Merge branch 'dev' into agent-master

Add tags

.gitignore

@@ -12,7 +12,7 @@ test/results*.json.*
 userspace/falco/lua/re.lua
 userspace/falco/lua/lpeg.so
 
-docker/event-generator/event-generator
+docker/event-generator/event_generator
 docker/event-generator/mysqld
 docker/event-generator/httpd
 docker/event-generator/sha1sum

.travis.yml

@@ -32,7 +32,7 @@ script:
     - cd ..
     - mkdir build
     - cd build
-    - cmake .. -DCMAKE_BUILD_TYPE=$BUILD_TYPE
+    - cmake .. -DCMAKE_BUILD_TYPE=$BUILD_TYPE -DDRAIOS_DEBUG_FLAGS="-D_DEBUG -DNDEBUG"
     - make VERBOSE=1
     - make package
     - cd ..

CMakeLists.txt

@@ -14,7 +14,9 @@ if(NOT CMAKE_BUILD_TYPE)
 	SET(CMAKE_BUILD_TYPE Release)
 endif()
 
-set(DRAIOS_DEBUG_FLAGS "-D_DEBUG")
+if(NOT DRAIOS_DEBUG_FLAGS)
+	set(DRAIOS_DEBUG_FLAGS "-D_DEBUG")
+endif()
 
 set(CMAKE_C_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS}")
 set(CMAKE_CXX_FLAGS "-Wall -ggdb --std=c++0x ${DRAIOS_FEATURE_FLAGS}")
@@ -51,7 +53,7 @@ option(USE_BUNDLED_DEPS "Enable bundled dependencies instead of using the system
 
 #
 # zlib
-
+#
 option(USE_BUNDLED_ZLIB "Enable building of the bundled zlib" ${USE_BUNDLED_DEPS})
 
 if(NOT USE_BUNDLED_ZLIB)
@@ -99,6 +101,7 @@ else()
                 CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking
                 BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
                 BUILD_IN_SOURCE 1
+		PATCH_COMMAND wget -O jq-1.5-fix-tokenadd.patch https://github.com/stedolan/jq/commit/8eb1367ca44e772963e704a700ef72ae2e12babd.patch && patch -i jq-1.5-fix-tokenadd.patch
                 INSTALL_COMMAND "")
 endif()
 
@@ -204,8 +207,8 @@ else()
 	message(STATUS "Using bundled openssl in '${OPENSSL_BUNDLE_DIR}'")
 
 	ExternalProject_Add(openssl
-		URL "http://download.draios.com/dependencies/openssl-1.0.2d.tar.gz"
-		URL_MD5 "38dd619b2e77cbac69b99f52a053d25a"
+		URL "http://download.draios.com/dependencies/openssl-1.0.2j.tar.gz"
+		URL_MD5 "96322138f0b69e61b7212bc53d5e912b"
 		CONFIGURE_COMMAND ./config shared --prefix=${OPENSSL_INSTALL_DIR}
 		BUILD_COMMAND ${CMD_MAKE}
 		BUILD_IN_SOURCE 1
@@ -235,8 +238,8 @@ else()
 
 	ExternalProject_Add(curl
 		DEPENDS openssl
-		URL "http://download.draios.com/dependencies/curl-7.45.0.tar.bz2"
-		URL_MD5 "62c1a352b28558f25ba6209214beadc8"
+		URL "http://download.draios.com/dependencies/curl-7.52.1.tar.bz2"
+		URL_MD5 "dd014df06ff1d12e173de86873f9f77a"
 		CONFIGURE_COMMAND ./configure ${CURL_SSL_OPTION} --disable-shared --enable-optimize --disable-curldebug --disable-rt --enable-http --disable-ftp --disable-file --disable-ldap --disable-ldaps --disable-rtsp --disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smb --disable-smtp --disable-gopher --disable-sspi --disable-ntlm-wb --disable-tls-srp --without-winssl --without-darwinssl --without-polarssl --without-cyassl --without-nss --without-axtls --without-ca-path --without-ca-bundle --without-libmetalink --without-librtmp --without-winidn --without-libidn --without-nghttp2 --without-libssh2
 		BUILD_COMMAND ${CMD_MAKE}
 		BUILD_IN_SOURCE 1
@@ -318,6 +321,13 @@ if(NOT USE_BUNDLED_LIBYAML)
 		message(FATAL_ERROR "Couldn't find system libyaml")
 	endif()
 else()
+	find_path(AUTORECONF_BIN NAMES autoreconf)
+	if(AUTORECONF_BIN)
+		message(STATUS "Found autoreconf: ${AUTORECONF_BIN}")
+	else()
+		message(FATAL_ERROR "Couldn't find system autoreconf. Please install autoreconf before continuing or use system libyaml")
+	endif()
+
 	set(LIBYAML_SRC "${PROJECT_BINARY_DIR}/libyaml-prefix/src/libyaml/src")
 	set(LIBYAML_LIB "${LIBYAML_SRC}/.libs/libyaml.a")
 	ExternalProject_Add(libyaml
@@ -348,6 +358,7 @@ else()
 	set(LYAML_SRC "${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/ext/yaml")
 	set(LYAML_LIB "${LYAML_SRC}/.libs/yaml.a")
 	ExternalProject_Add(lyaml
+		DEPENDS libyaml luajit
 		URL "http://download.draios.com/dependencies/lyaml-release-v6.0.tar.gz"
                 URL_MD5 "dc3494689a0dce7cf44e7a99c72b1f30"
                 BUILD_COMMAND ${CMD_MAKE}

docker/event-generator/event_generator.cpp

@@ -97,6 +97,8 @@ void exfiltration()
 
 	shadow.open("/etc/shadow");
 
+	printf("Reading /etc/shadow and sending to 10.5.2.6:8197...\n");
+
 	if(!shadow.is_open())
 	{
 		fprintf(stderr, "Could not open /etc/shadow for reading: %s", strerror(errno));
@@ -219,7 +221,7 @@ void write_rpm_database() {
 }
 
 void spawn_shell() {
-	printf("Spawning a shell using system()...\n");
+	printf("Spawning a shell to run \"ls > /dev/null\" using system()...\n");
 	int rc;
 
 	if ((rc = system("ls > /dev/null")) != 0)
@@ -259,6 +261,7 @@ void mkdir_binary_dirs() {
 
 void change_thread_namespace() {
 	printf("Calling setns() to change namespaces...\n");
+	printf("NOTE: does not result in a falco notification in containers, unless container run with --privileged or --security-opt seccomp=unconfined\n");
 	// It doesn't matter that the arguments to setns are
 	// bogus. It's the attempt to call it that will trigger the
 	// rule.
@@ -268,6 +271,7 @@ void change_thread_namespace() {
 void system_user_interactive() {
 	pid_t child;
 
+	printf("Forking a child that becomes user=daemon and then tries to run /bin/login...\n");
 	// Fork a child and do everything in the child.
 	if ((child = fork()) == 0)
 	{
@@ -313,6 +317,8 @@ void system_procs_network_activity() {
 void non_sudo_setuid() {
 	pid_t child;
 
+	printf("Forking a child that becomes \"daemon\" user and then \"root\"...\n");
+
 	// Fork a child and do everything in the child.
 	if ((child = fork()) == 0)
 	{
@@ -367,6 +373,9 @@ map<string, action_t> defined_actions = {{"write_binary_dir", write_binary_dir},
 					 {"user_mgmt_binaries", user_mgmt_binaries},
 					 {"exfiltration", exfiltration}};
 
+// Some actions don't directly result in suspicious behavior. These
+// actions are excluded from the ones run with -a all.
+set<string> exclude_from_all_actions = {"exec_ls", "network_activity"};
 
 void create_symlinks(const char *program)
 {
@@ -394,9 +403,9 @@ void run_actions(map<string, action_t> &actions, int interval, bool once)
 	{
 		for (auto action : actions)
 		{
-			sleep(interval);
 			printf("***Action %s\n", action.first.c_str());
 			action.second();
+			sleep(interval);
 		}
 		if(once)
 		{
@@ -428,7 +437,7 @@ int main(int argc, char **argv)
 	// Parse the args
 	//
 	while((op = getopt_long(argc, argv,
-				"ha:i:l:",
+				"ha:i:l:o",
 				long_options, &long_index)) != -1)
 	{
 		switch(op)
@@ -437,12 +446,16 @@ int main(int argc, char **argv)
 			usage(argv[0]);
 			exit(1);
 		case 'a':
-			if((it = defined_actions.find(optarg)) == defined_actions.end())
+			// "all" is already implied
+			if (strcmp(optarg, "all") != 0)
 			{
-				fprintf(stderr, "No action with name \"%s\" known, exiting.\n", optarg);
-				exit(1);
+				if((it = defined_actions.find(optarg)) == defined_actions.end())
+				{
+					fprintf(stderr, "No action with name \"%s\" known, exiting.\n", optarg);
+					exit(1);
+				}
+				actions.insert(*it);
 			}
-			actions.insert(*it);
 			break;
 		case 'i':
 			interval = atoi(optarg);
@@ -482,7 +495,13 @@ int main(int argc, char **argv)
 
 	if(actions.size() == 0)
 	{
-		actions = defined_actions;
+		for(auto &act : defined_actions)
+		{
+			if(exclude_from_all_actions.find(act.first) == exclude_from_all_actions.end())
+			{
+				actions.insert(act);
+			}
+		}
 	}
 
 	setvbuf(stdout, NULL, _IONBF, 0);

docker/local/Dockerfile

@@ -0,0 +1,50 @@
+FROM debian:unstable
+
+MAINTAINER Sysdig <support@sysdig.com>
+
+ENV FALCO_VERSION 0.1.1dev
+
+LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+
+ENV SYSDIG_HOST_ROOT /host
+
+ENV HOME /root
+
+RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
+
+ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
+
+RUN echo "deb http://httpredir.debian.org/debian jessie main" > /etc/apt/sources.list.d/jessie.list \
+ && apt-get update \
+ && apt-get install -y --no-install-recommends \
+	bash-completion \
+	curl \
+	jq \
+	gnupg2 \
+	ca-certificates \
+	gcc \
+	gcc-5 \
+	gcc-4.9 \
+	sysdig && rm -rf /var/lib/apt/lists/*
+
+# Since our base Debian image ships with GCC 5.0 which breaks older kernels, revert the
+# default to gcc-4.9. Also, since some customers use some very old distributions whose kernel
+# makefile is hardcoded for gcc-4.6 or so (e.g. Debian Wheezy), we pretend to have gcc 4.6/4.7
+# by symlinking it to 4.9
+
+RUN rm -rf /usr/bin/gcc \
+ && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc \
+ && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.8 \
+ && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.7 \
+ && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.6
+
+RUN ln -s $SYSDIG_HOST_ROOT/lib/modules /lib/modules
+
+ADD falco-${FALCO_VERSION}-x86_64.deb /
+RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
+
+COPY ./docker-entrypoint.sh /
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+
+CMD ["/usr/bin/falco"]

docker/local/docker-entrypoint.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+#set -e
+
+# Set the SYSDIG_SKIP_LOAD variable to skip loading the sysdig kernel module
+
+if [[ -z "${SYSDIG_SKIP_LOAD}" ]]; then
+    echo "* Setting up /usr/src links from host"
+
+    for i in $(ls $SYSDIG_HOST_ROOT/usr/src)
+    do
+        ln -s $SYSDIG_HOST_ROOT/usr/src/$i /usr/src/$i
+    done
+
+    /usr/bin/sysdig-probe-loader
+fi
+
+exec "$@"

examples/nodejs-bad-rest-api/demo.yml

@@ -20,5 +20,4 @@ falco:
     - /boot:/host/boot:ro
     - /lib/modules:/host/lib/modules:ro
     - /usr:/host/usr:ro
-    - ${PWD}/../../rules/falco_rules.yaml:/etc/falco_rules.yaml
   tty: true

rules/falco_rules.yaml

@@ -99,11 +99,14 @@
   items: [setup-backend, dragent, sdchecks]
 
 - list: docker_binaries
-  items: [docker, dockerd, exe]
+  items: [docker, dockerd, exe, docker-compose]
 
 - list: k8s_binaries
   items: [hyperkube, skydns, kube2sky, exechealthz]
 
+- list: lxd_binaries
+  items: [lxd, lxcfs]
+
 - list: http_server_binaries
   items: [nginx, httpd, httpd-foregroun, lighttpd]
 
@@ -116,7 +119,11 @@
 # The truncated dpkg-preconfigu is intentional, process names are
 # truncated at the sysdig level.
 - list: package_mgmt_binaries
-  items: [dpkg, dpkg-preconfigu, dnf, rpm, rpmkey, yum, frontend]
+  items: [
+    dpkg, dpkg-preconfigu, dnf, rpm, rpmkey, yum, frontend,
+    apt, apt-get, aptitude, add-apt-reposit, apt-auto-remova, apt-key,
+    preinst, update-alternat, unattended-upgr
+    ]
 
 - macro: package_mgmt_procs
   condition: proc.name in (package_mgmt_binaries)
@@ -135,11 +142,26 @@
 - list: user_mgmt_binaries
   items: [login_binaries, passwd_binaries, shadowutils_binaries]
 
+- list: dev_creation_binaries
+  items: [blkid]
+
+- list: aide_wrapper_binaries
+  items: [aide.wrapper, update-aide.con]
+
+- list: hids_binaries
+  items: [aide]
+
+- list: nids_binaries
+  items: [bro, broctl]
+
+- list: monitoring_binaries
+  items: [icinga2, nrpe, npcd, check_sar_perf.]
+
 - macro: system_procs
   condition: proc.name in (coreutils_binaries, user_mgmt_binaries)
 
 - list: mail_binaries
-  items: [sendmail, sendmail-msp, postfix, procmail, exim4]
+  items: [sendmail, sendmail-msp, postfix, procmail, exim4, pickup, showq]
 
 - macro: sensitive_files
   condition: fd.name startswith /etc and (fd.name in (/etc/shadow, /etc/sudoers, /etc/pam.conf) or fd.directory in (/etc/sudoers.d, /etc/pam.d))
@@ -190,6 +212,31 @@
 - macro: system_users
   condition: user.name in (bin, daemon, games, lp, mail, nobody, sshd, sync, uucp, www-data)
 
+# SPECIAL NOTE: This macro eliminates false positives that result from
+# running python scripts as a part of ansible. However, the condition
+# that the command line contains "ansible" is very
+# permissive. Ideally, you should change this macro to explicitly
+# scope the python scripts to a specific directory (namely, your
+# configured remote_tmp directory).
+- macro: parent_ansible_running_python
+  condition: (proc.pname in (python, pypy) and proc.pcmdline contains ansible)
+
+- macro: ansible_running_python
+  condition: (proc.name in (python, pypy) and proc.cmdline contains ansible)
+
+- macro: python_running_denyhosts
+  condition: (proc.name=python and (proc.cmdline contains /usr/sbin/denyhosts or proc.cmdline contains /usr/local/bin/denyhosts.py))
+
+- macro: parent_python_running_denyhosts
+  condition: (proc.pname=python and (proc.pcmdline contains /usr/sbin/denyhosts or proc.pcmdline contains /usr/local/bin/denyhosts.py))
+
+- macro: parent_bro_running_python
+  condition: (proc.pname=python and proc.cmdline contains /usr/share/broctl)
+
+# As a part of kernel upgrades, dpkg will spawn a perl script with the
+# name linux-image-N.N. This macro matches that.
+- macro: parent_linux_image_upgrade_script
+  condition: proc.pname startswith linux-image-
 
 ###############
 # General Rules
@@ -200,19 +247,27 @@
   condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs
   output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)"
   priority: WARNING
+  tags: [filesystem]
 
 - macro: write_etc_common
   condition: >
     etc_dir and evt.dir = < and open_write
-    and not proc.name in (shadowutils_binaries, sysdigcloud_binaries, package_mgmt_binaries, ssl_mgmt_binaries, dhcp_binaries, ldconfig.real, ldconfig, confd)
+    and not proc.name in (passwd_binaries, shadowutils_binaries, sysdigcloud_binaries,
+                          package_mgmt_binaries, ssl_mgmt_binaries, dhcp_binaries,
+                          ldconfig.real, ldconfig, confd, gpg, insserv,
+                          apparmor_parser, update-mime, tzdata.config, tzdata.postinst,
+                          systemd-machine, debconf-show, rollerd, bind9.postinst)
     and not proc.pname in (sysdigcloud_binaries)
     and not fd.directory in (/etc/cassandra, /etc/ssl/certs/java)
+    and not ansible_running_python
+    and not python_running_denyhosts
 
 - rule: Write below etc
   desc: an attempt to write to any file below /etc, not in a pipe installer session
   condition: write_etc_common and not proc.sname=fbash
   output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)"
   priority: WARNING
+  tags: [filesystem]
 
 # Within a fbash session, the severity is lowered to INFO
 - rule: Write below etc in installer
@@ -220,43 +275,61 @@
   condition: write_etc_common and proc.sname=fbash
   output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline file=%fd.name) within pipe installer session"
   priority: INFO
+  tags: [filesystem]
+
+- macro: cmp_cp_by_passwd
+  condition: proc.name in (cmp, cp) and proc.pname=passwd
 
 - rule: Read sensitive file trusted after startup
   desc: an attempt to read any sensitive file (e.g. files containing user/password/authentication information) by a trusted program after startup. Trusted programs might read these files at startup to load initial state, but not afterwards.
   condition: sensitive_files and open_read and server_procs and not proc_is_new and proc.name!="sshd"
   output: "Sensitive file opened for reading by trusted program after startup (user=%user.name command=%proc.cmdline file=%fd.name)"
   priority: WARNING
+  tags: [filesystem]
+
+- list: read_sensitive_file_binaries
+  items: [iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, sshd, vsftpd, systemd]
 
 - rule: Read sensitive file untrusted
   desc: an attempt to read any sensitive file (e.g. files containing user/password/authentication information). Exceptions are made for known trusted programs.
-  condition: sensitive_files and open_read and not proc.name in (user_mgmt_binaries, userexec_binaries, package_mgmt_binaries, cron_binaries, iptables, ps, lsb_release, check-new-relea, dumpe2fs, accounts-daemon, shell_binaries, sshd) and not proc.cmdline contains /usr/bin/mandb
+  condition: >
+    sensitive_files and open_read
+    and not proc.name in (user_mgmt_binaries, userexec_binaries, package_mgmt_binaries, cron_binaries, read_sensitive_file_binaries, shell_binaries, hids_binaries)
+    and not cmp_cp_by_passwd
+    and not ansible_running_python
+    and not proc.cmdline contains /usr/bin/mandb
   output: "Sensitive file opened for reading by non-trusted program (user=%user.name name=%proc.name command=%proc.cmdline file=%fd.name)"
   priority: WARNING
+  tags: [filesystem]
 
 # Only let rpm-related programs write to the rpm database
 - rule: Write below rpm database
   desc: an attempt to write to the rpm database by any non-rpm related program
-  condition: fd.name startswith /var/lib/rpm and open_write and not proc.name in (dnf,rpm,rpmkey,yum)
+  condition: fd.name startswith /var/lib/rpm and open_write and not proc.name in (dnf,rpm,rpmkey,yum) and not ansible_running_python
   output: "Rpm database opened for writing by a non-rpm program (command=%proc.cmdline file=%fd.name)"
   priority: WARNING
+  tags: [filesystem, software_mgmt]
 
 - rule: DB program spawned process
   desc: a database-server related program spawned a new process other than itself. This shouldn\'t occur and is a follow on from some SQL injection attacks.
   condition: proc.pname in (db_server_binaries) and spawned_process and not proc.name in (db_server_binaries)
   output: "Database-related program spawned process other than itself (user=%user.name program=%proc.cmdline parent=%proc.pname)"
   priority: WARNING
+  tags: [process, database]
 
 - rule: Modify binary dirs
   desc: an attempt to modify any file below a set of binary directories.
   condition: bin_dir_rename and modify and not package_mgmt_procs
   output: "File below known binary directory renamed/removed (user=%user.name command=%proc.cmdline operation=%evt.type file=%fd.name %evt.args)"
   priority: WARNING
+  tags: [filesystem]
 
 - rule: Mkdir binary dirs
   desc: an attempt to create a directory below a set of binary directories.
   condition: mkdir and bin_dir_mkdir and not package_mgmt_procs
   output: "Directory below known binary directory created (user=%user.name command=%proc.cmdline directory=%evt.arg.path)"
   priority: WARNING
+  tags: [filesystem]
 
 # Don't load shared objects coming from unexpected places
 # Commenting this out for now--there are lots of shared library
@@ -276,29 +349,57 @@
 
 - rule: Change thread namespace
   desc: an attempt to change a program/thread\'s namespace (commonly done as a part of creating a container) by calling setns.
-  condition: evt.type = setns and not proc.name in (docker_binaries, k8s_binaries, sysdigcloud_binaries, sysdig, nsenter) and not proc.pname in (sysdigcloud_binaries)
+  condition: >
+    evt.type = setns
+    and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries, sysdig, nsenter)
+    and not proc.pname in (sysdigcloud_binaries)
   output: "Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline parent=%proc.pname %container.info)"
   priority: WARNING
+  tags: [process]
+
+- list: known_shell_spawn_binaries
+  items: [
+    sshd, sudo, su, tmux, screen, emacs, systemd, login, flock, fbash,
+    nginx, monit, supervisord, dragent, aws, initdb, docker-compose,
+    make, configure, awk, falco, fail2ban-server, fleetctl,
+    logrotate, ansible, less, adduser, pycompile, py3compile,
+    pyclean, py3clean, pip, pip2, ansible-playboo, man-db,
+    init, pluto, mkinitramfs, unattended-upgr, watch, sysdig,
+    landscape-sysin, nessusd, PM2, syslog-summary
+    ]
 
 - rule: Run shell untrusted
   desc: an attempt to spawn a shell by a non-shell program. Exceptions are made for trusted binaries.
-  condition: spawned_process and not container and shell_procs and proc.pname exists and not proc.pname in (cron_binaries, shell_binaries, sshd, sudo, docker_binaries, k8s_binaries, su, tmux, screen, emacs, systemd, login, flock, fbash, nginx, monit, supervisord, dragent, aws, initdb, docker-compose, make, configure, awk, falco, fail2ban-server, apt-get, apt, fleetctl)
-  output: "Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
+  condition: >
+    spawned_process and not container
+    and shell_procs
+    and proc.pname exists
+    and not proc.pname in (cron_binaries, shell_binaries, known_shell_spawn_binaries, docker_binaries,
+                           k8s_binaries, package_mgmt_binaries, aide_wrapper_binaries, nids_binaries,
+                           monitoring_binaries)
+    and not parent_ansible_running_python
+    and not parent_bro_running_python
+    and not parent_python_running_denyhosts
+    and not parent_linux_image_upgrade_script
+  output: "Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline pcmdline=%proc.pcmdline)"
   priority: WARNING
+  tags: [host, shell]
 
 - macro: trusted_containers
   condition: (container.image startswith sysdig/agent or
-              container.image startswith sysdig/falco or
+              (container.image startswith sysdig/falco and
+               not container.image startswith sysdig/falco-event-generator) or
               container.image startswith sysdig/sysdig or
               container.image startswith gcr.io/google_containers/hyperkube or
-              container.image startswith gcr.io/google_containers/kube-proxy or
-              container.image startswith cchh/sysdig)
+              container.image startswith quay.io/coreos/flannel or
+              container.image startswith gcr.io/google_containers/kube-proxy)
 
 - rule: File Open by Privileged Container
   desc: Any open by a privileged container. Exceptions are made for known trusted images.
   condition: (open_read or open_write) and container and container.privileged=true and not trusted_containers
   output: File opened for read/write by privileged container (user=%user.name command=%proc.cmdline %container.info file=%fd.name)
   priority: WARNING
+  tags: [container, cis]
 
 - macro: sensitive_mount
   condition: (container.mount.dest[/proc*] != "N/A")
@@ -308,6 +409,7 @@
   condition: (open_read or open_write) and container and sensitive_mount and not trusted_containers
   output: File opened for read/write by container mounting sensitive directory (user=%user.name command=%proc.cmdline %container.info file=%fd.name)
   priority: WARNING
+  tags: [container, cis]
 
 # Anything run interactively by root
 # - condition: evt.type != switch and user.name = root and proc.name != sshd and interactive
@@ -319,12 +421,20 @@
   condition: spawned_process and system_users and interactive
   output: "System user ran an interactive command (user=%user.name command=%proc.cmdline)"
   priority: WARNING
+  tags: [users]
 
 - rule: Run shell in container
   desc: a shell was spawned by a non-shell program in a container. Container entrypoints are excluded.
-  condition: spawned_process and container and shell_procs and proc.pname exists and not proc.pname in (shell_binaries, docker_binaries, k8s_binaries, initdb, pg_ctl, awk, apache2, falco, cron)
+  condition: >
+    spawned_process and container
+    and shell_procs
+    and proc.pname exists
+    and not proc.pname in (shell_binaries, docker_binaries, k8s_binaries, lxd_binaries, aide_wrapper_binaries, nids_binaries,
+                           monitoring_binaries, initdb, pg_ctl, awk, apache2, falco, cron)
+    and not trusted_containers
   output: "Shell spawned in a container other than entrypoint (user=%user.name %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)"
   priority: WARNING
+  tags: [container, shell]
 
 # sockfamily ip is to exclude certain processes (like 'groups') that communicate on unix-domain sockets
 - rule: System procs network activity
@@ -332,6 +442,7 @@
   condition: (fd.sockfamily = ip and system_procs) and (inbound or outbound)
   output: "Known system binary sent/received network traffic (user=%user.name command=%proc.cmdline connection=%fd.name)"
   priority: WARNING
+  tags: [network]
 
 # With the current restriction on system calls handled by falco
 # (e.g. excluding read/write/sendto/recvfrom/etc, this rule won't
@@ -345,22 +456,32 @@
 # sshd, mail programs attempt to setuid to root even when running as non-root. Excluding here to avoid meaningless FPs
 - rule: Non sudo setuid
   desc: an attempt to change users by calling setuid. sudo/su are excluded. user "root" is also excluded, as setuid calls typically involve dropping privileges.
-  condition: evt.type=setuid and evt.dir=> and not user.name=root and not proc.name in (userexec_binaries, mail_binaries, sshd, dbus-daemon-lau)
-  output: "Unexpected setuid call by non-sudo, non-root program (user=%user.name command=%proc.cmdline uid=%evt.arg.uid)"
+  condition: evt.type=setuid and evt.dir=> and not user.name=root and not proc.name in (userexec_binaries, mail_binaries, sshd, dbus-daemon-lau, ping, ping6, critical-stack-)
+  output: "Unexpected setuid call by non-sudo, non-root program (user=%user.name parent=%proc.pname command=%proc.cmdline uid=%evt.arg.uid)"
   priority: WARNING
+  tags: [users]
 
 - rule: User mgmt binaries
   desc: activity by any programs that can manage users, passwords, or permissions. sudo and su are excluded. Activity in containers is also excluded--some containers create custom users on top of a base linux distribution at startup.
   condition: spawned_process and proc.name in (user_mgmt_binaries) and not proc.name in (su, sudo) and not container and not proc.pname in (cron_binaries, systemd, run-parts)
   output: "User management binary command run outside of container (user=%user.name command=%proc.cmdline parent=%proc.pname)"
   priority: WARNING
+  tags: [host, users]
+
+- list: allowed_dev_files
+  items: [/dev/null, /dev/stdin, /dev/stdout, /dev/stderr, /dev/tty, /dev/random, /dev/urandom, /dev/console]
 
 # (we may need to add additional checks against false positives, see: https://bugs.launchpad.net/ubuntu/+source/rkhunter/+bug/86153)
 - rule: Create files below dev
   desc: creating any files below /dev other than known programs that manage devices. Some rootkits hide files in /dev.
-  condition: fd.directory = /dev and (evt.type = creat or (evt.type = open and evt.arg.flags contains O_CREAT)) and proc.name != blkid and not fd.name in (/dev/null,/dev/stdin,/dev/stdout,/dev/stderr,/dev/tty)
+  condition: >
+    fd.directory = /dev and
+    (evt.type = creat or (evt.type = open and evt.arg.flags contains O_CREAT))
+    and not proc.name in (dev_creation_binaries)
+    and not fd.name in (allowed_dev_files)
   output: "File created below /dev by untrusted program (user=%user.name command=%proc.cmdline file=%fd.name)"
   priority: WARNING
+  tags: [filesystem]
 
 # fbash is a small shell script that runs bash, and is suitable for use in curl <curl> | fbash installers.
 - rule: Installer bash starts network server
@@ -368,18 +489,21 @@
   condition: evt.type=listen and proc.sname=fbash
   output: "Unexpected listen call by a process in a fbash session (command=%proc.cmdline)"
   priority: WARNING
+  tags: [network]
 
 - rule: Installer bash starts session
   desc: an attempt by a program in a pipe installer session to start a new session
   condition: evt.type=setsid and proc.sname=fbash
   output: "Unexpected setsid call by a process in fbash session (command=%proc.cmdline)"
   priority: WARNING
+  tags: [process]
 
 - rule: Installer bash non https connection
   desc: an attempt by a program in a pipe installer session to make an outgoing connection on a non-http(s) port
   condition: proc.sname=fbash and outbound and not fd.sport in (80, 443, 53)
   output: "Outbound connection on non-http(s) port by a process in a fbash session (command=%proc.cmdline connection=%fd.name)"
   priority: WARNING
+  tags: [network]
 
 # It'd be nice if we could warn when processes in a fbash session try
 # to download from any nonstandard location? This is probably blocked
@@ -393,6 +517,7 @@
   condition: evt.type=execve and proc.name in (chkconfig, systemctl) and proc.sname=fbash
   output: "Service management program run by process in a fbash session (command=%proc.cmdline)"
   priority: INFO
+  tags: [software_mgmt]
 
 # Notice when processes try to run any package management binary within a fbash session.
 # Note: this is not a WARNING, as you'd expect some package management
@@ -402,6 +527,7 @@
   condition: evt.type=execve and package_mgmt_procs and proc.sname=fbash
   output: "Package management program run by process in a fbash session (command=%proc.cmdline)"
   priority: INFO
+  tags: [software_mgmt]
 
 ###########################
 # Application-Related Rules

test/falco_test.py

@@ -56,6 +56,16 @@ class FalcoTest(Test):
         for rule in self.disabled_rules:
             self.disabled_args = self.disabled_args + "-D " + rule + " "
 
+        self.detect_counts = self.params.get('detect_counts', '*', default=False)
+        if self.detect_counts == False:
+            self.detect_counts = {}
+        else:
+            detect_counts = {}
+            for item in self.detect_counts:
+                for item2 in item:
+                    detect_counts[item2[0]] = item2[1]
+            self.detect_counts = detect_counts
+
         self.rules_warning = self.params.get('rules_warning', '*', default=False)
         if self.rules_warning == False:
             self.rules_warning = sets.Set()
@@ -103,6 +113,16 @@ class FalcoTest(Test):
                     outputs.append(output)
             self.outputs = outputs
 
+        self.disable_tags = self.params.get('disable_tags', '*', default='')
+
+        if self.disable_tags == '':
+            self.disable_tags=[]
+
+        self.run_tags = self.params.get('run_tags', '*', default='')
+
+        if self.run_tags == '':
+            self.run_tags=[]
+
     def check_rules_warnings(self, res):
 
         found_warning = sets.Set()
@@ -161,6 +181,28 @@ class FalcoTest(Test):
                     if not events_detected > 0:
                         self.fail("Detected {} events at level {} when should have detected > 0".format(events_detected, level))
 
+    def check_detections_by_rule(self, res):
+        # Get the number of events detected for each rule. Must match the expected counts.
+        match = re.search('Triggered rules by rule name:(.*)', res.stdout, re.DOTALL)
+        if match is None:
+            self.fail("Could not find a block 'Triggered rules by rule name: ...' in falco output")
+
+        triggered_rules = match.group(1)
+
+        for rule, count in self.detect_counts.iteritems():
+            expected = '{}: (\d+)'.format(rule)
+            match = re.search(expected, triggered_rules)
+
+            if match is None:
+                actual_count = 0
+            else:
+                actual_count = int(match.group(1))
+
+            if actual_count != count:
+                self.fail("Different counts for rule {}: expected={}, actual={}".format(rule, count, actual_count))
+            else:
+                self.log.debug("Found expected count for rule {}: {}".format(rule, count))
+
     def check_outputs(self):
         for output in self.outputs:
             # Open the provided file and match each line against the
@@ -196,6 +238,12 @@ class FalcoTest(Test):
         cmd = '{}/userspace/falco/falco {} {} -c {} -e {} -o json_output={} -v'.format(
             self.falcodir, self.rules_args, self.disabled_args, self.conf_file, self.trace_file, self.json_output)
 
+        for tag in self.disable_tags:
+            cmd += ' -T {}'.format(tag)
+
+        for tag in self.run_tags:
+            cmd += ' -t {}'.format(tag)
+
         self.falco_proc = process.SubProcess(cmd)
 
         res = self.falco_proc.run(timeout=180, sig=9)
@@ -222,6 +270,8 @@ class FalcoTest(Test):
         if len(self.rules_events) > 0:
             self.check_rules_events(res)
         self.check_detections(res)
+        if len(self.detect_counts) > 0:
+            self.check_detections_by_rule(res)
         self.check_json_output(res)
         self.check_outputs()
         pass

test/falco_tests.yaml.in

@@ -154,6 +154,25 @@ trace_files: !mux
       - rules/single_rule_enabled_flag.yaml
     trace_file: trace_files/cat_write.scap
 
+  disabled_and_enabled_rules_1:
+    exit_status: 1
+    stderr_contains: "Runtime error: You can not specify both disabled .-D/-T. and enabled .-t. rules. Exiting."
+    disable_tags: [a]
+    run_tags: [a]
+    rules_file:
+      - rules/single_rule.yaml
+    trace_file: trace_files/cat_write.scap
+
+  disabled_and_enabled_rules_2:
+    exit_status: 1
+    stderr_contains: "Runtime error: You can not specify both disabled .-D/-T. and enabled .-t. rules. Exiting."
+    disabled_rules:
+      - "open.*"
+    run_tags: [a]
+    rules_file:
+      - rules/single_rule.yaml
+    trace_file: trace_files/cat_write.scap
+
   null_output_field:
     detect: True
     detect_level: WARNING
@@ -181,3 +200,286 @@ trace_files: !mux
     trace_file: trace_files/cat_write.scap
     outputs:
       - /tmp/falco_outputs/program_output.txt: Warning An open was seen
+
+  detect_counts:
+    detect: True
+    detect_level: WARNING
+    trace_file: traces-positive/falco-event-generator.scap
+    detect_counts:
+      - "Write below binary dir": 1
+      - "Read sensitive file untrusted": 3
+      - "Run shell in container": 1
+      - "Write below rpm database": 1
+      - "Write below etc": 1
+      - "System procs network activity": 1
+      - "Mkdir binary dirs": 1
+      - "System user interactive": 1
+      - "DB program spawned process": 1
+      - "Non sudo setuid": 1
+      - "Create files below dev": 1
+      - "Modify binary dirs": 2
+      - "Change thread namespace": 2
+
+  disabled_tags_a:
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/tagged_rules.yaml
+    trace_file: trace_files/open-multiple-files.scap
+    disable_tags: [a]
+    detect_counts:
+      - open_1: 0
+      - open_2: 1
+      - open_3: 1
+      - open_4: 0
+      - open_5: 0
+      - open_6: 1
+      - open_7: 0
+      - open_8: 0
+      - open_9: 0
+      - open_10: 0
+      - open_11: 1
+      - open_12: 1
+      - open_13: 1
+
+  disabled_tags_b:
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/tagged_rules.yaml
+    trace_file: trace_files/open-multiple-files.scap
+    disable_tags: [b]
+    detect_counts:
+      - open_1: 1
+      - open_2: 0
+      - open_3: 1
+      - open_4: 0
+      - open_5: 1
+      - open_6: 0
+      - open_7: 0
+      - open_8: 0
+      - open_9: 1
+      - open_10: 0
+      - open_11: 1
+      - open_12: 1
+      - open_13: 1
+
+  disabled_tags_c:
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/tagged_rules.yaml
+    trace_file: trace_files/open-multiple-files.scap
+    disable_tags: [c]
+    detect_counts:
+      - open_1: 1
+      - open_2: 1
+      - open_3: 0
+      - open_4: 1
+      - open_5: 0
+      - open_6: 0
+      - open_7: 0
+      - open_8: 1
+      - open_9: 0
+      - open_10: 0
+      - open_11: 1
+      - open_12: 1
+      - open_13: 1
+
+  disabled_tags_ab:
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/tagged_rules.yaml
+    trace_file: trace_files/open-multiple-files.scap
+    disable_tags: [a, b]
+    detect_counts:
+      - open_1: 0
+      - open_2: 0
+      - open_3: 1
+      - open_4: 0
+      - open_5: 0
+      - open_6: 0
+      - open_7: 0
+      - open_8: 0
+      - open_9: 0
+      - open_10: 0
+      - open_11: 1
+      - open_12: 1
+      - open_13: 1
+
+  disabled_tags_abc:
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/tagged_rules.yaml
+    trace_file: trace_files/open-multiple-files.scap
+    disable_tags: [a, b, c]
+    detect_counts:
+      - open_1: 0
+      - open_2: 0
+      - open_3: 0
+      - open_4: 0
+      - open_5: 0
+      - open_6: 0
+      - open_7: 0
+      - open_8: 0
+      - open_9: 0
+      - open_10: 0
+      - open_11: 1
+      - open_12: 1
+      - open_13: 1
+
+  run_tags_a:
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/tagged_rules.yaml
+    trace_file: trace_files/open-multiple-files.scap
+    run_tags: [a]
+    detect_counts:
+      - open_1: 1
+      - open_2: 0
+      - open_3: 0
+      - open_4: 1
+      - open_5: 1
+      - open_6: 0
+      - open_7: 1
+      - open_8: 1
+      - open_9: 1
+      - open_10: 1
+      - open_11: 0
+      - open_12: 0
+      - open_13: 0
+
+  run_tags_b:
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/tagged_rules.yaml
+    trace_file: trace_files/open-multiple-files.scap
+    run_tags: [b]
+    detect_counts:
+      - open_1: 0
+      - open_2: 1
+      - open_3: 0
+      - open_4: 1
+      - open_5: 0
+      - open_6: 1
+      - open_7: 1
+      - open_8: 1
+      - open_9: 0
+      - open_10: 1
+      - open_11: 0
+      - open_12: 0
+      - open_13: 0
+
+  run_tags_c:
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/tagged_rules.yaml
+    trace_file: trace_files/open-multiple-files.scap
+    run_tags: [c]
+    detect_counts:
+      - open_1: 0
+      - open_2: 0
+      - open_3: 1
+      - open_4: 0
+      - open_5: 1
+      - open_6: 1
+      - open_7: 1
+      - open_8: 0
+      - open_9: 1
+      - open_10: 1
+      - open_11: 0
+      - open_12: 0
+      - open_13: 0
+
+  run_tags_ab:
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/tagged_rules.yaml
+    trace_file: trace_files/open-multiple-files.scap
+    run_tags: [a, b]
+    detect_counts:
+      - open_1: 1
+      - open_2: 1
+      - open_3: 0
+      - open_4: 1
+      - open_5: 1
+      - open_6: 1
+      - open_7: 1
+      - open_8: 1
+      - open_9: 1
+      - open_10: 1
+      - open_11: 0
+      - open_12: 0
+      - open_13: 0
+
+  run_tags_bc:
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/tagged_rules.yaml
+    trace_file: trace_files/open-multiple-files.scap
+    run_tags: [b, c]
+    detect_counts:
+      - open_1: 0
+      - open_2: 1
+      - open_3: 1
+      - open_4: 1
+      - open_5: 1
+      - open_6: 1
+      - open_7: 1
+      - open_8: 1
+      - open_9: 1
+      - open_10: 1
+      - open_11: 0
+      - open_12: 0
+      - open_13: 0
+
+  run_tags_abc:
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/tagged_rules.yaml
+    trace_file: trace_files/open-multiple-files.scap
+    run_tags: [a, b, c]
+    detect_counts:
+      - open_1: 1
+      - open_2: 1
+      - open_3: 1
+      - open_4: 1
+      - open_5: 1
+      - open_6: 1
+      - open_7: 1
+      - open_8: 1
+      - open_9: 1
+      - open_10: 1
+      - open_11: 0
+      - open_12: 0
+      - open_13: 0
+
+  run_tags_d:
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/tagged_rules.yaml
+    trace_file: trace_files/open-multiple-files.scap
+    run_tags: [d]
+    detect_counts:
+      - open_1: 0
+      - open_2: 0
+      - open_3: 0
+      - open_4: 0
+      - open_5: 0
+      - open_6: 0
+      - open_7: 0
+      - open_8: 0
+      - open_9: 0
+      - open_10: 0
+      - open_11: 1
+      - open_12: 0
+      - open_13: 0

test/rules/tagged_rules.yaml

@@ -0,0 +1,93 @@
+- macro: open_read
+  condition: (evt.type=open or evt.type=openat) and evt.is_open_read=true and fd.typechar='f'
+
+- rule: open_1
+  desc: open one
+  condition: open_read and fd.name=/tmp/file-1
+  output: Open one (file=%fd.name)
+  priority: WARNING
+  tags: [a]
+
+- rule: open_2
+  desc: open two
+  condition: open_read and fd.name=/tmp/file-2
+  output: Open two (file=%fd.name)
+  priority: WARNING
+  tags: [b]
+
+- rule: open_3
+  desc: open three
+  condition: open_read and fd.name=/tmp/file-3
+  output: Open three (file=%fd.name)
+  priority: WARNING
+  tags: [c]
+
+- rule: open_4
+  desc: open four
+  condition: open_read and fd.name=/tmp/file-4
+  output: Open four (file=%fd.name)
+  priority: WARNING
+  tags: [a, b]
+
+- rule: open_5
+  desc: open file
+  condition: open_read and fd.name=/tmp/file-5
+  output: Open file (file=%fd.name)
+  priority: WARNING
+  tags: [a, c]
+
+- rule: open_6
+  desc: open six
+  condition: open_read and fd.name=/tmp/file-6
+  output: Open six (file=%fd.name)
+  priority: WARNING
+  tags: [b, c]
+
+- rule: open_7
+  desc: open seven
+  condition: open_read and fd.name=/tmp/file-7
+  output: Open seven (file=%fd.name)
+  priority: WARNING
+  tags: [a, b, c]
+
+- rule: open_8
+  desc: open eight
+  condition: open_read and fd.name=/tmp/file-8
+  output: Open eight (file=%fd.name)
+  priority: WARNING
+  tags: [b, a]
+
+- rule: open_9
+  desc: open nine
+  condition: open_read and fd.name=/tmp/file-9
+  output: Open nine (file=%fd.name)
+  priority: WARNING
+  tags: [c, a]
+
+- rule: open_10
+  desc: open ten
+  condition: open_read and fd.name=/tmp/file-10
+  output: Open ten (file=%fd.name)
+  priority: WARNING
+  tags: [b, c, a]
+
+- rule: open_11
+  desc: open eleven
+  condition: open_read and fd.name=/tmp/file-11
+  output: Open eleven (file=%fd.name)
+  priority: WARNING
+  tags: [d]
+
+- rule: open_12
+  desc: open twelve
+  condition: open_read and fd.name=/tmp/file-12
+  output: Open twelve (file=%fd.name)
+  priority: WARNING
+  tags: []
+
+- rule: open_13
+  desc: open thirteen
+  condition: open_read and fd.name=/tmp/file-13
+  output: Open thirteen (file=%fd.name)
+  priority: WARNING
+

userspace/engine/falco_engine.cpp

@@ -40,7 +40,8 @@ string lua_print_stats = "print_stats";
 using namespace std;
 
 falco_engine::falco_engine(bool seed_rng)
-	: m_rules(NULL), m_sampling_ratio(1), m_sampling_multiplier(0),
+	: m_rules(NULL), m_next_ruleset_id(0),
+	  m_sampling_ratio(1), m_sampling_multiplier(0),
 	  m_replace_container_info(false)
 {
 	luaopen_lpeg(m_ls);
@@ -55,6 +56,8 @@ falco_engine::falco_engine(bool seed_rng)
 	{
 		srandom((unsigned) getpid());
 	}
+
+	m_default_ruleset_id = find_ruleset_id(m_default_ruleset);
 }
 
 falco_engine::~falco_engine()
@@ -107,20 +110,52 @@ void falco_engine::load_rules_file(const string &rules_filename, bool verbose, b
 	load_rules(rules_content, verbose, all_events);
 }
 
-void falco_engine::enable_rule(string &pattern, bool enabled)
+void falco_engine::enable_rule(const string &pattern, bool enabled, const string &ruleset)
 {
-	m_evttype_filter->enable(pattern, enabled);
+	uint16_t ruleset_id = find_ruleset_id(ruleset);
+
+	m_evttype_filter->enable(pattern, enabled, ruleset_id);
 }
 
-unique_ptr<falco_engine::rule_result> falco_engine::process_event(sinsp_evt *ev)
+void falco_engine::enable_rule(const string &pattern, bool enabled)
 {
+	enable_rule(pattern, enabled, m_default_ruleset);
+}
 
+void falco_engine::enable_rule_by_tag(const set<string> &tags, bool enabled, const string &ruleset)
+{
+	uint16_t ruleset_id = find_ruleset_id(ruleset);
+
+	m_evttype_filter->enable_tags(tags, enabled, ruleset_id);
+}
+
+void falco_engine::enable_rule_by_tag(const set<string> &tags, bool enabled)
+{
+	enable_rule_by_tag(tags, enabled, m_default_ruleset);
+}
+
+uint16_t falco_engine::find_ruleset_id(const std::string &ruleset)
+{
+	auto it = m_known_rulesets.lower_bound(ruleset);
+
+	if(it == m_known_rulesets.end() ||
+	   it->first != ruleset)
+	{
+		it = m_known_rulesets.emplace_hint(it,
+						   std::make_pair(ruleset, m_next_ruleset_id++));
+	}
+
+	return it->second;
+}
+
+unique_ptr<falco_engine::rule_result> falco_engine::process_event(sinsp_evt *ev, uint16_t ruleset_id)
+{
 	if(should_drop_evt())
 	{
 		return unique_ptr<struct rule_result>();
 	}
 
-	if(!m_evttype_filter->run(ev))
+	if(!m_evttype_filter->run(ev, ruleset_id))
 	{
 		return unique_ptr<struct rule_result>();
 	}
@@ -155,6 +190,11 @@ unique_ptr<falco_engine::rule_result> falco_engine::process_event(sinsp_evt *ev)
 	return res;
 }
 
+unique_ptr<falco_engine::rule_result> falco_engine::process_event(sinsp_evt *ev)
+{
+	return process_event(ev, m_default_ruleset_id);
+}
+
 void falco_engine::describe_rule(string *rule)
 {
 	return m_rules->describe_rule(rule);
@@ -182,10 +222,11 @@ void falco_engine::print_stats()
 }
 
 void falco_engine::add_evttype_filter(string &rule,
-				      list<uint32_t> &evttypes,
+				      set<uint32_t> &evttypes,
+				      set<string> &tags,
 				      sinsp_filter* filter)
 {
-	m_evttype_filter->add(rule, evttypes, filter);
+	m_evttype_filter->add(rule, evttypes, tags, filter);
 }
 
 void falco_engine::clear_filters()

userspace/engine/falco_engine.h

@@ -20,6 +20,7 @@ along with falco.  If not, see <http://www.gnu.org/licenses/>.
 
 #include <string>
 #include <memory>
+#include <set>
 
 #include "sinsp.h"
 #include "filter.h"
@@ -47,9 +48,24 @@ public:
 	void load_rules(const std::string &rules_content, bool verbose, bool all_events);
 
 	//
-	// Enable/Disable any rules matching the provided pattern (regex).
+	// Enable/Disable any rules matching the provided pattern
+	// (regex). When provided, enable/disable these rules in the
+	// context of the provided ruleset. The ruleset (id) can later
+	// be passed as an argument to process_event(). This allows
+	// for different sets of rules being active at once.
 	//
-	void enable_rule(std::string &pattern, bool enabled);
+	void enable_rule(const std::string &pattern, bool enabled, const std::string &ruleset);
+
+	// Wrapper that assumes the default ruleset
+	void enable_rule(const std::string &pattern, bool enabled);
+
+	//
+	// Enable/Disable any rules with any of the provided tags (set, exact matches only)
+	//
+	void enable_rule_by_tag(const std::set<std::string> &tags, bool enabled, const std::string &ruleset);
+
+	// Wrapper that assumes the default ruleset
+	void enable_rule_by_tag(const std::set<std::string> &tags, bool enabled);
 
 	struct rule_result {
 		sinsp_evt *evt;
@@ -58,12 +74,30 @@ public:
 		std::string format;
 	};
 
+	//
+	// Return the ruleset id corresponding to this ruleset name,
+	// creating a new one if necessary. If you provide any ruleset
+	// to enable_rule/enable_rule_by_tag(), you should look up the
+	// ruleset id and pass it to process_event().
+	//
+	uint16_t find_ruleset_id(const std::string &ruleset);
+
 	//
 	// Given an event, check it against the set of rules in the
 	// engine and if a matching rule is found, return details on
 	// the rule that matched. If no rule matched, returns NULL.
 	//
-	// the reutrned rule_result is allocated and must be delete()d.
+	// When ruleset_id is provided, use the enabled/disabled status
+	// associated with the provided ruleset. This is only useful
+	// when you have previously called enable_rule/enable_rule_by_tag
+	// with a ruleset string.
+	//
+	// the returned rule_result is allocated and must be delete()d.
+	std::unique_ptr<rule_result> process_event(sinsp_evt *ev, uint16_t ruleset_id);
+
+	//
+	// Wrapper assuming the default ruleset
+	//
 	std::unique_ptr<rule_result> process_event(sinsp_evt *ev);
 
 	//
@@ -78,11 +112,12 @@ public:
 	void print_stats();
 
 	//
-	// Add a filter, which is related to the specified list of
+	// Add a filter, which is related to the specified set of
 	// event types, to the engine.
 	//
 	void add_evttype_filter(std::string &rule,
-				list<uint32_t> &evttypes,
+				std::set<uint32_t> &evttypes,
+				std::set<std::string> &tags,
 				sinsp_filter* filter);
 
 	// Clear all existing filters.
@@ -120,6 +155,8 @@ private:
 	inline bool should_drop_evt();
 
 	falco_rules *m_rules;
+	uint16_t m_next_ruleset_id;
+	std::map<string, uint16_t> m_known_rulesets;
 	std::unique_ptr<sinsp_evttype_filter> m_evttype_filter;
 
 	//
@@ -146,6 +183,8 @@ private:
 	double m_sampling_multiplier;
 
 	std::string m_lua_main_filename = "rule_loader.lua";
+	std::string m_default_ruleset = "falco-default-ruleset";
+	uint32_t m_default_ruleset_id;
 
 	std::string m_extra;
 	bool m_replace_container_info;

userspace/engine/lua/rule_loader.lua

@@ -308,8 +308,12 @@ function load_rules(rules_content, rules_mgr, verbose, all_events, extra, replac
 
 	 install_filter(filter_ast.filter.value)
 
+	 if (v['tags'] == nil) then
+	    v['tags'] = {}
+	 end
+
 	 -- Pass the filter and event types back up
-	 falco_rules.add_filter(rules_mgr, v['rule'], evttypes)
+	 falco_rules.add_filter(rules_mgr, v['rule'], evttypes, v['tags'])
 
 	 -- Rule ASTs are merged together into one big AST, with "OR" between each
 	 -- rule.

userspace/engine/rules.cpp

@@ -65,42 +65,55 @@ void falco_rules::clear_filters()
 
 int falco_rules::add_filter(lua_State *ls)
 {
-	if (! lua_islightuserdata(ls, -3) ||
-	    ! lua_isstring(ls, -2) ||
+	if (! lua_islightuserdata(ls, -4) ||
+	    ! lua_isstring(ls, -3) ||
+	    ! lua_istable(ls, -2) ||
 	    ! lua_istable(ls, -1))
 	{
 		throw falco_exception("Invalid arguments passed to add_filter()\n");
 	}
 
-	falco_rules *rules = (falco_rules *) lua_topointer(ls, -3);
-	const char *rulec = lua_tostring(ls, -2);
+	falco_rules *rules = (falco_rules *) lua_topointer(ls, -4);
+	const char *rulec = lua_tostring(ls, -3);
 
-	list<uint32_t> evttypes;
+	set<uint32_t> evttypes;
+
+	lua_pushnil(ls);  /* first key */
+	while (lua_next(ls, -3) != 0) {
+                // key is at index -2, value is at index
+                // -1. We want the keys.
+		evttypes.insert(luaL_checknumber(ls, -2));
+
+		// Remove value, keep key for next iteration
+		lua_pop(ls, 1);
+	}
+
+	set<string> tags;
 
 	lua_pushnil(ls);  /* first key */
 	while (lua_next(ls, -2) != 0) {
                 // key is at index -2, value is at index
                 // -1. We want the keys.
-		evttypes.push_back(luaL_checknumber(ls, -2));
+		tags.insert(lua_tostring(ls, -1));
 
 		// Remove value, keep key for next iteration
 		lua_pop(ls, 1);
 	}
 
 	std::string rule = rulec;
-	rules->add_filter(rule, evttypes);
+	rules->add_filter(rule, evttypes, tags);
 
 	return 0;
 }
 
-void falco_rules::add_filter(string &rule, list<uint32_t> &evttypes)
+void falco_rules::add_filter(string &rule, set<uint32_t> &evttypes, set<string> &tags)
 {
 	// While the current rule was being parsed, a sinsp_filter
 	// object was being populated by lua_parser. Grab that filter
 	// and pass it to the engine.
 	sinsp_filter *filter = m_lua_parser->get_filter(true);
 
-	m_engine->add_evttype_filter(rule, evttypes, filter);
+	m_engine->add_evttype_filter(rule, evttypes, tags, filter);
 }
 
 int falco_rules::enable_rule(lua_State *ls)

userspace/engine/rules.h

@@ -18,7 +18,7 @@ along with falco.  If not, see <http://www.gnu.org/licenses/>.
 
 #pragma once
 
-#include <list>
+#include <set>
 
 #include "sinsp.h"
 
@@ -42,7 +42,7 @@ class falco_rules
 
  private:
 	void clear_filters();
-	void add_filter(string &rule, list<uint32_t> &evttypes);
+	void add_filter(string &rule, std::set<uint32_t> &evttypes, std::set<string> &tags);
 	void enable_rule(string &rule, bool enabled);
 
 	lua_parser* m_lua_parser;

userspace/falco/falco.cpp

@@ -60,6 +60,7 @@ static void usage()
 	   " -A                            Monitor all events, including those with EF_DROP_FALCO flag.\n"
 	   " -d, --daemon                  Run as a daemon\n"
 	   " -D <pattern>                  Disable any rules matching the regex <pattern>. Can be specified multiple times.\n"
+	   "                               Can not be specified with -t.\n"
            " -e <events_file>              Read the events from <events_file> (in .scap format) instead of tapping into live.\n"
 	   " -k <url>, --k8s-api=<url>\n"
 	   "                               Enable Kubernetes support by connecting to the API server\n"
@@ -100,6 +101,10 @@ static void usage()
 	   "                               Can be specified multiple times to read from multiple files.\n"
 	   " -s <stats_file>               If specified, write statistics related to falco's reading/processing of events\n"
 	   "                               to this file. (Only useful in live mode).\n"
+	   " -T <tag>                      Disable any rules with a tag=<tag>. Can be specified multiple times.\n"
+	   "                               Can not be specified with -t.\n"
+	   " -t <tag>                      Only run those rules with a tag=<tag>. Can be specified multiple times.\n"
+	   "                               Can not be specified with -T/-D.\n"
 	   " -v                            Verbose output.\n"
 	   "\n"
     );
@@ -259,12 +264,15 @@ int falco_init(int argc, char **argv)
 	{
 		set<string> disabled_rule_patterns;
 		string pattern;
+		string all_rules = ".*";
+		set<string> disabled_rule_tags;
+		set<string> enabled_rule_tags;
 
 		//
 		// Parse the args
 		//
 		while((op = getopt_long(argc, argv,
-                                        "hc:AdD:e:k:K:Ll:m:o:P:p:r:s:vw:",
+                                        "hc:AdD:e:k:K:Ll:m:o:P:p:r:s:T:t:vw:",
                                         long_options, &long_index)) != -1)
 		{
 			switch(op)
@@ -339,6 +347,12 @@ int falco_init(int argc, char **argv)
 			case 's':
 				stats_filename = optarg;
 				break;
+			case 'T':
+				disabled_rule_tags.insert(optarg);
+				break;
+			case 't':
+				enabled_rule_tags.insert(optarg);
+				break;
 			case 'v':
 				verbose = true;
 				break;
@@ -421,12 +435,40 @@ int falco_init(int argc, char **argv)
 			falco_logger::log(LOG_INFO, "Parsed rules from file " + filename + "\n");
 		}
 
+		// You can't both disable and enable rules
+		if((disabled_rule_patterns.size() + disabled_rule_tags.size() > 0) &&
+		    enabled_rule_tags.size() > 0) {
+			throw std::invalid_argument("You can not specify both disabled (-D/-T) and enabled (-t) rules");
+		}
+
 		for (auto pattern : disabled_rule_patterns)
 		{
 			falco_logger::log(LOG_INFO, "Disabling rules matching pattern: " + pattern + "\n");
 			engine->enable_rule(pattern, false);
 		}
 
+		if(disabled_rule_tags.size() > 0)
+		{
+			for(auto tag : disabled_rule_tags)
+			{
+				falco_logger::log(LOG_INFO, "Disabling rules with tag: " + tag + "\n");
+			}
+			engine->enable_rule_by_tag(disabled_rule_tags, false);
+		}
+
+		if(enabled_rule_tags.size() > 0)
+		{
+
+			// Since we only want to enable specific
+			// rules, first disable all rules.
+			engine->enable_rule(all_rules, false);
+			for(auto tag : enabled_rule_tags)
+			{
+				falco_logger::log(LOG_INFO, "Enabling rules with tag: " + tag + "\n");
+			}
+			engine->enable_rule_by_tag(enabled_rule_tags, true);
+		}
+
 		outputs->init(config.m_json_output, config.m_notifications_rate, config.m_notifications_max_burst);
 
 		if(!all_events)