[#578](https://github.com/falcosecurity/falco/pull/578)] [[#580](https://github.com/falcosecurity/falco/pull/580)]
-
-* Allow docker's "exe" (usually part of docker save/load) to write to many filesystem locations [[#552](https://github.com/falcosecurity/falco/pull/552)]
-
-* Let puppet write below /etc [[#563](https://github.com/falcosecurity/falco/pull/563)
-
-* Add new `user_known_write_root_conditions`, `user_known_non_sudo_setuid_conditions`, and `user_known_write_monitored_dir_conditions` macros to allow those rules to be easily customized in user rules files [[#563](https://github.com/falcosecurity/falco/pull/563)] [[#566](https://github.com/falcosecurity/falco/pull/566)]
-
-* Better coverage and exceptions for rancher [[#559](https://github.com/falcosecurity/falco/pull/559)]
-
-* Allow prometheus to write to its conf directory under etc [[#564](https://github.com/falcosecurity/falco/pull/564)]
-
-* Better coverage and exceptions for openshift/related tools [[#567](https://github.com/falcosecurity/falco/pull/567)] [[#573](https://github.com/falcosecurity/falco/pull/573)]
-
-* Better coverage for cassandra/kubelet/kops to reduce FPs [[#551](https://github.com/falcosecurity/falco/pull/551)]
-
-* Better coverage for docker, openscap to reduce FPs [[#573](https://github.com/falcosecurity/falco/pull/573)]
-
-* Better coverage for fluentd/jboss to reduce FPs [[#590](https://github.com/falcosecurity/falco/pull/590)]
-
-* Add `ash` (Alpine Linux-related shell) as a shell binary [[#597](https://github.com/falcosecurity/falco/pull/597)]
-
-## v0.14.0
-
-Released 2019-02-06
-
-### Major Changes
-
-* Rules versioning support: The falco engine and executable now have an *engine version* that represents the fields they support. Similarly, rules files have an optional *required_engine_version: NNN* object that names the minimum engine version required to read that rules file. Any time the engine adds new fields, event sources, etc, the engine version will be incremented, and any time a rules file starts using new fields, event sources, etc, the required engine version will be incremented. [[#492](https://github.com/falcosecurity/falco/pull/492)]
-
-* Allow SSL for K8s audit endpoint/embedded webserver [[#471](https://github.com/falcosecurity/falco/pull/471)]
-
-* Add stale issues bot that automatically flags old github issues as stale after 60 days of inactivity and closes issues after 67 days of inactivity. [[#500](https://github.com/falcosecurity/falco/pull/500)]
-
-* Support bundle: When run with `--support`, falco will print a json object containing necessary information like falco version, command line, operating system information, and falco rules files contents. This could be useful when reporting issues. [[#517](https://github.com/falcosecurity/falco/pull/517)]
-
-### Minor Changes
-
-* Support new third-party library dependencies from open source sysdig. [[#498](https://github.com/falcosecurity/falco/pull/498)]
-
-* Add CII best practices badge. [[#499](https://github.com/falcosecurity/falco/pull/499)]
-
-* Fix kernel module builds when running on centos as a container by installing gcc 5 by hand instead of directly from debian/unstable. [[#501](https://github.com/falcosecurity/falco/pull/501)]
-
-* Mount `/etc` when running as a container, which allows container to build kernel module/ebpf program on COS/Minikube. [[#475](https://github.com/falcosecurity/falco/pull/475)]
-
-* Improved way to specify the source of generic event objects [[#480](https://github.com/falcosecurity/falco/pull/480)]
-
-* Readability/clarity improvements to K8s Audit/K8s Daemonset READMEs. [[#503](https://github.com/falcosecurity/falco/pull/503)]
-
-* Add additional RBAC permissions to track deployments/daemonsets/replicasets. [[#514](https://github.com/falcosecurity/falco/pull/514)]
-
-### Bug Fixes
-
-* Fix formatting of nodejs examples README [[#502](https://github.com/falcosecurity/falco/pull/502)]
-
-### Rule Changes
-
-* Remove FPs for `Launch Sensitive Mount Container` rule [[#509](https://github.com/falcosecurity/falco/pull/509/files)]
-
-* Update Container rules/macros to use the more reliable `container.image.{repository,tag}` that always return the repository/tag of an image instead of `container.image`, which may not for some docker daemon versions. [[#513](https://github.com/falcosecurity/falco/pull/513)]
-
 ## v0.13.1
 
 Released 2019-01-16
 
-### Major Changes
+## Major Changes
 
 
-### Minor Changes
+## Minor Changes
 
 * Unbuffer outputs by default. This helps make output readable when used in environments like K8s. [[#494](https://github.com/falcosecurity/falco/pull/494)]
 
@@ -444,7 +23,7 @@ Released 2019-01-16
 
 * Remove kubernetes-response-engine from system:masters [[#488](https://github.com/falcosecurity/falco/pull/488)]
 
-### Bug Fixes
+## Bug Fixes
 
 * Ensure `-pc`/`-pk` only apply to syscall rules and not k8s_audit rules [[#495](https://github.com/falcosecurity/falco/pull/495)]
 
@@ -452,7 +31,7 @@ Released 2019-01-16
 
 * Fix a regression where format output options were mistakenly removed [[#485](https://github.com/falcosecurity/falco/pull/485)]
 
-### Rule Changes
+## Rule Changes
 
 * Fix FPs related to calico and writing files below etc [[#481](https://github.com/falcosecurity/falco/pull/481)]
 
@@ -469,25 +48,25 @@ Released 2019-01-16
 
 Released 2018-11-09
 
-### Major Changes
+## Major Changes
 
 * **Support for K8s Audit Events** : Falco now supports [K8s Audit Events](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-backends) as a second stream of events in addition to syscalls. For full details on the feature, see the [wiki](https://github.com/falcosecurity/falco/wiki/K8s-Audit-Event-Support).
 
 * Transparent Config/Rule Reloading: On SIGHUP, Falco will now reload all config files/rules files and start processing new events. Allows rules changes without having to restart falco [[#457](https://github.com/falcosecurity/falco/pull/457)] [[#432](https://github.com/falcosecurity/falco/issues/432)]
 
-### Minor Changes
+## Minor Changes
 
 * The reference integration of falco into a action engine now supports aws actions like lambda, etc. [[#460](https://github.com/falcosecurity/falco/pull/460)]
 
 * Add netcat to falco docker images, which allows easier integration of program outputs to external servers [[#456](https://github.com/falcosecurity/falco/pull/456)] [[#433](https://github.com/falcosecurity/falco/issues/433)]
 
-### Bug Fixes
+## Bug Fixes
 
 * Links cleanup related to the draios/falco -> falcosecurity/falco move [[#447](https://github.com/falcosecurity/falco/pull/447)]
 
 * Properly load/unload kernel module when the falco service is started/stopped [[#459](https://github.com/falcosecurity/falco/pull/459)] [[#418](https://github.com/falcosecurity/falco/issues/418)]
 
-### Rule Changes
+## Rule Changes
 
 * Better coverage (e.g. reduced FPs) for critical stack, hids systems, ufw, cloud-init, etc. [[#445](https://github.com/falcosecurity/falco/pull/445)]
 
@@ -499,7 +78,7 @@ Released 2018-11-09
 
 Released 2018-09-11
 
-### Bug Fixes
+## Bug Fixes
 
 * Fig regression in libcurl configure script [[#416](https://github.com/draios/falco/pull/416)]
 
@@ -507,7 +86,7 @@ Released 2018-09-11
 
 Released 2018-09-11
 
-### Major Changes
+## Major Changes
 
 * Improved IPv6 Support to fully support use of IPv6 addresses in events, connections and filters [[#sysdig/1204](https://github.com/draios/sysdig/pull/1204)]
 
@@ -515,16 +94,16 @@ Released 2018-09-11
 
 * New filterchecks `user.loginuid` and `user.loginname` can be used to match the login uid, which stays consistent across sudo/su. This can be used to find the actual user running a given process [[#sysdig/1189](https://github.com/draios/sysdig/pull/1189)]
 
-### Minor Changes
+## Minor Changes
 
 * Upgrade zlib to 1.2.11, openssl to 1.0.2n, and libcurl to 7.60.0 to address software vulnerabilities [[#402](https://github.com/draios/falco/pull/402)]
 * New `endswith` operator can be used for suffix matching on strings [[#sysdig/1209](https://github.com/draios/sysdig/pull/1209)]
 
-### Bug Fixes
+## Bug Fixes
 
 * Better control of specifying location of lua source code [[#406](https://github.com/draios/falco/pull/406)]
 
-### Rule Changes
+## Rule Changes
 
 * None for this release.
 
@@ -532,7 +111,7 @@ Released 2018-09-11
 
 Released 2018-07-31
 
-### Bug Fixes
+## Bug Fixes
 
 * Fix a problem that caused the kernel module to not load on certain kernel versions [[#397](https://github.com/draios/falco/pull/397)] [[#394](https://github.com/draios/falco/issues/394)]
 
@@ -540,25 +119,25 @@ Released 2018-07-31
 
 Released 2018-07-24
 
-### Major Changes
+## Major Changes
 
 * **EBPF Support** (Beta): Falco can now read events via an ebpf program loaded into the kernel instead of the `falco-probe` kernel module. Full docs [here](https://github.com/draios/sysdig/wiki/eBPF-(beta)). [[#365](https://github.com/draios/falco/pull/365)]
 
-### Minor Changes
+## Minor Changes
 
 * Rules may now have an `skip-if-unknown-filter` property. If set to true, a rule will be skipped if its condition/output property refers to a filtercheck (e.g. `fd.some-new-attibute`) that is not present in the current falco version. [[#364](https://github.com/draios/falco/pull/364)] [[#345](https://github.com/draios/falco/issues/345)]
 * Small changes to Falco `COPYING` file so github automatically recognizes license [[#380](https://github.com/draios/falco/pull/380)]
 * New example integration showing how to connect Falco with Anchore to dynamically create falco rules based on negative scan results [[#390](https://github.com/draios/falco/pull/390)]
 * New example integration showing how to connect Falco, [nats](https://nats.io/), and K8s to run flexible "playbooks" based on Falco events [[#389](https://github.com/draios/falco/pull/389)]
 
-### Bug Fixes
+## Bug Fixes
 
 * Ensure all rules are enabled by default [[#379](https://github.com/draios/falco/pull/379)]
 * Fix libcurl compilation problems [[#374](https://github.com/draios/falco/pull/374)]
 * Add gcc-6 to docker container, which improves compatibility when building kernel module [[#382](https://github.com/draios/falco/pull/382)] [[#371](https://github.com/draios/falco/issues/371)]
 * Ensure the /lib/modules symlink to /host/lib/modules is set correctly [[#392](https://github.com/draios/falco/issues/392)]
 
-### Rule Changes
+## Rule Changes
 
 * Add additional binary writing programs [[#366](https://github.com/draios/falco/pull/366)]
 * Add additional package management programs [[#388](https://github.com/draios/falco/pull/388)] [[#366](https://github.com/draios/falco/pull/366)]
@@ -579,7 +158,7 @@ Released 2018-07-24
 
 Released 2018-04-24
 
-### Major Changes
+## Major Changes
 
 * **Rules Directory Support**: Falco will read rules files from `/etc/falco/rules.d` in addition to `/etc/falco/falco_rules.yaml` and `/etc/falco/falco_rules.local.yaml`. Also, when the argument to `-r`/falco.yaml `rules_file` is a directory, falco will read rules files from that directory. [[#348](https://github.com/draios/falco/pull/348)] [[#187](https://github.com/draios/falco/issues/187)]
 * Properly support all syscalls (e.g. those without parameter extraction by the kernel module) in falco conditions, so they can be included in `evt.type=<name>` conditions. [[#352](https://github.com/draios/falco/pull/352)]
@@ -588,7 +167,7 @@ Released 2018-04-24
 * When signaled with `USR1`, falco will close/reopen log files. Include a [logrotate](https://github.com/logrotate/logrotate) example that shows how to use this feature for log rotation. [[#347](https://github.com/draios/falco/pull/347)] [[#266](https://github.com/draios/falco/issues/266)]
 * To improve resource usage, further restrict the set of system calls available to falco [[#351](https://github.com/draios/falco/pull/351)] [[draios/sysdig#1105](https://github.com/draios/sysdig/pull/1105)]
 
-### Minor Changes
+## Minor Changes
 
 * Add gdb to the development Docker image (sysdig/falco:dev) to aid in debugging. [[#323](https://github.com/draios/falco/pull/323)]
 * You can now specify -V multiple times on the command line to validate multiple rules files at once. [[#329](https://github.com/draios/falco/pull/329)]
@@ -599,7 +178,7 @@ Released 2018-04-24
 * If a rule has an attribute `warn_evttypes`, falco will not complain about `evt.type` restrictions on that rule [[#355](https://github.com/draios/falco/pull/355)]
 * When run with `-i`, print all ignored events/syscalls and exit. [[#359](https://github.com/draios/falco/pull/359)]
 
-### Bug Fixes
+## Bug Fixes
 
 * Minor bug fixes to k8s daemonset configuration. [[#325](https://github.com/draios/falco/pull/325)] [[#296](https://github.com/draios/falco/pull/296)] [[#295](https://github.com/draios/falco/pull/295)]
 * Ensure `--validate` can be used interchangeably with `-V`. [[#334](https://github.com/draios/falco/pull/334)] [[#322](https://github.com/draios/falco/issues/322)]
@@ -608,7 +187,7 @@ Released 2018-04-24
 * Make it possible to append to a skipped macro/rule without falco complaining [[#346](https://github.com/draios/falco/pull/346)] [[#305](https://github.com/draios/falco/issues/305)]
 * Ensure rule order is preserved even when rules do not contain any `evt.type` restriction. [[#354](https://github.com/draios/falco/issues/354)] [[#355](https://github.com/draios/falco/pull/355)]
 
-### Rule Changes
+## Rule Changes
 
 * Make it easier to extend the `Change thread namespace` rule via a `user_known_change_thread_namespace_binaries` list. [[#324](https://github.com/draios/falco/pull/324)]
 * Various FP fixes from users. [[#321](https://github.com/draios/falco/pull/321)] [[#326](https://github.com/draios/falco/pull/326)] [[#344](https://github.com/draios/falco/pull/344)] [[#350](https://github.com/draios/falco/pull/350)]
@@ -863,13 +442,13 @@ All of these changes result in dramatically reduced CPU usage. Here are some com
 * Sysdig Cloud Kubernetes Demo: Starts a kubernetes environment using docker with apache and wordpress instances + synthetic workloads.
 * [Juttle-engine examples](https://github.com/juttle/juttle-engine/blob/master/examples/README.md) : Several elasticsearch, node.js, logstash, mysql, postgres, influxdb instances run under docker-compose.
 
-| Workload                          | 0.2.0 CPU Usage | 0.3.0 CPU Usage |
-| --------------------------------- | --------------- | --------------- |
-| pts/apache                        | 24%             | 7%              |
-| pts/dbench                        | 70%             | 5%              |
-| Kubernetes-Demo (Running)         | 6%              | 2%              |
-| Kubernetes-Demo (During Teardown) | 15%             | 3%              |
-| Juttle-examples                   | 3%              | 1%              |
+| Workload | 0.2.0 CPU Usage | 0.3.0 CPU Usage |
+|----------| --------------- | ----------------|
+| pts/apache | 24% | 7% |
+| pts/dbench | 70% | 5% |
+| Kubernetes-Demo (Running) | 6% | 2% |
+| Kubernetes-Demo (During Teardown) | 15% | 3% |
+| Juttle-examples | 3% | 1% |
 
 As a part of these changes, falco now prefers rule conditions that have at least one `evt.type=` operator, at the beginning of the condition, before any negative operators (i.e. `not` or `!=`). If a condition does not have any `evt.type=` operator, falco will log a warning like:
 

CMakeCPackOptions.cmake

@@ -1,3 +1,20 @@
+#
+# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+#
+# This file is part of falco .
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
 if(CPACK_GENERATOR MATCHES "DEB")
 	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/init.d/")
 	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/init.d")

CMakeLists.txt

@@ -1,65 +1,51 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
 #
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
+# This file is part of falco .
 #
-# http://www.apache.org/licenses/LICENSE-2.0
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
 #
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
+#     http://www.apache.org/licenses/LICENSE-2.0
 #
-cmake_minimum_required(VERSION 3.5.1)
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+cmake_minimum_required(VERSION 2.8.2)
 
 project(falco)
 
-option(USE_BUNDLED_DEPS "Bundle hard to find dependencies into the Falco binary" OFF)
-option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF)
+option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags")
 
-# Elapsed time
-# set_property(GLOBAL PROPERTY RULE_LAUNCH_COMPILE "${CMAKE_COMMAND} -E time") # TODO(fntlnz, leodido): add a flag to enable this
-
-# Make flag for parallel processing
-include(ProcessorCount)
-processorcount(PROCESSOR_COUNT)
-if(NOT PROCESSOR_COUNT EQUAL 0)
-  set(PROCESSOUR_COUNT_MAKE_FLAG -j${PROCESSOR_COUNT})
+if(NOT DEFINED FALCO_VERSION)
+	set(FALCO_VERSION "0.1.1dev")
 endif()
 
-# Custom CMake modules
-list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules")
-
-# GNU standard installation directories' definitions
-include(GNUInstallDirs)
-
 if(NOT DEFINED FALCO_ETC_DIR)
-  set(FALCO_ETC_DIR "${CMAKE_INSTALL_FULL_SYSCONFDIR}/falco")
+	set(FALCO_ETC_DIR "/etc/falco")
+endif()
+
+if(NOT CMAKE_BUILD_TYPE)
+	SET(CMAKE_BUILD_TYPE Release)
 endif()
 
 if(NOT DRAIOS_DEBUG_FLAGS)
-  set(DRAIOS_DEBUG_FLAGS "-D_DEBUG")
-endif()
-
-string(TOLOWER "${CMAKE_BUILD_TYPE}" CMAKE_BUILD_TYPE)
-if(CMAKE_BUILD_TYPE STREQUAL "debug")
-  set(KBUILD_FLAGS "${DRAIOS_DEBUG_FLAGS} ${DRAIOS_FEATURE_FLAGS}")
-else()
-  set(CMAKE_BUILD_TYPE "release")
-  set(KBUILD_FLAGS "${DRAIOS_FEATURE_FLAGS}")
+	set(DRAIOS_DEBUG_FLAGS "-D_DEBUG")
 endif()
 
 set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS}")
 
 if(BUILD_WARNINGS_AS_ERRORS)
-  set(CMAKE_SUPPRESSED_WARNINGS
-      "-Wno-unused-parameter -Wno-unused-variable -Wno-unused-but-set-variable -Wno-missing-field-initializers -Wno-sign-compare -Wno-type-limits -Wno-implicit-fallthrough -Wno-format-truncation -Wno-stringop-truncation -Wno-stringop-overflow -Wno-restrict"
-  )
-  set(CMAKE_COMMON_FLAGS "${CMAKE_COMMON_FLAGS} -Wextra -Werror ${CMAKE_SUPPRESSED_WARNINGS}")
+	set(CMAKE_SUPPRESSED_WARNINGS "-Wno-unused-parameter -Wno-missing-field-initializers -Wno-sign-compare -Wno-type-limits -Wno-implicit-fallthrough -Wno-format-truncation")
+	set(CMAKE_COMMON_FLAGS "${CMAKE_COMMON_FLAGS} -Wextra -Werror ${CMAKE_SUPPRESSED_WARNINGS}")
 endif()
 
 set(CMAKE_C_FLAGS "${CMAKE_COMMON_FLAGS}")
-set(CMAKE_CXX_FLAGS "--std=c++0x ${CMAKE_COMMON_FLAGS} -Wno-class-memaccess")
+set(CMAKE_CXX_FLAGS "--std=c++0x ${CMAKE_COMMON_FLAGS}")
 
 set(CMAKE_C_FLAGS_DEBUG "${DRAIOS_DEBUG_FLAGS}")
 set(CMAKE_CXX_FLAGS_DEBUG "${DRAIOS_DEBUG_FLAGS}")
@@ -67,187 +53,505 @@ set(CMAKE_CXX_FLAGS_DEBUG "${DRAIOS_DEBUG_FLAGS}")
 set(CMAKE_C_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
 set(CMAKE_CXX_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
 
-include(GetFalcoVersion)
+add_definitions(-DPLATFORM_NAME="${CMAKE_SYSTEM_NAME}")
+add_definitions(-DK8S_DISABLE_THREAD)
+if(CMAKE_SYSTEM_NAME MATCHES "Linux")
+	add_definitions(-DHAS_CAPTURE)
+endif()
+
+if(CMAKE_BUILD_TYPE STREQUAL "Debug")
+	set(KBUILD_FLAGS "${DRAIOS_DEBUG_FLAGS} ${DRAIOS_FEATURE_FLAGS}")
+else()
+	set(KBUILD_FLAGS "${DRAIOS_FEATURE_FLAGS}")
+endif()
 
 set(PACKAGE_NAME "falco")
 set(PROBE_VERSION "${FALCO_VERSION}")
 set(PROBE_NAME "falco-probe")
 set(PROBE_DEVICE_NAME "falco")
-if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
-  set(CMAKE_INSTALL_PREFIX
-      /usr
-      CACHE PATH "Default install path" FORCE)
+if (CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
+	set(CMAKE_INSTALL_PREFIX /usr CACHE PATH "Default install path" FORCE)
 endif()
 
 set(CMD_MAKE make)
 
-include(ExternalProject)
-
-# jq
-include(jq)
-
-# nlohmann-json
-set(NJSON_SRC "${PROJECT_BINARY_DIR}/njson-prefix/src/njson")
-message(STATUS "Using bundled nlohmann-json in '${NJSON_SRC}'")
-set(NJSON_INCLUDE "${NJSON_SRC}/single_include")
-ExternalProject_Add(
-  njson
-  URL "https://s3.amazonaws.com/download.draios.com/dependencies/njson-3.3.0.tar.gz"
-  URL_MD5 "e26760e848656a5da400662e6c5d999a"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  INSTALL_COMMAND "")
-
-# curses
-# We pull this in because libsinsp won't build without it
-set(CURSES_NEED_NCURSES TRUE)
-find_package(Curses REQUIRED)
-message(STATUS "Found ncurses: include: ${CURSES_INCLUDE_DIR}, lib: ${CURSES_LIBRARIES}")
-
-# libb64
-set(B64_SRC "${PROJECT_BINARY_DIR}/b64-prefix/src/b64")
-message(STATUS "Using bundled b64 in '${B64_SRC}'")
-set(B64_INCLUDE "${B64_SRC}/include")
-set(B64_LIB "${B64_SRC}/src/libb64.a")
-ExternalProject_Add(
-  b64
-  URL "https://s3.amazonaws.com/download.draios.com/dependencies/libb64-1.2.src.zip"
-  URL_MD5 "a609809408327117e2c643bed91b76c5"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ${CMD_MAKE}
-  BUILD_IN_SOURCE 1
-  INSTALL_COMMAND "")
-
-# yaml-cpp
-include(yaml-cpp)
-
-# OpenSSL
-include(OpenSSL)
-
-# libcurl
-include(cURL)
-
-# LuaJIT
-set(LUAJIT_SRC "${PROJECT_BINARY_DIR}/luajit-prefix/src/luajit/src")
-message(STATUS "Using bundled LuaJIT in '${LUAJIT_SRC}'")
-set(LUAJIT_INCLUDE "${LUAJIT_SRC}")
-set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
-ExternalProject_Add(
-  luajit
-  URL "https://s3.amazonaws.com/download.draios.com/dependencies/LuaJIT-2.0.3.tar.gz"
-  URL_MD5 "f14e9104be513913810cd59c8c658dc0"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ${CMD_MAKE}
-  BUILD_IN_SOURCE 1
-  INSTALL_COMMAND "")
-
-# Lpeg
-set(LPEG_SRC "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg")
-set(LPEG_LIB "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg/build/lpeg.a")
-message(STATUS "Using bundled lpeg in '${LPEG_SRC}'")
-set(LPEG_DEPENDENCIES "")
-list(APPEND LPEG_DEPENDENCIES "luajit")
-ExternalProject_Add(
-  lpeg
-  DEPENDS ${LPEG_DEPENDENCIES}
-  URL "https://s3.amazonaws.com/download.draios.com/dependencies/lpeg-1.0.0.tar.gz"
-  URL_MD5 "0aec64ccd13996202ad0c099e2877ece"
-  BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
-  BUILD_IN_SOURCE 1
-  CONFIGURE_COMMAND ""
-  INSTALL_COMMAND "")
-
-# libyaml
-find_library(LIBYAML_LIB NAMES libyaml.so)
-if(LIBYAML_LIB)
-  message(STATUS "Found libyaml: lib: ${LIBYAML_LIB}")
-else()
-  message(FATAL_ERROR "Couldn't find system libyaml")
+set(SYSDIG_DIR "${PROJECT_SOURCE_DIR}/../sysdig")
+# make luaJIT work on OS X
+if(APPLE)
+	set(CMAKE_EXE_LINKER_FLAGS "-pagezero_size 10000 -image_base 100000000")
 endif()
 
+include(ExternalProject)
+
+option(USE_BUNDLED_DEPS "Enable bundled dependencies instead of using the system ones" ON)
+
+#
+# zlib
+#
+option(USE_BUNDLED_ZLIB "Enable building of the bundled zlib" ${USE_BUNDLED_DEPS})
+
+if(NOT USE_BUNDLED_ZLIB)
+	find_path(ZLIB_INCLUDE zlib.h PATH_SUFFIXES zlib)
+	find_library(ZLIB_LIB NAMES z)
+	if(ZLIB_INCLUDE AND ZLIB_LIB)
+		message(STATUS "Found zlib: include: ${ZLIB_INCLUDE}, lib: ${ZLIB_LIB}")
+	else()
+		message(FATAL_ERROR "Couldn't find system zlib")
+	endif()
+else()
+        set(ZLIB_SRC "${PROJECT_BINARY_DIR}/zlib-prefix/src/zlib")
+        message(STATUS "Using bundled zlib in '${ZLIB_SRC}'")
+        set(ZLIB_INCLUDE "${ZLIB_SRC}")
+        set(ZLIB_LIB "${ZLIB_SRC}/libz.a")
+        ExternalProject_Add(zlib
+		# START CHANGE for CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/zlib-1.2.11.tar.gz"
+                URL_MD5 "1c9f62f0778697a09d36121ead88e08e"
+		# END CHANGE for CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843
+		CONFIGURE_COMMAND "./configure"
+		BUILD_COMMAND ${CMD_MAKE}
+		BUILD_IN_SOURCE 1
+		INSTALL_COMMAND "")
+endif()
+
+#
+# jq
+#
+option(USE_BUNDLED_JQ "Enable building of the bundled jq" ${USE_BUNDLED_DEPS})
+if(NOT USE_BUNDLED_JQ)
+	find_path(JQ_INCLUDE jq.h PATH_SUFFIXES jq)
+	find_library(JQ_LIB NAMES jq)
+	if(JQ_INCLUDE AND JQ_LIB)
+		message(STATUS "Found jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}")
+	else()
+		message(FATAL_ERROR "Couldn't find system jq")
+	endif()
+else()
+        set(JQ_SRC "${PROJECT_BINARY_DIR}/jq-prefix/src/jq")
+        message(STATUS "Using bundled jq in '${JQ_SRC}'")
+        set(JQ_INCLUDE "${JQ_SRC}")
+        set(JQ_LIB "${JQ_SRC}/.libs/libjq.a")
+        ExternalProject_Add(jq
+                URL "http://s3.amazonaws.com/download.draios.com/dependencies/jq-1.5.tar.gz"
+                URL_MD5 "0933532b086bd8b6a41c1b162b1731f9"
+                CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking
+                BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
+                BUILD_IN_SOURCE 1
+		PATCH_COMMAND wget -O jq-1.5-fix-tokenadd.patch https://github.com/stedolan/jq/commit/8eb1367ca44e772963e704a700ef72ae2e12babd.patch && patch -i jq-1.5-fix-tokenadd.patch
+                INSTALL_COMMAND "")
+endif()
+
+set(JSONCPP_SRC "${SYSDIG_DIR}/userspace/libsinsp/third-party/jsoncpp")
+set(JSONCPP_INCLUDE "${JSONCPP_SRC}")
+set(JSONCPP_LIB_SRC "${JSONCPP_SRC}/jsoncpp.cpp")
+
+#
+# nlohmann-json
+#
+option(USE_BUNDLED_NJSON "Enable building of the bundled nlohmann-json" ${USE_BUNDLED_DEPS})
+
+if(NOT USE_BUNDLED_NJSON)
+	find_path(NJSON_INCLUDE json.hpp PATH_SUFFIXES nlohmann)
+	if(NJSON_INCLUDE)
+		message(STATUS "Found nlohmann-json: include: ${NJSON_INCLUDE}")
+	else()
+		message(FATAL_ERROR "Couldn't find system nlohmann-json")
+	endif()
+else()
+	# No distinction needed for windows. The implementation is
+	# solely in json.hpp.
+	set(NJSON_SRC "${PROJECT_BINARY_DIR}/njson-prefix/src/njson")
+	message(STATUS "Using bundled nlohmann-json in '${NJSON_SRC}'")
+	set(NJSON_INCLUDE "${NJSON_SRC}/single_include")
+	ExternalProject_Add(njson
+		URL "http://download.draios.com/dependencies/njson-3.3.0.tar.gz"
+		URL_MD5 "e26760e848656a5da400662e6c5d999a"
+		CONFIGURE_COMMAND ""
+		BUILD_COMMAND ""
+		INSTALL_COMMAND "")
+endif()
+
+#
+# curses
+#
+# we pull this in because libsinsp won't build without it
+
+option(USE_BUNDLED_NCURSES "Enable building of the bundled ncurses" ${USE_BUNDLED_DEPS})
+
+if(NOT USE_BUNDLED_NCURSES)
+	set(CURSES_NEED_NCURSES TRUE)
+	find_package(Curses REQUIRED)
+	message(STATUS "Found ncurses: include: ${CURSES_INCLUDE_DIR}, lib: ${CURSES_LIBRARIES}")
+else()
+	set(CURSES_BUNDLE_DIR "${PROJECT_BINARY_DIR}/ncurses-prefix/src/ncurses")
+	set(CURSES_INCLUDE_DIR "${CURSES_BUNDLE_DIR}/include/")
+	set(CURSES_LIBRARIES "${CURSES_BUNDLE_DIR}/lib/libncurses.a")
+	message(STATUS "Using bundled ncurses in '${CURSES_BUNDLE_DIR}'")
+	ExternalProject_Add(ncurses
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/ncurses-6.0-20150725.tgz"
+		URL_MD5 "32b8913312e738d707ae68da439ca1f4"
+		CONFIGURE_COMMAND ./configure --without-cxx --without-cxx-binding --without-ada --without-manpages --without-progs --without-tests --with-terminfo-dirs=/etc/terminfo:/lib/terminfo:/usr/share/terminfo
+		BUILD_COMMAND ${CMD_MAKE}
+		BUILD_IN_SOURCE 1
+		INSTALL_COMMAND "")
+endif()
+
+#
+# libb64
+#
+option(USE_BUNDLED_B64 "Enable building of the bundled b64" ${USE_BUNDLED_DEPS})
+
+if(NOT USE_BUNDLED_B64)
+	find_path(B64_INCLUDE NAMES b64/encode.h)
+	find_library(B64_LIB NAMES b64)
+	if(B64_INCLUDE AND B64_LIB)
+		message(STATUS "Found b64: include: ${B64_INCLUDE}, lib: ${B64_LIB}")
+	else()
+		message(FATAL_ERROR "Couldn't find system b64")
+	endif()
+else()
+	set(B64_SRC "${PROJECT_BINARY_DIR}/b64-prefix/src/b64")
+	message(STATUS "Using bundled b64 in '${B64_SRC}'")
+	set(B64_INCLUDE "${B64_SRC}/include")
+	set(B64_LIB "${B64_SRC}/src/libb64.a")
+	ExternalProject_Add(b64
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/libb64-1.2.src.zip"
+		URL_MD5 "a609809408327117e2c643bed91b76c5"
+		CONFIGURE_COMMAND ""
+		BUILD_COMMAND ${CMD_MAKE}
+		BUILD_IN_SOURCE 1
+		INSTALL_COMMAND "")
+endif()
+
+#
+# yamlcpp
+#
+option(USE_BUNDLED_YAMLCPP "Enable building of the bundled yamlcpp" ${USE_BUNDLED_DEPS})
+
+if(NOT USE_BUNDLED_YAMLCPP)
+	find_path(YAMLCPP_INCLUDE_DIR NAMES yaml-cpp/yaml.h)
+	find_library(YAMLCPP_LIB NAMES yaml-cpp)
+	if(YAMLCPP_INCLUDE_DIR AND YAMLCPP_LIB)
+		message(STATUS "Found yamlcpp: include: ${YAMLCPP_INCLUDE_DIR}, lib: ${YAMLCPP_LIB}")
+	else()
+		message(FATAL_ERROR "Couldn't find system yamlcpp")
+	endif()
+else()
+	set(YAMLCPP_SRC "${PROJECT_BINARY_DIR}/yamlcpp-prefix/src/yamlcpp")
+	message(STATUS "Using bundled yaml-cpp in '${YAMLCPP_SRC}'")
+	set(YAMLCPP_LIB "${YAMLCPP_SRC}/libyaml-cpp.a")
+	set(YAMLCPP_INCLUDE_DIR "${YAMLCPP_SRC}/include")
+	# Once the next version of yaml-cpp is released (first version not requiring
+	# boost), we can switch to that and no longer pull from github.
+	ExternalProject_Add(yamlcpp
+		GIT_REPOSITORY "https://github.com/jbeder/yaml-cpp.git"
+		GIT_TAG "7d2873ce9f2202ea21b6a8c5ecbc9fe38032c229"
+		BUILD_IN_SOURCE 1
+		INSTALL_COMMAND "")
+endif()
+
+#
+# OpenSSL
+#
+option(USE_BUNDLED_OPENSSL "Enable building of the bundled OpenSSL" ${USE_BUNDLED_DEPS})
+
+if(NOT USE_BUNDLED_OPENSSL)
+	find_package(OpenSSL REQUIRED)
+	message(STATUS "Found OpenSSL: include: ${OPENSSL_INCLUDE_DIR}, lib: ${OPENSSL_LIBRARIES}")
+else()
+
+	set(OPENSSL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl")
+	set(OPENSSL_INSTALL_DIR "${OPENSSL_BUNDLE_DIR}/target")
+	set(OPENSSL_INCLUDE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl/include")
+	set(OPENSSL_LIBRARY_SSL "${OPENSSL_INSTALL_DIR}/lib/libssl.a")
+	set(OPENSSL_LIBRARY_CRYPTO "${OPENSSL_INSTALL_DIR}/lib/libcrypto.a")
+
+	message(STATUS "Using bundled openssl in '${OPENSSL_BUNDLE_DIR}'")
+
+	ExternalProject_Add(openssl
+		# START CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/openssl-1.0.2n.tar.gz"
+                URL_MD5 "13bdc1b1d1ff39b6fd42a255e74676a4"
+		# END CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
+		CONFIGURE_COMMAND ./config shared --prefix=${OPENSSL_INSTALL_DIR}
+		BUILD_COMMAND ${CMD_MAKE}
+		BUILD_IN_SOURCE 1
+		INSTALL_COMMAND ${CMD_MAKE} install)
+endif()
+
+#
+# libcurl
+#
+option(USE_BUNDLED_CURL "Enable building of the bundled curl" ${USE_BUNDLED_DEPS})
+
+if(NOT USE_BUNDLED_CURL)
+	find_package(CURL REQUIRED)
+	message(STATUS "Found CURL: include: ${CURL_INCLUDE_DIR}, lib: ${CURL_LIBRARIES}")
+else()
+	set(CURL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/curl-prefix/src/curl")
+	set(CURL_INCLUDE_DIR "${CURL_BUNDLE_DIR}/include/")
+	set(CURL_LIBRARIES "${CURL_BUNDLE_DIR}/lib/.libs/libcurl.a")
+
+	if(NOT USE_BUNDLED_OPENSSL)
+		set(CURL_SSL_OPTION "--with-ssl")
+	else()
+		set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}")
+                message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'")
+                message(STATUS "Using SSL for curl in '${CURL_SSL_OPTION}'")
+	endif()
+
+	ExternalProject_Add(curl
+		DEPENDS openssl
+		# START CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/curl-7.61.0.tar.bz2"
+		URL_MD5 "31d0a9f48dc796a7db351898a1e5058a"
+		# END CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
+		CONFIGURE_COMMAND ./configure ${CURL_SSL_OPTION} --disable-shared --enable-optimize --disable-curldebug --disable-rt --enable-http --disable-ftp --disable-file --disable-ldap --disable-ldaps --disable-rtsp --disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smb --disable-smtp --disable-gopher --disable-sspi --disable-ntlm-wb --disable-tls-srp --without-winssl --without-darwinssl --without-polarssl --without-cyassl --without-nss --without-axtls --without-ca-path --without-ca-bundle --without-libmetalink --without-librtmp --without-winidn --without-libidn --without-nghttp2 --without-libssh2 --disable-threaded-resolver
+		BUILD_COMMAND ${CMD_MAKE}
+		BUILD_IN_SOURCE 1
+		INSTALL_COMMAND "")
+endif()
+
+#
+# LuaJIT
+#
+option(USE_BUNDLED_LUAJIT "Enable building of the bundled LuaJIT" ${USE_BUNDLED_DEPS})
+
+if(NOT USE_BUNDLED_LUAJIT)
+	find_path(LUAJIT_INCLUDE luajit.h PATH_SUFFIXES luajit-2.0 luajit)
+	find_library(LUAJIT_LIB NAMES luajit luajit-5.1)
+	if(LUAJIT_INCLUDE AND LUAJIT_LIB)
+		message(STATUS "Found LuaJIT: include: ${LUAJIT_INCLUDE}, lib: ${LUAJIT_LIB}")
+	else()
+		# alternatively try stock Lua
+		find_package(Lua51)
+		set(LUAJIT_LIB ${LUA_LIBRARY})
+		set(LUAJIT_INCLUDE ${LUA_INCLUDE_DIR})
+
+		if(NOT ${LUA51_FOUND})
+			message(FATAL_ERROR "Couldn't find system LuaJIT or Lua")
+		endif()
+	endif()
+else()
+	set(LUAJIT_SRC "${PROJECT_BINARY_DIR}/luajit-prefix/src/luajit/src")
+	message(STATUS "Using bundled LuaJIT in '${LUAJIT_SRC}'")
+	set(LUAJIT_INCLUDE "${LUAJIT_SRC}")
+	set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
+	ExternalProject_Add(luajit
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/LuaJIT-2.0.3.tar.gz"
+		URL_MD5 "f14e9104be513913810cd59c8c658dc0"
+		CONFIGURE_COMMAND ""
+		BUILD_COMMAND ${CMD_MAKE}
+		BUILD_IN_SOURCE 1
+		INSTALL_COMMAND "")
+endif()
+
+#
+# Lpeg
+#
+option(USE_BUNDLED_LPEG "Enable building of the bundled lpeg" ${USE_BUNDLED_DEPS})
+
+if(NOT USE_BUNDLED_LPEG)
+	find_library(LPEG_LIB NAMES lpeg.a)
+	if(LPEG_LIB)
+		message(STATUS "Found lpeg: lib: ${LPEG_LIB}")
+	else()
+		message(FATAL_ERROR "Couldn't find system lpeg")
+	endif()
+else()
+	set(LPEG_SRC "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg")
+	set(LPEG_LIB "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg/build/lpeg.a")
+	message(STATUS "Using bundled lpeg in '${LPEG_SRC}'")
+	set(LPEG_DEPENDENCIES "")
+	if(USE_BUNDLED_LUAJIT)
+		list(APPEND LPEG_DEPENDENCIES "luajit")
+	endif()
+	ExternalProject_Add(lpeg
+		DEPENDS ${LPEG_DEPENDENCIES}
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/lpeg-1.0.0.tar.gz"
+		URL_MD5 "0aec64ccd13996202ad0c099e2877ece"
+		BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
+		BUILD_IN_SOURCE 1
+		CONFIGURE_COMMAND ""
+		INSTALL_COMMAND "")
+endif()
+
+#
+# Libyaml
+#
+option(USE_BUNDLED_LIBYAML "Enable building of the bundled libyaml" ${USE_BUNDLED_DEPS})
+
+if(NOT USE_BUNDLED_LIBYAML)
+	# Note: to distinguish libyaml.a and yaml.a we specify a full
+	# file name here, so you'll have to arrange for static
+	# libraries being available.
+	find_library(LIBYAML_LIB NAMES libyaml.a)
+	if(LIBYAML_LIB)
+		message(STATUS "Found libyaml: lib: ${LIBYAML_LIB}")
+	else()
+		message(FATAL_ERROR "Couldn't find system libyaml")
+	endif()
+else()
+	find_path(AUTORECONF_BIN NAMES autoreconf)
+	if(AUTORECONF_BIN)
+		message(STATUS "Found autoreconf: ${AUTORECONF_BIN}")
+	else()
+		message(FATAL_ERROR "Couldn't find system autoreconf. Please install autoreconf before continuing or use system libyaml")
+	endif()
+
+	set(LIBYAML_SRC "${PROJECT_BINARY_DIR}/libyaml-prefix/src/libyaml/src")
+	set(LIBYAML_LIB "${LIBYAML_SRC}/.libs/libyaml.a")
+	message(STATUS "Using bundled libyaml in '${LIBYAML_SRC}'")
+	ExternalProject_Add(libyaml
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/libyaml-0.1.4.tar.gz"
+		URL_MD5 "4a4bced818da0b9ae7fc8ebc690792a7"
+		BUILD_COMMAND ${CMD_MAKE}
+		BUILD_IN_SOURCE 1
+		CONFIGURE_COMMAND ./bootstrap && ./configure
+		INSTALL_COMMAND "")
+endif()
+
+#
 # lyaml
-set(LYAML_SRC "${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/ext/yaml")
-set(LYAML_LIB "${LYAML_SRC}/.libs/yaml.a")
-message(STATUS "Using bundled lyaml in '${LYAML_SRC}'")
-set(LYAML_DEPENDENCIES "")
-list(APPEND LYAML_DEPENDENCIES "luajit")
-ExternalProject_Add(
-  lyaml
-  DEPENDS ${LYAML_DEPENDENCIES}
-  URL "https://s3.amazonaws.com/download.draios.com/dependencies/lyaml-release-v6.0.tar.gz"
-  URL_MD5 "dc3494689a0dce7cf44e7a99c72b1f30"
-  BUILD_COMMAND ${CMD_MAKE}
-  BUILD_IN_SOURCE 1
-  CONFIGURE_COMMAND ./configure --enable-static LIBS=-lyaml LUA_INCLUDE=-I${LUAJIT_INCLUDE} LUA=${LUAJIT_SRC}/luajit
-  INSTALL_COMMAND sh -c
-                  "cp -R ${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/lib/* ${PROJECT_SOURCE_DIR}/userspace/engine/lua")
+#
+option(USE_BUNDLED_LYAML "Enable building of the bundled lyaml" ${USE_BUNDLED_DEPS})
 
-# Intel TBB
-set(TBB_SRC "${PROJECT_BINARY_DIR}/tbb-prefix/src/tbb")
+if(NOT USE_BUNDLED_LYAML)
+	# Note: to distinguish libyaml.a and yaml.a we specify a full
+	# file name here, so you'll have to arrange for static
+	# libraries being available.
+	find_library(LYAML_LIB NAMES yaml.a)
+	if(LYAML_LIB)
+		message(STATUS "Found lyaml: lib: ${LYAML_LIB}")
+	else()
+		message(FATAL_ERROR "Couldn't find system lyaml")
+	endif()
+else()
+	set(LYAML_SRC "${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/ext/yaml")
+	set(LYAML_LIB "${LYAML_SRC}/.libs/yaml.a")
+	message(STATUS "Using bundled lyaml in '${LYAML_SRC}'")
+	set(LYAML_DEPENDENCIES "")
+	if(USE_BUNDLED_LUAJIT)
+		list(APPEND LYAML_DEPENDENCIES "luajit")
+	endif()
+	if(USE_BUNDLED_LIBYAML)
+		list(APPEND LYAML_DEPENDENCIES "libyaml")
+	endif()
+	ExternalProject_Add(lyaml
+		DEPENDS ${LYAML_DEPENDENCIES}
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/lyaml-release-v6.0.tar.gz"
+                URL_MD5 "dc3494689a0dce7cf44e7a99c72b1f30"
+                BUILD_COMMAND ${CMD_MAKE}
+                BUILD_IN_SOURCE 1
+		CONFIGURE_COMMAND ./configure --enable-static LIBS=-L../../../libyaml-prefix/src/libyaml/src/.libs CFLAGS=-I../../../libyaml-prefix/src/libyaml/include CPPFLAGS=-I../../../libyaml-prefix/src/libyaml/include LUA_INCLUDE=-I../../../luajit-prefix/src/luajit/src LUA=../../../luajit-prefix/src/luajit/src/luajit
+                INSTALL_COMMAND sh -c "cp -R ${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/lib/* ${PROJECT_SOURCE_DIR}/userspace/engine/lua")
+endif()
 
-message(STATUS "Using bundled tbb in '${TBB_SRC}'")
+option(USE_BUNDLED_TBB "Enable building of the bundled tbb" ${USE_BUNDLED_DEPS})
+if(NOT USE_BUNDLED_TBB)
+	find_path(TBB_INCLUDE tbb.h PATH_SUFFIXES tbb)
+	find_library(TBB_LIB NAMES tbb)
+	if(TBB_INCLUDE AND TBB_LIB)
+		message(STATUS "Found tbb: include: ${TBB_INCLUDE}, lib: ${TBB_LIB}")
+	else()
+		message(FATAL_ERROR "Couldn't find system tbb")
+	endif()
+else()
+	set(TBB_SRC "${PROJECT_BINARY_DIR}/tbb-prefix/src/tbb")
 
-set(TBB_INCLUDE_DIR "${TBB_SRC}/include/")
-set(TBB_LIB "${TBB_SRC}/build/lib_release/libtbb.a")
-ExternalProject_Add(
-  tbb
-  URL "https://github.com/intel/tbb/archive/2018_U5.tar.gz"
-  URL_MD5 "ff3ae09f8c23892fbc3008c39f78288f"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ${CMD_MAKE} tbb_build_dir=${TBB_SRC}/build tbb_build_prefix=lib extra_inc=big_iron.inc
-  BUILD_IN_SOURCE 1
-  BUILD_BYPRODUCTS ${TBB_LIB}
-  INSTALL_COMMAND "")
+	message(STATUS "Using bundled tbb in '${TBB_SRC}'")
 
+	set(TBB_INCLUDE "${TBB_SRC}/include/")
+	set(TBB_LIB "${TBB_SRC}/build/lib_release/libtbb.a")
+	ExternalProject_Add(tbb
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/tbb-2018_U5.tar.gz"
+		URL_MD5 "ff3ae09f8c23892fbc3008c39f78288f"
+		CONFIGURE_COMMAND ""
+		BUILD_COMMAND ${CMD_MAKE} tbb_build_dir=${TBB_SRC}/build tbb_build_prefix=lib extra_inc=big_iron.inc
+		BUILD_IN_SOURCE 1
+		BUILD_BYPRODUCTS ${TBB_LIB}
+		INSTALL_COMMAND "")
+endif()
+
+#
 # civetweb
-set(CIVETWEB_SRC "${PROJECT_BINARY_DIR}/civetweb-prefix/src/civetweb/")
-set(CIVETWEB_LIB "${CIVETWEB_SRC}/install/lib/libcivetweb.a")
-set(CIVETWEB_INCLUDE_DIR "${CIVETWEB_SRC}/install/include")
-message(STATUS "Using bundled civetweb in '${CIVETWEB_SRC}'")
-ExternalProject_Add(
-  civetweb
-  URL "https://github.com/civetweb/civetweb/archive/v1.11.tar.gz"
-  URL_MD5 "b6d2175650a27924bccb747cbe084cd4"
-  CONFIGURE_COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/lib
-  COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/include
-  BUILD_IN_SOURCE 1
-  BUILD_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" WITH_CPP=1
-  INSTALL_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" install-lib install-headers PREFIX=${CIVETWEB_SRC}/install "WITH_CPP=1")
+#
+option(USE_BUNDLED_CIVETWEB "Enable building of the bundled civetweb" ${USE_BUNDLED_DEPS})
 
-# gRPC
-include(gRPC)
+if(NOT USE_BUNDLED_CIVETWEB)
+	find_library(CIVETWEB_LIB NAMES civetweb)
+	if(CIVETWEB_LIB)
+		message(STATUS "Found civetweb: lib: ${CIVETWEB_LIB}")
+	else()
+		message(FATAL_ERROR "Couldn't find system civetweb")
+	endif()
+else()
+	set(CIVETWEB_SRC "${PROJECT_BINARY_DIR}/civetweb-prefix/src/civetweb/")
+	set(CIVETWEB_LIB "${CIVETWEB_SRC}/install/lib/libcivetweb.a")
+	set(CIVETWEB_INCLUDE_DIR "${CIVETWEB_SRC}/install/include")
+	message(STATUS "Using bundled civetweb in '${CIVETWEB_SRC}'")
+	set(CIVETWEB_DEPENDENCIES "")
+	if(USE_BUNDLED_OPENSSL)
+	 	list(APPEND CIVETWEB_DEPENDENCIES "openssl")
+	endif()
+	ExternalProject_Add(civetweb
+		DEPENDS ${CIVETWEB_DEPENDENCIES}
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/civetweb-1.11.tar.gz"
+                URL_MD5 "b6d2175650a27924bccb747cbe084cd4"
+		CONFIGURE_COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/lib
+		          COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/include
+                BUILD_IN_SOURCE 1
+                BUILD_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" WITH_CPP=1
+		INSTALL_COMMAND ${CMD_MAKE} install-lib install-headers PREFIX=${CIVETWEB_SRC}/install WITH_CPP=1)
+endif()
 
-# sysdig
-include(sysdig)
 
-# Installation
-install(FILES falco.yaml DESTINATION "${FALCO_ETC_DIR}")
 
-# Coverage
-include(Coverage)
+install(FILES falco.yaml
+	DESTINATION "${FALCO_ETC_DIR}")
 
-# Tests
-add_subdirectory(test)
-
-# Rules
 add_subdirectory(rules)
 
-# Dockerfiles
-add_subdirectory(docker)
+if(CMAKE_SYSTEM_NAME MATCHES "Linux")
+	add_subdirectory("${SYSDIG_DIR}/driver" "${PROJECT_BINARY_DIR}/driver")
+endif()
+add_subdirectory("${SYSDIG_DIR}/userspace/libscap" "${PROJECT_BINARY_DIR}/userspace/libscap")
+add_subdirectory("${SYSDIG_DIR}/userspace/libsinsp" "${PROJECT_BINARY_DIR}/userspace/libsinsp")
 
-# Clang format
-# add_custom_target(format COMMAND clang-format --style=file -i $<TARGET_PROPERTY:falco,SOURCES> COMMENT "Formatting ..." VERBATIM)
-
-# Shared build variables
 set(FALCO_SINSP_LIBRARY sinsp)
 set(FALCO_SHARE_DIR share/falco)
 set(FALCO_ABSOLUTE_SHARE_DIR "${CMAKE_INSTALL_PREFIX}/${FALCO_SHARE_DIR}")
 set(FALCO_BIN_DIR bin)
-
 add_subdirectory(scripts)
 add_subdirectory(userspace/engine)
 add_subdirectory(userspace/falco)
-add_subdirectory(tests)
 
-# Packages configuration
-include(CPackConfig)
+
+set(CPACK_PACKAGE_NAME "${PACKAGE_NAME}")
+set(CPACK_PACKAGE_VENDOR "Sysdig Inc.")
+set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "falco, a system-level activity monitoring tool")
+set(CPACK_PACKAGE_DESCRIPTION_FILE "${PROJECT_SOURCE_DIR}/scripts/description.txt")
+set(CPACK_PACKAGE_VERSION "${FALCO_VERSION}")
+set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CMAKE_SYSTEM_PROCESSOR}")
+set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/CMakeCPackOptions.cmake")
+set(CPACK_STRIP_FILES "ON")
+set(CPACK_PACKAGE_RELOCATABLE "OFF")
+
+set(CPACK_GENERATOR DEB RPM TGZ)
+
+set(CPACK_DEBIAN_PACKAGE_MAINTAINER "Sysdig <support@sysdig.com>")
+set(CPACK_DEBIAN_PACKAGE_SECTION "utils")
+set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "http://www.sysdig.org")
+set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0)")
+set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA "${CMAKE_BINARY_DIR}/scripts/debian/postinst;${CMAKE_BINARY_DIR}/scripts/debian/prerm;${PROJECT_SOURCE_DIR}/scripts/debian/postrm;${PROJECT_SOURCE_DIR}/cpack/debian/conffiles")
+
+set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0")
+set(CPACK_RPM_PACKAGE_URL "http://www.sysdig.org")
+set(CPACK_RPM_PACKAGE_REQUIRES "dkms, gcc, make, kernel-devel, perl")
+set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${PROJECT_SOURCE_DIR}/scripts/rpm/postinstall")
+set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${PROJECT_SOURCE_DIR}/scripts/rpm/preuninstall")
+set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${PROJECT_SOURCE_DIR}/scripts/rpm/postuninstall")
+set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION /usr/src /usr/share/man /usr/share/man/man8 /etc /usr /usr/bin /usr/share /etc/rc.d /etc/rc.d/init.d )
+set(CPACK_RPM_PACKAGE_RELOCATABLE "OFF")
+
+include(CPack)

CODE_OF_CONDUCT

@@ -1,6 +1,6 @@
-# CNCF Community Code of Conduct v1.0
+## CNCF Community Code of Conduct v1.0
 
-## Contributor Code of Conduct
+### Contributor Code of Conduct
 
 As contributors and maintainers of this project, and in the interest of fostering
 an open and welcoming community, we pledge to respect all people who contribute
@@ -32,7 +32,8 @@ Conduct may be permanently removed from the project team.
 This code of conduct applies both within project spaces and in public spaces
 when an individual is representing the project or its community.
 
-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting a CNCF project maintainer, [Sarah Novotny](mailto:sarahnovotny@google.com), and/or [Dan Kohn](mailto:dan@linuxfoundation.org).
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting a CNCF project maintainer, Sarah Novotny <sarahnovotny@google.com>, and/or Dan Kohn <dan@linuxfoundation.org>.
 
-This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.2.0, available at
+This Code of Conduct is adapted from the Contributor Covenant
+(http://contributor-covenant.org), version 1.2.0, available at
 http://contributor-covenant.org/version/1/2/0/

CONTRIBUTING.md

@@ -1,149 +0,0 @@
-# Contributing to Falco
-
-- [Contributing to Falco](#contributing-to-falco)
-  - [Code of Conduct](#code-of-conduct)
-  - [Issues](#issues)
-    - [Triage issues](#triage-issues)
-      - [More about labels](#more-about-labels)
-    - [Slack](#slack)
-  - [Pull Requests](#pull-requests)
-    - [Commit convention](#commit-convention)
-      - [Rule type](#rule-type)
-  - [Coding Guidelines](#coding-guidelines)
-    - [C++](#c)
-  - [Developer Certificate Of Origin](#developer-certificate-of-origin)
-
-## Code of Conduct
-
-Falco has a
-[Code of Conduct](CODE_OF_CONDUCT.md)
-to which all contributors must adhere, please read it before interacting with the repository or the community in any way.
-
-## Issues
-
-Issues are the heartbeat ❤️ of the Falco project, there are mainly three kinds of issues you can open:
-
-- Bug report: you believe you found a problem in Falco and you want to discuss and get it fixed,
-creating an issue with the **bug report template** is the best way to do so.
-- Enhancement: any kind of new feature need to be discussed in this kind of issue, do you want a new rule or a new feature? This is the kind of issue you want to open. Be very good at explaining your intent, it's always important that others can understand what you mean in order to discuss, be open and collaborative in letting others help you getting this done!
-- Failing tests: you noticed a flaky test or a problem with a build? This is the kind of issue to triage that!
-
-The best way to get **involved** in the project is through issues, you can help in many ways:
-
-- Issues triaging: participating in the discussion and adding details to open issues is always a good thing,
-sometimes issues need to be verified, you could be the one writing a test case to fix a bug!
-- Helping to resolve the issue: you can help in getting it fixed in many ways, more often by opening a pull request.
-
-### Triage issues
-
-We need help in categorizing issues. Thus any help is welcome!
-
-When you triage an issue, you:
-
-* assess whether it has merit or not
-
-* quickly close it by correctly answering a question
-
-* point the reporter to a resource or documentation answering the issue
-
-* tag it via labels, projects, or milestones
-
-* take ownership submitting a PR for it, in case you want 😇
-
-#### More about labels
-
-These guidelines are not set in stone and are subject to change.
-
-Anyway a `kind/*` label for any issue is mandatory.
-
-This is the current [label set](https://github.com/falcosecurity/falco/labels) we have.
-
-You can use commands - eg., `/label <some-label>` to add (or remove) labels or manually do it.
-
-The commands available are the following ones:
-
-```
-/[remove-](area|kind|priority|triage|label)
-```
-
-Some examples:
-
-* `/area rules`
-* `/remove-area rules`
-* `/kind kernel-module`
-* `/label good-first-issue`
-* `/triage duplicate`
-* `/triage unresolved`
-* `/triage not-reproducible`
-* `/triage support`
-* ...
-
-### Slack
-
-Other discussion, and **support requests** should go through the `#falco` channel in the open source slack, please join [here](https://slack.sysdig.com).
-
-## Pull Requests
-
-Thanks for taking time to make a [pull request](https://help.github.com/articles/about-pull-requests) (hereafter PR).
-
-In the PR body, feel free to add an area label if appropriate by typing `/area <AREA>`, PRs will also
-need a kind, make sure to specify the appropriate one by typing `/kind <KIND>`.
-
-The list of labels is [here](https://github.com/falcosecurity/falco/labels).
-
-Also feel free to suggest a reviewer with `/cc @theirname`, or to assign an assignee using `/assign @nickname`.
-
-Once your reviewer is happy, they will say `/lgtm` which will apply the
-`lgtm` label, and will apply the `approved` label if they are an
-[owner](/OWNERS).
-
-Your PR will be automatically merged once it has the `lgtm` and `approved`
-labels, does not have any `do-not-merge/*` labels, and all status checks (eg., rebase, tests, DCO) are positive.
-
-### Commit convention
-
-As commit convention, we adopt [Conventional Commits v1.0.0](https://www.conventionalcommits.org/en/v1.0.0/), we have an history
-of commits that do not adopt the convention but any new commit must follow it to be eligible for merge.
-
-#### Rule type
-
-Besides the classic types, we adopt a type for rules, `rule(<scope>):`.
-Example:
-
-```
-rule(Write below monitored dir): make sure monitored dirs are monitored.
-```
-
-Each rule change must be on its own commit, if a change to a macro is done while changing a rule they can go together but only one rule per commit must happen.
-
-If you are changing only a macro, the commit will look like this:
-
-```
-rule(macro user_known_write_monitored_dir_conditions): make sure conditions are great
-```
-
-## Coding Guidelines
-
-### C++
-
-* File `userspace/engine/banned.h` defines some functions as invalid tokens. These functions are not allowed to be used in the codebase. Whenever creating a new cpp file, include the `"banned.h"` headers. This ensures that the banned functions are not compiled.
-
-  A complete list of banned functions can be found [here](./userspace/engine/banned.h).
-
-## Developer Certificate Of Origin
-
-The [Developer Certificate of Origin (DCO)](https://developercertificate.org/) is a lightweight way for contributors to certify that they wrote or otherwise have the right to submit the code they are contributing to the project.
-
-Contributors to the Falco project sign-off that they adhere to these requirements by adding a `Signed-off-by` line to commit messages.
-
-```
-This is my commit message
-
-Signed-off-by: John Poiana <jpoiana@falco.org>
-```
-
-Git even has a `-s` command line option to append this automatically to your commit message:
-
-```
-$ git commit -s -m 'This is my commit message'
-```

COPYING

@@ -187,7 +187,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright 2019 The Falco Authors
+   Copyright [yyyy] [name of copyright owner]
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

GOVERNANCE

@@ -22,11 +22,11 @@
 * Triage GitHub issues and perform pull request reviews for other maintainers and the community.
 * During GitHub issue triage, apply all applicable [labels](https://github.com/falcosecurity/falco/labels)
   to each new issue. Labels are extremely useful for future issue follow up. Which labels to apply
-  is somewhat subjective so just use your best judgment.
+  is somewhat subjective so just use your best judgment. 
 * Make sure that ongoing PRs are moving forward at the right pace or closing them.
-* Participate when called upon in the security releases. Note that although this should be a rare
+* Participate when called upon in the security releases. Note that although this should be a rare 
   occurrence, if a serious vulnerability is found, the process may take up to several full days of
-  work to implement. This reality should be taken into account when discussing time commitment
+  work to implement. This reality should be taken into account when discussing time commitment 
   obligations with employers.
 * In general continue to be willing to spend at least 25% of ones time working on Falco (~1.25
   business days per week).

MAINTAINERS

@@ -0,0 +1,9 @@
+Current maintainers:
+@mstemm - Mark Stemm <mark.stemm@sysdig.com>
+@ldegio - Loris Degioanni <loris@sysdig.com>
+
+Community Mangement:
+@mfdii - Michael Ducy <michael@sysdig.com>
+
+Emeritus maintainers:
+@henridf - Henri Dubois-Ferriere <henri.dubois-ferriere@sysdig.com>

OWNERS

@@ -1,12 +0,0 @@
-approvers:
-  - fntlnz
-  - kris-nova
-  - leodido
-  - mstemm
-reviewers:
-  - fntlnz
-  - kaizhe
-  - kris-nova
-  - leodido
-  - mfdii
-  - mstemm

README.md

@@ -1,70 +1,88 @@
-<p align="center"><img src="https://raw.githubusercontent.com/falcosecurity/community/master/logo/primary-logo.png" width="360"></p>
-<p align="center"><b>Cloud Native Runtime Security.</b></p>
-
-<hr>
-
-# The Falco Project
+# Falco
 
 #### Latest release
 
-**v0.19.0**
-Read the [change log](CHANGELOG.md)
+**v0.13.1**
+Read the [change log](https://github.com/falcosecurity/falco/blob/dev/CHANGELOG.md)
 
-[![Build Status](https://img.shields.io/circleci/build/github/falcosecurity/falco/master?style=for-the-badge)](https://circleci.com/gh/falcosecurity/falco) [![CII Best Practices Summary](https://img.shields.io/cii/summary/2317?label=CCI%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) [![GitHub](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING)
+Dev Branch: [![Build Status](https://travis-ci.org/falcosecurity/falco.svg?branch=dev)](https://travis-ci.org/falcosecurity/falco)<br />
+Master Branch: [![Build Status](https://travis-ci.org/falcosecurity/falco.svg?branch=master)](https://travis-ci.org/falcosecurity/falco)
 
----
-
-Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Falco audits a system at the most fundamental level, the kernel. Falco then enriches this data with other input streams such as container runtime metrics, and Kubernetes metrics. Falco lets you continuously monitor and detect container, application, host, and network activity—all in one place—from one source of data, with one set of rules.
+## Overview
+Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Powered by [sysdig’s](https://github.com/draios/sysdig) system call capture infrastructure, Falco lets you continuously monitor and detect container, application, host, and network activity... all in one place, from one source of data, with one set of rules.
 
 Falco is hosted by the Cloud Native Computing Foundation (CNCF) as a sandbox level project. If you are an organization that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF. For details read the [Falco CNCF project proposal](https://github.com/cncf/toc/tree/master/proposals/falco.adoc).
 
 #### What kind of behaviors can Falco detect?
 
-Falco can detect and alert on any behavior that involves making Linux system calls. Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process. For example, Falco can easily detect incidents including but not limited to:
+Falco can detect and alert on any behavior that involves making Linux system calls. Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process. For example, you can easily detect things like:
 
-- A shell is running inside a container.
-- A container is running in privileged mode, or is mounting a sensitive path, such as `/proc`, from the host.
-- A server process is spawning a child process of an unexpected type.
-- Unexpected read of a sensitive file, such as `/etc/shadow`.
-- A non-device file is written to `/dev`.
-- A standard system binary, such as `ls`, is making an outbound network connection.
+- A shell is run inside a container
+- A container is running in privileged mode, or is mounting a sensitive path like `/proc` from the host.
+- A server process spawns a child process of an unexpected type
+- Unexpected read of a sensitive file (like `/etc/shadow`)
+- A non-device file is written to `/dev`
+- A standard system binary (like `ls`) makes an outbound network connection
 
+#### How Falco Compares to Other Security Tools like SELinux, Auditd, etc.
 
-### Installing Falco
-
-A comprehensive [installation guide](https://falco.org/docs/installation/) for Falco is available in the documentation website.
-
-#### How do you compare Falco with other security tools?
-
-One of the questions we often get when we talk about Falco is “How does Falco differ from other Linux security tools such as SELinux, AppArmor, Auditd, etc.?”. We wrote a [blog post](https://sysdig.com/blog/selinux-seccomp-falco-technical-discussion/) comparing Falco with other tools.
+One of the questions we often get when we talk about Falco is “How does it compare to other tools like SELinux, AppArmor, Auditd, etc. that also have security policies?”. We wrote a [blog post](https://sysdig.com/blog/selinux-seccomp-falco-technical-discussion/) comparing Falco to other tools.
 
 
 Documentation
 ---
-
-See [Falco Documentation](https://falco.org/docs/) to quickly get started using Falco.
+[Visit the wiki](https://github.com/falcosecurity/falco/wiki) for full documentation on falco.
 
 Join the Community
 ---
-
-To get involved with The Falco Project please visit [the community repository](https://github.com/falcosecurity/community) to find more.
+* [Website](https://falco.org) for Falco.
+* We are working on a blog for the Falco project. In the meantime you can find [Falco](https://sysdig.com/blog/tag/falco/) posts over on the Sysdig blog.
+* Join our [Public Slack](https://slack.sysdig.com) channel for open source sysdig and Falco announcements and discussions.
 
 License Terms
 ---
-
 Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
 
-Contributing
+Contributor License Agreements
 ---
+### Background
+ We are formalizing the way that we accept contributions of code from the contributing community. We must now ask that contributions to falco be provided subject to the terms and conditions of a [Contributor License Agreement (CLA)](./cla). The CLA comes in two forms, applicable to contributions by individuals, or by legal entities such as corporations and their employees. We recognize that entering into a CLA with us involves real consideration on your part, and we’ve tried to make this process as clear and simple as possible.
 
-See the [CONTRIBUTING.md](./CONTRIBUTING.md).
+ We’ve modeled our CLA off of industry standards, such as [the CLA used by Kubernetes](https://github.com/kubernetes/kubernetes/blob/master/CONTRIBUTING.md). Note that this agreement is not a transfer of copyright ownership, this simply is a license agreement for contributions, intended to clarify the intellectual property license granted with contributions from any person or entity. It is for your protection as a contributor as well as the protection of falco; it does not change your rights to use your own contributions for any other purpose.
 
-Security
----
+ For some background on why contributor license agreements are necessary, you can read FAQs from many other open source projects:
 
-### Security Audit
+- [Django’s excellent CLA FAQ](https://www.djangoproject.com/foundation/cla/faq/)
+- [A well-written chapter from Karl Fogel’s Producing Open Source Software on CLAs](http://producingoss.com/en/copyright-assignment.html)
+- [The Wikipedia article on CLAs](http://en.wikipedia.org/wiki/Contributor_license_agreement)
 
-A third party security audit was performed by Cure53, you can see the full report [here](./audits/SECURITY_AUDIT_2019_07.pdf).
+As always, we are grateful for your past and present contributions to falco.
 
-### Reporting security vulnerabilities
-Please report security vulnerabilities following the community process documented [here](https://github.com/falcosecurity/.github/blob/master/SECURITY.md).
+### What do I need to do in order to contribute code?
+
+**Individual contributions**: Individuals who wish to make contributions must review the [Individual Contributor License Agreement](./cla/falco_contributor_agreement.txt) and indicate agreement by adding the following line to every GIT commit message:
+
+```
+falco-CLA-1.0-signed-off-by: Joe Smith <joe.smith@email.com>
+```
+
+Use your real name; pseudonyms or anonymous contributions are not allowed.
+
+**Corporate contributions**: Employees of corporations, members of LLCs or LLPs, or others acting on behalf of a contributing entity, must review the [Corporate Contributor License Agreement](./cla/falco_corp_contributor_agreement.txt), must be an authorized representative of the contributing entity, and indicate agreement to it on behalf of the contributing entity by adding the following lines to every GIT commit message:
+
+```
+falco-CLA-1.0-contributing-entity: Full Legal Name of Entity
+falco-CLA-1.0-signed-off-by: Joe Smith <joe.smith@email.com>
+```
+
+Use a real name of a natural person who is an authorized representative of the contributing entity; pseudonyms or anonymous contributions are not allowed.
+
+**Government contributions**: Employees or officers of the United States Government, must review the [Government Contributor License Agreement](https://github.com/falcosecurity/falco/blob/dev/cla/falco_govt_contributor_agreement.txt), must be an authorized representative of the contributing entity, and indicate agreement to it on behalf of the contributing entity by adding the following lines to every GIT commit message:
+
+```
+falco-CLA-1.0-contributing-govt-entity: Full Legal Name of Entity
+falco-CLA-1.0-signed-off-by: Joe Smith <joe.smith@email.com>
+This file is a work of authorship of an employee or officer of the United States Government and is not subject to copyright in the United States under 17 USC 105.
+```
+
+Use a real name of a natural person who is an authorized representative of the contributing entity; pseudonyms or anonymous contributions are not allowed.

brand/README.md

@@ -1,142 +0,0 @@
-<p align="center"><img src="primary-logo.png" width="360"></p>
-<p align="center"><b>Cloud Native Runtime Security.</b></p>
-
-# Falco Branding Guidelines
-
-This document describes The Falco Project's branding guidelines, language, and message.
-
-Content in this document can be used to publically share about Falco.
-
-
-
-### Logo
-
-There are 3 logos available for use in this directory. Use the primary logo unless required otherwise due to background issues, or printing.
-
-The Falco logo is Apache 2 licensed and free to use in media and publication for the CNCF Falco project.
-
-### Slogan
-
-> Cloud Native Runtime Security
-
-### What is Falco?
-
-Falco is a runtime security project originally created by Sysdig, Inc.
-Falco was contributed to the CNCF in October 2018.
-The CNCF now owns The Falco Project.
-
-### What is Runtime Security?
-
-Runtime security refers to an approach to preventing unwanted activity on a computer system. 
-With runtime security an operator deploys **both** prevention tooling (access control, policy enforcement, etc) along side detection tooling (systems observability, anomaly detection, etc).
-Runtime security is the practice of using detection tooling to detect unwanted behavior, such that it can then be prevented using prevention techniques.
-Runtime security is a holistic approach to defense, and useful in scenarios where prevention tooling either was unaware of an exploit or attack vector, or when defective applications are ran in even the most secure environment.
-
-### What does Falco do?
-
-Falco consumes signals from the Linux kernel, and container management tools such as Docker and Kubernetes.
-Falco parses the signals and asserts them against security rules.
-If a rule has been violated, Falco triggers an alert. 
-
-### How does Falco work?
-
-Falco traces kernel events and reports information about the system calls being executed at runtime.
-Falco leverages the extended berkley packet filter (eBPF) which is a kernel feature implemented for dynamic crash-resilient and secure code execution in the kernel. 
-Falco enriches these kernel events with information about containers running on the system.
-Falco also can consume signals from other input streams such as the containerd socket, the Kubernetes API server and the Kubernetes audit log.
-At runtime, Falco will reason about these events and assert them against configured security rules.
-Based on the severity of a violation an alert is triggered.
-These alerts are configurable and extensible, for instance sending a notification or [plumbing through to other projects like Prometheus](https://github.com/falcosecurity/falco-exporter). 
-
-### Benefits of using Falco
-
- - **Strengthen Security** Create security rules driven by a context-rich and flexible engine to define unexpected application behavior.
- - **Reduce Risk** Immediately respond to policy violation alerts by plugging Falco into your current security response workflows and processes.
- - **Leverage up-to-date Rules** Alert using community-sourced detections of malicious activity and CVE exploits.
-    
-### Falco and securing Kubernetes
-
-Securing Kubernetes requires putting controls in place to detect unexpected behavior that could be malicious or harmful to a cluster or application(s). 
-
-Examples of malicious behavior include: 
-
- - Exploits of unpatched and new vulnerabilities in applications or Kubernetes itself. 
- - Insecure configurations in applications or Kubernetes itself. 
- - Leaked or weak credentials or secret material.
- - Insider threats from adjacent applications running at the same layer. 
-
-Falco is capable of [consuming the Kubernetes audit logs](https://kubernetes.io/docs/tasks/debug-application-cluster/falco/#use-falco-to-collect-audit-events).
-By adding Kubernetes application context, and Kubernetes audit logs teams can understand who did what.
-                                 
-### Writing about Falco
-
-##### Yes
-
-Notice the capitalization of the following terms.
-
- - The Falco Project
- - Falco
-
-##### No
-
- - falco
- - the falco project
- - the Falco project
-
-### Encouraged Phrasing
-
-Below are phrases that the project has reviewed, and found to be effective ways of messaging Falco's value add.
-Even when processes are in place for vulnerability scanning and implementing pod security and network policies, not every risk will be addressed. You still need mechanisms to confirm these security barriers are effective, help configure them, and provide with a last line of defense when they fail.
-
-##### Falco as a factory
-
-This term refers to the concept that Falco is a stateless processing engine. A large amount of data comes into the engine, but meticulously crafted security alerts come out.
-
-##### The engine that powers...
-
-Falco ultimately is a security engine. It reasons about signals coming from a system at runtime, and can alert if an anomaly is detected.
-
-##### Anomaly detection
-
-This refers to an event that occurs with something unsual, concerning, or odd occurs.
-We can associate anomalies with unwanted behavior, and alert in their presence.
-
-##### Detection tooling
-
-Falco does not prevent unwanted behavior.
-Falco however alerts when unusual behavior occurs.
-This is commonly referred to as **detection** or **forensics**.
-
-
----
-
-# Glossary 
-
-#### Probe
-
-Used to describe the `.o` object that would be dynamically loaded into the kernel as a secure and stable (e)BPF probe. 
-This is one option used to pass kernel events up to userspace for Falco to consume.
-Sometimes this word is incorrectly used to refer to a `module`.
-
-#### Module
-
-Used to describe the `.ko` object that would be loaded into the kernel as a potentially risky kernel module.
-This is one option used to pass kernel events up to userspace for Falco to consume.
-Sometimes this word is incorrectly used to refer to a `probe`.
-
-#### Driver (deprecated)
-
-An older, more generalized term for a `module` or `probe`. We discourage the use of this word as a project.
-
-#### Falco
-
-The name of the project, and also the name of [the main engine](https://github.com/falcosecurity/falco) that the rest of the project is built on.
-
-#### Sysdig, Inc
-
-The name of the company that originally created The Falco Project, and later donated to the CNCF.
-
-#### sysdig 
-
-A [CLI tool](https://github.com/draios/sysdig) used to evaluate kernel system events at runtime. 
-

brand/teal-logo.png

@@ -1 +0,0 @@
-<svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 708.41 374.92"><defs><style>.cls-1{fill:#00b4c8;}</style></defs><title>Falco horizontal logo_teal2</title><g id="fqqZXT"><path class="cls-1" d="M204.69,154.4Q151.5,208,98,261.25a48.42,48.42,0,0,1-5.27,4.87c-2.55,1.89-5.34,2-7.65-.45s-1.51-5,.41-7.06c4.6-4.94,9.35-9.74,14.13-14.5q52.56-52.31,105.14-104.59c3.35-3.34,18.05,7.52,21.58,11.1"/><path class="cls-1" d="M215.06,171.36c-.15,2.14-1.54,3.55-2.93,4.94l-87.82,87.79c-2.75,2.74-6,5.42-9.46,1.68-3.15-3.39-.5-6.44,2.06-9q43.44-43.44,86.89-86.87c2.21-2.22,4.58-4.23,8-3A4.61,4.61,0,0,1,215.06,171.36Z"/><path class="cls-1" d="M70.93,71c2.42-.09,4.09,1.31,5.64,2.87q41.82,41.79,83.61,83.59c2.6,2.61,5,5.74,1.69,9s-6.41,1-9-1.66Q111,123,69.25,81.2c-2.09-2.1-3.72-4.39-2.45-7.53A4.34,4.34,0,0,1,70.93,71Z"/><path class="cls-1" d="M203.42,268c-5,1-8.9-1.34-12.45-5-6.35-6.61-12.87-13-19.41-19.46-3.85-3.8-4-7.41-.14-11.28,11.14-11.07,22.21-22.21,33.35-33.29,2.45-2.44,5.43-4.49,8.55-1.55,3.48,3.29,1.19,6.41-1.39,9-8.74,8.84-17.44,17.73-26.4,26.35-3.4,3.27-3.93,5.72-.19,9.06,4.22,3.78,8.13,7.91,12,12,2.54,2.68,5.35,4.25,9.18,4.11s8.28-.12,8.16,5.09c-.12,5-4.74,4.8-8.4,5.14A21,21,0,0,1,203.42,268Z"/><path class="cls-1" d="M148.7,178.36c-.75,3.49-2.68,5.6-6.43,4.36a13,13,0,0,1-4.74-3.31q-30.11-30-60.1-60a23.14,23.14,0,0,1-2.56-3c-1.72-2.42-1.88-5,.3-7.11s4.84-1.76,7,.26c3.65,3.42,7.17,7,10.71,10.53q25.65,25.64,51.28,51.3C146.12,173.37,148.49,175.13,148.7,178.36Z"/><path class="cls-1" d="M133.74,192.93a4.9,4.9,0,0,1-2.53,4.29,5.37,5.37,0,0,1-6.63-.95c-3.35-3.1-6.57-6.34-9.8-9.57q-14.34-14.3-28.61-28.63a34.27,34.27,0,0,1-4.17-5,4.57,4.57,0,0,1,.36-6,5,5,0,0,1,6-1.12,11.65,11.65,0,0,1,3.7,2.58q19.44,19.33,38.79,38.76C132.4,188.85,133.77,190.54,133.74,192.93Z"/></g><path class="cls-1" d="M413.15,190.86a25.57,25.57,0,0,0-10.35-6.63,46.78,46.78,0,0,0-16-2.37A83.35,83.35,0,0,0,372,183.12a75.16,75.16,0,0,0-10.58,2.53l2.37,15.48a53.47,53.47,0,0,1,9-2.21A72.44,72.44,0,0,1,385,198a22.61,22.61,0,0,1,8.13,1.26,13,13,0,0,1,5.22,3.56,13.23,13.23,0,0,1,2.76,5.29,24.6,24.6,0,0,1,.79,6.32v3.16a61.65,61.65,0,0,0-7.42-1.34,57.43,57.43,0,0,0-6.64-.4,61.45,61.45,0,0,0-13,1.35,32.26,32.26,0,0,0-11,4.42,22.7,22.7,0,0,0-7.51,8,24.09,24.09,0,0,0-2.76,12A28.39,28.39,0,0,0,356,254.05a21.6,21.6,0,0,0,6.79,8.22,28.56,28.56,0,0,0,10.51,4.58,60.24,60.24,0,0,0,13.58,1.42A137.25,137.25,0,0,0,407,266.93c5.94-.9,10.4-1.66,13.35-2.29V214.56a50.84,50.84,0,0,0-1.66-13.35A24.93,24.93,0,0,0,413.15,190.86Zm-11.3,61.3a71.4,71.4,0,0,1-13.43.94q-7.26,0-11.53-2.6t-4.26-9.4a10,10,0,0,1,1.57-5.77,10.67,10.67,0,0,1,4.19-3.55,20.18,20.18,0,0,1,5.85-1.74,43.43,43.43,0,0,1,6.39-.47,42.23,42.23,0,0,1,6.64.47,37,37,0,0,1,4.58,1Z"/><path class="cls-1" d="M461.38,248.44a9.27,9.27,0,0,1-2-4,26.17,26.17,0,0,1-.55-5.85V143.94l-19.12,3.16v95.1a40.74,40.74,0,0,0,1.35,11,17.57,17.57,0,0,0,4.66,8.06,21.71,21.71,0,0,0,8.92,5,52,52,0,0,0,14.14,1.89l2.69-15.8a29.78,29.78,0,0,1-6.24-1.34A8.76,8.76,0,0,1,461.38,248.44Z"/><path class="cls-1" d="M532.2,251.05a49.24,49.24,0,0,1-9.64.95q-13.11,0-18.64-7.19t-5.53-19.51q0-12.8,5.85-19.83t17.06-7a40.4,40.4,0,0,1,8.92.95,43.38,43.38,0,0,1,7.51,2.37l4.1-15.64a57.88,57.88,0,0,0-22.11-4.26,42.15,42.15,0,0,0-17.06,3.31,37.35,37.35,0,0,0-12.88,9.17,40.64,40.64,0,0,0-8.14,13.82,50.82,50.82,0,0,0-2.84,17.14,56.83,56.83,0,0,0,2.53,17.3A37.22,37.22,0,0,0,489,256.34a34.82,34.82,0,0,0,13,9,47.83,47.83,0,0,0,18.4,3.24,68.05,68.05,0,0,0,13.19-1.27,39.84,39.84,0,0,0,9.56-2.84l-2.69-15.8A45,45,0,0,1,532.2,251.05Z"/><path class="cls-1" d="M625.77,207.37a40.7,40.7,0,0,0-8.14-13.67,35.23,35.23,0,0,0-12.56-8.76,40.93,40.93,0,0,0-16-3.08,40.34,40.34,0,0,0-16,3.08,36.32,36.32,0,0,0-12.56,8.76,39.88,39.88,0,0,0-8.21,13.67,51.31,51.31,0,0,0-2.93,17.77A52,52,0,0,0,552.31,243a40.47,40.47,0,0,0,8.13,13.75,36.57,36.57,0,0,0,12.48,8.85A40.14,40.14,0,0,0,589,268.74a40.69,40.69,0,0,0,16.19-3.15,36.32,36.32,0,0,0,12.56-8.85A39.7,39.7,0,0,0,625.85,243a53.47,53.47,0,0,0,2.84-17.85A51.55,51.55,0,0,0,625.77,207.37Zm-22,37.52q-5.29,7.28-14.77,7.27t-14.77-7.27q-5.29-7.26-5.3-19.75,0-12.31,5.3-19.51T589,198.44q9.48,0,14.77,7.19t5.29,19.51Q609.1,237.62,603.81,244.89Z"/><path class="cls-1" d="M347.24,218h-47.8v50.57H279.65V150h75.89v15.88h-56.1v36.23h47.8Z"/></svg>

cla/falco_contributor_agreement.txt

@@ -0,0 +1,30 @@
+DRAIOS, INC. – OPEN SOURCE CONTRIBUTION LICENSE AGREEMENT (“Agreement”)
+
+Draios, Inc. dba Sysdig (“Draios” or “Sysdig”) welcomes you to work on our open source software projects. In order to clarify the intellectual property license granted with Contributions from any person or entity, you must agree to the license terms below in order to contribute code back to our repositories. This license is for your protection as a Contributor as well as the protection of Sysdig; it does not change your rights to use your own Contributions for any other purpose. To indicate your Agreement, follow the procedure set forth below under TO AGREE, after reading this Agreement.
+
+You accept and agree to the following terms and conditions for Your present and future Contributions submitted to Draios/Sysdig. Except for the license granted herein to Draios/Sysdig and recipients of software distributed by Draios/Sysdig, You reserve all right, title, and interest in and to Your Contributions.
+
+1. Definitions.  "You" (or "Your") shall mean the individual natural person and copyright owner who is making this Agreement with Draios/Sysdig. “You” excludes legal entities such as corporations, and Draios/Sysdig provides a separate CLA for corporations or other entities. "Contribution" shall mean any original work of authorship, including any modifications or additions to an existing work, that is intentionally submitted by You to Draios/Sysdig for inclusion in, or documentation of, any of the products owned or managed by Draios/Sysdig (the "Work"). For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to Draios/Sysdig or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, Draios/Sysdig for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by You as "Not a Contribution."
+
+2. Grant of Copyright License. Subject to the terms and conditions of this Agreement, You hereby grant to Draios/Sysdig and to recipients of software distributed by Draios/Sysdig a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Your Contributions and such derivative works.
+
+3. Grant of Patent License. Subject to the terms and conditions of this Agreement, You hereby grant to Draios/Sysdig and to recipients of software distributed by Draios/Sysdig a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims that You have the right to license and that are necessarily infringed by Your Contribution(s) alone or by combination of Your Contribution(s) with the Work to which such Contribution(s) was submitted. If any entity other than Draios/Sysdig institutes patent litigation against You or any other entity (including a cross-claim or counterclaim in a lawsuit) alleging that your Contribution, or the Work to which you have contributed, constitutes direct or contributory patent infringement, then any patent licenses granted to that entity under this Agreement for that Contribution or Work shall terminate as of the date such litigation is filed.
+
+4. You represent to Draios/Sysdig that You are legally entitled to grant the licenses set forth above.
+
+5. You represent that each of Your Contributions is Your original creation unless you act according to section 7 below. You represent that Your Contribution submissions include complete details of any third-party license or other restriction (including, but not limited to, related patents and trademarks) of which You are personally aware and which are associated with any part of Your Contributions. You represent that Your sign-off indicating assent to this Agreement includes your real name and not a pseudonym, and that you shall not attempt or make an anonymous Contribution.
+
+6. You are not expected to provide support for Your Contributions, except to the extent You desire to provide support. You may provide support for free, for a fee, or not at all. Unless required by applicable law or agreed to in writing, You provide Your Contributions to Draios/Sysdig on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON- INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.
+
+7. If You wish to submit work that is not Your original creation, You may submit it to Draios/Sysdig separately from any Contribution, identifying the complete details of its source and of any license or other restriction (including, but not limited to, related patents, trademarks, and license agreements) of which you are personally aware, and conspicuously marking the work as "Submitted on behalf of a third-party: [named here]".
+
+8. You agree to notify Draios/Sysdig of any facts or circumstances of which you become aware that would make these representations inaccurate in any respect.
+
+9. You understand and agree that this project and Your Contribution are public and that a record of the contribution, including all personal information that I submit with it, including my sign-off, may be stored by Draios/Sysdig indefinitely and may be redistributed to others. You understand and agree that Draios/Sysdig has no obligation to use any Contribution in any Draios/Sysdig project or product, and Draios/Sysdig may decline to accept Your Contributions or Draios/Sysdig may remove Your Contributions from Draios/Sysdig projects or products at any time without notice. You understand and agree that Draios/Sysdig is not and will not pay you any form of compensation, in currency, equity or otherwise, in exchange for Your Contributions or for Your assent to this Agreement. You understand and agree that you are independent of Draios/Sysdig and you are not, by entering into this Agreement or providing Your Contributions, becoming employed, hired as an independent contractor, or forming any other relationship with Draios/Sysdig relating to employment, compensation or ownership or involving any fiduciary obligation.
+
+TO AGREE:
+Add the following line to every GIT commit message:
+
+falco-CLA-1.0-signed-off-by: Joe Smith <joe.smith@email.com>
+
+Use your real name; pseudonyms or anonymous contributions are not allowed.

cla/falco_corp_contributor_agreement.txt

@@ -0,0 +1,33 @@
+DRAIOS, INC. – OPEN SOURCE CONTRIBUTION LICENSE AGREEMENT FOR CONTRIBUTING ENTITIES (SUCH AS CORPORATIONS) (“Agreement”)
+
+Draios, Inc. dba Sysdig (“Draios” or “Sysdig”) welcomes you to work on our open source software projects. In order to clarify the intellectual property license granted with Contributions from any person or entity, you must agree to the license terms below in order to contribute code back to our repositories. This license is for your protection as a Contributor as well as the protection of Sysdig; it does not change your rights to use your own Contributions for any other purpose. To indicate your Agreement, follow the procedure set forth below under TO AGREE, after reading this Agreement.
+
+A “contributing entity” means a corporation, limited liability company, partnership, or other entity that is organized and recognized under the laws of a state of the United States or another country (a “contributing entity”). We provide a separate CLA for individual contributors.
+
+You accept and agree to the following terms and conditions for Your present and future Contributions that are submitted to Draios/Sysdig. Except for the license granted herein to Draios/Sysdig and recipients of software distributed by Draios/Sysdig, You reserve all right, title, and interest in and to Your Contributions.
+
+1. Definitions.  "You" (or "Your") shall mean the contributing entity that owns for copyright purposes or otherwise has the right to contribute the Contribution, and that is making this Agreement with Draios/Sysdig, and all other entities that control, are controlled by, or are under common control with the contributing entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "Contribution" shall mean any original work of authorship, including any modifications or additions to an existing work, that is intentionally submitted by You to Draios/Sysdig for inclusion in, or documentation of, any of the products owned or managed by Draios/Sysdig (the "Work"). For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to Draios/Sysdig or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, Draios/Sysdig for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by You as "Not a Contribution."
+
+2. Grant of Copyright License. Subject to the terms and conditions of this Agreement, You hereby grant to Draios/Sysdig and to recipients of software distributed by Draios/Sysdig a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Your Contributions and such derivative works.
+
+3. Grant of Patent License. Subject to the terms and conditions of this Agreement, You hereby grant to Draios/Sysdig and to recipients of software distributed by Draios/Sysdig a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims that You have the right to license and that are necessarily infringed by Your Contribution(s) alone or by combination of Your Contribution(s) with the Work to which such Contribution(s) was submitted. If any entity other than Draios/Sysdig institutes patent litigation against You or any other entity (including a cross-claim or counterclaim in a lawsuit) alleging that your Contribution, or the Work to which you have contributed, constitutes direct or contributory patent infringement, then any patent licenses granted to that entity under this Agreement for that Contribution or Work shall terminate as of the date such litigation is filed.
+
+4. You represent to Draios/Sysdig that You own or have the right to contribute Your Contributions to Draios/Sysdig, and that You are legally entitled to grant the licenses set forth above.
+
+5. You represent that each of Your Contributions is Your original creation (see section 7 for submissions on behalf of others). You represent that Your Contribution submissions include complete details of any third-party license or other restriction (including, but not limited to, related patents and trademarks) of which You are personally aware and which are associated with any part of Your Contributions. You represent that Your sign-off indicating assent to this Agreement includes the real name of a natural person who is an authorized representative of You, and not a pseudonym, and that You are not attempting or making an anonymous Contribution.
+
+6. You are not expected to provide support for Your Contributions, except to the extent You desire to provide support. You may provide support for free, for a fee, or not at all. Unless required by applicable law or agreed to in writing, You provide Your Contributions to Draios/Sysdig on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON- INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.
+
+7. If You wish to submit work that is not Your original creation, You may submit it to Draios/Sysdig separately from any Contribution, identifying the complete details of its source and of any license or other restriction (including, but not limited to, related patents, trademarks, and license agreements) of which You are aware, and conspicuously marking the work as "Submitted on behalf of a third-party: [named here]".
+
+8. You agree to notify Draios/Sysdig of any facts or circumstances of which you become aware that would make these representations inaccurate in any respect.
+
+9. You understand and agree that this project and Your Contribution are public and that a record of the contribution, including all personal information that You submit with it, including the sign-off of Your authorized representative, may be stored by Draios/Sysdig indefinitely and may be redistributed to others. You understand and agree that Draios/Sysdig has no obligation to use any Contribution in any Draios/Sysdig project or product, and Draios/Sysdig may decline to accept Your Contributions or Draios/Sysdig may remove Your Contributions from Draios/Sysdig projects or products at any time without notice. You understand and agree that Draios/Sysdig is not and will not pay You any form of compensation, in currency, equity or otherwise, in exchange for Your Contributions or for Your assent to this Agreement. You understand and agree that You are independent of Draios/Sysdig and You are not, by entering into this Agreement or providing Your Contributions, becoming employed, hired as an independent contractor, or forming any other relationship with Draios/Sysdig relating to employment, compensation or ownership or involving any fiduciary obligation.
+
+TO AGREE:
+Add the following lines to every GIT commit message:
+
+falco-CLA-1.0-contributing-entity: Full Legal Name of Entity
+falco-CLA-1.0-signed-off-by: Joe Smith <joe.smith@email.com>
+
+Use a real name of a natural person who is an authorized representative of the contributing entity; pseudonyms or anonymous contributions are not allowed.

cla/falco_govt_contributor_agreement.txt

@@ -0,0 +1,33 @@
+DRAIOS, INC. <20> OPEN SOURCE CONTRIBUTION AGREEMENT FOR UNITED STATES GOVERNMENT CONTRIBUTING ENTITIES (<28>Agreement<6E>)
+
+Draios, Inc. (<28>Draios<6F> or <20>Sysdig<69>) welcomes the work of others on our open source software projects.  To contribute code back to our repositories, we require a contributing entity that is a United States Government agency to complete, and agree to, the Government Contributor Agreement (GCA) set forth here, by and through a designated authorized representative. This agreement clarifies the ability for us to use and incorporate the contributions of a government contributing entity in our projects and products. After agreeing to these terms, a contributing entity may contribute to our projects. To indicate the agreement of the contributing entity, an authorized representative shall follow the procedure set forth below under TO AGREE, after reading this Agreement. A <20>contributing entity<74> means any agency or unit of the United States government. We provide a separate CLA for individual contributors. 
+
+You accept and agree to the following terms and conditions for Your present and future Contributions that are submitted to Draios/Sysdig.
+
+1. Definitions.  "You" (or "Your") shall mean the contributing entity that has authored or otherwise has the right to contribute the Contribution, and that is making this Agreement with Draios/Sysdig. "Contribution" shall mean any original work of authorship, including any modifications or additions to an existing work, that is intentionally submitted by You to Draios/Sysdig for inclusion in, or documentation of, any of the products owned or managed by Draios/Sysdig (the "Work"). For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to Draios/Sysdig or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, Draios/Sysdig for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by You as "Not a Contribution."
+
+2. Contributions Not Subject to Copyright. Each Contribution is a work authored by the United States Government or an employee or officer thereof and is not subject to copyright under 17 U.S.C. 105.
+
+3. Grant of Patent License. Subject to the terms and conditions of this Agreement, You hereby grant to Draios/Sysdig and to recipients of software distributed by Draios/Sysdig a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims that You have the right to license and that are necessarily infringed by Your Contribution(s) alone or by combination of Your Contribution(s) with the Work to which such Contribution(s) was submitted. If any entity other than Draios/Sysdig institutes patent litigation against You or any other entity (including a cross-claim or counterclaim in a lawsuit) alleging that your Contribution, or the Work to which you have contributed, constitutes direct or contributory patent infringement, then any patent licenses granted to that entity under this Agreement for that Contribution or Work shall terminate as of the date such litigation is filed.
+
+4. You represent to Draios/Sysdig that You own or have the right to contribute Your Contributions to Draios/Sysdig, and that You are legally entitled to grant the license set forth above.
+
+5. You represent that each of Your Contributions is Your original creation (see section 7 for submissions on behalf of others). You represent that Your Contribution submissions include complete details of any third-party license or other restriction (including, but not limited to, related patents and trademarks) of which You are personally aware and which are associated with any part of Your Contributions. You represent that Your sign-off indicating assent to this Agreement includes the real name of a natural person who is an authorized representative of You, and not a pseudonym, and that You are not attempting or making an anonymous Contribution.
+
+6. You are not expected to provide support for Your Contributions, except to the extent You desire to provide support. You may provide support for free, for a fee, or not at all. Unless required by applicable law or agreed to in writing, You provide Your Contributions to Draios/Sysdig on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON- INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.
+
+7. If You wish to submit work that is not Your original creation, You may submit it to Draios/Sysdig separately from any Contribution, identifying the complete details of its source and of any license or other restriction (including, but not limited to, related patents, trademarks, and license agreements) of which You are aware, and conspicuously marking the work as "Submitted on behalf of a third-party: [named here]".
+
+8. You agree to notify Draios/Sysdig of any facts or circumstances of which you become aware that would make these representations inaccurate in any respect.
+
+9. You understand and agree that this project and Your Contribution are public and that a record of the contribution, including all personal information that You submit with it, including the sign-off of Your authorized representative, may be stored by Draios/Sysdig indefinitely and may be redistributed to others. You understand and agree that Draios/Sysdig has no obligation to use any Contribution in any Draios/Sysdig project or product, and Draios/Sysdig may decline to accept Your Contributions or Draios/Sysdig may remove Your Contributions from Draios/Sysdig projects or products at any time without notice. You understand and agree that Draios/Sysdig is not and will not pay You any form of compensation, in currency, equity or otherwise, in exchange for Your Contributions or for Your assent to this Agreement. You understand and agree that You are independent of Draios/Sysdig and You are not, by entering into this Agreement or providing Your Contributions, becoming employed, hired as an independent contractor, or forming any other relationship with Draios/Sysdig relating to employment, compensation or ownership or involving any fiduciary obligation.
+
+TO AGREE:
+Add the following lines to every GIT commit message:
+
+falco-CLA-1.0-contributing-govt-entity: Full Legal Name of Entity
+falco-CLA-1.0-signed-off-by: Joe Smith joe.smith@email.com
+This file is a work of authorship of an employee or officer of the United States Government and is not subject to copyright in the United States under 17 USC 105.
+
+Use a real name of a natural person who is an authorized representative of the contributing entity; pseudonyms or anonymous contributions are not allowed.
+

cmake/modules/CPackConfig.cmake

@@ -1,41 +0,0 @@
-set(CPACK_PACKAGE_NAME "${PACKAGE_NAME}")
-set(CPACK_PACKAGE_VENDOR "Cloud Native Computing Foundation (CNCF) cncf.io.")
-set(CPACK_PACKAGE_CONTACT "opensource@sysdig.com") # todo: change this once we've got @falco.org addresses
-set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "Falco - Container Native Runtime Security")
-set(CPACK_PACKAGE_DESCRIPTION_FILE "${PROJECT_SOURCE_DIR}/scripts/description.txt")
-set(CPACK_PACKAGE_VERSION "${FALCO_VERSION}")
-set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CMAKE_SYSTEM_PROCESSOR}")
-set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/cmake/cpack/CMakeCPackOptions.cmake")
-set(CPACK_STRIP_FILES "ON")
-set(CPACK_PACKAGE_RELOCATABLE "OFF")
-
-set(CPACK_GENERATOR DEB RPM TGZ)
-
-set(CPACK_DEBIAN_PACKAGE_SECTION "utils")
-set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")
-set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "https://www.falco.org")
-set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0), libyaml-0-2")
-set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
-    "${CMAKE_BINARY_DIR}/scripts/debian/postinst;${CMAKE_BINARY_DIR}/scripts/debian/prerm;${PROJECT_SOURCE_DIR}/scripts/debian/postrm;${PROJECT_SOURCE_DIR}/cmake/cpack/debian/conffiles"
-)
-
-set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0")
-set(CPACK_RPM_PACKAGE_URL "https://www.falco.org")
-set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, libyaml, ncurses")
-set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${PROJECT_SOURCE_DIR}/scripts/rpm/postinstall")
-set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${PROJECT_SOURCE_DIR}/scripts/rpm/preuninstall")
-set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${PROJECT_SOURCE_DIR}/scripts/rpm/postuninstall")
-set(CPACK_RPM_PACKAGE_VERSION "${FALCO_VERSION}")
-set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION
-    /usr/src
-    /usr/share/man
-    /usr/share/man/man8
-    /etc
-    /usr
-    /usr/bin
-    /usr/share
-    /etc/rc.d
-    /etc/rc.d/init.d)
-set(CPACK_RPM_PACKAGE_RELOCATABLE "OFF")
-
-include(CPack)

cmake/modules/Catch.cmake

@@ -1,159 +0,0 @@
-# Distributed under the OSI-approved BSD 3-Clause License.  See accompanying file Copyright.txt or
-# https://cmake.org/licensing for details.
-
-#[=======================================================================[.rst:
-Catch
------
-
-This module defines a function to help use the Catch test framework.
-
-The :command:`catch_discover_tests` discovers tests by asking the compiled test
-executable to enumerate its tests.  This does not require CMake to be re-run
-when tests change.  However, it may not work in a cross-compiling environment,
-and setting test properties is less convenient.
-
-This command is intended to replace use of :command:`add_test` to register
-tests, and will create a separate CTest test for each Catch test case.  Note
-that this is in some cases less efficient, as common set-up and tear-down logic
-cannot be shared by multiple test cases executing in the same instance.
-However, it provides more fine-grained pass/fail information to CTest, which is
-usually considered as more beneficial.  By default, the CTest test name is the
-same as the Catch name; see also ``TEST_PREFIX`` and ``TEST_SUFFIX``.
-
-.. command:: catch_discover_tests
-
-  Automatically add tests with CTest by querying the compiled test executable
-  for available tests::
-
-    catch_discover_tests(target
-                         [TEST_SPEC arg1...]
-                         [EXTRA_ARGS arg1...]
-                         [WORKING_DIRECTORY dir]
-                         [TEST_PREFIX prefix]
-                         [TEST_SUFFIX suffix]
-                         [PROPERTIES name1 value1...]
-                         [TEST_LIST var]
-    )
-
-  ``catch_discover_tests`` sets up a post-build command on the test executable
-  that generates the list of tests by parsing the output from running the test
-  with the ``--list-test-names-only`` argument.  This ensures that the full
-  list of tests is obtained.  Since test discovery occurs at build time, it is
-  not necessary to re-run CMake when the list of tests changes.
-  However, it requires that :prop_tgt:`CROSSCOMPILING_EMULATOR` is properly set
-  in order to function in a cross-compiling environment.
-
-  Additionally, setting properties on tests is somewhat less convenient, since
-  the tests are not available at CMake time.  Additional test properties may be
-  assigned to the set of tests as a whole using the ``PROPERTIES`` option.  If
-  more fine-grained test control is needed, custom content may be provided
-  through an external CTest script using the :prop_dir:`TEST_INCLUDE_FILES`
-  directory property.  The set of discovered tests is made accessible to such a
-  script via the ``<target>_TESTS`` variable.
-
-  The options are:
-
-  ``target``
-    Specifies the Catch executable, which must be a known CMake executable
-    target.  CMake will substitute the location of the built executable when
-    running the test.
-
-  ``TEST_SPEC arg1...``
-    Specifies test cases, wildcarded test cases, tags and tag expressions to
-    pass to the Catch executable with the ``--list-test-names-only`` argument.
-
-  ``EXTRA_ARGS arg1...``
-    Any extra arguments to pass on the command line to each test case.
-
-  ``WORKING_DIRECTORY dir``
-    Specifies the directory in which to run the discovered test cases.  If this
-    option is not provided, the current binary directory is used.
-
-  ``TEST_PREFIX prefix``
-    Specifies a ``prefix`` to be prepended to the name of each discovered test
-    case.  This can be useful when the same test executable is being used in
-    multiple calls to ``catch_discover_tests()`` but with different
-    ``TEST_SPEC`` or ``EXTRA_ARGS``.
-
-  ``TEST_SUFFIX suffix``
-    Similar to ``TEST_PREFIX`` except the ``suffix`` is appended to the name of
-    every discovered test case.  Both ``TEST_PREFIX`` and ``TEST_SUFFIX`` may
-    be specified.
-
-  ``PROPERTIES name1 value1...``
-    Specifies additional properties to be set on all tests discovered by this
-    invocation of ``catch_discover_tests``.
-
-  ``TEST_LIST var``
-    Make the list of tests available in the variable ``var``, rather than the
-    default ``<target>_TESTS``.  This can be useful when the same test
-    executable is being used in multiple calls to ``catch_discover_tests()``.
-    Note that this variable is only available in CTest.
-
-#]=======================================================================]
-
-# ------------------------------------------------------------------------------
-function(catch_discover_tests TARGET)
-  cmake_parse_arguments("" "" "TEST_PREFIX;TEST_SUFFIX;WORKING_DIRECTORY;TEST_LIST" "TEST_SPEC;EXTRA_ARGS;PROPERTIES"
-                        ${ARGN})
-
-  if(NOT _WORKING_DIRECTORY)
-    set(_WORKING_DIRECTORY "${CMAKE_CURRENT_BINARY_DIR}")
-  endif()
-  if(NOT _TEST_LIST)
-    set(_TEST_LIST ${TARGET}_TESTS)
-  endif()
-
-  # Generate a unique name based on the extra arguments
-  string(SHA1 args_hash "${_TEST_SPEC} ${_EXTRA_ARGS}")
-  string(SUBSTRING ${args_hash} 0 7 args_hash)
-
-  # Define rule to generate test list for aforementioned test executable
-  set(ctest_include_file "${CMAKE_CURRENT_BINARY_DIR}/${TARGET}_include-${args_hash}.cmake")
-  set(ctest_tests_file "${CMAKE_CURRENT_BINARY_DIR}/${TARGET}_tests-${args_hash}.cmake")
-  get_property(
-    crosscompiling_emulator
-    TARGET ${TARGET}
-    PROPERTY CROSSCOMPILING_EMULATOR)
-  add_custom_command(
-    TARGET ${TARGET}
-    POST_BUILD
-    BYPRODUCTS "${ctest_tests_file}"
-    COMMAND
-      "${CMAKE_COMMAND}" -D "TEST_TARGET=${TARGET}" -D "TEST_EXECUTABLE=$<TARGET_FILE:${TARGET}>" -D
-      "TEST_EXECUTOR=${crosscompiling_emulator}" -D "TEST_WORKING_DIR=${_WORKING_DIRECTORY}" -D
-      "TEST_SPEC=${_TEST_SPEC}" -D "TEST_EXTRA_ARGS=${_EXTRA_ARGS}" -D "TEST_PROPERTIES=${_PROPERTIES}" -D
-      "TEST_PREFIX=${_TEST_PREFIX}" -D "TEST_SUFFIX=${_TEST_SUFFIX}" -D "TEST_LIST=${_TEST_LIST}" -D
-      "CTEST_FILE=${ctest_tests_file}" -P "${_CATCH_DISCOVER_TESTS_SCRIPT}"
-    VERBATIM)
-
-  file(
-    WRITE "${ctest_include_file}"
-    "if(EXISTS \"${ctest_tests_file}\")\n" "  include(\"${ctest_tests_file}\")\n" "else()\n"
-    "  add_test(${TARGET}_NOT_BUILT-${args_hash} ${TARGET}_NOT_BUILT-${args_hash})\n" "endif()\n")
-
-  if(NOT ${CMAKE_VERSION} VERSION_LESS "3.10.0")
-    # Add discovered tests to directory TEST_INCLUDE_FILES
-    set_property(
-      DIRECTORY
-      APPEND
-      PROPERTY TEST_INCLUDE_FILES "${ctest_include_file}")
-  else()
-    # Add discovered tests as directory TEST_INCLUDE_FILE if possible
-    get_property(
-      test_include_file_set
-      DIRECTORY
-      PROPERTY TEST_INCLUDE_FILE
-      SET)
-    if(NOT ${test_include_file_set})
-      set_property(DIRECTORY PROPERTY TEST_INCLUDE_FILE "${ctest_include_file}")
-    else()
-      message(FATAL_ERROR "Cannot set more than one TEST_INCLUDE_FILE")
-    endif()
-  endif()
-
-endfunction()
-
-# ######################################################################################################################
-
-set(_CATCH_DISCOVER_TESTS_SCRIPT ${CMAKE_CURRENT_LIST_DIR}/CatchAddTests.cmake)

cmake/modules/CatchAddTests.cmake

@@ -1,61 +0,0 @@
-# Distributed under the OSI-approved BSD 3-Clause License.  See accompanying file Copyright.txt or
-# https://cmake.org/licensing for details.
-
-set(prefix "${TEST_PREFIX}")
-set(suffix "${TEST_SUFFIX}")
-set(spec ${TEST_SPEC})
-set(extra_args ${TEST_EXTRA_ARGS})
-set(properties ${TEST_PROPERTIES})
-set(script)
-set(suite)
-set(tests)
-
-function(add_command NAME)
-  set(_args "")
-  foreach(_arg ${ARGN})
-    if(_arg MATCHES "[^-./:a-zA-Z0-9_]")
-      set(_args "${_args} [==[${_arg}]==]") # form a bracket_argument
-    else()
-      set(_args "${_args} ${_arg}")
-    endif()
-  endforeach()
-  set(script
-      "${script}${NAME}(${_args})\n"
-      PARENT_SCOPE)
-endfunction()
-
-# Run test executable to get list of available tests
-if(NOT EXISTS "${TEST_EXECUTABLE}")
-  message(FATAL_ERROR "Specified test executable '${TEST_EXECUTABLE}' does not exist")
-endif()
-execute_process(
-  COMMAND ${TEST_EXECUTOR} "${TEST_EXECUTABLE}" ${spec} --list-test-names-only
-  OUTPUT_VARIABLE output
-  RESULT_VARIABLE result)
-# Catch --list-test-names-only reports the number of tests, so 0 is... surprising
-if(${result} EQUAL 0)
-  message(WARNING "Test executable '${TEST_EXECUTABLE}' contains no tests!\n")
-elseif(${result} LESS 0)
-  message(FATAL_ERROR "Error running test executable '${TEST_EXECUTABLE}':\n" "  Result: ${result}\n"
-                      "  Output: ${output}\n")
-endif()
-
-string(REPLACE "\n" ";" output "${output}")
-
-# Parse output
-foreach(line ${output})
-  set(test ${line})
-  # use escape commas to handle properly test cases with commans inside the name
-  string(REPLACE "," "\\," test_name ${test})
-  # ...and add to script
-  add_command(add_test "${prefix}${test}${suffix}" ${TEST_EXECUTOR} "${TEST_EXECUTABLE}" "${test_name}" ${extra_args})
-  add_command(set_tests_properties "${prefix}${test}${suffix}" PROPERTIES WORKING_DIRECTORY "${TEST_WORKING_DIR}"
-              ${properties})
-  list(APPEND tests "${prefix}${test}${suffix}")
-endforeach()
-
-# Create a list of all discovered tests, which users may use to e.g. set properties on the tests
-add_command(set ${TEST_LIST} ${tests})
-
-# Write CTest script
-file(WRITE "${CTEST_FILE}" "${script}")

cmake/modules/Coverage.cmake

@@ -1,25 +0,0 @@
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-# Tests coverage
-option(FALCO_COVERAGE "Build test suite with coverage information" OFF)
-if(FALCO_COVERAGE)
-  if(NOT (("${CMAKE_CXX_COMPILER_ID}" MATCHES "GNU") OR ("${CMAKE_CXX_COMPILER_ID}" MATCHES "Clang")))
-    message(FATAL_ERROR "FALCO_COVERAGE requires GCC or Clang.")
-  endif()
-
-  message(STATUS "Building with coverage information")
-  add_compile_options(-g --coverage)
-  set(CMAKE_SHARED_LINKER_FLAGS "--coverage ${CMAKE_SHARED_LINKER_FLAGS}")
-  set(CMAKE_EXE_LINKER_FLAGS "--coverage ${CMAKE_EXE_LINKER_FLAGS}")
-endif()

cmake/modules/DownloadCatch.cmake

@@ -1,27 +0,0 @@
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-include(ExternalProject)
-
-set(CATCH2_INCLUDE ${CMAKE_BINARY_DIR}/catch2-prefix/include)
-
-set(CATCH_EXTERNAL_URL URL https://github.com/catchorg/catch2/archive/v2.9.1.tar.gz URL_HASH
-                       MD5=4980778888fed635bf191d8a86f9f89c)
-
-ExternalProject_Add(
-  catch2
-  PREFIX ${CMAKE_BINARY_DIR}/catch2-prefix
-  ${CATCH_EXTERNAL_URL}
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  INSTALL_COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_BINARY_DIR}/catch2-prefix/src/catch2/single_include/catch2/catch.hpp
-                  ${CATCH2_INCLUDE}/catch.hpp)

cmake/modules/DownloadFakeIt.cmake

@@ -1,28 +0,0 @@
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-include(ExternalProject)
-
-set(FAKEIT_INCLUDE ${CMAKE_BINARY_DIR}/fakeit-prefix/include)
-
-set(FAKEIT_EXTERNAL_URL URL https://github.com/eranpeer/fakeit/archive/2.0.5.tar.gz URL_HASH
-                        MD5=d3d21b909cebaea5b780af5500bf384e)
-
-ExternalProject_Add(
-  fakeit-external
-  PREFIX ${CMAKE_BINARY_DIR}/fakeit-prefix
-  ${FAKEIT_EXTERNAL_URL}
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  INSTALL_COMMAND
-    ${CMAKE_COMMAND} -E copy ${CMAKE_BINARY_DIR}/fakeit-prefix/src/fakeit-external/single_header/catch/fakeit.hpp
-    ${FAKEIT_INCLUDE}/fakeit.hpp)

cmake/modules/FindMakedev.cmake

@@ -1,31 +0,0 @@
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-# This module is used to understand where the makedev function is defined in the glibc in use. see 'man 3 makedev'
-# Usage: In your CMakeLists.txt include(FindMakedev)
-#
-# In your source code:
-#
-# #if HAVE_SYS_MKDEV_H #include <sys/mkdev.h> #endif #ifdef HAVE_SYS_SYSMACROS_H #include <sys/sysmacros.h> #endif
-#
-include(${CMAKE_ROOT}/Modules/CheckIncludeFile.cmake)
-
-check_include_file("sys/mkdev.h" HAVE_SYS_MKDEV_H)
-check_include_file("sys/sysmacros.h" HAVE_SYS_SYSMACROS_H)
-
-if(HAVE_SYS_MKDEV_H)
-  add_definitions(-DHAVE_SYS_MKDEV_H)
-endif()
-if(HAVE_SYS_SYSMACROS_H)
-  add_definitions(-DHAVE_SYS_SYSMACROS_H)
-endif()

cmake/modules/GetFalcoVersion.cmake

@@ -1,59 +0,0 @@
-# Retrieve git ref and commit hash
-include(GetGitRevisionDescription)
-get_git_head_revision(FALCO_REF FALCO_HASH)
-
-# Create the falco version variable according to git index
-if(NOT FALCO_VERSION)
-  string(STRIP "${FALCO_HASH}" FALCO_HASH)
-  # Try to obtain the exact git tag
-  git_get_exact_tag(FALCO_TAG)
-  if(NOT FALCO_TAG)
-    # Obtain the closest tag
-    git_describe(FALCO_VERSION "--abbrev=0" "--tags") # suppress the long format
-    # Fallback version
-    if(FALCO_VERSION MATCHES "NOTFOUND$")
-      set(FALCO_VERSION "0.0.0")
-    endif()
-    # TODO(leodido) > Construct the prerelease part (semver 2) Construct the Build metadata part (semver 2)
-    if(NOT FALCO_HASH MATCHES "NOTFOUND$")
-      string(SUBSTRING "${FALCO_HASH}" 0 7 FALCO_VERSION_BUILD)
-      # Check whether there are uncommitted changes or not
-      git_local_changes(FALCO_CHANGES)
-      if(FALCO_CHANGES STREQUAL "DIRTY")
-        string(TOLOWER "${FALCO_CHANGES}" FALCO_CHANGES)
-        set(FALCO_VERSION_BUILD "${FALCO_VERSION_BUILD}.${FALCO_CHANGES}")
-      endif()
-    endif()
-    # Append the build metadata part (semver 2)
-    if(FALCO_VERSION_BUILD)
-      set(FALCO_VERSION "${FALCO_VERSION}+${FALCO_VERSION_BUILD}")
-    endif()
-  else()
-    # A tag has been found: use it as the Falco version
-    set(FALCO_VERSION "${FALCO_TAG}")
-    # Remove the starting "v" in case there is one
-    string(REGEX REPLACE "^v(.*)" "\\1" FALCO_VERSION "${FALCO_TAG}")
-  endif()
-  # TODO(leodido) > ensure Falco version is semver before extracting parts Populate partial version variables
-  string(REGEX MATCH "^(0|[1-9][0-9]*)" FALCO_VERSION_MAJOR "${FALCO_VERSION}")
-  string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\..*" "\\2" FALCO_VERSION_MINOR "${FALCO_VERSION}")
-  string(REGEX REPLACE "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*).*" "\\3" FALCO_VERSION_PATCH
-                       "${FALCO_VERSION}")
-  string(
-    REGEX
-    REPLACE
-      "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)-((0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)\\.(0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)*).*"
-      "\\4"
-      FALCO_VERSION_PRERELEASE
-      "${FALCO_VERSION}")
-  if(FALCO_VERSION_PRERELEASE STREQUAL "${FALCO_VERSION}")
-    set(FALCO_VERSION_PRERELEASE "")
-  endif()
-  if(NOT FALCO_VERSION_BUILD)
-    string(REGEX REPLACE ".*\\+([0-9a-zA-Z-]+(\\.[0-9a-zA-Z-]+)*)" "\\1" FALCO_VERSION_BUILD "${FALCO_VERSION}")
-  endif()
-  if(FALCO_VERSION_BUILD STREQUAL "${FALCO_VERSION}")
-    set(FALCO_VERSION_BUILD "")
-  endif()
-endif()
-message(STATUS "Falco version: ${FALCO_VERSION}")

cmake/modules/GetGitRevisionDescription.cmake

@@ -1,169 +0,0 @@
-# * Returns a version string from Git
-#
-# These functions force a re-configure on each git commit so that you can trust the values of the variables in your
-# build system.
-#
-# get_git_head_revision(<refspecvar> <hashvar> [<additional arguments to git describe> ...])
-#
-# Returns the refspec and sha hash of the current head revision
-#
-# git_describe(<var> [<additional arguments to git describe> ...])
-#
-# Returns the results of git describe on the source tree, and adjusting the output so that it tests false if an error
-# occurs.
-#
-# git_get_exact_tag(<var> [<additional arguments to git describe> ...])
-#
-# Returns the results of git describe --exact-match on the source tree, and adjusting the output so that it tests false
-# if there was no exact matching tag.
-#
-# git_local_changes(<var>)
-#
-# Returns either "CLEAN" or "DIRTY" with respect to uncommitted changes. Uses the return code of "git diff-index --quiet
-# HEAD --". Does not regard untracked files.
-#
-# Requires CMake 2.6 or newer (uses the 'function' command)
-#
-# Original Author: 2009-2010 Ryan Pavlik <rpavlik@iastate.edu> <abiryan@ryand.net> http://academic.cleardefinition.com
-# Iowa State University HCI Graduate Program/VRAC
-#
-# Copyright Iowa State University 2009-2010. Distributed under the Boost Software License, Version 1.0. (See
-# accompanying file LICENSE_1_0.txt or copy at http://www.boost.org/LICENSE_1_0.txt)
-
-if(__get_git_revision_description)
-  return()
-endif()
-set(__get_git_revision_description YES)
-
-# We must run the following at "include" time, not at function call time, to find the path to this module rather than
-# the path to a calling list file
-get_filename_component(_gitdescmoddir ${CMAKE_CURRENT_LIST_FILE} PATH)
-
-function(get_git_head_revision _refspecvar _hashvar)
-  set(GIT_PARENT_DIR "${CMAKE_CURRENT_SOURCE_DIR}")
-  set(GIT_DIR "${GIT_PARENT_DIR}/.git")
-  while(NOT EXISTS "${GIT_DIR}") # .git dir not found, search parent directories
-    set(GIT_PREVIOUS_PARENT "${GIT_PARENT_DIR}")
-    get_filename_component(GIT_PARENT_DIR ${GIT_PARENT_DIR} PATH)
-    if(GIT_PARENT_DIR STREQUAL GIT_PREVIOUS_PARENT)
-      # We have reached the root directory, we are not in git
-      set(${_refspecvar}
-          "GITDIR-NOTFOUND"
-          PARENT_SCOPE)
-      set(${_hashvar}
-          "GITDIR-NOTFOUND"
-          PARENT_SCOPE)
-      return()
-    endif()
-    set(GIT_DIR "${GIT_PARENT_DIR}/.git")
-  endwhile()
-  # check if this is a submodule
-  if(NOT IS_DIRECTORY ${GIT_DIR})
-    file(READ ${GIT_DIR} submodule)
-    string(REGEX REPLACE "gitdir: (.*)\n$" "\\1" GIT_DIR_RELATIVE ${submodule})
-    get_filename_component(SUBMODULE_DIR ${GIT_DIR} PATH)
-    get_filename_component(GIT_DIR ${SUBMODULE_DIR}/${GIT_DIR_RELATIVE} ABSOLUTE)
-  endif()
-  set(GIT_DATA "${CMAKE_CURRENT_BINARY_DIR}/CMakeFiles/git-data")
-  if(NOT EXISTS "${GIT_DATA}")
-    file(MAKE_DIRECTORY "${GIT_DATA}")
-  endif()
-
-  if(NOT EXISTS "${GIT_DIR}/HEAD")
-    return()
-  endif()
-  set(HEAD_FILE "${GIT_DATA}/HEAD")
-  configure_file("${GIT_DIR}/HEAD" "${HEAD_FILE}" COPYONLY)
-
-  configure_file("${_gitdescmoddir}/GetGitRevisionDescription.cmake.in" "${GIT_DATA}/grabRef.cmake" @ONLY)
-  include("${GIT_DATA}/grabRef.cmake")
-
-  set(${_refspecvar}
-      "${HEAD_REF}"
-      PARENT_SCOPE)
-  set(${_hashvar}
-      "${HEAD_HASH}"
-      PARENT_SCOPE)
-endfunction()
-
-function(git_describe _var)
-  if(NOT GIT_FOUND)
-    find_package(Git QUIET)
-  endif()
-  get_git_head_revision(refspec hash)
-  if(NOT GIT_FOUND)
-    set(${_var}
-        "GIT-NOTFOUND"
-        PARENT_SCOPE)
-    return()
-  endif()
-  if(NOT hash)
-    set(${_var}
-        "HEAD-HASH-NOTFOUND"
-        PARENT_SCOPE)
-    return()
-  endif()
-
-  execute_process(COMMAND
-    "${GIT_EXECUTABLE}"
-    describe
-    ${hash}
-    ${ARGN}
-    WORKING_DIRECTORY
-    "${CMAKE_CURRENT_SOURCE_DIR}"
-    RESULT_VARIABLE
-    res
-    OUTPUT_VARIABLE
-    out
-    ERROR_QUIET
-    OUTPUT_STRIP_TRAILING_WHITESPACE)
-  if(NOT res EQUAL 0)
-    set(out "${out}-${res}-NOTFOUND")
-  endif()
-
-  set(${_var}
-      "${out}"
-      PARENT_SCOPE)
-endfunction()
-
-function(git_get_exact_tag _var)
-  git_describe(out --exact-match ${ARGN})
-  set(${_var}
-      "${out}"
-      PARENT_SCOPE)
-endfunction()
-
-function(git_local_changes _var)
-  if(NOT GIT_FOUND)
-    find_package(Git QUIET)
-  endif()
-  get_git_head_revision(refspec hash)
-  if(NOT GIT_FOUND)
-    set(${_var}
-        "GIT-NOTFOUND"
-        PARENT_SCOPE)
-    return()
-  endif()
-  if(NOT hash)
-    set(${_var}
-        "HEAD-HASH-NOTFOUND"
-        PARENT_SCOPE)
-    return()
-  endif()
-
-  execute_process(
-    COMMAND "${GIT_EXECUTABLE}" diff-index --quiet HEAD --
-    WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}"
-    RESULT_VARIABLE res
-    OUTPUT_VARIABLE out
-    ERROR_QUIET OUTPUT_STRIP_TRAILING_WHITESPACE)
-  if(res EQUAL 0)
-    set(${_var}
-        "CLEAN"
-        PARENT_SCOPE)
-  else()
-    set(${_var}
-        "DIRTY"
-        PARENT_SCOPE)
-  endif()
-endfunction()

cmake/modules/GetGitRevisionDescription.cmake.in

@@ -1,41 +0,0 @@
-#
-# Internal file for GetGitRevisionDescription.cmake
-#
-# Requires CMake 2.6 or newer (uses the 'function' command)
-#
-# Original Author:
-# 2009-2010 Ryan Pavlik <rpavlik@iastate.edu> <abiryan@ryand.net>
-# http://academic.cleardefinition.com
-# Iowa State University HCI Graduate Program/VRAC
-#
-# Copyright Iowa State University 2009-2010.
-# Distributed under the Boost Software License, Version 1.0.
-# (See accompanying file LICENSE_1_0.txt or copy at
-# http://www.boost.org/LICENSE_1_0.txt)
-
-set(HEAD_HASH)
-
-file(READ "@HEAD_FILE@" HEAD_CONTENTS LIMIT 1024)
-
-string(STRIP "${HEAD_CONTENTS}" HEAD_CONTENTS)
-if(HEAD_CONTENTS MATCHES "ref")
-	# named branch
-	string(REPLACE "ref: " "" HEAD_REF "${HEAD_CONTENTS}")
-	if(EXISTS "@GIT_DIR@/${HEAD_REF}")
-		configure_file("@GIT_DIR@/${HEAD_REF}" "@GIT_DATA@/head-ref" COPYONLY)
-	else()
-		configure_file("@GIT_DIR@/packed-refs" "@GIT_DATA@/packed-refs" COPYONLY)
-		file(READ "@GIT_DATA@/packed-refs" PACKED_REFS)
-		if(${PACKED_REFS} MATCHES "([0-9a-z]*) ${HEAD_REF}")
-			set(HEAD_HASH "${CMAKE_MATCH_1}")
-		endif()
-	endif()
-else()
-	# detached HEAD
-	configure_file("@GIT_DIR@/HEAD" "@GIT_DATA@/head-ref" COPYONLY)
-endif()
-
-if(NOT HEAD_HASH)
-	file(READ "@GIT_DATA@/head-ref" HEAD_HASH LIMIT 1024)
-	string(STRIP "${HEAD_HASH}" HEAD_HASH)
-endif()

cmake/modules/OpenSSL.cmake

@@ -1,30 +0,0 @@
-if(NOT USE_BUNDLED_DEPS)
-  find_package(OpenSSL REQUIRED)
-  message(STATUS "Found openssl: include: ${OPENSSL_INCLUDE_DIR}, lib: ${OPENSSL_LIBRARIES}")
-  find_program(OPENSSL_BINARY openssl)
-  if(NOT OPENSSL_BINARY)
-    message(FATAL_ERROR "Couldn't find the openssl command line in PATH")
-  else()
-    message(STATUS "Found openssl: binary: ${OPENSSL_BINARY}")
-  endif()
-else()
-  set(OPENSSL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl")
-  set(OPENSSL_INSTALL_DIR "${OPENSSL_BUNDLE_DIR}/target")
-  set(OPENSSL_INCLUDE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl/include")
-  set(OPENSSL_LIBRARY_SSL "${OPENSSL_INSTALL_DIR}/lib/libssl.a")
-  set(OPENSSL_LIBRARY_CRYPTO "${OPENSSL_INSTALL_DIR}/lib/libcrypto.a")
-  set(OPENSSL_BINARY "${OPENSSL_INSTALL_DIR}/bin/openssl")
-
-  message(STATUS "Using bundled openssl in '${OPENSSL_BUNDLE_DIR}'")
-
-  ExternalProject_Add(
-    openssl
-    # START CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
-    URL "https://s3.amazonaws.com/download.draios.com/dependencies/openssl-1.0.2n.tar.gz"
-    URL_MD5 "13bdc1b1d1ff39b6fd42a255e74676a4"
-    # END CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
-    CONFIGURE_COMMAND ./config shared --prefix=${OPENSSL_INSTALL_DIR}
-    BUILD_COMMAND ${CMD_MAKE}
-    BUILD_IN_SOURCE 1
-    INSTALL_COMMAND ${CMD_MAKE} install)
-endif()

cmake/modules/cURL.cmake

@@ -1,80 +0,0 @@
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-if(NOT USE_BUNDLED_DEPS)
-  find_package(CURL REQUIRED)
-  message(STATUS "Found CURL: include: ${CURL_INCLUDE_DIR}, lib: ${CURL_LIBRARIES}")
-else()
-  set(CURL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/curl-prefix/src/curl")
-  set(CURL_INCLUDE_DIR "${CURL_BUNDLE_DIR}/include/")
-  set(CURL_LIBRARIES "${CURL_BUNDLE_DIR}/lib/.libs/libcurl.a")
-
-  if(NOT USE_BUNDLED_OPENSSL)
-    set(CURL_SSL_OPTION "--with-ssl")
-  else()
-    set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}")
-    message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'")
-    message(STATUS "Using SSL for curl in '${CURL_SSL_OPTION}'")
-  endif()
-
-  externalproject_add(
-    curl
-    DEPENDS openssl
-    # START CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
-    URL "https://s3.amazonaws.com/download.draios.com/dependencies/curl-7.61.0.tar.bz2"
-    URL_MD5 "31d0a9f48dc796a7db351898a1e5058a"
-    # END CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
-    CONFIGURE_COMMAND
-      ./configure
-      ${CURL_SSL_OPTION}
-      --disable-shared
-      --enable-optimize
-      --disable-curldebug
-      --disable-rt
-      --enable-http
-      --disable-ftp
-      --disable-file
-      --disable-ldap
-      --disable-ldaps
-      --disable-rtsp
-      --disable-telnet
-      --disable-tftp
-      --disable-pop3
-      --disable-imap
-      --disable-smb
-      --disable-smtp
-      --disable-gopher
-      --disable-sspi
-      --disable-ntlm-wb
-      --disable-tls-srp
-      --without-winssl
-      --without-darwinssl
-      --without-polarssl
-      --without-cyassl
-      --without-nss
-      --without-axtls
-      --without-ca-path
-      --without-ca-bundle
-      --without-libmetalink
-      --without-librtmp
-      --without-winidn
-      --without-libidn2
-      --without-libpsl
-      --without-nghttp2
-      --without-libssh2
-      --disable-threaded-resolver
-      --without-brotli
-    BUILD_COMMAND ${CMD_MAKE}
-    BUILD_IN_SOURCE 1
-    INSTALL_COMMAND "")
-endif()

cmake/modules/gRPC.cmake

@@ -1,122 +0,0 @@
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-if(NOT USE_BUNDLED_DEPS)
-  # zlib
-  include(FindZLIB)
-  set(ZLIB_INCLUDE "${ZLIB_INCLUDE_DIRS}")
-  set(ZLIB_LIB "${ZLIB_LIBRARIES}")
-
-  if(ZLIB_INCLUDE AND ZLIB_LIB)
-    message(STATUS "Found zlib: include: ${ZLIB_INCLUDE}, lib: ${ZLIB_LIB}")
-  endif()
-
-  # c-ares
-  find_path(CARES_INCLUDE NAMES ares.h)
-  find_library(CARES_LIB NAMES libcares.so)
-  if(CARES_INCLUDE AND CARES_LIB)
-    message(STATUS "Found c-ares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}")
-  else()
-    message(FATAL_ERROR "Couldn't find system c-ares")
-  endif()
-
-  # protobuf
-  find_program(PROTOC NAMES protoc)
-  find_path(PROTOBUF_INCLUDE NAMES google/protobuf/message.h)
-  find_library(PROTOBUF_LIB NAMES libprotobuf.so)
-  if(PROTOC
-     AND PROTOBUF_INCLUDE
-     AND PROTOBUF_LIB)
-    message(STATUS "Found protobuf: compiler: ${PROTOC}, include: ${PROTOBUF_INCLUDE}, lib: ${PROTOBUF_LIB}")
-  else()
-    message(FATAL_ERROR "Couldn't find system protobuf")
-  endif()
-
-  # gRPC todo(fntlnz, leodido): check that gRPC version is greater or equal than 1.8.0
-  find_path(GRPCXX_INCLUDE NAMES grpc++/grpc++.h)
-  if(GRPCXX_INCLUDE)
-    set(GRPC_INCLUDE ${GRPCXX_INCLUDE})
-  else()
-    find_path(GRPCPP_INCLUDE NAMES grpcpp/grpcpp.h)
-    set(GRPC_INCLUDE ${GRPCPP_INCLUDE})
-    add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1)
-  endif()
-  find_library(GRPC_LIB NAMES grpc)
-  find_library(GRPCPP_LIB NAMES grpc++)
-  if(GRPC_INCLUDE
-     AND GRPC_LIB
-     AND GRPCPP_LIB)
-    message(STATUS "Found grpc: include: ${GRPC_INCLUDE}, C lib: ${GRPC_LIB}, C++ lib: ${GRPCPP_LIB}")
-  else()
-    message(FATAL_ERROR "Couldn't find system grpc")
-  endif()
-  find_program(GRPC_CPP_PLUGIN grpc_cpp_plugin)
-  if(NOT GRPC_CPP_PLUGIN)
-    message(FATAL_ERROR "System grpc_cpp_plugin not found")
-  endif()
-
-else()
-  find_package(PkgConfig)
-    if(NOT PKG_CONFIG_FOUND)
-      message(FATAL_ERROR "pkg-config binary not found")
-  endif()
-  message(STATUS "Found pkg-config executable: ${PKG_CONFIG_EXECUTABLE}")
-  set(GRPC_SRC "${PROJECT_BINARY_DIR}/grpc-prefix/src/grpc")
-  set(GRPC_INCLUDE "${GRPC_SRC}/include")
-  set(GRPC_LIBS_ABSOLUTE "${GRPC_SRC}/libs/opt")
-  set(GRPC_LIB "${GRPC_LIBS_ABSOLUTE}/libgrpc.a")
-  set(GRPCPP_LIB "${GRPC_LIBS_ABSOLUTE}/libgrpc++.a")
-  set(GRPC_CPP_PLUGIN "${GRPC_SRC}/bins/opt/grpc_cpp_plugin")
-
-  # we tell gRPC to compile protobuf for us because when a gRPC package is not available, like on CentOS, it's very
-  # likely that protobuf will be very outdated
-  set(PROTOBUF_INCLUDE "${GRPC_SRC}/third_party/protobuf/src")
-  set(PROTOC "${PROTOBUF_INCLUDE}/protoc")
-  set(PROTOBUF_LIB "${GRPC_LIBS_ABSOLUTE}/protobuf/libprotobuf.a")
-  # we tell gRPC to compile zlib for us because when a gRPC package is not available, like on CentOS, it's very likely
-  # that zlib will be very outdated
-  set(ZLIB_INCLUDE "${GRPC_SRC}/third_party/zlib")
-  set(ZLIB_LIB "${GRPC_LIBS_ABSOLUTE}/libz.a")
-
-  message(STATUS "Using bundled gRPC in '${GRPC_SRC}'")
-  message(
-    STATUS
-      "Bundled gRPC comes with protobuf: compiler: ${PROTOC}, include: ${PROTOBUF_INCLUDE}, lib: ${PROTOBUF_LIB}")
-  message(STATUS "Bundled gRPC comes with zlib: include: ${ZLIB_INCLUDE}, lib: ${ZLIB_LIB}}")
-  message(STATUS "Bundled gRPC comes with gRPC C++ plugin: include: ${GRPC_CPP_PLUGIN}")
-
-  get_filename_component(PROTOC_DIR ${PROTOC} PATH)
-
-  ExternalProject_Add(
-    grpc
-    DEPENDS openssl
-    GIT_REPOSITORY https://github.com/grpc/grpc.git
-    GIT_TAG v1.25.0
-    GIT_SUBMODULES "third_party/protobuf third_party/zlib third_party/cares/cares"
-    BUILD_IN_SOURCE 1
-    BUILD_BYPRODUCTS ${GRPC_LIB} ${GRPCPP_LIB}
-    INSTALL_COMMAND ""
-    CONFIGURE_COMMAND ""
-    BUILD_COMMAND
-      CFLAGS=-Wno-implicit-fallthrough
-      HAS_SYSTEM_ZLIB=false
-      HAS_SYSTEM_PROTOBUF=false
-      HAS_SYSTEM_CARES=false
-      PKG_CONFIG_PATH=${OPENSSL_BUNDLE_DIR}
-      PKG_CONFIG=${PKG_CONFIG_EXECUTABLE}
-      PATH=${PROTOC_DIR}:$ENV{PATH}
-      make
-      static_cxx
-      static_c
-      grpc_cpp_plugin)
-endif()

cmake/modules/jq.cmake

@@ -1,35 +0,0 @@
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-if(NOT USE_BUNDLED_DEPS)
-  find_path(JQ_INCLUDE jq.h PATH_SUFFIXES jq)
-  find_library(JQ_LIB NAMES jq)
-  if(JQ_INCLUDE AND JQ_LIB)
-    message(STATUS "Found jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}")
-  else()
-    message(FATAL_ERROR "Couldn't find system jq")
-  endif()
-else()
-  set(JQ_SRC "${PROJECT_BINARY_DIR}/jq-prefix/src/jq")
-  message(STATUS "Using bundled jq in '${JQ_SRC}'")
-  set(JQ_INCLUDE "${JQ_SRC}")
-  set(JQ_LIB "${JQ_SRC}/.libs/libjq.a")
-  ExternalProject_Add(
-    jq
-    URL "https://github.com/stedolan/jq/releases/download/jq-1.5/jq-1.5.tar.gz"
-    URL_MD5 "0933532b086bd8b6a41c1b162b1731f9"
-    CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking
-    BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
-    BUILD_IN_SOURCE 1
-    PATCH_COMMAND curl -L https://github.com/stedolan/jq/commit/8eb1367ca44e772963e704a700ef72ae2e12babd.patch | patch
-    INSTALL_COMMAND "")
-endif()

cmake/modules/sysdig-repo/CMakeLists.txt

@@ -1,34 +0,0 @@
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-cmake_minimum_required(VERSION 3.5.1)
-
-project(sysdig-repo NONE)
-
-include(ExternalProject)
-
-# The sysdig git reference (branch name, commit hash, or tag)
-
-# To update sysdig version for the next release, change the default below
-# In case you want to test against another sysdig version just pass the variable - ie., `cmake -DSYSDIG_VERSION=dev ..`
-if(NOT SYSDIG_VERSION)
-  set(SYSDIG_VERSION "146a431edf95829ac11bfd9c85ba3ef08789bffe")
-endif()
-
-ExternalProject_Add(
-  sysdig
-  URL "https://github.com/draios/sysdig/archive/${SYSDIG_VERSION}.tar.gz"
-  # URL_HASH SHA256=bd09607aa8beb863db07e695863f7dc543e2d39e7153005759d26a340ff66fa5
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ""
-  INSTALL_COMMAND ""
-  TEST_COMMAND "")

cmake/modules/sysdig.cmake

@@ -1,57 +0,0 @@
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-set(SYSDIG_CMAKE_SOURCE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules/sysdig-repo")
-set(SYSDIG_CMAKE_WORKING_DIR "${CMAKE_BINARY_DIR}/sysdig-repo")
-
-# this needs to be here at the top
-if(USE_BUNDLED_DEPS)
-  # explicitly force this dependency to use the system OpenSSL
-  set(USE_BUNDLED_OPENSSL ON)
-endif()
-
-file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
-# cd /path/to/build && cmake /path/to/source
-execute_process(COMMAND "${CMAKE_COMMAND}" ${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
-
-# todo(leodido, fntlnz) > use the following one when CMake version will be >= 3.13
-
-# execute_process(COMMAND "${CMAKE_COMMAND}" -B ${SYSDIG_CMAKE_WORKING_DIR} WORKING_DIRECTORY
-# "${SYSDIG_CMAKE_SOURCE_DIR}")
-
-execute_process(COMMAND "${CMAKE_COMMAND}" --build . WORKING_DIRECTORY "${SYSDIG_CMAKE_WORKING_DIR}")
-set(SYSDIG_SOURCE_DIR "${SYSDIG_CMAKE_WORKING_DIR}/sysdig-prefix/src/sysdig")
-
-# jsoncpp
-set(JSONCPP_SRC "${SYSDIG_SOURCE_DIR}/userspace/libsinsp/third-party/jsoncpp")
-set(JSONCPP_INCLUDE "${JSONCPP_SRC}")
-set(JSONCPP_LIB_SRC "${JSONCPP_SRC}/jsoncpp.cpp")
-
-# Add driver directory
-add_subdirectory("${SYSDIG_SOURCE_DIR}/driver" "${PROJECT_BINARY_DIR}/driver")
-
-# Add libscap directory
-add_definitions(-D_GNU_SOURCE)
-add_definitions(-DHAS_CAPTURE)
-add_subdirectory("${SYSDIG_SOURCE_DIR}/userspace/libscap" "${PROJECT_BINARY_DIR}/userspace/libscap")
-
-# Add libsinsp directory
-add_subdirectory("${SYSDIG_SOURCE_DIR}/userspace/libsinsp" "${PROJECT_BINARY_DIR}/userspace/libsinsp")
-add_dependencies(sinsp tbb b64 luajit)
-
-# explicitly disable the tests of this dependency
-set(CREATE_TEST_TARGETS OFF)
-
-if(USE_BUNDLED_DEPS)
-  add_dependencies(scap grpc curl jq)
-endif()

cmake/modules/yaml-cpp.cmake

@@ -1,32 +0,0 @@
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-if(NOT USE_BUNDLED_DEPS)
-  find_path(YAMLCPP_INCLUDE_DIR NAMES yaml-cpp/yaml.h)
-  find_library(YAMLCPP_LIB NAMES yaml-cpp)
-  if(YAMLCPP_INCLUDE_DIR AND YAMLCPP_LIB)
-    message(STATUS "Found yamlcpp: include: ${YAMLCPP_INCLUDE_DIR}, lib: ${YAMLCPP_LIB}")
-  else()
-    message(FATAL_ERROR "Couldn't find system yamlcpp")
-  endif()
-else()
-  set(YAMLCPP_SRC "${PROJECT_BINARY_DIR}/yamlcpp-prefix/src/yamlcpp")
-  message(STATUS "Using bundled yaml-cpp in '${YAMLCPP_SRC}'")
-  set(YAMLCPP_LIB "${YAMLCPP_SRC}/libyaml-cpp.a")
-  set(YAMLCPP_INCLUDE_DIR "${YAMLCPP_SRC}/include")
-  ExternalProject_Add(
-    yamlcpp
-    URL "https://github.com/jbeder/yaml-cpp/archive/yaml-cpp-0.6.2.tar.gz"
-    URL_MD5 "5b943e9af0060d0811148b037449ef82"
-    BUILD_IN_SOURCE 1
-    INSTALL_COMMAND "")
-endif()

docker/CMakeLists.txt

@@ -1 +0,0 @@
-add_subdirectory(local)

docker/OWNERS

@@ -1,2 +0,0 @@
-labels:
-  - area/integration

docker/README.md

@@ -1,30 +0,0 @@
-# Falco Dockerfiles
-
-This directory contains the various ways to package Falco as a container. 
-
-## Currently Supported Containers
-
-### `falcosecurity/falco` Dockerfiles
- - `./dev`: Builds a container image from the `dev` apt repo.
- - `./stable`: Builds a container image from the `stable` apt repo.
- - `./local`: Builds a container image from a locally provided Falco `dpkg` package.
-
-### Build & Testing Dockerfiles
- - `./builder`: `falcosecurity/falco-builder` - The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source.
- - `./tester`: `falcosecurity/falco-tester` - Container image for running the Falco test suite.
-
-## Alpha Release Containers
-
-These Dockerfiles (and resulting container images) are currently in `alpha`. We'd love for you to test these images and [report any feedback](https://github.com/falcosecurity/falco/issues/new/choose).
-
-### Slim and Minimal Dockerfiles
-The goal of these container images is to reduce the size of the underlying Falco container. 
- - `./slim-dev`: Like `./dev` above but removes build tools for older kernels.
- - `./slim-stable`: Like `./stable` above but removes build tools for older kernels.
- - `./minimal`: A minimal container image (~20mb), containing only the files required to run Falco.
-
-### Init Containers
-These container images allow for the delivery of the kernel module or eBPF probe either via HTTP or via a container image.
- - `kernel/linuxkit`: Multistage Dockerfile to build a Falco kernel module for Linuxkit (Docker Desktop). Generates an alpine based container image with the kernel module, and `insmod` as the container `CMD`.  
- - `kernel/probeloader`: Multistage Dockerfile to build a Go based application to download (via HTTPS) and load a Falco kernel module. The resulting container image can be ran as an `initContainer` to load the Falco module before Falco starts.
-

docker/builder/Dockerfile

@@ -1,45 +0,0 @@
-FROM centos:7
-
-LABEL name="falcosecurity/falco-builder"
-LABEL usage="docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder cmake"
-LABEL maintainer="opensource@sysdig.com"
-
-ARG BUILD_TYPE=release
-ARG BUILD_DRIVER=OFF
-ARG BUILD_BPF=OFF
-ARG BUILD_WARNINGS_AS_ERRORS=ON
-ARG MAKE_JOBS=4
-ARG FALCO_VERSION
-
-ENV BUILD_TYPE=${BUILD_TYPE}
-ENV BUILD_DRIVER=${BUILD_DRIVER}
-ENV BUILD_BPF=${BUILD_BPF}
-ENV BUILD_WARNINGS_AS_ERRORS=${BUILD_WARNINGS_AS_ERRORS}
-ENV MAKE_JOBS=${MAKE_JOBS}
-ENV FALCO_VERSION=${FALCO_VERSION}
-
-# build toolchain
-RUN yum -y install centos-release-scl && \
-    INSTALL_PKGS="devtoolset-7-gcc devtoolset-7-gcc-c++ devtoolset-7-toolchain devtoolset-7-libstdc++-devel devtoolset-7-elfutils-libelf-devel llvm-toolset-7 glibc-static autoconf automake libtool createrepo expect git which libcurl-devel zlib-devel ncurses-devel rpm-build libyaml-devel" && \
-    yum -y install --setopt=tsflags=nodocs $INSTALL_PKGS && \
-    rpm -V $INSTALL_PKGS
-
-ARG CMAKE_VERSION=3.5.1
-RUN source scl_source enable devtoolset-7 llvm-toolset-7 && \
-    cd /tmp && \
-    curl -L https://github.com/kitware/cmake/releases/download/v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}.tar.gz | tar xz; \
-    cd cmake-${CMAKE_VERSION} && \
-    ./bootstrap --system-curl && \
-    make -j${MAKE_JOBS} && \
-    make install && \
-    rm -rf /tmp/cmake-${CMAKE_VERSION}
-
-COPY ./root /
-
-# DTS
-ENV BASH_ENV=/usr/bin/scl_enable \
-    ENV=/usr/bin/scl_enable \
-    PROMPT_COMMAND=". /usr/bin/scl_enable"
-
-ENTRYPOINT ["entrypoint"]
-CMD ["usage"]

docker/builder/root/usr/bin/entrypoint

@@ -1,59 +0,0 @@
-#!/usr/bin/env bash
-
-set -eu -o pipefail
-
-SOURCE_DIR=/source
-BUILD_DIR=/build
-CMD=${1:-usage}
-shift
-
-# Build type can be "debug" or "release", fallbacks to "release" by default
-BUILD_TYPE=$(echo "$BUILD_TYPE" | tr "[:upper:]" "[:lower:]")
-DRAIOS_DEBUG_FLAGS=
-case "$BUILD_TYPE" in
-"debug")
-    DRAIOS_DEBUG_FLAGS="-D_DEBUG -DNDEBUG"
-    ;;
-*)
-    BUILD_TYPE="release"
-    ;;
-esac
-
-case "$CMD" in
-"cmake")
-    # Check that source directory contains Falco
-    if [ ! -d "$SOURCE_DIR/falco" ]; then
-        echo "Missing falco source." >&2
-        exit 1
-    fi
-    # Prepare build directory
-    mkdir -p "$BUILD_DIR/$BUILD_TYPE"
-    cd "$BUILD_DIR/$BUILD_TYPE"
-
-    cmake \
-    -DCMAKE_BUILD_TYPE="$BUILD_TYPE" \
-    -DCMAKE_INSTALL_PREFIX=/usr \
-    -DBUILD_DRIVER="$BUILD_DRIVER" \
-    -DBUILD_BPF="$BUILD_BPF" \
-    -DBUILD_WARNINGS_AS_ERRORS="$BUILD_WARNINGS_AS_ERRORS" \
-    -DFALCO_VERSION="$FALCO_VERSION" \
-    -DDRAIOS_DEBUG_FLAGS="$DRAIOS_DEBUG_FLAGS" \
-    -DUSE_BUNDLED_DEPS=ON \
-    "$SOURCE_DIR/falco"
-    exit "$(printf '%d\n' $?)"
-    ;;
-"bash")
-    CMD=/bin/bash
-    ;& # fallthrough
-"usage")
-    exec "$CMD" "$@"
-    ;;
-*)
-    if [ ! -d "$BUILD_DIR/$BUILD_TYPE" ]; then
-        echo "Missing $BUILD_DIR/$BUILD_TYPE directory: run cmake."
-        exit 1
-    fi
-    cd "$BUILD_DIR/$BUILD_TYPE"
-    make -j"$MAKE_JOBS" "$CMD"
-    ;;
-esac

docker/builder/root/usr/bin/scl_enable

@@ -1,6 +0,0 @@
-# IMPORTANT: Do not add more content to this file unless you know what you are doing.
-#            This file is sourced everytime the shell session is opened.
-#
-# This will make scl collection binaries work out of box.
-unset BASH_ENV PROMPT_COMMAND ENV
-source scl_source enable devtoolset-7 llvm-toolset-7

docker/builder/root/usr/bin/usage

@@ -1,53 +0,0 @@
-#!/usr/bin/env bash
-
-gccversion=$(gcc --version | head -n1)
-cppversion=$(g++ -dM -E -x c++ /dev/null | grep -F __cplusplus | cut -d' ' -f3)
-cmakeversion=$(cmake --version | head -n1)
-clangversion=$(clang --version | head -n1)
-
-cat <<EOF
-Hello, this is the Falco builder container.
-
-How to use.
-
-    The default commands for the Falco builder image reports usage and environment info.
-    * docker run falcosecurity/falco-builder
-    * docker run falcosecurity/falco-builder usage
-
-    It supports bash.
-    * docker run -ti falcosecurity/falco-builder bash
-
-    To build Falco it needs:
-    - a bind-mount on the source directory (ie., the directory containing Falco and sysdig source as siblings)
-
-    Optionally, you can also bind-mount the build directory.
-    So, you can execute it from the Falco root directory as follows.
-
-    * docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder cmake
-    * docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder [<cmake-target-x>, ..., <cmake-target-y>]
-
-    Eg.,
-    * docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder tests
-    * docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder install
-
-How to build.
-
-    * cd docker/builder && DOCKER_BUILDKIT=1 docker build -t falcosecurity/falco-builder .
-
-    In case you want to customise the builder at build time the following build arguments are provided:
-    - BUILD_TYPE                whether you want a "release" or "debug" build (defaults to "release").
-    - BUILD_DRIVER              whether to build the driver or not (defaults to "OFF")
-    - BUILD_BPF                 whether to build the BPF driver or not (defaults to "OFF")
-    - BUILD_WARNINGS_AS_ERRORS  whether to intend warnings as errors or not (defaults to "ON")
-    - MAKE_JOBS                 the number of jobs to use during make (defaults to "4")
-    - FALCO_VERSION             the version to label the build (built from git index in case it is missing)
-
-    It is possible to change these at runtime (in the container) since environment variables with the same names are provided, too.
-
-Environment.
-
-    * ${gccversion}
-    * cplusplus ${cppversion}
-    * ${cmakeversion}
-    * ${clangversion}
-EOF

docker/dev/Dockerfile

@@ -1,12 +1,12 @@
 FROM debian:unstable
 
-LABEL maintainer="opensource@sysdig.com"
+LABEL maintainer="Sysdig <support@sysdig.com>"
 
 ENV FALCO_REPOSITORY dev
 
 LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
 
-ENV HOST_ROOT /host
+ENV SYSDIG_HOST_ROOT /host
 
 ENV HOME /root
 
@@ -15,7 +15,7 @@ RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
 
 RUN apt-get update \
-	&& apt-get install -y --no-install-recommends \
+ && apt-get install -y --no-install-recommends \
 	bash-completion \
 	bc \
 	clang-7 \
@@ -24,6 +24,8 @@ RUN apt-get update \
 	dkms \
 	gnupg2 \
 	gcc \
+	gcc-5 \
+	gcc-6 \
 	gdb \
 	jq \
 	libc6-dev \
@@ -31,80 +33,41 @@ RUN apt-get update \
 	llvm-7 \
 	netcat \
 	xz-utils \
-	&& rm -rf /var/lib/apt/lists/*
-
-# gcc 6 is no longer included in debian unstable, but we need it to
-# build kernel modules on the default debian-based ami used by
-# kops. So grab copies we've saved from debian snapshots with the
-# prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
-# or so.
-
-RUN curl -o cpp-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/cpp-6_6.3.0-18_amd64.deb \
-	&& curl -o gcc-6-base_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6-base_6.3.0-18_amd64.deb \
-	&& curl -o gcc-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6_6.3.0-18_amd64.deb \
-	&& curl -o libasan3_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libasan3_6.3.0-18_amd64.deb \
-	&& curl -o libcilkrts5_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libcilkrts5_6.3.0-18_amd64.deb \
-	&& curl -o libgcc-6-dev_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libgcc-6-dev_6.3.0-18_amd64.deb \
-	&& curl -o libubsan0_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libubsan0_6.3.0-18_amd64.deb \
-	&& curl -o libmpfr4_3.1.3-2_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libmpfr4_3.1.3-2_amd64.deb \
-	&& curl -o libisl15_0.18-1_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libisl15_0.18-1_amd64.deb \
-	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
-	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
-
-# gcc 5 is no longer included in debian unstable, but we need it to
-# build centos kernels, which are 3.x based and explicitly want a gcc
-# version 3, 4, or 5 compiler. So grab copies we've saved from debian
-# snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
-
-RUN curl -o cpp-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/cpp-5_5.5.0-12_amd64.deb \
-	&& curl -o gcc-5-base_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
-	&& curl -o gcc-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5_5.5.0-12_amd64.deb \
-	&& curl -o libasan2_5.5.0-12_amd64.deb	https://s3.amazonaws.com/download.draios.com/dependencies/libasan2_5.5.0-12_amd64.deb \
-	&& curl -o libgcc-5-dev_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
-	&& curl -o libisl15_0.18-4_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libisl15_0.18-4_amd64.deb \
-	&& curl -o libmpx0_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libmpx0_5.5.0-12_amd64.deb \
-	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
-	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
+ && rm -rf /var/lib/apt/lists/*
 
 # Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
 # default to gcc-5.
 RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc
 
 RUN rm -rf /usr/bin/clang \
-	&& rm -rf /usr/bin/llc \
-	&& ln -s /usr/bin/clang-7 /usr/bin/clang \
-	&& ln -s /usr/bin/llc-7 /usr/bin/llc
+ && rm -rf /usr/bin/llc \
+ && ln -s /usr/bin/clang-7 /usr/bin/clang \
+ && ln -s /usr/bin/llc-7 /usr/bin/llc
 
 RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
-	&& curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
-	&& apt-get update \
-	&& apt-get install -y --no-install-recommends falco \
-	&& apt-get clean \
-	&& rm -rf /var/lib/apt/lists/*
-
-# Change the falco config within the container to enable ISO 8601
-# output.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-	&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
+ && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
+ && apt-get update \
+ && apt-get install -y --no-install-recommends falco \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
 
 # Some base images have an empty /lib/modules by default
 # If it's not empty, docker build will fail instead of
 # silently overwriting the existing directory
 RUN rm -df /lib/modules \
-	&& ln -s $HOST_ROOT/lib/modules /lib/modules
+ && ln -s $SYSDIG_HOST_ROOT/lib/modules /lib/modules
 
 # debian:unstable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -s -o binutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils_2.30-22_amd64.deb \
-	&& curl -s -o libbinutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libbinutils_2.30-22_amd64.deb \
-	&& curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
-	&& curl -s -o binutils-common_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-common_2.30-22_amd64.deb \
-	&& dpkg -i *binutils*.deb \
-	&& rm -f *binutils*.deb
+RUN curl -s -o binutils_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils_2.30-22_amd64.deb \
+ && curl -s -o libbinutils_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/libbinutils_2.30-22_amd64.deb \
+ && curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+ && curl -s -o binutils-common_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils-common_2.30-22_amd64.deb \
+ && dpkg -i *binutils*.deb
 
 COPY ./docker-entrypoint.sh /
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
 
-CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]
+CMD ["/usr/bin/falco"]

docker/dev/docker-entrypoint.sh

@@ -1,7 +1,8 @@
-#!/usr/bin/env bash
+#!/bin/bash
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
 #
+# This file is part of falco.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -16,19 +17,19 @@
 # limitations under the License.
 #
 
-# set -e
+#set -e
 
-# Set the SKIP_MODULE_LOAD variable to skip loading the kernel module
+# Set the SYSDIG_SKIP_LOAD variable to skip loading the sysdig kernel module
 
-if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
+if [[ -z "${SYSDIG_SKIP_LOAD}" ]]; then
     echo "* Setting up /usr/src links from host"
 
-    for i in "$HOST_ROOT/usr/src"/*
+    for i in $(ls $SYSDIG_HOST_ROOT/usr/src)
     do
-        ln -s "$i" "/usr/src/$i"
+        ln -s $SYSDIG_HOST_ROOT/usr/src/$i /usr/src/$i
     done
 
     /usr/bin/falco-probe-loader
 fi
 
-exec "$@"
+exec "$@"

docker/event-generator/Dockerfile

@@ -1,10 +1,6 @@
 FROM alpine:latest
-LABEL maintainer="opensource@sysdig.com"
-RUN apk add --no-cache bash g++ curl
+RUN apk add --no-cache bash g++
 COPY ./event_generator.cpp /usr/local/bin
-COPY ./docker-entrypoint.sh ./k8s_event_generator.sh /
-COPY ./yaml /yaml
 RUN mkdir -p /var/lib/rpm
 RUN g++ --std=c++0x /usr/local/bin/event_generator.cpp -o /usr/local/bin/event_generator
-RUN curl -o /usr/local/bin/kubectl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl && chmod +x /usr/local/bin/kubectl
-ENTRYPOINT ["/docker-entrypoint.sh"]
+CMD ["/usr/local/bin/event_generator"]

docker/event-generator/Makefile

@@ -1,6 +1,7 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
 #
+# This file is part of falco .
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

docker/event-generator/docker-entrypoint.sh

@@ -1,21 +0,0 @@
-#!/bin/bash
-
-CMD=${1:-syscall}
-
-shift
-
-set -euo pipefail
-
-if [[ "$CMD" == "syscall" ]]; then
-    /usr/local/bin/event_generator
-elif [[ "$CMD" == "k8s_audit" ]]; then
-    . k8s_event_generator.sh
-elif [[ "$CMD" == "bash" ]]; then
-    bash
-else
-    echo "Unknown command. Can be one of"
-    echo "   \"syscall\": generate falco syscall-related activity"
-    echo "   \"k8s_audit\": generate falco k8s audit-related activity"
-    echo "   \"bash\": spawn a shell"
-    exit 1
-fi

docker/event-generator/event_generator.cpp

@@ -1,5 +1,7 @@
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+
+This file is part of falco.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -12,6 +14,7 @@ distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
+
 */
 
 #include <cstdio>
@@ -25,7 +28,7 @@ limitations under the License.
 #include <cstdlib>
 #include <unistd.h>
 #include <getopt.h>
-#include <errno.h>
+#include <sys/errno.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/wait.h>
@@ -88,6 +91,7 @@ void open_file(const char *filename, const char *flags)
 	{
 		fprintf(stderr, "Could not open %s for writing: %s\n", filename, strerror(errno));
 	}
+
 }
 
 void exfiltration()
@@ -106,7 +110,7 @@ void exfiltration()
 
 	string line;
 	string shadow_contents;
-	while(getline(shadow, line))
+	while (getline(shadow, line))
 	{
 		shadow_contents += line;
 		shadow_contents += "\n";
@@ -121,13 +125,13 @@ void exfiltration()
 	dest.sin_port = htons(8197);
 	inet_aton("10.5.2.6", &(dest.sin_addr));
 
-	if((rc = connect(sock, (struct sockaddr *)&dest, sizeof(dest))) != 0)
+	if((rc = connect(sock, (struct sockaddr *) &dest, sizeof(dest))) != 0)
 	{
 		fprintf(stderr, "Could not bind listening socket to dest: %s\n", strerror(errno));
 		return;
 	}
 
-	if((sent = send(sock, shadow_contents.c_str(), shadow_contents.size(), 0)) != shadow_contents.size())
+	if ((sent = send(sock, shadow_contents.c_str(), shadow_contents.size(), 0)) != shadow_contents.size())
 	{
 		fprintf(stderr, "Could not send shadow contents via udp datagram: %s\n", strerror(errno));
 		return;
@@ -146,7 +150,7 @@ void read(const char *filename)
 	open_file(filename, "r");
 }
 
-void become_user(const char *user)
+uid_t become_user(const char *user)
 {
 	struct passwd *pw;
 	pw = getpwnam(user);
@@ -170,7 +174,7 @@ void spawn(const char *cmd, char **argv, char **env)
 	pid_t child;
 
 	// Fork a process, that way proc.duration is reset
-	if((child = fork()) == 0)
+	if ((child = fork()) == 0)
 	{
 		execve(cmd, argv, env);
 		fprintf(stderr, "Could not exec to spawn %s: %s\n", cmd, strerror(errno));
@@ -184,97 +188,86 @@ void spawn(const char *cmd, char **argv, char **env)
 
 void respawn(const char *cmd, const char *action, const char *interval)
 {
-	char *argv[] = {(char *)cmd,
-			(char *)"--action", (char *)action,
-			(char *)"--interval", (char *)interval,
-			(char *)"--once", NULL};
+	char *argv[] = {(char *) cmd,
+			(char *) "--action", (char *) action,
+			(char *) "--interval", (char *) interval,
+			(char *) "--once", NULL};
 
 	char *env[] = {NULL};
 
 	spawn(cmd, argv, env);
 }
 
-void write_binary_dir()
-{
+void write_binary_dir() {
 	printf("Writing to /bin/created-by-event-generator-sh...\n");
 	touch("/bin/created-by-event-generator-sh");
 }
 
-void write_etc()
-{
+void write_etc() {
 	printf("Writing to /etc/created-by-event-generator-sh...\n");
 	touch("/etc/created-by-event-generator-sh");
 }
 
-void read_sensitive_file()
-{
+void read_sensitive_file() {
 	printf("Reading /etc/shadow...\n");
 	read("/etc/shadow");
 }
 
-void read_sensitive_file_after_startup()
-{
+void read_sensitive_file_after_startup() {
 	printf("Becoming the program \"httpd\", sleeping 6 seconds and reading /etc/shadow...\n");
 	respawn("./httpd", "read_sensitive_file", "6");
 }
 
-void write_rpm_database()
-{
+void write_rpm_database() {
 	printf("Writing to /var/lib/rpm/created-by-event-generator-sh...\n");
 	touch("/var/lib/rpm/created-by-event-generator-sh");
 }
 
-void spawn_shell()
-{
+void spawn_shell() {
 	printf("Spawning a shell to run \"ls > /dev/null\" using system()...\n");
 	int rc;
 
-	if((rc = system("ls > /dev/null")) != 0)
+	if ((rc = system("ls > /dev/null")) != 0)
 	{
 		fprintf(stderr, "Could not run ls > /dev/null in a shell: %s\n", strerror(errno));
 	}
 }
 
-void spawn_shell_under_httpd()
-{
+void spawn_shell_under_httpd() {
 	printf("Becoming the program \"httpd\" and then spawning a shell\n");
 	respawn("./httpd", "spawn_shell", "0");
 }
 
-void db_program_spawn_process()
-{
+void db_program_spawn_process() {
 	printf("Becoming the program \"mysql\" and then running ls\n");
 	respawn("./mysqld", "exec_ls", "0");
 }
 
-void modify_binary_dirs()
-{
+void modify_binary_dirs() {
 	printf("Moving /bin/true to /bin/true.event-generator-sh and back...\n");
 
-	if(rename("/bin/true", "/bin/true.event-generator-sh") != 0)
+	if (rename("/bin/true", "/bin/true.event-generator-sh") != 0)
 	{
 		fprintf(stderr, "Could not rename \"/bin/true\" to \"/bin/true.event-generator-sh\": %s\n", strerror(errno));
 	}
 	else
 	{
-		if(rename("/bin/true.event-generator-sh", "/bin/true") != 0)
+		if (rename("/bin/true.event-generator-sh", "/bin/true") != 0)
 		{
 			fprintf(stderr, "Could not rename \"/bin/true.event-generator-sh\" to \"/bin/true\": %s\n", strerror(errno));
 		}
 	}
 }
 
-void mkdir_binary_dirs()
-{
+void mkdir_binary_dirs() {
 	printf("Creating directory /bin/directory-created-by-event-generator-sh...\n");
-	if(mkdir("/bin/directory-created-by-event-generator-sh", 0644) != 0)
+	if (mkdir("/bin/directory-created-by-event-generator-sh", 0644) != 0)
 	{
 		fprintf(stderr, "Could not create directory \"/bin/directory-created-by-event-generator-sh\": %s\n", strerror(errno));
 	}
 }
 
-void change_thread_namespace()
-{
+void change_thread_namespace() {
 	printf("Calling setns() to change namespaces...\n");
 	printf("NOTE: does not result in a falco notification in containers, unless container run with --privileged or --security-opt seccomp=unconfined\n");
 	// It doesn't matter that the arguments to setns are
@@ -283,13 +276,12 @@ void change_thread_namespace()
 	setns(0, 0);
 }
 
-void system_user_interactive()
-{
+void system_user_interactive() {
 	pid_t child;
 
 	printf("Forking a child that becomes user=daemon and then tries to run /bin/login...\n");
 	// Fork a child and do everything in the child.
-	if((child = fork()) == 0)
+	if ((child = fork()) == 0)
 	{
 		become_user("daemon");
 		char *argv[] = {(char *)"/bin/login", NULL};
@@ -304,8 +296,7 @@ void system_user_interactive()
 	}
 }
 
-void network_activity()
-{
+void network_activity() {
 	printf("Connecting a udp socket to 10.2.3.4:8192...\n");
 	int rc;
 	int sock = socket(PF_INET, SOCK_DGRAM, 0);
@@ -315,7 +306,7 @@ void network_activity()
 	localhost.sin_port = htons(8192);
 	inet_aton("10.2.3.4", &(localhost.sin_addr));
 
-	if((rc = connect(sock, (struct sockaddr *)&localhost, sizeof(localhost))) != 0)
+	if((rc = connect(sock, (struct sockaddr *) &localhost, sizeof(localhost))) != 0)
 	{
 		fprintf(stderr, "Could not bind listening socket to localhost: %s\n", strerror(errno));
 		return;
@@ -324,20 +315,18 @@ void network_activity()
 	close(sock);
 }
 
-void system_procs_network_activity()
-{
+void system_procs_network_activity() {
 	printf("Becoming the program \"sha1sum\" and then performing network activity\n");
 	respawn("./sha1sum", "network_activity", "0");
 }
 
-void non_sudo_setuid()
-{
+void non_sudo_setuid() {
 	pid_t child;
 
 	printf("Forking a child that becomes \"daemon\" user and then \"root\"...\n");
 
 	// Fork a child and do everything in the child.
-	if((child = fork()) == 0)
+	if ((child = fork()) == 0)
 	{
 		// First setuid to something non-root. Then try to setuid back to root.
 		become_user("daemon");
@@ -351,8 +340,7 @@ void non_sudo_setuid()
 	}
 }
 
-void create_files_below_dev()
-{
+void create_files_below_dev() {
 	printf("Creating /dev/created-by-event-generator-sh...\n");
 	touch("/dev/created-by-event-generator-sh");
 }
@@ -364,8 +352,7 @@ void exec_ls()
 	spawn("/bin/ls", argv, env);
 }
 
-void user_mgmt_binaries()
-{
+void user_mgmt_binaries() {
 	printf("Becoming the program \"vipw\" and then running the program /bin/ls\n");
 	printf("NOTE: does not result in a falco notification in containers\n");
 	respawn("./vipw", "exec_ls", "0");
@@ -406,11 +393,11 @@ void create_symlinks(const char *program)
 	// sets up all the required symlinks.
 	const char *progs[] = {"./httpd", "./mysqld", "./sha1sum", "./vipw", NULL};
 
-	for(unsigned int i = 0; progs[i] != NULL; i++)
+	for (unsigned int i=0; progs[i] != NULL; i++)
 	{
 		unlink(progs[i]);
 
-		if((rc = symlink(program, progs[i])) != 0)
+		if ((rc = symlink(program, progs[i])) != 0)
 		{
 			fprintf(stderr, "Could not link \"./event_generator\" to \"%s\": %s\n", progs[i], strerror(errno));
 		}
@@ -419,9 +406,9 @@ void create_symlinks(const char *program)
 
 void run_actions(map<string, action_t> &actions, int interval, bool once)
 {
-	while(true)
+	while (true)
 	{
-		for(auto action : actions)
+		for (auto action : actions)
 		{
 			printf("***Action %s\n", action.first.c_str());
 			action.second();
@@ -444,13 +431,14 @@ int main(int argc, char **argv)
 	map<string, action_t>::iterator it;
 
 	static struct option long_options[] =
-		{
-			{"help", no_argument, 0, 'h'},
-			{"action", required_argument, 0, 'a'},
-			{"interval", required_argument, 0, 'i'},
-			{"once", no_argument, 0, 'o'},
+	{
+		{"help", no_argument, 0, 'h' },
+		{"action", required_argument, 0, 'a' },
+		{"interval", required_argument, 0, 'i' },
+		{"once", no_argument, 0, 'o' },
 
-			{0, 0}};
+		{0, 0}
+	};
 
 	//
 	// Parse the args
@@ -466,7 +454,7 @@ int main(int argc, char **argv)
 			exit(1);
 		case 'a':
 			// "all" is already implied
-			if(strcmp(optarg, "all") != 0)
+			if (strcmp(optarg, "all") != 0)
 			{
 				if((it = defined_actions.find(optarg)) == defined_actions.end())
 				{
@@ -489,8 +477,8 @@ int main(int argc, char **argv)
 	}
 
 	//
-	// Also look for actions in the environment. If specified, they
-	// override any specified on the command line.
+        // Also look for actions in the environment. If specified, they
+        // override any specified on the command line.
 	//
 	char *env_action = getenv("EVENT_GENERATOR_ACTIONS");
 
@@ -501,7 +489,7 @@ int main(int argc, char **argv)
 		string envs(env_action);
 		istringstream ss(envs);
 		string item;
-		while(std::getline(ss, item, ':'))
+		while (std::getline(ss, item, ':'))
 		{
 			if((it = defined_actions.find(item)) == defined_actions.end())
 			{
@@ -526,7 +514,7 @@ int main(int argc, char **argv)
 	setvbuf(stdout, NULL, _IONBF, 0);
 	setvbuf(stderr, NULL, _IONBF, 0);
 	// Only create symlinks when running as the program event_generator
-	if(strstr(argv[0], "generator"))
+	if (strstr(argv[0], "generator"))
 	{
 		create_symlinks(argv[0]);
 	}

docker/event-generator/k8s_event_generator.sh

@@ -1,57 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-# You can pass a specific falco rule name and only yaml files matching
-# that rule will be considered. The default is "all", meaning all yaml
-# files will be applied.
-
-RULE=${1:-all}
-
-# Replace any '/' in RULES with a '.' and any space with a dash. (K8s
-# label values can not contain slashes/spaces)
-RULE=$(echo "$RULE" | tr '/ ' '.-')
-
-echo "***Testing kubectl configuration..."
-kubectl version --short
-
-while true; do
-
-    RET=$(kubectl get namespaces --output=name | grep falco-event-generator || true)
-
-    if [[ "$RET" == *falco-event-generator* ]]; then
-	echo "***Deleting existing falco-event-generator namespace..."
-	kubectl delete namespace falco-event-generator
-    fi
-
-    echo "***Creating falco-event-generator namespace..."
-    kubectl create namespace falco-event-generator
-
-    for file in yaml/*.yaml; do
-
-	MATCH=0
-	if [[ "${RULE}" == "all" ]]; then
-	    MATCH=1
-	else
-	    RET=$(grep -E "falco.rules:.*${RULE}" $file || true)
-	    if [[ "$RET" != "" ]]; then
-		MATCH=1
-	    fi
-	fi
-
-	if [[ $MATCH == 1 ]]; then
-	    MESSAGES=$(grep -E 'message' $file | cut -d: -f2 | tr '\n' ',')
-	    RULES=$(grep -E 'falco.rules' $file | cut -d: -f2 | tr '\n' ',')
-
-	    # The message uses dashes in place of spaces, convert them back to spaces
-	    MESSAGES=$(echo "$MESSAGES" | tr '-' ' ' | sed -e 's/ *//' | sed  -e 's/,$//')
-	    RULES=$(echo "$RULES" | tr '-' ' '| tr '.' '/' | sed -e 's/ *//' | sed  -e 's/,$//')
-
-	    echo "***$MESSAGES (Rule(s) $RULES)..."
-	    kubectl apply -f $file
-	    sleep 2
-	fi
-    done
-
-    sleep 10
-done

docker/event-generator/yaml/configmap-private-creds.yaml

@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: private-creds-configmap
-  namespace: falco-event-generator
-  labels:
-    app.kubernetes.io/name: private-creds-configmap
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: Create.Modify-Configmap-With-Private-Credentials
-    message: Creating-configmap-with-private-credentials
-data:
-  ui.properties: |
-    color.good=purple
-    color.bad=yellow
-    allow.textmode=true
-    password=some_secret_password

docker/event-generator/yaml/disallowed-pod-deployment.yaml

@@ -1,25 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: disallowed-pod-deployment
-  namespace: falco-event-generator
-  labels:
-    app.kubernetes.io/name: disallowed-pod-deployment
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: Create-Disallowed-Pod
-    message: Creating-pod-with-image-outside-of-allowed-images
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: disallowed-pod-busybox
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: disallowed-pod-busybox
-        app.kubernetes.io/part-of: falco-event-generator
-    spec:
-      containers:
-        - name: busybox
-          image: busybox
-          command: ["/bin/sh", "-c", "while true; do echo sleeping; sleep 3600; done"]

docker/event-generator/yaml/hostnetwork-deployment.yaml

@@ -1,26 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: hostnetwork-deployment
-  namespace: falco-event-generator
-  labels:
-    app.kubernetes.io/name: hostnetwork-deployment
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: Create-HostNetwork-Pod
-    message: Creating-deployment-with-hostNetwork-true-pod
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: hostnetwork-busybox
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: hostnetwork-busybox
-        app.kubernetes.io/part-of: falco-event-generator
-    spec:
-      hostNetwork: true
-      containers:
-        - name: busybox
-          image: busybox
-          command: ["/bin/sh", "-c", "while true; do echo sleeping; sleep 3600; done"]

docker/event-generator/yaml/nodeport-service.yaml

@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: nodeport-service
-  namespace: falco-event-generator
-  labels:
-    app.kubernetes.io/name: nodeport-service
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: Create-NodePort-Service
-    message: Creating-service-of-type-NodePort
-spec:
-  type: NodePort
-  ports:
-    - port: 80
-  selector:
-    app: busybox

docker/event-generator/yaml/privileged-deployment.yaml

@@ -1,27 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: privileged-deployment
-  namespace: falco-event-generator
-  labels:
-    app.kubernetes.io/name: privileged-deployment
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: Create-Privileged-Pod
-    message: Creating-deployment-with-privileged-true-pod
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: privileged-busybox
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: privileged-busybox
-        app.kubernetes.io/part-of: falco-event-generator
-    spec:
-      containers:
-        - securityContext:
-            privileged: true
-          name: busybox
-          image: busybox
-          command: ["/bin/sh", "-c", "while true; do echo sleeping; sleep 3600; done"]

docker/event-generator/yaml/role-pod-exec.yaml

@@ -1,17 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: pod-exec-role
-  namespace: falco-event-generator
-  labels:
-    app.kubernetes.io/name: pod-exec-role
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: ClusterRole-With-Pod-Exec-Created
-    message: Creating-role-that-can-exec-to-pods
-rules:
-- apiGroups:
-    - ""
-  resources:
-    - "pods/exec"
-  verbs:
-    - get

docker/event-generator/yaml/role-wildcard-resources.yaml

@@ -1,17 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: wildcard-resources-role
-  namespace: falco-event-generator
-  labels:
-    app.kubernetes.io/name: wildcard-resources-role
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: ClusterRole-With-Write-Privileges-Created
-    message: Creating-role-with-wildcard-resources
-rules:
-- apiGroups:
-    - ""
-  resources:
-    - "*"
-  verbs:
-    - get

docker/event-generator/yaml/role-write-privileges.yaml

@@ -1,17 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: write-privileges-role
-  namespace: falco-event-generator
-  labels:
-    app.kubernetes.io/name: write-privileges-role
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: ClusterRole-With-Write-Privileges-Created
-    message: Creating-role-with-write-privileges
-rules:
-- apiGroups:
-    - ""
-  resources:
-    - "pods"
-  verbs:
-    - create

docker/event-generator/yaml/sensitive-mount-deployment.yaml

@@ -1,32 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: sensitive-mount-deployment
-  namespace: falco-event-generator
-  labels:
-    app.kubernetes.io/name: sensitive-mount-deployment
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: Create-Sensitive-Mount-Pod
-    message: Creating-deployment-with-pod-mounting-sensitive-path-from-host
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: sensitive-mount-busybox
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: sensitive-mount-busybox
-        app.kubernetes.io/part-of: falco-event-generator
-    spec:
-      containers:
-        - name: busybox
-          image: busybox
-          command: ["/bin/sh", "-c", "while true; do echo sleeping; sleep 3600; done"]
-          volumeMounts:
-            - mountPath: /host/etc
-              name: etc
-      volumes:
-        - name: etc
-          hostPath:
-            path: /etc

docker/event-generator/yaml/vanilla-configmap.yaml

@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: vanilla-configmap
-  namespace: falco-event-generator
-  labels:
-    app.kubernetes.io/name: vanilla-configmap
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: K8s-ConfigMap-Created
-    message: Creating-configmap
-data:
-  ui.properties: |
-    color.good=purple
-    color.bad=yellow
-    allow.textmode=true

docker/event-generator/yaml/vanilla-deployment.yaml

@@ -1,25 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: vanilla-deployment
-  namespace: falco-event-generator
-  labels:
-    app.kubernetes.io/name: vanilla-deployment
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: K8s-Deployment-Created
-    message: Creating-deployment
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: vanilla-busybox
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: vanilla-busybox
-        app.kubernetes.io/part-of: falco-event-generator
-    spec:
-      containers:
-        - name: busybox
-          image: busybox
-          command: ["/bin/sh", "-c", "while true; do echo sleeping; sleep 3600; done"]

docker/event-generator/yaml/vanilla-role-rolebinding-serviceaccount.yaml

@@ -1,46 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: vanilla-role
-  namespace: falco-event-generator
-  labels:
-    app.kubernetes.io/name: vanilla-role
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: K8s-Role.Clusterrole-Created
-    message: Creating-role
-rules:
-- apiGroups:
-    - ""
-  resources:
-    - "pods"
-  verbs:
-    - list
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: vanilla-role-binding
-  namespace: falco-event-generator
-  labels:
-    app.kubernetes.io/name: vanilla-role-binding
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: K8s-Role.Clusterrolebinding-Created
-    message: Creating-rolebinding
-roleRef:
-  kind: Role
-  name: vanilla-role
-  apiGroup: rbac.authorization.k8s.io
-subjects:
-  - kind: ServiceAccount
-    name: vanilla-service-account
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: vanilla-serviceaccount
-  namespace: falco-event-generator
-  labels:
-    app.kubernetes.io/name: vanilla-serviceaccount
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: K8s-Serviceaccount-Created
-    message: Creating-serviceaccount

docker/event-generator/yaml/vanilla-service.yaml

@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: vanilla-service
-  namespace: falco-event-generator
-  labels:
-    app.kubernetes.io/name: vanilla-service
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: K8s-Service-Created
-    message: Creating-service
-spec:
-  type: ClusterIP
-  ports:
-    - port: 80
-  selector:
-    app: busybox

docker/kernel/linuxkit/Dockerfile

@@ -1,38 +0,0 @@
-ARG ALPINE_VERSION=3.10
-ARG KERNEL_VERSION=4.9.184
-ARG FALCO_VERSION=0.19.0
-
-FROM linuxkit/kernel:${KERNEL_VERSION} AS ksrc
-FROM falcosecurity/falco:${FALCO_VERSION}-minimal as falco
-FROM alpine:${ALPINE_VERSION} AS probe-build
-LABEL maintainer="opensource@sysdig.com"
-ARG KERNEL_VERSION=4.9.184
-ARG FALCO_VERSION=0.19.0
-ENV FALCO_VERSION=${FALCO_VERSION}
-ENV KERNEL_VERSION=${KERNEL_VERSION}
-
-COPY --from=ksrc /kernel-dev.tar /
-COPY --from=falco /usr/src/falco-${FALCO_VERSION} /usr/src/falco-${FALCO_VERSION}
-
-RUN apk add --no-cache --update \
-  build-base gcc abuild binutils \
-  bc \
-  autoconf && \
-  export KERNELVER=`uname -r  | cut -d '-' -f 1`  && \
-  export KERNELDIR=/usr/src/linux-headers-${KERNEL_VERSION}-linuxkit/ && \
-  tar xf /kernel-dev.tar && \
-  cd $KERNELDIR && \
-  zcat /proc/1/root/proc/config.gz > .config && \
-  make olddefconfig && \
-  cd /usr/src/falco-${FALCO_VERSION} && \
-  make && \
-  apk del \
-  build-base gcc abuild binutils \
-  bc \
-  autoconf
-
-FROM alpine:${ALPINE_VERSION}
-ARG FALCO_VERSION=0.19.0
-ENV FALCO_VERSION=${FALCO_VERSION}
-COPY --from=probe-build /usr/src/falco-${FALCO_VERSION}/falco-probe.ko /
-CMD ["insmod","/falco-probe.ko"]

docker/kernel/probeloader/Dockerfile

@@ -1,18 +0,0 @@
-FROM golang:1.13-alpine AS build
-ARG FALCOCTL_REF=2be3df92edbac668284fe5c165ccb5bd6bf4e869
-
-RUN apk --no-cache add build-base git gcc ca-certificates
-
-RUN git clone https://github.com/falcosecurity/falcoctl.git /falcoctl
-
-WORKDIR /falcoctl
-
-RUN git checkout ${FALCOCTL_REF}
-RUN go mod vendor
-RUN CGO_ENABLED=0 GOOS=linux go build -a -o falcoctl -ldflags '-extldflags "-static"' .
-
-FROM scratch
-LABEL maintainer="opensource@sysdig.com"
-COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
-COPY --from=build /falcoctl/falcoctl /falcoctl
-CMD ["/falcoctl", "install", "probe"]

docker/local/CMakeLists.txt

@@ -1,17 +0,0 @@
-add_subdirectory(traces)
-add_subdirectory(rules)
-
-add_custom_target(local-Dockerfile ALL
-	DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/Dockerfile)
-
-add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/Dockerfile
-	COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_SOURCE_DIR}/Dockerfile ${CMAKE_CURRENT_BINARY_DIR}/Dockerfile
-	DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/Dockerfile)
-
-add_custom_target(local-docker-entrypoint ALL
-	DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/docker-entrypoint)
-
-add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/docker-entrypoint
-	COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_SOURCE_DIR}/docker-entrypoint.sh ${CMAKE_CURRENT_BINARY_DIR}/docker-entrypoint.sh
-	DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/docker-entrypoint.sh)
-

docker/local/Dockerfile

@@ -1,13 +1,12 @@
 FROM debian:unstable
 
-LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
-LABEL maintainer="opensource@sysdig.com"
+LABEL maintainer="Sysdig <support@sysdig.com>"
 
-ARG FALCO_VERSION=
-RUN test -n FALCO_VERSION
-ENV FALCO_VERSION ${FALCO_VERSION}
+ENV FALCO_VERSION 0.1.1dev
 
-ENV HOST_ROOT /host
+LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+
+ENV SYSDIG_HOST_ROOT /host
 
 ENV HOME /root
 
@@ -16,104 +15,51 @@ RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
 
 RUN apt-get update \
-    && apt-get install -y --no-install-recommends \
-    bash-completion \
-    bc \
-    clang-7 \
-    ca-certificates \
-    curl \
-    dkms \
-    gnupg2 \
-    gcc \
-    jq \
-    libc6-dev \
-    libelf-dev \
-    libyaml-0-2 \
-    llvm-7 \
-    netcat \
-    xz-utils \
-    libmpc3 \
-    binutils \
-    libgomp1 \
-    libitm1 \
-    libatomic1 \
-    liblsan0 \
-    libtsan0 \
-    libmpx2 \
-    libquadmath0 \
-    libcc1-0 \
-    && rm -rf /var/lib/apt/lists/*
-
-# gcc 6 is no longer included in debian unstable, but we need it to
-# build kernel modules on the default debian-based ami used by
-# kops. So grab copies we've saved from debian snapshots with the
-# prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
-# or so.
-
-RUN curl -o cpp-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/cpp-6_6.3.0-18_amd64.deb \
-    && curl -o gcc-6-base_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6-base_6.3.0-18_amd64.deb \
-    && curl -o gcc-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6_6.3.0-18_amd64.deb \
-    && curl -o libasan3_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libasan3_6.3.0-18_amd64.deb \
-    && curl -o libcilkrts5_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libcilkrts5_6.3.0-18_amd64.deb \
-    && curl -o libgcc-6-dev_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libgcc-6-dev_6.3.0-18_amd64.deb \
-    && curl -o libubsan0_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libubsan0_6.3.0-18_amd64.deb \
-    && curl -o libmpfr4_3.1.3-2_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libmpfr4_3.1.3-2_amd64.deb \
-    && curl -o libisl15_0.18-1_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libisl15_0.18-1_amd64.deb \
-    && dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
-    && rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
-
-# gcc 5 is no longer included in debian unstable, but we need it to
-# build centos kernels, which are 3.x based and explicitly want a gcc
-# version 3, 4, or 5 compiler. So grab copies we've saved from debian
-# snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
-
-RUN curl -o cpp-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/cpp-5_5.5.0-12_amd64.deb \
-    && curl -o gcc-5-base_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
-    && curl -o gcc-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5_5.5.0-12_amd64.deb \
-    && curl -o libasan2_5.5.0-12_amd64.deb	https://s3.amazonaws.com/download.draios.com/dependencies/libasan2_5.5.0-12_amd64.deb \
-    && curl -o libgcc-5-dev_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
-    && curl -o libisl15_0.18-4_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libisl15_0.18-4_amd64.deb \
-    && curl -o libmpx0_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libmpx0_5.5.0-12_amd64.deb \
-    && dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
-    && rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
+ && apt-get install -y --no-install-recommends \
+	bash-completion \
+	bc \
+	clang-7 \
+	ca-certificates \
+	curl \
+	dkms \
+	gnupg2 \
+	gcc \
+	gcc-5 \
+	gcc-6 \
+	jq \
+	libc6-dev \
+	libelf-dev \
+	llvm-7 \
+	netcat \
+	xz-utils \
+ && rm -rf /var/lib/apt/lists/*
 
 # Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
 # default to gcc-5.
 RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc
 
 RUN rm -rf /usr/bin/clang \
-    && rm -rf /usr/bin/llc \
-    && ln -s /usr/bin/clang-7 /usr/bin/clang \
-    && ln -s /usr/bin/llc-7 /usr/bin/llc
+ && rm -rf /usr/bin/llc \
+ && ln -s /usr/bin/clang-7 /usr/bin/clang \
+ && ln -s /usr/bin/llc-7 /usr/bin/llc
 
 # Some base images have an empty /lib/modules by default
 # If it's not empty, docker build will fail instead of
 # silently overwriting the existing directory
 RUN rm -df /lib/modules \
-    && ln -s $HOST_ROOT/lib/modules /lib/modules
+ && ln -s $SYSDIG_HOST_ROOT/lib/modules /lib/modules
 
 ADD falco-${FALCO_VERSION}-x86_64.deb /
 RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
 
-# Change the falco config within the container to enable ISO 8601
-# output.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-    && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
-
 # debian:unstable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -s -o binutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils_2.30-22_amd64.deb \
-    && curl -s -o libbinutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libbinutils_2.30-22_amd64.deb \
-    && curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
-    && curl -s -o binutils-common_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-common_2.30-22_amd64.deb \
-    && dpkg -i *binutils*.deb \
-    && rm -f *binutils*.deb
-
-# The local container also copies some test trace files and
-# corresponding rules that are used when running regression tests.
-COPY rules/*.yaml /rules/
-COPY traces/*.scap /traces/
+RUN curl -s -o binutils_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils_2.30-22_amd64.deb \
+ && curl -s -o libbinutils_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/libbinutils_2.30-22_amd64.deb \
+ && curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+ && curl -s -o binutils-common_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils-common_2.30-22_amd64.deb \
+ && dpkg -i *binutils*.deb
 
 COPY ./docker-entrypoint.sh /
 

docker/local/docker-entrypoint.sh

@@ -1,7 +1,8 @@
-#!/usr/bin/env bash
+#!/bin/bash
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
 #
+# This file is part of falco.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -16,19 +17,19 @@
 # limitations under the License.
 #
 
-# set -e
+#set -e
 
-# Set the SKIP_MODULE_LOAD variable to skip loading the kernel module
+# Set the SYSDIG_SKIP_LOAD variable to skip loading the sysdig kernel module
 
-if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
+if [[ -z "${SYSDIG_SKIP_LOAD}" ]]; then
     echo "* Setting up /usr/src links from host"
 
-    for i in "$HOST_ROOT/usr/src"/*
+    for i in $(ls $SYSDIG_HOST_ROOT/usr/src)
     do
-        ln -s "$i" "/usr/src/$i"
+        ln -s $SYSDIG_HOST_ROOT/usr/src/$i /usr/src/$i
     done
 
     /usr/bin/falco-probe-loader
 fi
 
-exec "$@"
+exec "$@"

docker/local/rules/CMakeLists.txt

@@ -1,13 +0,0 @@
-# Note: list of rules is created at cmake time, not build time
-file(GLOB test_rule_files
-	"${CMAKE_CURRENT_SOURCE_DIR}/../../../test/rules/*.yaml")
-
-foreach(rule_file_path ${test_rule_files})
-	get_filename_component(rule_file ${rule_file_path} NAME)
-	add_custom_target(docker-local-rule-${rule_file} ALL
-		DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${rule_file})
-	add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${rule_file}
-		COMMAND ${CMAKE_COMMAND} -E copy ${rule_file_path} ${CMAKE_CURRENT_BINARY_DIR}/${rule_file}
-		DEPENDS ${rule_file_path})
-endforeach()
-

docker/local/traces/CMakeLists.txt

@@ -1,13 +0,0 @@
-# Note: list of traces is created at cmake time, not build time
-file(GLOB test_trace_files
-	"${CMAKE_CURRENT_SOURCE_DIR}/../../../test/trace_files/*.scap")
-
-foreach(trace_file_path ${test_trace_files})
-	get_filename_component(trace_file ${trace_file_path} NAME)
-	add_custom_target(docker-local-trace-${trace_file} ALL
-		DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${trace_file})
-	add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
-		COMMAND ${CMAKE_COMMAND} -E copy ${trace_file_path} ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
-		DEPENDS ${trace_file_path})
-endforeach()
-

docker/minimal/Dockerfile

@@ -1,58 +0,0 @@
-FROM ubuntu:18.04 as ubuntu
-
-LABEL maintainer="opensource@sysdig.com"
-
-ARG FALCO_VERSION=0.19.0
-
-ENV FALCO_VERSION=${FALCO_VERSION}
-
-WORKDIR /
-
-ADD https://s3.amazonaws.com/download.draios.com/stable/tgz/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz /
-
-# ADD will download from URL and unntar
-RUN apt-get update && \
-    apt-get install -y libyaml-0-2 binutils && \
-    # curl -O https://s3.amazonaws.com/download.draios.com/stable/tgz/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz && \
-    tar xfzv falco-${FALCO_VERSION}-x86_64.tar.gz && \
-    rm -f falco-${FALCO_VERSION}-x86_64.tar.gz && \
-    mv falco-${FALCO_VERSION}-x86_64 falco && \
-    strip falco/usr/bin/falco && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/*
-
-FROM scratch
-
-COPY --from=ubuntu /lib/x86_64-linux-gnu/libanl.so.1 \
-    /lib/x86_64-linux-gnu/libc.so.6 \
-    /lib/x86_64-linux-gnu/libdl.so.2 \
-    /lib/x86_64-linux-gnu/libgcc_s.so.1 \
-    /lib/x86_64-linux-gnu/libm.so.6 \
-    /lib/x86_64-linux-gnu/libnsl.so.1 \
-    /lib/x86_64-linux-gnu/libnss_compat.so.2 \
-    /lib/x86_64-linux-gnu/libnss_files.so.2 \
-    /lib/x86_64-linux-gnu/libnss_nis.so.2 \
-    /lib/x86_64-linux-gnu/libpthread.so.0 \
-    /lib/x86_64-linux-gnu/librt.so.1 \
-    /lib/x86_64-linux-gnu/libz.so.1 \
-    /lib/x86_64-linux-gnu/
-
-COPY --from=ubuntu /usr/lib/x86_64-linux-gnu/libstdc++.so.6 \
-    /usr/lib/x86_64-linux-gnu/libstdc++.so.6
-
-COPY --from=ubuntu /usr/lib/x86_64-linux-gnu/libyaml-0.so.2.0.5 \
-    /usr/lib/x86_64-linux-gnu/libyaml-0.so.2
-
-COPY --from=ubuntu /etc/ld.so.cache \
-    /etc/nsswitch.conf \
-    /etc/ld.so.cache \
-    /etc/passwd \
-    /etc/group \
-    /etc/
-
-COPY --from=ubuntu /etc/default/nss /etc/default/nss
-COPY --from=ubuntu /lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2
-
-COPY --from=ubuntu /falco /
-
-CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/rhel/Dockerfile

@@ -1,38 +0,0 @@
-FROM registry.access.redhat.com/rhel7
-
-LABEL maintainer="opensource@sysdig.com"
-
-### Atomic/OpenShift Labels - https://github.com/projectatomic/ContainerApplicationGenericLabels
-LABEL name="falco" \
-    vendor="falcosecurity" \
-    url="http://falco.org/" \
-    summary="Container native runtime security" \
-    description="Falco is an open source project for intrusion and abnormality detection for Cloud Native platforms." \
-    run='docker run -d --name falco --restart always --privileged --net host --pid host -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --shm-size=350m registry.connect.redhat.com/sysdig/falco'
-
-COPY help.md /tmp/
-
-ENV HOST_ROOT /host
-ENV HOME /root
-
-ADD http://download.draios.com/stable/rpm/draios.repo /etc/yum.repos.d/draios.repo
-RUN rpm --import https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public && \
-    rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && \
-    yum clean all && \
-    REPOLIST=rhel-7-server-rpms,rhel-7-server-optional-rpms,epel,draios \
-    INSTALL_PKGS="gcc dkms kernel-devel kernel-headers python golang-github-cpuguy83-go-md2man falco" && \
-    yum -y update-minimal --disablerepo "*" --enablerepo ${REPOLIST} --setopt=tsflags=nodocs \
-    --security --sec-severity=Important --sec-severity=Critical && \
-    yum -y install --disablerepo "*" --enablerepo ${REPOLIST} --setopt=tsflags=nodocs ${INSTALL_PKGS} && \
-    ### help file markdown to man conversion
-    go-md2man -in /tmp/help.md -out /help.1 && \
-    ### we delete everything on /usr/src/kernels otherwise it messes up docker-entrypoint.sh
-    rm -fr /usr/src/kernels && \
-    rm -df /lib/modules && ln -s $HOST_ROOT/lib/modules /lib/modules && \
-    yum clean all
-
-COPY ./docker-entrypoint.sh /
-
-ENTRYPOINT ["/docker-entrypoint.sh"]
-
-CMD ["/usr/bin/falco"]

docker/rhel/docker-entrypoint.sh

@@ -1,34 +0,0 @@
-#!/usr/bin/env bash
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# set -e
-
-# Set the SKIP_MODULE_LOAD variable to skip loading the kernel module
-
-if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
-    echo "* Setting up /usr/src links from host"
-
-    for i in "$HOST_ROOT/usr/src"/*
-    do
-        ln -s "$i" "/usr/src/$i"
-    done
-
-    /usr/bin/falco-probe-loader
-fi
-
-exec "$@"

docker/rhel/help.md

@@ -1,15 +0,0 @@
-% falco (1) Container Image Pages
-% Falco Team
-% June, 2017
-
-# NAME
-falco \- Container Native runtime security
-
-# DESCRIPTION
-Falco is an open source project for intrusion and abnormality detection for Cloud Native platforms. See Falco website for more information: http://falco.org/
-
-# EXAMPLE
-    docker run -d --name falco --restart always --privileged --net host --pid host -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --shm-size=350m registry.connect.redhat.com/sysdig/falco
-
-# AUTHORS
-Falco Team

docker/slim-dev/Dockerfile

@@ -1,50 +0,0 @@
-FROM ubuntu:18.04
-
-LABEL maintainer="opensource@sysdig.com"
-
-ENV FALCO_REPOSITORY dev
-
-LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
-
-ENV HOST_ROOT /host
-
-ENV HOME /root
-
-RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
-
-ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
-
-RUN apt-get update \
-  && apt-get install -y --no-install-recommends \
-  # 	bash-completion \
-  # 	bc \
-  ca-certificates \
-  curl \
-  gnupg2 \
-  jq \
-  # 	netcat \
-  # 	xz-utils \
-  && rm -rf /var/lib/apt/lists/*
-
-RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
-  && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
-  && apt-get update \
-  && apt-get install -y --no-install-recommends falco \
-  && apt-get clean \
-  && rm -rf /var/lib/apt/lists/*
-
-# Change the falco config within the container to enable ISO 8601
-# output.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-  && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
-
-# Some base images have an empty /lib/modules by default
-# If it's not empty, docker build will fail instead of
-# silently overwriting the existing directory
-RUN rm -df /lib/modules \
-  && ln -s $HOST_ROOT/lib/modules /lib/modules
-
-#COPY ./entrypoint.sh /
-# ENTRYPOINT ["/entrypoint.sh"]
-
-CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/slim-stable/Dockerfile

@@ -1,50 +0,0 @@
-FROM ubuntu:18.04
-
-LABEL maintainer="opensource@sysdig.com"
-
-ENV FALCO_REPOSITORY stable
-
-LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
-
-ENV HOST_ROOT /host
-
-ENV HOME /root
-
-RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
-
-ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
-
-RUN apt-get update \
-  && apt-get install -y --no-install-recommends \
-  # 	bash-completion \
-  # 	bc \
-  ca-certificates \
-  curl \
-  gnupg2 \
-  jq \
-  # 	netcat \
-  # 	xz-utils \
-  && rm -rf /var/lib/apt/lists/*
-
-RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
-  && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
-  && apt-get update \
-  && apt-get install -y --no-install-recommends falco \
-  && apt-get clean \
-  && rm -rf /var/lib/apt/lists/*
-
-# Change the falco config within the container to enable ISO 8601
-# output.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-  && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
-
-# Some base images have an empty /lib/modules by default
-# If it's not empty, docker build will fail instead of
-# silently overwriting the existing directory
-RUN rm -df /lib/modules \
-  && ln -s $HOST_ROOT/lib/modules /lib/modules
-
-#COPY ./entrypoint.sh /
-# ENTRYPOINT ["/entrypoint.sh"]
-
-CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/stable/Dockerfile

@@ -1,12 +1,12 @@
 FROM debian:unstable
 
-LABEL maintainer="opensource@sysdig.com"
+LABEL maintainer="Sysdig <support@sysdig.com>"
 
 ENV FALCO_REPOSITORY stable
 
 LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
 
-ENV HOST_ROOT /host
+ENV SYSDIG_HOST_ROOT /host
 
 ENV HOME /root
 
@@ -15,7 +15,7 @@ RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
 
 RUN apt-get update \
-	&& apt-get install -y --no-install-recommends \
+ && apt-get install -y --no-install-recommends \
 	bash-completion \
 	bc \
 	clang-7 \
@@ -24,84 +24,46 @@ RUN apt-get update \
 	dkms \
 	gnupg2 \
 	gcc \
+	gcc-5 \
+	gcc-6 \
 	jq \
 	libc6-dev \
 	libelf-dev \
-	libmpx2 \
 	llvm-7 \
 	netcat \
 	xz-utils \
-	&& rm -rf /var/lib/apt/lists/*
-
-# gcc 6 is no longer included in debian unstable, but we need it to
-# build kernel modules on the default debian-based ami used by
-# kops. So grab copies we've saved from debian snapshots with the
-# prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
-# or so.
-
-RUN curl -o cpp-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/cpp-6_6.3.0-18_amd64.deb \
-	&& curl -o gcc-6-base_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6-base_6.3.0-18_amd64.deb \
-	&& curl -o gcc-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6_6.3.0-18_amd64.deb \
-	&& curl -o libasan3_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libasan3_6.3.0-18_amd64.deb \
-	&& curl -o libcilkrts5_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libcilkrts5_6.3.0-18_amd64.deb \
-	&& curl -o libgcc-6-dev_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libgcc-6-dev_6.3.0-18_amd64.deb \
-	&& curl -o libubsan0_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libubsan0_6.3.0-18_amd64.deb \
-	&& curl -o libmpfr4_3.1.3-2_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libmpfr4_3.1.3-2_amd64.deb \
-	&& curl -o libisl15_0.18-1_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libisl15_0.18-1_amd64.deb \
-	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
-	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
-
-# gcc 5 is no longer included in debian unstable, but we need it to
-# build centos kernels, which are 3.x based and explicitly want a gcc
-# version 3, 4, or 5 compiler. So grab copies we've saved from debian
-# snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
-
-RUN curl -o cpp-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/cpp-5_5.5.0-12_amd64.deb \
-	&& curl -o gcc-5-base_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
-	&& curl -o gcc-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5_5.5.0-12_amd64.deb \
-	&& curl -o libasan2_5.5.0-12_amd64.deb	https://s3.amazonaws.com/download.draios.com/dependencies/libasan2_5.5.0-12_amd64.deb \
-	&& curl -o libgcc-5-dev_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
-	&& curl -o libisl15_0.18-4_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libisl15_0.18-4_amd64.deb \
-	&& curl -o libmpx0_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libmpx0_5.5.0-12_amd64.deb \
-	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
-	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
+ && rm -rf /var/lib/apt/lists/*
 
 # Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
 # default to gcc-5.
 RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc
 
 RUN rm -rf /usr/bin/clang \
-	&& rm -rf /usr/bin/llc \
-	&& ln -s /usr/bin/clang-7 /usr/bin/clang \
-	&& ln -s /usr/bin/llc-7 /usr/bin/llc
+ && rm -rf /usr/bin/llc \
+ && ln -s /usr/bin/clang-7 /usr/bin/clang \
+ && ln -s /usr/bin/llc-7 /usr/bin/llc
 
 RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
-	&& curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
-	&& apt-get update \
-	&& apt-get install -y --no-install-recommends falco \
-	&& apt-get clean \
-	&& rm -rf /var/lib/apt/lists/*
-
-# Change the falco config within the container to enable ISO 8601
-# output.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-	&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
+ && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
+ && apt-get update \
+ && apt-get install -y --no-install-recommends falco \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
 
 # Some base images have an empty /lib/modules by default
 # If it's not empty, docker build will fail instead of
 # silently overwriting the existing directory
 RUN rm -df /lib/modules \
-	&& ln -s $HOST_ROOT/lib/modules /lib/modules
+ && ln -s $SYSDIG_HOST_ROOT/lib/modules /lib/modules
 
 # debian:unstable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -s -o binutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils_2.30-22_amd64.deb \
-	&& curl -s -o libbinutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libbinutils_2.30-22_amd64.deb \
-	&& curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
-	&& curl -s -o binutils-common_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-common_2.30-22_amd64.deb \
-	&& dpkg -i *binutils*.deb \
-	&& rm -f *binutils*.deb
+RUN curl -s -o binutils_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils_2.30-22_amd64.deb \
+ && curl -s -o libbinutils_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/libbinutils_2.30-22_amd64.deb \
+ && curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+ && curl -s -o binutils-common_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils-common_2.30-22_amd64.deb \
+ && dpkg -i *binutils*.deb
 
 COPY ./docker-entrypoint.sh /
 

docker/stable/docker-entrypoint.sh

@@ -1,7 +1,8 @@
-#!/usr/bin/env bash
+#!/bin/bash
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
 #
+# This file is part of falco.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -16,19 +17,19 @@
 # limitations under the License.
 #
 
-# set -e
+#set -e
 
-# Set the SKIP_MODULE_LOAD variable to skip loading the kernel module
+# Set the SYSDIG_SKIP_LOAD variable to skip loading the sysdig kernel module
 
-if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
+if [[ -z "${SYSDIG_SKIP_LOAD}" ]]; then
     echo "* Setting up /usr/src links from host"
 
-    for i in "$HOST_ROOT/usr/src"/*
+    for i in $(ls $SYSDIG_HOST_ROOT/usr/src)
     do
-        ln -s "$i" "/usr/src/$i"
+        ln -s $SYSDIG_HOST_ROOT/usr/src/$i /usr/src/$i
     done
 
     /usr/bin/falco-probe-loader
 fi
 
-exec "$@"
+exec "$@"

docker/tester/Dockerfile

@@ -1,18 +0,0 @@
-FROM fedora:31
-
-LABEL name="falcosecurity/falco-tester"
-LABEL usage="docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build -e FALCO_VERSION=<current_falco_version> --name <name> falcosecurity/falco-tester test"
-LABEL maintainer="opensource@sysdig.com"
-
-ENV FALCO_VERSION=
-ENV BUILD_TYPE=release
-
-RUN dnf install -y python2-pip python2 docker findutils jq unzip && dnf clean all
-ENV PATH="/root/.local/bin/:${PATH}"
-RUN pip2 install --user avocado-framework==69.0
-RUN pip2 install --user avocado-framework-plugin-varianter-yaml-to-mux==69.0
-
-COPY ./root /
-
-ENTRYPOINT ["entrypoint"]
-CMD ["usage"]

docker/tester/root/runners/deb.Dockerfile

@@ -1,21 +0,0 @@
-FROM ubuntu:18.04
-LABEL maintainer="opensource@sysdig.com"
-
-ARG FALCO_VERSION=
-RUN test -n FALCO_VERSION
-ENV FALCO_VERSION ${FALCO_VERSION}
-
-RUN apt update -y
-RUN apt install dkms libyaml-0-2 -y
-
-ADD falco-${FALCO_VERSION}-x86_64.deb /
-RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
-
-# Change the falco config within the container to enable ISO 8601 output.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-    && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
-
-COPY rules/*.yaml /rules/
-COPY trace_files/*.scap /traces/
-
-CMD ["/usr/bin/falco"]

docker/tester/root/runners/rpm.Dockerfile

@@ -1,22 +0,0 @@
-FROM centos:7
-
-LABEL maintainer="opensource@sysdig.com"
-
-ARG FALCO_VERSION=
-RUN test -n FALCO_VERSION
-ENV FALCO_VERSION ${FALCO_VERSION}
-
-RUN yum update -y
-RUN yum install epel-release -y
-
-ADD falco-${FALCO_VERSION}-x86_64.rpm /
-RUN yum install -y /falco-${FALCO_VERSION}-x86_64.rpm
-
-# Change the falco config within the container to enable ISO 8601 output.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-    && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
-
-COPY rules/*.yaml /rules/
-COPY trace_files/*.scap /traces/
-
-CMD ["/usr/bin/falco"]

docker/tester/root/usr/bin/entrypoint

@@ -1,83 +0,0 @@
-#!/usr/bin/env bash
-
-set -eu -o pipefail
-
-SOURCE_DIR=/source
-BUILD_DIR=/build
-CMD=${1:-test}
-shift
-
-# build type can be "debug" or "release", fallbacks to "release" by default
-BUILD_TYPE=$(echo "$BUILD_TYPE" | tr "[:upper:]" "[:lower:]")
-case "$BUILD_TYPE" in
-"debug")
-    ;;
-*)
-    BUILD_TYPE="release"
-    ;;
-esac
-
-build_image() {
-    BUILD_DIR=$1
-    BUILD_TYPE=$2
-    FALCO_VERSION=$3
-    PACKAGE_TYPE=$4
-    PACKAGE="$BUILD_DIR/$BUILD_TYPE/falco-$FALCO_VERSION-x86_64.${PACKAGE_TYPE}"
-    if [ ! -f "$PACKAGE" ]; then
-        echo "Package not found: ${PACKAGE}." >&2
-        exit 1
-    fi
-    DOCKER_IMAGE_NAME="falcosecurity/falco:test-${PACKAGE_TYPE}"
-    echo "Building local docker image $DOCKER_IMAGE_NAME from latest ${PACKAGE_TYPE} package..."
-
-    mkdir -p /runner-rootfs
-    cp "$PACKAGE" /runner-rootfs
-    cp -R "$SOURCE_DIR/falco/test/rules" /runner-rootfs
-    cp -R "$SOURCE_DIR/falco/test/trace_files" /runner-rootfs
-    docker build -f "/runners/$PACKAGE_TYPE.Dockerfile" --build-arg FALCO_VERSION="$FALCO_VERSION" -t "$DOCKER_IMAGE_NAME" /runner-rootfs
-}
-
-clean_image() {
-    PACKAGE_TYPE=$1
-    DOCKER_IMAGE_NAME="falcosecurity/falco:test-${PACKAGE_TYPE}"
-    docker rmi -f "$DOCKER_IMAGE_NAME"
-}
-
-case "$CMD" in
-"test")
-    if [ -z "$FALCO_VERSION" ]; then
-        echo "Automatically figuring out Falco version."
-        FALCO_VERSION=$("$BUILD_DIR/$BUILD_TYPE/userspace/falco/falco" --version | cut -d' ' -f3 | tr -d '\r')
-        echo "Falco version: $FALCO_VERSION"
-    fi
-    if [ -z "$FALCO_VERSION" ]; then
-        echo "Falco version cannot be guessed, please provide it with the FALCO_VERSION environment variable." >&2
-        exit 1
-    fi
-
-    # build docker images
-    build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "deb"
-    build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "rpm"
-
-    # check that source directory contains Falco
-    if [ ! -d "$SOURCE_DIR/falco/test" ]; then
-        echo "Missing $SOURCE_DIR/falco/test directory." >&2
-        exit 1
-    fi
-
-    # run tests
-    echo "Running regression tests ..."
-    cd "$SOURCE_DIR/falco/test"
-    ./run_regression_tests.sh "$BUILD_DIR/$BUILD_TYPE"
-
-    # clean docker images
-    clean_image "deb"
-    clean_image "rpm"
-    ;;
-"bash")
-    CMD=/bin/bash
-    ;& # fallthrough
-"usage")
-    exec "$CMD" "$@"
-    ;;
-esac

docker/tester/root/usr/bin/usage

@@ -1,41 +0,0 @@
-#!/usr/bin/env bash
-
-pythonversion=$(python2 -c 'import sys; version=sys.version_info[:3]; print("{0}.{1}.{2}".format(*version))')
-pipversion=$(pip2 --version | cut -d' ' -f 1,2,5,6)
-dockerversion=$(docker --version)
-avocadoversion=$(pip2 show avocado-framework | grep Version)
-avocadoversion=${avocadoversion#"Version: "}
-
-cat <<EOF
-Hello, this is the Falco tester container.
-
-How to use.
-
-    The default commands for the Falco tester image reports usage and environment info.
-    * docker run falcosecurity/falco-tester
-    * docker run falcosecurity/falco-tester usage
-
-    It supports bash.
-    * docker run -ti falcosecurity/falco-tester bash
-
-    To run Falco regression tests you need to provide:
-    - the docker socket
-    - the boot directory
-    - the source directory
-    - the directory where Falco has been built
-    - the environment variable FALCO_VARIABLE set to the value obtained during the Falco's build
-
-    Assuming you are running it from the Falco root directory, you can run it as follows.
-    * docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build -e FALCO_VERSION=<current_falco_version> falcosecurity/falco-tester test
-
-How to build.
-
-    * cd docker/builder && DOCKER_BUILDKIT=1 docker build -t falcosecurity/falco-tester .
-
-Environment.
-
-    * python ${pythonversion}
-    * ${pipversion}
-    * avocado ${avocadoversion}
-    * ${dockerversion}
-EOF

examples/OWNERS

@@ -1,2 +0,0 @@
-labels:
-  - area/examples

examples/bad-mount-cryptomining/README.md

@@ -2,7 +2,7 @@
 
 ## Introduction
 
-Based on a [blog post](https://sysdig.com/blog/detecting-cryptojacking/) we wrote, this example shows how an overly permissive container environment can be exploited to install cryptomining software and how use of the exploit can be detected using Falco.
+Based on a [blog post](https://sysdig.com/blog/detecting-cryptojacking/) we wrote, this example shows how an overly permissive container environment can be exploited to install cryptomining software and how use of the exploit can be detected using Sysdig Falco.
 
 Although the exploit in the blog post involved modifying the cron configuration on the host filesystem, in this example we keep the host filesystem untouched. Instead, we have a container play the role of the "host", and set up everything using [docker-compose](https://docs.docker.com/compose/) and [docker-in-docker](https://hub.docker.com/_/docker/).
 

examples/bad-mount-cryptomining/attacker_files/minerd

@@ -5,3 +5,4 @@ while true; do
       sleep 60
 done
 
+      

examples/bad-mount-cryptomining/demo.yml

@@ -26,10 +26,10 @@ services:
       - ${PWD}/attacker_files:/usr/share/nginx/html
       - ${PWD}/attacker-nginx.conf:/etc/nginx/conf.d/default.conf
     depends_on:
-      - "falco"
-
+      - "falco"      
+  
   falco:
-    image: falcosecurity/falco:latest
+    image: sysdig/falco:latest
     privileged: true
     volumes:
       - docker-socket:/host/var/run

examples/k8s_audit_config/README.md

@@ -1,136 +1,38 @@
-This page describes how to get [Kubernetes Auditing](https://kubernetes.io/docs/tasks/debug-application-cluster/audit) working with Falco.
-Either using static audit backends in Kubernetes 1.11, or in Kubernetes 1.13 with dynamic sink which configures webhook backends through an AuditSink API object.
+# Introduction
 
-<!-- toc -->
+The files in this directory can be used to configure k8s audit logging. The relevant files are:
 
-- [Instructions for Kubernetes 1.11](#instructions-for-kubernetes-111)
-  * [Deploy Falco to your Kubernetes cluster](#deploy-falco-to-your-kubernetes-cluster)
-  * [Define your audit policy and webhook configuration](#define-your-audit-policy-and-webhook-configuration)
-  * [Restart the API Server to enable Audit Logging](#restart-the-api-server-to-enable-audit-logging)
-  * [Observe Kubernetes audit events at falco](#observe-kubernetes-audit-events-at-falco)
-- [Instructions for Kubernetes 1.13](#instructions-for-kubernetes-113)
-  * [Deploy Falco to your Kubernetes cluster](#deploy-falco-to-your-kubernetes-cluster-1)
-  * [Restart the API Server to enable Audit Logging](#restart-the-api-server-to-enable-audit-logging-1)
-  * [Deploy AuditSink objects](#deploy-auditsink-objects)
-  * [Observe Kubernetes audit events at falco](#observe-kubernetes-audit-events-at-falco-1)
-- [Instructions for Kubernetes 1.13 with dynamic webhook and local log file](#instructions-for-kubernetes-113-with-dynamic-webhook-and-local-log-file)
+* [audit-policy.yaml](./audit-policy.yaml): The k8s audit log configuration we used to create the rules in [k8s_audit_rules.yaml](../../rules/k8s_audit_rules.yaml). You may find it useful as a reference when creating your own K8s Audit Log configuration.
+* [webhook-config.yaml.in](./webhook-config.yaml.in): A (templated) webhook configuration that sends audit events to an ip associated with the falco service, port 8765. It is templated in that the *actual* ip is defined in an environment variable `FALCO_SERVICE_CLUSTERIP`, which can be plugged in using a program like `envsubst`. You may find it useful as a starting point when deciding how to route audit events to the embedded webserver within falco.
 
-<!-- tocstop -->
+These files are only needed when using Minikube, which doesn't currently
+have the ability to provide an audit config/webhook config directly
+from the minikube commandline. See [this issue](https://github.com/kubernetes/minikube/issues/2741) for more details.
 
-## Instructions for Kubernetes 1.11
+* [apiserver-config.patch.sh](./apiserver-config.patch.sh): A script that changes the configuration file `/etc/kubernetes/manifests/kube-apiserver.yaml` to add necessary config options and mounts for the kube-apiserver container that runs within the minikube vm.
 
-The main steps are:
+A way to use these files with minikube to run falco and enable audit logging would be the following:
 
-1. Deploy Falco to your Kubernetes cluster
-1. Define your audit policy and webhook configuration
-1. Restart the API Server to enable Audit Logging
-1. Observe Kubernetes audit events at falco
+#### Start Minikube with Audit Logging Enabled
 
-### Deploy Falco to your Kubernetes cluster
+Run the following to start minikube with Audit Logging Enabled:
 
-Follow the [Kubernetes Using Daemonset](../../integrations/k8s-using-daemonset/README.md) instructions to create a falco service account, service, configmap, and daemonset.
+```
+minikube start --kubernetes-version v1.11.0 --mount --mount-string $PWD:/tmp/k8s_audit_config --feature-gates AdvancedAuditing=true
+```
 
-### Define your audit policy and webhook configuration
+#### Create a Falco DaemonSet and Supporting Accounts/Services
 
-The files in this directory can be used to configure Kubernetes audit logging. The relevant files are:
+Follow the [K8s Using Daemonset](../../integrations/k8s-using-daemonset/README.md) instructions to create a falco service account, service, configmap, and daemonset.
 
-* [audit-policy.yaml](./audit-policy.yaml): The Kubernetes audit log configuration we used to create the rules in [k8s_audit_rules.yaml](../../rules/k8s_audit_rules.yaml).
-* [webhook-config.yaml.in](./webhook-config.yaml.in): A (templated) webhook configuration that sends audit events to an ip associated with the falco service, port 8765. It is templated in that the *actual* IP is defined in an environment variable `FALCO_SERVICE_CLUSTERIP`, which can be plugged in using a program like `envsubst`.
+#### Configure Audit Logging with a Policy and Webhook
 
-Run the following to fill in the template file with the `ClusterIP` IP address you created with the `falco-service` service above. Although services like `falco-service.default.svc.cluster.local` can not be resolved from the kube-apiserver container within the minikube vm (they're run as pods but not *really* a part of the cluster), the `ClusterIP`s associated with those services are routable.
+Run the following commands to fill in the template file with the ClusterIP ip address you created with the `falco-service` service above, and configure audit logging to use a policy and webhook that directs the right events to the falco daemonset. Although services like `falco-service.default.svc.cluster.local` can not be resolved from the kube-apiserver container within the minikube vm (they're run as pods but not *really* a part of the cluster), the ClusterIPs associated with those services are routable.
 
 ```
 FALCO_SERVICE_CLUSTERIP=$(kubectl get service falco-service -o=jsonpath={.spec.clusterIP}) envsubst < webhook-config.yaml.in > webhook-config.yaml
+ssh -i $(minikube ssh-key) docker@$(minikube ip) sudo bash /tmp/k8s_audit_config/apiserver-config.patch.sh
 ```
 
-### Restart the API Server to enable Audit Logging
+K8s audit events will then be routed to the falco daemonset within the cluster, which you can observe via `kubectl logs -f $(kubectl get pods -l app=falco-example -o jsonpath={.items[0].metadata.name})`.
 
-A script [enable-k8s-audit.sh](./enable-k8s-audit.sh) performs the necessary steps of enabling audit log support for the apiserver, including copying the audit policy/webhook files to the apiserver machine, modifying the apiserver command line to add `--audit-log-path`, `--audit-policy-file`, etc. arguments, etc. (For minikube, ideally you'd be able to pass all these options directly on the `minikube start` command line, but manual patching is necessary. See [this issue](https://github.com/kubernetes/minikube/issues/2741) for more details.)
-
-It is run as `bash ./enable-k8s-audit.sh <variant> static`. `<variant>` can be one of the following:
-
-* `minikube`
-* `kops`
-
-When running with `variant` equal to `kops`, you must either modify the script to specify the kops apiserver hostname or set it via the environment: `APISERVER_HOST=api.my-kops-cluster.com bash ./enable-k8s-audit.sh kops`
-
-Its output looks like this:
-
-```
-$ bash enable-k8s-audit.sh minikube static
-***Copying apiserver config patch script to apiserver...
-apiserver-config.patch.sh                                                                   100% 1190     1.2MB/s   00:00
-***Copying audit policy/webhook files to apiserver...
-audit-policy.yaml                                                                           100% 2519     1.2MB/s   00:00
-webhook-config.yaml                                                                         100%  248   362.0KB/s   00:00
-***Modifying k8s apiserver config (will result in apiserver restarting)...
-***Done!
-$
-```
-### Observe Kubernetes audit events at falco
-
-Kubernetes audit events will then be routed to the falco daemonset within the cluster, which you can observe via `kubectl logs -f $(kubectl get pods -l app=falco-example -o jsonpath={.items[0].metadata.name})`.
-
-## Instructions for Kubernetes 1.13
-
-The main steps are:
-
-1. Deploy Falco to your Kubernetes cluster
-2. Restart the API Server to enable Audit Logging
-3. Deploy the AuditSink object for your audit policy and webhook configuration
-4. Observe Kubernetes audit events at falco
-
-### Deploy Falco to your Kubernetes cluster
-
-Follow the [Kubernetes Using Daemonset](../../integrations/k8s-using-daemonset/README.md) instructions to create a Falco service account, service, configmap, and daemonset.
-
-### Restart the API Server to enable Audit Logging
-
-A script [enable-k8s-audit.sh](./enable-k8s-audit.sh) performs the necessary steps of enabling dynamic audit support for the apiserver by modifying the apiserver command line to add `--audit-dynamic-configuration`, `--feature-gates=DynamicAuditing=true`, etc. arguments, etc. (For minikube, ideally you'd be able to pass all these options directly on the `minikube start` command line, but manual patching is necessary. See [this issue](https://github.com/kubernetes/minikube/issues/2741) for more details.)
-
-It is run as `bash ./enable-k8s-audit.sh <variant> dynamic`. `<variant>` can be one of the following:
-
-* `minikube`
-* `kops`
-
-When running with `variant` equal to `kops`, you must either modify the script to specify the kops apiserver hostname or set it via the environment: `APISERVER_HOST=api.my-kops-cluster.com bash ./enable-k8s-audit.sh kops`
-
-Its output looks like this:
-
-```
-$ bash enable-k8s-audit.sh minikube dynamic
-***Copying apiserver config patch script to apiserver...
-apiserver-config.patch.sh                                                                   100% 1190     1.2MB/s   00:00
-***Modifying k8s apiserver config (will result in apiserver restarting)...
-***Done!
-$
-```
-
-### Deploy AuditSink objects
-
-[audit-sink.yaml.in](./audit-sink.yaml.in), in this directory, is a template audit sink configuration that defines the dynamic audit policy and webhook to route Kubernetes audit events to Falco.
-
-Run the following to fill in the template file with the `ClusterIP` IP address you created with the `falco-service` service above. Although services like `falco-service.default.svc.cluster.local` can not be resolved from the kube-apiserver container within the minikube vm (they're run as pods but not *really* a part of the cluster), the ClusterIPs associated with those services are routable.
-
-```
-FALCO_SERVICE_CLUSTERIP=$(kubectl get service falco-service -o=jsonpath={.spec.clusterIP}) envsubst < audit-sink.yaml.in > audit-sink.yaml
-```
-
-### Observe Kubernetes audit events at falco
-
-Kubernetes audit events will then be routed to the falco daemonset within the cluster, which you can observe via `kubectl logs -f $(kubectl get pods -l app=falco-example -o jsonpath={.items[0].metadata.name})`.
-
-## Instructions for Kubernetes 1.13 with dynamic webhook and local log file
-
-If you want to use a mix of `AuditSink` for remote audit events as well as a local audit log file, you can run `enable-k8s-audit.sh` with the `"dynamic+log"` argument e.g. `bash ./enable-k8s-audit.sh <variant> dynamic+log`. This will enable dynamic audit logs as well as a static audit log to a local file. Its output looks like this:
-
-```
-***Copying apiserver config patch script to apiserver...
-apiserver-config.patch.sh                                                                          100% 2211   662.9KB/s   00:00
-***Copying audit policy file to apiserver...
-audit-policy.yaml                                                                                  100% 2519   847.7KB/s   00:00
-***Modifying k8s apiserver config (will result in apiserver restarting)...
-***Done!
-```
-
-The audit log will be available on the apiserver host at `/var/lib/k8s_audit/audit.log`.

examples/k8s_audit_config/apiserver-config.patch.sh

@@ -1,67 +1,35 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
+#!/bin/sh
 
 IFS=''
 
-FILENAME=${1:-/etc/kubernetes/manifests/kube-apiserver.yaml}
-VARIANT=${2:-minikube}
-AUDIT_TYPE=${3:-static}
+FILENAME="/etc/kubernetes/manifests/kube-apiserver.yaml"
 
-if [ "$AUDIT_TYPE" == "static" ]; then
-    if grep audit-webhook-config-file "$FILENAME" ; then
-	echo audit-webhook patch already applied
-	exit 0
-    fi
-else
-    if grep audit-dynamic-configuration "$FILENAME" ; then
-	echo audit-dynamic-configuration patch already applied
-	exit 0
-    fi
+if grep audit-webhook-config-file $FILENAME ; then
+    echo audit-webhook patch already applied
+    exit 0
 fi
 
 TMPFILE="/tmp/kube-apiserver.yaml.patched"
 rm -f "$TMPFILE"
 
-APISERVER_PREFIX="    -"
-APISERVER_LINE="- kube-apiserver"
-
-if [ "$VARIANT" == "kops" ]; then
-    APISERVER_PREFIX="     "
-    APISERVER_LINE="/usr/local/bin/kube-apiserver"
-fi
-
-while read -r LINE
+while read LINE
 do
     echo "$LINE" >> "$TMPFILE"
     case "$LINE" in
-        *$APISERVER_LINE*)
-	    if [[ ($AUDIT_TYPE == "static" || $AUDIT_TYPE == "dynamic+log") ]]; then
-		echo "$APISERVER_PREFIX --audit-log-path=/var/lib/k8s_audit/audit.log" >> "$TMPFILE"
-		echo "$APISERVER_PREFIX --audit-policy-file=/var/lib/k8s_audit/audit-policy.yaml" >> "$TMPFILE"
-		if [[ $AUDIT_TYPE == "static" ]]; then
-		    echo "$APISERVER_PREFIX --audit-webhook-config-file=/var/lib/k8s_audit/webhook-config.yaml" >> "$TMPFILE"
-		    echo "$APISERVER_PREFIX --audit-webhook-batch-max-wait=5s" >> "$TMPFILE"
-		fi
-	    fi
-	    if [[ ($AUDIT_TYPE == "dynamic" || $AUDIT_TYPE == "dynamic+log") ]]; then
-		echo "$APISERVER_PREFIX --audit-dynamic-configuration" >> "$TMPFILE"
-		echo "$APISERVER_PREFIX --feature-gates=DynamicAuditing=true" >> "$TMPFILE"
-		echo "$APISERVER_PREFIX --runtime-config=auditregistration.k8s.io/v1alpha1=true" >> "$TMPFILE"
-	    fi
+        *"- kube-apiserver"*)
+            echo "    - --audit-log-path=/tmp/k8s_audit_config/audit.log" >> "$TMPFILE"
+            echo "    - --audit-policy-file=/tmp/k8s_audit_config/audit-policy.yaml" >> "$TMPFILE"
+            echo "    - --audit-webhook-config-file=/tmp/k8s_audit_config/webhook-config.yaml" >> "$TMPFILE"
+            echo "    - --audit-webhook-batch-max-wait=5s" >> "$TMPFILE"
             ;;
         *"volumeMounts:"*)
-	    if [[ ($AUDIT_TYPE == "static" || $AUDIT_TYPE == "dynamic+log") ]]; then
-		echo "    - mountPath: /var/lib/k8s_audit/" >> "$TMPFILE"
-		echo "      name: data" >> "$TMPFILE"
-	    fi
+            echo "    - mountPath: /tmp/k8s_audit_config/" >> "$TMPFILE"
+            echo "      name: data" >> "$TMPFILE"
             ;;
         *"volumes:"*)
-	    if [[ ($AUDIT_TYPE == "static" || $AUDIT_TYPE == "dynamic+log") ]]; then
-		echo "  - hostPath:" >> "$TMPFILE"
-		echo "      path: /var/lib/k8s_audit" >> "$TMPFILE"
-		echo "    name: data" >> "$TMPFILE"
-	    fi
+            echo "  - hostPath:" >> "$TMPFILE"
+            echo "      path: /tmp/k8s_audit_config" >> "$TMPFILE"
+            echo "    name: data" >> "$TMPFILE"
             ;;
 
     esac

examples/k8s_audit_config/audit-sink.yaml.in

@@ -1,16 +0,0 @@
-apiVersion: auditregistration.k8s.io/v1alpha1
-kind: AuditSink
-metadata:
-  name: falco-audit-sink
-spec:
-  policy:
-    level: RequestResponse
-    stages:
-      - ResponseComplete
-      - ResponseStarted
-  webhook:
-    throttle:
-      qps: 10
-      burst: 15
-    clientConfig:
-      url: "http://$FALCO_SERVICE_CLUSTERIP:8765/k8s_audit"