docs: update CHANGELOG

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>

.circleci/config.yml

@@ -368,59 +368,49 @@ jobs:
           root: /
           paths:
             - build/release/*.rpm
-  # Publish the packages
+  # Publish the dev packages
   "publish/packages-dev":
     docker:
-      - image: docker.bintray.io/jfrog/jfrog-cli-go:latest
+      - image: docker.io/centos:7
     steps:
       - attach_workspace:
           at: /
       - run:
-          name: Create versions
+          name: Setup
           command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt vs falcosecurity/deb-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/deb-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
-            jfrog bt vs falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/rpm-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
-            jfrog bt vs falcosecurity/bin-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/bin-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
-      - run:
-          name: Publish deb-dev
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb-dev/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish --override
+            yum install epel-release -y
+            yum update -y
+            yum install createrepo gpg python python-pip -y
+            pip install awscli==1.19.47
+            echo $GPG_KEY | base64 -d | gpg --import
       - run:
           name: Publish rpm-dev
           command: |
             FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
+            /source/falco/scripts/publish-rpm -f /build/release/falco-${FALCO_VERSION}-x86_64.rpm -r rpm-dev
       - run:
           name: Publish bin-dev
           command: |
             FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin-dev/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
-  # Clenup the Falco development release packages
-  "cleanup/packages-dev":
+            /source/falco/scripts/publish-bin -f /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz -r bin-dev -a x86_64
+  "publish/packages-deb-dev":
     docker:
-      - image: docker.bintray.io/jfrog/jfrog-cli-go:latest
+      - image: docker.io/debian:stable
     steps:
-      - checkout:
-          path: /source/falco
+      - attach_workspace:
+          at: /
       - run:
-          name: Prepare env
+          name: Setup
           command: |
-            apk add --no-cache --update
-            apk add curl jq
+            apt update -y
+            apt-get install apt-utils bzip2 gpg python python-pip -y
+            pip install awscli
+            echo $GPG_KEY | base64 -d | gpg --import
       - run:
-          name: Only keep the 10 most recent Falco development release tarballs
+          name: Publish deb-dev
           command: |
-            /source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r bin-dev
-      - run:
-          name: Only keep the 50 most recent Falco development release RPMs
-          command: |
-            /source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r rpm-dev
-      - run:
-          name: Only keep the 50 most recent Falco development release DEBs
-          command: |
-            /source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r deb-dev
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            /source/falco/scripts/publish-deb -f /build/release/falco-${FALCO_VERSION}-x86_64.deb -r deb-dev
   # Publish docker packages
   "publish/docker-dev":
     docker:
@@ -462,7 +452,19 @@ jobs:
       - checkout
       - setup_remote_docker
       - run:
-          name: Build and publish falco to AWS
+          name: Build and publish no-driver (dev) to AWS
+          command: |
+            apk update
+            apk add --update groff less py-pip
+            pip install awscli
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            docker build --build-arg VERSION_BUCKET=bin-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t "public.ecr.aws/falcosecurity/falco-no-driver:master" docker/no-driver
+            docker tag public.ecr.aws/falcosecurity/falco-no-driver:master public.ecr.aws/falcosecurity/falco:master-slim
+            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
+            docker push "public.ecr.aws/falcosecurity/falco-no-driver:master"
+            docker push "public.ecr.aws/falcosecurity/falco:master-slim"
+      - run:
+          name: Build and publish falco (dev) to AWS
           command: |
             apk update
             apk add --update groff less py-pip
@@ -471,35 +473,58 @@ jobs:
             docker build --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t "public.ecr.aws/falcosecurity/falco:master" docker/falco
             aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
             docker push "public.ecr.aws/falcosecurity/falco:master"
+      - run:
+          name: Build and publish driver-loader (dev) to AWS
+          command: |
+            apk update
+            apk add --update groff less py-pip
+            pip install awscli
+            docker build --build-arg FALCO_IMAGE_TAG=master -t "public.ecr.aws/falcosecurity/falco-driver-loader:master" docker/driver-loader
+            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
+            docker push "public.ecr.aws/falcosecurity/falco-driver-loader:master"
   # Publish the packages
   "publish/packages":
     docker:
-      - image: docker.bintray.io/jfrog/jfrog-cli-go:latest
+      - image: docker.io/centos:7
     steps:
       - attach_workspace:
           at: /
       - run:
-          name: Create versions
+          name: Setup
           command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt vs falcosecurity/deb/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/deb/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
-            jfrog bt vs falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/rpm/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
-            jfrog bt vs falcosecurity/bin/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/bin/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
-      - run:
-          name: Publish deb
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish --override
+            yum install epel-release -y
+            yum update -y
+            yum install createrepo gpg python python-pip -y
+            pip install awscli==1.19.47
+            echo $GPG_KEY | base64 -d | gpg --import
       - run:
           name: Publish rpm
           command: |
             FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
+            /source/falco/scripts/publish-rpm -f /build/release/falco-${FALCO_VERSION}-x86_64.rpm -r rpm
       - run:
           name: Publish bin
           command: |
             FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
+            /source/falco/scripts/publish-bin -f /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz -r bin -a x86_64
+  "publish/packages-deb":
+    docker:
+      - image: docker.io/debian:stable
+    steps:
+      - attach_workspace:
+          at: /
+      - run:
+          name: Setup
+          command: |
+            apt update -y
+            apt-get install apt-utils bzip2 gpg python python-pip -y
+            pip install awscli
+            echo $GPG_KEY | base64 -d | gpg --import
+      - run:
+          name: Publish deb
+          command: |
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            /source/falco/scripts/publish-deb -f /build/release/falco-${FALCO_VERSION}-x86_64.deb -r deb
   # Publish docker packages
   "publish/docker":
     docker:
@@ -546,6 +571,21 @@ jobs:
           at: /
       - checkout
       - setup_remote_docker
+      - run:
+          name: Build and publish no-driver to AWS
+          command: |
+            apk update
+            apk add --update groff less py-pip
+            pip install awscli
+            docker build --build-arg VERSION_BUCKET=bin --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" docker/no-driver
+            docker tag "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" public.ecr.aws/falcosecurity/falco-no-driver:latest
+            docker tag "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}-slim"
+            docker tag "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}" "public.ecr.aws/falcosecurity/falco:latest-slim"
+            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
+            docker push "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}-slim"
+            docker push "public.ecr.aws/falcosecurity/falco:latest-slim"
+            docker push "public.ecr.aws/falcosecurity/falco-no-driver:${CIRCLE_TAG}"
+            docker push "public.ecr.aws/falcosecurity/falco-no-driver:latest"
       - run:
           name: Build and publish falco to AWS
           command: |
@@ -557,6 +597,17 @@ jobs:
             aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
             docker push "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}"
             docker push "public.ecr.aws/falcosecurity/falco:latest"
+      - run:
+          name: Build and publish falco-driver-loader to AWS
+          command: |
+            apk update
+            apk add --update groff less py-pip
+            pip install awscli
+            docker build --build-arg FALCO_IMAGE_TAG=${CIRCLE_TAG} -t "public.ecr.aws/falcosecurity/falco-driver-loader:${CIRCLE_TAG}" docker/driver-loader
+            docker tag "public.ecr.aws/falcosecurity/falco-driver-loader:${CIRCLE_TAG}" public.ecr.aws/falcosecurity/falco-driver-loader:latest
+            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
+            docker push "public.ecr.aws/falcosecurity/falco-driver-loader:${CIRCLE_TAG}"
+            docker push "public.ecr.aws/falcosecurity/falco-driver-loader:latest"
 workflows:
   version: 2
   build_and_test:
@@ -588,7 +639,9 @@ workflows:
           requires:
             - "tests/integration"
       - "publish/packages-dev":
-          context: falco
+          context:
+            - falco
+            - test-infra
           filters:
             tags:
               ignore: /.*/
@@ -597,15 +650,17 @@ workflows:
           requires:
             - "rpm/sign"
             - "tests/integration-static"
-      - "cleanup/packages-dev":
-          context: falco
+      - "publish/packages-deb-dev":
+          context:
+            - falco
+            - test-infra
           filters:
             tags:
               ignore: /.*/
             branches:
               only: master
           requires:
-            - "publish/packages-dev"
+            - "tests/integration"
       - "publish/docker-dev":
           context: falco
           filters:
@@ -615,6 +670,7 @@ workflows:
               only: master
           requires:
             - "publish/packages-dev"
+            - "publish/packages-deb-dev"
             - "tests/driver-loader/integration"
       - "publish/container-images-aws-dev":
           context: test-infra # contains Falco AWS credentials
@@ -650,7 +706,9 @@ workflows:
             branches:
               ignore: /.*/
       - "publish/packages":
-          context: falco
+          context:
+            - falco
+            - test-infra
           requires:
             - "build/musl"
             - "rpm/sign"
@@ -659,10 +717,24 @@ workflows:
               only: /.*/
             branches:
               ignore: /.*/
+      - "publish/packages-deb":
+          context:
+            - falco
+            - test-infra
+          requires:
+            - "build/centos7"
+          filters:
+            tags:
+              only: /.*/
+            branches:
+              ignore: /.*/
       - "publish/docker":
-          context: falco
+          context:
+            - falco
+            - test-infra
           requires:
             - "publish/packages"
+            - "publish/packages-deb"
           filters:
             tags:
               only: /.*/

ADOPTERS.md

@@ -2,6 +2,8 @@
 
 This is a list of production adopters of Falco (in alphabetical order):
 
+* [ASAPP](https://www.asapp.com/) - ASAPP is a pushing the boundaries of fundamental artificial intelligence research. We apply our research into AI-Native® products that make organizations, in the customer experience industry, highly productive, efficient, and effective—by augmenting human activity and automating workflows. We constantly monitor our workloads against different hazards and FALCO helps us extend our threat monitoring boundaries.
+
 * [Booz Allen Hamilton](https://www.boozallen.com/) - BAH leverages Falco as part of their Kubernetes environment to verify that work loads behave as they did in their CD DevSecOps pipelines. BAH offers a solution to internal developers to easily build DevSecOps pipelines for projects. This makes it easy for developers to incorporate Security principles early on in the development cycle. In production, Falco is used to verify that the code the developer ships does not violate any of the production security requirements. BAH [are speaking at Kubecon NA 2019](https://kccncna19.sched.com/event/UaWr/building-reusable-devsecops-pipelines-on-a-secure-kubernetes-platform-steven-terrana-booz-allen-hamilton-michael-ducy-sysdig) on their use of Falco.
 
 * [Coveo](https://www.coveo.com/) - Coveo stitches together content and data, learning from every interaction, to tailor every experience using AI to drive growth, satisfy customers and develop employee proficiency. All Falco events are centralized in our SIEM for analysis. Understanding what is running on production servers, and the context around why things are running is even more tricky now that we have further abstractions with containers and orchestration systems. Falco is giving us a good visibility inside containers and complement other Host and Network Intrusion Detection Systems. In a near future, we expect to deploy serverless functions to take action when Falco identifies patterns worth taking action for.
@@ -15,6 +17,8 @@ This is a list of production adopters of Falco (in alphabetical order):
 * [Logz.io](https://logz.io/) - Logz.io is a cloud observability platform for modern engineering teams. The Logz.io platform consists of three products — Log Management, Infrastructure Monitoring, and Cloud SIEM — that work together to unify the jobs of monitoring, troubleshooting, and security. We empower engineers to deliver better software by offering the world's most popular open source observability tools — the ELK Stack, Grafana, and Jaeger — in a single, easy to use, and powerful platform purpose-built for monitoring distributed cloud environments. Cloud SIEM supports data from multiple sources, including Falco's alerts, and offers useful rules and dashboards content to visualize and manage incidents across your systems in a unified UI.
   * https://logz.io/blog/k8s-security-with-falco-and-cloud-siem/
 
+* [Pocteo](https://pocteo.co) - Pocteo helps with Kubernetes adoption in enterprises by providing a variety of services such as training, consulting, auditing and mentoring. We build CI/CD pipelines the GitOps way, as well as design and run k8s clusters. Pocteo uses Falco as a runtime monitoring system to secure clients' workloads against suspicious behavior and ensure k8s pods immutability. We also use Falco to collect, process and act on security events through a response engine and serverless functions.
+
 * [Preferral](https://www.preferral.com) - Preferral is a HIPAA-compliant platform for Referral Management and Online Referral Forms. Preferral streamlines the referral process for patients, specialists and their referral partners. By automating the referral process, referring practices spend less time on the phone, manual efforts are eliminated, and patients get the right care from the right specialist. Preferral leverages Falco to provide a Host Intrusion Detection System to meet their HIPPA compliance requirements.
   * https://hipaa.preferral.com/01-preferral_hipaa_compliance/
 
@@ -28,4 +32,6 @@ This is a list of production adopters of Falco (in alphabetical order):
 
 * [Swissblock Technologies](https://swissblock.net/) At Swissblock we connect the dots by combining cutting-edge algorithmic trading strategies with in-depth market analysis. We route all Falco events to our control systems, both monitoring and logging. Being able to deeply analyse alerts, we can understand what is running on our Kubernetes clusters and check against security policies, specifically defined for each workload. A set of alarms notifies us in case of critical events, letting us react fast. In the near future we plan to build a little application to route Kubernetes internal events directly to Falco, fully leveraging Falco PodSecurityPolicies analyses.
 
+* [Shapesecurity/F5] (https://www.shapesecurity.com/) Shapesecurity defends against application fraud attacks like Account Take Over, Credential Stuffing, Fake Accounts, etc. Required by FedRamp certification, we needed to find a FIM solution to help monitor and protect our Kubernetes clusters. Traditional FIM solutions were not scalable and not working for our environment, but with Falco we found the solution we needed. Falco's detection capabilities have helped us identify anomalous behaviour within our clusters. We leverage Sidekick (https://github.com/falcosecurity/charts/tree/master/falcosidekick) to send Falco alerts to a PubSub which in turn publishes those alerts to our SIEM (SumoLogic)
+
 * [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call probe. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended Falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-defined infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.

CHANGELOG.md

@@ -1,5 +1,103 @@
 # Change Log
 
+## v0.28.0
+
+Released on 2021-04-12
+
+### Major Changes
+
+* BREAKING CHANGE: Bintray is deprecated, no new packages will be published at https://dl.bintray.com/falcosecurity/ [[#1577](https://github.com/falcosecurity/falco/pull/1577)] - [@leogr](https://github.com/leogr)
+* BREAKING CHANGE: SKIP_MODULE_LOAD env variable no more disables the driver loading (use SKIP_DRIVER_LOADER env variable introduced in Falco 0.24) [[#1599](https://github.com/falcosecurity/falco/pull/1599)] - [@leodido](https://github.com/leodido)
+* BREAKING CHANGE: the init.d service unit is not shipped anymore in deb/rpm packages in favor of a systemd service file [[#1448](https://github.com/falcosecurity/falco/pull/1448)] - [@jenting](https://github.com/jenting)
+* new: add support for exceptions as rule attributes to provide a compact way to add exceptions to Falco rules [[#1427](https://github.com/falcosecurity/falco/pull/1427)] - [@mstemm](https://github.com/mstemm)
+* new: falco-no-driver container images on AWS ECR gallery (https://gallery.ecr.aws/falcosecurity/falco-no-driver) [[#1519](https://github.com/falcosecurity/falco/pull/1519)] - [@jonahjon](https://github.com/jonahjon)
+* new: falco-driver-loader container images on AWS ECR gallery (https://gallery.ecr.aws/falcosecurity/falco-driver-loader) [[#1519](https://github.com/falcosecurity/falco/pull/1519)] - [@jonahjon](https://github.com/jonahjon)
+* new: add healthz endpoint to the webserver [[#1546](https://github.com/falcosecurity/falco/pull/1546)] - [@cpanato](https://github.com/cpanato)
+* new: introduce a new configuration field `syscall_event_drops.threshold` to tune the drop noisiness [[#1586](https://github.com/falcosecurity/falco/pull/1586)] - [@leodido](https://github.com/leodido)
+* new: falco-driver-loader script can get a custom driver name from DRIVER_NAME env variable [[#1488](https://github.com/falcosecurity/falco/pull/1488)] - [@leodido](https://github.com/leodido)
+* new: falco-driver-loader know the Falco version [[#1488](https://github.com/falcosecurity/falco/pull/1488)] - [@leodido](https://github.com/leodido)
+
+
+### Minor Changes
+
+* docs(proposals): libraries and drivers donation [[#1530](https://github.com/falcosecurity/falco/pull/1530)] - [@leodido](https://github.com/leodido)
+* docs(docker): update links to the new Falco website URLs [[#1545](https://github.com/falcosecurity/falco/pull/1545)] - [@cpanato](https://github.com/cpanato)
+* docs(test): update links to new Falco website URLs [[#1563](https://github.com/falcosecurity/falco/pull/1563)] - [@shane-lawrence](https://github.com/shane-lawrence)
+* build: now Falco packages are published at https://download.falco.org [[#1577](https://github.com/falcosecurity/falco/pull/1577)] - [@leogr](https://github.com/leogr)
+* update: lower the `syscall_event_drops.max_burst` default value to 1 [[#1586](https://github.com/falcosecurity/falco/pull/1586)] - [@leodido](https://github.com/leodido)
+* update: falco-driver-loader tries to download a Falco driver before then compiling it on the fly for the host [[#1599](https://github.com/falcosecurity/falco/pull/1599)] - [@leodido](https://github.com/leodido)
+* docs(test): document the prerequisites for running the integration test suite locally [[#1609](https://github.com/falcosecurity/falco/pull/1609)] - [@fntlnz](https://github.com/fntlnz)
+* update: Debian/RPM package migrated from init to systemd [[#1448](https://github.com/falcosecurity/falco/pull/1448)] - [@jenting](https://github.com/jenting)
+
+
+### Bug Fixes
+
+* fix(userspace/engine): properly handle field extraction over lists of containers when not all containers match the specified sub-properties [[#1601](https://github.com/falcosecurity/falco/pull/1601)] - [@mstemm](https://github.com/mstemm)
+* fix(docker/falco): add flex and bison dependency to container image [[#1562](https://github.com/falcosecurity/falco/pull/1562)] - [@schans](https://github.com/schans)
+* fix: ignore action can not be used with log and alert ones (`syscall_event_drops` config) [[#1586](https://github.com/falcosecurity/falco/pull/1586)] - [@leodido](https://github.com/leodido)
+* fix(userspace/engine): allows fields starting with numbers to be parsed properly [[#1598](https://github.com/falcosecurity/falco/pull/1598)] - [@mstemm](https://github.com/mstemm)
+
+
+### Rule Changes
+
+* rule(Write below monitored dir): improve rule description [[#1588](https://github.com/falcosecurity/falco/pull/1588)] - [@stevenshuang](https://github.com/stevenshuang)
+* rule(macro allowed_aws_eks_registry_root): macro to match the official eks registry [[#1555](https://github.com/falcosecurity/falco/pull/1555)] - [@ismailyenigul](https://github.com/ismailyenigul)
+* rule(macro aws_eks_image): match aws image repository for eks [[#1555](https://github.com/falcosecurity/falco/pull/1555)] - [@ismailyenigul](https://github.com/ismailyenigul)
+* rule(macro aws_eks_image_sensitive_mount): match aws cni images [[#1555](https://github.com/falcosecurity/falco/pull/1555)] - [@ismailyenigul](https://github.com/ismailyenigul)
+* rule(macro k8s_containers): include fluent/fluentd-kubernetes-daemonset and prom/prometheus [[#1555](https://github.com/falcosecurity/falco/pull/1555)] - [@ismailyenigul](https://github.com/ismailyenigul)
+* rule(Launch Privileged Container): exclude aws_eks_image [[#1555](https://github.com/falcosecurity/falco/pull/1555)] - [@ismailyenigul](https://github.com/ismailyenigul)
+* rule(Launch Sensitive Mount Container): exclude aws_eks_image_sensitive_mount [[#1555](https://github.com/falcosecurity/falco/pull/1555)] - [@ismailyenigul](https://github.com/ismailyenigul)
+* rule(Debugfs Launched in Privileged Container): new rule [[#1583](https://github.com/falcosecurity/falco/pull/1583)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(Mount Launched in Privileged Container): new rule [[#1583](https://github.com/falcosecurity/falco/pull/1583)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(Set Setuid or Setgid bit): add k3s-agent in the whitelist [[#1583](https://github.com/falcosecurity/falco/pull/1583)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(macro user_ssh_directory): using glob operator [[#1560](https://github.com/falcosecurity/falco/pull/1560)] - [@shane-lawrence](https://github.com/shane-lawrence)
+* rule(list falco_sensitive_mount_containers): added image exceptions for IBM cloud [[#1337](https://github.com/falcosecurity/falco/pull/1337)] - [@nibalizer](https://github.com/nibalizer)
+* rule(list rpm_binaries): add rhsmcertd [[#1385](https://github.com/falcosecurity/falco/pull/1385)] - [@epcim](https://github.com/epcim)
+* rule(list deb_binaries): add apt.systemd.daily [[#1385](https://github.com/falcosecurity/falco/pull/1385)] - [@epcim](https://github.com/epcim)
+* rule(Sudo Potential Privilege Escalation): new rule created to detect CVE-2021-3156 [[#1543](https://github.com/falcosecurity/falco/pull/1543)] - [@darryk10](https://github.com/darryk10)
+* rule(list allowed_k8s_users): add `eks:node-manager` [[#1536](https://github.com/falcosecurity/falco/pull/1536)] - [@ismailyenigul](https://github.com/ismailyenigul)
+* rule(list mysql_mgmt_binaries): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(list db_mgmt_binaries): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(macro parent_ansible_running_python): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(macro parent_bro_running_python): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(macro parent_python_running_denyhosts): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(macro parent_linux_image_upgrade_script): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(macro parent_java_running_echo): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(macro parent_scripting_running_builds): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(macro parent_Xvfb_running_xkbcomp): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(macro parent_nginx_running_serf): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(macro parent_node_running_npm): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(macro parent_java_running_sbt): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(list known_container_shell_spawn_cmdlines): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(list known_shell_spawn_binaries): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(macro run_by_puppet): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(macro user_privileged_containers): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(list rancher_images): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(list images_allow_network_outside_subnet): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(macro parent_python_running_sdchecks): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(macro trusted_containers): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+* rule(list authorized_server_binaries): removed [[#1602](https://github.com/falcosecurity/falco/pull/1602)] - [@fntlnz](https://github.com/fntlnz)
+
+
+### Non user-facing changes
+
+* chore(test): replace bucket url with official distribution url [[#1608](https://github.com/falcosecurity/falco/pull/1608)] - [@fntlnz](https://github.com/fntlnz)
+* adding asapp as an adopter [[#1611](https://github.com/falcosecurity/falco/pull/1611)] - [@Stuxend](https://github.com/Stuxend)
+* update: fixtures URLs [[#1603](https://github.com/falcosecurity/falco/pull/1603)] - [@leogr](https://github.com/leogr)
+* cleanup publishing jobs [[#1596](https://github.com/falcosecurity/falco/pull/1596)] - [@leogr](https://github.com/leogr)
+* fix(falco/test): bump pyyaml from 5.3.1 to 5.4 [[#1595](https://github.com/falcosecurity/falco/pull/1595)] - [@leodido](https://github.com/leodido)
+* fix(.circleci): tar must be present in the image [[#1594](https://github.com/falcosecurity/falco/pull/1594)] - [@leogr](https://github.com/leogr)
+* fix: publishing jobs [[#1591](https://github.com/falcosecurity/falco/pull/1591)] - [@leogr](https://github.com/leogr)
+* Pocteo as an adopter [[#1574](https://github.com/falcosecurity/falco/pull/1574)] - [@pocteo-labs](https://github.com/pocteo-labs)
+* build: fetch build deps from download.falco.org [[#1572](https://github.com/falcosecurity/falco/pull/1572)] - [@leogr](https://github.com/leogr)
+* adding shapesecurity to adopters [[#1566](https://github.com/falcosecurity/falco/pull/1566)] - [@irivera007](https://github.com/irivera007)
+* Use default pip version to get avocado version [[#1565](https://github.com/falcosecurity/falco/pull/1565)] - [@shane-lawrence](https://github.com/shane-lawrence)
+* Added Swissblock to list of adopters [[#1551](https://github.com/falcosecurity/falco/pull/1551)] - [@bygui86](https://github.com/bygui86)
+* Fix various typos in markdown files. [[#1514](https://github.com/falcosecurity/falco/pull/1514)] - [@didier-durand](https://github.com/didier-durand)
+* docs: move governance to falcosecurity/.github [[#1524](https://github.com/falcosecurity/falco/pull/1524)] - [@leogr](https://github.com/leogr)
+* ci: fix missing infra context to publish stable Falco packages [[#1615](https://github.com/falcosecurity/falco/pull/1615)] - [@leodido](https://github.com/leodido)
+
+
 ## v0.27.0
 
 Released on 2021-01-18

README.md

@@ -11,11 +11,49 @@ Want to talk? Join us on the [#falco](https://kubernetes.slack.com/archives/CMWH
 
 Read the [change log](CHANGELOG.md).
 
+<!-- 
+Badges in the following table are constructed by using the
+https://img.shields.io/badge/dynamic/xml endpoint.
+
+Parameters are configured for fetching packages from S3 before 
+(filtered by prefix, sorted in ascending order) and for picking 
+the latest package by using an XPath selector after.
+
+- Common query parameters:
+
+color=#300aec7
+style=flat-square
+label=Falco
+
+- DEB packages parameters:
+
+url=https://falco-distribution.s3-eu-west-1.amazonaws.com/?prefix=packages/deb/stable/falco-
+query=substring-before(substring-after((/*[name()='ListBucketResult']/*[name()='Contents'])[last()]/*[name()='Key'],"falco-"),".asc")
+
+- RPM packages parameters:
+
+url=https://falco-distribution.s3-eu-west-1.amazonaws.com/?prefix=packages/rpm/falco-
+query=substring-before(substring-after((/*[name()='ListBucketResult']/*[name()='Contents'])[last()]/*[name()='Key'],"falco-"),".asc")
+
+- BIN packages parameters:
+
+url=https://falco-distribution.s3-eu-west-1.amazonaws.com/?prefix=packages/bin/x86_64/falco-
+query=substring-after((/*[name()='ListBucketResult']/*[name()='Contents'])[last()]/*[name()='Key'], "falco-")
+
+Notes:
+ - if more than 1000 items are present under as S3 prefix, 
+   the actual latest package will be not picked;
+   see https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2.html
+ - for `-dev` packages, the S3 prefix is modified accordingly
+ - finally, all parameters are URL encoded and appended to the badge endpoint
+
+-->
+
 |        | development                                                                                                                 | stable                                                                                                              |
 |--------|-----------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------|
-| rpm    | [![rpm-dev](https://img.shields.io/bintray/v/falcosecurity/rpm-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][1] | [![rpm](https://img.shields.io/bintray/v/falcosecurity/rpm/falco?label=Falco&color=%23005763&style=flat-square)][2] |
-| deb    | [![deb-dev](https://img.shields.io/bintray/v/falcosecurity/deb-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][3] | [![deb](https://img.shields.io/bintray/v/falcosecurity/deb/falco?label=Falco&color=%23005763&style=flat-square)][4] |
-| binary | [![bin-dev](https://img.shields.io/bintray/v/falcosecurity/bin-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][5] | [![bin](https://img.shields.io/bintray/v/falcosecurity/bin/falco?label=Falco&color=%23005763&style=flat-square)][6] |
+| rpm    | [![rpm-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm-dev%2Ffalco-)][1] | [![rpm](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Frpm%2Ffalco-)][2] |
+| deb    | [![deb-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb-dev%2Fstable%2Ffalco-)][3] | [![deb](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-before%28substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%22falco-%22%29%2C%22.asc%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fdeb%2Fstable%2Ffalco-)][4] |
+| binary | [![bin-dev](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin-dev%2Fx86_64%2Ffalco-)][5] | [![bin](https://img.shields.io/badge/dynamic/xml?color=%2300aec7&style=flat-square&label=Falco&query=substring-after%28%28%2F%2A%5Bname%28%29%3D%27ListBucketResult%27%5D%2F%2A%5Bname%28%29%3D%27Contents%27%5D%29%5Blast%28%29%5D%2F%2A%5Bname%28%29%3D%27Key%27%5D%2C%20%22falco-%22%29&url=https%3A%2F%2Ffalco-distribution.s3-eu-west-1.amazonaws.com%2F%3Fprefix%3Dpackages%2Fbin%2Fx86_64%2Ffalco-)][6] |
 
 ---
 
@@ -99,9 +137,9 @@ Please report security vulnerabilities following the community process documente
 Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
 
 
-[1]: https://dl.bintray.com/falcosecurity/rpm-dev
-[2]: https://dl.bintray.com/falcosecurity/rpm
-[3]: https://dl.bintray.com/falcosecurity/deb-dev/stable
-[4]: https://dl.bintray.com/falcosecurity/deb/stable
-[5]: https://dl.bintray.com/falcosecurity/bin-dev/x86_64
-[6]: https://dl.bintray.com/falcosecurity/bin/x86_64
+[1]: https://download.falco.org/?prefix=packages/rpm-dev/
+[2]: https://download.falco.org/?prefix=packages/rpm/
+[3]: https://download.falco.org/?prefix=packages/deb-dev/stable/
+[4]: https://download.falco.org/?prefix=packages/deb/stable/
+[5]: https://download.falco.org/?prefix=packages/bin-dev/x86_64/
+[6]: https://download.falco.org/?prefix=packages/bin/x86_64/

RELEASE.md

@@ -13,7 +13,7 @@ Finally, on the proposed due date the assignees for the upcoming release proceed
 Before cutting a release we need to do some homework in the Falco repository. This should take 5 minutes using the GitHub UI.
 
 ### 1. Release notes
-- Find the LAST release (-1) and use `YYYY-MM-DD` as the day before of the [latest release](https://github.com/falcosecurity/falco/releases)
+- Find the previous release date (`YYYY-MM-DD`) by looking at the [Falco releases](https://github.com/falcosecurity/falco/releases)
 - Check the release note block of every PR matching the `is:pr is:merged closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+closed%3A%3EYYYY-MM-DD)
     - Ensure the release note block follows the [commit convention](https://github.com/falcosecurity/falco/blob/master/CONTRIBUTING.md#commit-convention), otherwise fix its content
     - If the PR has no milestone, assign it to the milestone currently undergoing release
@@ -29,8 +29,9 @@ Before cutting a release we need to do some homework in the Falco repository. Th
 - Double-check if any hard-coded version number is present in the code, it should be not present anywhere:
     - If any, manually correct it then open an issue to automate version number bumping later
     - Versions table in the `README.md` updates itself automatically
-- Generate the change log https://github.com/leodido/rn2md:
-    - If you review timeout errors with `rn2md` try to generate an GitHub Oauth access token and use `-t`
+- Generate the change log using [rn2md](https://github.com/leodido/rn2md):
+    - Execute `rn2md -o falcosecurity -m <version> -r falco` 
+    - In case `rn2md` emits error try to generate an GitHub OAuth access token and provide it with the `-t` flag
 - Add the latest changes on top the previous `CHANGELOG.md`
 - Submit a PR with the above modifications
 - Await PR approval
@@ -65,9 +66,9 @@ Now assume `x.y.z` is the new version.
 
     | Packages | Download                                                                                                                                               |
     | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
-    | rpm      | [![rpm](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/rpm/falco-x.y.z-x86_64.rpm)        |
-    | deb      | [![deb](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/deb/stable/falco-x.y.z-x86_64.deb) |
-    | tgz      | [![tgz](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/bin/x86_64/falco-x.y.z-x86_64.deb) |
+    | rpm      | [![rpm](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpm/falco-x.y.z-x86_64.rpm)        |
+    | deb      | [![deb](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/deb/stable/falco-x.y.z-x86_64.deb) |
+    | tgz      | [![tgz](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://download.falco.org/packages/bin/x86_64/falco-x.y.z-x86_64.tar.gz) |
 
     | Images                                                                      |
     | --------------------------------------------------------------------------- |

cmake/cpack/CMakeCPackOptions.cmake

@@ -1,11 +1,11 @@
 if(CPACK_GENERATOR MATCHES "DEB")
-	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/init.d/")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/init.d")
+	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 endif()
 
 if(CPACK_GENERATOR MATCHES "RPM")
-	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/rc.d/init.d/")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/rc.d/init.d")
+	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 endif()
 
 if(CPACK_GENERATOR MATCHES "TGZ")

cmake/modules/CPackConfig.cmake

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2021 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -46,8 +46,9 @@ set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
 )
 
 set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0")
+set(CPACK_RPM_PACKAGE_ARCHITECTURE, "amd64")
 set(CPACK_RPM_PACKAGE_URL "https://www.falco.org")
-set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, ncurses")
+set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, ncurses, systemd")
 set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postinstall")
 set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/preuninstall")
 set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postuninstall")
@@ -59,9 +60,7 @@ set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION
     /etc
     /usr
     /usr/bin
-    /usr/share
-    /etc/rc.d
-    /etc/rc.d/init.d)
+    /usr/share)
 set(CPACK_RPM_PACKAGE_RELOCATABLE "OFF")
 
 include(CPack)

cmake/modules/jq.cmake

@@ -45,7 +45,7 @@ else ()
     #   https://github.com/stedolan/jq/issues/2061#issuecomment-593445920
     ExternalProject_Add(
             jq
-            URL "https://dl.bintray.com/falcosecurity/dependencies/jq-1.6.tar.gz"
+            URL "https://download.falco.org/dependencies/jq-1.6.tar.gz"
             URL_HASH "SHA256=787518068c35e244334cc79b8e56b60dbab352dff175b7f04a94f662b540bfd9"
             CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking --with-oniguruma=builtin --prefix=${JQ_INSTALL_DIR}
             BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static

docker/falco/Dockerfile

@@ -18,10 +18,12 @@ RUN apt-get update \
 	&& apt-get install -y --no-install-recommends \
 	bash-completion \
 	bc \
+	bison \
 	clang-7 \
 	ca-certificates \
 	curl \
 	dkms \
+	flex \
 	gnupg2 \
 	gcc \
 	jq \
@@ -39,15 +41,15 @@ RUN apt-get update \
 # prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
 # or so.
 
-RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \
-	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \
-	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
-	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
-	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \
-	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \
-	&& curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \
+RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_amd64.deb \
+	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
+	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_amd64.deb \
+	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_amd64.deb \
+	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
+	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
+	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libubsan0_6.3.0-18_amd64.deb \
+	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_amd64.deb \
+	&& curl -L -o libisl15_0.18-1_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-1_amd64.deb \
 	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
 	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
 
@@ -56,13 +58,13 @@ RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dep
 # version 3, 4, or 5 compiler. So grab copies we've saved from debian
 # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
 
-RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \
-	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \
-	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
-	&& curl -L -o libisl15_0.18-4_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \
-	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \
+RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_amd64.deb \
+	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
+	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_amd64.deb \
+	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://download.falco.org/dependencies/libasan2_5.5.0-12_amd64.deb \
+	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
+	&& curl -L -o libisl15_0.18-4_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-4_amd64.deb \
+	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_amd64.deb \
 	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
 	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
 
@@ -76,7 +78,7 @@ RUN rm -rf /usr/bin/clang \
 	&& ln -s /usr/bin/llc-7 /usr/bin/llc
 
 RUN curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add - \
-	&& echo "deb https://dl.bintray.com/falcosecurity/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
+	&& echo "deb https://download.falco.org/packages/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
 	&& apt-get update -y \
 	&& if [ "$FALCO_VERSION" = "latest" ]; then apt-get install -y --no-install-recommends falco; else apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
 	&& apt-get clean \
@@ -96,10 +98,10 @@ RUN rm -df /lib/modules \
 # debian:stable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \
-	&& curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \
-	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
-	&& curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \
+RUN curl -L -o binutils_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils_2.30-22_amd64.deb \
+	&& curl -L -o libbinutils_2.30-22_amd64.deb https://download.falco.org/dependencies/libbinutils_2.30-22_amd64.deb \
+	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+	&& curl -L -o binutils-common_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-common_2.30-22_amd64.deb \
 	&& dpkg -i *binutils*.deb \
 	&& rm -f *binutils*.deb
 

docker/falco/docker-entrypoint.sh

@@ -16,14 +16,9 @@
 # limitations under the License.
 #
 
-# todo(leogr): remove deprecation notice within a couple of releases
-if [[ ! -z "${SKIP_MODULE_LOAD}" ]]; then
-    echo "* SKIP_MODULE_LOAD is deprecated and will be removed soon, use SKIP_DRIVER_LOADER instead"
-fi
-
 # Set the SKIP_DRIVER_LOADER variable to skip loading the driver
 
-if [[ -z "${SKIP_DRIVER_LOADER}" ]] && [[ -z "${SKIP_MODULE_LOAD}" ]]; then
+if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
     echo "* Setting up /usr/src links from host"
 
     for i in "$HOST_ROOT/usr/src"/*

docker/local/Dockerfile

@@ -48,15 +48,15 @@ RUN apt-get update \
 # prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
 # or so.
 
-RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \
-	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \
-	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
-	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
-	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \
-	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \
-	&& curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \
+RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/cpp-6_6.3.0-18_amd64.deb \
+	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
+	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://download.falco.org/dependencies/gcc-6_6.3.0-18_amd64.deb \
+	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libasan3_6.3.0-18_amd64.deb \
+	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
+	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
+	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://download.falco.org/dependencies/libubsan0_6.3.0-18_amd64.deb \
+	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://download.falco.org/dependencies/libmpfr4_3.1.3-2_amd64.deb \
+	&& curl -L -o libisl15_0.18-1_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-1_amd64.deb \
 	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
 	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
 
@@ -65,13 +65,13 @@ RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dep
 # version 3, 4, or 5 compiler. So grab copies we've saved from debian
 # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
 
-RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \
-	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \
-	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
-	&& curl -L -o libisl15_0.18-4_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \
-	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \
+RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/cpp-5_5.5.0-12_amd64.deb \
+	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
+	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://download.falco.org/dependencies/gcc-5_5.5.0-12_amd64.deb \
+	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://download.falco.org/dependencies/libasan2_5.5.0-12_amd64.deb \
+	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
+	&& curl -L -o libisl15_0.18-4_amd64.deb https://download.falco.org/dependencies/libisl15_0.18-4_amd64.deb \
+	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://download.falco.org/dependencies/libmpx0_5.5.0-12_amd64.deb \
 	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
 	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
 
@@ -96,15 +96,15 @@ RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
 # Change the falco config within the container to enable ISO 8601
 # output.
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-    && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
+	&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
 
 # debian:stable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \
-	&& curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \
-	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
-	&& curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \
+RUN curl -L -o binutils_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils_2.30-22_amd64.deb \
+	&& curl -L -o libbinutils_2.30-22_amd64.deb https://download.falco.org/dependencies/libbinutils_2.30-22_amd64.deb \
+	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+	&& curl -L -o binutils-common_2.30-22_amd64.deb https://download.falco.org/dependencies/binutils-common_2.30-22_amd64.deb \
 	&& dpkg -i *binutils*.deb \
 	&& rm -f *binutils*.deb
 

docker/no-driver/Dockerfile

@@ -6,14 +6,16 @@ ARG VERSION_BUCKET=bin
 ENV FALCO_VERSION=${FALCO_VERSION}
 ENV VERSION_BUCKET=${VERSION_BUCKET}
 
+RUN apt-get -y update && apt-get -y install gridsite-clients curl
+
 WORKDIR /
 
-ADD https://bintray.com/api/ui/download/falcosecurity/${VERSION_BUCKET}/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz /
-
-RUN tar -xvf falco-${FALCO_VERSION}-x86_64.tar.gz && \
-    rm -f falco-${FALCO_VERSION}-x86_64.tar.gz && \
+RUN curl -L -o falco.tar.gz \
+    https://download.falco.org/packages/${VERSION_BUCKET}/x86_64/falco-$(urlencode ${FALCO_VERSION})-x86_64.tar.gz && \
+    tar -xvf falco.tar.gz && \
+    rm -f falco.tar.gz && \
     mv falco-${FALCO_VERSION}-x86_64 falco && \
-    rm -rf falco/usr/src/falco-* falco/usr/bin/falco-driver-loader
+    rm -rf /falco/usr/src/falco-* /falco/usr/bin/falco-driver-loader
 
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
     && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml

docker/tester/root/usr/bin/usage

@@ -3,7 +3,7 @@
 pythonversion=$(python -c 'import sys; version=sys.version_info[:3]; print("{0}.{1}.{2}".format(*version))')
 pipversion=$(pip --version | cut -d' ' -f 1,2,5,6)
 dockerversion=$(docker --version)
-avocadoversion=$(pip2 show avocado-framework | grep Version)
+avocadoversion=$(pip show avocado-framework | grep Version)
 avocadoversion=${avocadoversion#"Version: "}
 
 cat <<EOF

falco.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2021 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -68,24 +68,34 @@ priority: debug
 buffered_outputs: false
 
 # Falco uses a shared buffer between the kernel and userspace to pass
-# system call information. When falco detects that this buffer is
+# system call information. When Falco detects that this buffer is
 # full and system calls have been dropped, it can take one or more of
 # the following actions:
-#   - "ignore": do nothing. If an empty list is provided, ignore is assumed.
-#   - "log": log a CRITICAL message noting that the buffer was full.
-#   - "alert": emit a falco alert noting that the buffer was full.
-#   - "exit": exit falco with a non-zero rc.
+#   - ignore: do nothing (default when list of actions is empty)
+#   - log: log a DEBUG message noting that the buffer was full
+#   - alert: emit a Falco alert noting that the buffer was full
+#   - exit: exit Falco with a non-zero rc
+#
+# Notice it is not possible to ignore and log/alert messages at the same time.
 #
 # The rate at which log/alert messages are emitted is governed by a
 # token bucket. The rate corresponds to one message every 30 seconds
-# with a burst of 10 messages.
+# with a burst of one message (by default).
+#
+# The messages are emitted when the percentage of dropped system calls
+# with respect the number of events in the last second
+# is greater than the given threshold (a double in the range [0, 1]).
+#
+# For debugging/testing it is possible to simulate the drops using
+# the `simulate_drops: true`. In this case the threshold does not apply.
 
 syscall_event_drops:
+  threshold: .1
   actions:
     - log
     - alert
   rate: .03333
-  max_burst: 10
+  max_burst: 1
 
 # Falco continuously monitors outputs performance. When an output channel does not allow
 # to deliver an alert within a given deadline, an error is reported indicating
@@ -152,11 +162,14 @@ stdout_output:
 # $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
 # $ cat certificate.pem key.pem > falco.pem
 # $ sudo cp falco.pem /etc/falco/falco.pem
-
+#
+# It also exposes a healthy endpoint that can be used to check if Falco is up and running
+# By default the endpoint is /healthz
 webserver:
   enabled: true
   listen_port: 8765
   k8s_audit_endpoint: /k8s-audit
+  k8s_healthz_endpoint: /healthz
   ssl_enabled: false
   ssl_certificate: /etc/falco/falco.pem
 

rules/k8s_audit_rules.yaml

@@ -14,7 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-- required_engine_version: 8
+- required_engine_version: 2
 
 # Like always_true/always_false, but works with k8s audit events
 - macro: k8s_audit_always_true
@@ -51,17 +51,13 @@
     cluster-autoscaler,
     "system:addon-manager",
     "cloud-controller-manager",
-    "eks:node-manager"
+    "eks:node-manager",
+    "system:kube-controller-manager"
     ]
 
 - rule: Disallowed K8s User
   desc: Detect any k8s operation by users outside of an allowed set of users.
-  condition: kevt and non_system_user
-  exceptions:
-    - name: user_names
-      fields: ka.user.name
-      comps: in
-      values: [allowed_k8s_users]
+  condition: kevt and non_system_user and not ka.user.name in (allowed_k8s_users)
   output: K8s Operation performed by user not in allowed list of users (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
   priority: WARNING
   source: k8s_audit
@@ -128,10 +124,6 @@
   desc: >
     Detect an attempt to start a pod with a container image outside of a list of allowed images.
   condition: kevt and pod and kcreate and not allowed_k8s_containers
-  exceptions:
-    - name: image_repos
-      fields: ka.req.pod.containers.image.repository
-      comps: in
   output: Pod started with container not in allowed list (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
   priority: WARNING
   source: k8s_audit
@@ -140,12 +132,7 @@
 - rule: Create Privileged Pod
   desc: >
     Detect an attempt to start a pod with a privileged container
-  condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true)
-  exceptions:
-    - name: image_repos
-      fields: ka.req.pod.containers.image.repository
-      comps: in
-      values: [falco_privileged_images]
+  condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true) and not ka.req.pod.containers.image.repository in (falco_privileged_images)
   output: Pod started with privileged container (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
   priority: WARNING
   source: k8s_audit
@@ -159,12 +146,7 @@
   desc: >
     Detect an attempt to start a pod with a volume from a sensitive host directory (i.e. /proc).
     Exceptions are made for known trusted images.
-  condition: kevt and pod and kcreate and sensitive_vol_mount
-  exceptions:
-    - name: image_repos
-      fields: ka.req.pod.containers.image.repository
-      comps: in
-      values: [falco_sensitive_mount_images]
+  condition: kevt and pod and kcreate and sensitive_vol_mount and not ka.req.pod.containers.image.repository in (falco_sensitive_mount_images)
   output: Pod started with sensitive mount (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image volumes=%jevt.value[/requestObject/spec/volumes])
   priority: WARNING
   source: k8s_audit
@@ -173,12 +155,7 @@
 # Corresponds to K8s CIS Benchmark 1.7.4
 - rule: Create HostNetwork Pod
   desc: Detect an attempt to start a pod using the host network.
-  condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true)
-  exceptions:
-    - name: image_repos
-      fields: ka.req.pod.containers.image.repository
-      comps: in
-      values: [falco_hostnetwork_images]
+  condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostnetwork_images)
   output: Pod started using host network (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
   priority: WARNING
   source: k8s_audit
@@ -191,9 +168,6 @@
   desc: >
     Detect an attempt to start a service with a NodePort service type
   condition: kevt and service and kcreate and ka.req.service.type=NodePort and not user_known_node_port_service
-  exceptions:
-    - name: services
-      fields: [ka.target.namespace, ka.target.name]
   output: NodePort Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace ports=%ka.req.service.ports)
   priority: WARNING
   source: k8s_audit
@@ -212,9 +186,6 @@
   desc: >
      Detect creating/modifying a configmap containing a private credential (aws key, password, etc.)
   condition: kevt and configmap and kmodify and contains_private_credentials
-  exceptions:
-    - name: configmaps
-      fields: [ka.target.namespace, ka.req.configmap.name]
   output: K8s configmap with private credential (user=%ka.user.name verb=%ka.verb configmap=%ka.req.configmap.name config=%ka.req.configmap.obj)
   priority: WARNING
   source: k8s_audit
@@ -225,10 +196,6 @@
   desc: >
     Detect any request made by the anonymous user that was allowed
   condition: kevt and ka.user.name=system:anonymous and ka.auth.decision="allow" and not health_endpoint
-  exceptions:
-    - name: user_names
-      fields: ka.user.name
-      comps: in
   output: Request by anonymous user allowed (user=%ka.user.name verb=%ka.verb uri=%ka.uri reason=%ka.auth.reason))
   priority: WARNING
   source: k8s_audit
@@ -254,10 +221,6 @@
   desc: >
     Detect any attempt to attach/exec to a pod
   condition: kevt_started and pod_subresource and kcreate and ka.target.subresource in (exec,attach) and not user_known_exec_pod_activities
-  exceptions:
-    - name: user_names
-      fields: ka.user.name
-      comps: in
   output: Attach/Exec to pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace action=%ka.target.subresource command=%ka.uri.param[command])
   priority: NOTICE
   source: k8s_audit
@@ -267,14 +230,10 @@
   condition: (k8s_audit_never_true)
 
 # Only works when feature gate EphemeralContainers is enabled
-# Definining empty exceptions just to avoid warnings. There isn't any
-#  great exception for this kind of object, as you'd expect the images
-#  to vary wildly.
 - rule: EphemeralContainers Created
   desc: >
     Detect any ephemeral container created
   condition: kevt and pod_subresource and kmodify and ka.target.subresource in (ephemeralcontainers) and not user_known_pod_debug_activities
-  exceptions:
   output: Ephemeral container is created in pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace ephemeral_container_name=%jevt.value[/requestObject/ephemeralContainers/0/name] ephemeral_container_image=%jevt.value[/requestObject/ephemeralContainers/0/image])
   priority: NOTICE
   source: k8s_audit
@@ -286,12 +245,7 @@
 
 - rule: Create Disallowed Namespace
   desc: Detect any attempt to create a namespace outside of a set of known namespaces
-  condition: kevt and namespace and kcreate
-  exceptions:
-    - name: services
-      fields: ka.target.name
-      comps: in
-      values: [allowed_namespaces]
+  condition: kevt and namespace and kcreate and not ka.target.name in (allowed_namespaces)
   output: Disallowed namespace created (user=%ka.user.name ns=%ka.target.name)
   priority: WARNING
   source: k8s_audit
@@ -331,16 +285,15 @@
     k8s_image_list
     ]
 
+- macro: allowed_kube_namespace_pods
+  condition: (ka.req.pod.containers.image.repository in (user_allowed_kube_namespace_image_list) or
+              ka.req.pod.containers.image.repository in (allowed_kube_namespace_image_list))
+
 # Detect any new pod created in the kube-system namespace
 - rule: Pod Created in Kube Namespace
   desc: Detect any attempt to create a pod in the kube-system or kube-public namespaces
-  condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public)
+  condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public) and not allowed_kube_namespace_pods
   output: Pod created in kube namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
-  exceptions:
-    - name: images
-      fields: ka.req.pod.containers.image.repository
-      comps: in
-      values: [user_allowed_kube_namespace_image_list, allowed_kube_namespace_image_list]
   priority: WARNING
   source: k8s_audit
   tags: [k8s]
@@ -348,16 +301,18 @@
 - list: user_known_sa_list
   items: []
 
+- list: known_sa_list
+  items: ["pod-garbage-collector","resourcequota-controller","cronjob-controller","generic-garbage-collector",
+          "daemon-set-controller","endpointslice-controller","deployment-controller", "replicaset-controller",
+          "endpoint-controller"]
+
 - macro: trusted_sa
-  condition: (ka.target.name in (user_known_sa_list))
+  condition: (ka.target.name in (known_sa_list, user_known_sa_list))
 
 # Detect creating a service account in the kube-system/kube-public namespace
 - rule: Service Account Created in Kube Namespace
   desc: Detect any attempt to create a serviceaccount in the kube-system or kube-public namespaces
   condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public) and response_successful and not trusted_sa
-  exceptions:
-    - name: accounts
-      fields: [ka.target.namespace, ka.target.name]
   output: Service account created in kube namespace (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace)
   priority: WARNING
   source: k8s_audit
@@ -370,9 +325,6 @@
   desc: Detect any attempt to modify/delete a ClusterRole/Role starting with system
   condition: kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and
              not ka.target.name in (system:coredns, system:managed-certificate-controller)
-  exceptions:
-    - name: roles
-      fields: [ka.target.namespace, ka.target.name]
   output: System ClusterRole/Role modified or deleted (user=%ka.user.name role=%ka.target.name ns=%ka.target.namespace action=%ka.verb)
   priority: WARNING
   source: k8s_audit
@@ -383,10 +335,6 @@
 - rule: Attach to cluster-admin Role
   desc: Detect any attempt to create a ClusterRoleBinding to the cluster-admin user
   condition: kevt and clusterrolebinding and kcreate and ka.req.binding.role=cluster-admin
-  exceptions:
-    - name: subjects
-      fields: ka.req.binding.subjects
-      comps: in
   output: Cluster Role Binding to cluster-admin role (user=%ka.user.name subject=%ka.req.binding.subjects)
   priority: WARNING
   source: k8s_audit
@@ -395,10 +343,6 @@
 - rule: ClusterRole With Wildcard Created
   desc: Detect any attempt to create a Role/ClusterRole with wildcard resources or verbs
   condition: kevt and (role or clusterrole) and kcreate and (ka.req.role.rules.resources intersects ("*") or ka.req.role.rules.verbs intersects ("*"))
-  exceptions:
-    - name: roles
-      fields: ka.target.name
-      comps: in
   output: Created Role/ClusterRole with wildcard (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
   priority: WARNING
   source: k8s_audit
@@ -411,10 +355,6 @@
 - rule: ClusterRole With Write Privileges Created
   desc: Detect any attempt to create a Role/ClusterRole that can perform write-related actions
   condition: kevt and (role or clusterrole) and kcreate and writable_verbs
-  exceptions:
-    - name: roles
-      fields: ka.target.name
-      comps: in
   output: Created Role/ClusterRole with write privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
   priority: NOTICE
   source: k8s_audit
@@ -423,10 +363,6 @@
 - rule: ClusterRole With Pod Exec Created
   desc: Detect any attempt to create a Role/ClusterRole that can exec to pods
   condition: kevt and (role or clusterrole) and kcreate and ka.req.role.rules.resources intersects ("pods/exec")
-  exceptions:
-    - name: roles
-      fields: ka.target.name
-      comps: in
   output: Created Role/ClusterRole with pod exec privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
   priority: WARNING
   source: k8s_audit
@@ -438,16 +374,12 @@
 - macro: consider_activity_events
   condition: (k8s_audit_always_true)
 
-# Activity events don't have exceptions. They do define an empty
-# exceptions property just to avoid warnings when loading rules.
-
 - macro: kactivity
   condition: (kevt and consider_activity_events)
 
 - rule: K8s Deployment Created
   desc: Detect any attempt to create a deployment
   condition: (kactivity and kcreate and deployment and response_successful)
-  exceptions:
   output: K8s Deployment Created (user=%ka.user.name deployment=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
@@ -456,7 +388,6 @@
 - rule: K8s Deployment Deleted
   desc: Detect any attempt to delete a deployment
   condition: (kactivity and kdelete and deployment and response_successful)
-  exceptions:
   output: K8s Deployment Deleted (user=%ka.user.name deployment=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
@@ -465,7 +396,6 @@
 - rule: K8s Service Created
   desc: Detect any attempt to create a service
   condition: (kactivity and kcreate and service and response_successful)
-  exceptions:
   output: K8s Service Created (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
@@ -474,7 +404,6 @@
 - rule: K8s Service Deleted
   desc: Detect any attempt to delete a service
   condition: (kactivity and kdelete and service and response_successful)
-  exceptions:
   output: K8s Service Deleted (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
@@ -483,7 +412,6 @@
 - rule: K8s ConfigMap Created
   desc: Detect any attempt to create a configmap
   condition: (kactivity and kcreate and configmap and response_successful)
-  exceptions:
   output: K8s ConfigMap Created (user=%ka.user.name configmap=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
@@ -492,7 +420,6 @@
 - rule: K8s ConfigMap Deleted
   desc: Detect any attempt to delete a configmap
   condition: (kactivity and kdelete and configmap and response_successful)
-  exceptions:
   output: K8s ConfigMap Deleted (user=%ka.user.name configmap=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
@@ -501,7 +428,6 @@
 - rule: K8s Namespace Created
   desc: Detect any attempt to create a namespace
   condition: (kactivity and kcreate and namespace and response_successful)
-  exceptions:
   output: K8s Namespace Created (user=%ka.user.name namespace=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
@@ -510,7 +436,6 @@
 - rule: K8s Namespace Deleted
   desc: Detect any attempt to delete a namespace
   condition: (kactivity and non_system_user and kdelete and namespace and response_successful)
-  exceptions:
   output: K8s Namespace Deleted (user=%ka.user.name namespace=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
@@ -519,7 +444,6 @@
 - rule: K8s Serviceaccount Created
   desc: Detect any attempt to create a service account
   condition: (kactivity and kcreate and serviceaccount and response_successful)
-  exceptions:
   output: K8s Serviceaccount Created (user=%ka.user.name user=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
@@ -528,7 +452,6 @@
 - rule: K8s Serviceaccount Deleted
   desc: Detect any attempt to delete a service account
   condition: (kactivity and kdelete and serviceaccount and response_successful)
-  exceptions:
   output: K8s Serviceaccount Deleted (user=%ka.user.name user=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
@@ -537,7 +460,6 @@
 - rule: K8s Role/Clusterrole Created
   desc: Detect any attempt to create a cluster role/role
   condition: (kactivity and kcreate and (clusterrole or role) and response_successful)
-  exceptions:
   output: K8s Cluster Role Created (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
@@ -546,7 +468,6 @@
 - rule: K8s Role/Clusterrole Deleted
   desc: Detect any attempt to delete a cluster role/role
   condition: (kactivity and kdelete and (clusterrole or role) and response_successful)
-  exceptions:
   output: K8s Cluster Role Deleted (user=%ka.user.name role=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
@@ -555,7 +476,6 @@
 - rule: K8s Role/Clusterrolebinding Created
   desc: Detect any attempt to create a clusterrolebinding
   condition: (kactivity and kcreate and clusterrolebinding and response_successful)
-  exceptions:
   output: K8s Cluster Role Binding Created (user=%ka.user.name binding=%ka.target.name subjects=%ka.req.binding.subjects role=%ka.req.binding.role resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
@@ -564,7 +484,6 @@
 - rule: K8s Role/Clusterrolebinding Deleted
   desc: Detect any attempt to delete a clusterrolebinding
   condition: (kactivity and kdelete and clusterrolebinding and response_successful)
-  exceptions:
   output: K8s Cluster Role Binding Deleted (user=%ka.user.name binding=%ka.target.name resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
@@ -573,7 +492,6 @@
 - rule: K8s Secret Created
   desc: Detect any attempt to create a secret. Service account tokens are excluded.
   condition: (kactivity and kcreate and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
-  exceptions:
   output: K8s Secret Created (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
@@ -582,7 +500,6 @@
 - rule: K8s Secret Deleted
   desc: Detect any attempt to delete a secret Service account tokens are excluded.
   condition: (kactivity and kdelete and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
-  exceptions:
   output: K8s Secret Deleted (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
@@ -601,7 +518,6 @@
 - rule: All K8s Audit Events
   desc: Match all K8s Audit Events
   condition: kall
-  exceptions:
   output: K8s Audit Event received (user=%ka.user.name verb=%ka.verb uri=%ka.uri obj=%jevt.obj)
   priority: DEBUG
   source: k8s_audit
@@ -634,10 +550,6 @@
     and non_system_user
     and ka.user.name in (full_admin_k8s_users)
     and not allowed_full_admin_users
-  exceptions:
-    - name: user_names
-      fields: ka.user.name
-      comps: in
   output: K8s Operation performed by full admin user (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
   priority: WARNING
   source: k8s_audit
@@ -671,9 +583,6 @@
   desc: Detect any attempt to create an ingress without TLS certification.
   condition: >
     (kactivity and kcreate and ingress and response_successful and not ingress_tls)
-  exceptions:
-    - name: ingresses
-      fields: [ka.target.namespace, ka.target.name]
   output: >
     K8s Ingress Without TLS Cert Created (user=%ka.user.name ingress=%ka.target.name
     namespace=%ka.target.namespace)
@@ -704,11 +613,7 @@
     and kcreate
     and response_successful
     and not allow_all_k8s_nodes
-  exceptions:
-    - name: nodes
-      fields: ka.target.name
-      comps: in
-      values: [allowed_k8s_nodes]
+    and not ka.target.name in (allowed_k8s_nodes)
   output: Node not in allowed list successfully joined the cluster (user=%ka.user.name node=%ka.target.name)
   priority: ERROR
   source: k8s_audit
@@ -722,11 +627,7 @@
     and kcreate
     and not response_successful
     and not allow_all_k8s_nodes
-  exceptions:
-    - name: nodes
-      fields: ka.target.name
-      comps: in
-      values: [allowed_k8s_nodes]
+    and not ka.target.name in (allowed_k8s_nodes)
   output: Node not in allowed list tried unsuccessfully to join the cluster  (user=%ka.user.name node=%ka.target.name reason=%ka.response.reason)
   priority: WARNING
   source: k8s_audit

scripts/CMakeLists.txt

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2021 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -19,14 +19,14 @@ configure_file(debian/postinst.in debian/postinst)
 configure_file(debian/postrm.in debian/postrm)
 configure_file(debian/prerm.in debian/prerm)
 
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco"
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco.service"
 	DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
 
 configure_file(rpm/postinstall.in rpm/postinstall)
 configure_file(rpm/postuninstall.in rpm/postuninstall)
 configure_file(rpm/preuninstall.in rpm/preuninstall)
 
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco"
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco.service"
 	DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
 
 configure_file(falco-driver-loader falco-driver-loader @ONLY)

scripts/cleanup

@@ -1,61 +0,0 @@
-#!/usr/bin/env bash
-
-usage() {
-    echo "usage: $0 -p 0987654321 -r <deb-dev|rpm-dev|bin-dev>"
-    exit 1
-}
-
-user=poiana
-
-# Get the versions to delete.
-#
-# $1: repository to lookup
-# $2: number of versions to skip.
-get_versions() {
-    # The API endpoint returns the Falco package versions sort by most recent.
-    IFS=$'\n' read -r -d '' -a all < <(curl -s --header "Content-Type: application/json" "https://api.bintray.com/packages/falcosecurity/$1/falco" | jq -r '.versions | .[]' | tail -n "+$2")
-}
-
-# Remove all the versions (${all[@]} array).
-#
-# $1: repository containing the versions.
-rem_versions() {
-    for i in "${!all[@]}";
-    do
-        JFROG_CLI_LOG_LEVEL=DEBUG jfrog bt vd --quiet --user "${user}" --key "${pass}" "falcosecurity/$1/falco/${all[$i]}"
-    done
-}
-
-while getopts ":p::r:" opt; do
-    case "${opt}" in
-        p )
-          pass=${OPTARG}
-          ;;
-        r )
-          repo="${OPTARG}"
-          [[ "${repo}" == "deb-dev" || "${repo}" == "rpm-dev" || "${repo}" == "bin-dev" ]] || usage
-          ;;
-        : )
-          echo "invalid option: ${OPTARG} requires an argument" 1>&2
-          exit 1
-          ;;
-        \?)
-          echo "invalid option: ${OPTARG}" 1>&2
-          exit 1
-          ;;
-    esac
-done
-shift $((OPTIND-1))
-
-if [ -z "${pass}" ] || [ -z "${repo}" ]; then
-    usage
-fi
-
-skip=51
-if [[ "${repo}" == "bin-dev" ]]; then
-    skip=11
-fi
-
-get_versions "${repo}" ${skip}
-echo "number of versions to delete: ${#all[@]}"
-rem_versions "${repo}"

scripts/debian/falco

@@ -1,176 +0,0 @@
-#! /bin/sh
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-### BEGIN INIT INFO
-# Provides:          falco
-# Required-Start:    $remote_fs $syslog
-# Required-Stop:     $remote_fs $syslog
-# Default-Start:     2 3 4 5
-# Default-Stop:      0 1 6
-# Short-Description: Falco syscall activity monitoring agent
-# Description:       Falco is a system activity monitoring agent
-#                    driven by system calls with support for containers.
-### END INIT INFO
-
-# Author: The Falco Authors <cncf-falco-dev@lists.cncf.io>
-
-# Do NOT "set -e"
-
-# PATH should only include /usr/* if it runs after the mountnfs.sh script
-PATH=/sbin:/usr/sbin:/bin:/usr/bin
-DESC="Falco"
-NAME=falco
-DAEMON=/usr/bin/$NAME
-PIDFILE=/var/run/$NAME.pid
-DAEMON_ARGS="--daemon --pidfile=$PIDFILE"
-SCRIPTNAME=/etc/init.d/$NAME
-
-# Exit if the package is not installed
-[ -x "$DAEMON" ] || exit 0
-
-# Read configuration variable file if it is present
-[ -r /etc/default/$NAME ] && . /etc/default/$NAME
-
-# Load the VERBOSE setting and other rcS variables
-. /lib/init/vars.sh
-
-# Define LSB log_* functions.
-# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
-# and status_of_proc is working.
-. /lib/lsb/init-functions
-
-#
-# Function that starts the daemon/service
-#
-do_start()
-{
-	# Return
-	#   0 if daemon has been started
-	#   1 if daemon was already running
-	#   2 if daemon could not be started
-	start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
-		|| return 1
-	if [ ! -d /sys/module/falco ]; then
-		/sbin/modprobe falco || exit 1
-	fi
-	start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
-		$DAEMON_ARGS \
-		|| return 2
-	# Add code here, if necessary, that waits for the process to be ready
-	# to handle requests from services started subsequently which depend
-	# on this one.  As a last resort, sleep for some time.
-}
-
-#
-# Function that stops the daemon/service
-#
-do_stop()
-{
-	# Return
-	#   0 if daemon has been stopped
-	#   1 if daemon was already stopped
-	#   2 if daemon could not be stopped
-	#   other if a failure occurred
-	start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
-	RETVAL="$?"
-	[ "$RETVAL" = 2 ] && return 2
-	# Wait for children to finish too if this is a daemon that forks
-	# and if the daemon is only ever run from this initscript.
-	# If the above conditions are not satisfied then add some other code
-	# that waits for the process to drop all resources that could be
-	# needed by services started subsequently.  A last resort is to
-	# sleep for some time.
-	start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
-	[ "$?" = 2 ] && return 2
-	/sbin/rmmod falco
-	# Many daemons don't delete their pidfiles when they exit.
-	rm -f $PIDFILE
-	return "$RETVAL"
-}
-
-#
-# Function that sends a SIGHUP to the daemon/service
-#
-do_reload() {
-	#
-	# If the daemon can reload its configuration without
-	# restarting (for example, when it is sent a SIGHUP),
-	# then implement that here.
-	#
-	start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
-	return 0
-}
-
-case "$1" in
-  start)
-	[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
-	do_start
-	case "$?" in
-		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
-		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
-	esac
-	;;
-  stop)
-	[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
-	do_stop
-	case "$?" in
-		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
-		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
-	esac
-	;;
-  status)
-	status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
-	;;
-  #reload|force-reload)
-	#
-	# If do_reload() is not implemented then leave this commented out
-	# and leave 'force-reload' as an alias for 'restart'.
-	#
-	#log_daemon_msg "Reloading $DESC" "$NAME"
-	#do_reload
-	#log_end_msg $?
-	#;;
-  restart|force-reload)
-	#
-	# If the "reload" option is implemented then remove the
-	# 'force-reload' alias
-	#
-	log_daemon_msg "Restarting $DESC" "$NAME"
-	do_stop
-	case "$?" in
-	  0|1)
-		do_start
-		case "$?" in
-			0) log_end_msg 0 ;;
-			1) log_end_msg 1 ;; # Old process is still running
-			*) log_end_msg 1 ;; # Failed to start
-		esac
-		;;
-	  *)
-		# Failed to stop
-		log_end_msg 1
-		;;
-	esac
-	;;
-  *)
-	#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
-	echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
-	exit 3
-	;;
-esac
-
-:

scripts/debian/falco.service

@@ -0,0 +1,24 @@
+[Unit]
+Description=Falco: Container Native Runtime Security
+Documentation=https://falco.org/docs/
+
+[Service]
+Type=simple
+User=root
+ExecStartPre=/sbin/modprobe falco
+ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
+ExecStopPost=/sbin/rmmod falco
+UMask=0077
+TimeoutSec=30
+RestartSec=15s
+Restart=on-failure
+PrivateTmp=true
+NoNewPrivileges=yes
+ProtectHome=read-only
+ProtectSystem=full
+ProtectKernelTunables=true
+RestrictRealtime=true
+RestrictAddressFamilies=~AF_PACKET
+
+[Install]
+WantedBy=multi-user.target

scripts/debian/postinst.in

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2021 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -41,8 +41,3 @@ case "$1" in
 		fi
 	;;
 esac
-
-if [ -x "/etc/init.d/$NAME" ]; then
-		update-rc.d $NAME defaults >/dev/null
-fi
-

scripts/debian/postrm.in

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2021 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,10 +15,3 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-set -e
-
-NAME=falco
-
-if [ "$1" = "purge" ] ; then
-	update-rc.d $NAME remove >/dev/null
-fi

scripts/debian/prerm.in

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2021 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -17,16 +17,6 @@
 #
 set -e
 
-NAME="@PACKAGE_NAME@"
-
-if [ -x "/etc/init.d/$NAME" ]; then
-		if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
-				invoke-rc.d $NAME stop || exit $?
-		else
-				/etc/init.d/$NAME stop || exit $?
-		fi
-fi
-
 DKMS_PACKAGE_NAME="@PACKAGE_NAME@"
 DKMS_VERSION="@PROBE_VERSION@"
 

scripts/falco-driver-loader

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2021 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -16,7 +16,7 @@
 # limitations under the License.
 #
 # Simple script that desperately tries to load the kernel instrumentation by
-# looking for it in a bunch of ways. Convenient when running falco inside
+# looking for it in a bunch of ways. Convenient when running Falco inside
 # a container or in other weird environments.
 #
 
@@ -82,7 +82,7 @@ get_kernel_config() {
 		echo "* Found kernel config at ${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
 		KERNEL_CONFIG_PATH="${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
 	elif [ -f "/lib/modules/${KERNEL_RELEASE}/config" ]; then
-		# this code works both for native host and agent container assuming that
+		# This code works both for native host and containers assuming that
 		# Dockerfile sets up the desired symlink /lib/modules -> $HOST_ROOT/lib/modules
 		echo "* Found kernel config at /lib/modules/${KERNEL_RELEASE}/config"
 		KERNEL_CONFIG_PATH="/lib/modules/${KERNEL_RELEASE}/config"
@@ -107,12 +107,14 @@ get_target_id() {
 		source "${HOST_ROOT}/etc/os-release"
 		OS_ID=$ID
 	elif [ -f "${HOST_ROOT}/etc/debian_version" ]; then
-		# Older Debian
-		# fixme > can this happen on older Ubuntu?
+		# Older debian distros
+		# fixme > Can this happen on older Ubuntu?
 		OS_ID=debian
 	elif [ -f "${HOST_ROOT}/etc/centos-release" ]; then
-		# Older CentOS
+		# Older CentOS distros
 		OS_ID=centos
+	elif [ -f "${HOST_ROOT}/etc/VERSION" ]; then
+		OS_ID=minikube
 	else
 		>&2 echo "Detected an unsupported target system, please get in touch with the Falco community"
 		exit 1
@@ -140,25 +142,25 @@ get_target_id() {
 }
 
 load_kernel_module_compile() {
-	# skip dkms on UEK hosts because it will always fail
+	# Skip dkms on UEK hosts because it will always fail
 	if [[ $(uname -r) == *uek* ]]; then
-		echo "* Skipping dkms install for UEK host"
+		>&2 echo "Skipping because the dkms install always fail (on UEK hosts)"
 		return
 	fi
 
-	if ! hash dkms &>/dev/null; then
-		echo "* Skipping dkms install (dkms not found)"
+	if ! hash dkms >/dev/null 2>&1; then
+		>&2 echo "This program requires dkms"
 		return
 	fi
 
-	# try to compile using all the available gcc versions
+	# Try to compile using all the available gcc versions
 	for CURRENT_GCC in $(which gcc) $(ls "$(dirname "$(which gcc)")"/gcc-* | grep 'gcc-[0-9]\+' | sort -r); do
 		echo "* Trying to dkms install ${DRIVER_NAME} module with GCC ${CURRENT_GCC}"
 		echo "#!/usr/bin/env bash" > /tmp/falco-dkms-make
 		echo "make CC=${CURRENT_GCC} \$@" >> /tmp/falco-dkms-make
 		chmod +x /tmp/falco-dkms-make
 		if dkms install --directive="MAKE='/tmp/falco-dkms-make'" -m "${DRIVER_NAME}" -v "${DRIVER_VERSION}" -k "${KERNEL_RELEASE}" 2>/dev/null; then
-			echo "* ${DRIVER_NAME} module installed in dkms, trying to insmod"				
+			echo "* ${DRIVER_NAME} module installed in dkms, trying to insmod"
 			if insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko" > /dev/null 2>&1; then
 				echo "* Success: ${DRIVER_NAME} module found and loaded in dkms"
 				exit 0
@@ -181,7 +183,6 @@ load_kernel_module_compile() {
 }
 
 load_kernel_module_download() {
-
 	get_target_id
 
 	local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
@@ -189,14 +190,14 @@ load_kernel_module_download() {
 	local URL
 	URL=$(echo "${DRIVERS_REPO}/${DRIVER_VERSION}/${FALCO_KERNEL_MODULE_FILENAME}" | sed s/+/%2B/g)
 
-	echo "* Trying to download prebuilt module from ${URL}"
+	echo "* Trying to download a prebuilt ${DRIVER_NAME} module from ${URL}"
 	if curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" "${URL}"; then
 		echo "* Download succeeded"
-		insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module loaded"
+		insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module found and inserted"
 		exit $?
 	else
-		>&2 echo "Download failed, consider compiling your own ${DRIVER_NAME} module and loading it or getting in touch with the Falco community"
-		exit 1
+		>&2 echo "Unable to find a prebuilt ${DRIVER_NAME} module"
+		return
 	fi
 }
 
@@ -220,7 +221,7 @@ load_kernel_module() {
 	rmmod "${DRIVER_NAME}" 2>/dev/null
 	WAIT_TIME=0
 	KMOD_NAME=$(echo "${DRIVER_NAME}" | tr "-" "_")
-	while lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}" && [ $WAIT_TIME -lt "${MAX_RMMOD_WAIT}" ]; do 
+	while lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}" && [ $WAIT_TIME -lt "${MAX_RMMOD_WAIT}" ]; do
 		if rmmod "${DRIVER_NAME}" 2>/dev/null; then
 			echo "* Unloading ${DRIVER_NAME} module succeeded after ${WAIT_TIME}s"
 			break
@@ -237,33 +238,77 @@ load_kernel_module() {
 		exit 0
 	fi
 
-	if [ -n "$ENABLE_COMPILE" ]; then
-		load_kernel_module_compile
-	fi
-
-
-	echo "* Trying to load a system ${DRIVER_NAME} driver, if present"
+	echo "* Trying to load a system ${DRIVER_NAME} module, if present"
 	if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then
 		echo "* Success: ${DRIVER_NAME} module found and loaded with modprobe"
 		exit 0
-	fi		
+	fi
 
-
-	echo "* Trying to find locally a prebuilt ${DRIVER_NAME} module for kernel ${KERNEL_RELEASE}, if present"
+	echo "* Looking for a ${DRIVER_NAME} module locally (kernel ${KERNEL_RELEASE})"
 
 	get_target_id
 
 	local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
 
 	if [ -f "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" ]; then
-		echo "* Found a prebuilt module at ${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}, loading it"
-		insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module loaded"
+		echo "* Found a prebuilt ${DRIVER_NAME} module at ${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}, loading it"
+		insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" && echo "* Success: ${DRIVER_NAME} module found and inserted"
 		exit $?
 	fi
 
 	if [ -n "$ENABLE_DOWNLOAD" ]; then
 		load_kernel_module_download
 	fi
+
+	if [ -n "$ENABLE_COMPILE" ]; then
+		load_kernel_module_compile
+	fi
+
+	# Not able to download a prebuilt module nor to compile one on-the-fly
+	>&2 echo "Consider compiling your own ${DRIVER_NAME} driver and loading it or getting in touch with the Falco community"
+	exit 1
+}
+
+clean_kernel_module() {
+	if ! hash lsmod > /dev/null 2>&1; then
+		>&2 echo "This program requires lsmod"
+		exit 1
+	fi
+
+	if ! hash rmmod > /dev/null 2>&1; then
+		>&2 echo "This program requires rmmod"
+		exit 1
+	fi
+
+	KMOD_NAME=$(echo "${DRIVER_NAME}" | tr "-" "_")
+	if lsmod | cut -d' ' -f1 | grep -qx "${KMOD_NAME}"; then
+		if rmmod "${DRIVER_NAME}" 2>/dev/null; then
+			echo "* Unloading ${DRIVER_NAME} module succeeded"
+		else
+			echo "* Unloading ${DRIVER_NAME} module failed"
+		fi
+	else
+		echo "* There is no ${DRIVER_NAME} module loaded"
+	fi
+
+	if ! hash dkms >/dev/null 2>&1; then
+		echo "* Skipping dkms remove (dkms not found)"
+		return
+	fi
+
+	DRIVER_VERSIONS=$(dkms status -m "${DRIVER_NAME}" | cut -d',' -f2 | sed -e 's/^[[:space:]]*//')
+	if [ -z "${DRIVER_VERSIONS}" ]; then
+		echo "* There is no ${DRIVER_NAME} module in dkms"
+		return
+	fi
+	for CURRENT_VER in ${DRIVER_VERSIONS}; do
+		if dkms remove -m "${DRIVER_NAME}" -v "${CURRENT_VER}" --all 2>/dev/null; then
+			echo "* Removing ${DRIVER_NAME}/${CURRENT_VER} succeeded"
+		else
+			echo "* Removing ${DRIVER_NAME}/${CURRENT_VER} failed"
+			exit 1
+		fi
+	done
 }
 
 load_bpf_probe_compile() {
@@ -272,14 +317,14 @@ load_bpf_probe_compile() {
 
 	customize_kernel_build() {
 		if [ -n "${KERNEL_EXTRA_VERSION}" ]; then
-		sed -i "s/LOCALVERSION=\"\"/LOCALVERSION=\"${KERNEL_EXTRA_VERSION}\"/" .config
+			sed -i "s/LOCALVERSION=\"\"/LOCALVERSION=\"${KERNEL_EXTRA_VERSION}\"/" .config
 		fi
 		make olddefconfig > /dev/null
 		make modules_prepare > /dev/null
 	}
 
-	if [ -n "${COS}" ]; then
-		echo "* COS detected (build ${BUILD_ID}), using cos kernel headers"
+	if [ "${TARGET_ID}" == "cos" ]; then
+		echo "* COS detected (build ${BUILD_ID}), using COS kernel headers"
 
 		BPF_KERNEL_SOURCES_URL="https://storage.googleapis.com/cos-tools/${BUILD_ID}/kernel-headers.tgz"
 		KERNEL_EXTRA_VERSION="+"
@@ -310,7 +355,8 @@ load_bpf_probe_compile() {
 		}
 	fi
 
-	if [ -n "${MINIKUBE}" ]; then
+	if [ "${TARGET_ID}" == "minikube" ]; then
+		MINIKUBE_VERSION="$(cat "${HOST_ROOT}/etc/VERSION")"
 		echo "* Minikube detected (${MINIKUBE_VERSION}), using linux kernel sources for minikube kernel"
 		local kernel_version
 		kernel_version=$(uname -r)
@@ -336,14 +382,16 @@ load_bpf_probe_compile() {
 	fi
 
 	if [ -n "${BPF_KERNEL_SOURCES_URL}" ]; then
+		get_kernel_config
+
 		echo "* Downloading ${BPF_KERNEL_SOURCES_URL}"
 
 		mkdir -p /tmp/kernel
 		cd /tmp/kernel || exit
 		cd "$(mktemp -d -p /tmp/kernel)" || exit
 		if ! curl -L -o kernel-sources.tgz --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" "${BPF_KERNEL_SOURCES_URL}"; then
-			>&2 echo "Download failed"
-			exit 1;
+			>&2 echo "Unable to download the kernel sources"
+			return
 		fi
 
 		echo "* Extracting kernel sources"
@@ -384,47 +432,22 @@ load_bpf_probe_download() {
 	echo "* Trying to download a prebuilt eBPF probe from ${URL}"
 
 	if ! curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${URL}"; then
-		>&2 echo "Download failed"
-		exit 1;
+		>&2 echo "Unable to find a prebuilt ${DRIVER_NAME} eBPF probe"
+		return
 	fi
 }
 
 load_bpf_probe() {
-
 	echo "* Mounting debugfs"
 
 	if [ ! -d /sys/kernel/debug/tracing ]; then
 		mount -t debugfs nodev /sys/kernel/debug
 	fi
 
-	get_kernel_config
-
-	if [ -n "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/etc/os-release" ]; then
-		# shellcheck source=/dev/null
-		source "${HOST_ROOT}/etc/os-release"
-
-		if [ "${ID}" == "cos" ]; then
-			COS=1
-		fi
-	fi
-
-	if [ -n "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/etc/VERSION" ]; then
-		MINIKUBE=1
-		MINIKUBE_VERSION="$(cat "${HOST_ROOT}/etc/VERSION")"
-	fi
-
 	get_target_id
 
 	BPF_PROBE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.o"
 
-	if [ -n "$ENABLE_COMPILE" ]; then
-		if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
-			echo "* Skipping compile, eBPF probe is already present in ${HOME}/.falco/${BPF_PROBE_FILENAME}"
-		else
-			load_bpf_probe_compile
-		fi
-	fi
-
 	if [ -n "$ENABLE_DOWNLOAD" ]; then
 		if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
 			echo "* Skipping download, eBPF probe is already present in ${HOME}/.falco/${BPF_PROBE_FILENAME}"
@@ -433,21 +456,22 @@ load_bpf_probe() {
 		fi
 	fi
 
+	if [ -n "$ENABLE_COMPILE" ]; then
+		if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
+			echo "* Skipping compilation, eBPF probe is already present in ${HOME}/.falco/${BPF_PROBE_FILENAME}"
+		else
+			load_bpf_probe_compile
+		fi
+	fi
+
 	if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
 		echo "* eBPF probe located in ${HOME}/.falco/${BPF_PROBE_FILENAME}"
 
-		if [ ! -f /proc/sys/net/core/bpf_jit_enable ]; then
-			echo "******************************************************************"
-			echo "** BPF doesn't have JIT enabled, performance might be degraded. **"
-			echo "** Please ensure to run on a kernel with CONFIG_BPF_JIT on.     **"
-			echo "******************************************************************"
-		fi
-
 		ln -sf "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${HOME}/.falco/${DRIVER_NAME}-bpf.o" \
 			&& echo "* Success: eBPF probe symlinked to ${HOME}/.falco/${DRIVER_NAME}-bpf.o"
 		exit $?
 	else
-		>&2 echo "Failure to find an eBPF probe"
+		>&2 echo "Unable to load the ${DRIVER_NAME} eBPF probe"
 		exit 1
 	fi
 }
@@ -463,15 +487,32 @@ print_usage() {
 	echo ""
 	echo "Options:"
 	echo "  --help         show brief help"
-	echo "  --compile      try to compile the driver locally"
-	echo "  --download     try to download a prebuilt driver"
+	echo "  --clean        try to remove an already present driver installation"
+	echo "  --compile      try to compile the driver locally (default true)"
+	echo "  --download     try to download a prebuilt driver (default true)"
 	echo "  --source-only  skip execution and allow sourcing in another script"
 	echo ""
+	echo "Environment variables:"
+	echo "  DRIVER_REPO              specify a different URL where to look for prebuilt Falco drivers"
+	echo "  DRIVER_NAME              specify a different name for the driver"
+	echo "  DRIVER_INSECURE_DOWNLOAD whether you want to allow insecure downloads or not"
+	echo ""
+	echo "Versions:"
+	echo "  Falco version  ${FALCO_VERSION}"
+	echo "  Driver version ${DRIVER_VERSION}"
+	echo ""
 }
 
 ARCH=$(uname -m)
+
 KERNEL_RELEASE=$(uname -r)
+
+if ! hash sed > /dev/null 2>&1; then
+	>&2 echo "This program requires sed"
+	exit 1
+fi
 KERNEL_VERSION=$(uname -v | sed 's/#\([[:digit:]]\+\).*/\1/')
+
 DRIVERS_REPO=${DRIVERS_REPO:-"@DRIVERS_REPO@"}
 
 if [ -n "$DRIVER_INSECURE_DOWNLOAD" ]
@@ -486,7 +527,8 @@ if [[ -z "$MAX_RMMOD_WAIT" ]]; then
 fi
 
 DRIVER_VERSION="@PROBE_VERSION@"
-DRIVER_NAME="@PROBE_NAME@"
+DRIVER_NAME=${DRIVER_NAME:-"@PROBE_NAME@"}
+FALCO_VERSION="@FALCO_VERSION@"
 
 DRIVER="module"
 if [ -v FALCO_BPF_PROBE ]; then
@@ -496,6 +538,7 @@ fi
 ENABLE_COMPILE=
 ENABLE_DOWNLOAD=
 
+clean=
 has_args=
 has_opts=
 source_only=
@@ -503,7 +546,7 @@ while test $# -gt 0; do
 	case "$1" in
 		module|bpf)
 			if [ -n "$has_args" ]; then
-				>&2 echo "Only one driver can be passed"
+				>&2 echo "Only one driver per invocation"
 				print_usage
 				exit 1
 			else
@@ -516,6 +559,10 @@ while test $# -gt 0; do
 			print_usage
 			exit 0
 			;;
+		--clean)
+			clean="true"
+			shift
+			;;
 		--compile)
 			ENABLE_COMPILE="yes"
 			has_opts="true"
@@ -549,23 +596,42 @@ if [ -z "$has_opts" ]; then
 fi
 
 if [ -z "$source_only" ]; then
+	echo "* Running falco-driver-loader for: falco version=${FALCO_VERSION}, driver version=${DRIVER_VERSION}"
+
 	if [ "$(id -u)" != 0 ]; then
 		>&2 echo "This program must be run as root (or with sudo)"
 		exit 1
 	fi
 
-	if ! hash curl > /dev/null 2>&1; then
-		>&2 echo "This program requires curl"
-		exit 1
-	fi
+	if [ -n "$clean" ]; then
+		if [ -n "$has_opts" ]; then
+			>&2 echo "Cannot use --clean with other options"
+			exit 1
+		fi
 
-	echo "* Running falco-driver-loader with: driver=$DRIVER, compile=${ENABLE_COMPILE:-"no"}, download=${ENABLE_DOWNLOAD:-"no"}"
-	case $DRIVER in 
+		echo "* Running falco-driver-loader with: driver=$DRIVER, clean=yes"
+		case $DRIVER in
 		module)
-			load_kernel_module
+			clean_kernel_module
 			;;
 		bpf)
-			load_bpf_probe
-			;;
-	esac
-fi
+			>&2 echo "--clean not supported for driver=bpf"
+			exit 1
+		esac
+	else
+		if ! hash curl > /dev/null 2>&1; then
+			>&2 echo "This program requires curl"
+			exit 1
+		fi
+
+		echo "* Running falco-driver-loader with: driver=$DRIVER, compile=${ENABLE_COMPILE:-"no"}, download=${ENABLE_DOWNLOAD:-"no"}"
+		case $DRIVER in
+			module)
+				load_kernel_module
+				;;
+			bpf)
+				load_bpf_probe
+				;;
+		esac
+	fi
+fi

scripts/publish-bin

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+set -e
+
+usage() {
+    echo "usage: $0 -f <package.tar.gz> -r <bin|bin-dev> -a <arch>"
+    exit 1
+}
+
+# parse options
+while getopts ":f::r::a:" opt; do
+    case "${opt}" in
+        f )
+          file=${OPTARG}
+          ;;
+        r )
+          repo="${OPTARG}"
+          [[ "${repo}" == "bin" || "${repo}" == "bin-dev" ]] || usage
+          ;;
+        a )
+          arch=${OPTARG}
+          ;;
+        : )
+          echo "invalid option: ${OPTARG} requires an argument" 1>&2
+          exit 1
+          ;;
+        \?)
+          echo "invalid option: ${OPTARG}" 1>&2
+          exit 1
+          ;;
+    esac
+done
+shift $((OPTIND-1))
+
+if [ -z "${file}" ] || [ -z "${repo}" ] || [ -z "${arch}" ]; then
+    usage
+fi
+
+# settings
+s3_bucket_repo="s3://falco-distribution/packages/${repo}/${arch}"
+cloudfront_path="/packages/${repo}/${arch}"
+
+# publish
+package=$(basename -- ${file})
+echo "Publishing ${package} to ${s3_bucket_repo}..."
+aws s3 cp ${file} ${s3_bucket_repo}/${package} --acl public-read
+
+aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}

scripts/publish-deb

@@ -0,0 +1,132 @@
+#!/usr/bin/env bash
+set -e
+
+usage() {
+    echo "usage: $0 -f <package.deb> -r <deb|deb-dev>"
+    exit 1
+}
+
+check_program() {
+  if ! command -v $1 &> /dev/null
+  then
+      echo "$1 is required and could not be found"
+      exit
+  fi
+}
+
+# Add a package to the local DEB repository
+#
+# $1: path of the repository.
+# $2: suite (eg. "stable")
+# $3: path of the DEB file.
+add_deb() {
+    cp -f $3 $1/$2
+    pushd $1/$2 > /dev/null
+    rm -f $(basename -- $3).asc
+    gpg --detach-sign --armor $(basename -- $3)
+    popd > /dev/null
+}
+
+# Update the local DEB repository
+#
+# $1: path of the repository
+# $2: suite (eg. "stable")
+update_repo() {
+    # fixme(leogr): we cannot use apt-ftparchive --arch packages ...
+    # since our .deb files ends with "_x86_64" instead of "amd64".
+    # See https://manpages.debian.org/jessie/apt-utils/apt-ftparchive.1.en.html
+    #
+    # As a workaround, we temporarily stick here with "amd64" 
+    # (the only supported arch at the moment)
+    local arch=amd64
+
+    local component=main
+    local debs_dir=$2
+    local release_dir=dists/$2
+    local packages_dir=${release_dir}/${component}/binary-${arch}
+
+    pushd $1 > /dev/null
+
+    # packages metadata
+    apt-ftparchive packages ${debs_dir} > ${packages_dir}/Packages
+    gzip -c ${packages_dir}/Packages > ${packages_dir}/Packages.gz
+    bzip2 -z -c ${packages_dir}/Packages > ${packages_dir}/Packages.bz2
+    
+    # release metadata
+    apt-ftparchive release \
+      -o APT::FTPArchive::Release::Origin=Falco \
+      -o APT::FTPArchive::Release::Label=Falco \
+      -o APT::FTPArchive::Release::Suite=$2 \
+      -o APT::FTPArchive::Release::Codename=$2 \
+      -o APT::FTPArchive::Release::Components=${component} \
+      -o APT::FTPArchive::Release::Architectures=${arch} \
+      ${release_dir} > ${release_dir}/Release
+
+    # release signature
+    gpg --detach-sign --armor ${release_dir}/Release
+    rm -f ${release_dir}/Release.gpg
+    mv ${release_dir}/Release.asc ${release_dir}/Release.gpg
+
+    popd > /dev/null
+}
+
+# parse options
+while getopts ":f::r:" opt; do
+    case "${opt}" in
+        f )
+          file=${OPTARG}
+          ;;
+        r )
+          repo="${OPTARG}"
+          [[ "${repo}" == "deb" || "${repo}" == "deb-dev" ]] || usage
+          ;;
+        : )
+          echo "invalid option: ${OPTARG} requires an argument" 1>&2
+          exit 1
+          ;;
+        \?)
+          echo "invalid option: ${OPTARG}" 1>&2
+          exit 1
+          ;;
+    esac
+done
+shift $((OPTIND-1))
+
+# check options
+if [ -z "${file}" ] || [ -z "${repo}" ]; then
+    usage
+fi
+
+# check prerequisites
+check_program apt-ftparchive
+check_program gzip
+check_program bzip2
+check_program gpg
+check_program aws
+
+# settings
+debSuite=stable
+s3_bucket_repo="s3://falco-distribution/packages/${repo}"
+cloudfront_path="/packages/${repo}"
+tmp_repo_path=/tmp/falco-$repo
+
+# prepare repository local copy
+echo "Fetching ${s3_bucket_repo}..."
+mkdir -p ${tmp_repo_path}
+aws s3 cp ${s3_bucket_repo} ${tmp_repo_path} --recursive
+
+# update the repo
+echo "Adding ${file}..."
+add_deb ${tmp_repo_path} ${debSuite} ${file}
+update_repo ${tmp_repo_path} ${debSuite}
+
+# publish
+package=$(basename -- ${file})
+echo "Publishing ${package} to ${s3_bucket_repo}..."
+aws s3 cp ${tmp_repo_path}/${debSuite}/${package} ${s3_bucket_repo}/${debSuite}/${package} --acl public-read
+aws s3 cp ${tmp_repo_path}/${debSuite}/${package}.asc ${s3_bucket_repo}/${debSuite}/${package}.asc --acl public-read
+aws s3 sync ${tmp_repo_path}/dists ${s3_bucket_repo}/dists --delete --acl public-read
+
+aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${debSuite}/${package}
+aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${debSuite}/${package}.asc
+aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/dists/*

scripts/publish-rpm

@@ -0,0 +1,96 @@
+#!/usr/bin/env bash
+set -e
+
+usage() {
+    echo "usage: $0 -f <package.rpm> -r <rpm|rpm-dev>"
+    exit 1
+}
+
+check_program() {
+  if ! command -v $1 &> /dev/null
+  then
+      echo "$1 is required and could not be found"
+      exit
+  fi
+}
+
+# Add a package to the local RPM repository
+#
+# $1: path of the repository.
+# $2: path of the RPM file.
+add_rpm() {
+    cp -f $2 $1
+    pushd $1 > /dev/null
+    rm -f $(basename -- $2).asc
+    gpg --detach-sign --armor $(basename -- $2)
+    popd > /dev/null
+}
+
+# Update the local RPM repository
+#
+# $1: path of the repository.
+update_repo() {
+    pushd $1 > /dev/null
+    createrepo --update --no-database .
+    rm -f repodata/repomd.xml.asc
+    gpg --detach-sign --armor repodata/repomd.xml
+    popd > /dev/null
+}
+
+
+# parse options
+while getopts ":f::r:" opt; do
+    case "${opt}" in
+        f )
+          file=${OPTARG}
+          ;;
+        r )
+          repo="${OPTARG}"
+          [[ "${repo}" == "rpm" || "${repo}" == "rpm-dev" ]] || usage
+          ;;
+        : )
+          echo "invalid option: ${OPTARG} requires an argument" 1>&2
+          exit 1
+          ;;
+        \?)
+          echo "invalid option: ${OPTARG}" 1>&2
+          exit 1
+          ;;
+    esac
+done
+shift $((OPTIND-1))
+
+if [ -z "${file}" ] || [ -z "${repo}" ]; then
+    usage
+fi
+
+# check prerequisites
+check_program createrepo
+check_program gpg
+check_program aws
+
+# settings
+s3_bucket_repo="s3://falco-distribution/packages/${repo}"
+cloudfront_path="/packages/${repo}"
+tmp_repo_path=/tmp/falco-$repo
+
+# prepare repository local copy
+echo "Fetching ${s3_bucket_repo}..."
+mkdir -p ${tmp_repo_path}
+aws s3 cp ${s3_bucket_repo} ${tmp_repo_path} --recursive
+
+# update the repo
+echo "Adding ${file}..."
+add_rpm ${tmp_repo_path} ${file}
+update_repo ${tmp_repo_path}
+
+# publish
+package=$(basename -- ${file})
+echo "Publishing ${package} to ${s3_bucket_repo}..."
+aws s3 cp ${tmp_repo_path}/${package} ${s3_bucket_repo}/${package} --acl public-read
+aws s3 cp ${tmp_repo_path}/${package}.asc ${s3_bucket_repo}/${package}.asc --acl public-read
+aws s3 sync ${tmp_repo_path}/repodata ${s3_bucket_repo}/repodata --delete --acl public-read
+
+aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}
+aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/${package}.asc
+aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/repodata/*

scripts/rpm/falco

@@ -1,127 +0,0 @@
-#!/bin/sh
-
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-#
-# falco syscall monitoring agent
-#
-# chkconfig:   2345 55 45
-# description: Falco syscall monitoring agent
-#
-
-### BEGIN INIT INFO
-# Provides:
-# Required-Start:
-# Required-Stop:
-# Should-Start:
-# Should-Stop:
-# Default-Start:
-# Default-Stop:
-# Short-Description:
-# Description:
-### END INIT INFO
-
-# Source function library.
-. /etc/rc.d/init.d/functions
-
-exec="/usr/bin/falco"
-prog="falco"
-# config="<path to major config file>"
-
-[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
-
-lockfile=/var/lock/subsys/$prog
-pidfile="/var/run/falco.pid"
-
-start() {
-    [ -x $exec ] || exit 5
-    # [ -f $config ] || exit 6
-    echo -n $"Starting $prog: "
-    daemon $exec --daemon --pidfile=$pidfile
-    if [ ! -d /sys/module/falco ]; then
-        /sbin/modprobe falco || return $?
-    fi
-    retval=$?
-    echo
-    [ $retval -eq 0 ] && touch $lockfile
-    return $retval
-}
-
-stop() {
-    echo -n $"Stopping $prog: "
-    killproc -p $pidfile
-    retval=$?
-    echo
-    /sbin/rmmod falco
-    [ $retval -eq 0 ] && rm -f $lockfile
-    return $retval
-}
-
-restart() {
-    stop
-    start
-}
-
-reload() {
-    restart
-}
-
-force_reload() {
-    restart
-}
-
-rh_status() {
-    status -p $pidfile $prog
-}
-
-rh_status_q() {
-    rh_status >/dev/null 2>&1
-}
-
-
-case "$1" in
-    start)
-        rh_status_q && exit 0
-        $1
-        ;;
-    stop)
-        rh_status_q || exit 0
-        $1
-        ;;
-    restart)
-        $1
-        ;;
-    reload)
-        rh_status_q || exit 7
-        $1
-        ;;
-    force-reload)
-        force_reload
-        ;;
-    status)
-        rh_status
-        ;;
-    condrestart|try-restart)
-        rh_status_q || exit 0
-        restart
-        ;;
-    *)
-        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
-        exit 2
-esac
-exit $?

scripts/rpm/falco.service

@@ -0,0 +1,24 @@
+[Unit]
+Description=Falco: Container Native Runtime Security
+Documentation=https://falco.org/docs/
+
+[Service]
+Type=simple
+User=root
+ExecStartPre=/sbin/modprobe falco
+ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
+ExecStopPost=/sbin/rmmod falco
+UMask=0077
+TimeoutSec=30
+RestartSec=15s
+Restart=on-failure
+PrivateTmp=true
+NoNewPrivileges=yes
+ProtectHome=read-only
+ProtectSystem=full
+ProtectKernelTunables=true
+RestrictRealtime=true
+RestrictAddressFamilies=~AF_PACKET
+
+[Install]
+WantedBy=multi-user.target

scripts/rpm/postinstall.in

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2021 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -29,5 +29,3 @@ else
 	echo -e "Module build for the currently running kernel was skipped since the"
 	echo -e "kernel source for this kernel does not seem to be installed."
 fi
-
-/sbin/chkconfig --add falco

scripts/rpm/postuninstall.in

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2021 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -14,7 +14,3 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-
-if [ "$1" -ge "1" ]; then
-	/sbin/service falco condrestart > /dev/null 2>&1
-fi

scripts/rpm/preuninstall.in

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2021 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,10 +15,5 @@
 # limitations under the License.
 #
 
-if [ $1 = 0 ]; then
-	/sbin/service falco stop > /dev/null 2>&1
-	/sbin/chkconfig --del falco
-fi
-
 mod_version="@PROBE_VERSION@"
 dkms remove -m falco -v $mod_version --all --rpm_safe_upgrade

test/README.md

@@ -2,7 +2,7 @@
 
 This folder contains the Regression tests suite for Falco.
 
-You can find instructions on how to run this test suite on the Falco website [here](https://falco.org/docs/source/#run-regression-tests).
+You can find instructions on how to run this test suite on the Falco website [here](https://falco.org/docs/getting-started/source/#run-regression-tests).
 
 ## Test suites
 
@@ -16,7 +16,7 @@ You can find instructions on how to run this test suite on the Falco website [he
 
 This step assumes you already built Falco.
 
-Note that the tests are intended to be run against a [release build](https://falco.org/docs/source/#specify-the-build-type) of Falco, at the moment.
+Note that the tests are intended to be run against a [release build](https://falco.org/docs/getting-started/source/#specify-the-build-type) of Falco, at the moment.
 
 Also, it assumes you prepared [falco_traces](#falco_traces) (see the section below) and you already run the following command from the build directory:
 
@@ -26,7 +26,15 @@ make test-trace-files
 
 It prepares the fixtures (`json` and `scap` files) needed by the integration tests.
 
-Using `virtualenv` the steps to locally run a specific test suite are the following ones (from this directory):
+**Requirements**
+
+- Python 3.x
+- [Virtualenv](https://virtualenv.pypa.io/en/latest/)
+- [grpcurl](https://github.com/fullstorydev/grpcurl)
+
+**Setup and execution**
+
+Using `virtualenv` the steps to locally run a specific test suite are the following ones (**from this directory**):
 
 ```console
 virtualenv venv

test/confs/drops_ignore_log.yaml

@@ -0,0 +1,12 @@
+syscall_event_drops:
+  actions:
+    - ignore
+    - log
+  rate: .03333
+  max_burst: 10
+  simulate_drops: true
+
+stdout_output:
+  enabled: true
+
+log_stderr: true

test/confs/drops_log.yaml

@@ -9,3 +9,5 @@ stdout_output:
   enabled: true
 
 log_stderr: true
+
+log_level: debug

test/confs/drops_threshold_neg.yaml

@@ -0,0 +1,12 @@
+syscall_event_drops:
+  threshold: -1
+  actions:
+    - ignore
+  rate: .03333
+  max_burst: 10
+  simulate_drops: true
+
+stdout_output:
+  enabled: true
+
+log_stderr: true

test/confs/drops_threshold_oor.yaml

@@ -0,0 +1,12 @@
+syscall_event_drops:
+  threshold: 1.1
+  actions:
+    - ignore
+  rate: .03333
+  max_burst: 10
+  simulate_drops: true
+
+stdout_output:
+  enabled: true
+
+log_stderr: true

test/falco_k8s_audit_tests.yaml

@@ -128,6 +128,16 @@ trace_files: !mux
       - Create Privileged Pod: 1
     trace_file: trace_files/k8s_audit/create_nginx_pod_privileged.json
 
+  create_privileged_no_secctx_1st_container_2nd_container_pod:
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - ../rules/falco_rules.yaml
+      - ../rules/k8s_audit_rules.yaml
+    detect_counts:
+      - Create Privileged Pod: 1
+    trace_file: trace_files/k8s_audit/create_nginx_pod_no_secctx_1st_container_privileged_2nd_container.json
+
   create_privileged_2nd_container_pod:
     detect: True
     detect_level: WARNING

test/falco_tests.yaml

@@ -356,8 +356,6 @@ trace_files: !mux
         condition: evt.type=fork
         priority: INFO
       ---
-      1 warnings:
-      Rule no output rule: consider adding an exceptions property to define supported exceptions fields
     validate_rules_file:
       - rules/invalid_rule_without_output.yaml
     trace_file: trace_files/cat_write.scap
@@ -413,8 +411,6 @@ trace_files: !mux
         condition: evt.type=open
         append: true
       ---
-      1 warnings:
-      Rule my_rule: consider adding an exceptions property to define supported exceptions fields
     validate_rules_file:
       - rules/rule_append_failure.yaml
     trace_file: trace_files/cat_write.scap
@@ -542,9 +538,6 @@ trace_files: !mux
         priority: INFO
         append: false
       ---
-      2 warnings:
-      Rule some rule: consider adding an exceptions property to define supported exceptions fields
-      Rule some rule: consider adding an exceptions property to define supported exceptions fields
     validate_rules_file:
       - rules/invalid_overwrite_rule_multiple_docs.yaml
     trace_file: trace_files/cat_write.scap
@@ -567,9 +560,6 @@ trace_files: !mux
         priority: INFO
         append: true
       ---
-      2 warnings:
-      Rule some rule: consider adding an exceptions property to define supported exceptions fields
-      Rule some rule: consider adding an exceptions property to define supported exceptions fields
     validate_rules_file:
       - rules/invalid_append_rule_multiple_docs.yaml
     trace_file: trace_files/cat_write.scap
@@ -627,8 +617,6 @@ trace_files: !mux
         output: "An open was seen %not_a_real_field"
         priority: WARNING
       ---
-      1 warnings:
-      Rule rule_with_invalid_output: consider adding an exceptions property to define supported exceptions fields
     validate_rules_file:
       - rules/invalid_rule_output.yaml
     trace_file: trace_files/cat_write.scap
@@ -1227,6 +1215,51 @@ trace_files: !mux
     stdout_not_contains:
       - "Falco internal: syscall event drop"
 
+  monitor_syscall_drops_ignore_and_log:
+    exit_status: 1
+    rules_file:
+      - rules/single_rule.yaml
+    conf_file: confs/drops_ignore_log.yaml
+    trace_file: trace_files/ping_sendto.scap
+    stderr_not_contains:
+      - "event drop detected: 9 occurrences"
+      - "num times actions taken: 9"
+      - "Falco internal: syscall event drop"
+    stdout_not_contains:
+      - "Falco internal: syscall event drop"
+    stderr_contains:
+      - "syscall event drop action \"log\" does not make sense with the \"ignore\" action"
+
+  monitor_syscall_drops_threshold_oor:
+    exit_status: 1
+    rules_file:
+      - rules/single_rule.yaml
+    conf_file: confs/drops_threshold_oor.yaml
+    trace_file: trace_files/ping_sendto.scap
+    stderr_not_contains:
+      - "event drop detected: 9 occurrences"
+      - "num times actions taken: 9"
+      - "Falco internal: syscall event drop"
+    stdout_not_contains:
+      - "Falco internal: syscall event drop"
+    stderr_contains:
+      - "syscall event drops threshold must be a double in the range"
+
+  monitor_syscall_drops_threshold_neg:
+    exit_status: 1
+    rules_file:
+      - rules/single_rule.yaml
+    conf_file: confs/drops_threshold_neg.yaml
+    trace_file: trace_files/ping_sendto.scap
+    stderr_not_contains:
+      - "event drop detected: 9 occurrences"
+      - "num times actions taken: 9"
+      - "Falco internal: syscall event drop"
+    stdout_not_contains:
+      - "Falco internal: syscall event drop"
+    stderr_contains:
+      - "syscall event drops threshold must be a double in the range"
+
   monitor_syscall_drops_log:
     exit_status: 0
     rules_file:

test/falco_tests_exceptions.yaml

@@ -185,15 +185,6 @@ trace_files: !mux
       - rules/exceptions/append_item_not_in_rule.yaml
     trace_file: trace_files/cat_write.scap
 
-  rule_without_exception:
-    exit_status: 0
-    stderr_contains: |+
-      1 warnings:
-      Rule My Rule: consider adding an exceptions property to define supported exceptions fields
-    validate_rules_file:
-      - rules/exceptions/rule_without_exception.yaml
-    trace_file: trace_files/cat_write.scap
-
   rule_exception_no_values:
     detect: True
     detect_level: WARNING

test/requirements.txt

@@ -5,9 +5,9 @@ chardet==3.0.4
 idna==2.9
 pathtools==0.1.2
 pbr==5.4.5
-PyYAML==5.3.1
+PyYAML==5.4
 requests==2.23.0
 six==1.14.0
 stevedore==1.32.0
 urllib3==1.25.9
-watchdog==0.10.2
+watchdog==0.10.2

test/rules/exceptions/rule_without_exception.yaml

@@ -1,21 +0,0 @@
-#
-# Copyright (C) 2020 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-- rule: My Rule
-  desc: Some desc
-  condition: evt.type=open and proc.name=cat
-  output: Some output
-  priority: error

test/run_performance_tests.sh

@@ -20,9 +20,11 @@
 
 trap "cleanup; exit" SIGHUP SIGINT SIGTERM
 
+TRACE_FILES_BASE_URL=${TRACE_FILES_BASE_URL:-"https://download.falco.org/fixtures/trace-files/"}
+
 function download_trace_files() {
 
-    (mkdir -p $TRACEDIR && rm -rf $TRACEDIR/traces-perf && curl -fo $TRACEDIR/traces-perf.zip https://s3.amazonaws.com/download.draios.com/falco-tests/traces-perf.zip && unzip -d $TRACEDIR $TRACEDIR/traces-perf.zip && rm -f $TRACEDIR/traces-perf.zip) || exit 1
+    (mkdir -p $TRACEDIR && rm -rf $TRACEDIR/traces-perf && curl -fo $TRACEDIR/traces-perf.zip "${TRACE_FILES_BASE_URL}traces-perf.zip" && unzip -d $TRACEDIR $TRACEDIR/traces-perf.zip && rm -f $TRACEDIR/traces-perf.zip) || exit 1
 
 }
 

test/run_regression_tests.sh

@@ -20,6 +20,7 @@ set -euo pipefail
 SCRIPT=$(readlink -f $0)
 SCRIPTDIR=$(dirname "$SCRIPT")
 SKIP_PACKAGES_TESTS=${SKIP_PACKAGES_TESTS:-false}
+TRACE_FILES_BASE_URL=${TRACE_FILES_BASE_URL:-"https://download.falco.org/fixtures/trace-files/"}
 
 # Trace file tarballs are now versioned. Any time a substantial change
 # is made that affects the interaction of rules+engine and the trace
@@ -31,9 +32,9 @@ function download_trace_files() {
     for TRACE in traces-positive traces-negative traces-info ; do
     if [ ! -e "$TRACE_DIR/$TRACE" ]; then
         if [ "$OPT_BRANCH" != "none" ]; then
-        curl -fso "$TRACE_DIR/$TRACE.zip" https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE-$OPT_BRANCH.zip
+        curl -fso "$TRACE_DIR/$TRACE.zip" "$TRACE_FILES_BASE_URL$TRACE-$OPT_BRANCH.zip"
         else
-        curl -fso "$TRACE_DIR/$TRACE.zip" https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE-$TRACE_FILES_VERSION.zip
+        curl -fso "$TRACE_DIR/$TRACE.zip" "$TRACE_FILES_BASE_URL$TRACE-$TRACE_FILES_VERSION.zip"
         fi
         unzip -d "$TRACE_DIR" "$TRACE_DIR/$TRACE.zip"
         rm -rf "$TRACE_DIR/$TRACE.zip"

test/trace_files/k8s_audit/create_nginx_pod_no_secctx_1st_container_privileged_2nd_container.json

@@ -0,0 +1 @@
+{"annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""},"auditID":"f83ecd50-5bf4-4fe7-a419-dea22852ca49","kind":"Event","level":"RequestResponse","metadata":{"creationTimestamp":"2018-10-25T17:53:07Z"},"objectRef":{"apiVersion":"v1","namespace":"default","resource":"pods"},"requestObject":{"apiVersion":"v1","kind":"Pod","metadata":{"creationTimestamp":null,"generateName":"nginx-deployment-544b59f8b8-","labels":{"app":"nginx","pod-template-hash":"1006159464"},"ownerReferences":[{"apiVersion":"apps/v1","blockOwnerDeletion":true,"controller":true,"kind":"ReplicaSet","name":"nginx-deployment-544b59f8b8","uid":"d40b40e1-d87e-11e8-a473-080027728ac4"}]},"spec":{"containers":[{"image":"nginx","imagePullPolicy":"Always","name":"nginx1","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"},{"image":"mysql:latest","imagePullPolicy":"Always","name":"mysql","resources":{},"securityContext":{"privileged":true},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30},"status":{}},"requestReceivedTimestamp":"2018-10-25T17:53:06.995407Z","requestURI":"/api/v1/namespaces/default/pods","responseObject":{"apiVersion":"v1","kind":"Pod","metadata":{"creationTimestamp":"2018-10-25T17:53:06Z","generateName":"nginx-deployment-544b59f8b8-","labels":{"app":"nginx","pod-template-hash":"1006159464"},"name":"nginx-deployment-544b59f8b8-ffkxm","namespace":"default","ownerReferences":[{"apiVersion":"apps/v1","blockOwnerDeletion":true,"controller":true,"kind":"ReplicaSet","name":"nginx-deployment-544b59f8b8","uid":"d40b40e1-d87e-11e8-a473-080027728ac4"}],"resourceVersion":"246302","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-544b59f8b8-ffkxm","uid":"d40dfcd7-d87e-11e8-a473-080027728ac4"},"spec":{"containers":[{"image":"nginx","imagePullPolicy":"Always","name":"nginx1","resources":{},"securityContext":{"privileged":false},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","volumeMounts":[{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount","name":"default-token-g2sp7","readOnly":true}]},{"image":"mysql:latest","imagePullPolicy":"Always","name":"mysql","resources":{},"securityContext":{"privileged":true},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","volumeMounts":[{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount","name":"default-token-g2sp7","readOnly":true}]}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"serviceAccount":"default","serviceAccountName":"default","terminationGracePeriodSeconds":30,"tolerations":[{"effect":"NoExecute","key":"node.kubernetes.io/not-ready","operator":"Exists","tolerationSeconds":300},{"effect":"NoExecute","key":"node.kubernetes.io/unreachable","operator":"Exists","tolerationSeconds":300}],"volumes":[{"name":"default-token-g2sp7","secret":{"defaultMode":420,"secretName":"default-token-g2sp7"}}]},"status":{"phase":"Pending","qosClass":"BestEffort"}},"responseStatus":{"code":201,"metadata":{}},"sourceIPs":["::1"],"stage":"ResponseComplete","stageTimestamp":"2018-10-25T17:53:07.006845Z","timestamp":"2018-10-25T17:53:06Z","user":{"groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"],"uid":"8d5e1349-d30f-11e8-96d9-080027728ac4","username":"system:serviceaccount:kube-system:replicaset-controller"},"verb":"create"}

userspace/engine/json_evt.cpp

@@ -312,7 +312,7 @@ bool json_event_filter_check::def_extract(const nlohmann::json &root,
 			{
 				if(!def_extract(item, ptrs, std::next(it, 1)))
 				{
-					return false;
+					add_extracted_value(no_value);
 				}
 			}
 		}

userspace/engine/lua/parser.lua

@@ -204,7 +204,7 @@ local G = {
    Hex = (P("0x") + P("0X")) * xdigit ^ 1,
    Expo = S("eE") * S("+-") ^ -1 * digit ^ 1,
    Float = (((digit ^ 1 * P(".") * digit ^ 0) + (P(".") * digit ^ 1)) * V "Expo" ^ -1) + (digit ^ 1 * V "Expo"),
-   Number = C(V "Hex" + V "Float" + V "Int") / function(n)
+   Number = C(V "Hex" + V "Float" + V "Int") * - V "idStart" / function(n)
          return tonumber(n)
       end,
    String = (P '"' * C(((P "\\" * P(1)) + (P(1) - P '"')) ^ 0) * P '"' +

userspace/engine/lua/rule_loader.lua

@@ -522,10 +522,8 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	    v['source'] = "syscall"
 	 end
 
-	 -- Add an empty exceptions property to the rule if not
-	 -- defined, but add a warning about defining one
+	 -- Add an empty exceptions property to the rule if not defined
 	 if v['exceptions'] == nil then
-	    warnings[#warnings + 1] = "Rule "..v['rule']..": consider adding an exceptions property to define supported exceptions fields"
 	    v['exceptions'] = {}
 	 end
 

userspace/falco/configuration.cpp

@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2020 The Falco Authors.
+Copyright (C) 2021 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -34,6 +34,7 @@ falco_configuration::falco_configuration():
 	m_webserver_enabled(false),
 	m_webserver_listen_port(8765),
 	m_webserver_k8s_audit_endpoint("/k8s-audit"),
+	m_webserver_k8s_healthz_endpoint("/healthz"),
 	m_webserver_ssl_enabled(false),
 	m_config(NULL)
 {
@@ -193,6 +194,7 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
 	m_webserver_enabled = m_config->get_scalar<bool>("webserver", "enabled", false);
 	m_webserver_listen_port = m_config->get_scalar<uint32_t>("webserver", "listen_port", 8765);
 	m_webserver_k8s_audit_endpoint = m_config->get_scalar<string>("webserver", "k8s_audit_endpoint", "/k8s-audit");
+	m_webserver_k8s_healthz_endpoint = m_config->get_scalar<string>("webserver", "k8s_healthz_endpoint", "/healthz");
 	m_webserver_ssl_enabled = m_config->get_scalar<bool>("webserver", "ssl_enabled", false);
 	m_webserver_ssl_certificate = m_config->get_scalar<string>("webserver", "ssl_certificate", "/etc/falco/falco.pem");
 
@@ -203,34 +205,46 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
 	{
 		if(act == "ignore")
 		{
-			m_syscall_evt_drop_actions.insert(syscall_evt_drop_mgr::ACT_IGNORE);
+			m_syscall_evt_drop_actions.insert(syscall_evt_drop_action::IGNORE);
 		}
 		else if(act == "log")
 		{
-			m_syscall_evt_drop_actions.insert(syscall_evt_drop_mgr::ACT_LOG);
+			if(m_syscall_evt_drop_actions.count(syscall_evt_drop_action::IGNORE))
+			{
+				throw logic_error("Error reading config file (" + m_config_file + "): syscall event drop action \"" + act + "\" does not make sense with the \"ignore\" action");
+			}
+			m_syscall_evt_drop_actions.insert(syscall_evt_drop_action::LOG);
 		}
 		else if(act == "alert")
 		{
-			m_syscall_evt_drop_actions.insert(syscall_evt_drop_mgr::ACT_ALERT);
+			if(m_syscall_evt_drop_actions.count(syscall_evt_drop_action::IGNORE))
+			{
+				throw logic_error("Error reading config file (" + m_config_file + "): syscall event drop action \"" + act + "\" does not make sense with the \"ignore\" action");
+			}
+			m_syscall_evt_drop_actions.insert(syscall_evt_drop_action::ALERT);
 		}
 		else if(act == "exit")
 		{
-			m_syscall_evt_drop_actions.insert(syscall_evt_drop_mgr::ACT_EXIT);
+			m_syscall_evt_drop_actions.insert(syscall_evt_drop_action::EXIT);
 		}
 		else
 		{
-			throw logic_error("Error reading config file (" + m_config_file + "): syscall event drop action " + act + " must be one of \"ignore\", \"log\", \"alert\", or \"exit\"");
+			throw logic_error("Error reading config file (" + m_config_file + "): available actions for syscall event drops are \"ignore\", \"log\", \"alert\", and \"exit\"");
 		}
 	}
 
 	if(m_syscall_evt_drop_actions.empty())
 	{
-		m_syscall_evt_drop_actions.insert(syscall_evt_drop_mgr::ACT_IGNORE);
+		m_syscall_evt_drop_actions.insert(syscall_evt_drop_action::IGNORE);
 	}
 
-	m_syscall_evt_drop_rate = m_config->get_scalar<double>("syscall_event_drops", "rate", 0.3333);
-	m_syscall_evt_drop_max_burst = m_config->get_scalar<double>("syscall_event_drops", "max_burst", 10);
-
+	m_syscall_evt_drop_threshold = m_config->get_scalar<double>("syscall_event_drops", "threshold", .1);
+	if(m_syscall_evt_drop_threshold < 0 || m_syscall_evt_drop_threshold > 1)
+	{
+		throw logic_error("Error reading config file (" + m_config_file + "): syscall event drops threshold must be a double in the range [0, 1]");
+	}
+	m_syscall_evt_drop_rate = m_config->get_scalar<double>("syscall_event_drops", "rate", .03333);
+	m_syscall_evt_drop_max_burst = m_config->get_scalar<double>("syscall_event_drops", "max_burst", 1);
 	m_syscall_evt_simulate_drops = m_config->get_scalar<bool>("syscall_event_drops", "simulate_drops", false);
 }
 

userspace/falco/configuration.h

@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2021 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -111,7 +111,7 @@ public:
 		}
 		catch(const YAML::BadConversion& ex)
 		{
-			std::cerr << "Cannot read config file (" + m_path + "): wrong type at key " + key + "\n";
+			std::cerr << "Cannot read config file (" + m_path + "): wrong type at key " + key + "." + subkey + "\n";
 			throw;
 		}
 
@@ -172,7 +172,7 @@ public:
 		}
 		catch(const YAML::BadConversion& ex)
 		{
-			std::cerr << "Cannot read config file (" + m_path + "): wrong type at key " + key + "\n";
+			std::cerr << "Cannot read config file (" + m_path + "): wrong type at key " + key + "." + subkey +"\n";
 			throw;
 		}
 	}
@@ -216,9 +216,11 @@ public:
 	bool m_webserver_enabled;
 	uint32_t m_webserver_listen_port;
 	std::string m_webserver_k8s_audit_endpoint;
+	std::string m_webserver_k8s_healthz_endpoint;
 	bool m_webserver_ssl_enabled;
 	std::string m_webserver_ssl_certificate;
-	std::set<syscall_evt_drop_mgr::action> m_syscall_evt_drop_actions;
+	syscall_evt_drop_actions m_syscall_evt_drop_actions;
+	double m_syscall_evt_drop_threshold;
 	double m_syscall_evt_drop_rate;
 	double m_syscall_evt_drop_max_burst;
 

userspace/falco/event_drops.cpp

@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2020 The Falco Authors.
+Copyright (C) 2021 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -34,7 +34,8 @@ syscall_evt_drop_mgr::~syscall_evt_drop_mgr()
 
 void syscall_evt_drop_mgr::init(sinsp *inspector,
 				falco_outputs *outputs,
-				std::set<action> &actions,
+				syscall_evt_drop_actions &actions,
+				double threshold,
 				double rate,
 				double max_tokens,
 				bool simulate_drops)
@@ -43,10 +44,15 @@ void syscall_evt_drop_mgr::init(sinsp *inspector,
 	m_outputs = outputs;
 	m_actions = actions;
 	m_bucket.init(rate, max_tokens);
+	m_threshold = threshold;
 
 	m_inspector->get_capture_stats(&m_last_stats);
 
 	m_simulate_drops = simulate_drops;
+	if(m_simulate_drops)
+	{
+		m_threshold = 0;
+	}
 }
 
 bool syscall_evt_drop_mgr::process_event(sinsp *inspector, sinsp_evt *evt)
@@ -83,19 +89,27 @@ bool syscall_evt_drop_mgr::process_event(sinsp *inspector, sinsp_evt *evt)
 
 		if(delta.n_drops > 0)
 		{
-			m_num_syscall_evt_drops++;
+			double ratio = delta.n_drops;
+			// Assuming the number of event does not contains the dropped ones
+			ratio /= delta.n_drops + delta.n_evts;
 
-			// There were new drops in the last second. If
-			// the token bucket allows, perform actions.
-			if(m_bucket.claim(1, evt->get_ts()))
+			// When simulating drops the threshold is always zero
+			if(ratio > m_threshold)
 			{
-				m_num_actions++;
+				m_num_syscall_evt_drops++;
 
-				return perform_actions(evt->get_ts(), delta, inspector->is_bpf_enabled());
-			}
-			else
-			{
-				falco_logger::log(LOG_DEBUG, "Syscall event drop but token bucket depleted, skipping actions");
+				// There were new drops in the last second.
+				// If the token bucket allows, perform actions.
+				if(m_bucket.claim(1, evt->get_ts()))
+				{
+					m_num_actions++;
+
+					return perform_actions(evt->get_ts(), delta, inspector->is_bpf_enabled());
+				}
+				else
+				{
+					falco_logger::log(LOG_DEBUG, "Syscall event drop but token bucket depleted, skipping actions");
+				}
 			}
 		}
 	}
@@ -115,36 +129,32 @@ bool syscall_evt_drop_mgr::perform_actions(uint64_t now, scap_stats &delta, bool
 	std::string rule = "Falco internal: syscall event drop";
 	std::string msg = rule + ". " + std::to_string(delta.n_drops) + " system calls dropped in last second.";
 
-	std::map<std::string, std::string> output_fields;
-
-	output_fields["n_evts"] = std::to_string(delta.n_evts);
-	output_fields["n_drops"] = std::to_string(delta.n_drops);
-	output_fields["n_drops_buffer"] = std::to_string(delta.n_drops_buffer);
-	output_fields["n_drops_pf"] = std::to_string(delta.n_drops_pf);
-	output_fields["n_drops_bug"] = std::to_string(delta.n_drops_bug);
-	output_fields["ebpf_enabled"] = std::to_string(bpf_enabled);
 	bool should_exit = false;
 
 	for(auto &act : m_actions)
 	{
 		switch(act)
 		{
-		case ACT_IGNORE:
+		case syscall_evt_drop_action::IGNORE:
 			break;
 
-		case ACT_LOG:
-			falco_logger::log(LOG_ERR, msg);
+		case syscall_evt_drop_action::LOG:
+			falco_logger::log(LOG_DEBUG, msg);
 			break;
 
-		case ACT_ALERT:
-			m_outputs->handle_msg(now,
-					      falco_common::PRIORITY_CRITICAL,
-					      msg,
-					      rule,
-					      output_fields);
+		case syscall_evt_drop_action::ALERT:
+		{
+			std::map<std::string, std::string> output_fields;
+			output_fields["n_evts"] = std::to_string(delta.n_evts);
+			output_fields["n_drops"] = std::to_string(delta.n_drops);
+			output_fields["n_drops_buffer"] = std::to_string(delta.n_drops_buffer);
+			output_fields["n_drops_pf"] = std::to_string(delta.n_drops_pf);
+			output_fields["n_drops_bug"] = std::to_string(delta.n_drops_bug);
+			output_fields["ebpf_enabled"] = std::to_string(bpf_enabled);
+			m_outputs->handle_msg(now, falco_common::PRIORITY_DEBUG, msg, rule, output_fields);
 			break;
-
-		case ACT_EXIT:
+		}
+		case syscall_evt_drop_action::EXIT:
 			should_exit = true;
 			break;
 

userspace/falco/event_drops.h

@@ -1,5 +1,5 @@
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2021 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -23,25 +23,28 @@ limitations under the License.
 #include "logger.h"
 #include "falco_outputs.h"
 
+// The possible actions that this class can take upon
+// detecting a syscall event drop.
+enum class syscall_evt_drop_action : uint8_t
+{
+	IGNORE = 0,
+	LOG,
+	ALERT,
+	EXIT
+};
+
+using syscall_evt_drop_actions = std::set<syscall_evt_drop_action>;
+
 class syscall_evt_drop_mgr
 {
 public:
-	// The possible actions that this class can take upon
-	// detecting a syscall event drop.
-	enum action
-	{
-		ACT_IGNORE = 0,
-		ACT_LOG,
-		ACT_ALERT,
-		ACT_EXIT,
-	};
-
 	syscall_evt_drop_mgr();
 	virtual ~syscall_evt_drop_mgr();
 
 	void init(sinsp *inspector,
 		  falco_outputs *outputs,
-		  std::set<action> &actions,
+		  syscall_evt_drop_actions &actions,
+		  double threshold,
 		  double rate,
 		  double max_tokens,
 		  bool simulate_drops);
@@ -63,9 +66,10 @@ protected:
 	uint64_t m_num_actions;
 	sinsp *m_inspector;
 	falco_outputs *m_outputs;
-	std::set<action> m_actions;
+	syscall_evt_drop_actions m_actions;
 	token_bucket m_bucket;
 	uint64_t m_next_check_ts;
 	scap_stats m_last_stats;
 	bool m_simulate_drops;
+	double m_threshold;
 };

userspace/falco/falco.cpp

@@ -255,6 +255,7 @@ uint64_t do_inspect(falco_engine *engine,
 	sdropmgr.init(inspector,
 		      outputs,
 		      config.m_syscall_evt_drop_actions,
+		      config.m_syscall_evt_drop_threshold,
 		      config.m_syscall_evt_drop_rate,
 		      config.m_syscall_evt_drop_max_burst,
 		      config.m_syscall_evt_simulate_drops);

userspace/falco/webserver.cpp

@@ -34,6 +34,15 @@ k8s_audit_handler::~k8s_audit_handler()
 {
 }
 
+bool k8s_healthz_handler::handleGet(CivetServer *server, struct mg_connection *conn)
+{
+	const std::string status_body = "{\"status\": \"ok\"}";
+	mg_send_http_ok(conn, "application/json", status_body.size());
+	mg_printf(conn, "%s", status_body.c_str());
+
+	return true;
+}
+
 bool k8s_audit_handler::accept_data(falco_engine *engine,
 				    falco_outputs *outputs,
 				    std::string &data,
@@ -148,7 +157,7 @@ bool k8s_audit_handler::handlePost(CivetServer *server, struct mg_connection *co
 		return true;
 	}
 
-	std::string ok_body = "<html><body>Ok</body></html>";
+	const std::string ok_body = "<html><body>Ok</body></html>";
 	mg_send_http_ok(conn, "text/html", ok_body.size());
 	mg_printf(conn, "%s", ok_body.c_str());
 
@@ -233,6 +242,8 @@ void falco_webserver::start()
 
 	m_k8s_audit_handler = make_unique<k8s_audit_handler>(m_engine, m_outputs);
 	m_server->addHandler(m_config->m_webserver_k8s_audit_endpoint, *m_k8s_audit_handler);
+	m_k8s_healthz_handler = make_unique<k8s_healthz_handler>();
+	m_server->addHandler(m_config->m_webserver_k8s_healthz_endpoint, *m_k8s_healthz_handler);
 }
 
 void falco_webserver::stop()
@@ -241,5 +252,6 @@ void falco_webserver::stop()
 	{
 		m_server = NULL;
 		m_k8s_audit_handler = NULL;
+		m_k8s_healthz_handler = NULL;
 	}
 }

userspace/falco/webserver.h

@@ -41,6 +41,20 @@ private:
 	bool accept_uploaded_data(std::string &post_data, std::string &errstr);
 };
 
+class k8s_healthz_handler : public CivetHandler
+{
+public:
+	k8s_healthz_handler()
+	{
+	}
+
+	virtual ~k8s_healthz_handler()
+	{
+	}
+
+	bool handleGet(CivetServer *server, struct mg_connection *conn);
+};
+
 class falco_webserver
 {
 public:
@@ -60,4 +74,5 @@ private:
 	falco_outputs *m_outputs;
 	unique_ptr<CivetServer> m_server;
 	unique_ptr<k8s_audit_handler> m_k8s_audit_handler;
+	unique_ptr<k8s_healthz_handler> m_k8s_healthz_handler;
 };