update(libs): update libs to 0.11.2

Signed-off-by: Luca Guerra <luca@guerra.sh>

.circleci/config.yml

@@ -203,7 +203,7 @@ jobs:
           path: /tmp/build-arm64/release/integration-tests-xunit
   "tests-driver-loader-integration":
     machine:
-      image: ubuntu-2004:2023.04.2
+      image: ubuntu-2004:202107-02
     steps:
       - attach_workspace:
           at: /tmp/ws

.github/workflows/ci.yml

@@ -1,9 +1,7 @@
 name: CI Build
 on:
   pull_request:
-    branches:
-      - master
-      - release/*
+    branches: [master]
   workflow_dispatch:
 
 # Checks if any concurrent jobs under the same pull request or branch are being executed
@@ -13,36 +11,8 @@ concurrency:
   cancel-in-progress: true  
 
 jobs:
-  fetch-version:
-    uses: ./.github/workflows/reusable_fetch_version.yaml
-
-  build-dev-packages:
-    needs: [fetch-version]
-    uses: ./.github/workflows/reusable_build_packages.yaml
-    with:
-      arch: x86_64
-      version: ${{ needs.fetch-version.outputs.version }}
-
-  test-dev-packages:
-    needs: [fetch-version, build-dev-packages]
-    uses: ./.github/workflows/reusable_test_packages.yaml
-    strategy:
-      fail-fast: false
-      matrix:
-        static: ["static", ""]
-    with:
-      arch: x86_64
-      static: ${{ matrix.static != '' && true || false }}
-      version: ${{ needs.fetch-version.outputs.version }}
-
-  build-dev:
-    strategy:
-      fail-fast: false
-      matrix:
-        machine: ['ubuntu-20.04']
-        buildmode: ['Debug', 'Release']
-        minimal: ['', 'minimal']
-    runs-on: ${{ matrix.machine }}
+  build-minimal:
+    runs-on: ubuntu-20.04
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -52,25 +22,83 @@ jobs:
 
       - name: Update base image
         run: sudo apt update -y
-      
-      - name: Install build dependencies
-        run: sudo DEBIAN_FRONTEND=noninteractive apt install libjq-dev libelf-dev libyaml-cpp-dev cmake build-essential git -y
 
-      - name: Install build dependencies (non-minimal)
-        if: matrix.minimal != 'minimal'
-        run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libgrpc++-dev protobuf-compiler-grpc rpm libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm -y
-      
+      - name: Install build dependencies
+        run: sudo DEBIAN_FRONTEND=noninteractive apt install libjq-dev libyaml-cpp-dev libelf-dev cmake build-essential git -y
+
+      - name: Prepare project
+        run: |
+          mkdir build-minimal
+          pushd build-minimal
+          cmake -DMINIMAL_BUILD=On -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DBUILD_FALCO_UNIT_TESTS=On ..
+          popd
+
+      - name: Build
+        run: |
+          pushd build-minimal
+          make -j4 all
+          popd
+
+      - name: Run unit tests
+        run: |
+          pushd build-minimal
+          sudo ./unit_tests/falco_unit_tests 
+          popd
+
+  build-ubuntu-focal:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Update base image
+        run: sudo apt update -y
+
+      - name: Install build dependencies
+        run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm git -y
+
       - name: Prepare project
         run: |
           mkdir build
           pushd build
-          cmake \
-            -DBUILD_FALCO_UNIT_TESTS=On \
-            -DCMAKE_BUILD_TYPE=${{ matrix.buildmode }} \
-            -DBUILD_BPF=${{ matrix.minimal == 'minimal' && 'OFF' || 'ON' }} \
-            -DBUILD_DRIVER=${{ matrix.minimal == 'minimal' && 'OFF' || 'ON' }} \
-            -DMINIMAL_BUILD=${{ matrix.minimal == 'minimal' && 'ON' || 'OFF' }} \
-            ..
+          cmake -DBUILD_BPF=On -DCMAKE_BUILD_TYPE=Release -DBUILD_FALCO_UNIT_TESTS=On ..
+          popd
+
+      - name: Build
+        run: |
+          pushd build
+          KERNELDIR=/lib/modules/$(uname -r)/build make -j4 all
+          popd
+
+      - name: Run unit tests
+        run: |
+          pushd build
+          sudo ./unit_tests/falco_unit_tests 
+          popd
+
+  build-ubuntu-focal-debug:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Update base image
+        run: sudo apt update -y
+
+      - name: Install build dependencies
+        run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm git -y
+
+      - name: Prepare project
+        run: |
+          mkdir build
+          pushd build
+          cmake -DCMAKE_BUILD_TYPE=Debug -DBUILD_BPF=On -DBUILD_FALCO_UNIT_TESTS=On ..
           popd
 
       - name: Build

.github/workflows/master.yaml

@@ -9,8 +9,37 @@ concurrency:
   cancel-in-progress: true  
 
 jobs:
+  # We need to use an ubuntu-latest to fetch Falco version because
+  # Falco version is computed by some cmake scripts that do git sorceries
+  # to get the current version.
+  # But centos7 jobs have a git version too old and actions/checkout does not 
+  # fully clone the repo, but uses http rest api instead.
   fetch-version:
-    uses: ./.github/workflows/reusable_fetch_version.yaml 
+    runs-on: ubuntu-latest
+    # Map the job outputs to step outputs
+    outputs:
+      version: ${{ steps.store_version.outputs.version }}  
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          
+      - name: Install build dependencies
+        run: |
+          sudo apt update 
+          sudo apt install -y cmake build-essential
+      
+      - name: Configure project
+        run: |
+          mkdir build && cd build
+          cmake -DUSE_BUNDLED_DEPS=On ..
+          
+      - name: Load and store Falco version output
+        id: store_version
+        run: |
+          FALCO_VERSION=$(cat build/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+          echo "version=${FALCO_VERSION}" >> $GITHUB_OUTPUT     
 
   build-dev-packages:
     needs: [fetch-version]
@@ -27,28 +56,9 @@ jobs:
       arch: aarch64
       version: ${{ needs.fetch-version.outputs.version }}
     secrets: inherit
-
-  test-dev-packages:
-    needs: [fetch-version, build-dev-packages]
-    uses: ./.github/workflows/reusable_test_packages.yaml
-    strategy:
-      fail-fast: false
-      matrix:
-        static: ["static", ""]
-    with:
-      arch: x86_64
-      static: ${{ matrix.static != '' && true || false }}
-      version: ${{ needs.fetch-version.outputs.version }}
-  
-  test-dev-packages-arm64:
-    needs: [fetch-version, build-dev-packages-arm64]
-    uses: ./.github/workflows/reusable_test_packages.yaml
-    with:
-      arch: aarch64
-      version: ${{ needs.fetch-version.outputs.version }}
-
+    
   publish-dev-packages:
-    needs: [fetch-version, test-dev-packages, test-dev-packages-arm64]
+    needs: [fetch-version, build-dev-packages, build-dev-packages-arm64]
     uses: ./.github/workflows/reusable_publish_packages.yaml
     with:
       bucket_suffix: '-dev'

.github/workflows/release.yaml

@@ -65,28 +65,9 @@ jobs:
       arch: aarch64
       version: ${{ github.event.release.tag_name }}
     secrets: inherit
-
-  test-packages:
-    needs: [release-settings, build-packages]
-    uses: ./.github/workflows/reusable_test_packages.yaml
-    strategy:
-      fail-fast: false
-      matrix:
-        static: ["static", ""]
-    with:
-      arch: x86_64
-      static: ${{ matrix.static != '' && true || false }}
-      version: ${{ github.event.release.tag_name }}
-  
-  test-packages-arm64:
-    needs: [release-settings, build-packages-arm64]
-    uses: ./.github/workflows/reusable_test_packages.yaml
-    with:
-      arch: aarch64
-      version: ${{ github.event.release.tag_name }}
     
   publish-packages:
-    needs: [release-settings, test-packages, test-packages-arm64]
+    needs: [release-settings, build-packages, build-packages-arm64]
     uses: ./.github/workflows/reusable_publish_packages.yaml
     with:
       bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}

.github/workflows/reusable_build_packages.yaml

@@ -49,7 +49,7 @@ jobs:
           yum -y install centos-release-scl
           yum -y install devtoolset-9-gcc devtoolset-9-gcc-c++
           source /opt/rh/devtoolset-9/enable
-          yum install -y wget git make m4 rpm-build perl-IPC-Cmd
+          yum install -y wget git make m4 rpm-build
     
       - name: Checkout
         uses: actions/checkout@v3

.github/workflows/reusable_fetch_version.yaml

@@ -1,40 +0,0 @@
-# This is a reusable workflow used by master and release CI
-on:
-  workflow_call:
-    outputs:
-      version:
-        description: "Falco version"
-        value: ${{ jobs.fetch-version.outputs.version }}
-    
-jobs:
-  # We need to use an ubuntu-latest to fetch Falco version because
-  # Falco version is computed by some cmake scripts that do git sorceries
-  # to get the current version.
-  # But centos7 jobs have a git version too old and actions/checkout does not 
-  # fully clone the repo, but uses http rest api instead.
-  fetch-version:
-    runs-on: ubuntu-latest
-    # Map the job outputs to step outputs
-    outputs:
-      version: ${{ steps.store_version.outputs.version }}  
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-          
-      - name: Install build dependencies
-        run: |
-          sudo apt update 
-          sudo apt install -y cmake build-essential
-      
-      - name: Configure project
-        run: |
-          mkdir build && cd build
-          cmake -DUSE_BUNDLED_DEPS=On ..
-          
-      - name: Load and store Falco version output
-        id: store_version
-        run: |
-          FALCO_VERSION=$(cat build/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-          echo "version=${FALCO_VERSION}" >> $GITHUB_OUTPUT

.github/workflows/reusable_publish_packages.yaml

@@ -117,7 +117,8 @@ jobs:
       - name: Install dependencies
         run: |
           apt update -y
-          apt-get install apt-utils bzip2 gpg awscli -y
+          apt-get install apt-utils bzip2 gpg python python3-pip -y
+          pip install awscli
       
       # Configure AWS role; see https://github.com/falcosecurity/test-infra/pull/1102
       # Note: master CI can only push dev packages as we have 2 different roles for master and release.

.github/workflows/reusable_test_packages.yaml

@@ -1,75 +0,0 @@
-# This is a reusable workflow used by master and release CI
-on:
-  workflow_call:
-    inputs:
-      arch:
-        description: x86_64 or aarch64
-        required: true
-        type: string
-      static:
-        description: Falco packages use a static build
-        required: false
-        type: boolean
-        default: false
-      version:
-        description: The Falco version to use when testing packages
-        required: true
-        type: string
-
-jobs:
-  test-packages:
-    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
-    runs-on: ${{ (inputs.arch == 'aarch64' && fromJSON('[ "self-hosted", "linux", "ARM64" ]')) || 'ubuntu-latest' }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-          submodules: 'true'
-      
-      - name: Setup Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: '>=1.17.0'
-
-      - name: Download binary
-        uses: actions/download-artifact@v3
-        with:
-          name: falco-${{ inputs.version }}${{ inputs.static && '-static' || '' }}-${{ inputs.arch }}.tar.gz
-      
-      - name: Install Falco package
-        run: |
-          ls falco-*.tar.gz
-          tar -xvf $(ls falco-*.tar.gz)
-          cd falco-${{ inputs.version }}-${{ inputs.arch }}
-          sudo cp -r * /
-
-      - name: Install go-junit-report
-        run: |
-          pushd submodules/falcosecurity-testing
-          go install github.com/jstemmer/go-junit-report/v2@latest
-          popd
-  
-      - name: Generate regression test files
-        run: |
-          pushd submodules/falcosecurity-testing
-          go generate ./...
-          popd
-
-      - name: Run regression tests
-        run: |
-          pushd submodules/falcosecurity-testing
-          ./build/falco.test -falco-static=${{ inputs.static && 'true' || 'false' }} -test.timeout=90s -test.v >> ./report.txt 2>&1 || true
-          if ${{ inputs.static && 'false' || 'true' }}; then
-            ./build/falcoctl.test -test.timeout=90s -test.v >> ./report.txt 2>&1 || true
-            ./build/k8saudit.test -test.timeout=90s -test.v >> ./report.txt 2>&1 || true
-          fi
-          cat ./report.txt | go-junit-report -set-exit-code > report.xml
-          popd
-
-      - name: Test Summary
-        if: always() # run this even if previous step fails
-        uses: test-summary/action@v2
-        with:
-          paths: "submodules/falcosecurity-testing/report.xml"
-          show: "fail"

.gitmodules

@@ -2,7 +2,3 @@
 	path = submodules/falcosecurity-rules
 	url = https://github.com/falcosecurity/rules.git
 	branch = main
-[submodule "submodules/falcosecurity-testing"]
-	path = submodules/falcosecurity-testing
-	url = https://github.com/falcosecurity/testing.git
-	branch = main

ADOPTERS.md

@@ -68,16 +68,12 @@ This is a list of production adopters of Falco (in alphabetical order):
 
 * [Shapesecurity/F5](https://www.shapesecurity.com/) Shapesecurity defends against application fraud attacks like Account Take Over, Credential Stuffing, Fake Accounts, etc. Required by FedRamp certification, we needed to find a FIM solution to help monitor and protect our Kubernetes clusters. Traditional FIM solutions were not scalable and not working for our environment, but with Falco we found the solution we needed. Falco's detection capabilities have helped us identify anomalous behaviour within our clusters. We leverage Sidekick (https://github.com/falcosecurity/charts/tree/master/falcosidekick) to send Falco alerts to a PubSub which in turn publishes those alerts to our SIEM (SumoLogic)
 
+* [Yahoo! JAPAN](https://www.yahoo.co.jp/) Yahoo! JAPAN is a leading company of internet in Japan. We build an AI Platform in our private cloud and provide it to scientists in our company. AI Platform is a multi-tenant Kubernetes environment and more flexible, faster, more efficient Machine Learning environment. Falco is used to detect unauthorized commands and malicious access and our AI Platform is monitored and alerted by Falco.
+
 * [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call driver. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended Falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-defined infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.
 
-* [Thales Group](https://www.thalesgroup.com) Thales is a global technology leader with more than 81,000 employees on five continents. The Thales Group is investing in digital and “deep tech” innovations – Big Data, artificial intelligence, connectivity, cybersecurity and quantum technology – to build a future we can all trust. In the past few years, the Cloud-Native paradigms and its frameworks and tools have challenged the way applications and services are developed, delivered, and instantiated. All sorts of services are container-based workloads managed by higher level layers of orchestration such as the Kubernetes environment. Thales is committed to develop Cloud-Native services and to provide its customers with security features that ensure their applications and services are protected against cyber threats. Falco is a framework that can help Thales' products and services reach the level of trust, security and safety our clients need.
-
-* [Vinted](https://vinted.com/) Vinted uses Falco to continuously monitor container activities, identifying security threats, and ensuring compliance. The container-native approach, rule-based real-time threat detection, community support, extensibility, and compliance capabilities are the main factors why we chose it to enhance Vinted Kubernetes security. Falco Sidekick is used to send critical and warning severity alerts to our incident management solution (RTIR).
-
 * [Xenit AB](https://xenit.se/contact/) Xenit is a growth company with services within cloud and digital transformation. We provide an open-source Kubernetes framework that we leverage to help our customers get their applications to production as quickly and as securely as possible. We use Falco's detection capabilities to identify anomalous behaviour within our clusters in both Azure and AWS.
 
-* [Yahoo! JAPAN](https://www.yahoo.co.jp/) Yahoo! JAPAN is a leading company of internet in Japan. We build an AI Platform in our private cloud and provide it to scientists in our company. AI Platform is a multi-tenant Kubernetes environment and more flexible, faster, more efficient Machine Learning environment. Falco is used to detect unauthorized commands and malicious access and our AI Platform is monitored and alerted by Falco.
-
 ## Projects that use Falco libs
 
 * [R6/Phoenix](https://r6security.com/) is an attack surface protection company that uses moving target defense to provide fully automated, proactive and devops friendly security to its customers. There are a set of policies you can add to enable the moving target defense capabilities. Some of them are triggered by a combination of Falco's findings. You can kill, restart and rename pods according to the ever changing policies.

CHANGELOG.md

@@ -1,35 +1,5 @@
 # Change Log
 
-## v0.35.1
-
-Released on 2023-06-29
-
-### Major Changes
-
-
-### Minor Changes
-
-* update(userspace): change description of snaplen option stating only performance implications [[#2634](https://github.com/falcosecurity/falco/pull/2634)] - [@loresuso](https://github.com/loresuso)
-* update(cmake): bump libs to 0.11.3 [[#2662](https://github.com/falcosecurity/falco/pull/2662)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* cleanup(config): minor config clarifications [[#2651](https://github.com/falcosecurity/falco/pull/2651)] - [@incertum](https://github.com/incertum)
-* update(cmake): bump falco rules to v1.0.1 [[#2648](https://github.com/falcosecurity/falco/pull/2648)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* chore(userspace/falco): make source matching error more expressive [[#2623](https://github.com/falcosecurity/falco/pull/2623)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* update(.github): integrate Go regression tests [[#2437](https://github.com/falcosecurity/falco/pull/2437)] - [@jasondellaluce](https://github.com/jasondellaluce)
-
-
-### Bug Fixes
-
-* fix(scripts): fixed falco-driver-loader to manage debian kernel rt and cloud flavors. [[#2627](https://github.com/falcosecurity/falco/pull/2627)] - [@FedeDP](https://github.com/FedeDP)
-* fix(userspace/falco): solve live multi-source issues when loading more than two sources [[#2653](https://github.com/falcosecurity/falco/pull/2653)] - [@jasondellaluce](https://github.com/jasondellaluce)
-* fix(driver-loader): fix ubuntu kernel version parsing [[#2635](https://github.com/falcosecurity/falco/pull/2635)] - [@therealbobo](https://github.com/therealbobo)
-* fix(userspace): switch to timer_settime API for stats writer. [[#2646](https://github.com/falcosecurity/falco/pull/2646)] - [@FedeDP](https://github.com/FedeDP)
-
-
-
-### Non user-facing changes
-
-* CI: bump ubuntu version for tests-driver-loader-integration job [[#2661](https://github.com/falcosecurity/falco/pull/2661)] - [@Andreagit97](https://github.com/Andreagit97)
-
 ## v0.35.0
 
 Released on 2023-06-07

OWNERS

@@ -4,8 +4,6 @@ approvers:
   - jasondellaluce
   - fededp
   - andreagit97
-  - incertum
-  - LucaGuerra
 reviewers:
   - kaizhe
 emeritus_approvers:

cmake/modules/cpp-httplib.cmake

@@ -24,8 +24,8 @@ else()
 
 	ExternalProject_Add(cpp-httplib
 		PREFIX "${PROJECT_BINARY_DIR}/cpp-httplib-prefix"
-		URL "https://github.com/yhirose/cpp-httplib/archive/refs/tags/v0.13.1.tar.gz"
-		URL_HASH "SHA256=9b837d290b61e3f0c4239da0b23bbf14c382922e2bf2a9bac21c1e3feabe1ff9"
+		URL "https://github.com/yhirose/cpp-httplib/archive/refs/tags/v0.11.3.tar.gz"
+		URL_HASH "SHA256=799b2daa0441d207f6cd1179ae3a34869722084a434da6614978be1682c1e12d"
 		CONFIGURE_COMMAND ""
 		BUILD_COMMAND ""
 		INSTALL_COMMAND "")	

cmake/modules/driver-repo/CMakeLists.txt

@@ -19,7 +19,7 @@ message(STATUS "Driver version: ${DRIVER_VERSION}")
 
 ExternalProject_Add(
   driver
-  URL "https://github.com/Andreagit97/libs/archive/${DRIVER_VERSION}.tar.gz"
+  URL "https://github.com/falcosecurity/libs/archive/${DRIVER_VERSION}.tar.gz"
   URL_HASH "${DRIVER_CHECKSUM}"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""

cmake/modules/driver.cmake

@@ -26,8 +26,8 @@ else()
   # In case you want to test against another driver version (or branch, or commit) just pass the variable -
   # ie., `cmake -DDRIVER_VERSION=dev ..`
   if(NOT DRIVER_VERSION)
-    set(DRIVER_VERSION "647c3fcb0d3802ba5b01af2f1088fea11614eb94")
-    set(DRIVER_CHECKSUM "SHA256=cbcfd2671c514c5d9326bff5fc0741c496569f79e782048af3ab69c3171dde19")
+    set(DRIVER_VERSION "5.0.1+driver")
+    set(DRIVER_CHECKSUM "SHA256=8b197b916b6419dac8fb41807aa05d822164c7bfd2c3eef66d20d060a05a485a")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

cmake/modules/falcoctl.cmake

@@ -15,14 +15,14 @@ include(ExternalProject)
 
 string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} FALCOCTL_SYSTEM_NAME)
 
-set(FALCOCTL_VERSION "0.5.1")
+set(FALCOCTL_VERSION "0.5.0")
 
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
     set(FALCOCTL_SYSTEM_PROC_GO "amd64")
-    set(FALCOCTL_HASH "ea7c89134dc745a1cbdbcf8f839d3b47851a40e1aebee20702a606b03b45b897")
+    set(FALCOCTL_HASH "ba82ee14ee72fe5737f1b5601e403d8a9422dfe2c467d1754eb488001eeea5f1")
 else() # aarch64
     set(FALCOCTL_SYSTEM_PROC_GO "arm64")
-    set(FALCOCTL_HASH "22797200bf0e4c7c45f69207ed85218a3839115a302dc07939d3006778d41300")
+    set(FALCOCTL_HASH "be145ece641d439011cc4a512d0fd2dac5974cab7399f9a7cd43f08eb43dd446")
 endif()
 
 ExternalProject_Add(

cmake/modules/falcosecurity-libs-repo/CMakeLists.txt

@@ -19,7 +19,7 @@ message(STATUS "Libs version: ${FALCOSECURITY_LIBS_VERSION}")
 
 ExternalProject_Add(
   falcosecurity-libs
-  URL "https://github.com/Andreagit97/libs/archive/${FALCOSECURITY_LIBS_VERSION}.tar.gz"
+  URL "https://github.com/falcosecurity/libs/archive/${FALCOSECURITY_LIBS_VERSION}.tar.gz"
   URL_HASH "${FALCOSECURITY_LIBS_CHECKSUM}"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""

cmake/modules/falcosecurity-libs.cmake

@@ -27,8 +27,8 @@ else()
   # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
   # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..` 
   if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "647c3fcb0d3802ba5b01af2f1088fea11614eb94")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=cbcfd2671c514c5d9326bff5fc0741c496569f79e782048af3ab69c3171dde19")
+    set(FALCOSECURITY_LIBS_VERSION "0.11.2")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=f70364038f88f88cb86de12fddbaf295b932681a920dfb1f0b7d1f88495d027a")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

cmake/modules/rules.cmake

@@ -15,8 +15,8 @@ include(GNUInstallDirs)
 include(ExternalProject)
 
 # falco_rules.yaml
-set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-1.0.1")
-set(FALCOSECURITY_RULES_FALCO_CHECKSUM "SHA256=2348d43196bbbdea92e3f67fa928721a241b0406d0ef369693bdefcec2b3fa13")
+set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-1.0.0")
+set(FALCOSECURITY_RULES_FALCO_CHECKSUM "SHA256=3474d170e6cd1ac5c6ee0cfe6a226e3fd8ef5f7191b0363ecd69672601e7914f")
 set(FALCOSECURITY_RULES_FALCO_PATH "${PROJECT_BINARY_DIR}/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml")
 ExternalProject_Add(
   falcosecurity-rules-falco

falco.yaml

@@ -148,7 +148,7 @@ rules_file:
 #
 # --- [Description]
 #
-# Falco plugins enable integration with other services in your ecosystem.
+# Falco plugins enable integration with other services in the your ecosystem.
 # They allow Falco to extend its functionality and leverage data sources such as
 # Kubernetes audit logs or AWS CloudTrail logs. This enables Falco to perform
 # fast on-host detections beyond syscalls and container events. The plugin
@@ -162,11 +162,10 @@ rules_file:
 #
 # Please note that if your intention is to enrich Falco syscall logs with fields
 # such as `k8s.ns.name`, `k8s.pod.name`, and `k8s.pod.*`, you do not need to use
-# the `k8saudit` plugin nor the `-k`/`-K` Kubernetes metadata enrichment. This
-# information is automatically extracted from the container runtime socket. The
-# `k8saudit` plugin is specifically designed to integrate with Kubernetes audit
-# logs and is not required for basic enrichment of syscall logs with
-# Kubernetes-related fields.
+# the `k8saudit` plugin. This information is automatically extracted from the
+# container runtime socket. The `k8saudit` plugin is specifically designed to
+# integrate with Kubernetes audit logs and is not required for basic enrichment
+# of syscall logs with Kubernetes-related fields.
 #
 # --- [Usage]
 #
@@ -329,9 +328,6 @@ file_output:
 # [Stable] `http_output`
 #
 # Send logs to an HTTP endpoint or webhook.
-#
-# When using falcosidekick, it is necessary to set `json_output` to true, which is
-# conveniently done automatically for you when using `falcosidekick.enabled=true`.
 http_output:
   enabled: false
   url: http://some.url
@@ -602,7 +598,6 @@ syscall_event_drops:
 # [Experimental] `metrics`
 #
 # Generates "Falco internal: metrics snapshot" rule output when `priority=info` at minimum
-# By selecting `output_file`, equivalent JSON output will be appended to a file.
 #
 # periodic metric snapshots (including stats and resource utilization) captured
 # at regular intervals
@@ -634,9 +629,6 @@ syscall_event_drops:
 #
 # It's important to note that the output fields and their names can be subject
 # to change until the metrics feature reaches a stable release.
-# In addition, the majority of fields represent an instant snapshot, with the
-# exception of event rates per second and drop percentage stats. These values
-# are computed based on the delta between two snapshots.
 #
 # To customize the hostname in Falco, you can set the environment variable
 # `FALCO_HOSTNAME` to your desired hostname. This is particularly useful in
@@ -680,8 +672,7 @@ syscall_event_drops:
 # must be set to `info` at a minimum.
 #
 # `output_file`: Append stats to a `jsonl` file. Use with caution in production
-# as Falco does not automatically rotate the file. It can be used in combination
-# with `output_rule`.
+# as Falco does not automatically rotate the file.
 #
 # `resource_utilization_enabled`: Emit CPU and memory usage metrics. CPU usage
 # is reported as a percentage of one CPU and can be normalized to the total

scripts/falco-driver-loader

@@ -151,17 +151,11 @@ get_target_id() {
 		# Real kernel release is embedded inside the kernel version.
 		# Moreover, kernel arch, when present, is attached to the former,
 		# therefore make sure to properly take it and attach it to the latter.
-		# Moreover, we support 3 flavors for debian kernels: cloud, rt and normal.
-		# KERNEL-RELEASE will have a `-rt`, or `-cloud` if we are in one of these flavors.
-		# Manage it to download the correct driver.
-		#
-		# Example: KERNEL_RELEASE="5.10.0-0.deb10.22-rt-amd64" and `uname -v`="5.10.178-3"
-		# should lead to: KERNEL_RELEASE="5.10.178-3-rt-amd64"
 		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
 		local ARCH_extra=""
-		if [[ $KERNEL_RELEASE =~ -?(rt-|cloud-|)(amd64|arm64) ]];
+		if [[ $KERNEL_RELEASE =~ -(amd64|arm64) ]];
 		then
-			ARCH_extra="-${BASH_REMATCH[1]}${BASH_REMATCH[2]}"
+			ARCH_extra="-${BASH_REMATCH[1]}"
 		fi
 		if [[ $(uname -v) =~ ([0-9]+\.[0-9]+\.[0-9]+\-[0-9]+) ]];
 		then
@@ -171,26 +165,14 @@ get_target_id() {
 	("ubuntu")
 		# Extract the flavor from the kernelrelease
 		# Examples:
-		# 5.0.0-1028-aws-5.0 -> ubuntu-aws
+		# 5.0.0-1028-aws-5.0 -> ubuntu-aws-5.0
 		# 5.15.0-1009-aws -> ubuntu-aws
 		if [[ $KERNEL_RELEASE =~ -([a-zA-Z]+)(-.*)?$ ]];
 		then
-			TARGET_ID="ubuntu-${BASH_REMATCH[1]}"
+			TARGET_ID="ubuntu-${BASH_REMATCH[1]}${BASH_REMATCH[2]}"
 		else
 			TARGET_ID="ubuntu-generic"
 		fi
-
-
-		# In the case that the kernelversion isn't just a number
-		# we keep also the remaining part excluding `-Ubuntu`.
-		# E.g.:
-		# from the following `uname -v` result
-		# `#26~22.04.1-Ubuntu SMP Mon Apr 24 01:58:15 UTC 2023`
-		# we obtain the kernelversion`26~22.04.1`
-		if [[ $(uname -v) =~ (^\#[0-9]+\~[^-]*-Ubuntu .*$) ]];
-		then
-			KERNEL_VERSION=$(uname -v | sed 's/#\([^-\\ ]*\).*/\1/g')
-		fi
 		;;
 	("flatcar")
 		KERNEL_RELEASE="${VERSION_ID}"

test/requirements.txt

@@ -1,6 +1,6 @@
 avocado-framework==69.0
 avocado-framework-plugin-varianter-yaml-to-mux==69.0
-certifi==2023.7.22
+certifi==2022.12.7
 chardet==3.0.4
 idna==2.9
 pathtools==0.1.2

userspace/engine/falco_engine_version.h

@@ -16,9 +16,9 @@ limitations under the License.
 
 // The version of rules/filter fields/etc supported by this Falco
 // engine.
-#define FALCO_ENGINE_VERSION (19)
+#define FALCO_ENGINE_VERSION (17)
 
 // This is the result of running "falco --list -N | sha256sum" and
 // represents the fields supported by this version of Falco. It's used
 // at build time to detect a changed set of fields.
-#define FALCO_FIELDS_CHECKSUM "1d7f91f22d40074c56c705f5e494b7fae51aee1b7ababc8c70cfa63c6d6671c2"
+#define FALCO_FIELDS_CHECKSUM "dd438e1713ebf8abc09a2c89da77bb43ee3886ad1ba69802595a5f18e3854550"

userspace/engine/json_evt.h

@@ -436,7 +436,7 @@ public:
 	bool tostring(gen_event *evt, std::string &output) override;
 	bool tostring_withformat(gen_event *evt, std::string &output, gen_event_formatter::output_format of) override;
 	bool get_field_values(gen_event *evt, std::map<std::string, std::string> &fields) override;
-	void get_field_names(std::vector<std::string> &fields) override
+	void get_field_names(std::vector<std::string> &fields) override 
 	{
 		throw falco_exception("json_event_formatter::get_field_names operation not supported");
 	}

userspace/falco/app/actions/helpers_generic.cpp

@@ -39,17 +39,8 @@ bool falco::app::actions::check_rules_plugin_requirements(falco::app::state& s,
 
 void falco::app::actions::print_enabled_event_sources(falco::app::state& s)
 {
-	/* Print all loaded sources. */
-	std::string str;
-	for (const auto &src : s.loaded_sources)
-	{
-		str += str.empty() ? "" : ", ";
-		str += src;
-	}
-	falco_logger::log(LOG_INFO, "Loaded event sources: " + str);
-
 	/* Print all enabled sources. */
-	str.clear();
+	std::string str;
 	for (const auto &src : s.enabled_sources)
 	{
 		str += str.empty() ? "" : ", ";

userspace/falco/app/actions/init_inspectors.cpp

@@ -187,23 +187,6 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
 		{
 			return run_result::fatal(err);
 		}
-
-		// in live mode, each inspector should have registered at most two event sources:
-		// the "syscall" on, loaded at default at index 0, and optionally another
-		// one defined by a plugin, at index 1
-		if (!s.is_capture_mode())
-		{
-			const auto& sources = src_info->inspector->event_sources();
-			if (sources.size() == 0 || sources.size() > 2 || sources[0] != falco_common::syscall_source)
-			{
-				std::string err;
-				for (const auto &s : sources)
-				{
-					err += (err.empty() ? "" : ", ") + s;
-				}
-				return run_result::fatal("Illegal sources setup in live inspector for source '" + src + "': " + err);
-			}
-		}
 	}
 
 	// check if some plugin remains unused

userspace/falco/app/actions/process_events.cpp

@@ -144,13 +144,6 @@ static falco::app::run_result do_inspect(
 	const bool is_capture_mode = source.empty();
 	size_t source_engine_idx = 0;
 
-	// note(jasondellaluce): The "syscall" event source will always be loaded
-	// by default in an inspector, and at index 0. As such, in live mode we would
-	// expect the event source index to always be 0 in case of "syscall" source,
-	// and 1 in case of any other plugin event source, because it would be
-	// the only other source loaded in its relative live inspector.
-	size_t expected_live_evt_src_idx = source == falco_common::syscall_source ? 0 : 1;
-
 	if (!is_capture_mode)
 	{
 		// note: in live mode, each inspector gets assigned a distinct event
@@ -272,13 +265,10 @@ static falco::app::run_result do_inspect(
 			if (source_engine_idx == sinsp_no_event_source_idx)
 			{
 				std::string msg = "Unknown event source for inspector's event";
-				if (ev->get_type() == PPME_PLUGINEVENT_E || ev->get_type() == PPME_ASYNCEVENT_E)
+				if (ev->get_type() == PPME_PLUGINEVENT_E)
 				{
-					auto pluginID = *(uint32_t *)ev->get_param(0)->m_val;
-					if (pluginID != 0)
-					{
-						msg += " (plugin ID: " + std::to_string(pluginID) + ")";
-					}
+					auto pluginID = *(int32_t *)ev->get_param(0)->m_val;
+					msg += " (plugin ID: " + std::to_string(pluginID) + ")";
 				}
 				return run_result::fatal(msg);
 			}
@@ -290,15 +280,12 @@ static falco::app::run_result do_inspect(
 		{
 			// in live mode, each inspector gets assigned a distinct event source,
 			// so we report an error if we fetch an event of a different source.
-			if (expected_live_evt_src_idx != ev->get_source_idx())
+			if (source_engine_idx != ev->get_source_idx())
 			{
-				std::string actual = (ev->get_source_name() != NULL)
+				auto msg = "Unexpected event source for inspector's event: expected='" + source + "', actual=";
+				msg += (ev->get_source_name() != NULL)
 					? ("'" + std::string(ev->get_source_name()) + "'")
 					: ("<NA>");
-				std::string msg = "Unexpected event source for inspector's event:";
-				msg += " type=" + std::to_string(ev->get_type());
-				msg += ", expected='" + source + " (idx=" + std::to_string(expected_live_evt_src_idx) + ")";
-				msg += "', actual=" + actual + " (idx=" + std::to_string(ev->get_source_idx()) + ")";
 				return run_result::fatal(msg);
 			}
 

userspace/falco/app/options.cpp

@@ -195,7 +195,7 @@ void options::define(cxxopts::Options& opts)
 		("gvisor-root",					  "gVisor root directory for storage of container state. Equivalent to runsc --root flag.", cxxopts::value(gvisor_root), "<gvisor_root>")
 #endif
 #ifdef HAS_MODERN_BPF
-		("modern-bpf",				  "Use BPF modern probe driver to instrument the kernel.", cxxopts::value(modern_bpf)->default_value("false"))
+		("modern-bpf",				  "Use BPF modern probe to capture system events.", cxxopts::value(modern_bpf)->default_value("false"))
 #endif
 		("i",                             "Print all high volume syscalls that are ignored by default for performance reasons (i.e. without the -A flag) and exit.", cxxopts::value(print_ignored_events)->default_value("false"))
 #ifndef MINIMAL_BUILD
@@ -213,7 +213,7 @@ void options::define(cxxopts::Options& opts)
 		("M",                             "Stop collecting after <num_seconds> reached.", cxxopts::value(duration_to_tot)->default_value("0"), "<num_seconds>")
 		("markdown",                      "When used with --list/--list-syscall-events, print the content in Markdown format", cxxopts::value<bool>(markdown))
 		("N",                             "When used with --list, only print field names.", cxxopts::value(names_only)->default_value("false"))
-		("nodriver",                      "Do not use a driver to instrument the kernel. If a loaded plugin has event sourcing capability and can produce system events, it will be used to for event collection.", cxxopts::value(nodriver)->default_value("false"))
+		("nodriver",                      "Capture for system events without drivers. If a loaded plugin has event sourcing capability and can produce system events, it will be used to for event collection.", cxxopts::value(nodriver)->default_value("false"))
 		("o,option",                      "Set the value of option <opt> to <val>. Overrides values in configuration file. <opt> can be identified using its location in configuration file using dot notation. Elements which are entries of lists can be accessed via square brackets [].\n    E.g. base.id = val\n         base.subvalue.subvalue2 = val\n         base.list[1]=val", cxxopts::value(cmdline_config_options), "<opt>=<val>")
 		("plugin-info",                   "Print info for a single plugin and exit.\nThis includes all descriptivo info like name and author, along with the\nschema format for the init configuration and a list of suggested open parameters.\n<plugin_name> can be the name of the plugin or its configured library_path.", cxxopts::value(print_plugin_info), "<plugin_name>")
 		("p,print",                       "Add additional information to each falco notification's output.\nWith -pc or -pcontainer will use a container-friendly format.\nWith -pk or -pkubernetes will use a kubernetes-friendly format.\nAdditionally, specifying -pc/-pk will change the interpretation of %container.info in rule output fields.", cxxopts::value(print_additional), "<output_format>")
@@ -221,7 +221,7 @@ void options::define(cxxopts::Options& opts)
 		("r",                             "Rules file/directory (defaults to value set in configuration file, or /etc/falco_rules.yaml). This option can be passed multiple times to read from multiple files/directories.", cxxopts::value<std::vector<std::string>>(), "<rules_file>")
 		("s",                             "If specified, append statistics related to Falco's reading/processing of events to this file (only useful in live mode).", cxxopts::value(stats_output_file), "<stats_file>")
 		("stats-interval",                "When using -s <stats_file>, write statistics every <msec> ms. This uses signals, and has a minimum threshold of 100 ms. Defaults to 5000 (5 seconds).", cxxopts::value(stats_interval),  "<msec>")
-		("S,snaplen",                     "Capture the first <len> bytes of each I/O buffer. By default, the first 80 bytes are captured. Use this option with caution, it can have a strong performance impact.", cxxopts::value(snaplen)->default_value("0"), "<len>")
+		("S,snaplen",                     "Capture the first <len> bytes of each I/O buffer. By default, the first 80 bytes are captured. Use this option with caution, it can generate huge trace files.", cxxopts::value(snaplen)->default_value("0"), "<len>")
 		("support",                       "Print support information including version, rules files used, etc. and exit.", cxxopts::value(print_support)->default_value("false"))
 		("T",                             "Disable any rules with a tag=<tag>. This option can be passed multiple times. Can not be mized with -t", cxxopts::value<std::vector<std::string>>(), "<tag>")
 		("t",                             "Only run those rules with a tag=<tag>. This option can be passed multiple times. Can not be mixed with -T/-D.", cxxopts::value<std::vector<std::string>>(), "<tag>")

userspace/falco/stats_writer.cpp

@@ -15,8 +15,7 @@ limitations under the License.
 */
 
 #include <sys/time.h>
-#include <ctime>
-#include <csignal>
+#include <signal.h>
 #include <nlohmann/json.hpp>
 #include <atomic>
 
@@ -40,32 +39,22 @@ static void timer_handler(int signum)
 
 bool stats_writer::init_ticker(uint32_t interval_msec, std::string &err)
 {
-	struct itimerspec timer = {};
-	struct sigaction handler = {};
+	struct itimerval timer;
+	struct sigaction handler;
 
-	memset (&handler, 0, sizeof(handler));
+	memset (&handler, 0, sizeof (handler));
 	handler.sa_handler = &timer_handler;
 	if (sigaction(SIGALRM, &handler, NULL) == -1)
 	{
 		err = std::string("Could not set up signal handler for periodic timer: ") + strerror(errno);
 		return false;
 	}
-	
-	timer_t timerid;
-	struct sigevent sev = {};
-	/* Create the timer */
-	sev.sigev_notify = SIGEV_SIGNAL;
-	sev.sigev_signo = SIGALRM;
-	sev.sigev_value.sival_ptr = &timerid;
-	if (timer_create(CLOCK_MONOTONIC, &sev, &timerid) == -1) {
-		err = std::string("Could not create periodic timer: ") + strerror(errno);
-		return false;
-	}
-	timer.it_value.tv_sec = interval_msec / 1000;
-	timer.it_value.tv_nsec = (interval_msec % 1000) * 1000 * 1000;
-	timer.it_interval = timer.it_value;
 
-	if (timer_settime(timerid, 0, &timer, NULL) == -1) {
+	timer.it_value.tv_sec = interval_msec / 1000;
+	timer.it_value.tv_usec = (interval_msec % 1000) * 1000;
+	timer.it_interval = timer.it_value;
+	if (setitimer(ITIMER_REAL, &timer, NULL) == -1)
+	{
 		err = std::string("Could not set up periodic timer: ") + strerror(errno);
 		return false;
 	}