docs: add PR 906 to changelog for 0.18.0

Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>

.github/PULL_REQUEST_TEMPLATE.md

@@ -2,8 +2,8 @@
 
 1. If this is your first time, please read our contributor guidelines in the [CONTRIBUTING.md](CONTRIBUTING.md) file and learn how to compile Falco from source [here](https://falco.org/docs/source).
 2. Please label this pull request according to what type of issue you are addressing.
-5. Please add a release note!
-6. If the PR is unfinished while opening it specify a wip in the title before the actual title, for example, "wip: my awesome feature"
+3. . Please add a release note!
+4. If the PR is unfinished while opening it specify a wip in the title before the actual title, for example, "wip: my awesome feature"
 -->
 
 **What type of PR is this?**
@@ -30,19 +30,31 @@
 
 > /kind rule-create
 
+<!--
+Please remove the leading whitespace before the `/kind <>` you uncommented.
+-->
+
 **Any specific area of the project related to this PR?**
 
 > Uncomment one (or more) `/area <>` lines:
 
+> /area build
+
 > /area engine
 
+> /area examples
+
 > /area rules
 
-> /area deployment
-
 > /area integrations
 
-> /area examples
+> /area tests
+
+> /area proposals
+
+<!--
+Please remove the leading whitespace before the `/area <>` you uncommented.
+-->
 
 **What this PR does / why we need it**:
 
@@ -63,7 +75,8 @@ Fixes #
 <!--
 If no, just write "NONE" in the release-note block below.
 If yes, a release note is required:
-Enter your extended release note in the block below. If the PR requires additional action from users switching to the new release, prepend the string "action required:".
+Enter your extended release note in the block below.
+If the PR requires additional action from users switching to the new release, prepend the string "action required:".
 For example, `action required: change the API interface of the rule engine`.
 -->
 

.travis.yml

@@ -1,7 +1,6 @@
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco .
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -20,7 +19,7 @@ compiler: gcc
 env:
     - BUILD_TYPE=debug
     - BUILD_TYPE=release
-sudo: required
+dist: xenial
 services:
     - docker
 before_install:

ADOPTERS.md

@@ -0,0 +1,17 @@
+# Adopters
+
+This is a list of production adopters of Falco (in alphabetical order):
+
+* [Booz Allen Hamilton](https://www.boozallen.com/) - BAH leverages Falco as part of their Kubernetes environment to verify that work loads behave as they did in their CD DevSecOps pipelines. BAH offers a solution to internal developers to easily build DevSecOps pipelines for projects. This makes it easy for developers to incorporate Security principles early on in the development cycle. In production, Falco is used to verify that the code the developer ships does not violate any of the production security requirements. BAH [are speaking at Kubecon NA 2019](https://kccncna19.sched.com/event/UaWr/building-reusable-devsecops-pipelines-on-a-secure-kubernetes-platform-steven-terrana-booz-allen-hamilton-michael-ducy-sysdig) on their use of Falco.
+
+* [League](https://league.com/ca/) - League provides health benefits management services to help employees understand and get the most from their benefits, and employers to provide effective, efficient plans. Falco is used to monitor our deployed services on Kubernetes, protecting against malicious access to containerswhich could lead to leaks of PHI or other sensitive data. The Falco alerts are logged in Stackdriver for grouping and further analysis. In the future, we're hoping for integrations with Prometheus and AlertManager as well.
+
+* [Preferral](https://www.preferral.com) - Preferral is a HIPAA-compliant platform for Referral Management and Online Referral Forms. Preferral streamlines the referral process for patients, specialists and their referral partners. By automating the referral process, referring practices spend less time on the phone, manual efforts are eliminated, and patients get the right care from the right specialist. Preferral leverages Falco to provide a Host Intrusion Detection System to meet their HIPPA compliance requirements.
+  * https://hipaa.preferral.com/01-preferral_hipaa_compliance/
+
+* [Shopify](https://www.shopify.com) - Shopify is the leading multi-channel commerce platform. Merchants use Shopify to design, set up, and manage their stores across multiple sales channels, including mobile, web, social media, marketplaces, brick-and-mortar locations, and pop-up shops. The platform also provides merchants with a powerful back-office and a single view of their business, from payments to shipping. The Shopify platform was engineered for reliability and scale, making enterprise-level technology available to businesses of all sizes. Shopify uses Falco to complement its Host and Network Intrusion Detection Systems.
+
+* [Sumo Logic](https://www.sumologic.com/) - Sumo Logic provides a SaaS based log aggregation service that provides dashboards and applications to easily identify and analyze problems in your application and infrastructure. Sumo Logic provides native integrations for many CNCF projects, such as Falco, that allows end users to easily collect Falco events and analyze Falco events on DecSecOps focused dashboards.
+
+*  [Sysdig](https://www.sysdig.com/) Sysdig created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call probe. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-define infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.
+

CHANGELOG.md

@@ -2,27 +2,93 @@
 
 This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).
 
+## v0.18.0
+
+Released 2019-10-28
+
+### Major Changes
+
+* falco grpc api server implementation, contains a subscribe method to subscribe to outputs from any grpc capable language [[#822](https://github.com/falcosecurity/falco/pull/822)]
+* add support for converting k8s pod security policies (psps) into set of falco rules that can be used to evaluate the conditions specified in the psp. [[#826](https://github.com/falcosecurity/falco/pull/826)]
+* initial redesign container images to remove build tools and leverage init containers for kernel module delivery. [[#776](https://github.com/falcosecurity/falco/pull/776)]
+* add flags to disable `syscall` event source or `k8s_audit` event source [[#779](https://github.com/falcosecurity/falco/pull/779)]
+
+### Minor Changes
+
+* allow for unique names for psp converted rules/macros/lists/rule names as generated by falcoctl 0.0.3 [[#895](https://github.com/falcosecurity/falco/pull/895)]
+* make it easier to run regression tests without necessarily using the falco-tester docker image. [[#808](https://github.com/falcosecurity/falco/pull/808)]
+* fix falco engine compatibility with older k8s audit rules files. [[#893](https://github.com/falcosecurity/falco/pull/893)]
+* add tests for psp conversions with names containing spaces/dashes. [[#899](https://github.com/falcosecurity/falco/pull/899)]
+
+### Bug Fixes
+
+* handle multi-document yaml files when reading rules files. [[#760](https://github.com/falcosecurity/falco/pull/760)]
+* improvements to how the webserver handles incoming invalid inputs [[#759](https://github.com/falcosecurity/falco/pull/759)]
+* fix: make lua state access thread-safe [[#867](https://github.com/falcosecurity/falco/pull/867)]
+* fix compilation on gcc 5.4 by working around gcc bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=56480 [[#873](https://github.com/falcosecurity/falco/pull/873)]
+* add explicit dependency between tests and catch2 header file. [[#879](https://github.com/falcosecurity/falco/pull/879)]
+* fix: stable dockerfile libgcc-6-dev dependencies [[#830](https://github.com/falcosecurity/falco/pull/830)]
+* fix: build dependencies for the local dockerfile [[#782](https://github.com/falcosecurity/falco/pull/782)]
+* fix: a crash bug that could result from reading more than ~6 rules files [[#906](https://github.com/falcosecurity/falco/issues/906)] [[#907](https://github.com/falcosecurity/falco/pull/907)]
+  
+### Rule Changes
+
+* rules: add calico/node to trusted privileged container list [[#902](https://github.com/falcosecurity/falco/pull/902)]
+* rules: add macro `calico_node_write_envvars` to exception list of write below etc [[#902](https://github.com/falcosecurity/falco/pull/902)]
+* rules: add exception for rule write below rpm, this is a fp caused by amazon linux 2 yum. [[#755](https://github.com/falcosecurity/falco/pull/755)]
+* rules: ignore sensitive mounts from the ecs-agent [[#881](https://github.com/falcosecurity/falco/pull/881)]
+* rules: add rules to detect crypto mining activities [[#763](https://github.com/falcosecurity/falco/pull/763)]
+* rules: add back rule delete bash history for backport compatibility [[#864](https://github.com/falcosecurity/falco/pull/864)]
+* rule: syscalls are used to detect suid and sgid [[#765](https://github.com/falcosecurity/falco/pull/765)]
+* rules: delete bash history is renamed to delete or rename shell history [[#762](https://github.com/falcosecurity/falco/pull/762)]
+* rules: add image fluent/fluentd-kubernetes-daemonset to clear log trusted images [[#852](https://github.com/falcosecurity/falco/pull/852)]
+* rules: include default users created by `kops`. [[#898](https://github.com/falcosecurity/falco/pull/898)]
+* rules: delete or rename shell history: when deleting a shell history file now the syscalls are taken into account rather than just the commands deleting the files [[#762](https://github.com/falcosecurity/falco/pull/762)]
+* rules: delete or rename shell history: history deletion now supports fish and zsh in addition to bash [[#762](https://github.com/falcosecurity/falco/pull/762)]
+* rules: "create hidden files or directories" and "update package repository" now trigger also if the files are moved and not just if modified or created. [[#766](https://github.com/falcosecurity/falco/pull/766)]
+
+## v0.17.1
+
+Released 2019-09-26
+
+### Major Changes
+
+* Same as v0.17.0
+
+##
+
+* Same as v0.17.0
+
+### Bug Fixes
+
+* All in v0.17.0
+* Fix a build problem for pre-built kernel probes. [[draios/sysdig#1471](https://github.com/draios/sysdig/pull/1471)]
+
+### Rule Changes
+
+* Same as v0.17.0
+
 ## v0.17.0
 
 Released 2019-07-31
 
-## Major Changes
+### Major Changes
 
 * **The set of supported platforms has changed**. Switch to a reorganized builder image that uses Centos 7 as a base. As a result, falco is no longer supported on Centos 6. The other supported platforms should remain the same [[#719](https://github.com/falcosecurity/falco/pull/719)]
 
-## Minor Changes
+### Minor Changes
 
 * When enabling rules within the falco engine, use rule substrings instead of regexes. [[#743](https://github.com/falcosecurity/falco/pull/743)]
 
 * Additional improvements to the handling and display of rules validation errors [[#744](https://github.com/falcosecurity/falco/pull/744)] [[#747](https://github.com/falcosecurity/falco/pull/747)]
 
-## Bug Fixes
+### Bug Fixes
 
 * Fix a problem that would cause prevent container metadata lookups when falco was daemonized [[#731](https://github.com/falcosecurity/falco/pull/731)]
 
 * Allow rule priorites to be expressed as lowercase and a mix of lower/uppercase [[#737](https://github.com/falcosecurity/falco/pull/737)]
 
-## Rule Changes
+### Rule Changes
 
 * Fix a parentheses bug with the `shell_procs` macro [[#728](https://github.com/falcosecurity/falco/pull/728)]
 
@@ -36,7 +102,7 @@ Released 2019-07-31
 
 Released 2019-07-12
 
-## Major Changes
+### Major Changes
 
 * Clean up error reporting to provide more meaningful error messages along with context when loading rules files. When run with -V, the results of the validation ("OK" or error message) are sent to standard output. [[#708](https://github.com/falcosecurity/falco/pull/708)]
 
@@ -46,7 +112,7 @@ Released 2019-07-12
 
 * Add Catch2 as a unit testing framework. This will add additional coverage on top of the regression tests using Avocado. [[#687](https://github.com/falcosecurity/falco/pull/687)]
 
-## Minor Changes
+### Minor Changes
 
 * Add SYSDIG_DIR Cmake option to specify location for sysdig source code when building falco. [[#677](https://github.com/falcosecurity/falco/pull/677)] [[#679](https://github.com/falcosecurity/falco/pull/679)] [[#702](https://github.com/falcosecurity/falco/pull/702)]
 
@@ -66,7 +132,7 @@ Released 2019-07-12
 
 * Fix PR template for kind/rule-*. [[#697](https://github.com/falcosecurity/falco/pull/697)]
 
-## Bug Fixes
+### Bug Fixes
 
 * Remove an unused cmake file. [[#700](https://github.com/falcosecurity/falco/pull/700)]
 
@@ -74,7 +140,7 @@ Released 2019-07-12
 
 * Misc k8s install docs improvements. [[#671](https://github.com/falcosecurity/falco/pull/671)]
 
-## Rule Changes
+### Rule Changes
 
 * Allow k8s.gcr.io/kube-proxy image to run privileged. [[#717](https://github.com/falcosecurity/falco/pull/717)]
 
@@ -104,19 +170,19 @@ Released 2019-07-12
 
 Released 2019-06-12
 
-## Major Changes
+### Major Changes
 
 * None.
 
-## Minor Changes
+### Minor Changes
 
 * None.
 
-## Bug Fixes
+### Bug Fixes
 
 * Fix kernel module compilation for kernels < 3.11 [[#sysdig/1436](https://github.com/draios/sysdig/pull/1436)]
 
-## Rule Changes
+### Rule Changes
 
 * None.
 
@@ -124,19 +190,19 @@ Released 2019-06-12
 
 Released 2019-06-12
 
-## Major Changes
+### Major Changes
 
 * New documentation and process handling around issues and pull requests. [[#644](https://github.com/falcosecurity/falco/pull/644)] [[#659](https://github.com/falcosecurity/falco/pull/659)] [[#664](https://github.com/falcosecurity/falco/pull/664)] [[#665](https://github.com/falcosecurity/falco/pull/665)]
 
-## Minor Changes
+### Minor Changes
 
 * None.
 
-## Bug Fixes
+### Bug Fixes
 
 * Fix compilation of eBPF programs on COS (used by GKE) [[#sysdig/1431](https://github.com/draios/sysdig/pull/1431)]
 
-## Rule Changes
+### Rule Changes
 
 * Rework exceptions lists for `Create Privileged Pod`, `Create Sensitive Mount Pod`, `Launch Sensitive Mount Container`, `Launch Privileged Container` rules to use separate specific lists rather than a single "Trusted Containers" list. [[#651](https://github.com/falcosecurity/falco/pull/651)]
 
@@ -144,11 +210,11 @@ Released 2019-06-12
 
 Released 2019-06-07
 
-## Major Changes
+### Major Changes
 
 * Drop unnecessary events at the kernel level instead of userspace, which should improve performance [[#635](https://github.com/falcosecurity/falco/pull/635)]
 
-## Minor Changes
+### Minor Changes
 
 * Add instructions for k8s audit support in >= 1.13 [[#608](https://github.com/falcosecurity/falco/pull/608)]
 
@@ -158,13 +224,13 @@ Released 2019-06-07
 
 * Better tracking of rule counts per ruleset [[#645](https://github.com/falcosecurity/falco/pull/645)]
 
-## Bug Fixes
+### Bug Fixes
 
 * Handle rule patterns that are invalid regexes [[#636](https://github.com/falcosecurity/falco/pull/636)]
 
 * Fix kernel module builds on newer kernels [[#646](https://github.com/falcosecurity/falco/pull/646)] [[#sysdig/1413](https://github.com/draios/sysdig/pull/1413)]
 
-## Rule Changes
+### Rule Changes
 
 * New rule `Launch Remote File Copy Tools in Container` could be used to identify exfiltration attacks [[#600](https://github.com/falcosecurity/falco/pull/600)]
 
@@ -190,9 +256,9 @@ Released 2019-06-07
 
 Released 2019-05-13
 
-## Major Changes
+### Major Changes
 
-* **Actions and alerts for dropped events**: Falco can now take actions, including sending alerts/logging messages, and/or even exiting Falco, when it detects dropped system call events. [[#561](https://github.com/falcosecurity/falco/pull/561)] [[#571](https://github.com/falcosecurity/falco/pull/571)]
+* **Actions and alerts for dropped events**: Falco can now take actions, including sending alerts/logging messages, and/or even exiting Falco, when it detects dropped system call events. Fixes CVE 2019-8339. [[#561](https://github.com/falcosecurity/falco/pull/561)] [[#571](https://github.com/falcosecurity/falco/pull/571)]
 
 * **Support for Containerd/CRI-O**: Falco now supports containerd/cri-o containers. [[#585](https://github.com/falcosecurity/falco/pull/585)] [[#591](https://github.com/falcosecurity/falco/pull/591)] [[#599](https://github.com/falcosecurity/falco/pull/599)] [[#sysdig/1376](https://github.com/draios/sysdig/pull/1376)] [[#sysdig/1310](https://github.com/draios/sysdig/pull/1310)] [[#sysdig/1399](https://github.com/draios/sysdig/pull/1399)]
 
@@ -209,7 +275,7 @@ Released 2019-05-13
 * RHEL-based falco image: Provide dockerfiles that use RHEL 7 as the base image instead of debian:unstable. [[#544](https://github.com/falcosecurity/falco/pull/544)]
 
 
-## Minor Changes
+### Minor Changes
 
 * ISO-8601 Timestamps: Add the ability to write timestamps in ISO-8601 w/ UTC, and use this format by default when running falco in a container [[#518](https://github.com/falcosecurity/falco/pull/518)]
 
@@ -223,13 +289,13 @@ Released 2019-05-13
 
 * Improvements to sample K8s daemonset/service/etc files [[#562](https://github.com/falcosecurity/falco/pull/562)]
 
-## Bug Fixes
+### Bug Fixes
 
 * Fix regression that broke json output [[#581](https://github.com/falcosecurity/falco/pull/581)]
 
 * Fix errors when building via docker from MacOS [[#582](https://github.com/falcosecurity/falco/pull/582)]
 
-## Rule Changes
+### Rule Changes
 
 * **Tag rules using Mitre Attack Framework**: Add tags for all relevant rules linking them to the [MITRE Attack Framework](https://attack.mitre.org). We have an associated [blog post](https://sysdig.com/blog/mitre-attck-framework-for-container-runtime-security-with-sysdig-falco/). [[#575](https://github.com/falcosecurity/falco/pull/575)] [[#578](https://github.com/falcosecurity/falco/pull/578)]
 
@@ -255,12 +321,11 @@ Released 2019-05-13
 
 * Add `ash` (Alpine Linux-related shell) as a shell binary [[#597](https://github.com/falcosecurity/falco/pull/597)]
 
-
 ## v0.14.0
 
 Released 2019-02-06
 
-## Major Changes
+### Major Changes
 
 * Rules versioning support: The falco engine and executable now have an *engine version* that represents the fields they support. Similarly, rules files have an optional *required_engine_version: NNN* object that names the minimum engine version required to read that rules file. Any time the engine adds new fields, event sources, etc, the engine version will be incremented, and any time a rules file starts using new fields, event sources, etc, the required engine version will be incremented. [[#492](https://github.com/falcosecurity/falco/pull/492)]
 
@@ -270,7 +335,7 @@ Released 2019-02-06
 
 * Support bundle: When run with `--support`, falco will print a json object containing necessary information like falco version, command line, operating system information, and falco rules files contents. This could be useful when reporting issues. [[#517](https://github.com/falcosecurity/falco/pull/517)]
 
-## Minor Changes
+### Minor Changes
 
 * Support new third-party library dependencies from open source sysdig. [[#498](https://github.com/falcosecurity/falco/pull/498)]
 
@@ -286,11 +351,11 @@ Released 2019-02-06
 
 * Add additional RBAC permissions to track deployments/daemonsets/replicasets. [[#514](https://github.com/falcosecurity/falco/pull/514)]
 
-## Bug Fixes
+### Bug Fixes
 
 * Fix formatting of nodejs examples README [[#502](https://github.com/falcosecurity/falco/pull/502)]
 
-## Rule Changes
+### Rule Changes
 
 * Remove FPs for `Launch Sensitive Mount Container` rule [[#509](https://github.com/falcosecurity/falco/pull/509/files)]
 
@@ -300,10 +365,10 @@ Released 2019-02-06
 
 Released 2019-01-16
 
-## Major Changes
+### Major Changes
 
 
-## Minor Changes
+### Minor Changes
 
 * Unbuffer outputs by default. This helps make output readable when used in environments like K8s. [[#494](https://github.com/falcosecurity/falco/pull/494)]
 
@@ -317,7 +382,7 @@ Released 2019-01-16
 
 * Remove kubernetes-response-engine from system:masters [[#488](https://github.com/falcosecurity/falco/pull/488)]
 
-## Bug Fixes
+### Bug Fixes
 
 * Ensure `-pc`/`-pk` only apply to syscall rules and not k8s_audit rules [[#495](https://github.com/falcosecurity/falco/pull/495)]
 
@@ -325,7 +390,7 @@ Released 2019-01-16
 
 * Fix a regression where format output options were mistakenly removed [[#485](https://github.com/falcosecurity/falco/pull/485)]
 
-## Rule Changes
+### Rule Changes
 
 * Fix FPs related to calico and writing files below etc [[#481](https://github.com/falcosecurity/falco/pull/481)]
 
@@ -342,25 +407,25 @@ Released 2019-01-16
 
 Released 2018-11-09
 
-## Major Changes
+### Major Changes
 
 * **Support for K8s Audit Events** : Falco now supports [K8s Audit Events](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-backends) as a second stream of events in addition to syscalls. For full details on the feature, see the [wiki](https://github.com/falcosecurity/falco/wiki/K8s-Audit-Event-Support).
 
 * Transparent Config/Rule Reloading: On SIGHUP, Falco will now reload all config files/rules files and start processing new events. Allows rules changes without having to restart falco [[#457](https://github.com/falcosecurity/falco/pull/457)] [[#432](https://github.com/falcosecurity/falco/issues/432)]
 
-## Minor Changes
+### Minor Changes
 
 * The reference integration of falco into a action engine now supports aws actions like lambda, etc. [[#460](https://github.com/falcosecurity/falco/pull/460)]
 
 * Add netcat to falco docker images, which allows easier integration of program outputs to external servers [[#456](https://github.com/falcosecurity/falco/pull/456)] [[#433](https://github.com/falcosecurity/falco/issues/433)]
 
-## Bug Fixes
+### Bug Fixes
 
 * Links cleanup related to the draios/falco -> falcosecurity/falco move [[#447](https://github.com/falcosecurity/falco/pull/447)]
 
 * Properly load/unload kernel module when the falco service is started/stopped [[#459](https://github.com/falcosecurity/falco/pull/459)] [[#418](https://github.com/falcosecurity/falco/issues/418)]
 
-## Rule Changes
+### Rule Changes
 
 * Better coverage (e.g. reduced FPs) for critical stack, hids systems, ufw, cloud-init, etc. [[#445](https://github.com/falcosecurity/falco/pull/445)]
 
@@ -372,7 +437,7 @@ Released 2018-11-09
 
 Released 2018-09-11
 
-## Bug Fixes
+### Bug Fixes
 
 * Fig regression in libcurl configure script [[#416](https://github.com/draios/falco/pull/416)]
 
@@ -380,7 +445,7 @@ Released 2018-09-11
 
 Released 2018-09-11
 
-## Major Changes
+### Major Changes
 
 * Improved IPv6 Support to fully support use of IPv6 addresses in events, connections and filters [[#sysdig/1204](https://github.com/draios/sysdig/pull/1204)]
 
@@ -388,16 +453,16 @@ Released 2018-09-11
 
 * New filterchecks `user.loginuid` and `user.loginname` can be used to match the login uid, which stays consistent across sudo/su. This can be used to find the actual user running a given process [[#sysdig/1189](https://github.com/draios/sysdig/pull/1189)]
 
-## Minor Changes
+### Minor Changes
 
 * Upgrade zlib to 1.2.11, openssl to 1.0.2n, and libcurl to 7.60.0 to address software vulnerabilities [[#402](https://github.com/draios/falco/pull/402)]
 * New `endswith` operator can be used for suffix matching on strings [[#sysdig/1209](https://github.com/draios/sysdig/pull/1209)]
 
-## Bug Fixes
+### Bug Fixes
 
 * Better control of specifying location of lua source code [[#406](https://github.com/draios/falco/pull/406)]
 
-## Rule Changes
+### Rule Changes
 
 * None for this release.
 
@@ -405,7 +470,7 @@ Released 2018-09-11
 
 Released 2018-07-31
 
-## Bug Fixes
+### Bug Fixes
 
 * Fix a problem that caused the kernel module to not load on certain kernel versions [[#397](https://github.com/draios/falco/pull/397)] [[#394](https://github.com/draios/falco/issues/394)]
 
@@ -413,25 +478,25 @@ Released 2018-07-31
 
 Released 2018-07-24
 
-## Major Changes
+### Major Changes
 
 * **EBPF Support** (Beta): Falco can now read events via an ebpf program loaded into the kernel instead of the `falco-probe` kernel module. Full docs [here](https://github.com/draios/sysdig/wiki/eBPF-(beta)). [[#365](https://github.com/draios/falco/pull/365)]
 
-## Minor Changes
+### Minor Changes
 
 * Rules may now have an `skip-if-unknown-filter` property. If set to true, a rule will be skipped if its condition/output property refers to a filtercheck (e.g. `fd.some-new-attibute`) that is not present in the current falco version. [[#364](https://github.com/draios/falco/pull/364)] [[#345](https://github.com/draios/falco/issues/345)]
 * Small changes to Falco `COPYING` file so github automatically recognizes license [[#380](https://github.com/draios/falco/pull/380)]
 * New example integration showing how to connect Falco with Anchore to dynamically create falco rules based on negative scan results [[#390](https://github.com/draios/falco/pull/390)]
 * New example integration showing how to connect Falco, [nats](https://nats.io/), and K8s to run flexible "playbooks" based on Falco events [[#389](https://github.com/draios/falco/pull/389)]
 
-## Bug Fixes
+### Bug Fixes
 
 * Ensure all rules are enabled by default [[#379](https://github.com/draios/falco/pull/379)]
 * Fix libcurl compilation problems [[#374](https://github.com/draios/falco/pull/374)]
 * Add gcc-6 to docker container, which improves compatibility when building kernel module [[#382](https://github.com/draios/falco/pull/382)] [[#371](https://github.com/draios/falco/issues/371)]
 * Ensure the /lib/modules symlink to /host/lib/modules is set correctly [[#392](https://github.com/draios/falco/issues/392)]
 
-## Rule Changes
+### Rule Changes
 
 * Add additional binary writing programs [[#366](https://github.com/draios/falco/pull/366)]
 * Add additional package management programs [[#388](https://github.com/draios/falco/pull/388)] [[#366](https://github.com/draios/falco/pull/366)]
@@ -452,7 +517,7 @@ Released 2018-07-24
 
 Released 2018-04-24
 
-## Major Changes
+### Major Changes
 
 * **Rules Directory Support**: Falco will read rules files from `/etc/falco/rules.d` in addition to `/etc/falco/falco_rules.yaml` and `/etc/falco/falco_rules.local.yaml`. Also, when the argument to `-r`/falco.yaml `rules_file` is a directory, falco will read rules files from that directory. [[#348](https://github.com/draios/falco/pull/348)] [[#187](https://github.com/draios/falco/issues/187)]
 * Properly support all syscalls (e.g. those without parameter extraction by the kernel module) in falco conditions, so they can be included in `evt.type=<name>` conditions. [[#352](https://github.com/draios/falco/pull/352)]
@@ -461,7 +526,7 @@ Released 2018-04-24
 * When signaled with `USR1`, falco will close/reopen log files. Include a [logrotate](https://github.com/logrotate/logrotate) example that shows how to use this feature for log rotation. [[#347](https://github.com/draios/falco/pull/347)] [[#266](https://github.com/draios/falco/issues/266)]
 * To improve resource usage, further restrict the set of system calls available to falco [[#351](https://github.com/draios/falco/pull/351)] [[draios/sysdig#1105](https://github.com/draios/sysdig/pull/1105)]
 
-## Minor Changes
+### Minor Changes
 
 * Add gdb to the development Docker image (sysdig/falco:dev) to aid in debugging. [[#323](https://github.com/draios/falco/pull/323)]
 * You can now specify -V multiple times on the command line to validate multiple rules files at once. [[#329](https://github.com/draios/falco/pull/329)]
@@ -472,7 +537,7 @@ Released 2018-04-24
 * If a rule has an attribute `warn_evttypes`, falco will not complain about `evt.type` restrictions on that rule [[#355](https://github.com/draios/falco/pull/355)]
 * When run with `-i`, print all ignored events/syscalls and exit. [[#359](https://github.com/draios/falco/pull/359)]
 
-## Bug Fixes
+### Bug Fixes
 
 * Minor bug fixes to k8s daemonset configuration. [[#325](https://github.com/draios/falco/pull/325)] [[#296](https://github.com/draios/falco/pull/296)] [[#295](https://github.com/draios/falco/pull/295)]
 * Ensure `--validate` can be used interchangeably with `-V`. [[#334](https://github.com/draios/falco/pull/334)] [[#322](https://github.com/draios/falco/issues/322)]
@@ -481,7 +546,7 @@ Released 2018-04-24
 * Make it possible to append to a skipped macro/rule without falco complaining [[#346](https://github.com/draios/falco/pull/346)] [[#305](https://github.com/draios/falco/issues/305)]
 * Ensure rule order is preserved even when rules do not contain any `evt.type` restriction. [[#354](https://github.com/draios/falco/issues/354)] [[#355](https://github.com/draios/falco/pull/355)]
 
-## Rule Changes
+### Rule Changes
 
 * Make it easier to extend the `Change thread namespace` rule via a `user_known_change_thread_namespace_binaries` list. [[#324](https://github.com/draios/falco/pull/324)]
 * Various FP fixes from users. [[#321](https://github.com/draios/falco/pull/321)] [[#326](https://github.com/draios/falco/pull/326)] [[#344](https://github.com/draios/falco/pull/344)] [[#350](https://github.com/draios/falco/pull/350)]
@@ -736,13 +801,13 @@ All of these changes result in dramatically reduced CPU usage. Here are some com
 * Sysdig Cloud Kubernetes Demo: Starts a kubernetes environment using docker with apache and wordpress instances + synthetic workloads.
 * [Juttle-engine examples](https://github.com/juttle/juttle-engine/blob/master/examples/README.md) : Several elasticsearch, node.js, logstash, mysql, postgres, influxdb instances run under docker-compose.
 
-| Workload | 0.2.0 CPU Usage | 0.3.0 CPU Usage |
-|----------| --------------- | ----------------|
-| pts/apache | 24% | 7% |
-| pts/dbench | 70% | 5% |
-| Kubernetes-Demo (Running) | 6% | 2% |
-| Kubernetes-Demo (During Teardown) | 15% | 3% |
-| Juttle-examples | 3% | 1% |
+| Workload                          | 0.2.0 CPU Usage | 0.3.0 CPU Usage |
+| --------------------------------- | --------------- | --------------- |
+| pts/apache                        | 24%             | 7%              |
+| pts/dbench                        | 70%             | 5%              |
+| Kubernetes-Demo (Running)         | 6%              | 2%              |
+| Kubernetes-Demo (During Teardown) | 15%             | 3%              |
+| Juttle-examples                   | 3%              | 1%              |
 
 As a part of these changes, falco now prefers rule conditions that have at least one `evt.type=` operator, at the beginning of the condition, before any negative operators (i.e. `not` or `!=`). If a condition does not have any `evt.type=` operator, falco will log a warning like:
 

CMakeCPackOptions.cmake

@@ -1,7 +1,6 @@
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco .
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

CMakeLists.txt

@@ -1,7 +1,6 @@
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco .
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -598,8 +597,8 @@ else()
 	set(GRPC_SRC "${PROJECT_BINARY_DIR}/grpc-prefix/src/grpc")
 	message(STATUS "Using bundled grpc in '${GRPC_SRC}'")
 	set(GRPC_INCLUDE "${GRPC_SRC}/include")
-	set(GRPC_LIB "${GRPC_SRC}/libs/opt/libgrpc_unsecure.a")
-	set(GRPCPP_LIB "${GRPC_SRC}/libs/opt/libgrpc++_unsecure.a")
+	set(GRPC_LIB "${GRPC_SRC}/libs/opt/libgrpc.a")
+	set(GRPCPP_LIB "${GRPC_SRC}/libs/opt/libgrpc++.a")
 	set(GRPC_CPP_PLUGIN "${GRPC_SRC}/bins/opt/grpc_cpp_plugin")
 
 	get_filename_component(PROTOC_DIR ${PROTOC} DIRECTORY)

CODE_OF_CONDUCT.md

@@ -1,6 +1,6 @@
-## CNCF Community Code of Conduct v1.0
+# CNCF Community Code of Conduct v1.0
 
-### Contributor Code of Conduct
+## Contributor Code of Conduct
 
 As contributors and maintainers of this project, and in the interest of fostering
 an open and welcoming community, we pledge to respect all people who contribute
@@ -32,8 +32,7 @@ Conduct may be permanently removed from the project team.
 This code of conduct applies both within project spaces and in public spaces
 when an individual is representing the project or its community.
 
-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting a CNCF project maintainer, Sarah Novotny <sarahnovotny@google.com>, and/or Dan Kohn <dan@linuxfoundation.org>.
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting a CNCF project maintainer, [Sarah Novotny](mailto:sarahnovotny@google.com), and/or [Dan Kohn](mailto:dan@linuxfoundation.org).
 
-This Code of Conduct is adapted from the Contributor Covenant
-(http://contributor-covenant.org), version 1.2.0, available at
+This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.2.0, available at
 http://contributor-covenant.org/version/1/2/0/

CONTRIBUTING.md

@@ -12,7 +12,7 @@
 ## Code of Conduct
 
 Falco has a
-[Code of Conduct](CODE_OF_CONDUCT)
+[Code of Conduct](CODE_OF_CONDUCT.md)
 to which all contributors must adhere, please read it before interacting with the repository or the community in any way.
 
 ## Issues
@@ -87,7 +87,7 @@ need a kind, make sure to specify the appropriate one by typing `/kind <KIND>`.
 
 The list of labels is [here](https://github.com/falcosecurity/falco/labels).
 
-Also feel free to suggest a reviewer with `/assign @theirname`.
+Also feel free to suggest a reviewer with `/cc @theirname`, or to assign an assignee using `/assign @nickname`.
 
 Once your reviewer is happy, they will say `/lgtm` which will apply the
 `lgtm` label, and will apply the `approved` label if they are an

COPYING

@@ -187,7 +187,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright [yyyy] [name of copyright owner]
+   Copyright 2019 The Falco Authors
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

MAINTAINERS

@@ -1,11 +0,0 @@
-Current maintainers:
-@mstemm - Mark Stemm <mark.stemm@sysdig.com>
-@ldegio - Loris Degioanni <loris@sysdig.com>
-@fntlnz - Lorenzo Fontana <lo@sysdig.com>
-@leodido - Leonardo Di Donato <leo@sysdig.com>
-
-Community Mangement:
-@mfdii - Michael Ducy <michael@sysdig.com>
-
-Emeritus maintainers:
-@henridf - Henri Dubois-Ferriere <henri.dubois-ferriere@sysdig.com>

README.md

@@ -5,7 +5,7 @@
 
 #### Latest release
 
-**v0.17.0**
+**v0.18.0**
 Read the [change log](https://github.com/falcosecurity/falco/blob/dev/CHANGELOG.md)
 
 Dev Branch: [![Build Status](https://travis-ci.com/falcosecurity/falco.svg?branch=dev)](https://travis-ci.com/falcosecurity/falco)<br />

cmake/modules/DownloadCatch.cmake

@@ -1,7 +1,6 @@
 #
-# Copyright (C) 2016-2019 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco .
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not
 # use this file except in compliance with the License. You may obtain a copy of

cmake/modules/DownloadFakeIt.cmake

@@ -1,7 +1,6 @@
 #
-# Copyright (C) 2016-2019 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco .
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not
 # use this file except in compliance with the License. You may obtain a copy of

docker/OWNERS

@@ -0,0 +1,2 @@
+labels:
+  - area/integration

docker/README.md

@@ -0,0 +1,30 @@
+# Falco Dockerfiles
+
+This directory contains the various ways to package Falco as a container. 
+
+## Currently Supported Containers
+
+### `falcosecurity/falco` Dockerfiles
+ - `./dev`: Builds a container image from the `dev` apt repo.
+ - `./stable`: Builds a container image from the `stable` apt repo.
+ - `./local`: Builds a container image from a locally provided Falco `dpkg` package.
+
+### Build & Testing Dockerfiles
+ - `./builder`: `falcosecurity/falco-builder` - The complete build tool chain for compiling Falco from source. See [the documentation](https://falco.org/docs/source/) for more details on building from source.
+ - `./tester`: `falcosecurity/falco-tester` - Container image for running the Falco test suite.
+
+## Alpha Release Containers
+
+These Dockerfiles (and resulting container images) are currently in `alpha`. We'd love for you to test these images and [report any feedback](https://github.com/falcosecurity/falco/issues/new/choose).
+
+### Slim and Minimal Dockerfiles
+The goal of these container images is to reduce the size of the underlying Falco container. 
+ - `./slim-dev`: Like `./dev` above but removes build tools for older kernels.
+ - `./slim-stable`: Like `./stable` above but removes build tools for older kernels.
+ - `./minimal`: A minimal container image (~20mb), containing only the files required to run Falco.
+
+### Init Containers
+These container images allow for the delivery of the kernel module or eBPF probe either via HTTP or via a container image.
+ - `kernel/linuxkit`: Multistage Dockerfile to build a Falco kernel module for Linuxkit (Docker Desktop). Generates an alpine based container image with the kernel module, and `insmod` as the container `CMD`.  
+ - `kernel/probeloader`: Multistage Dockerfile to build a Go based application to download (via HTTPS) and load a Falco kernel module. The resulting container image can be ran as an `initContainer` to load the Falco module before Falco starts.
+

docker/dev/Dockerfile

@@ -1,6 +1,6 @@
 FROM debian:unstable
 
-LABEL maintainer="Sysdig <support@sysdig.com>"
+LABEL maintainer="opensource@sysdig.com"
 
 ENV FALCO_REPOSITORY dev
 

docker/dev/docker-entrypoint.sh

@@ -1,8 +1,7 @@
 #!/bin/bash
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

docker/event-generator/Dockerfile

@@ -1,4 +1,5 @@
 FROM alpine:latest
+LABEL maintainer="opensource@sysdig.com"
 RUN apk add --no-cache bash g++
 COPY ./event_generator.cpp /usr/local/bin
 RUN mkdir -p /var/lib/rpm

docker/event-generator/Makefile

@@ -1,7 +1,6 @@
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco .
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

docker/event-generator/event_generator.cpp

@@ -1,7 +1,5 @@
 /*
-Copyright (C) 2016-2018 Draios Inc dba Sysdig.
-
-This file is part of falco.
+Copyright (C) 2019 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -14,7 +12,6 @@ distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
-
 */
 
 #include <cstdio>
@@ -91,7 +88,6 @@ void open_file(const char *filename, const char *flags)
 	{
 		fprintf(stderr, "Could not open %s for writing: %s\n", filename, strerror(errno));
 	}
-
 }
 
 void exfiltration()
@@ -110,7 +106,7 @@ void exfiltration()
 
 	string line;
 	string shadow_contents;
-	while (getline(shadow, line))
+	while(getline(shadow, line))
 	{
 		shadow_contents += line;
 		shadow_contents += "\n";
@@ -125,13 +121,13 @@ void exfiltration()
 	dest.sin_port = htons(8197);
 	inet_aton("10.5.2.6", &(dest.sin_addr));
 
-	if((rc = connect(sock, (struct sockaddr *) &dest, sizeof(dest))) != 0)
+	if((rc = connect(sock, (struct sockaddr *)&dest, sizeof(dest))) != 0)
 	{
 		fprintf(stderr, "Could not bind listening socket to dest: %s\n", strerror(errno));
 		return;
 	}
 
-	if ((sent = send(sock, shadow_contents.c_str(), shadow_contents.size(), 0)) != shadow_contents.size())
+	if((sent = send(sock, shadow_contents.c_str(), shadow_contents.size(), 0)) != shadow_contents.size())
 	{
 		fprintf(stderr, "Could not send shadow contents via udp datagram: %s\n", strerror(errno));
 		return;
@@ -174,7 +170,7 @@ void spawn(const char *cmd, char **argv, char **env)
 	pid_t child;
 
 	// Fork a process, that way proc.duration is reset
-	if ((child = fork()) == 0)
+	if((child = fork()) == 0)
 	{
 		execve(cmd, argv, env);
 		fprintf(stderr, "Could not exec to spawn %s: %s\n", cmd, strerror(errno));
@@ -188,86 +184,97 @@ void spawn(const char *cmd, char **argv, char **env)
 
 void respawn(const char *cmd, const char *action, const char *interval)
 {
-	char *argv[] = {(char *) cmd,
-			(char *) "--action", (char *) action,
-			(char *) "--interval", (char *) interval,
-			(char *) "--once", NULL};
+	char *argv[] = {(char *)cmd,
+			(char *)"--action", (char *)action,
+			(char *)"--interval", (char *)interval,
+			(char *)"--once", NULL};
 
 	char *env[] = {NULL};
 
 	spawn(cmd, argv, env);
 }
 
-void write_binary_dir() {
+void write_binary_dir()
+{
 	printf("Writing to /bin/created-by-event-generator-sh...\n");
 	touch("/bin/created-by-event-generator-sh");
 }
 
-void write_etc() {
+void write_etc()
+{
 	printf("Writing to /etc/created-by-event-generator-sh...\n");
 	touch("/etc/created-by-event-generator-sh");
 }
 
-void read_sensitive_file() {
+void read_sensitive_file()
+{
 	printf("Reading /etc/shadow...\n");
 	read("/etc/shadow");
 }
 
-void read_sensitive_file_after_startup() {
+void read_sensitive_file_after_startup()
+{
 	printf("Becoming the program \"httpd\", sleeping 6 seconds and reading /etc/shadow...\n");
 	respawn("./httpd", "read_sensitive_file", "6");
 }
 
-void write_rpm_database() {
+void write_rpm_database()
+{
 	printf("Writing to /var/lib/rpm/created-by-event-generator-sh...\n");
 	touch("/var/lib/rpm/created-by-event-generator-sh");
 }
 
-void spawn_shell() {
+void spawn_shell()
+{
 	printf("Spawning a shell to run \"ls > /dev/null\" using system()...\n");
 	int rc;
 
-	if ((rc = system("ls > /dev/null")) != 0)
+	if((rc = system("ls > /dev/null")) != 0)
 	{
 		fprintf(stderr, "Could not run ls > /dev/null in a shell: %s\n", strerror(errno));
 	}
 }
 
-void spawn_shell_under_httpd() {
+void spawn_shell_under_httpd()
+{
 	printf("Becoming the program \"httpd\" and then spawning a shell\n");
 	respawn("./httpd", "spawn_shell", "0");
 }
 
-void db_program_spawn_process() {
+void db_program_spawn_process()
+{
 	printf("Becoming the program \"mysql\" and then running ls\n");
 	respawn("./mysqld", "exec_ls", "0");
 }
 
-void modify_binary_dirs() {
+void modify_binary_dirs()
+{
 	printf("Moving /bin/true to /bin/true.event-generator-sh and back...\n");
 
-	if (rename("/bin/true", "/bin/true.event-generator-sh") != 0)
+	if(rename("/bin/true", "/bin/true.event-generator-sh") != 0)
 	{
 		fprintf(stderr, "Could not rename \"/bin/true\" to \"/bin/true.event-generator-sh\": %s\n", strerror(errno));
 	}
 	else
 	{
-		if (rename("/bin/true.event-generator-sh", "/bin/true") != 0)
+		if(rename("/bin/true.event-generator-sh", "/bin/true") != 0)
 		{
 			fprintf(stderr, "Could not rename \"/bin/true.event-generator-sh\" to \"/bin/true\": %s\n", strerror(errno));
 		}
 	}
 }
 
-void mkdir_binary_dirs() {
+void mkdir_binary_dirs()
+{
 	printf("Creating directory /bin/directory-created-by-event-generator-sh...\n");
-	if (mkdir("/bin/directory-created-by-event-generator-sh", 0644) != 0)
+	if(mkdir("/bin/directory-created-by-event-generator-sh", 0644) != 0)
 	{
 		fprintf(stderr, "Could not create directory \"/bin/directory-created-by-event-generator-sh\": %s\n", strerror(errno));
 	}
 }
 
-void change_thread_namespace() {
+void change_thread_namespace()
+{
 	printf("Calling setns() to change namespaces...\n");
 	printf("NOTE: does not result in a falco notification in containers, unless container run with --privileged or --security-opt seccomp=unconfined\n");
 	// It doesn't matter that the arguments to setns are
@@ -276,12 +283,13 @@ void change_thread_namespace() {
 	setns(0, 0);
 }
 
-void system_user_interactive() {
+void system_user_interactive()
+{
 	pid_t child;
 
 	printf("Forking a child that becomes user=daemon and then tries to run /bin/login...\n");
 	// Fork a child and do everything in the child.
-	if ((child = fork()) == 0)
+	if((child = fork()) == 0)
 	{
 		become_user("daemon");
 		char *argv[] = {(char *)"/bin/login", NULL};
@@ -296,7 +304,8 @@ void system_user_interactive() {
 	}
 }
 
-void network_activity() {
+void network_activity()
+{
 	printf("Connecting a udp socket to 10.2.3.4:8192...\n");
 	int rc;
 	int sock = socket(PF_INET, SOCK_DGRAM, 0);
@@ -306,7 +315,7 @@ void network_activity() {
 	localhost.sin_port = htons(8192);
 	inet_aton("10.2.3.4", &(localhost.sin_addr));
 
-	if((rc = connect(sock, (struct sockaddr *) &localhost, sizeof(localhost))) != 0)
+	if((rc = connect(sock, (struct sockaddr *)&localhost, sizeof(localhost))) != 0)
 	{
 		fprintf(stderr, "Could not bind listening socket to localhost: %s\n", strerror(errno));
 		return;
@@ -315,18 +324,20 @@ void network_activity() {
 	close(sock);
 }
 
-void system_procs_network_activity() {
+void system_procs_network_activity()
+{
 	printf("Becoming the program \"sha1sum\" and then performing network activity\n");
 	respawn("./sha1sum", "network_activity", "0");
 }
 
-void non_sudo_setuid() {
+void non_sudo_setuid()
+{
 	pid_t child;
 
 	printf("Forking a child that becomes \"daemon\" user and then \"root\"...\n");
 
 	// Fork a child and do everything in the child.
-	if ((child = fork()) == 0)
+	if((child = fork()) == 0)
 	{
 		// First setuid to something non-root. Then try to setuid back to root.
 		become_user("daemon");
@@ -340,7 +351,8 @@ void non_sudo_setuid() {
 	}
 }
 
-void create_files_below_dev() {
+void create_files_below_dev()
+{
 	printf("Creating /dev/created-by-event-generator-sh...\n");
 	touch("/dev/created-by-event-generator-sh");
 }
@@ -352,7 +364,8 @@ void exec_ls()
 	spawn("/bin/ls", argv, env);
 }
 
-void user_mgmt_binaries() {
+void user_mgmt_binaries()
+{
 	printf("Becoming the program \"vipw\" and then running the program /bin/ls\n");
 	printf("NOTE: does not result in a falco notification in containers\n");
 	respawn("./vipw", "exec_ls", "0");
@@ -393,11 +406,11 @@ void create_symlinks(const char *program)
 	// sets up all the required symlinks.
 	const char *progs[] = {"./httpd", "./mysqld", "./sha1sum", "./vipw", NULL};
 
-	for (unsigned int i=0; progs[i] != NULL; i++)
+	for(unsigned int i = 0; progs[i] != NULL; i++)
 	{
 		unlink(progs[i]);
 
-		if ((rc = symlink(program, progs[i])) != 0)
+		if((rc = symlink(program, progs[i])) != 0)
 		{
 			fprintf(stderr, "Could not link \"./event_generator\" to \"%s\": %s\n", progs[i], strerror(errno));
 		}
@@ -406,9 +419,9 @@ void create_symlinks(const char *program)
 
 void run_actions(map<string, action_t> &actions, int interval, bool once)
 {
-	while (true)
+	while(true)
 	{
-		for (auto action : actions)
+		for(auto action : actions)
 		{
 			printf("***Action %s\n", action.first.c_str());
 			action.second();
@@ -431,14 +444,13 @@ int main(int argc, char **argv)
 	map<string, action_t>::iterator it;
 
 	static struct option long_options[] =
-	{
-		{"help", no_argument, 0, 'h' },
-		{"action", required_argument, 0, 'a' },
-		{"interval", required_argument, 0, 'i' },
-		{"once", no_argument, 0, 'o' },
+		{
+			{"help", no_argument, 0, 'h'},
+			{"action", required_argument, 0, 'a'},
+			{"interval", required_argument, 0, 'i'},
+			{"once", no_argument, 0, 'o'},
 
-		{0, 0}
-	};
+			{0, 0}};
 
 	//
 	// Parse the args
@@ -454,7 +466,7 @@ int main(int argc, char **argv)
 			exit(1);
 		case 'a':
 			// "all" is already implied
-			if (strcmp(optarg, "all") != 0)
+			if(strcmp(optarg, "all") != 0)
 			{
 				if((it = defined_actions.find(optarg)) == defined_actions.end())
 				{
@@ -477,8 +489,8 @@ int main(int argc, char **argv)
 	}
 
 	//
-        // Also look for actions in the environment. If specified, they
-        // override any specified on the command line.
+	// Also look for actions in the environment. If specified, they
+	// override any specified on the command line.
 	//
 	char *env_action = getenv("EVENT_GENERATOR_ACTIONS");
 
@@ -489,7 +501,7 @@ int main(int argc, char **argv)
 		string envs(env_action);
 		istringstream ss(envs);
 		string item;
-		while (std::getline(ss, item, ':'))
+		while(std::getline(ss, item, ':'))
 		{
 			if((it = defined_actions.find(item)) == defined_actions.end())
 			{
@@ -514,7 +526,7 @@ int main(int argc, char **argv)
 	setvbuf(stdout, NULL, _IONBF, 0);
 	setvbuf(stderr, NULL, _IONBF, 0);
 	// Only create symlinks when running as the program event_generator
-	if (strstr(argv[0], "generator"))
+	if(strstr(argv[0], "generator"))
 	{
 		create_symlinks(argv[0]);
 	}

docker/kernel/linuxkit/Dockerfile

@@ -0,0 +1,38 @@
+ARG ALPINE_VERSION=3.10
+ARG KERNEL_VERSION=4.9.184
+ARG FALCO_VERSION=0.18.0
+
+FROM linuxkit/kernel:${KERNEL_VERSION} AS ksrc
+FROM falcosecurity/falco-minimal:${FALCO_VERSION} as falco
+FROM alpine:${ALPINE_VERSION} AS probe-build
+LABEL maintainer="opensource@sysdig.com"
+ARG KERNEL_VERSION=4.9.184
+ARG FALCO_VERSION=0.18.0
+ENV FALCO_VERSION=${FALCO_VERSION}
+ENV KERNEL_VERSION=${KERNEL_VERSION}
+
+COPY --from=ksrc /kernel-dev.tar /
+COPY --from=falco /usr/src/falco-${FALCO_VERSION} /usr/src/falco-${FALCO_VERSION}
+
+RUN apk add --no-cache --update \
+  build-base gcc abuild binutils \
+  bc \
+  autoconf && \
+  export KERNELVER=`uname -r  | cut -d '-' -f 1`  && \
+  export KERNELDIR=/usr/src/linux-headers-${KERNEL_VERSION}-linuxkit/ && \
+  tar xf /kernel-dev.tar && \
+  cd $KERNELDIR && \
+  zcat /proc/1/root/proc/config.gz > .config && \
+  make olddefconfig && \
+  cd /usr/src/falco-${FALCO_VERSION} && \
+  make && \
+  apk del \
+  build-base gcc abuild binutils \
+  bc \
+  autoconf
+
+FROM alpine:${ALPINE_VERSION}
+ARG FALCO_VERSION=0.18.0
+ENV FALCO_VERSION=${FALCO_VERSION}
+COPY --from=probe-build /usr/src/falco-${FALCO_VERSION}/falco-probe.ko /
+CMD ["insmod","/falco-probe.ko"] 

docker/kernel/probeloader/Dockerfile

@@ -0,0 +1,18 @@
+FROM golang:1.13-alpine AS build
+ARG FALCOCTL_REF=2be3df92edbac668284fe5c165ccb5bd6bf4e869
+
+RUN apk --no-cache add build-base git gcc ca-certificates
+
+RUN git clone https://github.com/falcosecurity/falcoctl.git /falcoctl
+
+WORKDIR /falcoctl
+
+RUN git checkout ${FALCOCTL_REF}
+RUN go mod vendor
+RUN CGO_ENABLED=0 GOOS=linux go build -a -o falcoctl -ldflags '-extldflags "-static"' .
+
+FROM scratch
+LABEL maintainer="opensource@sysdig.com"
+COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+COPY --from=build /falcoctl/falcoctl /falcoctl
+CMD ["/falcoctl", "install", "probe"]

docker/local/docker-entrypoint.sh

@@ -1,8 +1,7 @@
 #!/bin/bash
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

docker/minimal/Dockerfile

@@ -0,0 +1,50 @@
+FROM ubuntu:18.04 as ubuntu
+
+LABEL maintainer="opensource@sysdig.com"
+
+ARG FALCO_VERSION=0.18.0
+
+ENV FALCO_VERSION=${FALCO_VERSION}
+
+WORKDIR /
+
+ADD https://s3.amazonaws.com/download.draios.com/stable/tgz/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz /
+
+# ADD will download from URL and unntar
+RUN apt-get update && \
+    apt-get install -y  binutils && \
+    # curl -O https://s3.amazonaws.com/download.draios.com/stable/tgz/x86_64/falco-${FALCO_VERSION}-x86_64.tar.gz && \
+    tar xfzv falco-${FALCO_VERSION}-x86_64.tar.gz && \
+    rm -f falco-${FALCO_VERSION}-x86_64.tar.gz && \
+    mv falco-${FALCO_VERSION}-x86_64 falco && \
+    strip falco/usr/bin/falco && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+FROM scratch
+
+COPY --from=ubuntu /lib/x86_64-linux-gnu/libanl.so.1 \
+    /lib/x86_64-linux-gnu/libc.so.6 /lib/x86_64-linux-gnu/libdl.so.2 \
+    /lib/x86_64-linux-gnu/libgcc_s.so.1 /lib/x86_64-linux-gnu/libm.so.6 \
+    /lib/x86_64-linux-gnu/libnsl.so.1 /lib/x86_64-linux-gnu/libnss_compat.so.2 \
+    /lib/x86_64-linux-gnu/libnss_files.so.2 /lib/x86_64-linux-gnu/libnss_nis.so.2 \
+    /lib/x86_64-linux-gnu/libpthread.so.0 /lib/x86_64-linux-gnu/librt.so.1 \
+    /lib/x86_64-linux-gnu/libz.so.1 \
+    /lib/x86_64-linux-gnu/ 
+
+COPY --from=ubuntu /usr/lib/x86_64-linux-gnu/libstdc++.so.6 \
+    /usr/lib/x86_64-linux-gnu/libstdc++.so.6
+
+COPY --from=ubuntu /etc/ld.so.cache \
+    /etc/nsswitch.conf \
+    /etc/ld.so.cache \
+    /etc/passwd \
+    /etc/group \
+    /etc/
+
+COPY --from=ubuntu /etc/default/nss /etc/default/nss
+COPY --from=ubuntu /lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2
+
+COPY --from=ubuntu /falco /
+
+CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/rhel/docker-entrypoint.sh

@@ -1,8 +1,7 @@
 #!/bin/bash
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

docker/slim-dev/Dockerfile

@@ -0,0 +1,50 @@
+FROM ubuntu:18.04
+
+LABEL maintainer="opensource@sysdig.com"
+
+ENV FALCO_REPOSITORY dev
+
+LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+
+ENV SYSDIG_HOST_ROOT /host
+
+ENV HOME /root
+
+RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
+
+ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
+
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends \
+# 	bash-completion \
+# 	bc \
+ 	ca-certificates \
+ 	curl \
+ 	gnupg2 \
+ 	jq \
+# 	netcat \
+# 	xz-utils \
+  && rm -rf /var/lib/apt/lists/*
+
+RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
+  && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
+  && apt-get update \
+  && apt-get install -y --no-install-recommends falco \
+  && apt-get clean \
+  && rm -rf /var/lib/apt/lists/*
+
+# Change the falco config within the container to enable ISO 8601
+# output.
+RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
+ && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
+
+# Some base images have an empty /lib/modules by default
+# If it's not empty, docker build will fail instead of
+# silently overwriting the existing directory
+RUN rm -df /lib/modules \
+ && ln -s $SYSDIG_HOST_ROOT/lib/modules /lib/modules
+
+#COPY ./entrypoint.sh /
+# ENTRYPOINT ["/entrypoint.sh"]
+
+CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/slim-stable/Dockerfile

@@ -0,0 +1,50 @@
+FROM ubuntu:18.04
+
+LABEL maintainer="opensource@sysdig.com"
+
+ENV FALCO_REPOSITORY stable
+
+LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+
+ENV SYSDIG_HOST_ROOT /host
+
+ENV HOME /root
+
+RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
+
+ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
+
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends \
+# 	bash-completion \
+# 	bc \
+ 	ca-certificates \
+ 	curl \
+ 	gnupg2 \
+ 	jq \
+# 	netcat \
+# 	xz-utils \
+  && rm -rf /var/lib/apt/lists/*
+
+RUN curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add - \
+  && curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/$FALCO_REPOSITORY/deb/draios.list \
+  && apt-get update \
+  && apt-get install -y --no-install-recommends falco \
+  && apt-get clean \
+  && rm -rf /var/lib/apt/lists/*
+
+# Change the falco config within the container to enable ISO 8601
+# output.
+RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
+ && mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
+
+# Some base images have an empty /lib/modules by default
+# If it's not empty, docker build will fail instead of
+# silently overwriting the existing directory
+RUN rm -df /lib/modules \
+ && ln -s $SYSDIG_HOST_ROOT/lib/modules /lib/modules
+
+#COPY ./entrypoint.sh /
+# ENTRYPOINT ["/entrypoint.sh"]
+
+CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]

docker/stable/Dockerfile

@@ -1,6 +1,6 @@
 FROM debian:unstable
 
-LABEL maintainer="Sysdig <support@sysdig.com>"
+LABEL maintainer="opensource@sysdig.com"
 
 ENV FALCO_REPOSITORY stable
 
@@ -27,6 +27,7 @@ RUN apt-get update \
 	jq \
 	libc6-dev \
 	libelf-dev \
+	libmpx2 \
 	llvm-7 \
 	netcat \
 	xz-utils \

docker/stable/docker-entrypoint.sh

@@ -1,8 +1,7 @@
 #!/bin/bash
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

examples/OWNERS

@@ -0,0 +1,2 @@
+labels:
+  - area/examples

examples/mitm-sh-installer/web_root/install-software.sh

@@ -1,8 +1,7 @@
 #!/bin/bash
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

falco.yaml

@@ -1,7 +1,6 @@
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco .
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -166,4 +165,23 @@ program_output:
 
 http_output:
   enabled: false
-  url: http://some.url
+  url: http://some.url
+
+# gRPC server configuration.
+# The gRPC server is secure by default (mutual TLS) so you need to generate certificates and update their paths here.
+# By default the gRPC server is off.
+# You can configure the address to bind and expose it.
+# By modifying the threadiness configuration you can fine-tune the number of threads (and context) it will use.
+grpc:
+  enabled: false
+  bind_address: "0.0.0.0:5060"
+  threadiness: 8
+  private_key: "/etc/falco/certs/server.key"
+  cert_chain: "/etc/falco/certs/server.crt"
+  root_certs: "/etc/falco/certs/ca.crt"
+
+# gRPC output service.
+# By default it is off.
+# By enabling this all the output events will be kept in memory until you read them with a gRPC client.
+grpc_output:
+  enabled: false

integrations/OWNERS

@@ -0,0 +1,2 @@
+labels:
+  - area/integration

integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap-slim.yaml

@@ -0,0 +1,96 @@
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+  name: falco-daemonset
+  labels:
+    app: falco-example
+    role: security
+spec:
+  template:
+    metadata:
+      labels:
+        app: falco-example
+        role: security
+    spec:
+      serviceAccount: falco-account
+      initContainers:
+        - name: probeloader
+          image: falcosecurity/probeloader:latest
+          securityContext:
+            privileged: true
+          #env:
+          #  - name: FALCOCTL_FALCO_VERSION
+          #    value: 0.18.0
+          #  - name: FALCOCTL_FALCO_PROBE_URL
+          #    value:
+          #  - name: FALCOCTL_FALCO_PROBE_REPO
+          #    value: "https://s3.amazonaws.com/download.draios.com/stable/sysdig-probe-binaries/"
+          volumeMounts:
+            - mountPath: /host/boot
+              name: boot-fs
+              readOnly: true
+      containers:
+        - name: falco
+          image: falcosecurity/falco:0.18.0-slim
+          securityContext:
+            privileged: true
+# Uncomment the 3 lines below to enable eBPF support for Falco.
+# This allows Falco to run on Google COS.
+# Leave blank for the default probe location, or set to the path
+# of a precompiled probe.
+#          env:
+#          - name: SYSDIG_BPF_PROBE
+#            value: ""
+          args: [ "/usr/bin/falco", "--cri", "/host/run/containerd/containerd.sock", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://$(KUBERNETES_SERVICE_HOST)", "-pk"]
+          volumeMounts:
+            - mountPath: /host/var/run/docker.sock
+              name: docker-socket
+            - mountPath: /host/run/containerd/containerd.sock
+              name: containerd-socket
+            - mountPath: /host/dev
+              name: dev-fs
+            - mountPath: /host/proc
+              name: proc-fs
+              readOnly: true
+            - mountPath: /host/boot
+              name: boot-fs
+              readOnly: true
+            - mountPath: /host/lib/modules
+              name: lib-modules
+              readOnly: true
+            - mountPath: /host/usr
+              name: usr-fs
+              readOnly: true
+            - mountPath: /host/etc/
+              name: etc-fs
+              readOnly: true
+            - mountPath: /etc/falco
+              name: falco-config
+      volumes:
+        - name: docker-socket
+          hostPath:
+            path: /var/run/docker.sock
+        - name: containerd-socket
+          hostPath:
+            path: /run/containerd/containerd.sock
+        - name: dev-fs
+          hostPath:
+            path: /dev
+        - name: proc-fs
+          hostPath:
+            path: /proc
+        - name: boot-fs
+          hostPath:
+            path: /boot
+        - name: lib-modules
+          hostPath:
+            path: /lib/modules
+        - name: usr-fs
+          hostPath:
+            path: /usr
+        - name: etc-fs
+          hostPath:
+            path: /etc
+        - name: falco-config
+          configMap:
+            name: falco-config

integrations/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml

@@ -33,6 +33,7 @@ spec:
               name: containerd-socket
             - mountPath: /host/dev
               name: dev-fs
+              readOnly: true
             - mountPath: /host/proc
               name: proc-fs
               readOnly: true

integrations/k8s-using-daemonset/k8s-without-rbac/falco-daemonset.yaml

@@ -26,6 +26,7 @@ spec:
               name: containerd-socket
             - mountPath: /host/dev
               name: dev-fs
+              readOnly: true
             - mountPath: /host/proc
               name: proc-fs
               readOnly: true

integrations/k8s-using-deployment/README.md

@@ -0,0 +1,62 @@
+# Example Kubernetes Deployments for Falco
+
+This directory gives you the required YAML files to stand up Falco on Kubernetes only for audit purpose as a Deployment.
+
+To deploy Falco on Kubernetes for audit:
+- `k8s-with-rbac` - This directory provides a definition to deploy a Deployment on Kubernetes with RBAC enabled.
+
+Also provided:
+- `falco-event-generator-deployment.yaml` - A Kubernetes Deployment to generate sample events. This is useful for testing, but note it will generate a large number of events.
+
+## Deploying to Kubernetes with RBAC enabled
+
+Since v1.8 RBAC has been available in Kubernetes, and running with RBAC enabled is considered the best practice. The `k8s-with-rbac` directory provides the YAML to create a Service Account for Falco, as well as the ClusterRoles and bindings to grant the appropriate permissions to the Service Account.
+
+```
+k8s-using-deployment$ kubectl create -f k8s-with-rbac/falco-k8s-audit-account.yaml
+serviceaccount "falco-account" created
+clusterrole "falco-cluster-role" created
+clusterrolebinding "falco-cluster-role-binding" created
+k8s-using-deployment$
+```
+
+We also create a service that allows other services to reach the embedded webserver in falco, which listens on https port 8765:
+
+```
+k8s-using-deployment$ kubectl create -f k8s-with-rbac/falco-k8s-audit-service.yaml
+service/falco-service created
+k8s-using-deployment$
+```
+
+The Deployment also relies on a Kubernetes ConfigMap to store the Falco configuration and make the configuration available to the Falco Pods. This allows you to manage custom configuration without rebuilding and redeploying the underlying Pods. In order to create the ConfigMap you'll first need to copy the required configuration from their location in this GitHub repo to the `k8s-with-rbac/falco-config/` directory (please note that you will need to create the /falco-config directory). Any modification of the configuration should be performed on these copies rather than the original files.
+
+```
+k8s-using-deployment$ mkdir -p k8s-with-rbac/falco-config
+k8s-using-deployment$ cp ./falco.yaml k8s-with-rbac/falco-config/
+k8s-using-deployment$ cp ../../rules/k8s_audit_rules.yaml k8s-with-rbac/falco-config/
+```
+
+If you want to send Falco alerts to a Slack channel, you'll want to modify the `falco.yaml` file to point to your Slack webhook. For more information on getting a webhook URL for your Slack team, refer to the [Slack documentation](https://api.slack.com/incoming-webhooks). Add the below to the bottom of the `falco.yaml` config file you just copied to enable Slack messages.
+
+```
+program_output:
+  enabled: true
+  keep_alive: false
+  program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/see_your_slack_team/apps_settings_for/a_webhook_url"
+```
+
+You will also need to enable JSON output. Find the `json_output: false` setting in the `falco.yaml` file and change it to read `json_output: true`. Any custom rules for your environment can be added to into the `falco_rules.local.yaml` file and they will be picked up by Falco at start time. You can now create the ConfigMap in Kubernetes.
+
+```
+k8s-using-deployment$ kubectl create configmap falco-config --from-file=k8s-with-rbac/falco-config
+configmap "falco-config" created
+k8s-using-deployment$
+```
+
+Now that we have the requirements for our Deployment in place, we can create our Deployment.
+
+```
+k8s-using-deployment$ kubectl create -f k8s-with-rbac/falco-k8s-audit-deployment.yaml
+daemonset "falco" created
+k8s-using-deployment$
+```

integrations/k8s-using-deployment/falco-event-generator-deployment.yaml

@@ -0,0 +1,17 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: falco-event-generator-deployment
+  labels:
+    name: falco-event-generator-deployment
+    app: demo
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: falco-event-generator
+    spec:
+      containers:
+      - name: falco-event-generator
+        image: sysdig/falco-event-generator:latest

integrations/k8s-using-deployment/falco.yaml

@@ -0,0 +1,167 @@
+#
+# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+#
+# This file is part of falco .
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# File(s) or Directories containing Falco rules, loaded at startup.
+# The name "rules_file" is only for backwards compatibility.
+# If the entry is a file, it will be read directly. If the entry is a directory,
+# every file in that directory will be read, in alphabetical order.
+#
+# falco_rules.yaml ships with the falco package and is overridden with
+# every new software version. falco_rules.local.yaml is only created
+# if it doesn't exist. If you want to customize the set of rules, add
+# your customizations to falco_rules.local.yaml.
+#
+# The files will be read in the order presented here, so make sure if
+# you have overrides they appear in later files.
+rules_file:
+ - /etc/falco/k8s_audit_rules.yaml
+
+# If true, the times displayed in log messages and output messages
+# will be in ISO 8601. By default, times are displayed in the local
+# time zone, as governed by /etc/localtime.
+time_format_iso_8601: false
+
+# Whether to output events in json or text
+json_output: true
+
+
+# When using json output, whether or not to include the "output" property
+# itself (e.g. "File below a known binary directory opened for writing
+# (user=root ....") in the json output.
+json_include_output_property: true
+
+# Send information logs to stderr and/or syslog Note these are *not* security
+# notification logs! These are just Falco lifecycle (and possibly error) logs.
+log_stderr: true
+log_syslog: true
+
+# Minimum log level to include in logs. Note: these levels are
+# separate from the priority field of rules. This refers only to the
+# log level of falco's internal logging. Can be one of "emergency",
+# "alert", "critical", "error", "warning", "notice", "info", "debug".
+log_level: info
+
+# Minimum rule priority level to load and run. All rules having a
+# priority more severe than this level will be loaded/run.  Can be one
+# of "emergency", "alert", "critical", "error", "warning", "notice",
+# "info", "debug".
+priority: debug
+
+# Whether or not output to any of the output channels below is
+# buffered. Defaults to false
+buffered_outputs: false
+
+# Falco uses a shared buffer between the kernel and userspace to pass
+# system call information. When falco detects that this buffer is
+# full and system calls have been dropped, it can take one or more of
+# the following actions:
+#   - "ignore": do nothing. If an empty list is provided, ignore is assumed.
+#   - "log": log a CRITICAL message noting that the buffer was full.
+#   - "alert": emit a falco alert noting that the buffer was full.
+#   - "exit": exit falco with a non-zero rc.
+#
+# The rate at which log/alert messages are emitted is governed by a
+# token bucket. The rate corresponds to one message every 30 seconds
+# with a burst of 10 messages.
+
+syscall_event_drops:
+  actions:
+    - log
+    - alert
+  rate: .03333
+  max_burst: 10
+
+# A throttling mechanism implemented as a token bucket limits the
+# rate of falco notifications. This throttling is controlled by the following configuration
+# options:
+#  - rate: the number of tokens (i.e. right to send a notification)
+#    gained per second. Defaults to 1.
+#  - max_burst: the maximum number of tokens outstanding. Defaults to 1000.
+#
+# With these defaults, falco could send up to 1000 notifications after
+# an initial quiet period, and then up to 1 notification per second
+# afterward. It would gain the full burst back after 1000 seconds of
+# no activity.
+
+outputs:
+  rate: 1
+  max_burst: 1000
+
+# Where security notifications should go.
+# Multiple outputs can be enabled.
+
+syslog_output:
+  enabled: true
+
+# If keep_alive is set to true, the file will be opened once and
+# continuously written to, with each output message on its own
+# line. If keep_alive is set to false, the file will be re-opened
+# for each output message.
+#
+# Also, the file will be closed and reopened if falco is signaled with
+# SIGUSR1.
+
+file_output:
+  enabled: false
+  keep_alive: false
+  filename: ./events.txt
+
+stdout_output:
+  enabled: true
+
+# Falco contains an embedded webserver that can be used to accept K8s
+# Audit Events. These config options control the behavior of that
+# webserver. (By default, the webserver is disabled).
+#
+# The ssl_certificate is a combination SSL Certificate and corresponding
+# key contained in a single file. You can generate a key/cert as follows:
+#
+# $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
+# $ cat certificate.pem key.pem > falco.pem
+# $ sudo cp falco.pem /etc/falco/falco.pem
+
+webserver:
+  enabled: true
+  listen_port: 8765
+  k8s_audit_endpoint: /k8s_audit
+  ssl_enabled: false
+  ssl_certificate: /etc/falco/falco.pem
+
+# Possible additional things you might want to do with program output:
+#   - send to a slack webhook:
+#         program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
+#   - logging (alternate method than syslog):
+#         program: logger -t falco-test
+#   - send over a network connection:
+#         program: nc host.example.com 80
+
+# If keep_alive is set to true, the program will be started once and
+# continuously written to, with each output message on its own
+# line. If keep_alive is set to false, the program will be re-spawned
+# for each output message.
+#
+# Also, the program will be closed and reopened if falco is signaled with
+# SIGUSR1.
+program_output:
+  enabled: false
+  keep_alive: false
+  program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
+
+http_output:
+  enabled: false
+  url: http://some.url

integrations/k8s-using-deployment/k8s-with-rbac/falco-k8s-audit-account.yaml

@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: falco-account
+  labels:
+    app: falco-k8s-audit
+    role: security
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: falco-cluster-role
+  labels:
+    app: falco-k8s-audit
+    role: security
+rules:
+  - apiGroups: ["extensions",""]
+    resources: ["nodes","namespaces","pods","replicationcontrollers","replicasets","services","daemonsets","deployments","events","configmaps"]
+    verbs: ["get","list","watch"]
+  - nonResourceURLs: ["/healthz", "/healthz/*"]
+    verbs: ["get"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: falco-cluster-role-binding
+  namespace: default
+  labels:
+    app: falco-k8s-audit
+    role: security
+subjects:
+  - kind: ServiceAccount
+    name: falco-account
+    namespace: default
+roleRef:
+  kind: ClusterRole
+  name: falco-cluster-role
+  apiGroup: rbac.authorization.k8s.io

integrations/k8s-using-deployment/k8s-with-rbac/falco-k8s-audit-deployment.yaml

@@ -0,0 +1,32 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: falco-k8s-audit
+  labels:
+    app: falco-k8s-audit
+    role: security
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: falco-k8s-audit
+  template:
+    metadata:
+      labels:
+        app: falco-k8s-audit
+        role: security
+    spec:
+      serviceAccount: falco-account
+      containers:
+        - name: falco
+          image: falcosecurity/falco:latest
+          securityContext:
+            privileged: true
+          args: [ "/usr/bin/falco", "--disable-source", "syscall", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://$(KUBERNETES_SERVICE_HOST)", "-pk"]
+          volumeMounts:
+            - mountPath: /etc/falco
+              name: falco-config
+      volumes:
+        - name: falco-config
+          configMap:
+            name: falco-config

integrations/k8s-using-deployment/k8s-with-rbac/falco-k8s-audit-service.yaml

@@ -0,0 +1,13 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: falco-k8s-audit
+  labels:
+    app: falco-k8s-audit
+    role: security
+spec:
+  selector:
+    app: falco-k8s-audit
+  ports:
+  - protocol: TCP
+    port: 8765

integrations/puppet-module/sysdig-falco/templates/falco.yaml.erb

@@ -3,9 +3,8 @@
 ####
 
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco .
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

proposals/20190826-grpc-outputs.md

@@ -0,0 +1,113 @@
+# gRPC Falco Output
+
+<!-- toc -->
+
+- [Summary](#summary)
+- [Motivation](#motivation)
+  * [Goals](#goals)
+  * [Non-Goals](#non-goals)
+- [Proposal](#proposal)
+  * [Use cases](#use-cases)
+  * [Diagrams](#diagrams)
+  * [Design Details](#design-details)
+
+<!-- tocstop -->
+
+## Summary
+
+We intend to build a simple gRPC server and SDKs - eg., [falco#785](https://github.com/falcosecurity/falco/issues/785) - to allow users receive and consume the alerts regarding the violated rules.
+
+## Motivation
+
+The most valuable information that Falco can give to its users are the alerts.
+
+An alert is an "output" when it goes over a transport, and it is emitted by Falco every time a rule is matched.
+
+At the current moment, however, Falco can deliver alerts in a very basic way, for example by dumping them to standard output.
+
+For this reason, many Falco users asked, with issues - eg., [falco#528](https://github.com/falcosecurity/falco/issues/528) - or in the [slack channel](https://sysdig.slack.com) if we can find a more consumable way to implement Falco outputs in an extensible way.
+
+The motivation behind this proposal is to design a new output implementation that can meet our user's needs.
+
+### Goals
+
+- To decouple the outputs from the Falco code base
+- To design and implement an additional output mode by mean of a gRPC **streaming** server
+- To keep it as simple as possible
+- To have a simple contract interface
+- To only have the responsibility to route Falco output requests and responses
+- To continue supporting the old output formats by implementing their same interface
+- To be secure by default (**mutual TLS** authentication)
+- To be **asynchronous** and **non-blocking**
+- To implement a Go SDK
+
+### Non-Goals
+
+- To substitute existing outputs (stdout, syslog, etc.)
+- To support different queing systems than the default (round-robin) one
+- To support queuing mechanisms for message retransmission
+  - Users can have a local gRPC relay server along with Falco that multiplexes connections and handles retires and backoff
+- To change the output format
+- To make the message context (text, fields, etc.) and format configurable
+  - Users can already override rules changing their output messages
+- To act as an orchestrator for Falco instances
+
+## Proposal
+
+### Use cases
+
+- Receive Falco events with a well-defined contract over wire
+- Integrate Falco events with existing alerting/paging mechanisms
+- Integrate Falco events with existing monitoring infrastructures/tools
+- Falco outputs SDKs for different languages
+
+### Diagrams
+
+The following sequence diagram illustrates the flow happening for a single rule being matched and the consequent alert through the gRPC output client.
+
+![Single alert sequence diagram](20190826-grpc-output-single-alert-sequence.png)
+
+### Design Details
+
+Here is the proto3 contracts definitions for the client and the server SDK.
+
+```proto3
+syntax = "proto3";
+
+import "google/protobuf/timestamp.proto";
+import "schema.proto";
+
+package falco.output;
+
+option go_package = "github.com/falcosecurity/client-go/pkg/api/output";
+
+// The `subscribe` service defines the RPC call
+// to perform an output `request` which will lead to obtain an output `response`.
+service service {
+  rpc subscribe(request) returns (stream response);
+}
+
+// The `request` message is the logical representation of the request model.
+// It is the input of the `subscribe` service.
+// It is used to configure the kind of subscription to the gRPC streaming server.
+message request {
+  bool keepalive = 1;
+  // string duration = 2; // TODO(leodido, fntlnz): not handled yet but keeping for reference.
+  // repeated string tags = 3; // TODO(leodido, fntlnz): not handled yet but keeping for reference.
+}
+
+// The `response` message is the logical representation of the output model.
+// It contains all the elements that Falco emits in an output along with the
+// definitions for priorities and source.
+message response {
+  google.protobuf.Timestamp time = 1;
+  falco.schema.priority priority = 2;
+  falco.schema.source source = 3;
+  string rule = 4;
+  string output = 5;
+  map<string, string> output_fields = 6;
+  // repeated string tags = 7; // TODO(leodido,fntlnz): tags not supported yet, keeping for reference
+}
+```
+
+---

proposals/20190909-psp-rules-support.md

@@ -0,0 +1,56 @@
+# Support for K8s Pod Security Policies (PSPs) in Falco
+
+<!-- toc -->
+
+- [Summary](#summary)
+- [Motivation](#motivation)
+  * [Goals](#goals)
+  * [Non-Goals](#non-goals)
+- [Proposal](#proposal)
+  * [Use cases](#use-cases)
+  * [Diagrams](#diagrams)
+  * [Design Details](#design-details)
+
+<!-- tocstop -->
+
+## Summary
+
+We want to make it easier for K8s Cluster Operators to Author Pod Security Policies by providing a way to read a PSP, convert it to a set of Falco rules, and then run Falco with those rules.
+
+## Motivation
+
+PSPs provide a rich powerful framework to restrict the behavior of pods and apply consistent security policies across a cluster, but it’s difficult to know the gap between what you want your security policy to be and what your cluster is actually doing. Additionally, since PSPs enforce once applied, they might prevent pods from running, and the process of tuning a PSP live on a cluster can be disruptive and painful.
+
+That's where Falco comes in. We want to make it possible for Falco to perform a "dry run" evaluation of a PSP, translating it to Falco rules that observe the behaviour of deployed pods and sending alerts for violations, *without* blocking. This helps accelerate the authoring cycle, providing a complete authoring framework for PSPs without deploying straight to the cluster.
+
+### Goals
+
+Transparently read a candidate PSP into an equivalent set of Falco rules that can look for the conditions in the PSP.
+
+The PSP is converted into a set of Falco rules which can be either saved as a file for later use/inspection, or loaded directly so they they can monitor system calls and k8s audit activity.
+
+### Non-Goals
+
+Falco will not automatically read PSPs from a cluster, will not install PSPs, and will not provide guidance on the parts of your infrastructure that are already covered by PSPs. This feature only helps with the testing part of a candidate PSP. For coming up with an initial PSP, you can use tools like [https://github.com/sysdiglabs/kube-psp-advisor](Kube PSP Advisor).
+
+The use case here is for cluster operators who want to author PSPs, but don't want to just put it in a cluster and see what breaks. For example, if your PSP sets privileged to false, but it turns out some of your pods are running privileged, they won't be able to start.
+
+With this feature, they could iterate without enforcement until they have a PSP that matches the actual behaviour of their cluster. Some of that will come from changing the PSP, some of that will come from changing the behaviour of the cluster. The important part is that it's not mistakenly preventing things from running while you're figuring it out.
+
+## Proposal
+
+### Use cases
+
+You'll be able to run falco with a `--psp` argument that provides a single PSP yaml file. Falco will automatically convert the PSP into an equivalent set of Falco rules, load the rules, and then run with the loaded rules. You can optionally provide a `--psp_save=<path>` command line option to save the converted rules to a file.
+
+### Diagrams
+
+No diagrams yet.
+
+### Design Details
+
+* We'll use [inja](https://github.com/pantor/inja) as the templating engine.
+
+* For the most part, we can rely on the existing framework of rules, filter expressions, and output expressions that already exist in Falco. One significant change will be that filter fields can extract more than one "value" per event, and we'll need to define new operators to perform set comparisions betweeen values in an event and values in the comparison right-hand-side.
+
+* This will rely heavily on existing support for [K8s Audit Events](https://falco.org/docs/event-sources/kubernetes-audit/) in Falco.

rules/CMakeLists.txt

@@ -1,7 +1,6 @@
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco .
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

rules/OWNERS

@@ -7,4 +7,6 @@ reviewers:
   - mfdii
   - kaizhe
   - mstemm
+labels:
+  - area/rules
 

rules/application_rules.yaml

@@ -1,7 +1,6 @@
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

rules/falco_rules.local.yaml

@@ -1,7 +1,6 @@
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

rules/falco_rules.yaml

@@ -1,7 +1,6 @@
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -899,6 +898,9 @@
 - macro: calico_writing_state
   condition: (proc.name=kube-controller and fd.name startswith /status.json and k8s.pod.name startswith calico)
 
+- macro: calico_writing_envvars
+  condition: (proc.name=start_runit and fd.name startswith "/etc/envvars" and container.image.repository endswith "calico/node")
+
 - list: repository_files
   items: [sources.list]
 
@@ -1252,6 +1254,7 @@
     and not istio_writing_conf
     and not ufw_writing_conf
     and not calico_writing_conf
+    and not calico_writing_envvars
     and not prometheus_conf_writing_conf
     and not openshift_writing_conf
     and not keepalived_writing_conf
@@ -1751,7 +1754,7 @@
 - list: falco_privileged_images
   items: [
     docker.io/sysdig/agent, docker.io/sysdig/falco, docker.io/sysdig/sysdig,
-    gcr.io/google_containers/kube-proxy, docker.io/calico/node,
+    gcr.io/google_containers/kube-proxy, docker.io/calico/node, quay.io/calico/node,
     docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/mesosphere/mesos-slave,
     docker.io/docker/ucp-agent, sematext_images, k8s.gcr.io/kube-proxy
     ]
@@ -1788,7 +1791,8 @@
     gcr.io/google_containers/kube-proxy, docker.io/calico/node,
     docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/consul,
     docker.io/datadog/docker-dd-agent, docker.io/datadog/agent, docker.io/docker/ucp-agent, docker.io/gliderlabs/logspout,
-    docker.io/netdata/netdata, docker.io/google/cadvisor, docker.io/prom/node-exporter
+    docker.io/netdata/netdata, docker.io/google/cadvisor, docker.io/prom/node-exporter,
+    amazon/amazon-ecs-agent
     ]
 
 - macro: falco_sensitive_mount_containers
@@ -2356,7 +2360,8 @@
   condition: (never_true)
 
 - macro: trusted_logging_images
-  condition: (container.image.repository endswith "splunk/fluentd-hec")
+  condition: (container.image.repository endswith "splunk/fluentd-hec" or
+              container.image.repository endswith "fluent/fluentd-kubernetes-daemonset")
 
 - rule: Clear Log Activities
   desc: Detect clearing of critical log files
@@ -2414,6 +2419,19 @@
     WARNING
   tag: [process, mitre_defense_evation]
 
+# This rule is deprecated and will/should never be triggered. Keep it here for backport compatibility.
+# Rule Delete or rename shell history is the preferred rule to use now.
+- rule: Delete Bash History
+  desc: Detect bash history deletion
+  condition: >
+    ((spawned_process and proc.name in (shred, rm, mv) and proc.args contains "bash_history") or 
+     (open_write and fd.name contains "bash_history" and evt.arg.flags contains "O_TRUNC"))
+  output: >
+    Shell history had been deleted or renamed (user=%user.name type=%evt.type command=%proc.cmdline fd.name=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath %container.info)
+  priority:
+    WARNING
+  tag: [process, mitre_defense_evation]
+
 - macro: consider_all_chmods
   condition: (always_true)
 

rules/k8s_audit_rules.yaml

@@ -1,7 +1,6 @@
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -40,8 +39,9 @@
   condition: (jevt.value[/stage]=ResponseStarted)
 
 # If you wish to restrict activity to a specific set of users, override/append to this list.
+# users created by kops are included
 - list: allowed_k8s_users
-  items: ["minikube", "minikube-user", "kubelet", "kops"]
+  items: ["minikube", "minikube-user", "kubelet", "kops", "admin", "kube", "kube-proxy"]
 
 - rule: Disallowed K8s User
   desc: Detect any k8s operation by users outside of an allowed set of users.
@@ -56,7 +56,7 @@
 # your environment. In this main falco rules file, there isn't any way
 # to know all the containers that can run, so any container is
 # allowed, by using the always_true macro. In the overridden macro, the condition
-# would look something like (ka.req.container.image.repository=my-repo/my-image)
+# would look something like (ka.req.pod.containers.image.repository in (my-repo/my-image))
 - macro: allowed_k8s_containers
   condition: (k8s_audit_always_true)
 
@@ -109,7 +109,7 @@
   desc: >
     Detect an attempt to start a pod with a container image outside of a list of allowed images.
   condition: kevt and pod and kcreate and not allowed_k8s_containers
-  output: Pod started with container not in allowed list (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace image=%ka.req.container.image)
+  output: Pod started with container not in allowed list (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
   priority: WARNING
   source: k8s_audit
   tags: [k8s]
@@ -117,26 +117,22 @@
 - rule: Create Privileged Pod
   desc: >
     Detect an attempt to start a pod with a privileged container
-  condition: kevt and pod and kcreate and ka.req.container.privileged=true and not ka.req.container.image.repository in (falco_privileged_images)
-  output: Pod started with privileged container (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace image=%ka.req.container.image)
+  condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true) and not ka.req.pod.containers.image.repository in (falco_privileged_images)
+  output: Pod started with privileged container (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
   priority: WARNING
   source: k8s_audit
   tags: [k8s]
 
 - macro: sensitive_vol_mount
   condition: >
-    (ka.req.volume.hostpath[/proc*]=true or
-     ka.req.volume.hostpath[/var/run/docker.sock]=true or
-     ka.req.volume.hostpath[/]=true or
-     ka.req.volume.hostpath[/etc]=true or
-     ka.req.volume.hostpath[/root*]=true)
+    (ka.req.pod.volumes.hostpath intersects (/proc, /var/run/docker.sock, /, /etc, /root))
 
 - rule: Create Sensitive Mount Pod
   desc: >
     Detect an attempt to start a pod with a volume from a sensitive host directory (i.e. /proc).
     Exceptions are made for known trusted images.
-  condition: kevt and pod and kcreate and sensitive_vol_mount and not ka.req.container.image.repository in (falco_sensitive_mount_images)
-  output: Pod started with sensitive mount (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace image=%ka.req.container.image mounts=%jevt.value[/requestObject/spec/volumes])
+  condition: kevt and pod and kcreate and sensitive_vol_mount and not ka.req.pod.containers.image.repository in (falco_sensitive_mount_images)
+  output: Pod started with sensitive mount (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image volumes=%jevt.value[/requestObject/spec/volumes])
   priority: WARNING
   source: k8s_audit
   tags: [k8s]
@@ -144,8 +140,8 @@
 # Corresponds to K8s CIS Benchmark 1.7.4
 - rule: Create HostNetwork Pod
   desc: Detect an attempt to start a pod using the host network.
-  condition: kevt and pod and kcreate and ka.req.container.host_network=true and not ka.req.container.image.repository in (falco_hostnetwork_images)
-  output: Pod started using host network (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace image=%ka.req.container.image)
+  condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostnetwork_images)
+  output: Pod started using host network (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
   priority: WARNING
   source: k8s_audit
   tags: [k8s]
@@ -221,7 +217,7 @@
 - rule: Pod Created in Kube Namespace
   desc: Detect any attempt to create a pod in the kube-system or kube-public namespaces
   condition: kevt and pod and kcreate and ka.target.namespace in (kube-system, kube-public)
-  output: Pod created in kube namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace image=%ka.req.container.image)
+  output: Pod created in kube namespace (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
   priority: WARNING
   source: k8s_audit
   tags: [k8s]
@@ -258,7 +254,7 @@
 
 - rule: ClusterRole With Wildcard Created
   desc: Detect any attempt to create a Role/ClusterRole with wildcard resources or verbs
-  condition: kevt and (role or clusterrole) and kcreate and (ka.req.role.rules.resources contains '"*"' or ka.req.role.rules.verbs contains '"*"')
+  condition: kevt and (role or clusterrole) and kcreate and (ka.req.role.rules.resources intersects ("*") or ka.req.role.rules.verbs intersects ("*"))
   output: Created Role/ClusterRole with wildcard (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
   priority: WARNING
   source: k8s_audit
@@ -266,11 +262,7 @@
 
 - macro: writable_verbs
   condition: >
-    (ka.req.role.rules.verbs contains create or
-     ka.req.role.rules.verbs contains update or
-     ka.req.role.rules.verbs contains patch or
-     ka.req.role.rules.verbs contains delete or
-     ka.req.role.rules.verbs contains deletecollection)
+    (ka.req.role.rules.verbs intersects (create, update, patch, delete, deletecollection))
 
 - rule: ClusterRole With Write Privileges Created
   desc: Detect any attempt to create a Role/ClusterRole that can perform write-related actions
@@ -282,7 +274,7 @@
 
 - rule: ClusterRole With Pod Exec Created
   desc: Detect any attempt to create a Role/ClusterRole that can exec to pods
-  condition: kevt and (role or clusterrole) and kcreate and ka.req.role.rules.resources contains "pods/exec"
+  condition: kevt and (role or clusterrole) and kcreate and ka.req.role.rules.resources intersects ("pods/exec")
   output: Created Role/ClusterRole with pod exec privileges (user=%ka.user.name role=%ka.target.name rules=%ka.req.role.rules)
   priority: WARNING
   source: k8s_audit
@@ -396,7 +388,7 @@
 - rule: K8s Role/Clusterrolebinding Created
   desc: Detect any attempt to create a clusterrolebinding
   condition: (kactivity and kcreate and clusterrolebinding and response_successful)
-  output: K8s Cluster Role Binding Created (user=%ka.user.name binding=%ka.target.name subjects=%ka.req.binding.subjects role=%ka.req.binding.role resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason foo=%ka.req.binding.subject.has_name[cluster-admin])
+  output: K8s Cluster Role Binding Created (user=%ka.user.name binding=%ka.target.name subjects=%ka.req.binding.subjects role=%ka.req.binding.role resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
   tags: [k8s]

scripts/CMakeLists.txt

@@ -1,7 +1,6 @@
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco .
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

scripts/build-lpeg.sh

@@ -1,8 +1,7 @@
 #!/usr/bin/env bash
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco .
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

scripts/debian/falco

@@ -1,8 +1,7 @@
 #! /bin/sh
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco .
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

scripts/debian/postinst.in

@@ -1,8 +1,7 @@
 #!/bin/sh
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco .
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

scripts/debian/postrm

@@ -1,8 +1,7 @@
 #!/bin/sh
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco .
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

scripts/debian/prerm.in

@@ -1,8 +1,7 @@
 #!/bin/sh
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco .
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

scripts/ignored-calls.sh

@@ -1,8 +1,7 @@
 #!/usr/bin/env bash
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

scripts/rpm/falco

@@ -1,9 +1,8 @@
 #!/bin/sh
 
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

scripts/rpm/postinstall

@@ -1,7 +1,6 @@
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

scripts/rpm/postuninstall

@@ -1,7 +1,6 @@
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

scripts/rpm/preuninstall

@@ -1,7 +1,6 @@
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

test/OWNERS

@@ -0,0 +1,2 @@
+labels:
+  - area/tests

test/confs/file_output.yaml

@@ -1,7 +1,6 @@
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

test/confs/program_output.yaml

@@ -1,7 +1,6 @@
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

test/confs/psp.yaml

@@ -0,0 +1,165 @@
+#
+# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+#
+# This file is part of falco .
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# File(s) or Directories containing Falco rules, loaded at startup.
+# The name "rules_file" is only for backwards compatibility.
+# If the entry is a file, it will be read directly. If the entry is a directory,
+# every file in that directory will be read, in alphabetical order.
+#
+# falco_rules.yaml ships with the falco package and is overridden with
+# every new software version. falco_rules.local.yaml is only created
+# if it doesn't exist. If you want to customize the set of rules, add
+# your customizations to falco_rules.local.yaml.
+#
+# The files will be read in the order presented here, so make sure if
+# you have overrides they appear in later files.
+rules_file: []
+
+# If true, the times displayed in log messages and output messages
+# will be in ISO 8601. By default, times are displayed in the local
+# time zone, as governed by /etc/localtime.
+time_format_iso_8601: false
+
+# Whether to output events in json or text
+json_output: false
+
+# When using json output, whether or not to include the "output" property
+# itself (e.g. "File below a known binary directory opened for writing
+# (user=root ....") in the json output.
+json_include_output_property: true
+
+# Send information logs to stderr and/or syslog Note these are *not* security
+# notification logs! These are just Falco lifecycle (and possibly error) logs.
+log_stderr: true
+log_syslog: true
+
+# Minimum log level to include in logs. Note: these levels are
+# separate from the priority field of rules. This refers only to the
+# log level of falco's internal logging. Can be one of "emergency",
+# "alert", "critical", "error", "warning", "notice", "info", "debug".
+log_level: info
+
+# Minimum rule priority level to load and run. All rules having a
+# priority more severe than this level will be loaded/run.  Can be one
+# of "emergency", "alert", "critical", "error", "warning", "notice",
+# "info", "debug".
+priority: debug
+
+# Whether or not output to any of the output channels below is
+# buffered. Defaults to false
+buffered_outputs: false
+
+# Falco uses a shared buffer between the kernel and userspace to pass
+# system call information. When falco detects that this buffer is
+# full and system calls have been dropped, it can take one or more of
+# the following actions:
+#   - "ignore": do nothing. If an empty list is provided, ignore is assumed.
+#   - "log": log a CRITICAL message noting that the buffer was full.
+#   - "alert": emit a falco alert noting that the buffer was full.
+#   - "exit": exit falco with a non-zero rc.
+#
+# The rate at which log/alert messages are emitted is governed by a
+# token bucket. The rate corresponds to one message every 30 seconds
+# with a burst of 10 messages.
+
+syscall_event_drops:
+  actions:
+    - log
+    - alert
+  rate: .03333
+  max_burst: 10
+
+# A throttling mechanism implemented as a token bucket limits the
+# rate of falco notifications. This throttling is controlled by the following configuration
+# options:
+#  - rate: the number of tokens (i.e. right to send a notification)
+#    gained per second. Defaults to 1.
+#  - max_burst: the maximum number of tokens outstanding. Defaults to 1000.
+#
+# With these defaults, falco could send up to 1000 notifications after
+# an initial quiet period, and then up to 1 notification per second
+# afterward. It would gain the full burst back after 1000 seconds of
+# no activity.
+
+outputs:
+  rate: 1
+  max_burst: 1000
+
+# Where security notifications should go.
+# Multiple outputs can be enabled.
+
+syslog_output:
+  enabled: true
+
+# If keep_alive is set to true, the file will be opened once and
+# continuously written to, with each output message on its own
+# line. If keep_alive is set to false, the file will be re-opened
+# for each output message.
+#
+# Also, the file will be closed and reopened if falco is signaled with
+# SIGUSR1.
+
+file_output:
+  enabled: false
+  keep_alive: false
+  filename: ./events.txt
+
+stdout_output:
+  enabled: true
+
+# Falco contains an embedded webserver that can be used to accept K8s
+# Audit Events. These config options control the behavior of that
+# webserver. (By default, the webserver is disabled).
+#
+# The ssl_certificate is a combination SSL Certificate and corresponding
+# key contained in a single file. You can generate a key/cert as follows:
+#
+# $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
+# $ cat certificate.pem key.pem > falco.pem
+# $ sudo cp falco.pem /etc/falco/falco.pem
+
+webserver:
+  enabled: true
+  listen_port: 8765
+  k8s_audit_endpoint: /k8s_audit
+  ssl_enabled: false
+  ssl_certificate: /etc/falco/falco.pem
+
+# Possible additional things you might want to do with program output:
+#   - send to a slack webhook:
+#         program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
+#   - logging (alternate method than syslog):
+#         program: logger -t falco-test
+#   - send over a network connection:
+#         program: nc host.example.com 80
+
+# If keep_alive is set to true, the program will be started once and
+# continuously written to, with each output message on its own
+# line. If keep_alive is set to false, the program will be re-spawned
+# for each output message.
+#
+# Also, the program will be closed and reopened if falco is signaled with
+# SIGUSR1.
+program_output:
+  enabled: false
+  keep_alive: false
+  program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
+
+http_output:
+  enabled: false
+  url: http://some.url

test/cpu_monitor.sh

@@ -1,8 +1,7 @@
 #!/usr/bin/env bash
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

test/falco_k8s_audit_tests.yaml

@@ -1,7 +1,6 @@
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -17,6 +16,68 @@
 #
 trace_files: !mux
 
+  compat_engine_v4_create_disallowed_pod:
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - ../rules/falco_rules.yaml
+      - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
+      - ./rules/k8s_audit/engine_v4/allow_only_apache_container.yaml
+    detect_counts:
+      - Create Disallowed Pod: 1
+    trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+
+  compat_engine_v4_create_allowed_pod:
+    detect: False
+    rules_file:
+      - ../rules/falco_rules.yaml
+      - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
+      - ./rules/k8s_audit/engine_v4/allow_nginx_container.yaml
+    trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+
+  compat_engine_v4_create_privileged_pod:
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - ../rules/falco_rules.yaml
+      - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
+    detect_counts:
+      - Create Privileged Pod: 1
+    trace_file: trace_files/k8s_audit/create_nginx_pod_privileged.json
+
+  compat_engine_v4_create_privileged_trusted_pod:
+    detect: False
+    rules_file:
+      - ../rules/falco_rules.yaml
+      - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
+      - ./rules/k8s_audit/trust_nginx_container.yaml
+    trace_file: trace_files/k8s_audit/create_nginx_pod_privileged.json
+
+  compat_engine_v4_create_unprivileged_pod:
+    detect: False
+    rules_file:
+      - ../rules/falco_rules.yaml
+      - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
+    trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
+
+  compat_engine_v4_create_hostnetwork_pod:
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - ../rules/falco_rules.yaml
+      - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
+    detect_counts:
+      - Create HostNetwork Pod: 1
+    trace_file: trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
+
+  compat_engine_v4_create_hostnetwork_trusted_pod:
+    detect: False
+    rules_file:
+      - ../rules/falco_rules.yaml
+      - ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
+      - ./rules/k8s_audit/trust_nginx_container.yaml
+    trace_file: trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
+
   user_outside_allowed_set:
     detect: True
     detect_level: WARNING
@@ -514,4 +575,4 @@ trace_files: !mux
       - ../rules/k8s_audit_rules.yaml
     detect_counts:
       - K8s Role/Clusterrolebinding Deleted: 1
-    trace_file: trace_files/k8s_audit/delete_clusterrolebinding.json
+    trace_file: trace_files/k8s_audit/delete_clusterrolebinding.json

test/falco_test.py

@@ -1,8 +1,7 @@
  #!/usr/bin/env python
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -22,7 +21,10 @@ import json
 import sets
 import glob
 import shutil
+import stat
 import subprocess
+import sys
+import urllib
 
 from avocado import Test
 from avocado.utils import process
@@ -34,13 +36,14 @@ class FalcoTest(Test):
         """
         Load the sysdig kernel module if not already loaded.
         """
-        build_type = "release"
-        if 'BUILD_TYPE' in os.environ:
-            build_type = os.environ['BUILD_TYPE'].lower()
-            build_type = "debug" if build_type == "debug" else "release"
+        build_dir = "/build"
+        if 'BUILD_DIR' in os.environ:
+            build_dir = os.environ['BUILD_DIR']
 
-        build_dir = os.path.join('/build', build_type)
-        self.falcodir = self.params.get('falcodir', '/', default=os.path.join(self.basedir, build_dir))
+        self.falcodir = self.params.get('falcodir', '/', default=build_dir)
+
+        self.psp_conv_path = os.path.join(build_dir, "falcoctl")
+        self.psp_conv_url = "https://github.com/falcosecurity/falcoctl/releases/download/v0.0.4/falcoctl-0.0.4-linux-amd64"
 
         self.stdout_is = self.params.get('stdout_is', '*', default='')
         self.stderr_is = self.params.get('stderr_is', '*', default='')
@@ -95,8 +98,15 @@ class FalcoTest(Test):
             if not isinstance(self.validate_rules_file, list):
                 self.validate_rules_file = [self.validate_rules_file]
 
+        self.psp_rules_file = os.path.join(build_dir, "psp_rules.yaml")
+
+        self.psp_file = self.params.get('psp_file', '*', default="")
+
         self.rules_args = ""
 
+        if self.psp_file != "":
+            self.rules_args = self.rules_args + "-r " + self.psp_rules_file + " "
+
         for file in self.validate_rules_file:
             if not os.path.isabs(file):
                 file = os.path.join(self.basedir, file)
@@ -427,6 +437,31 @@ class FalcoTest(Test):
         if self.trace_file:
             trace_arg = "-e {}".format(self.trace_file)
 
+        # Possibly run psp converter
+        if self.psp_file != "":
+
+            if not os.path.isfile(self.psp_conv_path):
+                self.log.info("Downloading {} to {}".format(self.psp_conv_url, self.psp_conv_path))
+
+                urllib.urlretrieve(self.psp_conv_url, self.psp_conv_path)
+                os.chmod(self.psp_conv_path, stat.S_IEXEC)
+
+            conv_cmd = '{} convert psp --psp-path {} --rules-path {}'.format(
+                self.psp_conv_path, os.path.join(self.basedir, self.psp_file), self.psp_rules_file)
+
+            conv_proc = process.SubProcess(conv_cmd)
+
+            conv_res = conv_proc.run(timeout=180, sig=9)
+
+            if conv_res.exit_status != 0:
+                self.error("psp_conv command \"{}\" exited with unexpected return value {}. Full stdout={} stderr={}".format(
+                    conv_cmd, conv_res.exit_status, conv_res.stdout, conv_res.stderr))
+
+            with open(self.psp_rules_file, 'r') as myfile:
+                psp_rules = myfile.read()
+                self.log.debug("Converted Rules: {}".format(psp_rules))
+
+
         # Run falco
         cmd = '{} {} {} -c {} {} -o json_output={} -o json_include_output_property={} -o priority={} -v'.format(
             self.falco_binary_path, self.rules_args, self.disabled_args, self.conf_file, trace_arg, self.json_output, self.json_include_output_property, self.priority)

test/falco_tests_package.yaml

@@ -1,7 +1,6 @@
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

test/falco_tests_psp.yaml

@@ -0,0 +1,666 @@
+#
+# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+#
+# This file is part of falco.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+trace_files: !mux
+
+  privileged_detect_k8s_audit:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP no_privileged Violation (privileged) K8s Audit": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/privileged.yaml
+    trace_file: trace_files/psp/privileged.json
+
+  privileged_detect_syscall:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP no_privileged Violation (privileged) System Activity": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/privileged.yaml
+    trace_file: trace_files/psp/privileged.scap
+
+  privileged_no_detect:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/privileged.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  host_pid_detect:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP no_host_pid Violation (hostPID)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/host_pid.yaml
+    trace_file: trace_files/psp/host_pid.json
+
+  host_pid_no_detect:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/host_pid.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  host_ipc_detect:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP no_host_ipc Violation (hostIPC)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/host_ipc.yaml
+    trace_file: trace_files/psp/host_ipc.json
+
+  host_ipc_no_detect:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/host_ipc.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  host_network_detect:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP no_host_network Violation (hostNetwork)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/host_network.yaml
+    trace_file: trace_files/psp/host_network.json
+
+  host_network_no_detect:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/host_network.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  host_network_ports_detect:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP host_ports_100_200_only Violation (hostPorts)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/host_network_ports.yaml
+    trace_file: trace_files/psp/host_network_ports.json
+
+  host_network_ports_no_detect:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/host_network_ports.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  volumes_detect:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP only_secret_volumes Violation (volumes)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/volumes.yaml
+    trace_file: trace_files/psp/mount_etc_using_host_path.json
+
+  volumes_no_detect:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/volumes.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  allowed_host_paths_detect:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP only_mount_host_usr Violation (allowedHostPaths)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/allowed_host_paths.yaml
+    trace_file: trace_files/psp/mount_etc_using_host_path.json
+
+  allowed_host_paths_no_detect:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/allowed_host_paths.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  allowed_flex_volumes_detect:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP only_lvm_cifs_flex_volumes Violation (allowedFlexVolumes)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/flex_volumes.yaml
+    trace_file: trace_files/psp/flex_volumes.json
+
+  allowed_flex_volumes_no_detect:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/flex_volumes.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  fs_group_must_run_as_with_unset:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP fs_group_must_run_as_30 Violation (fsGroup)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/fs_group_must_run_as.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  fs_group_must_run_as:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP fs_group_must_run_as_30 Violation (fsGroup)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/fs_group_must_run_as.yaml
+    trace_file: trace_files/psp/fs_group.json
+
+  fs_group_may_run_as:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP fs_group_may_run_as_30 Violation (fsGroup)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/fs_group_may_run_as.yaml
+    trace_file: trace_files/psp/fs_group.json
+
+  fs_group_may_run_as_with_unset:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/fs_group_may_run_as.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  fs_group_run_as_any:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/fs_group_run_as_any.yaml
+    trace_file: trace_files/psp/fs_group.json
+
+  fs_group_run_as_any_with_unset:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/fs_group_run_as_any.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  read_only_root_fs_detect:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP read_only_root_fs Violation (readOnlyRootFilesystem) K8s Audit": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/read_only_root_fs.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  read_only_root_fs_detect_syscall:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP read_only_root_fs Violation (readOnlyRootFilesystem) System Activity": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/read_only_root_fs.yaml
+    trace_file: trace_files/psp/write_tmp_test.scap
+
+  read_only_root_fs_no_detect:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/read_only_root_fs.yaml
+    trace_file: trace_files/psp/read_only_root_fs.json
+
+  user_must_run_as_with_unset:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP user_must_run_as_30 Violation (runAsUser=MustRunAs) K8s Audit": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/user_must_run_as.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  user_must_run_as_detect:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP user_must_run_as_30 Violation (runAsUser=MustRunAs) K8s Audit": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/user_must_run_as.yaml
+    trace_file: trace_files/psp/run_as_user_1000_container.json
+
+  user_must_run_as_detect_syscall:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP user_must_run_as_30 Violation (runAsUser=MustRunAs) System Activity": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/user_must_run_as.yaml
+    trace_file: trace_files/psp/run_as_user_65534_container.scap
+
+  user_must_run_as_not_detect:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/user_must_run_as.yaml
+    trace_file: trace_files/psp/run_as_user_30_container.json
+
+  user_must_run_as_detect_sec_ctx:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP user_must_run_as_30 Violation (runAsUser=MustRunAs) K8s Audit": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/user_must_run_as.yaml
+    trace_file: trace_files/psp/run_as_user_1000_sec_ctx.json
+
+  user_must_run_as_not_detect_sec_ctx:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/user_must_run_as.yaml
+    trace_file: trace_files/psp/run_as_user_30_sec_ctx.json
+
+  user_must_run_as_detect_both:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP user_must_run_as_30 Violation (runAsUser=MustRunAs) K8s Audit": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/user_must_run_as.yaml
+    trace_file: trace_files/psp/run_as_user_30_sec_ctx_1000_container.json
+
+  user_must_run_as_not_detect_both:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/user_must_run_as.yaml
+    trace_file: trace_files/psp/run_as_user_1000_sec_ctx_30_container.json
+
+  user_must_run_as_non_root_detect:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP user_must_run_as_non_root Violation (runAsUser=MustRunAsNonRoot) K8s Audit": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/user_must_run_as_non_root.yaml
+    trace_file: trace_files/psp/run_as_user_0_container.json
+
+  user_must_run_as_non_root_detect_syscall:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP user_must_run_as_non_root Violation (runAsUser=MustRunAsNonRoot) System Activity": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/user_must_run_as_non_root.yaml
+    trace_file: trace_files/psp/run_as_user_0_container.scap
+
+  user_must_run_as_non_root_no_detect:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/user_must_run_as_non_root.yaml
+    trace_file: trace_files/psp/run_as_user_1000_container.json
+
+  user_must_run_as_non_root_detect_sec_ctx:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP user_must_run_as_non_root Violation (runAsUser=MustRunAsNonRoot) K8s Audit": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/user_must_run_as_non_root.yaml
+    trace_file: trace_files/psp/run_as_user_0_sec_ctx.json
+
+  user_must_run_as_non_root_no_detect_sec_ctx:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/user_must_run_as_non_root.yaml
+    trace_file: trace_files/psp/run_as_user_1000_sec_ctx.json
+
+  user_must_run_as_non_root_detect_both:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP user_must_run_as_non_root Violation (runAsUser=MustRunAsNonRoot) K8s Audit": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/user_must_run_as_non_root.yaml
+    trace_file: trace_files/psp/run_as_user_1000_sec_ctx_0_container.json
+
+  user_must_run_as_non_root_no_detect_both:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/user_must_run_as_non_root.yaml
+    trace_file: trace_files/psp/run_as_user_0_sec_ctx_1000_container.json
+
+  group_must_run_as_with_unset:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP group_must_run_as_30 Violation (runAsGroup=MustRunAs) K8s Audit": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/group_must_run_as.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  group_must_run_as_detect:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP group_must_run_as_30 Violation (runAsGroup=MustRunAs) K8s Audit": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/group_must_run_as.yaml
+    trace_file: trace_files/psp/run_as_group_1000_container.json
+
+  group_must_run_as_detect_syscall:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP group_must_run_as_30 Violation (runAsGroup=MustRunAs) System Activity": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/group_must_run_as.yaml
+    trace_file: trace_files/psp/run_as_user_65534_container.scap
+
+  group_must_run_as_not_detect:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/group_must_run_as.yaml
+    trace_file: trace_files/psp/run_as_group_30_container.json
+
+  group_must_run_as_detect_sec_ctx:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP group_must_run_as_30 Violation (runAsGroup=MustRunAs) K8s Audit": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/group_must_run_as.yaml
+    trace_file: trace_files/psp/run_as_group_1000_sec_ctx.json
+
+  group_must_run_as_not_detect_sec_ctx:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/group_must_run_as.yaml
+    trace_file: trace_files/psp/run_as_group_30_sec_ctx.json
+
+  group_must_run_as_detect_both:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP group_must_run_as_30 Violation (runAsGroup=MustRunAs) K8s Audit": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/group_must_run_as.yaml
+    trace_file: trace_files/psp/run_as_group_30_sec_ctx_1000_container.json
+
+  group_must_run_as_not_detect_both:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/group_must_run_as.yaml
+    trace_file: trace_files/psp/run_as_group_1000_sec_ctx_30_container.json
+
+  group_may_run_as_with_unset:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/group_may_run_as.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  group_may_run_as_detect:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP group_may_run_as_30 Violation (runAsGroup=MayRunAs)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/group_may_run_as.yaml
+    trace_file: trace_files/psp/run_as_group_1000_container.json
+
+  group_may_run_as_not_detect:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/group_may_run_as.yaml
+    trace_file: trace_files/psp/run_as_group_30_container.json
+
+  group_may_run_as_detect_sec_ctx:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP group_may_run_as_30 Violation (runAsGroup=MayRunAs)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/group_may_run_as.yaml
+    trace_file: trace_files/psp/run_as_group_1000_sec_ctx.json
+
+  group_may_run_as_not_detect_sec_ctx:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/group_may_run_as.yaml
+    trace_file: trace_files/psp/run_as_group_30_sec_ctx.json
+
+  group_may_run_as_detect_both:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP group_may_run_as_30 Violation (runAsGroup=MayRunAs)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/group_may_run_as.yaml
+    trace_file: trace_files/psp/run_as_group_30_sec_ctx_1000_container.json
+
+  group_may_run_as_not_detect_both:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/group_may_run_as.yaml
+    trace_file: trace_files/psp/run_as_group_1000_sec_ctx_30_container.json
+
+  supplemental_groups_must_run_as_with_unset:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP supplemental_groups_must_run_as_30 Violation (supplementalGroups=MustRunAs)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/supplemental_groups_must_run_as_30_40.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  supplemental_groups_must_run_as_no_overlap:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP supplemental_groups_must_run_as_30 Violation (supplementalGroups=MustRunAs)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/supplemental_groups_must_run_as_30_40.yaml
+    trace_file: trace_files/psp/supplemental_groups_10_20.json
+
+  supplemental_groups_must_run_as_partial_overlap:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP supplemental_groups_must_run_as_30_10 Violation (supplementalGroups=MustRunAs)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/supplemental_groups_must_run_as_30_40_10_15.yaml
+    trace_file: trace_files/psp/supplemental_groups_10_20.json
+
+  supplemental_groups_must_run_as_overlap:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/supplemental_groups_must_run_as_10_20.yaml
+    trace_file: trace_files/psp/supplemental_groups_10_20.json
+
+  supplemental_groups_must_run_as_overlap_multiple_ranges:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/supplemental_groups_must_run_as_10_40_10_20.yaml
+    trace_file: trace_files/psp/supplemental_groups_10_20.json
+
+  supplemental_groups_may_run_as_with_unset:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/supplemental_groups_may_run_as_30_40.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  supplemental_groups_may_run_as_no_overlap:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP supplemental_groups_may_run_as_30 Violation (supplementalGroups=MayRunAs)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/supplemental_groups_may_run_as_30_40.yaml
+    trace_file: trace_files/psp/supplemental_groups_10_20.json
+
+  supplemental_groups_may_run_as_partial_overlap:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP supplemental_groups_may_run_as_30_10 Violation (supplementalGroups=MayRunAs)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/supplemental_groups_may_run_as_30_40_10_15.yaml
+    trace_file: trace_files/psp/supplemental_groups_10_20.json
+
+  supplemental_groups_may_run_as_overlap:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/supplemental_groups_may_run_as_10_20.yaml
+    trace_file: trace_files/psp/supplemental_groups_10_20.json
+
+  supplemental_groups_may_run_as_overlap_multiple_ranges:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/supplemental_groups_may_run_as_10_40_10_20.yaml
+    trace_file: trace_files/psp/supplemental_groups_10_20.json
+
+  privilege_escalation_privilege_escalation_detect:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP no_privilege_escalation Violation (allowPrivilegeEscalation)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/privilege_escalation.yaml
+    trace_file: trace_files/psp/privilege_escalation.json
+
+  allowed_capabilities_detect:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP allow_capability_sys_nice Violation (allowedCapabilities)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/allowed_capabilities.yaml
+    trace_file: trace_files/psp/capability_add_sys_time.json
+
+  allowed_capabilities_no_detect:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/allowed_capabilities.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  allowed_capabilities_match:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/allowed_capabilities.yaml
+    trace_file: trace_files/psp/capability_add_sys_nice.json
+
+  allowed_proc_mount_types_detect:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP allow_default_proc_mount_type Violation (allowedProcMountTypes)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/allowed_proc_mount_types.yaml
+    trace_file: trace_files/psp/proc_mount_type_unmasked.json
+
+  allowed_proc_mount_types_no_detect:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/allowed_proc_mount_types.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  allowed_proc_mount_types_match:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/allowed_proc_mount_types.yaml
+    trace_file: trace_files/psp/proc_mount_type_default.json
+
+  psp_name_with_dashes:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP no_privileged Violation (privileged) System Activity": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/privileged_name_with_dashes.yaml
+    trace_file: trace_files/psp/privileged.scap
+
+  psp_name_with_spaces:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP no_privileged Violation (privileged) System Activity": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/privileged_name_with_spaces.yaml
+    trace_file: trace_files/psp/privileged.scap

test/falco_traces.yaml.in

@@ -1,7 +1,6 @@
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

test/plot-live.r

@@ -1,7 +1,6 @@
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

test/plot-traces.r

@@ -1,7 +1,6 @@
 #
-# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+# Copyright (C) 2019 The Falco Authors.
 #
-# This file is part of falco.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

test/psps/allowed_capabilities.yaml

@@ -0,0 +1,10 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: allow_capability_sys_nice
+spec:
+  allowedCapabilities:
+    - SYS_NICE
+

test/psps/allowed_host_paths.yaml

@@ -0,0 +1,11 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: only_mount_host_usr
+spec:
+  allowedHostPaths:
+    - pathPrefix: /usr
+      readOnly: true
+

test/psps/allowed_proc_mount_types.yaml

@@ -0,0 +1,10 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: allow_default_proc_mount_type
+spec:
+  allowedProcMountTypes:
+    - Default
+

test/psps/flex_volumes.yaml

@@ -0,0 +1,13 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: only_lvm_cifs_flex_volumes
+spec:
+  volumes:
+    - flexVolume
+  allowedFlexVolumes:
+    - driver: example/lvm
+    - driver: example/cifs
+

test/psps/fs_group_may_run_as.yaml

@@ -0,0 +1,12 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: fs_group_may_run_as_30
+spec:
+  fsGroup:
+    rule: "MayRunAs"
+    ranges:
+      - min: 30
+        max: 40

test/psps/fs_group_must_run_as.yaml

@@ -0,0 +1,12 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: fs_group_must_run_as_30
+spec:
+  fsGroup:
+    rule: "MustRunAs"
+    ranges:
+      - min: 30
+        max: 40

test/psps/fs_group_run_as_any.yaml

@@ -0,0 +1,10 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: fs_group_run_as_any
+spec:
+  fsGroup:
+    rule: "RunAsAny"
+

test/psps/group_may_run_as.yaml

@@ -0,0 +1,12 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: group_may_run_as_30
+spec:
+  runAsGroup:
+    rule: "MayRunAs"
+    ranges:
+      - min: 30
+        max: 40

test/psps/group_must_run_as.yaml

@@ -0,0 +1,12 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: group_must_run_as_30
+spec:
+  runAsGroup:
+    rule: "MustRunAs"
+    ranges:
+      - min: 30
+        max: 40

test/psps/host_ipc.yaml

@@ -0,0 +1,8 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: no_host_ipc
+spec:
+  hostIPC: false

test/psps/host_network.yaml

@@ -0,0 +1,8 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: no_host_network
+spec:
+  hostNetwork: false

test/psps/host_network_ports.yaml

@@ -0,0 +1,11 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: host_ports_100_200_only
+spec:
+  hostNetwork: true
+  hostPorts:
+    - min: 100
+      max: 200

test/psps/host_pid.yaml

@@ -0,0 +1,8 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: no_host_pid
+spec:
+  hostPID: false

test/psps/privilege_escalation.yaml

@@ -0,0 +1,8 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: no_privilege_escalation
+spec:
+  allowPrivilegeEscalation: false

test/psps/privileged.yaml

@@ -0,0 +1,8 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: no_privileged
+spec:
+  privileged: false

test/psps/privileged_name_with_dashes.yaml

@@ -0,0 +1,8 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: no-privileged
+spec:
+  privileged: false

test/psps/privileged_name_with_spaces.yaml

@@ -0,0 +1,8 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: no privileged
+spec:
+  privileged: false

test/psps/read_only_root_fs.yaml

@@ -0,0 +1,8 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: read_only_root_fs
+spec:
+  readOnlyRootFilesystem: true

test/psps/supplemental_groups_may_run_as_10_20.yaml

@@ -0,0 +1,12 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: supplemental_groups_may_run_as_10
+spec:
+  supplementalGroups:
+    rule: "MayRunAs"
+    ranges:
+      - min: 10
+        max: 20

test/psps/supplemental_groups_may_run_as_10_40_10_20.yaml

@@ -0,0 +1,14 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: supplemental_groups_may_run_as_30
+spec:
+  supplementalGroups:
+    rule: "MayRunAs"
+    ranges:
+      - min: 10
+        max: 40
+      - min: 10
+        max: 20

test/psps/supplemental_groups_may_run_as_30_40.yaml

@@ -0,0 +1,12 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: supplemental_groups_may_run_as_30
+spec:
+  supplementalGroups:
+    rule: "MayRunAs"
+    ranges:
+      - min: 30
+        max: 40

test/psps/supplemental_groups_may_run_as_30_40_10_15.yaml

@@ -0,0 +1,14 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: supplemental_groups_may_run_as_30_10
+spec:
+  supplementalGroups:
+    rule: "MayRunAs"
+    ranges:
+      - min: 30
+        max: 40
+      - min: 10
+        max: 15

test/psps/supplemental_groups_must_run_as_10_20.yaml

@@ -0,0 +1,12 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: supplemental_groups_must_run_as_10
+spec:
+  supplementalGroups:
+    rule: "MustRunAs"
+    ranges:
+      - min: 10
+        max: 20

test/psps/supplemental_groups_must_run_as_10_40_10_20.yaml

@@ -0,0 +1,14 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: supplemental_groups_must_run_as_30
+spec:
+  supplementalGroups:
+    rule: "MustRunAs"
+    ranges:
+      - min: 10
+        max: 40
+      - min: 10
+        max: 20